sysPass 1.0.9 Insecure Direct Object Reference

2015-12-07T00:00:00
ID PACKETSTORM:134682
Type packetstorm
Reporter Daniele Salaris
Modified 2015-12-07T00:00:00

Description

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA512  
  
Advisory ID: SYSS-2015-046  
Product: sysPass  
Manufacturer: http://cygnux.org/  
Affected Version(s): 1.0.9 and below  
Tested Version(s): 1.0.9  
Vulnerability Type: Insecure Direct Object References (CWE-932),  
Exposure of Backup File to an Unauthorized Control Sphere (CWE-530)  
Risk Level: High  
Solution Status: Fixed  
Manufacturer Notification: 2015-06-10  
Solution Date: 2015-10-26  
Public Disclosure: 2015-12-07  
CVE Reference: Not yet assigned  
Author of Advisory: Daniele Salaris (SySS GmbH)  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
Overview:  
  
sysPass is a web-based password manager written in PHP and Ajax with a  
built-in multiuser environment.  
  
The web application is prone to a security vulnerability that allows an  
unauthorized attacker to download existing backup files containing  
sensitive data.  
  
The software manufacturer describes the web application as follows  
(see [1]):  
  
"sysPass is a web password manager written in PHP that allows the  
password management in a centralized way and in a multiuser environment.  
The main features are:  
  
* HTML5 and Ajax based interface  
* Password encryption with AES-256 CBC.  
* Users and groups management.  
* Advanced profiles management with 16 access levels.  
* MySQL, OpenLDAP and Active Directory authentication.  
* Activity alerts by email.  
* Accounts change history.  
* Accounts files management.  
* Inline image preview.  
* Multilanguage.  
* Links to external Wiki.  
* Portable backup.  
* Action tracking and event log.  
* One-step install process."  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
Vulnerability Details:  
  
The backup functionality of the web-based password manager sysPass  
creates the following two backup files that are stored within the  
application's backup folder:  
  
* sysPass_db.sql  
* sysPass.tar.gz  
  
The file sysPass_db.sql contains a full database dump and the file  
sysPass.tar.gz contains all contents of the sysPass web application  
folder.  
  
An unauthorized attacker can simply download these two existing backup  
files via the following URLs:  
  
http(s)://<HOST>/backup/sysPass_db.sql  
http(s)://<HOST>/backup/sysPass.tar.gz  
  
Thus, an external attacker without valid user credentials can gain  
unauthorized access to all configuration and application data of the  
password manager sysPass. With access to this data, an attacker can  
perform further attacks in order to recover user credentials of sysPass  
users or to decrypt encrypted password information contained within the  
database.  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
Proof of Concept (PoC):  
  
The following URLs can be used to download existing backup files of the  
password manager sysPass from an external attacker's perspective:  
  
http(s)://<HOST>/backup/sysPass_db.sql  
http(s)://<HOST>/backup/sysPass.tar.gz  
  
For example:  
  
http://syspass.org/demo/backup/sysPass_db.sql  
http://syspass.org/demo/backup/sysPass.tar.gz  
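
For operators who ran an affected version, the first question after patching is whether the backup files were ever fetched. The following added example (not part of the advisory and not sysPass code) scans web server access logs for requests to the two backup paths named above and reports, per client, whether the file was actually served (HTTP 200 with a body) or blocked. It assumes Apache/nginx Combined Log Format; the log lines are constructed samples.

```python
import re
from collections import defaultdict

# Combined Log Format as written by Apache/nginx (assumed logging setup).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)

# The two backup artefacts named in the advisory, under /backup/.
BACKUP_PATH_RE = re.compile(r'/backup/sysPass(_db\.sql|\.tar\.gz)(\?.*)?$')

def parse_line(line):
    """Parse one access-log line; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec['status'] = int(rec['status'])
    rec['size'] = 0 if rec['size'] == '-' else int(rec['size'])
    return rec

def find_backup_access(lines):
    """One finding per request for a sysPass backup file. 'served' is True
    only for a 200 with a non-empty body, i.e. the file was disclosed."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or not BACKUP_PATH_RE.search(rec['path']):
            continue
        findings.append({'ip': rec['ip'], 'path': rec['path'],
                         'status': rec['status'],
                         'served': rec['status'] == 200 and rec['size'] > 0})
    return findings

def summarize(findings):
    """Group findings by client IP: request count and paths disclosed."""
    by_ip = defaultdict(lambda: {'requests': 0, 'disclosed': []})
    for f in findings:
        by_ip[f['ip']]['requests'] += 1
        if f['served']:
            by_ip[f['ip']]['disclosed'].append(f['path'])
    return dict(by_ip)

# Constructed sample log lines (not real traffic; RFC 5737 test addresses).
SAMPLE_LOG = [
    '203.0.113.7 - - [07/Dec/2015:10:01:02 +0100] "GET /backup/sysPass_db.sql HTTP/1.1" 200 1834522 "-" "curl/7.45.0"',
    '203.0.113.7 - - [07/Dec/2015:10:01:05 +0100] "GET /backup/sysPass.tar.gz HTTP/1.1" 200 20971520 "-" "curl/7.45.0"',
    '198.51.100.2 - - [07/Dec/2015:10:02:11 +0100] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [07/Dec/2015:10:03:40 +0100] "GET /backup/sysPass_db.sql HTTP/1.1" 403 199 "-" "python-requests/2.8"',
]
```

Any client with a non-empty `disclosed` list obtained the database dump or application archive, so the master password and all stored credentials of that instance should be treated as compromised.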
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
Solution:  
  
The reported security vulnerabilities have been fixed in a new software  
release. Update to the new software version.  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
Disclosure Timeline:  
  
2015-06-08: Vulnerability discovered  
2015-06-10: Vulnerability reported to manufacturer  
2015-10-26: Release of new software version that addresses the reported  
security issues. Discussed security fix with manufacturer.  
2015-12-07: Public release of security advisory  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
References:  
  
[1] Web site of sysPass - sysadmin password manager  
http://wiki.syspass.org/en/start  
[2] SySS Security Advisory SYSS-2015-046  
https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2015-046.txt  
[3] SySS Responsible Disclosure Policy  
https://www.syss.de/en/news/responsible-disclosure-policy/  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
Credits:  
  
This security vulnerability was found by Daniele Salaris of SySS GmbH.  
  
E-Mail: disclosure (at) syss.de  
Key fingerprint = E135 4E23 6091 A85C 9E14 577A 28DF B3A7 0A98 A9D4  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
Disclaimer:  
  
The information provided in this security advisory is provided "as is"   
and without warranty of any kind. Details of this security advisory may   
be updated in order to provide as accurate information as possible. The  
latest version of this security advisory is available on the SySS Web   
site.  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
Copyright:  
  
Creative Commons - Attribution (by) - Version 3.0  
URL: http://creativecommons.org/licenses/by/3.0/deed.en  
  