sysPass 1.0.9 Insecure Direct Object Reference

sysPass 1.0.9 Insecure Direct Object Reference
Posted Dec 7, 2015
Authored by Daniele Salaris | Site syss.de

sysPass versions 1.0.9 and below allow for system backups to be downloaded by an external attacker.

tags | exploit
SHA-256 | 3f4f1197fb6b356561f3a5d4c13b670af0b0739a649d539b75953ebc8ae7b8d5


Advisory ID: SYSS-2015-046
Product: sysPass
Manufacturer: http://cygnux.org/
Affected Version(s): 1.0.9 and below
Tested Version(s): 1.0.9
Vulnerability Type: Insecure Direct Object References (CWE-932)
Exposure of Backup File to an Unauthorized Control Sphere (CWE-530)
Risk Level: High
Solution Status: Fixed
Manufacturer Notification: 2015-06-10
Solution Date: 2015-10-26
Public Disclosure: 2015-12-07
CVE Reference: Not yet assigned
Author of Advisory: Daniele Salaris (SySS GmbH)

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Overview:

sysPass is a web-based password manager written in PHP and Ajax with a
built-in multiuser environment.

The web application is prone to a security vulnerability that allows an
unauthorized attacker to download existing backup files containing
sensitive data.

The software manufacturer describes the web application as follows
(see [1]):

"sysPass is a web password manager written in PHP that allows the
password management in a centralized way and in a multiuser environment.
The main features are:

* HTML5 and Ajax based interface
* Password encryption with AES-256 CBC.
* Users and groups management.
* Advanced profiles management with 16 access levels.
* MySQL, OpenLDAP and Active Directory authentication.
* Activity alerts by email.
* Accounts change history.
* Accounts files management.
* Inline image preview.
* Multilanguage.
* Links to external Wiki.
* Portable backup.
* Action tracking and event log.
* One-step install process."

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Vulnerability Details:

The backup functionality of the web-based password manager sysPass
creates the following two backup files that are stored within the
application's backup folder:

* sysPass_db.sql
* sysPass.tar.gz

The file sysPass_db.sql contains a full database dump and the file
sysPass.tar.gz contains all contents of the sysPass web application
folder.

An unauthorized attacker can simply download these two existing backup
files via the following URLs:

http(s)://<HOST>/backup/sysPass_db.sql
http(s)://<HOST>/backup/sysPass.tar.gz

Thus, an external attacker without valid user credentials can gain
unauthorized access to all configuration and application data of the
password manager sysPass. With access to this data, an attacker can
perform further attacks in order to recover user credentials of sysPass
users or to decrypt encrypted password information contained within the
database.
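As an added defender's example that is not part of the SySS advisory: a Python scan over web server access logs (Apache/nginx "combined" format, assumed) that reports every request for the two backup files named above and whether the server actually served them, so an operator can separate real exposure from blocked attempts. The log lines are constructed samples.

```python
import re
from dataclasses import dataclass

# Backup artefacts named in the advisory, written to the web-reachable backup folder.
SYSPASS_BACKUP_FILES = ("sysPass_db.sql", "sysPass.tar.gz")

# Apache/nginx "combined" access log format (assumed log layout).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

@dataclass
class Finding:
    ip: str
    ts: str
    path: str
    status: int
    exposed: bool  # True when the server returned the file (any 2xx, incl. 206 partial)

def is_backup_path(path: str) -> bool:
    # Drop any query string, then require the file to sit directly under a "backup" directory,
    # which also catches installs served from a sub-path such as /demo/backup/.
    parts = path.split("?", 1)[0].split("/")
    return len(parts) >= 3 and parts[-2] == "backup" and parts[-1] in SYSPASS_BACKUP_FILES

def scan_access_log(lines):
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or not is_backup_path(m["path"]):
            continue
        status = int(m["status"])
        findings.append(Finding(m["ip"], m["ts"], m["path"], status, exposed=200 <= status < 300))
    return findings

# Constructed sample log lines (documentation IP ranges, not real traffic).
SAMPLE_LOG = [
    '198.51.100.7 - - [07/Dec/2015:10:01:12 +0100] "GET /backup/sysPass_db.sql HTTP/1.1" 200 4194304 "-" "curl/7.45.0"',
    '198.51.100.7 - - [07/Dec/2015:10:01:15 +0100] "GET /backup/sysPass.tar.gz HTTP/1.1" 200 9001234 "-" "curl/7.45.0"',
    '198.51.100.8 - - [07/Dec/2015:10:01:40 +0100] "GET /demo/backup/sysPass.tar.gz HTTP/1.1" 206 65536 "-" "Wget/1.16"',
    '203.0.113.5 - - [07/Dec/2015:10:02:00 +0100] "GET /index.php?r=login HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [07/Dec/2015:10:03:44 +0100] "GET /backup/sysPass_db.sql HTTP/1.1" 403 199 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for f in scan_access_log(SAMPLE_LOG):
        verdict = "EXPOSED" if f.exposed else "blocked"
        print(f"{verdict:8} {f.ip} {f.ts} {f.path} -> {f.status}")
```

Feed real log lines in place of SAMPLE_LOG; an EXPOSED hit after the fix was deployed means the backup folder is still reachable or the files were left behind.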

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Proof of Concept (PoC):

The following URLs can be used to download existing backup files of the
password manager sysPass from an external attacker's perspective:

http(s)://<HOST>/backup/sysPass_db.sql
http(s)://<HOST>/backup/sysPass.tar.gz

For example:

http://syspass.org/demo/backup/sysPass_db.sql
http://syspass.org/demo/backup/sysPass.tar.gz

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Solution:

The reported security vulnerabilities have been fixed in a new software
release. Update to the new software version.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclosure Timeline:

2015-06-08: Vulnerability discovered
2015-06-10: Vulnerability reported to manufacturer
2015-10-26: Release of new software version that addresses the reported
security issues. Discussed security fix with manufacturer.
2015-12-07: Public release of security advisory

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

References:

[1] Web site of sysPass - sysadmin password manager
http://wiki.syspass.org/en/start
[2] SySS Security Advisory SYSS-2015-046
https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2015-046.txt
[3] SySS Responsible Disclosure Policy
https://www.syss.de/en/news/responsible-disclosure-policy/

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Credits:

This security vulnerability was found by Daniele Salaris of the SySS GmbH.

E-Mail: disclosure (at) syss.de
Key fingerprint = E135 4E23 6091 A85C 9E14 577A 28DF B3A7 0A98 A9D4

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclaimer:

The information provided in this security advisory is provided "as is"
and without warranty of any kind. Details of this security advisory may
be updated in order to provide as accurate information as possible. The
latest version of this security advisory is available on the SySS Web
site.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Copyright:

Creative Commons - Attribution (by) - Version 3.0
URL: http://creativecommons.org/licenses/by/3.0/deed.en
