lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <557D8C44.10504@musalbas.com>
Date: Sun, 14 Jun 2015 15:14:28 +0100
From: Mustafa Al-Bassam <mus@...albas.com>
To: fulldisclosure@...lists.org
Subject: [FD] E-Detective Lawful Interception System - multiple security
	vulnerabilities

Advisory:	E-Detective Lawful Interception System
		multiple security vulnerabilities
Date:		14/06/2015
CVE:		unassigned
Authors:	Mustafa Al-Bassam (https://musalbas.com)
		slipstream/RoL (https://twitter.com/TheWack0lian)
Software:	Decision Group E-Detective Lawful Interception System
Vendor URL:	http://www.edecision4u.com/

Software description:

"E-Detective is a real-time Internet interception, monitoring and
forensics system that captures, decodes, and reconstructs various types
of Internet traffic. It is commonly used for organization Internet
behavioral monitoring, auditing, record keeping, forensics analysis, and
investigation, as well as, legal and lawful interception for lawful
enforcement agencies such as Police Intelligence, Military Intelligence,
Cyber Security Departments, National Security Agencies, Criminal
Investigation Agencies, Counter Terrorism Agencies etc."

Vulnerabilities:

1) Unauthenticated Local File Disclosure
Proof-of-concept:
https://github.com/musalbas/edetective-poc/blob/master/pwned-detective.py

The /common/download.php in the web root allows for an unauthenticated
user to read any file on the system that the web user has access to.
This includes database credentials and any traffic intercepts captured
by the system.

The "file" parameter is "protected" by inadequate "cipher": base64
followed by rot40, which is trivially reversible.

2) Authenticated Remote Code Execution

The restore feature in the "config backup" page extracts a .tar file
encrypted with OpenSSL blowfish into the root directory (/) as root.

The .tar file should be encrypted with the static key "/tmp/.charlie".
Yes, that's the actual key - they pass the wrong argument to OpenSSL.
They used -k instead of -kfile, thus the key is the path of the key file
rather than the contents of the key file.

This enables an attacker to upload a shell into the web root, or
overwrite any system files such as /etc/shadow.


Download attachment "signature.asc" of type "application/pgp-signature" (820 bytes)


_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ