CoSoSys Endpoint Protector 4 SQL Injection / Backdoor

22 May 2014. Reported by S. Viehböck. Source: packetstorm (packetstormsecurity.com)

CoSoSys Endpoint Protector 4 SQL Injection Backdoor, Unauthenticated Access and Backdoor Account

Code
`-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA1  
  
SEC Consult Vulnerability Lab Security Advisory < 20140521-0 >  
=======================================================================  
title: Multiple vulnerabilities  
product: CoSoSys Endpoint Protector 4  
vulnerable version: all - except issue #1  
fixed version: none - except issue #1  
impact: Critical  
homepage: http://www.endpointprotector.com/  
found: 2013-12-02  
by: Stefan Viehböck  
SEC Consult Vulnerability Lab  
https://www.sec-consult.com  
=======================================================================  
  
Vendor/product description:  
-----------------------------  
"Protect your network from the threats posed by portable storage devices.  
Portable devices such as USB flash drives and smartphones may cause severe  
issues when it comes to controlling data use within and outside the company. As  
a full DLP (Data Loss Prevention) product, Endpoint Protector 4 prevents users  
from taking unauthorized data outside the company or bringing potential harmful  
files on USB devices, files which can have a significant impact on your  
network's health."  
  
URL: http://www.endpointprotector.com/products/endpoint_protector  
  
  
Vulnerability overview/description:  
-----------------------------------  
1) Unauthenticated access to statistics / information disclosure  
Unauthenticated users can access server statistics. These statistics give  
details about the webserver status (nginx_status) as well as system level  
information (munin system monitoring).  
  
2) Unauthenticated SQL injection  
Unauthenticated users can execute arbitrary SQL statements via a vulnerability  
in the device registration component. The statements are executed with the  
high privileges of the MySQL user "root". This user has permission to read and  
write files from/to disk (MySQL's FILE privilege), which turns the injection  
into arbitrary file read/write on the appliance.  
  
3) Backdoor accounts  
Several undocumented operating system user accounts exist on the appliance.  
They can be used to gain access to the appliance via the terminal but also  
via SSH.  
  
  
Proof of concept:  
-----------------  
1) Unauthenticated access to statistics / information disclosure  
The information can be accessed via the following URLs:  
https://<host>/nginx_status  
https://<host>/munin/  
  
  
2) Unauthenticated SQL injection  
The following POST request uses this vulnerability to write a file with the  
content "TEST" to /tmp/test_outfile:  
  
Detailed proof of concept exploits have been removed for this vulnerability.  
  
To demonstrate the impact of the issue, the following 2 POST requests create  
a MySQL trigger that adds the superadmin user "secconsult" (password:  
"secconsult") to the user table. (A restart of mysqld or of the whole system is  
required before the trigger becomes active.)  
  
Detailed proof of concept exploits have been removed for this vulnerability.  
  
Affected script: /wsf/webservice.php  
  
  
3) Backdoor accounts  
The passwd and shadow files show that the following accounts exist. The  
password hashes have been removed from this advisory.  
  
epproot:x:1000:1000:epproot,,,:/home/epproot:/bin/bash  
epproot:*removed*:15449:0:99999:7:::  
  
endpoint:x:1001:1001::/home/endpoint:/bin/sh  
endpoint:*removed*:15449:0:99999:7:::  
  
eppsupport:x:1002:1002::/home/eppsupport:/bin/sh  
eppsupport:*removed*:15449:0:99999:7:::  
  
The "epproot" user can easily elevate privileges to root via the sudo command,  
while the remaining users get shell access and could gain root privileges via  
local privilege escalation, e.g. kernel exploits.  
  
  
Vulnerable / tested versions:  
-----------------------------  
The vulnerabilities have been verified to exist in CoSoSys Endpoint Protector  
version 4.3.0.4, which was the most recent version at the time of discovery.  
  
  
Vendor contact timeline:  
------------------------  
2013-12-10: Sending responsible disclosure policy and requesting encryption  
keys.  
2013-12-10: Vendor provides encryption keys.  
2013-12-10: Sending advisory via encrypted channel.  
2013-12-17: Vendor confirms receipt of advisory.  
2014-01-09: Requesting status update.  
2014-01-13: Vendor states that issue  
#1 has been fixed in version 4.4.0.2.  
#2 will be fixed in March  
#3 "accounts for support are available by default on our appliances  
but we remove them on customer requests"  
2014-01-14: Stating that resolution of issue #3 is not sufficient.  
2014-01-20: Vendor states that backdoor accounts are documented in latest  
version and some will be removed in the future and functionality  
to disable users is in development.  
2014-04-04: Requesting status update regarding remaining issues (#2 and #3).  
2014-05-16: Requesting status update regarding remaining issues (#2 and #3,  
2nd try).  
2014-05-21: (No answer) SEC Consult releases security advisory.  
  
  
Solution:  
---------  
CoSoSys has _only_ patched the information disclosure vulnerability (issue #1).  
The patched version is 4.4.0.2.  
  
There is no solution/patch for the remaining, critical vulnerabilities!  
  
  
Workaround:  
-----------  
No workaround available.  
  
  
Advisory URL:  
-------------  
https://www.sec-consult.com/en/Vulnerability-Lab/Advisories.htm  
  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
SEC Consult Vulnerability Lab  
  
SEC Consult  
Vienna - Bangkok - Frankfurt/Main - Montreal - Singapore - Vilnius  
  
Headquarter:  
Mooslackengasse 17, 1190 Vienna, Austria  
Phone: +43 1 8903043 0  
Fax: +43 1 8903043 15  
  
Mail: research at sec-consult dot com  
Web: https://www.sec-consult.com  
Blog: http://blog.sec-consult.com  
Twitter: https://twitter.com/sec_consult  
  
EOF Stefan Viehböck / @2014  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v2.0.22 (GNU/Linux)  
  
iQEcBAEBAgAGBQJTfJVPAAoJECyFJyAEdlkKC1sIAKWJe4W55fVeVx9o3pcUpOYX  
VFxecx2tG1X0thdCGskNVoY+q/dDadhJ5gmJ0Azx6rXy0g0/1xQM37VIKqqEg+NE  
vmGPH7AgfVBJ1mThPDu0yXPDZl7msLYh9eyiTABUWZ1L+JPjRu9I9RyWJblr44g6  
PvbvMMI0LoPuTuFpoGchw9WABMMiQqdA95DuRgF4LGQAQYsoIa18CMRof0QJCahV  
G6lA9S646CWjmu13dFwZ5JUjp9jPHOzHIMCY73IYuxS4Wnao3AYi6FtQpqmA5M22  
SdheuS3xvVS3Eu0rV2KjFfLyF1J5eD82fS9EmwA9oTDzN4rforj9Cd7SY8/T9vk=  
=KOGW  
-----END PGP SIGNATURE-----  
  
  
`
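A quick check for issue 1 (the unauthenticated /nginx_status and /munin/ pages), added here as an editor's example; it is not part of the advisory or of SEC Consult's tooling. It assumes that /nginx_status emits the plain-text format of nginx's ngx_http_stub_status_module, that a munin index page carries "Munin" in its HTML title (a heuristic), and the sample response below is constructed rather than captured from an appliance. The point of classifying the body rather than trusting the status code is that many appliances answer every unknown URL with a 200 login page, which is not an exposure.

```python
"""Probe for the unauthenticated status pages from issue 1 (/nginx_status,
/munin/) and recognise what comes back.

Added example, not part of the advisory. Assumptions: /nginx_status emits
the plain-text stub_status format of nginx's ngx_http_stub_status_module;
the munin check is a heuristic on the HTML <title>; the sample response
below is constructed, not captured from an appliance."""
import re
import ssl
import urllib.request
from urllib.error import HTTPError, URLError

# Constructed stub_status response (what an exposed /nginx_status returns).
SAMPLE_NGINX_STATUS = (
    "Active connections: 3 \n"
    "server accepts handled requests\n"
    " 1024 1024 4096 \n"
    "Reading: 0 Writing: 1 Waiting: 2 \n"
)

_STUB_STATUS = re.compile(
    r"Active connections:\s*(\d+)\s*\n"
    r"server accepts handled requests\s*\n"
    r"\s*(\d+)\s+(\d+)\s+(\d+)\s*\n"
    r"Reading:\s*(\d+)\s+Writing:\s*(\d+)\s+Waiting:\s*(\d+)"
)


def parse_nginx_status(body):
    """Return the stub_status counters as a dict, or None if body is not one."""
    m = _STUB_STATUS.search(body)
    if not m:
        return None
    keys = ("active", "accepts", "handled", "requests",
            "reading", "writing", "waiting")
    return dict(zip(keys, map(int, m.groups())))


def looks_like_munin(body):
    """Heuristic: munin-generated pages carry 'Munin' in their <title>."""
    m = re.search(r"<title>([^<]*)</title>", body, re.IGNORECASE)
    return bool(m and "munin" in m.group(1).lower())


def classify(path, status, body):
    """Map one unauthenticated response to 'exposed', 'closed' or 'unknown'.

    'closed' means the server refused or does not serve the path (the state
    4.4.0.2 should be in); 'unknown' covers transport errors and 200s whose
    body is something else, e.g. a login page served for every URL."""
    if status in (401, 403, 404):
        return "closed"
    if status != 200:
        return "unknown"
    if path == "/nginx_status":
        return "exposed" if parse_nginx_status(body) else "unknown"
    if path == "/munin/":
        return "exposed" if looks_like_munin(body) else "unknown"
    return "unknown"


def fetch(url, timeout=10):
    """GET without credentials. Appliances usually run self-signed
    certificates, so verification is disabled here; check the cert separately."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        with urllib.request.urlopen(url, timeout=timeout, context=ctx) as r:
            return r.status, r.read().decode("utf-8", "replace")
    except HTTPError as e:
        return e.code, ""
    except URLError:
        return None, ""


def check_host(host):
    """Probe both paths from the advisory on a live appliance."""
    return {path: classify(path, *fetch("https://%s%s" % (host, path)))
            for path in ("/nginx_status", "/munin/")}


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        for path, verdict in check_host(sys.argv[1]).items():
            print("%-14s %s" % (path, verdict))
    else:  # offline demo on the constructed sample
        print(parse_nginx_status(SAMPLE_NGINX_STATUS))
```

Run it as `python3 check.py <host>` against an appliance; "exposed" on either path means the 4.4.0.2 fix is not in place (or has been undone), while "unknown" deserves a manual look rather than a pass.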

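Issue 2 has no patch, so the practical question is whether the persistence the advisory describes (a trigger on the user table that re-adds a superadmin after the next restart) is already present on an appliance. The following scan is an editor's example, not code from the advisory or the vendor. It assumes the MySQL 5.x on-disk trigger metadata layout (one `<table>.TRG` per table whose `triggers=` line holds backslash-escaped, single-quoted CREATE TRIGGER statements, plus one `<name>.TRN` per trigger); the database name, table names and trigger body are constructed for the demo, and the list of "account" tables is an assumption. Scanning the files rather than querying `information_schema.TRIGGERS` matters here because a trigger written to disk through the FILE privilege is not loaded by the running mysqld until the table is reopened, which is exactly why the advisory notes that a restart is needed; the file scan also works on an offline disk image.

```python
"""Forensic check for the persistence path described under issue 2: a MySQL
trigger planted on the application's user table that re-adds an admin account.

Added example, not part of the advisory. Assumptions: MySQL 5.x on-disk
trigger metadata (one <table>.TRG per table with a triggers= line holding
backslash-escaped, single-quoted CREATE TRIGGER statements, plus one
<name>.TRN per trigger); the database name, table names and trigger body
below are constructed for the demo."""
import os
import re
import tempfile

# Assumption: tables where an application keeps its (super)admin accounts.
SUSPECT_TABLES = ("users", "user", "admins", "administrators")

_QUOTED = re.compile(r"'((?:[^'\\]|\\.)*)'")


def _unescape(s):
    """Undo the escaping MySQL's parse_file layer uses inside quoted values."""
    special = {"n": "\n", "0": "\0", "z": "\x1a"}
    return re.sub(r"\\(.)", lambda m: special.get(m.group(1), m.group(1)), s)


def parse_trg(path):
    """Return the CREATE TRIGGER statements stored in one .TRG file."""
    stmts = []
    with open(path, encoding="utf-8", errors="replace") as f:
        for line in f:
            if line.startswith("triggers="):
                stmts += [_unescape(s) for s in _QUOTED.findall(line[len("triggers="):])]
    return stmts


def inspect_trigger(db, table, stmt):
    m = re.search(r"DEFINER=`([^`]*)`@`([^`]*)`", stmt)
    definer = "%s@%s" % m.groups() if m else None
    writes_accounts = bool(re.search(
        r"\bINSERT\s+INTO\s+`?(%s)\b" % "|".join(SUSPECT_TABLES), stmt, re.I))
    return {"db": db, "table": table, "definer": definer, "statement": stmt,
            "writes_accounts": writes_accounts,
            # Triage hint only: root-defined triggers are also common in
            # legitimate installs, so confirm against a known-good baseline.
            "suspicious": writes_accounts or definer == "root@localhost"}


def scan_datadir(datadir):
    """Walk <datadir>/<db>/*.TRG and describe every trigger found."""
    findings = []
    for db in sorted(os.listdir(datadir)):
        dbdir = os.path.join(datadir, db)
        if not os.path.isdir(dbdir):
            continue
        for fn in sorted(os.listdir(dbdir)):
            if fn.endswith(".TRG"):
                for stmt in parse_trg(os.path.join(dbdir, fn)):
                    findings.append(inspect_trigger(db, fn[:-4], stmt))
    return findings


def build_sample_datadir():
    """Constructed datadir: one clean table and one with a planted trigger."""
    root = tempfile.mkdtemp(prefix="datadir_")
    dbdir = os.path.join(root, "appdb")
    os.makedirs(dbdir)
    for fn in ("devices.frm", "users.frm"):
        open(os.path.join(dbdir, fn), "w").close()
    planted = (
        "CREATE DEFINER=`root`@`localhost` TRIGGER add_admin "
        "AFTER INSERT ON `users` FOR EACH ROW "
        "INSERT INTO `users` (username, role) VALUES (\\'planted\\', \\'superadmin\\')"
    )
    with open(os.path.join(dbdir, "users.TRG"), "w") as f:
        f.write("TYPE=TRIGGERS\ntriggers='%s'\nsql_modes=0\n"
                "definers='root@localhost'\n" % planted)
    with open(os.path.join(dbdir, "add_admin.TRN"), "w") as f:
        f.write("TYPE=TRIGGERNAME\ntrigger_table=users\n")
    return root


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else build_sample_datadir()
    for f in scan_datadir(target):
        print("%s.%s definer=%s suspicious=%s\n  %s" % (
            f["db"], f["table"], f["definer"], f["suspicious"], f["statement"]))
```

Point it at the live datadir (`python3 trgscan.py /var/lib/mysql`) or at a mounted image; with no argument it builds the constructed sample and reports the planted trigger. Any trigger on the user table that the application did not ship with, and any unexpected superadmin row, should be treated as evidence of compromise rather than cleaned up silently.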

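For issue 3 the check a practitioner wants is an inventory of which accounts on the appliance can actually log in and which of them reach root, so that the undocumented accounts can be found and, where the vendor agrees, locked. The audit below is an editor's example, not code from the advisory or the vendor. Its input files are constructed: the hashes are placeholders (the real ones were removed from the advisory), eppsupport is shown locked only to illustrate the distinction the audit draws, and the sudoers rule for epproot is an assumption, since the advisory only states that sudo gives epproot root.

```python
"""Audit passwd, shadow and sudoers for login-capable accounts that are not on
an allow-list, i.e. the situation from issue 3 (epproot, endpoint, eppsupport).

Added example, not part of the advisory or the vendor's tooling. The sample
files are constructed: the hashes are placeholders (the real ones were removed
from the advisory), eppsupport is shown locked only to illustrate the
difference, and the sudoers rule for epproot is an assumption, since the
advisory only says sudo gives epproot root."""
import re

SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
epproot:x:1000:1000:epproot,,,:/home/epproot:/bin/bash
endpoint:x:1001:1001::/home/endpoint:/bin/sh
eppsupport:x:1002:1002::/home/eppsupport:/bin/sh
"""

SAMPLE_SHADOW = """\
root:$6$placeholder$0000:15449:0:99999:7:::
www-data:*:15449:0:99999:7:::
epproot:$6$placeholder$1111:15449:0:99999:7:::
endpoint:$6$placeholder$2222:15449:0:99999:7:::
eppsupport:!$6$placeholder$3333:15449:0:99999:7:::
"""

SAMPLE_SUDOERS = """\
Defaults env_reset
root ALL=(ALL:ALL) ALL
epproot ALL=(ALL) NOPASSWD: ALL
"""

NOLOGIN_SHELLS = ("/usr/sbin/nologin", "/sbin/nologin", "/bin/false")


def parse_passwd(text):
    """Map user -> uid/gid/home/shell from passwd(5) lines."""
    users = {}
    for line in text.splitlines():
        if line and not line.startswith("#"):
            name, _, uid, gid, _gecos, home, shell = line.split(":", 6)
            users[name] = {"uid": int(uid), "gid": int(gid),
                           "home": home, "shell": shell}
    return users


def parse_shadow(text):
    """Map user -> password field (hash, or '*' / '!...' for locked)."""
    return {l.split(":")[0]: l.split(":")[1]
            for l in text.splitlines() if ":" in l}


def password_state(field):
    if field == "":
        return "empty"      # login with no password at all
    if field.startswith(("!", "*")):
        return "locked"
    return "set"


def sudo_rules(sudoers_text, user):
    """Lines of sudoers that start with this user (aliases/groups not expanded)."""
    return [l.strip() for l in sudoers_text.splitlines()
            if re.match(r"\s*%s\s" % re.escape(user), l)]


def audit(passwd_text, shadow_text, sudoers_text, known_accounts=("root",)):
    """Interactive accounts outside known_accounts, with what each can do."""
    shadow = parse_shadow(shadow_text)
    findings = []
    for name, u in parse_passwd(passwd_text).items():
        if name in known_accounts or u["shell"] in NOLOGIN_SHELLS:
            continue
        state = password_state(shadow.get(name, "*"))
        rules = sudo_rules(sudoers_text, name)
        findings.append({
            "user": name, "uid": u["uid"], "shell": u["shell"],
            "password": state,
            "can_login": state != "locked",
            "sudo": rules,
            # '=(ALL' : may run commands as any user, i.e. as root
            "root_via_sudo": any(re.search(r"=\s*\(ALL", r) for r in rules),
        })
    return findings


def audit_system(known_accounts=("root",)):
    """Run against the live system (reading shadow and sudoers needs root)."""
    def read(path):
        with open(path) as f:
            return f.read()
    return audit(read("/etc/passwd"), read("/etc/shadow"),
                 read("/etc/sudoers"), known_accounts)


if __name__ == "__main__":
    for f in audit(SAMPLE_PASSWD, SAMPLE_SHADOW, SAMPLE_SUDOERS):
        print("%-12s uid=%-5d shell=%-10s password=%-6s login=%-5s root_via_sudo=%s"
              % (f["user"], f["uid"], f["shell"], f["password"],
                 f["can_login"], f["root_via_sudo"]))
```

On the constructed sample this reports epproot (login plus root via sudo), endpoint (login only) and eppsupport (present but locked). The audit only reads files; locking accounts on a vendor appliance (`passwd -l`, dropping the sudoers rule) may void support, which is why the vendor's own answer in the timeline above, removal on customer request, is the first thing to ask for. Also note that `sudo_rules` matches only rules that name the user directly, so a rule granted through a group or alias would not show up.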