Vizensoft Admin Panel Bypass / Backdoor / Upload / XSS / SQL Injection

2014.10.31
Risk: High
Local: No
Remote: Yes
CVE: N/A

SEC Consult Vulnerability Lab Security Advisory < 20141029-0 >
=======================================================================
              title: Multiple critical vulnerabilities
            product: Vizensoft Admin Panel
 vulnerable version: 2014
      fixed version: -
             impact: critical
           homepage: http://www.vizensoft.com
              found: 2014-07-10
                 by: A. Antukh, A. Baranov
                     SEC Consult Vulnerability Lab
                     https://www.sec-consult.com
=======================================================================

Vendor & product description:
=============================

Vizensoft is one of the major software vendors, especially aimed at medical
organizations in Korea. A list of companies and organizations which are using
their software is available on the official websites:

http://www.vizensoft.com/portfolio/index.jsp
http://www.vizenmedical.com/portfolio/index.jsp

"Vizensoft are doing business with online marketing professional IT companies
and individuals in need of a rapidly changing competitive world to discerning
corporate customer's success by providing capabilities of a high quality
Marketing Technology" (translated from Korean)

Source: http://vizensoft.com/about/index.jsp

Business recommendation:
========================

Attackers are able to completely compromise the web application built upon
Vizensoft CMS as they can gain access to the system and database level and
manage the website as an admin without prior authentication!

It is highly recommended by SEC Consult not to use this software until a
thorough security review has been performed by security professionals and all
identified issues have been resolved. It is assumed that further critical
vulnerabilities exist.

Vulnerability overview/description:
===================================

1) Admin Backdoor Account
-------------------------
The MySQL database table "admin" contains a "vizensoft" admin user with user
id 1 with administrative access rights. This user account does NOT show up
within the "User administration" menu when logged in as administrator user
account in the web interface. Hence the password can't be changed there.

2) Authentication Bypass
------------------------
Unauthenticated attackers are able to gain full access to the administrator
panel and thus have total control over the web application, including content
change, reading e-mails, modifying users and abusing e-mail and SMS
functionality.

3) Arbitrary File Upload
------------------------
At least two vulnerable pages exist where unauthenticated attackers are able
to upload arbitrary files on the server. Furthermore, due to insufficient
validation it is possible to bypass file extension checks and execute uploaded
files, which leads directly to a complete server compromise.

4) Multiple Cross Site Scripting issues
---------------------------------------
Vizensoft CMS suffers from multiple cross-site scripting vulnerabilities,
which allow an attacker to steal other users' sessions, to impersonate other
users and to gain unauthorized access to the web interface and user messages.

5) Multiple unauthenticated SQL injection issues
------------------------------------------------
The web application framework suffers from multiple SQL injection
vulnerabilities that can be exploited without prior authentication! By
exploiting this vulnerability, an attacker gains access to all records stored
in the database with the privileges of the database user.

6) Source Code Disclosure
-------------------------
The default installation of Vizensoft CMS opens a large spectrum for
information gathering for the attacker. It is possible to disclose source code
of the application, configuration files and even steal passwords for direct
connection to the database.

7) Missing Password Policy
--------------------------
The password policy used in the CMS does not restrict the complexity of the
password in any way, which makes users of the application vulnerable to
possibly bad passwords and further attacks on their accounts such as guessing
and brute-forcing.

Proof of concept:
=================

The proof of concept information has been removed from this advisory as the
vendor failed to respond within 50 work days and does not provide a fix.

1) Admin Backdoor Account
-------------------------
The password hash (MySQL SHA-1) of the hidden admin user "vizensoft" is:
[removed]

The user does not show up within the admin web interface even when logged in
as an administrator. Moreover, due to an intentionally left backdoor login
page, it is possible to disclose the password, thus making any system which is
built on Vizensoft CMS vulnerable. The link to the backdoor page is presented
below:
[removed]

Credentials for authentication are the following:
vizensoft:[removed]

Detailed proof of concept exploits have been removed for this vulnerability.

2) Authentication Bypass
------------------------
The login form for the administration panel of the Vizensoft CMS can be
accessed at the following URL:
[removed]

If an attacker tries to access the admin panel without valid authentication,
a confirmation window, demanding to proceed to the login form, is shown. This
confirmation window can be bypassed and the attacker then gains access to the
admin panel.

Detailed proof of concept exploits have been removed for this vulnerability.

3) Arbitrary File Upload
------------------------
The following script can be accessed by an unauthenticated attacker in order
to upload arbitrary files to the [removed] directory:
[removed]

The common problem here is that the filename extension checks are only done on
the client and not on the server side, which makes it extremely easy for an
attacker to circumvent them and upload a desired file anyway.

Moreover, due to a vulnerable photo uploader packaged in a default
installation of Vizensoft CMS, it is possible to bypass the default checks and
upload any file to the server in order to later execute it on the server and
gain full access to the system. The HTML page used to upload images resides at
the following URL:
[removed]

Detailed proof of concept exploits have been removed for this vulnerability.

4) Multiple Cross Site Scripting issues
---------------------------------------
The following URLs are examples for reflected XSS (list is not complete):
[removed]

It is assumed that further scripts are vulnerable to XSS!

Detailed proof of concept exploits have been removed for this vulnerability.

5) Multiple unauthenticated SQL injection issues
------------------------------------------------
The following sample request (no authentication needed!) will return the
concatenated string AABB in the error message, which proves the existence of
SQL injection.
[removed]

Further exploitation allows an attacker to extract usernames and passwords
from the 'admin' table. Since all passwords are hashed using MySQL SHA-1
without a salt and since the password policy is not strict, it's easy to
brute-force extracted passwords using standard means.

Further affected scripts and parameters (list not complete):
[removed]

It is assumed that further SQL injection vulnerabilities exist!

Detailed proof of concept exploits have been removed for this vulnerability.

6) Source code disclosure
-------------------------
The following script can be used to retrieve the content of any file in the
web root directory:
[removed]

For example, the following files (both configuration and default functional)
can be retrieved via this script:
[removed]

This is extremely dangerous, since some of them contain configuration
information for the SQL server such as the connection string, username and
cleartext password. More files with hardcoded passwords can be obtained; for
example, [removed] contains hard-coded passwords for external services.

Detailed proof of concept exploits have been removed for this vulnerability.

7) Missing Password Policy
--------------------------
No proof of concept necessary.

Vulnerable / tested versions:
=============================

The vulnerabilities have been verified to exist in the latest version of
Vizensoft Admin Panel 2014. It is assumed previous releases are affected too.

Vendor contact timeline:
------------------------
2014-09-09: Contacted vendor through vizensoft@vizensoft.com, requesting
            encryption keys and attaching responsible disclosure policy.
            No response.
2014-09-12: Contacted vendor through service@vizensoft.com,
            question@vizensoft.com, info@vizensoft.com and
            support@vizensoft.com, requesting encryption keys and attaching
            responsible disclosure policy. No response.
2014-10-20: Reminder sent, stating the latest possible release date of
            29/10/2014.
2014-10-29: SEC Consult releases security advisory.

Solution:
---------
It is recommended to suspend use of the product until a security update is
released and a detailed security review of the product has been performed.

Workaround:
-----------
No workaround available.

Advisory URL:
-------------
https://www.sec-consult.com/en/Vulnerability-Lab/Advisories.htm

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

SEC Consult Vulnerability Lab

SEC Consult
Vienna - Bangkok - Frankfurt/Main - Montreal - Singapore - Vilnius - Zurich

Headquarter:
Mooslackengasse 17, 1190 Vienna, Austria
Phone:   +43 1 8903043 0
Fax:     +43 1 8903043 15

Mail:    research at sec-consult dot com
Web:     https://www.sec-consult.com
Blog:    http://blog.sec-consult.com
Twitter: https://twitter.com/sec_consult

EOF A. Antukh / @2014
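The root cause named in section 3 is that filename extension checks run only in the client. The following is an added example (not Vizensoft's code, not part of the advisory) of the server-side validation an image uploader needs; the allowlist, the magic-byte table and the filename rule are constructed for the example:

```python
import os
import re

# Allowlisted image extensions and the file signatures each must start with.
# Constructed for this example; extend to match the upload form's real needs.
ALLOWED = {
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "gif": (b"GIF87a", b"GIF89a"),
}
# Only a plain single-component stem is accepted for the stored name.
SAFE_STEM = re.compile(r"^[A-Za-z0-9_-]{1,64}$")


def validate_upload(client_filename: str, data: bytes):
    """Return (ok, reason, stored_name).

    Everything the client sends (name and body) is untrusted: the name is
    reduced to a basename, the extension is checked against an allowlist,
    and the declared type must agree with the actual file content.
    """
    # Strip any directory components, whatever separator the client used.
    base = os.path.basename(client_filename.replace("\\", "/"))
    stem, dot, ext = base.rpartition(".")
    if not dot or not stem:
        return False, "missing extension", None
    ext = ext.lower()
    if ext not in ALLOWED:
        return False, f"extension .{ext} not allowed", None
    # A second extension in the stem (e.g. name.jsp.jpg) is rejected outright
    # instead of guessing which part the web server will act on.
    if "." in stem:
        return False, "multiple extensions not allowed", None
    if not SAFE_STEM.match(stem):
        return False, "unsafe characters in filename", None
    # The body must look like the type the extension claims; a script body
    # with an image extension fails here even though the name passed.
    if not any(data.startswith(sig) for sig in ALLOWED[ext]):
        return False, "content does not match declared type", None
    return True, "ok", f"{stem}.{ext}"
```

Storing accepted files outside the web root, or serving them from a location where the server will never execute anything, is the complementary control this check does not replace.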