PasswordManager Pro 6.1 Script Injection Vulnerability

2009.12.25
Credit: scip
Risk: Low
Local: No
Remote: Yes
CWE: CWE-79


CVSS Base Score: 4.3/10
Impact Subscore: 2.9/10
Exploitability Subscore: 8.6/10
Exploit range: Remote
Attack complexity: Medium
Authentication: No required
Confidentiality impact: None
Integrity impact: Partial
Availability impact: None

PasswordManager Pro 6.1 Script Injection Vulnerability

scip AG Vulnerability ID 4063 (12/15/2009)
http://www.scip.ch/?vuldb.4063

I. INTRODUCTION

"Password Manager Pro is a secure vault for storing and managing shared sensitive information such as passwords, documents and digital identities of enterprises."

More information is available on the official product web site at the following URL[1]:
http://www.manageengine.com/products/passwordmanagerpro/

II. DESCRIPTION

Stefan Friedli at scip AG (Switzerland) found an input validation error within the current release, which enables an attacker to perform various web-based attacks.

The processing method for the search function fails to perform proper input validation on the data that is submitted via HTTP GET. The parameter "searchtext" lacks validation and is therefore vulnerable to script injection. While there is a basic input filtering method in place, it fails to detect more advanced (e.g. encoded) payloads. Other parts of the application might be affected too.

This vulnerability has been tested on version 6.1; other versions might be affected as well.

III. EXPLOITATION

Classic script injection techniques and unexpected input data within a browser session can be used to exploit these vulnerabilities. The target application does check for certain patterns and prevents an attacker from using simple exploit strings containing substrings like "script", "javascript", "alert" or similar. However, we consider this to be an imperfect mechanism that is unable to prevent an attack using a more sophisticated payload. For a selection, you might want to check RSnake's popular XSS Cheat Sheet[2], which contains several patterns not detected by the filter in place, allowing execution of any arbitrary, externally hosted payload. Exploitation can be performed using any medium that is able to perform a GET request.

Under certain circumstances, it is even possible to attack unauthenticated users, as the payload is kept in the user's session until authentication data has been entered. We exploited the vulnerability for a customer in order to prove the possibility of capturing usernames and passwords. One of the possibilities mentioned above is to embed a remote Flash file and grant it the permission to execute script code.

IV. IMPACT

The impact of the vulnerability depends on the stored data. PMP is often used for corporate password management and contains highly sensitive information. Therefore, a high amount of damage might be caused by successful exploitation and follow-up attacks.

V. DETECTION

Detection of web-based attacks requires a specialized web proxy and/or intrusion detection system. Patterns for such detection are available and easy to implement. Usually the less-than (<) and greater-than (>) symbols are required to introduce an HTML tag. In some cases single (') or double (") quotes are required to inject code into an existing HTML statement. Some security systems also look for well-known attack tags such as <script> and attack attributes such as onMouseOver. However, these are usually not capable of identifying highly optimized payloads.

VI. SOLUTION

Move to version 6104 or later:
http://forums.manageengine.com/#Topic/49000003740390

VII. VENDOR RESPONSE

The issue is due to the filter applying case-sensitive checks to the attack strings, and the situation of such a string with different cases of characters was not handled. (09.12.2009; ManageEngine)

VIII. SOURCES

scip AG - Security Consulting Information Process (German)
http://www.scip.ch/

scip AG Vulnerability Database (German)
http://www.scip.ch/?vuldb.4063

IX. DISCLOSURE TIMELINE

2009/09/28 Identification of the vulnerability
2009/10/-- ManageEngine supplies hotfix for affected customer
2009/12/07 scip AG starts public disclosure process by informing ManageEngine
2009/12/07 ManageEngine acknowledges vulnerability and disclosure timeline
2009/12/09 ManageEngine announces patch within 5 days, sends official vendor response statement
2009/12/15 ManageEngine releases official patch
2009/12/15 scip AG releases public advisory

X. CREDITS

The vulnerabilities were discovered by Stefan Friedli.

Stefan Friedli, scip AG, Zuerich, Switzerland
stfr-at-scip.ch
http://www.scip.ch/

A1. BIBLIOGRAPHY

[1] PMP Official Vendor Information, ManageEngine
http://www.manageengine.com/products/passwordmanagerpro/

A2. LEGAL NOTICES

Copyright (c) 2002-2009 scip AG, Switzerland.

Permission is granted for the re-distribution of this alert. It may not be edited in any way without permission of scip AG.

The information in the advisory is believed to be accurate at the time of publishing based on currently available information. There are no warranties with regard to this information. Neither the author nor the publisher accepts any liability for any direct, indirect or consequential loss or damage from use of or reliance on this advisory.
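As an added illustration (not code from scip AG or ManageEngine), the Python below contrasts a case-sensitive substring blacklist of the kind the vendor response describes with context-aware output encoding of the "searchtext" parameter, and implements the decode-then-inspect detection rule from section V over constructed request lines. The "/search" path and all sample values are assumptions, not the product's real endpoint or captured traffic.

```python
import html
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Blacklist of the kind the advisory describes: substrings the filter rejected.
BLACKLIST = ("script", "javascript", "alert")


def naive_filter_rejects(searchtext: str) -> bool:
    """Weak check: case-sensitive substring match on the raw, undecoded value."""
    return any(word in searchtext for word in BLACKLIST)


def render_results_heading(searchtext: str) -> str:
    """Hardened rendering: escape for the HTML text context, whatever the input."""
    return "<h2>Results for: %s</h2>" % html.escape(searchtext, quote=True)


# Detection: the characters section V names as needed to open a tag or break
# out of an attribute value, inspected only after decoding.
TAG_OR_QUOTE = re.compile(r"""[<>'"]""")


def searchtext_values(request_line: str) -> list:
    """Return all decoded 'searchtext' values from an HTTP request line."""
    parts = request_line.split(" ")
    if len(parts) < 2:
        return []
    query = urlsplit(parts[1]).query
    values = parse_qs(query, keep_blank_values=True).get("searchtext", [])
    # parse_qs decodes once; a second unquote exposes double-encoded values.
    return [unquote(v) for v in values]


def is_suspicious(request_line: str) -> bool:
    return any(TAG_OR_QUOTE.search(v) for v in searchtext_values(request_line))


def flag_requests(request_lines):
    """Return the request lines whose decoded searchtext needs a closer look."""
    return [line for line in request_lines if is_suspicious(line)]


# Constructed sample request lines; "/search" is a placeholder path.
SAMPLE_REQUESTS = [
    "GET /search?searchtext=admin%20server HTTP/1.1",                # benign
    "GET /search?searchtext=%3CScRiPt%3Ex%3C%2FScRiPt%3E HTTP/1.1",  # mixed case, encoded
    "GET /search?searchtext=%2522foo HTTP/1.1",                      # double-encoded quote
]

if __name__ == "__main__":
    for req in flag_requests(SAMPLE_REQUESTS):
        print("suspicious:", req)
```

The mixed-case value slips past the blacklist yet is rendered harmlessly by the escaping function, and both encoded samples are flagged only because the detector decodes before matching.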

References:

http://www.vupen.com/english/advisories/2009/3540
http://www.scip.ch/?vuldb.4063
http://www.manageengine.com/products/passwordmanagerpro/release-notes.html
http://www.securityfocus.com/bid/37336
http://www.scip.ch/publikationen/advisories/scip_advisory-4063_manageengine_pmp_script_injection.txt
http://secunia.com/advisories/37765

