what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

PTK 1.0.5 Cross Site Scripting / Unrestricted Access

PTK 1.0.5 Cross Site Scripting / Unrestricted Access
Posted Mar 30, 2012
Authored by anonymous

PTK version 1.0.5 suffers from cross site scripting and direct access bypass vulnerabilities.

tags | exploit, vulnerability, xss, info disclosure
SHA-256 | 73db2993ed1cf68f7e922d7bd762d40bda60592e0f603e13367647097dc3daa2

PTK 1.0.5 Cross Site Scripting / Unrestricted Access

Change Mirror Download
# Exploit Title: Multiple PTK DFlabs failures to restrict access to sensitive data
# Author: Anonymous
# Software Link: http://sourceforge.net/projects/ptk-forensics/files/ptk-1.x/ptk-1.0.5/ptk-1.0.5.tar.gz/download
# Version: 1.0.5
# Tested on: Ubuntu

--[A]-- Introduction

PTK DFlabs forensics is an alternative framework for the TSK suite (The
SleuthKit). The following vulnerabilities where discovered in the PTK
DFlabs (ptk-1.0.5.tar.gz) free version. Professional PTK DFlabs versions
might also be affected (Not tested).

--[B]-- Advisory

Sensitive log files, evidences (disk ".dd" images /ram images etc..) and
reports can be retrieved without being authenticated to the PTK DFlabs web
application.

1) Unrestricted Logs Access

Unauthenticated users can download PTK DFlabs logs by guessing their names
since no kind of authorization/authentication check is performed by PTK
DFlabs.
The PTK DFlabs web application saves data in the /log folder. An example of
the path and of the log names is the following:

http://localhost/ptk/log/audit.log
http://localhost/ptk/log/20120304.log

The "audit" log contains information about PTK registered users (e.g.
Investigators). The username disclosure can be used by attackers to perform
more easily a password brute force attack.

PTK DFlabs generates also a log about every day activities using the
following standard: year + month + day + ".log"
This "daily log" contains information about "cases" (a sort of project) and
about the name of the evidences (disk/ram images etc..).

An attacker can use the following script to generate valid log file names
and then download them:

echo
http://localhost/ptk/log/2012{01,02,03,04,05,06,07,08,09,10,11,12}{01,02,03,04,05,06,07,08,09,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31}.log|
tr " " "\n" | awk '{print "wget " $1}' | sh

This is an extract from the audit.log file generated by the PTK DFlabs that
discloses the usernames since it can be retrieved without being
authenticated:

04/03/2012 , 10:23:57 , admin , Http request may be crafted , Unauthorized
access to new_investigator
04/03/2012 , 10:03:06 , peter , Http request may be crafted , Login error

This is an extract from the "daily log" (e.g. 20120304.log) generated by
PTK DFlabs that discloses the name of the "case" and the name of the
evidences (disk/ram images etc..):

04/03/2012 , 14:20:23 , test , Http request may be crafted , Login error
04/03/2012 , 14:20:33 , admin , Http request may be crafted , User logged in
04/03/2012 , 14:20:53 , admin , Http request may be crafted , Investigators
modified for case caso1
04/03/2012 , 14:22:39 , admin , Http request may be crafted , New image
memoria added
04/03/2012 , 14:23:47 , admin , Http request may be crafted , Analysis
started on image memoria

2) Unrestricted Evidences Access

Since PTK DFlabs saves forensics evidences (disk .dd images, ram images
etc..) in a not secure manner thus allowing a direct and not authenticated
access, an attacker can use information contained into the "daily log"
generated by PTK DFlabs to retrieve the name of the "case" and the name of
the evidences (disk/ram images etc..) in order to download them from the
/images/ folder.

PTK DFlabs uses the following naming convection to save evidences (disk .dd
images, ram images etc..): case name + _ + image name + . + 3 numbers

As example, the lines of the "daily log" reported in this PoC
(20120304.log) they permit to an attacker to build the path to dowload
every evidences (disk/ram images etc..).
In this example the "case" name is "caso1" and the name of the evidence
(disk/ram images etc..) is "memoria". The attacker has only to interlock
the case and the image name and he has to fuzz the "extension" (3 number
long) in order to download, without being authenticated, every evidences
(disk/ram images etc..).

An example of a valid request is:

http://localhost/ptk/images/caso1_memoria.001

3) Unrestricted Reports Access

Since PTK DFlabs saves even reports in a not secure manner an attacker not
authenticated to the PTK DFlabs web application can retrieve every PTK
DFlabs report from the /report/ folder.
The naming convention for PTK DFlabs reports is: year + month + day + _ +
hour + . + minute + . + second + _ + case name + .pdf

An example of a valid request is:

http://localhost/ptk/report/20120304_16.08.21_caso1.pdf

Note that the attacker only needs to brute force the date and the time
values since the name of the "case" (caso1) can be recovered from log files.

4) Input validation: Reflected XSS

Furthermore also user input is not properly managed and the failure is
exacerbated by the lack of the HttpOnly in the Set-Cookie directive.
An authenticated user while analyzing a disk/ram image can trigger an XSS
with the following request:

Request:

GET
/ptk/lib/modal_bookmark.php?arg1=6&arg2=null&arg3=1&arg4=No|aaa%20-%20No|Memory%20at%20offset%20No.%20Found%20using%20keyword:%20aaa8f8fe"><script>alert(document.cookie)</script>c6692100772


5) Lack of HttpOnly

A Set-Cookie done by PTK DFlabs:

Set-Cookie: PHPSESSID=5sl9ktt7e7qrvbklacurq1drf3; path=/

--[C]-- Lulz

Now, a funny offprint about the supposed security/hardening of PTK DFLabs (
http://ptk.dflabs.com/news.html):

"PTK makes an extensive User Auth Check since its beta version" - DFlabs
Login or Register to add favorites

File Archive:

March 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Mar 1st
    16 Files
  • 2
    Mar 2nd
    0 Files
  • 3
    Mar 3rd
    0 Files
  • 4
    Mar 4th
    32 Files
  • 5
    Mar 5th
    28 Files
  • 6
    Mar 6th
    42 Files
  • 7
    Mar 7th
    17 Files
  • 8
    Mar 8th
    13 Files
  • 9
    Mar 9th
    0 Files
  • 10
    Mar 10th
    0 Files
  • 11
    Mar 11th
    15 Files
  • 12
    Mar 12th
    19 Files
  • 13
    Mar 13th
    21 Files
  • 14
    Mar 14th
    38 Files
  • 15
    Mar 15th
    15 Files
  • 16
    Mar 16th
    0 Files
  • 17
    Mar 17th
    0 Files
  • 18
    Mar 18th
    10 Files
  • 19
    Mar 19th
    32 Files
  • 20
    Mar 20th
    46 Files
  • 21
    Mar 21st
    16 Files
  • 22
    Mar 22nd
    13 Files
  • 23
    Mar 23rd
    0 Files
  • 24
    Mar 24th
    0 Files
  • 25
    Mar 25th
    12 Files
  • 26
    Mar 26th
    31 Files
  • 27
    Mar 27th
    19 Files
  • 28
    Mar 28th
    42 Files
  • 29
    Mar 29th
    0 Files
  • 30
    Mar 30th
    0 Files
  • 31
    Mar 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close