BEA Plumtree Portal usernames disclosure and other issues
BEA Plumtree, now known as BEA AquaLogic User Interaction, is a popular corporate portal system used by many companies out there.
ProCheckUp has recently published a few vulnerabilities, which Jan Fry, Richard Brain and myself discovered during a pentest. From the three vulnerabilities published, the most interesting one is a disclosure of usernames to unauthenticated users.
We found that by tweaking the parameters of the search request, it becomes possible to obtain all the usernames on the target corporate portal. The results not only include regular user login names, but also administrative ones. Since BEA Plumtree portals are typically used by a big number of corporate users, submitting the specially-crafted search request usually returns hundreds of usernames!
This type of issue is referred to by some people as a username enumeration vulnerability. However, unlike classic username enumeration vulnerabilities that rely on noticing changes in the responses returned by the target server, this type of username enumeration is of the "dumpable" kind, which means there is no need to run a dictionary attack to find valid usernames: a single request returns them.
What makes this vulnerability more of a concern is that the attacker doesn't need to be logged in in order to obtain the list of usernames. Thus, the threat in this case is not only internal but also external. Also, the fact that BEA Plumtree Portal doesn't enforce a secure password complexity policy (at least not by default) increases the chance of an account being compromised by trying weak passwords against the list of usernames obtained.
In fact, this is exactly what we did during our pentest. We extracted the full list of usernames and then we attempted weak passwords such as passwords equal to "password" and passwords equal to the username. Finally, we managed to identify an account which was using a password equal to the username. At this point, we could already gain access to corporate documents by using the cracked username/password pair.
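A password policy check of the kind the post says the portal does not enforce by default, as an added example (not code from the post or from BEA): it rejects the two passwords that worked during the pentest, a password equal to the username and "password", along with close variants. The weak-password list and the length/character-class thresholds are assumptions chosen for illustration.

```python
import re

# Constructed list of weak passwords for the illustration; a real deployment
# would check against a much larger breached-password list.
COMMON_WEAK = {"password", "password1", "welcome", "123456", "qwerty", "letmein"}

MIN_LENGTH = 12  # assumed threshold


def password_policy_violations(username: str, password: str) -> list[str]:
    """Return the list of policy rules the password violates (empty = accepted)."""
    violations = []
    user = username.strip().lower()
    pw = password.lower()

    # Rule 1: the password must not be derived from the account name. This is the
    # exact weakness the post describes (password equal to the username), extended
    # to the reversed name and to the name embedded in a longer string.
    if user and (pw == user or pw == user[::-1] or (len(user) >= 4 and user in pw)):
        violations.append("derived-from-username")

    # Rule 2: reject well-known weak passwords, ignoring trailing digits/symbols
    # so that "Password1!" is caught along with "password".
    stripped = re.sub(r"[\d\W_]+$", "", pw)
    if pw in COMMON_WEAK or stripped in COMMON_WEAK:
        violations.append("common-weak-password")

    # Rule 3: minimum length.
    if len(password) < MIN_LENGTH:
        violations.append("too-short")

    # Rule 4: at least three of the four character classes.
    classes = sum(bool(re.search(p, password)) for p in (r"[a-z]", r"[A-Z]", r"\d", r"[^\w]"))
    if classes < 3:
        violations.append("insufficient-character-classes")

    return violations


def is_acceptable(username: str, password: str) -> bool:
    """True when the password passes every rule above."""
    return not password_policy_violations(username, password)
```

Wired into the account-creation and password-change paths, a check like this closes the specific path the post describes: a dumped username list is far less useful when no account's password can equal its name or a trivial word.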