[Full-disclosure] Remote access to NeuSecure/Netcool backend database via web interface credentials leakage

2006-03-08T00:00:00
ID SECURITYVULNS:DOC:11747
Type securityvulns
Reporter Securityvulns
Modified 2006-03-08T00:00:00

Description

           -=     DDSi Security Report  =-
                   March 8th, 2006

Another credentials leak was found in the Netcool/NeuSecure Security Information Management platform. It leads to remote backend database access with administrative privileges by an unauthenticated remote user.

Problems:

  • Web interface applet parameters contain credentials stored in clear text, which allows access to the backend database.
  • Version information leak.

About NeuSecure:


Netcool/NeuSecure is a security information management (SIM) platform designed to improve the effectiveness, efficiency and visibility of security operations and information risk management. The solution centralizes and stores security data from throughout the enterprise, automating incident recognition and response, streamlining incident handling, enabling policy monitoring enforcement and providing comprehensive reporting for regulatory compliance. The centralization and automation of these functions results in reduced costs of security and IT operations.


Platform: RedHat EL 3

JReports-NeuSecure-3.0.236-1 common-NeuSecure-3.0.236-1 cms-NeuSecure-3.0.236-1


Procedure:

Web client: Mozilla 1.5.0.1. Navigate to the company's NeuSecure server website:

http://neusecuresrv.domain.com/body.phtml

View source:

<SCRIPT LANGUAGE="JAVASCRIPT">
var ap_width = '';
var ap_height = '';
// Applet parameter names; the database.* entries carry the backend settings
var paramNameArray = ["ARCHIVE", "CODEBASE", "CODE", "EVENT_LIMIT",
    "FiresScriptEvents", "MAYSCRIPT", "database.CMS_DBTYPE",
    "database.CMS_DBNAME", "database.CMSM_DBNAME", "database.CMS_DBHOST",
    "database.CMS_DBUSER", "database.CMS_DBPASS", "agent_count_limit",
    "triton.ticket.export", "username", "sessionid",
    "javaplugin.jre.params", "database.java.connectionURL"];
// Parallel value array: database user and password are sent in clear text
var paramValueArray = ["JavaClasses.jar", ".", "Triton.TritonApplet.class",
    "", "true", "true", "mysql", "nsdbp", "nsdbm", "localhost", "ns",
    "password", "2000", "", "", "fb9ad3ab8968e88e4a576f598b39d61e",
    "-Xmx512M -Xms256M", "http://neusecure.domain.com:80/getData.php"];
browser.constructApplet('TritonApplet', paramNameArray, paramValueArray,
    ap_width, ap_height);
</SCRIPT>

Outcome:

  • Default settings for database user [ns] allow connections from any host.
  • These credentials are used to connect to the NeuSecure backend MySQL database with the following privileges:

  Privilege                Context                   Comment
  -----------------------  ------------------------  -----------------------------------------------------
  Alter                    Tables                    To alter the table
  Create temporary tables  Databases                 To use CREATE TEMPORARY TABLE
  Create                   Databases,Tables,Indexes  To create new databases and tables
  Delete                   Tables                    To delete existing rows
  Drop                     Databases,Tables          To drop databases and tables
  File                     File access on server     To read and write files on the server
  Grant option             Databases,Tables          To give to other users those privileges you possess
  Index                    Tables                    To create or drop indexes
  Insert                   Tables                    To insert data into tables
  Lock tables              Databases                 To use LOCK TABLES (together with SELECT privilege)
  Process                  Server Admin              To view the plain text of currently executing queries
  References               Databases,Tables          To have references on tables
  Reload                   Server Admin              To reload or refresh tables, logs and privileges
  Replication client       Server Admin              To ask where the slave or master servers are
  Replication slave        Server Admin              To read binary log events from the master
  Select                   Tables                    To retrieve rows from table
  Show databases           Server Admin              To see all databases with SHOW DATABASES
  Shutdown                 Server Admin              To shutdown the server
  Super                    Server Admin              To use KILL thread, SET GLOBAL, CHANGE MASTER, etc.
  Update                   Tables                    To update existing rows
  Usage                    Server Admin              No privileges - allow connect only

  • Also, under the Mozilla client the applet renders with a Help button which gives out the version of the NeuSecure product and its service pack version. So far IE6 does not display the applet in a way that lets one glean this information.
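As an added example (not from the advisory or the vendor), a small Python check a defender can run over the HTML of body.phtml fetched without logging in: it parses the paramNameArray/paramValueArray pair and reports which database or session parameters are populated, with values masked so the report itself is not another leak. SAMPLE_PAGE below is a constructed sample modelled on the listing above, not a real capture.

```python
import re

# Applet parameter names from the advisory that must never reach an
# unauthenticated browser; empty values are ignored by the check.
SENSITIVE_PARAMS = {
    "database.CMS_DBNAME", "database.CMSM_DBNAME", "database.CMS_DBHOST",
    "database.CMS_DBUSER", "database.CMS_DBPASS",
    "database.java.connectionURL", "username", "sessionid",
}

_ARRAY_RE = re.compile(r"var\s+(paramNameArray|paramValueArray)\s*=\s*\[(.*?)\]", re.S)
_STRING_RE = re.compile(r'"((?:[^"\\]|\\.)*)"')


def extract_applet_params(html):
    """Map applet parameter names to values from the two parallel JS arrays.

    Strings are stripped because copied page source often carries stray
    whitespace inside the quotes (the advisory listing shows " password").
    """
    arrays = {}
    for m in _ARRAY_RE.finditer(html):
        arrays[m.group(1)] = [s.strip() for s in _STRING_RE.findall(m.group(2))]
    names = arrays.get("paramNameArray", [])
    values = arrays.get("paramValueArray", [])
    if len(names) != len(values):
        raise ValueError("paramNameArray and paramValueArray differ in length")
    return dict(zip(names, values))


def mask(value):
    """Keep two characters at each end so a finding is recognisable but unusable."""
    if len(value) <= 4:
        return "*" * len(value)
    return value[:2] + "*" * (len(value) - 4) + value[-2:]


def leaked_credentials(html):
    """Return {parameter: masked value} for every populated sensitive parameter."""
    params = extract_applet_params(html)
    return {k: mask(v) for k, v in params.items() if k in SENSITIVE_PARAMS and v}


# Constructed sample modelled on the advisory's page source; not a real capture.
SAMPLE_PAGE = """<SCRIPT LANGUAGE="JAVASCRIPT">
var paramNameArray = ["ARCHIVE", "CODE", "database.CMS_DBHOST",
    "database.CMS_DBUSER", " database.CMS_DBPASS", "username", "sessionid"];
var paramValueArray = ["JavaClasses.jar", "Triton.TritonApplet.class",
    "localhost", "ns", " s3cret", "", "0123456789abcdef"];
</SCRIPT>"""

if __name__ == "__main__":
    for name, value in sorted(leaked_credentials(SAMPLE_PAGE).items()):
        print(f"LEAK {name} = {value}")
```

An empty result after the vendor fix or the workaround is applied is the expected state; any non-empty result on a page served before login reproduces the finding.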

Workaround: One can change the access permissions for user ns in the database to include only valid hosts, to prevent direct backend logins.

Conclusion:

  • Vendor needs to validate the user session before allowing access to the applet.
  • Vendor should not store credentials in cleartext.

Vendor communication:

An attempt to make the vendor aware of this problem was ignored.

Thanks,

Dimitry Snezhkov. DDSi