Remote access to NeuSecure/Netcool backend database via web interface credentials leakage

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: Remote access to NeuSecure/Netcool backend database via web interface credentials leakage
From: D.Snezhkov <dsnezhkov@xxxxxxxxx>
Date: Wed, 8 Mar 2006 11:05:58 -0600
Domainkey-signature: a=rsa-sha1; q=dns; c=nofws; s=beta; d=gmail.com; h=received:message-id:date:from:to:subject:mime-version:content-type:content-transfer-encoding:content-disposition; b=c2xJZPXyeBrRkiAubFtAFW/4c60h2gCEvzoTrzKGgYkbrpfw5WCDI0j5o3NA4F9e1eQkTHu6Z8KcZIR3BdKOakd+EIbo4s/G/u+OMXNNZchhy2C4/nhaE6NZ/JJpXgxaP6J4PG9RhmD18iUsInAUN8LzNL7pJ+QZbCR1SE9Fi8c=
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm

               -=     DDSi Security Report  =-
                       March 8th, 2006

------------------------------
---------------------------------------------------------------------------
Another credentials leak  was found in Netcool/NeuSecure Security Information
Management platform which leads to remote backend database access
with administrative privileges by an unauthenticated remote user



Problems :

- Web interface Applet parameters have credentials stored in clear
   which allows access to backend database.
- Version  information leak.


About NeuSecure:

--------------------------------------------------------------------------------------------------------------------------
Netcool/NeuSecure is a security information management (SIM) platform
designed to improve the effectiveness, efficiency and visibility of
security operations and information risk management. The solution
centralizes and stores security data from throughout the enterprise,
automating incident recognition and response, streamlining incident
handling, enabling policy monitoring enforcement and providing
comprehensive reporting for regulatory compliance. The centralization
and automation of these functions results in reduced costs of security
and IT operations

---------------------------------------------------------------------------------------------------------------------------------

Platform : RedHat EL 3
------------------------------

JReports-NeuSecure-3.0.236-1
common-NeuSecure-3.0.236-1
cms-NeuSecure-3.0.236-1
---------------------------------------------------------------------------------------------------------------------------------






Procedure:
----------------------------------------------

Web client mozilla 1.5.0.1
Navigate to company;s Neusecure Server Website:

http://neusecuresrv.domain.com/body.phtml

View source :

SCRIPT LANGUAGE="JAVASCRIPT"

var ap_width = '';
var ap_height = '';
var paramNameArray = ["ARCHIVE", "CODEBASE", "CODE", "EVENT_LIMIT",
"FiresScriptEvents", "MAYSCRIPT", " database.CMS_DBTYPE",
"database.CMS_DBNAME", "database.CMSM_DBNAME", "database.CMS_DBHOST",
"database.CMS_DBUSER", "database.CMS_DBPASS", "agent_count_limit", "
triton.ticket.export", "username", "sessionid",
"javaplugin.jre.params", "database.java.connectionURL"];
var paramValueArray = ["JavaClasses.jar", ".", "
Triton.TritonApplet.class", "", "true", "true", "mysql", "nsdbp",
"nsdbm", "localhost", "ns", " password", "2000", "", "",
"fb9ad3ab8968e88e4a576f598b39d6
1e", "-Xmx512M -Xms256M", "   http://neusecure.domain.com:80/getData.php";];
browser.constructApplet('TritonApplet', paramNameArray,
paramValueArray, ap_width, ap_height);

SCRIPT


Outcome:
-----------------------------------------

- Default settings for database  user [ns] allows connection from any host.
- These credentials are used to connect to NeuSecure  backend Mysql
database with the  following privileges:

Alter                              Tables                             
            To alter the table
Create temporary tables     Databases                             To
use CREATE TEMPORARY TABLE
Create                    Databases,Tables,Indexes     To create new
databases and tables
Delete                             Tables                             
           To delete existing rows
Drop                             Databases,Tables                 To
drop databases and tables
File                            File access on server                
To read and write files on the server
Grant option                Databases,Tables                 To give
to other users those privileges you possess
Index                            Tables                               
         To create or drop indexes
Insert                            Tables                              
           To insert data into tables
Lock tables                 Databases                             To
use LOCK TABLES (together with SELECT privilege)
Process                Server Admin                             To
view the plain text of currently executing queries
References                Databases,Tables                 To have
references on tables
Reload                      Server Admin                            
To reload or refresh tables, logs and privileges
Replication client           Server Admin                            
To ask where the slave or master servers are
Replication slave     Server Admin                             To read
binary log events from the master
Select                           Tables                               
         To retrieve rows from table
Show databases     Server Admin                             To see all
databases with SHOW DATABASES
Shutdown                Server Admin                             To
shutdown the server
Super                            Server Admin                         
   To use KILL thread, SET GLOBAL, CHANGE MASTER, etc.
Update                           Tables                               
         To update existing rows
Usage                            Server Admin                         
    No privileges - allow connect only




*    Also,  under Mozilla client applet  renders to  provide a  Help
button which gives out the version
     of the NeuSecure product and it's service pack version.
     So far IE6 does not display applet in a way to glean this information.




Workaround:
    One can change access permissions for user ns in the database
     to include only valid hosts to prevent direct backend logins.


Conclusion:

 - Vendor needs to validate user session before accessing the applet.
  - Vendor  should not store credential cleartext.

---------------------------------------------------------------------------------------------

Vendor  communication:

   Attempt to make the vendor aware of this problem was ignored.




Thanks,

Dimitry Snezhkov.
DDSi

Prev by Date: M-Phorum Cross Site Scripting
Next by Date: ADP Forum 2.0,* script İnjection
Previous by thread: M-Phorum Cross Site Scripting
Next by thread: ADP Forum 2.0,* script İnjection
Index(es):
- Date
- Thread