Sybase Afaria 6.0 Cross Site Request Forgery

21 Dec 2010 00:00:00 | Reported by Knud | Type: packetstorm | Source: packetstormsecurity.com

Sybase Afaria 6.0 CSRF vulnerability patch release

Code

nSense Vulnerability Research Security Advisory NSENSE-2010-004  
---------------------------------------------------------------  
  
Affected Vendor: SAP  
Affected Product: Sybase Afaria 6.0  
Platform: Windows  
Impact: User assisted code execution via CSRF  
Vendor response: Patch  
CVE: None  
Credit: Knud  
  
Technical details  
---------------------------------------------------------------  
  
"Afaria is the industry's most powerful and flexible mobile  
device management and security solution for the enterprise.  
Afaria provides you with a single administrative console to  
centrally manage, secure and deploy mobile data, applications  
and devices"  
  
The web management interface does not validate the origin of  
administrator requests and is therefore vulnerable to Cross Site  
Request Forgery.  
  
Successful exploitation may allow an attacker to execute code  
on the target system via custom malicious event handlers that  
use UNC paths.  
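The missing check described above, written out as an added example (not code from the advisory or from Afaria): a server-side origin validation for action endpoints, using a hypothetical console origin `afaria.example` and constructed sample requests.

```python
import hmac
from urllib.parse import urlsplit

def _origin_of(url):
    """Reduce a URL to scheme://host[:port], lower-cased, for comparison."""
    p = urlsplit(url)
    return f"{p.scheme}://{p.netloc}".lower()

def request_is_trusted(headers, expected_origin, session_token=None, submitted_token=None):
    """Return True only if the request provably came from the console's own origin.

    Apply it to every endpoint that performs an action, whatever the HTTP method:
    the advisory's PoC is a plain GET with query parameters, so the method alone
    says nothing about whether a request changes state.
      1. An Origin header, if sent, must equal expected_origin exactly ("null" fails).
      2. Otherwise a Referer must be present and belong to expected_origin.
      3. If the form carries a synchronizer token, it must match the session's copy.
    """
    h = {k.lower(): v for k, v in headers.items()}
    expected = expected_origin.lower()
    origin = h.get("origin")
    if origin is not None:
        if origin.lower() != expected:
            return False
    else:
        referer = h.get("referer")
        if referer is None or _origin_of(referer) != expected:
            return False
    if session_token is not None:
        if submitted_token is None:
            return False
        return hmac.compare_digest(session_token, submitted_token)  # constant-time
    return True

# Constructed sample requests against a hypothetical console at afaria.example.
CONSOLE = "https://afaria.example"
SAMPLES = {
    "same_origin_header": ({"Origin": "https://afaria.example"}, None, None),
    "same_origin_referer": ({"Referer": "https://afaria.example/AfariaAdmin/"}, None, None),
    "cross_site": ({"Origin": "https://attacker.example"}, None, None),
    "no_origin_no_referer": ({}, None, None),
    "token_mismatch": ({"Origin": "https://afaria.example"}, "sess-abc", "sess-xyz"),
    "token_match": ({"Origin": "https://afaria.example"}, "sess-abc", "sess-abc"),
}

def evaluate_samples():
    """Run every sample through the check and return name -> verdict."""
    return {n: request_is_trusted(h, CONSOLE, s, t) for n, (h, s, t) in SAMPLES.items()}
```

Requests that arrive with neither Origin nor Referer are rejected on purpose: a browser-driven cross-site request cannot be told apart from a legitimate one without at least one of them or a token.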
  
Proof of concept:  
http://<target>/AfariaAdmin/WebForms/ErrorHandler.aspx?msg=csrf&ReloadLink=False  
  
Solution  
---------------------------------------------------------------  
* Afaria 6.0 Service Pack 1 Hot Fix 28 (Administrator Only)  
http://frontline.sybase.com/support/fileDownload.aspx?ID=2133  
  
Release Notes  
http://frontline.sybase.com/support/downloads/Afaria/6_0_SP1/60Sp1AfariaFx28/60Sp1AfariaFx28.htm  
  
* Afaria 6.5 (there are two parts to Afaria 6.5 Hot Fix 55)  
Server  
http://frontline.sybase.com/support/fileDownload.aspx?ID=2142  
  
Administrator  
http://frontline.sybase.com/support/fileDownload.aspx?ID=2143  
  
Release Notes  
http://frontline.sybase.com/support/downloads/Afaria/6_5/65AfariaFx55/65AfariaFx55Admin/65AfariaFx55.htm  
  
  
Timeline:  
August 21st Contacted vendor PSIRT  
September 2nd Vendor responded. Patch confirmed  
September 2nd Inquired patch release date  
September 2nd Vendor responded. No release date yet available.  
September 22nd Status update request sent to vendor  
September 23rd Vendor responded. No release date available.  
October 6th Status update request sent to vendor  
October 7th Vendor responded. The patch had already been released.  
October 7th Inquired vendor about attribution  
October 7th Vendor responded. Research page under construction.  
November 9th Vendor inquired about attribution details  
November 9th Attribution details sent to vendor  
November 10th Vendor responded.  
December 20th Advisory published  
  
Links:  
http://www.sdn.sap.com/irj/sdn/index?rid=/webcontent/uuid/c05604f6-4eb3-2d10-eea7-ceb666083a6a  
  
  
http://www.nsense.fi http://www.nsense.dk  
  
  
