lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Date: Wed, 27 Sep 2017 21:32:20 -0400
From: Nightwatch Cybersecurity Research <research@...htwatchcybersecurity.com>
To: fulldisclosure@...lists.org
Subject: [FD] Zoho Site24x7 for Android Didn’t Properly Validate SSL

Original post here:
https://wwws.nightwatchcybersecurity.com/2017/09/27/zoho-site24x7-mobile-network-poller-for-android-didnt-properly-validate-ssl-cve-2017-14582/

TITLE

Zoho Site24x7 Mobile Network Poller for Android Didn’t Properly
Validate SSL [CVE-2017-14582]

SUMMARY

Zoho Site24x7 Mobile Network Poller for Android did not properly
validate SSL certificates, and accepted self-signed certificates. This
can potentially result in exposure of sensitive data including
usernames and passwords to an MITM attacker. The vendor fixed this
issue and users should install the latest version (1.1.5 or above).
MITRE has assigned CVE-2017-14582 to track this issue.

DETAILS

Zoho Corporation is a SAAS provider of business applications including
a service called Site 24×7 for monitoring uptime of websites. As part
of this service, the vendor makes available an Android application
that can act as a mobile poller to monitor and feed data into the Site
24×7 service. This application requires a Zoho account to use it.

While performing network level testing, we discovered that the calls
made by the application to the server during login did not properly
validate SSL and accepted self-signed certificates. This potentially
exposed the usernames and passwords of those using the app to an MITM
attacker.

To replicate the issue on v1.1.4:
1. Install the application on the device.
2. Setup an MITM proxy but do not install the SSL certificate on the
device (we used PacketCapture).
3. Start the proxy. At this point all network traffic will be going
through the proxy with the SSL traffic being encrypted by a
self-signed certificate which is not trusted by the device.
4. Go back to the app, and try to login.
5. Flick away the application.
6. Go back to the proxy and observe captured traffic.

All testing was done on Android 7 and application version 1.1.4.
Network captures were performed using an on-device proxy
(PacketCapture) without a trusted SSL certificate.

VENDOR RESPONSE

The issue was reported to the vendor via their bug bounty program. The
vendor fixed the issue in v1.1.5 and released the fixed application in
Google Play.

REFERENCES

CVE ID: CVE-2017-14582
Google Play Link:
https://play.google.com/store/apps/details?id=com.site24x7.android.agent
Zoho Bug Reference # ZVE-2017-0879

BOUNTY INFORMATION

This bug satisfied the requirements of the Zoho Bounty program and a
bounty payment is pending.

CREDITS

Advisory written by Yakov Shafranovich.

TIMELINE

2017-09-10: Initial report to the vendor
2017-09-18: Vendor is working on a fix
2017-09-20: Fixed version released to the Play store
2017-09-20: Re-test on the fixed version
2017-09-23: Request for publication sent
2017-09-27: Request for publication granted
2017-09-27: Public disclosure

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Powered by blists - more mailing lists