SEC Consult Vulnerability Lab Security Advisory < 20130308-1 >
=======================================================================
title: Multiple high risk vulnerabilities (part 2)
product: GroundWork Monitor Enterprise
vulnerable version: 6.7.0
fixed version: none - optional technical bulletin released
impact: High
homepage: http://www.gwos.com
found: 2013-02-11
by: Johannes Greil
SEC Consult Vulnerability Lab
https://www.sec-consult.com
=======================================================================
Vendor/product description:
------------------------------------------------------------------------------
"GroundWork Monitor is the leading open platform for monitoring the
availability and performance of enterprise business services, applications and
infrastructure. It can live and monitor both on premises and in the cloud. As
an open platform, it is easily integrated with common IT service management
processes and tools and is competitively and simply priced."
URL: http://www.gwos.com/features/
------------------------------------------------------------------------------
Business recommendation:
------------------------------------------------------------------------------
SEC Consult identified multiple vulnerabilities with high risk within the
components of the "GroundWork Monitor Enterprise" solution. The scope of the
test, where the vulnerabilities have been identified, was a very short
evaluation crash-test (~1 PD, part 2) which the software utterly failed. Some
components have been spot-checked, others have not been tested at all (e.g.
cloud components).
The recommendation of SEC Consult is to immediately switch off
existing GroundWork systems until further security measures and thorough
follow-up security tests have been implemented and performed.
------------------------------------------------------------------------------
Vulnerability overview/description:
------------------------------------------------------------------------------
The following vulnerability description has been categorized into the
components where the vulnerabilities have been identified.
1) NeDi component
~~~~~~~~~~~~~~~~~
In order to exploit the following vulnerabilities an attacker has to have
low privileged "user" access level rights within GroundWork. The NeDi
application itself thinks that an admin user has logged in and gives full access
rights!
1.1) Access to sensitive files
A low-privileged attacker is able to gain access to NeDi configuration files or
database dumps or Tomcat status context by just entering a URL.
1.2) Privilege escalation through command execution
A low privileged "user" account is able to access the "System File Overview"
feature of NeDi which allows editing of files and hence the execution of arbitrary
operating system commands.
Affected script:
/nedi/html/System-Files.php
1.3) Direct OS command injection
A low privileged "user" account is able to execute arbirary OS commands through
missing input validation within the "System / NeDi" menu functionality. NeDi allows
to scan internal IP addresses which can be exploited by a classic OS command
injection payload.
Affected script:
/nedi/html/System-NeDi.php
1.4) SQL injection & execution of arbitrary SQL statements
A low privileged "user" account can execute arbitrary SQL statements within
the current schema (nedi) of the PostgreSQL database and furthermore also exploit
SQL injection vulnerabilities.
Affected scripts:
/nedi/html/System-Export.php
/nedi/html/Devices-List.php
1.5) Open redirection
NeDi is affected by an open redirection vulnerability. If an authenticated victim
of the attack clicks on a special URL he will be redirected to a website controlled
by the attacker.
1.6) Multiple XSS vulnerabilities
The NeDi component suffers from multiple XSS vulnerabilities because no input
validation is being performed. An attacker is able to steal user accounts/sessions
and potentially gain higher privileges within GroundWork.
2) Cacti component
~~~~~~~~~~~~~~~~~~
In order to exploit the following vulnerabilities an attacker has to have
low privileged "user" access level rights within GroundWork.
2.1) Insufficient authorization
A low-privileged user is able to access and change all configuration settings
within the Cacti component including user accounts and passwords.
2.2) Bundled Cacti version is outdated
The Cacti version 0.8.7g that is bundled with GroundWork is already affected by
at least two known vulnerabilities (Cross-Site Request-Forgery and SQL injection).
3) Noma component
~~~~~~~~~~~~~~~~~
The following security flaws can only be exploited with a valid "admin" session,
but at least the cross-site request forgery flaw in combination with the
permanent XSS flaw can be exploited by outside attackers in order to gain
administrative access to GroundWork.
3.1) Cross-site request forgery
An attacker can use cross-site request forgery to perform arbitrary web requests
with the identity of the victim without being noticed by the victim. Although
responses to these requests are not delivered to the attacker, in many cases it
is sufficient to be able to compromise the integrity of the victim?s information
stored on the site or to perform certain, possibly compromising requests to
other sites.
3.2) Multiple reflected and permanent cross-site scripting
The Noma component suffers from multiple XSS vulnerabilities because no input
validation is being performed. An attacker is able to steal user accounts/sessions
and potentially gain higher privileges within GroundWork.
3.3) SQL injection
Due to insufficient input validation, the application allows the injection of
direct SQL commands. By exploiting the vulnerability, an attacker gains access
to all records stored in the database with the privileges of the web application
user.
------------------------------------------------------------------------------
Proof of concept:
------------------------------------------------------------------------------
Detailed proof of concept URLs and exploits have been removed from this
advisory as the underlying security issues will not be fixed by GroundWork and
only be addressed by authentication and authorization changes.
1) NeDi component
~~~~~~~~~~~~~~~~~
1.1) Access to sensitive files
Access config files:
[...]
If a legitimate user dumped some database contents through standard NeDi
functionality, it will be reachable directly with "user" rights:
[...]
Tomcat Status
[...]
1.2) Privilege escalation through command execution
The following component allows editing of files of a given whitelisted array.
At least one of the whitelisted files is a PHP file which can be edited and
accessed through the webserver:
Step a) Access start URL
[...]
Step b) Go to menu "[...]":
[...]
Step c) Edit "[...]" and enter payload:
[...]
Step d) Execute arbitrary OS commands:
[...]
1.3) Direct OS command injection
Affected URL:
[...]
Affected parameters, at least: [...]
Payload:
[...]
1.4) SQL injection & execution of arbitrary SQL statements
Execute arbitrary SQL statements with "[...]" parameter:
[...]
It has not been investigated whether changes to the NeDi database will affect
or propagate to other GroundWork components!
Unfiltered input in at least "[...]" parameter:
[...]
1.5) Open redirection
[...]
1.6) Multiple XSS vulnerabilities
[...]
2) Cacti component
~~~~~~~~~~~~~~~~~~
2.1) Insufficient authorization
A low-privileged user is able to access/change all configuration settings, e.g.:
[...]
2.2) Bundled Cacti version is outdated
[...]
3) Noma component
~~~~~~~~~~~~~~~~~
3.1) Cross-site request forgery
Store permanent XSS payload via CSRF attack:
[...]
Delete arbitrary entries via CSRF:
[...]
3.2) Multiple reflected and permanent cross-site scripting
Permanent XSS:
[...]
Reflected XSS:
[...]
3.3) SQL injection
[...]
------------------------------------------------------------------------------
Vulnerable / tested versions:
------------------------------------------------------------------------------
The vulnerabilities have been tested in the currently latest available version
v6.7.0.
SEC Consult tested the pre-installed Ubuntu image 6.7.0-br287-gw157 with a
GroundWork Monitor Core test license.
SEC Consult strongly assumes that many further vulnerabilities exist and previous
GroundWork versions are affected too.
------------------------------------------------------------------------------
Vendor contact timeline:
------------------------------------------------------------------------------
2013-02-12: Contacting vendor via direct email contact (after trying to
establish contact since 14th January, see advisory part 1)
2013-02-13: Vendor, info from engineering: patch for 27th February planned;
Patch only addresses few issues (Referer checks) and not critical
vulnerabilities
SEC Consult: proper fixes needed, not a "workaround patch"
2013-02-26: Vendor: Email reply regarding conference call
2013-02-28: Conference call
2013-03-04: GroundWork provides optional technical bulletin for review
2013-03-05: SEC Consult states that the optional technical bulletin is not
enough and does not fix the underlying issues within source code
Informing US-CERT about the status and pending release
2013-03-06: Contacting local CERT teams
2013-03-06: GroundWork informs their customers
2013-03-07: Release of optional technical bulletin by GroundWork
2013-03-08: SEC Consult releases coordinated security advisory without proof
of concept
------------------------------------------------------------------------------
Solution:
------------------------------------------------------------------------------
GroundWork does not offer patches for the identified security vulnerabilities.
An optional technical bulletin is available by GroundWork that restricts
access to GroundWork components by adding a SSO authentication layer for the
affected components. Furthermore, configuration changes are suggested by
GroundWork that disable "user" privilege access for some applications and
require "admin" access rights in the future:
https://kb.groundworkopensource.com/display/SUPPORT/SA6.7.0-1+Some+web+components+allow+bypass+of+role+access+controls
This recommendation by GroundWork is not sufficient and therefore not
suggested by SEC Consult. In order to mitigate the risk, the vulnerabilities
have to be fixed within the source code.
In secure environments, such as operating centers where this software is
for instance used, it is highly undesirable to use insecure applications.
------------------------------------------------------------------------------
Workaround:
------------------------------------------------------------------------------
Implement the suggestions of the technical bulletin. Keep in mind that the
underlying security issues are not being addressed by the bulletin.
Furthermore, use additional measures to secure the application, e.g. but not
limited to strict network segmentation. Only allow administrators to access
the server. Secure all accounts with strong passwords & disable standard
accounts.
------------------------------------------------------------------------------
Advisory URL:
------------------------------------------------------------------------------
https://www.sec-consult.com/en/Vulnerability-Lab/Advisories.htm
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
SEC Consult Unternehmensberatung GmbH
Office Vienna
Mooslackengasse 17
A-1190 Vienna
Austria
Tel.: +43 / 1 / 890 30 43 - 0
Fax.: +43 / 1 / 890 30 43 - 25
Mail: research at sec-consult dot com
https://www.sec-consult.com
http://blog.sec-consult.com
EOF Johannes Greil / @2013