RE: Computer Associates eTrust Security Command Center Multiple Vulnerabilities

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: RE: Computer Associates eTrust Security Command Center Multiple Vulnerabilities
From: "Patrick Webster" <patrick@xxxxxxxxxxx>
Date: Fri, 22 Sep 2006 18:03:34 +1000
Domainkey-signature: a=rsa-sha1; q=dns; c=nofws; s=beta; d=gmail.com; h=received:message-id:date:from:sender:to:subject:mime-version:content-type:content-transfer-encoding:content-disposition:x-google-sender-auth; b=jtIA5YsZQKldAUq8rUVd71IwPOBgC961+ZqcUVG+yYD6f7H0d/TEFqpefNaKrTAFXjQyOBrL7lXB3oY23bpFxYBPXOZ+dUv0+ger6hP5824e+9jVBWexSquqIZbd1kAaWr+v8t6OFhzmvi8dcPZFtJG2XQrZDxOOY/MkHVvbFOc=
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm
Sender: aushack@xxxxxxxxx

aushack.com - Vulnerability Advisory
-----------------------------------------------
Release Date:
22-Sep-2006

Software:
Computer Associates - eTrust Security Command Center
http://www3.ca.com/solutions/Product.aspx?ID=4351

"eTrust Security Command Center helps you discover and prioritize
relevant security data to effectively manage your security risks in real
time. By correlating security risks to assets, you can take corrective
action and investigate security incidents through a centralized command
and control center."

Versions affected:
eTrust Security Command Center 1.0, r8, r8 SP1 CR1 and r8 SP1 CR2.
eTrust Audit 1.5 and r8.

Vulnerabilities discovered:

1) Reveal web server path.

2) Read and delete arbitrary files from the host server under
   the service account, generally LocalSystem.

3) The event alerting does not use authentication, and as such is
   vulnerable to external replay attacks, similar to IDS replay attacks.

Vulnerability impact:

Medium - A malicious authenticated user may read and delete arbitrary
          files, whilst an unauthenticated attacker may use a replay
          attack to distract staff from tracking real events, and/or
          denial of service by consuming disk space with false alerts.  

Vulnerability information

The software is operated by use of a web browser. Authenticated users have
access to the various security reports and functions, which generally do
not verify user controlled parameters.

1) The 'ePPIServlet' script returns a detailed path error when sent the
quote character [ ' ] as part of the 'PIProfile' function.

2) The 'eSMPAuditServlet' class contains a function, 'getadhochtml',
which is used to provide reporting functionality. The component generates
reports in a temporary file location, returns the file contents to the
web client, then deletes it... but does not validate the path.

3) There is an API function to create your own alerts: eTSAPISend.exe.
The service does not use any authentication, so the attacker may script
the binary to send thousands of false-positive alerts to the Security
Command Center, diverting attention and resources from real threats.

Examples (lines have been wrapped):

 1) https://escc-server.example.com:8080/etrust/servlet/ePPIServlet?
 PIProfile=eAV_Report's&PIName=Generate+Pre-7.1+Report+Data&profile=
 Threat+Management&node=

 Would return an error similar to: "Cannot read profile:
 C:\Program Files\Computer Associates\eTrust\Command Centre\servlet\.. "

 2) https://escc-server.example.com:8080/etrust/servlet/eSMPAuditServlet?
 verb=getadhochtml&eSCCAdHocHtmlFile=../../../../../../../boot.ini

 Assuming the product was installed on the C drive, this will return the
 contents of c:\boot.ini to the client, then immediately delete it, e.g:

 [boot loader]
 timeout=30
 default=multi(0)disk(0)rdisk(0)partition(1)\WINNT
 [operating systems]
 multi(0)disk(0)rdisk(0)partition(1)\WINNT="Windows 2003 Server"

 3) An example Windows Logon failure event would be similar to:

 C:\> etsapisend.exe -nod $dstIP -cat "System Access" -opr Logon
 -sta F -nam NT-Security -loc \\Domain\IIS_Server -usr System -evt 70
 -src Security -nid 529 -inf "Logon Failure"

Exploitation Requirement:

 Fortunately, the web service requires product based authentication prior
 to execution for 1 and 2. Unfortunately, the product ships with multiple
 default usernames and passwords, which although unlikely, may still be
 present. The default username:password pairs are below:

 eadmin:eadmin
 iam:iam
 threat:threat
 admin:admin

For point 3, the $dstIP must have the Audit Router socket open (tcp/111).

Solution:
1) Fixes QO81875, QO81758, QO81862, QO81863 ...

2) Fixes QO81851, QO81876, QO81878 can be found at:

http://supportconnectw.ca.com/public/eTrust/eTrust_scc/downloads/eTrustscc_updates.asp

3) No solution - use perimeter based firewalls.

References:
aushack.com advisory
http://www.aushack.com/advisories/200608-computerassociates.txt

Credit:
Patrick Webster ( patrick@xxxxxxxxxxx )

Thanks to the CA Security team for their quick response.

Disclosure timeline:
21-Jan-2006 - Vulnerabilities discovered.
04-Aug-2006 - Sent to Computer Associates Security Advisor.
04-Aug-2006 - Vendor response & verification.
19-Sep-2006 - Vendor patch release.
22-Sep-2006 - Public disclosure.

EOF

Prev by Date: Eskolar CMS Remote Sql Injection
Next by Date: ContentKeeper Authenticated Access Password Disclosure
Previous by thread: Eskolar CMS Remote Sql Injection
Next by thread: ContentKeeper Authenticated Access Password Disclosure
Index(es):
- Date
- Thread