NetIQ eDirectory NDS iMonitor 8.8 SP8 / 8.8 SP7 XSS / Memory Disclosure

Posted Dec 20, 2014
Authored by Wolfgang Ettlinger | Site sec-consult.com

NetIQ eDirectory NDS iMonitor versions 8.8 SP8 and 8.8 SP7 suffer from reflected cross site scripting and memory disclosure vulnerabilities.

tags | exploit, xss
advisories | CVE-2014-5212, CVE-2014-5213
SHA-256 | 42f12d914fa5417e9b3009fd6a0222ff5662fe88ac1c59cf41efc6d5318502e6

SEC Consult Vulnerability Lab Security Advisory < 20141219-0 >
=======================================================================
              title: XSS & Memory Disclosure
            product: NetIQ eDirectory NDS iMonitor
 vulnerable version: 8.8 SP8, 8.8 SP7
      fixed version: 8.8 SP8 HF 4,
                     fix available for versions 8.8 SP7 (8.8.7.4 HF 4,
                     8.8.7.6 HF 3)
         CVE number: CVE-2014-5212, CVE-2014-5213
             impact: High
           homepage: https://www.netiq.com/
              found: 2014-10-29
                 by: W. Ettlinger
                     SEC Consult Vulnerability Lab
                     https://www.sec-consult.com
=======================================================================

Vendor description:
-----------------------------
"eDirectory(TM) is a full-service, secure LDAP directory providing incredible
scalability and an agile platform to run your organization's identity
infrastructure and multi-platform network services."

URL: https://www.netiq.com/products/edirectory/


Business recommendation:
------------------------
An attacker without an account on the NetIQ eDirectory NDS iMonitor is able
to gain administrative access by luring an authenticated administrator to
visit an attacker-controlled web site. Moreover, an authenticated attacker
is able to retrieve internal data which potentially contains sensitive
data.

As the NetIQ eDirectory is often used to maintain a centralized user database
it is a very attractive target for an attacker. By compromising this system,
an attacker may be able to conduct further attacks on other systems.

SEC Consult recommends immediately conducting a full security review of
this software, especially if it is used as a centralized user database.


Vulnerability overview/description:
-----------------------------------
1) Memory Disclosure (CVE-2014-5213)
Using crafted HTTP requests an administrative user can retrieve parts of the
virtual memory from the service. This potentially discloses secret data like
passwords.

2) Reflected Cross Site Scripting (XSS, CVE-2014-5212)
A reflected cross site scripting vulnerability was identified. An attacker
could take over the user account of a valid administrator.


Proof of concept:
-----------------
1) Memory Disclosure (CVE-2014-5213)
When accessing the following URL as an authenticated user, parts of the virtual
memory can be retrieved:

https://<host>:8030/nds/files/opt/novell/eDirectory/lib64/ndsimon/public/images

2) Reflected Cross Site Scripting (XSS, CVE-2014-5212)
The following URL demonstrates a reflected XSS flaw:

https://<host>:8030/nds/search/data?scope=st&rdn=%3C/script%20%3E%3Cscript%20%3Ealert%28%22XSS%22%29%3C/script%20%3E
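
A log check for the two request patterns above, added here as an example (it is
not part of the SEC Consult advisory). It assumes iMonitor traffic is logged in
Common Log Format by a front-end proxy; the function names, the "no file
extension" heuristic for CVE-2014-5213 and the sample log lines are constructed
for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Request line of a Common Log Format entry (assumed log format).
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')
MARKUP_RE = re.compile(r"[<>]")

def classify_request(target):
    """Return the CVE IDs whose PoC pattern the request target matches."""
    parts = urlsplit(target)
    path = unquote(parts.path)
    hits = []
    # CVE-2014-5213: the PoC requests a directory-like path below /nds/files/.
    # Heuristic (assumption): the last path segment has no file extension.
    if path.startswith("/nds/files/"):
        if "." not in path.rstrip("/").rsplit("/", 1)[-1]:
            hits.append("CVE-2014-5213")
    # CVE-2014-5212: markup characters in the rdn parameter of /nds/search/data.
    if path == "/nds/search/data":
        values = parse_qs(parts.query, keep_blank_values=True).get("rdn", [])
        # parse_qs decodes once; unquote again to catch double encoding.
        if any(MARKUP_RE.search(v) or MARKUP_RE.search(unquote(v)) for v in values):
            hits.append("CVE-2014-5212")
    return hits

def scan_log(lines):
    """Return (line_number, cve_ids) for every log line that matches."""
    results = []
    for number, line in enumerate(lines, 1):
        match = REQUEST_RE.search(line)
        hits = classify_request(match.group(1)) if match else []
        if hits:
            results.append((number, hits))
    return results

# Constructed sample log lines (documentation addresses, not real traffic).
SAMPLE_LOG = [
    '192.0.2.10 - admin [20/Dec/2014:10:00:01 +0000] "GET /nds/summary HTTP/1.1" 200 5120',
    '192.0.2.10 - admin [20/Dec/2014:10:00:05 +0000] "GET /nds/files/opt/novell/eDirectory/lib64/ndsimon/public/images HTTP/1.1" 200 65536',
    '192.0.2.10 - admin [20/Dec/2014:10:00:09 +0000] "GET /nds/files/opt/novell/eDirectory/lib64/ndsimon/public/images/logo.gif HTTP/1.1" 200 2048',
    '198.51.100.7 - admin [20/Dec/2014:10:02:11 +0000] "GET /nds/search/data?scope=st&rdn=%3C/script%20%3E%3Cscript%20%3Ealert%28%22XSS%22%29%3C/script%20%3E HTTP/1.1" 200 900',
    '192.0.2.10 - admin [20/Dec/2014:10:03:00 +0000] "GET /nds/search/data?scope=st&rdn=cn%3Dadmin HTTP/1.1" 200 900',
]

if __name__ == "__main__":
    for number, hits in scan_log(SAMPLE_LOG):
        print(number, hits)
```

Matches are leads for review rather than proof of exploitation: the XSS request is sent by the administrator's own browser, so the Referer header, where logged, is the useful pivot.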


Vulnerable / tested versions:
-----------------------------
The vulnerabilities have been verified to exist in the NetIQ eDirectory NDS
iMonitor version 8.8 SP8, which was the most recent version at the time of
discovery.


Vendor contact timeline:
------------------------
2014-10-29: Contacting security@netiq.com, sending responsible disclosure
            policy and PGP keys
2014-10-29: Vendor redirects to security@novell.com, providing PGP keys
            through Novell support page
2014-10-30: Sending encrypted security advisory to Novell
2014-10-30: Novell acknowledges the receipt of the advisory
2014-11-18: Novell: the vulnerabilities have been fixed by development; the
            patches will be released at the end of November
2014-12-08: Novell: the release has been pushed to Dec. 8th
2014-12-09: Novell: the release 8.8.8.4 should be released tomorrow;
            the hotfix for 8.8.7.6 is still pending
2014-12-17: Verifying release of advisory; asking whether patches have been
            released
2014-12-18: Novell: Patches have been released
2014-12-19: Coordinated release of security advisory


Solution:
---------
Update to release 8.8.8.4 or apply the fix for versions 8.8 SP7.


Workaround:
-----------
No workaround available.


Advisory URL:
-------------
https://www.sec-consult.com/en/Vulnerability-Lab/Advisories.htm


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
SEC Consult Vulnerability Lab

SEC Consult
Vienna - Bangkok - Frankfurt/Main - Montreal - Singapore - Vilnius - Zurich

Headquarter:
Mooslackengasse 17, 1190 Vienna, Austria
Phone: +43 1 8903043 0
Fax: +43 1 8903043 15

Mail: research at sec-consult dot com
Web: https://www.sec-consult.com
Blog: http://blog.sec-consult.com
Twitter: https://twitter.com/sec_consult

Interested in working with the experts of SEC Consult?
Write to career@sec-consult.com

EOF W. Ettlinger / @2014
