
Ncentral 8.x Insecure Access / Unsalted Passwords / CSRF

Posted Dec 1, 2012
Authored by Cartel

Ncentral versions 8.0.x through 8.2.0-1152 suffer from insecure SOAP access that leads to an unprivileged SSH session, poor trust based authentication leading to database compromise, plain text password storage, cross site request forgery, and other vulnerabilities.

tags | exploit, vulnerability, csrf
MD5 | bd6762908c11158971c44652bae34a36


RA001: Multiple vulnerabilities in Ncentral versions 8.0.x - 8.2.0-1152

RA001-1a: Insecure SOAP access leads to unprivileged SSH session
The Remote Desktop Support feature of Ncentral is enabled by default. The
normal manner of use is as follows:

1. A customer browses to the front page, clicks the Start Session button and
   fills in his or her details.
2. Provided a user is logged into N-central with remote availability enabled,
   the customer is prompted to download an EXE.
3. They then download the remote support agent EXE and run it.
4. The agent communicates with n-central over SOAP and sets up an SSH session
   for tunneling the actual remote support session.

If an attacker spoofs the SOAP messages sent by the agent EXE, he or she will
be offered an SSH username and private key that can then be used to gain an
unprivileged SSH session on the ncentral server itself. While the account
cannot interact with the system (shell is set to /bin/false), by using SSH
tunneling the attacker can target services that would not normally be
accessible due to firewalling, such as the database service.

RA001-1b: PostgreSQL trust-based authentication for localhost leads to database compromise

Using the SSH credentials gained in 1a. above, an attacker can create an SSH
tunnel between his or her local machine and the Ncentral server's PostgreSQL
instance by using the arguments -L 5432: The attacker can then connect his or
her own psql client to the ncentral server's database by using the command:

$ psql -U postgres -d mickey -h localhost

As the connection is trusted (due to the origin being localhost), the attacker
gains superuser privileges on the ncentral database. He or she can then
acquire the hashed user account passwords by selecting all rows from the
"luser" table (see below), or reset a password/create a new account with SO
admin privilege by using the update/insert commands. However, such an attack
does not immediately lead to escalation due to the use of a custom database
connection pool and in-memory cache ("DMS").
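
A defender-side check for the condition described in RA001-1b, added here as an example that is not part of the original advisory or of Ncentral: it scans a pg_hba.conf and reports every rule whose method is trust, marking the loopback rules that any connection forwarded through SSH on the server would match. The sample file and the function names are constructed for illustration.

```python
import ipaddress

# Constructed sample (not from the advisory) of a pg_hba.conf that trusts loopback.
SAMPLE_HBA = """\
# TYPE  DATABASE  USER  ADDRESS                     METHOD
local   all       all                               trust
host    all       all   127.0.0.1/32                trust
host    all       all   ::1/128                     md5
host    all       all   127.0.0.1  255.255.255.255  trust
host    all       all   192.168.1.0/24              trust
hostssl all       all   10.0.0.0/8                  scram-sha-256
"""

def _is_ip(token):
    try:
        ipaddress.ip_address(token)
        return True
    except ValueError:
        return False

def _scope(address):
    """Classify where a rule accepts connections from."""
    if address is None:
        return "unix-socket"
    try:
        net = ipaddress.ip_network(address, strict=False)
    except ValueError:
        return "name:" + address          # hostname, samehost, samenet, all
    return "loopback" if net.is_loopback else "network"

def trust_rules(text):
    """Return (line, scope, database, user) for every rule whose method is trust."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        f = raw.split("#", 1)[0].split()
        if not f or not (f[0] == "local" or f[0].startswith("host")):
            continue
        if f[0] == "local":
            address, rest = None, f[3:]
        elif len(f) > 5 and _is_ip(f[3]) and _is_ip(f[4]):
            address, rest = f"{f[3]}/{f[4]}", f[5:]   # IP plus separate netmask column
        else:
            address, rest = (f[3] if len(f) > 3 else ""), f[4:]
        if rest and rest[0] == "trust":
            findings.append((lineno, _scope(address), f[1], f[2]))
    return findings

if __name__ == "__main__":
    for lineno, scope, db, user in trust_rules(SAMPLE_HBA):
        print(f"line {lineno}: trust for {scope} (db={db}, user={user})")
```

Replacing trust with a password method such as scram-sha-256 on the flagged lines means a forwarded connection still has to authenticate.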

RA001-1b-1: Unsalted passwords can potentially lead to superuser compromise

It was noted that the "luser" table stores user passwords in an unsalted form.
A well-equipped attacker may be able to brute force the unsalted password
hashes for one of the superuser accounts.
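
An added example, not taken from the advisory or from Ncentral, contrasting unsalted storage with a salted, slow hash and showing an audit that finds accounts sharing one stored digest. The advisory does not name the hash algorithm, so SHA-256 stands in for the unsalted scheme; the account names, passwords, iteration count and storage format are assumptions.

```python
import hashlib
import hmac
import secrets
from collections import defaultdict

ITERATIONS = 600_000  # assumed work factor; tune to your hardware

def unsalted(password):
    """The weak scheme: digest depends on the password alone (SHA-256 assumed)."""
    return hashlib.sha256(password.encode()).hexdigest()

def hash_password(password):
    """Salted, slow hash stored as scheme$iterations$salt$digest."""
    salt = secrets.token_bytes(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${dk.hex()}"

def verify_password(password, stored):
    """Recompute with the stored salt and compare in constant time."""
    scheme, iterations, salt_hex, digest_hex = stored.split("$")
    if scheme != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), digest_hex)

def shared_digests(rows):
    """Audit helper: groups of accounts whose stored value is identical."""
    groups = defaultdict(list)
    for user, stored in rows:
        groups[stored].append(user)
    return sorted(sorted(users) for users in groups.values() if len(users) > 1)

# Constructed accounts: two users picked the same password.
PASSWORDS = {"alice": "Winter2012!", "bob": "Winter2012!", "carol": "x9$Lq-motor"}

def demo():
    """Return the shared-digest groups under each storage scheme."""
    weak = [(u, unsalted(p)) for u, p in PASSWORDS.items()]
    strong = [(u, hash_password(p)) for u, p in PASSWORDS.items()]
    return shared_digests(weak), shared_digests(strong)

if __name__ == "__main__":
    weak_groups, strong_groups = demo()
    print("unsalted, identical digests:", weak_groups)
    print("salted, identical digests:  ", strong_groups)
```

With unsalted storage one recovered password exposes every account in the group and precomputed tables apply; with a per-user salt each stored value has to be attacked separately.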

RA001-1c: Plain text password storage for the openfire user leads to root compromise

Using the database connection gained in 1b above, an attacker can acquire the
admin password for the openfire service by selecting from the "xmpp" table.
The password is stored in plain text. Using the SSH connection from 1a, the
attacker can access the openfire admin console running on port 9090 of the
ncentral server.

By logging in as the openfire "admin" user, an attacker can upload a malicious
plugin into the openfire service, leading to a root shell compromise on the
ncentral server. This can then be used to flush the "luser" table in the DMS
service, which will update the passwords in memory, allowing the attacker to
log in to the NCUI with SO Admin privileges and make wide-ranging changes to
the configuration of Ncentral.

RA001-2: Insecure backup URLs can lead to remote root/SO compromise

An insecure URL access vulnerability exists in the NAC allowing an
unauthenticated user to download the system backup tarball. By default, the
system will back up every night at 00:15, making a tarball available for
download at the URL


where YYYYMMDDHHMM is the date and time when the backup process completed. By
taking yesterday's date and iterating the hour and minute values from 0000, an
attacker can download the system backup tarball without providing any

The system backup tarball, among other things, contains a complete database
dump and the system shadow file. An attacker could brute force the hashes in
the database dump (see 1b-1 above), or attack the system shadow hashes and
potentially gain a privileged SSH account on the system.

3: Cross site request forgery via the NCUI can lead to SO Admin compromise

The main web UI is vulnerable to CSRF attacks. By luring a logged-in SO Admin
level user to a URL with the following malicious image tag embedded:

<img src="https://ncentral/addAccountActionStep1.do?page=1&pageName=add_account&email=test%40redacted.co.nz

an attacker can create his or her own SO level user in the system, with no
additional interaction from the admin required.
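
The server-side control whose absence makes the image-tag request above work, as an added example that is not part of the advisory or of Ncentral: state-changing actions are refused unless they arrive as a POST carrying a token bound to the user's session. The path is the one named in the advisory; SERVER_KEY, issue_token, authorize and the csrf_token field name are hypothetical.

```python
import hashlib
import hmac
import secrets

SERVER_KEY = secrets.token_bytes(32)             # per-deployment secret (assumption)
STATE_CHANGING = {"/addAccountActionStep1.do"}   # action named in the advisory

def issue_token(session_id):
    """Token the server embeds in its own forms; unknown to other origins."""
    return hmac.new(SERVER_KEY, session_id.encode(), hashlib.sha256).hexdigest()

def authorize(method, path, session_id, form):
    """Return (allowed, reason) for a request from an authenticated session."""
    if path not in STATE_CHANGING:
        return True, "read-only"
    if method != "POST":
        # An <img> tag can only issue a GET, so this alone stops that vector.
        return False, "state change over " + method
    supplied = form.get("csrf_token", "").encode()
    expected = issue_token(session_id).encode()
    if not hmac.compare_digest(supplied, expected):
        return False, "missing or wrong CSRF token"
    return True, "ok"

# Constructed requests, all arriving with the admin's valid session cookie.
SESSION = "constructed-session-id"
REQUESTS = [
    ("GET", "/addAccountActionStep1.do", {"page": "1"}),     # cross-site image load
    ("POST", "/addAccountActionStep1.do", {"page": "1"}),    # cross-site auto-submitted form
    ("POST", "/addAccountActionStep1.do",
     {"page": "1", "csrf_token": issue_token(SESSION)}),     # the application's own form
]

def decisions():
    """Evaluate each constructed request and return the allow/deny flags."""
    return [authorize(m, p, SESSION, f)[0] for m, p, f in REQUESTS]

if __name__ == "__main__":
    for (method, path, form), allowed in zip(REQUESTS, decisions()):
        print(method, path, "->", "allowed" if allowed else "rejected")
```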

Disclosure Timeline

December 2011: vulnerabilities discovered.
April 2012: reported to vendor.
June-July 2012: Ncentral 9 is released, all reported flaws are fixed with no attribution or public announcement
November 17 2012: exploit demonstrated at Kiwicon 6
November 19 2012: N-Able spokesman is quoted as saying:

"At N-able, we take any security-related issue very seriously, and work hard
to ensure that any security-related issues brought to our attention are
resolved as quickly as possible. N-able does not have a 'Rescue Me' option on
the N-central platform, and to our knowledge, nobody on our team has been in
communication with SC Magazine with regard to this story. As such, we believe
that our name was incorrectly referenced in this story," [1]

December 1, 2012: advisory posted to full-disclosure, and simultaneously published on the web at the following URL:


No exploit code is released at this time.

[1] from http://www.crn.com/news/managed-services/240142354/hacker-exposes-msp-platform-vulnerability.htm

About N-Able

N-able Technologies is the global leading provider of complete IT management
and Automation solutions for Managed Service Providers (MSPs). N-able's
award-winning N-central® is the industry’s #1 RMM and MSP Service Automation
Platform. N-able has a proven track record of helping MSPs standardize and
automate the setup and delivery of IT services in order to achieve true
scalability.


