NetApp OnCommand System Manager 2.1 / 2.0.2 XSS / File Inclusion / Command Execution

`SEC Consult Vulnerability Lab Security Advisory < 20130507-0 >  
=======================================================================  
title: Multiple vulnerabilities  
product: NetApp OnCommand System Manager  
vulnerable version: <= 2.1 and <=2.0.2  
fixed version: 2.2 (only XSS fixed)  
CVE: CVE-2013-3320 (XSS)  
CVE-2013-3321 (File inclusion)  
CVE-2013-3322 (OS command execution)  
impact: medium  
homepage: http://www.netapp.com/  
found: 2012-11-06  
by: M. Heinzl  
SEC Consult Vulnerability Lab  
https://www.sec-consult.com/  
=======================================================================  
  
  
Vendor description:  
-------------------  
  
"You don't need to be a storage expert to manage NetApp storage systems.  
Configuration and ongoing storage management are easy using the Web-based  
OnCommand® System Manager. System Manager is the simple yet powerful  
management solution for NetApp storage it'seasy for small to midsize  
businesses to use and efficient for large enterprises and service providers."  
  
Source:   
http://www.netapp.com/us/products/management-software/system-manager.html  
  
  
Vulnerability overview/description:  
-----------------------------------  
  
NetApp OnCommand System Manager suffers from multiple permanent and reflective   
cross-site scripting vulnerabilities, a local file inclusion vulnerability as   
well as an OS command execution vulnerability.  
  
Malicious, authenticated users can exploit these flaws to change the contents   
of the displayed site, redirect the user to other sites, steal user   
credentials, execute system commands and read sensitive information.  
  
The vendor will not fix the file inclusion and OS command execution issues,  
as it is considered a design feature.   
  
  
  
Proof of concepts:  
-----------------  
  
1) Multiple Reflective Cross-Site Scripting Vulnerabilities (internal bug   
number 654355) - CVE-2013-3320  
  
When configuring CIFS (Configuration > Protocols > CIFS > Configuration >   
Setup), JavaScript can be inserted into the parameters <domain-name> and   
<value>.  
  
Request (domain-name):  
POST /zapiServlet HTTP/1.1  
Host: 127.0.0.1:1195  
  
[...]  
  
<netapp version="1.7" xmlns="http://www.netapp.com/filer/admin"><cifs-setup><auth-type>workgroup</auth-type><domain-name><img src=x onerror=alert(1) ></domain-name><security-style>multiprotocol</security-style><server-name>FILER</server-name></cifs-setup></netapp>  
  
  
Furthermore, when creating new LUNs or editing already existing ones (Storage > LUNs >  
(Create or Edit)), JavaScript can be inserted into the parameter <comment>.  
  
  
2) Multiple permanent cross-site scripting vulnerabilities (internal bug   
number 654355) - CVE-2013-3320  
  
When creating new users or editing already existing ones (Configuration >   
Local Users and Groups > Users > (Create or Edit)), JavaScript can be inserted   
into the parameters <full-name> and <comment>.  
  
Request (full-name):  
POST /zapiServlet HTTP/1.1  
Host: 127.0.0.1:1457  
  
[...]  
  
<netapp version="1.7" xmlns="http://www.netapp.com/filer/admin"><useradmin-user-modify><useradmin-user><useradmin-user-info><full-name>test<img src=x onerror=alert(1) ></full-name><comment>test</comment><name>test</name><password-maximum-age>4294967295</password-maximum-age><password-minimum-age>0</password-minimum-age><useradmin-groups><useradmin-group-info><name>Administrators</name></useradmin-group-info></useradmin-groups></useradmin-user-info></useradmin-user></useradmin-user-modify></netapp>  
  
  
Furthermore, when creating new groups or editing already existing ones (Configuration >   
Local Users and Groups > Groups > (Create or Edit)), JavaScript can be   
inserted into the parameter <comment>.  
  
  
When creating new shares or editing already existing ones (Storage > Shares >  
(Create or Edit)), JavaScript can be inserted into the parameter <comment>.  
  
  
3) Local File Inclusion (internal bug number 654357) - CVE-2013-3321 *  
When retrieving log files through SnapMirror (Diagnostics > SnapMirror Log),   
the path can be changed to read arbitrary files from the file system.  
  
  
4) OS Command Execution (internal bug number 654360) - CVE-2013-3322 *  
  
When using the Halt/Reboot interface (Configuration > System Tools > Halt/Reboot),   
arbitrary OS commands can be injected.  
  
  
* To exploit these issues, the attacker must be authenticated as root. The   
vendor will not fix these issues, as it is considered a design feature. Hence   
no proof of concept will be included within this advisory.  
  
  
Vendor contact timeline:  
------------------------  
2012-11-06: Contacting vendor through [email protected]  
2012-11-06: Initial vendor response  
2012-11-07: Forwarding security advisory to vendor  
2012-11-07: Vendor acknowledges that the advisory was received  
2012-11-14: Asking vendor for a status update  
2012-11-14: Vendor asks for more time to address the issues  
2012-11-27: Asking vendor for a conference call to discuss further details  
2012-11-28: Conference call scheduled for 12th of December  
2012-12-12: Conference call   
2012-12-17: Requested feedback from the vendor  
2013-02-07: Requested again for feedback/status update on reported  
vulnerabilities  
2013-03-01: Requested again for feedback/status update on reported   
vulnerabilities (Received automatic reply (OOTO))  
2013-03-11: Contacted vendor once again, containing publication date of   
security advisory (2013-04-11) since no response was received since  
conference call  
2013-04-08: Meeting with vendor  
2013-04-24: Contacting vendor again with updated advisory  
2013-04-25: Vendor replies  
2013-05-01: Vendor notified us that version 2.2 was released on 24th April  
2013-05-07: Coordinated public release of security advisory  
  
  
Solution:  
---------  
  
Update to NetApp OnCommand System Manager 2.2 which fixes the stored and   
reflective cross-site scripting vulnerabilities.  
  
  
Be aware, that OS command execution and file inclusion vulnerabilities are not  
fixed and may be exploited by authenticated attackers.  
  
  
Advisory URL:  
-------------  
  
https://www.sec-consult.com/en/Vulnerability-Lab/Advisories.htm  
  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
SEC Consult Unternehmensberatung GmbH  
  
Office Vienna  
Mooslackengasse 17  
A-1190 Vienna  
Austria  
  
Tel.: +43 / 1 / 890 30 43 - 0  
Fax.: +43 / 1 / 890 30 43 - 25  
Mail: research at sec-consult dot com  
Web: https://www.sec-consult.com  
Blog: http://blog.sec-consult.com  
Twitter: https://twitter.com/sec_consult  
  
EOF M. Heinzl / @2013  
  
  
`