SEC Consult Vulnerability Lab Security Advisory < 20120220-1 >
=======================================================================
              title: Multiple Vulnerabilities in ELBA5
            product: ELBA 5
 vulnerable version: ELBA 5.4.1
                     5.5.0 R00004 build 0778
      fixed version: partially in 5.5.0 R00004 build 0778
               all issues in 5.5.0 R5
             impact: Medium
           homepage: http://www.elba.at/
              found: 13.01.2012
                 by: Povilas Tumenas / SEC Consult Vulnerability Lab 
                     https://www.sec-consult.com
=======================================================================

Vendor description:
-------------------
ELBA electronic banking is a multi-user, multi-protocol banking
application. For details, see http://www.elba.at. 


Vulnerability overview/description:
-----------------------------------
1) The ELBA application v5.4.1 listens on a remotely reachable port
that is used for network testing purposes. It uses java serialization
for its protocol without any encryption or authentication. This can be
abused to leak the username of a currently logged on user. Disclosed
usernames can be used in further attacks on different services and/or
ease bruteforcing of user accounts.
Furthermore, if ELBA receives an invalid serialized method name an
assertation fails and a message box with an attacker controlled value
is displayed and the user is forced to shut down the application. This
can be abused to disrupt the work of a user, or as a part of a social
engineering attack as it is possible to make the message box display a
message controllable by the attacker.


2) Due to insufficient input validation, the application <v5.5.0 R5
allows the injection of direct SQL commands. By exploiting the
vulnerability, an attacker gains access to all records stored in the
database. In this instance of SQL injection, the vulnerability can
additionally be used to get access to other user accounts and their
data. During the creation of an account group by a non-sysadmin user
the account group name is not validated and is used in a SQL query.
This allows for the injection of arbitrary SQL code. The account group
creation can be accessed from the menu -> Master Data -> More ->
Account Groups.


Proof of concept:
-----------------
1.a) Denial of Service:

A python script has been developed in order to exploit this issue. This
proof-of-concept code will not be published.

After sending the malicious payload ELBA would display a message box
that would force the user to quit the application. Please also note
that the port under which ELBA listens for serialized communication
changes every time the application starts, but it can be easily found
remotely by port scanning.


1.b) Information Disclosure:

A python script has been developed in order to exploit this issue. This
proof-of-concept code will not be published.

The currently logged on username "SYSADMIN" is visible in the received
data after sending the malicious payload.

Please also note that the port under which ELBA listens for serialized 
communication changes every time the application starts, but it can be
easily found remotely by port scanning.


2) Account Group Creation SQL-Injection:
To prove this issue it is sufficient to click the "New" button and
enter a value that would result in an invalid SQL query as the name of
the account group.

The description field can be anything, and either one or both of the 
checkboxes must be selected. If you try to create this new account
group, then the SQL server terminates and an error message is
displayed, because the SQL query with an invalid syntax was executed.
If a user enters a value that results in a valid SQL query then the
account group creation is successful.

This attack does not work with the sysadmin account, because when using
the sysadmin account a prepared statement is used for account group
creation.


Vulnerable / tested versions:
-----------------------------
1) Information Disclosure and DoS are only exploitable in ELBA v5.4.1
2) ELBA 5.5.0 R00004 build 0778


Vendor contact timeline:
------------------------
2012-01-20: Contacting vendor through software@racon-linz.at.
2012-01-23: Vendor responds with contact of CISO.
2012-01-23: Contacting CISO with advisory.
2012-01-26: Vendor has verified vulnerability #2 and pointed out, that
            only version v5.4.1 is affected by vulnerability #1.
2012-01-26: Verification of affected version of vulnerability #1 and
            update of advisory accordingly.
2012-01-27: Vulnerability #2 will be fixed with next release (version
            5.5.0 R5) on February 13th. 
2012-02-13: Sending updated advisory to vendor
2012-02-20: Public release


Solution:
---------
1) The network testing functionality has been disabled or removed in 
ELBA 5.5.0. Upgrade to the newest version.

2) According to the vendor, the SQL injection has been fixed in ELBA
5.5.0 R5. Upgrade to the new release.


Workaround:
-----------
1) In order to mitigate the vulnerability, firewall rules can be set to 
prevent unauthorized access to the port used for network testing. 

2) Do not give a user the privilege to create account groups.


Advisory URL:
-------------
https://www.sec-consult.com/en/advisories.html


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
SEC Consult Unternehmensberatung GmbH

Office Vienna
Mooslackengasse 17
A-1190 Vienna
Austria

Tel.: +43 / 1 / 890 30 43 - 0
Fax.: +43 / 1 / 890 30 43 - 25
Mail: research at sec-consult dot com
https://www.sec-consult.com

EOF PTU / @2012