Trustwave's SpiderLabs Security Advisory TWSL2010-007:
Passlogix v-GO Self-Service Password Reset Bypass via Invalid SSL Certificate
https://www.trustwave.com/spiderlabs/advisories/TWSL2010-007.txt
Published: 2010-12-10 Version: 1.0
Vendor: Oracle Passlogix (http://www.passlogix.com/)
Product: Passlogix v-GO Self-Service Password Reset and OEM versions
Version(s) affected: Versions prior to 7.0A - note that no currently supported
release is affected
Internet Explorer Versions Vulnerable: IE6, IE7
Product description:
Passlogix v-GO SSPR provides users with a fast, secure way to regain access to
their computer by automating Windows password reset. Users can reset their
password or unlock their Windows account directly from their locked out
workstation, so that they can get to their applications within seconds - without
having to pick up the telephone or go to another workstation.
Credit: Garrett Held of Trustwave's SpiderLabs
CVE: CVE-2010-4506
Finding:
When a user clicks the button on the login window to reset their Windows
or AD password, a locked-down IE browser shows a form to answer questions
before allowing a reset. If for any reason an invalid SSL Certificate is
used by the password reset site, the resulting Internet Explorer alert will
ask if the user would like to accept, deny, or view the details. By
navigating through the windows using the following method, a user can execute
a program without authentication.
When the certificate error popup is shown there will be three tabs:
"General", "Details", and "Certification Path" Choose the "Details" tab then
click on the "Copy to File" button that is now shown in the bottom right.
This will cause a "Certificate Export" wizard to appear.
Click the "Next >" button until you reach the "File To Export" page
(third page) which displays a "Browse" button. Click this and a "Save As"
dialog box will appear which also allows you to navigate the filesystem. You
can now browse the file system for executables such as "explorer.exe" and
launch an application by right clicking the file and selecting "Open".
While an SSL certificate left to expire may create this problem, other
methods may be used to induce certificate failures, such as:
* Man-In-The-Middle attack, which requires network access to spoof the
router and relay any certificate back to client except a valid one.
* System settings change, such as a future date, which would not match the
certificate.
Vendor Response:
Vendor confirmed this vulnerability was patched in version 7.0A, released in
November of 2009.
Remediation Steps:
This issue was addressed with the release of v-GO SSPR 7.0A. Passlogix has since
been acquired by Oracle, and the current release is Oracle ESSO 11.1.1.2.0.
Please note that this vulnerability does not affect any currently supported or
available versions.
Vendor Communication Timeline:
11/1/10 - Vendor contacted
11/8/10 - Vendor confirmed vulnerability was addressed with release of 7.0A
12/3/10 - Vendor notified of release date
12/10/10 - Advisory released
Revision History:
1.0 Initial publication
About Trustwave:
Trustwave is the leading provider of on-demand and subscription-based
information security and payment card industry compliance management solutions
to businesses and government entities throughout the world. For organizations
faced with today's challenging data security and compliance environment,
Trustwave provides a unique approach with comprehensive solutions that include
its flagship TrustKeeper compliance management software and other proprietary
security solutions. Trustwave has helped thousands of organizations--ranging
from Fortune 500 businesses and large financial institutions to small and
medium-sized retailers--manage compliance and secure their network
infrastructure, data communications and critical information assets. Trustwave
is headquartered in Chicago with offices throughout North America, South
America, Europe, Africa, China and Australia. For more information, visit
https://www.trustwave.com
About Trustwave's SpiderLabs:
SpiderLabs is the advance security team at Trustwave responsible for incident
response and forensics, ethical hacking and application security tests for
Trustwave's clients. SpiderLabs has responded to hundreds of security incidents,
performed thousands of ethical hacking exercises and tested the security of
hundreds of business applications for Fortune 500 organizations. For more
information visit https://www.trustwave.com/spiderlabs
Disclaimer:
The information provided in this advisory is provided "as is" without warranty
of any kind. Trustwave disclaims all warranties, either express or implied,
including the warranties of merchantability and fitness for a particular
purpose. In no event shall Trustwave or its suppliers be liable for any damages
whatsoever including direct, indirect, incidental, consequential, loss of
business profits or special damages, even if Trustwave or its suppliers have
been advised of the possibility of such damages. Some states do not allow the
exclusion or limitation of liability for consequential or incidental damages so
the foregoing limitation may not apply.