IRM 013: Ultraapps Issue Manager is vulnerable to Privilege Escalation

To: <bugtraq@xxxxxxxxxxxxxxxxx>
Subject: IRM 013: Ultraapps Issue Manager is vulnerable to Privilege Escalation
From: "Advisories" <advisories@xxxxxxxxxx>
Date: Tue, 20 Dec 2005 14:52:51 -0000
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm
Reply-to: <advisories@xxxxxxxxxx>
Thread-index: AcYFdQz86YveZCvvTtOdlpgCkfQpsQ==

----------------------------------------------------------------------
IRM Security Advisory No. 013

Ultraapps Issue Manager is vulnerable to Privilege Escalation

Vulnerablity Type / Importance: Privilege Escalation / High

Problem discovered: November 25th 2005
Vendor contacted: November 25th 2005
Advisory published: December 20th 2005
----------------------------------------------------------------------

Abstract:

Utraapps Issue Manager is a freely available web-based business 
application for tracking issues and tasks during software development 
or other projects involving teams of people. The service is vulnerable 
to a privilege escalation attack that would enable a standard user to 
log into the application as an administrator.

Description:

The vulnerability enables a low privileged user to modify the password 
of the administrator account and therefore escalate privileges. The details 
of the vulnerability are shown below:

In the test configuration there are 2 users:

admin/admin
guest/guest

Log on as a guest and visit the "My profile" link:
http://xxx.xxx.xxx.xxx/UserProfile.aspx

Intercept the request using a web proxy and change the field 
'p_User_user_id' and 'User_user_id' from 2 (which is the guest id) to 1 
(which is the administrator id)

Also, modify the password in the 'User_pass' field.

The user can now log into the admin account with the new password.


The vulnerability is located in the file UserProfile.cs, lines 273-275

if (p_User_user_id.Value.Length > 0) {
  sWhere = sWhere + "user_id=" + CCUtility.ToSQL(p_User_user_id.Value,
CCUtility.FIELD_TYPE_Number);
  }


Tested Versions:

Ultraapps Issue Manager V2.1 


Tested Operating Systems:

Microsoft Windows 2000


Vendor & Patch Information:

Contact was initially made via email on November 25th 2005. HOwever, no 
response was received. A bug report was then submitted to the Ultraapps 
website on December 13th 2005. On December 20th, a patch for the issue 
was published on the site (http://www.ultraapps.com)


Workarounds:

IRM are not aware of any workarounds for this issue.


Credits:

Research & Advisory: Rodrigo Marcos and Andy Davis


Disclaimer:

All information in this advisory is provided on an 'as is'
basis in the hope that it will be useful. Information Risk Management
Plc is not responsible for any risks or occurrences caused
by the application of this information.

A copy of this advisory may be found at:

http://www.irmplc.com/advisories.htm

----------------------------------------------------------------------

Information Risk Management Plc.
Kings Building,
Smith Square, London,
United Kingdom 
SW1P 3JJ
+44 (0)207 808 6420

Prev by Date: IRM 014: Sygate Protection Agent 5.0 vulnerability - A low privileged user can disable the security agent
Next by Date: [ GLSA 200512-11 ] CenterICQ: Multiple vulnerabilities
Previous by thread: IRM 014: Sygate Protection Agent 5.0 vulnerability - A low privileged user can disable the security agent
Next by thread: [ GLSA 200512-11 ] CenterICQ: Multiple vulnerabilities
Index(es):
- Date
- Thread