Eleytt Research www.eleytt.com Overview: ==================== Michal Bucko, Eleytt, www.eleytt.com/michal.bucko Tomasz Polis, Eleytt Credit: ==================== Michal Bucko, Eleytt, www.eleytt.com/michal.bucko Mateusz Jurczyk (in cooperation with Eleytt Research, for Gadu-Gadu "emots.txt" vulnerability) Vulnerability Table =================== 1. IBM Tivoli Provisioning Manager Express Multiple Cross-Site Scripting Vulnerabilities 2. IBM Tivoli Provisioning Manager Express Remote Username Enumeration Weakness 3. Computer Associates eTrust Threat Management Console IP Address HTML Injection Weakness 4. Gadu-Gadu Skin Attribute Handling Remote Denial of Service Vulnerability 5. Gadu-Gadu Remote User Addition Vulnerability Vulnerability found by Mateusz Jurczyk (j00ru) working with Eleytt Research ============================================================= Disclaimer: Eleytt Research cooperates with external security researchers. 6. Gadu-Gadu "emots.txt" Arbitrary Code Execution Vulnerability Vulnerability Details ========================= ========================= 1. IBM Tivoli Provisioning Manager Express Multiple Cross-Site Scripting Vulnerabilities =========================================================== IBM Tivoli Provisioning Manager Express (http://127.0.0.1/tpmx) is vulnerable to multiple cross-site scripting vulnerabilities, e.g. assess modification, user-id etc. are not properly sanitized. This might lead to remote java script code execution (cookie theft, redirection, HTML injection etc.) Error processing is also vulnerable to cross-site scripting. 2. IBM Tivoli Provisioning Manager Express Remote Username Enumeration Weakness ======================================================= IBM Tivoli Provisioning Manager Express is vulnerable to remote username enumeration vulnerability. When trying to create a new user with 'username' value that already exists, one receives certain information about the problem. The problem is even more serious as the login page is not crawler-protected, thus automated brute-force attacks on certain acccounts might be possible. This might lead to further attacks based on the information obtained. 3. Computer Associates eTrust Threat Management Console IP Address HTML Injection Weakness ==================================================== IP Address (and various other) are prone to HTML injection weakness. No exploit is required. Further investigation has not been performed, other weaknesses might also be possible. 4. Gadu-Gadu Skin Attribute Handling Remote Denial of Service Vulnerability ========================================================= Improper "skin" attribute handling by the (by default) registered protocol handler (gadu-gadu protocol "gg") leads to resource consumption based denial of service conditions. Gadu Gadu cannot be running on the remote machine, only installed. The vulnerability might be exploited via a web browser. The attacker should entice the unaware victim to open a specially crafted link. More verbose information has been provided directly to Gadu-Gadu. 5. Gadu-Gadu Remote Unspecified User Addition Vulnerability ======================================================== Popular communicator allows remote user addition as the result of improper protocol handling (protocol handler "gg" is registered by default). The vulnerability might be exploited via a web browser. The attacker should lead to unaware victim opening the specially crafted link. It might be also possible to send gadu-gadu request from unauthorized users, but this has not been proven nor confirmed yet. This vulnerability might also allow to perform denial of service attacks under certain conditions. More verbose information has been provided directly to respective software vendor. Eleytt Research cooperates with external security researchers! ============================================================== ============================================================== 6. Gadu-Gadu "emots.txt" Arbitrary Code Execution Vulnerability ============================================================ The vulnerability has already been disclosed by a 3rd party security research team, in cooperation with Eleytt Research. Mateusz Jurczyk (j00ru) in cooperation with Eleytt Research is credited with the discovery of the vulnerability. This vulnerability has already been disclosed and vendor has been given provided with information. Meet Our Business Continuity Program! ===================================== Eleytt offers Eleytt Business Continuity Program. What is it? - Long-term continous security audits - Security consulting and training - Security policy compliance issues For more information, please refer to eleytt.com, http://www.eleytt.com Eleytt - Company Information ============================ Eleytt Corporation is specialized in penetration testing, vulnerability development, advanced reverse engineering and exploitation techniques. Eleytt provides various security-related services: risk assessment, security policy, security assurance, incident management, web application security testing, continuous security assurance programs. Eleytt provides security audits for financial institutions and e-commerce. Eleytt provides an in-depth security analysis - experienced security experts analyze your source code, analyze your application, analyze your web application. Eleytt runs security programs for financial institutons and e-commerce. We have the mission to improve the security level of software and web applications. It is us who help you implement more secure applications. We help you understand the risk and deploy security solutions. We help you avoid costly business disruptions. These are the questions, which might help you understand how we work: ===================================================================== Want to get your web site checked for security vulnerabilities? Your server requires real penetration testing? Interested in Eleytt Business Continuity Program? Interested in Eleytt Application Security Program? For more information, please use: http://www.eleytt.com DISCLAIMER ========== This document and all the information it contains are provided "as is", for educational purposes only, without warranty of any kind, whether express or implied. The authors reserve the right not to be responsible for the topicality, correctness, completeness or quality of the information provided in this document. Liability claims regarding damage caused by the use of any information provided, including any kind of information which is incomplete or incorrect, will therefore be rejected.