dnaLIMS Code Execution / XSS / Traversal / Session Hijacking

`Title: Multiple vulnerabilities discovered in dnaLIMS DNA sequencing  
web-application  
Advisory URL:  
https://www.shorebreaksecurity.com/blog/product-security-advisory-psa0002-dnalims/  
Date published: Mar 08, 2017  
Vendor: dnaTools, Inc.  
CVE IDs: [2017-6526, 2017-6527, 2017-6528, 2017-6529]  
USCERT VU: 929263  
  
Vulnerability Summaries  
1) Improperly protected web shell [CVE-2017-6526]  
dnaLIMS requires authentication to view cgi-bin/dna/sysAdmin.cgi, which is  
a web shell included with the software running as the web user. However,  
sending a POST request to that page bypasses authentication checks,  
including the UID parameter within the POST request.  
  
2) Unauthenticated Directory Traversal [CVE-2017-6527]  
The viewAppletFsa.cgi seqID parameter is vulnerable to a null terminated  
directory traversal attack. This allows an unauthenticated attacker to  
retrieve files on the operating system accessible by the permissions of the  
web server. This page also does not require authentication, allowing any  
person on the Internet to exploit this vulnerability.  
  
3) Insecure Password Storage [CVE-2017-6528]  
An option, which is most likely the default, allows the password file  
(/home/dna/spool/.pfile) to store clear text passwords. When combined with  
the unauthenticated directory traversal vulnerability, it is possible to  
gain the username and password for all users of the software and gain  
complete control of the software.  
  
4) Session Hijacking [CVE-2017-6529]  
Each user of the dnaLIMS software is assigned a unique four-digit user  
identification number(UID) upon account creation. These numbers appear to  
be assigned sequentially. Multiple pages of the dnaLIMS application require  
that this UID be passed as a URL parameter in order to view the content of  
the page.  
Consider the following example:  
The URL ahttp://<SERVER NAME  
REDACTED>/cgi-bin/dna/seqreq2N.cgi?username=61685578,2410a is a valid URL  
to view the page for sequencing requests for the user with the UID of 2410. The  
username parameter of the URL is the mechanism for authentication to the  
system. The first eight-digit number of the username parameter appears to  
be a session identifier as it changes every time the user logs in from the  
password.cgi page, however this value is not checked by the seqreq2N.cgi  
page. This allows an attacker to guess the four-digit UID of valid user  
accounts that have an active session. The user with the UID of 2419  
currently has an active session, so we can simply hijack this useras  
session by requesting this page and specifying the UID 2419.  
  
5) Cross-site Scripting  
The seqID parameter of the viewAppletFsa.cgi page is vulnerable to a  
reflected cross site scripting attack via GET request as seen in the  
following URL:  
http://<SERVER NAME REDACTED>/cgi-bin/dna/viewAppletFsa.cgi?seqID=7415-7<SCRIPT  
Alert("XSS") </SCRIPT>  
  
6) Cross-site Scripting  
The navUserName parameter of the seqTable*.cgi page is vulnerable to a  
reflected cross site scripting attack via POST request as seen in the  
example below. The * reflects a short name for a client, (ie Shorebreak  
Security may be seqTableSS.cgi or seqTableshorebreak.cgi) and may not be  
vulnerable for all dnaLIMS installs.  
  
7) Improperly Protected Content  
  
Many of the pages within the admin interface are not properly protected  
from viewing by authenticated users. This can give an attacker additional  
system information about the system, or change system/software  
configuration.  
  
Software was conducted on a live production system, therefore the pages  
themselves were tested, forms within these pages were not.  
  
This is also not an exhaustive list of improperly protected pages:  
  
cgi-bin/dna/configuration.cgi  
  
cgi-bin/dna/createCoInfo.cgi  
  
cgi-bin/dna/configSystem.cgi  
  
cgi-bin/dna/combineAcctsN.cgi  
  
Disclosure Timeline  
  
Thu, Nov 10, 2016 at 4:25 PM: Reached out to vendor requesting PGP key to  
securely exchange details of vulnerabilities identified  
  
Thu, Nov 10, 2016 at 4:55 PM: Vendor requests report be physically mailed  
to PO box via Postal Service  
  
Wed, Nov 16, 2016, at 11:14 AM: Report mailed to vendor via USPS Certified  
Mail  
  
Thu, Dec 8, 2016, at 10:43 AM: Request Vendor acknowledge receipt of the  
report  
  
Thu, Dec 8, 2016, at 12:53 PM: Vendor acknowledges receiptI3/4 suggests  
placing the software behind a firewall as a solution to the vulnerabilities.  
  
Thu, Dec 8, 2016, at 1:54 PM: Reply that the offered solution mitigates  
some risk, but does not address the vulnerabilitiesI3/4 inquire if there is a  
plan to address the vulnerabilities  
  
Thu, Dec 8, 2016, at 3:13 PM: Vendor replies aa|Yes, we have a plan. Please  
gather a DNA sequence, PO Number, or Fund Number and go to your local  
grocery store and see what it will buy you.a  
  
Tue, Feb 28, 2017, at 1:15 PM: Vulnerabilities disclosed to US-CERT  
  
Tue, Mar 7, 2017, at 8:19 AM: Vulnerabilities submitted to MITRE for CVE  
assignment  
  
Wed, Mar 8, 2017, at 12:00 PM: Vulnerabilities disclosed publicly  
  
  
  
  
--   
with respect,  
  
[image: Shorebreak Security]  
Nicholas von Pechmann  
Principal Security Engineer  
O: (888) 838-7311 ext. 444  
M: (818) 292-4915  
  
  
`