| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Wed, 27 Sep 2017 21:32:20 -0400 From: Nightwatch Cybersecurity Research <research@...htwatchcybersecurity.com> To: fulldisclosure@...lists.org Subject: [FD] Zoho Site24x7 for Android Didn’t Properly Validate SSL Original post here: https://wwws.nightwatchcybersecurity.com/2017/09/27/zoho-site24x7-mobile-network-poller-for-android-didnt-properly-validate-ssl-cve-2017-14582/ TITLE Zoho Site24x7 Mobile Network Poller for Android Didn’t Properly Validate SSL [CVE-2017-14582] SUMMARY Zoho Site24x7 Mobile Network Poller for Android did not properly validate SSL certificates, and accepted self-signed certificates. This can potentially result in exposure of sensitive data including usernames and passwords to an MITM attacker. The vendor fixed this issue and users should install the latest version (1.1.5 or above). MITRE has assigned CVE-2017-14582 to track this issue. DETAILS Zoho Corporation is a SAAS provider of business applications including a service called Site 24×7 for monitoring uptime of websites. As part of this service, the vendor makes available an Android application that can act as a mobile poller to monitor and feed data into the Site 24×7 service. This application requires a Zoho account to use it. While performing network level testing, we discovered that the calls made by the application to the server during login did not properly validate SSL and accepted self-signed certificates. This potentially exposed the usernames and passwords of those using the app to an MITM attacker. To replicate the issue on v1.1.4: 1. Install the application on the device. 2. Setup an MITM proxy but do not install the SSL certificate on the device (we used PacketCapture). 3. Start the proxy. At this point all network traffic will be going through the proxy with the SSL traffic being encrypted by a self-signed certificate which is not trusted by the device. 4. Go back to the app, and try to login. 5. Flick away the application. 6. Go back to the proxy and observe captured traffic. All testing was done on Android 7 and application version 1.1.4. Network captures were performed using an on-device proxy (PacketCapture) without a trusted SSL certificate. VENDOR RESPONSE The issue was reported to the vendor via their bug bounty program. The vendor fixed the issue in v1.1.5 and released the fixed application in Google Play. REFERENCES CVE ID: CVE-2017-14582 Google Play Link: https://play.google.com/store/apps/details?id=com.site24x7.android.agent Zoho Bug Reference # ZVE-2017-0879 BOUNTY INFORMATION This bug satisfied the requirements of the Zoho Bounty program and a bounty payment is pending. CREDITS Advisory written by Yakov Shafranovich. TIMELINE 2017-09-10: Initial report to the vendor 2017-09-18: Vendor is working on a fix 2017-09-20: Fixed version released to the Play store 2017-09-20: Re-test on the fixed version 2017-09-23: Request for publication sent 2017-09-27: Request for publication granted 2017-09-27: Public disclosure _______________________________________________ Sent through the Full Disclosure mailing list https://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: http://seclists.org/fulldisclosure/
Powered by blists - more mailing lists