[<prev] [next>] [day] [month] [year] [list]
Message-ID: <CAAyEnSOw+AdaHN0jk5+RKckdukr3kUQqQS-kEfvmi8OX+LOJZw@mail.gmail.com>
Date: Wed, 27 Sep 2017 21:32:20 -0400
From: Nightwatch Cybersecurity Research <research@...htwatchcybersecurity.com>
To: fulldisclosure@...lists.org
Subject: [FD] Zoho Site24x7 for Android Didn’t Properly Validate SSL
Original post here:
https://wwws.nightwatchcybersecurity.com/2017/09/27/zoho-site24x7-mobile-network-poller-for-android-didnt-properly-validate-ssl-cve-2017-14582/
TITLE
Zoho Site24x7 Mobile Network Poller for Android Didn’t Properly
Validate SSL [CVE-2017-14582]
SUMMARY
Zoho Site24x7 Mobile Network Poller for Android did not properly
validate SSL certificates, and accepted self-signed certificates. This
can potentially result in exposure of sensitive data including
usernames and passwords to an MITM attacker. The vendor fixed this
issue and users should install the latest version (1.1.5 or above).
MITRE has assigned CVE-2017-14582 to track this issue.
DETAILS
Zoho Corporation is a SAAS provider of business applications including
a service called Site 24×7 for monitoring uptime of websites. As part
of this service, the vendor makes available an Android application
that can act as a mobile poller to monitor and feed data into the Site
24×7 service. This application requires a Zoho account to use it.
While performing network level testing, we discovered that the calls
made by the application to the server during login did not properly
validate SSL and accepted self-signed certificates. This potentially
exposed the usernames and passwords of those using the app to an MITM
attacker.
To replicate the issue on v1.1.4:
1. Install the application on the device.
2. Setup an MITM proxy but do not install the SSL certificate on the
device (we used PacketCapture).
3. Start the proxy. At this point all network traffic will be going
through the proxy with the SSL traffic being encrypted by a
self-signed certificate which is not trusted by the device.
4. Go back to the app, and try to login.
5. Flick away the application.
6. Go back to the proxy and observe captured traffic.
All testing was done on Android 7 and application version 1.1.4.
Network captures were performed using an on-device proxy
(PacketCapture) without a trusted SSL certificate.
VENDOR RESPONSE
The issue was reported to the vendor via their bug bounty program. The
vendor fixed the issue in v1.1.5 and released the fixed application in
Google Play.
REFERENCES
CVE ID: CVE-2017-14582
Google Play Link:
https://play.google.com/store/apps/details?id=com.site24x7.android.agent
Zoho Bug Reference # ZVE-2017-0879
BOUNTY INFORMATION
This bug satisfied the requirements of the Zoho Bounty program and a
bounty payment is pending.
CREDITS
Advisory written by Yakov Shafranovich.
TIMELINE
2017-09-10: Initial report to the vendor
2017-09-18: Vendor is working on a fix
2017-09-20: Fixed version released to the Play store
2017-09-20: Re-test on the fixed version
2017-09-23: Request for publication sent
2017-09-27: Request for publication granted
2017-09-27: Public disclosure
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
Powered by blists - more mailing lists