lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <CABw-CDHWrkmzhNxXaxEzPOQHQtH71vV=X0aBhOVEhP88_Cd-6w@mail.gmail.com>
Date: Wed, 6 Mar 2013 12:13:50 -0600
From: Just Bugs <sometimesbugs@...il.com>
To: bugtraq@...urityfocus.com
Subject: Verax NMS Authenication Bypass (CVE-2013-1350)

Verax NMS Authenication Bypass (CVE-2013-1350)

I. BACKGROUND
----------------------
Verax NMS provides a service-oriented, unified
management & monitoring of networks, applications
and infrastructure enabling quick problem detection,
root-cause analysis, reporting and automating recovery,
reducing costs and shortening downtimes of IT service delivery.

Source: http://www.veraxsystems.com/en/products/nms

II. DESCRIPTION
----------------------
Verax NMS suffers from multiple authentication and
authorization flaws which allow a remote attacker to
add and delete users, change the passwords of other users,
and access other critical application data.  These issues
stem from unauthenticated methods, such as userGroupService.getAllGroups(),
which fail to validate that the user either 1) has ownership or
access rights to the requested objects/resources and 2) fails to
confirm whether or not the caller has properly authenticated to the
application and still maintains a valid session.

The below Python code can be used to test vulnerable installations.  If
successful, the response will contain an array of user objects which
includes all user details, such as username, password, e-mail address, etc.
----------------------
 #!/usr/bin/python

 #just based on http://www.pyamf.org/tutorials/general/client.html#basic-example
 from pyamf import AMF0, AMF3
 from pyamf.remoting.client import RemotingService

 client = RemotingService('http://installationurl/enetworkmanagementsystem-fds/messagebroker/amf',
amf_version=AMF3)
 service = client.getService('userService')

 print service.getAllUsers()
----------------------

III. AFFECTED PRODUCTS
----------------------
All versions of Verax NMS prior to 2.1.0 are vulnerable.

IV. RECCOMENDATION
----------------------
Users should upgrade to version 2.1.0 of Verax NMS.

V. CREDIT
----------------------
This vulnerability was discovered by Andrew Brooks.

VI. REFERENCES
----------------------
CVE-2013-1350
http://download.veraxsystems.com/download/nms-2.1.0-release-notes.txt

VII. TIMELINE
----------------------
1/10/2013 - Vendor notified
1/11/2013 - Vendor acknowledges bug report
2/20/2013 - Vulnerability remediated and pushed to mainline

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ