SEC Consult SA-20140521-0 :: Multiple critical vulnerabilities in CoSoSys Endpoint Protector 4

2014-06-14T00:00:00
ID SECURITYVULNS:DOC:30867
Type securityvulns
Reporter Securityvulns
Modified 2014-06-14T00:00:00

Description

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1

SEC Consult Vulnerability Lab Security Advisory < 20140521-0 >

          title: Multiple vulnerabilities
        product: CoSoSys Endpoint Protector 4

vulnerable version: all - except issue #1 fixed version: none - except issue #1 impact: Critical homepage: http://www.endpointprotector.com/ found: 2013-12-02 by: Stefan Viehbock SEC Consult Vulnerability Lab https://www.sec-consult.com =======================================================================

Vendor/product description:


"Protect your network from the threats posed by portable storage devices. Portable devices such as USB flash drives and smartphones may cause severe issues when it comes to controlling data use within and outside the company. As a full DLP (Data Loss Prevention) product, Endpoint Protector 4 prevents users from taking unauthorized data outside the company or bringing potential harmful files on USB devices, files which can have a significant impact on your network's health."

URL: http://www.endpointprotector.com/products/endpoint_protector

Vulnerability overview/description:


1) Unauthenticated access to statistics / information disclosure Unauthenticated users can access server statistics. These statistics give details about the webserver status (nginx_status) as well as system level information (munin system monitoring).

2) Unauthenticated SQL injection Unauthenticated users can execute arbitrary SQL statements via a vulnerability in the device registration component. The statements will be executed with the high-privileges of the MySQL user "root". This user has permissions to read and write files from/to disk.

3) Backdoor accounts Several undocumented operating system user accounts exist on the appliance. They can be used to gain access to the appliance via the terminal but also via SSH.

Proof of concept:


1) Unauthenticated access to statistics / information disclosure The information can be accessed via the following URLs: https://<host>/nginx_status https://<host>/munin/

2) Unauthenticated SQL injection The following POST request uses this vulnerability to write a file with the content "TEST" to /tmp/test_outfile:

Detailed proof of concept exploits have been removed for this vulnerability.

To demonstrate impact of the issue, the following 2 POST requests will create a MySQL trigger that adds the superadmin user "secconsult" (password: "secconsult") to the user table. (A reboot mysqld/system is required before the trigger is enabled.)

Detailed proof of concept exploits have been removed for this vulnerability.

Affected script: /wsf/webservice.php

3) Backdoor accounts The passwd and shadow file show that the following accounts exist. The password hashes have been removed from this advisory.

epproot:x:1000:1000:epproot,,,:/home/epproot:/bin/bash epproot:removed:15449:0:99999:7:::

endpoint:x:1001:1001::/home/endpoint:/bin/sh endpoint:removed:15449:0:99999:7:::

eppsupport:x:1002:1002::/home/eppsupport:/bin/sh eppsupport:removed:15449:0:99999:7:::

The "epproot" user can elevate privileges to root easily via the sudo command, while the remaining users can get shell access and gain root privileges via kernel exploits etc.

Vulnerable / tested versions:


The vulnerability has been verified to exist in CoSoSys Endpoint Protector version 4.3.0.4, which was the most recent version at the time of discovery.

Vendor contact timeline:


2013-12-10: Sending responsible disclosure policy and requesting encryption keys. 2013-12-10: Vendor provides encryption keys. 2013-12-10: Sending advisory via encrypted channel. 2013-12-17: Vendor confirms receipt of advisory. 2014-01-09: Requesting status update. 2014-01-13: Vendor states that issue #1 has been fixed in version 4.4.0.2. #2 will be fixed in March #3 "accounts for support are available by default on our appliances but we remove them on customer requests" 2014-01-14: Stating that resolution of issue #3 is not sufficient. 2014-01-20: Vendor states that backdoor accounts are documented in latest version and some will be removed in the future and functionality to disable users is in development. 2014-04-04: Requesting status update regarding remaining issues (#2 and #3). 2014-05-16: Requesting status update regarding remaining issues (#2 and #3, 2nd try). 2014-05-21: (No answer) SEC Consult releases security advisory.

Solution:


CoSoSys has only patched the information disclosure vulnerability (issue #1). The patched version is 4.4.0.2.

There is no solution/patch for the remaining, critical vulnerabilities!

Workaround:


No workaround available.

Advisory URL:


https://www.sec-consult.com/en/Vulnerability-Lab/Advisories.htm

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ SEC Consult Vulnerability Lab

SEC Consult Vienna - Bangkok - Frankfurt/Main - Montreal - Singapore - Vilnius

Headquarter: Mooslackengasse 17, 1190 Vienna, Austria Phone: +43 1 8903043 0 Fax: +43 1 8903043 15

Mail: research at sec-consult dot com Web: https://www.sec-consult.com Blog: http://blog.sec-consult.com Twitter: https://twitter.com/sec_consult

EOF Stefan Viehbock / @2014 -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.22 (GNU/Linux)

iQEcBAEBAgAGBQJTfJVPAAoJECyFJyAEdlkKC1sIAKWJe4W55fVeVx9o3pcUpOYX VFxecx2tG1X0thdCGskNVoY+q/dDadhJ5gmJ0Azx6rXy0g0/1xQM37VIKqqEg+NE vmGPH7AgfVBJ1mThPDu0yXPDZl7msLYh9eyiTABUWZ1L+JPjRu9I9RyWJblr44g6 PvbvMMI0LoPuTuFpoGchw9WABMMiQqdA95DuRgF4LGQAQYsoIa18CMRof0QJCahV G6lA9S646CWjmu13dFwZ5JUjp9jPHOzHIMCY73IYuxS4Wnao3AYi6FtQpqmA5M22 SdheuS3xvVS3Eu0rV2KjFfLyF1J5eD82fS9EmwA9oTDzN4rforj9Cd7SY8/T9vk= =KOGW -----END PGP SIGNATURE-----