exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

Klinzmann A-A-S XSRF / Code Execution

Klinzmann A-A-S XSRF / Code Execution
Posted May 13, 2009
Authored by Felipe Daragon | Site syhunt.com

The Klinzmann Application Access Server suffers from cross site request forgery, command execution, default password, and insecure password storage vulnerabilities.

tags | exploit, vulnerability, csrf
advisories | CVE-2009-1464, CVE-2009-1465, CVE-2009-1466
SHA-256 | e216edbf657d61bdb2e559c269b7118db00d7f30c8cb83b7248238c64f6b103d

Klinzmann A-A-S XSRF / Code Execution

Change Mirror Download
Syhunt: A-A-S (Application Access Server) Multiple Security Vulnerabilities

Advisory-ID: 200905111
Discovery Date: 3.23.2009
Release Date: 5.11.2009
Affected Applications: A-A-S 2.0.48 and possibly older versions
Class: XSRF (Cross Site Request Forgery) Arbitrary Command Execution,
Undocumented Default Password, Insecure Password Storage
Status: Vendor informed. No fix available
Vendor: Klinzmann
Vendor URL: http://www.klinzmann.name/a-a-s/index_en.html
Advisory URL: http://www.syhunt.com/advisories/?id=aas-multiple

The Common Vulnerabilities and Exposures (CVE) project has assigned the
following CVEs to these vulnerabilities:
* CVE-2009-1464 - index.aas job parameter XSRF Arbitrary Command
Execution Vulnerability
* CVE-2009-1465 - Default Admin Password Vulnerability
* CVE-2009-1466 - Insecure Password and Port Keyword Storage Vulnerability

----------------------------------------------------------------

Overview:
The Application Access Server is a popular freeware remote
administration tool that allows to start and stop applications or
services over the Internet using a Web-based client. It also allows to
uninstall applications, remotely shutdown and retrieve various
information about the current system the server is running on. It claims
to be able to "black list" aggressors and run in "Stealth mode", thus
evading port scanners.

The A-A-S server also supports DynDNS.org, which allows aliasing the
server IP to a static hostname.

Description:
The Application Access Server is vulnerable to extremely dangerous XSRF
(Cross Site Request Forgery) attacks. A remote attacker can use the XSRF
flaw to take control over the system running the A-A-S server. The issue
is triggered when a web page containing a malicious JavaScript code is
viewed. Such malicious code can automatically make requests to the AAS
server on the user's behalf.

Two additional vulnerabilities affect the Application Access Server: an
undocumented default password and insecure password storage. Technical
details are included below.

----------------------------------------------------------------

Details:
1) index.aas job parameter XSRF (Cross Site Request Forgery)
Arbitrary Command Execution

Example 1 - Arbitrary Command Execution / File Upload
See: http://www.syhunt.com/advisories/aashack.txt

This exploit demonstration code automatically makes sequential requests
to the AAS server on the user's behalf (if the user is logged in to the
server), disabling undesired services, uploading and launching a file on
the target machine. It has been successfully tested on IE 7.0 and
Firefox 3.08. Should work on any browser that has javascript enabled

Please note that the server's security features like host access list
and port modes (Silent or Stealth) will not protect against the XSRF
flaw if enabled.

Example 2 - Arbitrary Command Execution:
<img src="http://[AAS IP or DYNDNS
HOST]:6262/index.aas?job=command&action=[command]">
This for example would launch the Calculator:
/index.aas?job=command&action=calc.exe

Example 3 - Stopping Services:
<img src="http://[AAS IP or DYNDNS
HOST]:6262/index.aas?job=setservice&action=stop&select=[servicename]">
This for example would disable Automatic Updates:
/index.aas?job=setservice&action=stop&select=wuauserv

Example 4 - Killing Processes:
<img src="http://[AAS IP or DYNDNS
HOST]:6262/index.aas?job=killprocess&select=[exename]">
Example:
/index.aas?job=killprocess&select=notepad.exe

Additional commands are available via the job parameter.

2) Default Admin Password Vulnerability
By default, A-A-S installs with a default admin account. The account has
an undocumented default password of "wildbat" and all the security
rights enabled. These default rights allow to execute any commands on
the machine.

3) Insecure Password and Port Keyword Storage Vulnerability
A-A-S passwords and the port keyword (used to connect to the server when
in Stealth or Silent mode) are stored as a base64 string in the
"aas.ini" file, contained in the A-A-S install directory, with no
encryption at all. This allows the password or port keyword to be easily
retrieved.

----------------------------------------------------------------

Vulnerability Status:
The vendor was contacted, immediately responded and will be releasing a
fix soon.

As a workaround to the XSRF vulnerability, the vendor recommends
limiting the security rights in the user settings screen for each user:
- Disable the "Allow own command" option (command execution will not be
possible after this option is disabled).
- If possible also disable the "Enable kill process", "Start/Stop
service" and "Run application" rights.

Avoid completely navigating to other websites while logged in to the
Application Access Server.

Never start the server using its default settings (as explained above
machines running a default A-A-S may be easily compromised). Change the
password of the admin account first.

----------------------------------------------------------------

Credit:
Felipe Aragon
Syhunt Security Research Team, www.syhunt.com

---

Copyright © 2009 Syhunt Cyber Security Company

Disclaimer:
The information in this advisory is provided "as is" without warranty of
any kind. Details provided are strictly for educational and defensive
purposes.

Syhunt is not liable for any damages caused by direct or indirect use of
the information provided by this advisory.
Login or Register to add favorites

File Archive:

March 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Mar 1st
    16 Files
  • 2
    Mar 2nd
    0 Files
  • 3
    Mar 3rd
    0 Files
  • 4
    Mar 4th
    32 Files
  • 5
    Mar 5th
    28 Files
  • 6
    Mar 6th
    42 Files
  • 7
    Mar 7th
    17 Files
  • 8
    Mar 8th
    13 Files
  • 9
    Mar 9th
    0 Files
  • 10
    Mar 10th
    0 Files
  • 11
    Mar 11th
    15 Files
  • 12
    Mar 12th
    19 Files
  • 13
    Mar 13th
    21 Files
  • 14
    Mar 14th
    38 Files
  • 15
    Mar 15th
    15 Files
  • 16
    Mar 16th
    0 Files
  • 17
    Mar 17th
    0 Files
  • 18
    Mar 18th
    10 Files
  • 19
    Mar 19th
    32 Files
  • 20
    Mar 20th
    46 Files
  • 21
    Mar 21st
    16 Files
  • 22
    Mar 22nd
    13 Files
  • 23
    Mar 23rd
    0 Files
  • 24
    Mar 24th
    0 Files
  • 25
    Mar 25th
    12 Files
  • 26
    Mar 26th
    31 Files
  • 27
    Mar 27th
    19 Files
  • 28
    Mar 28th
    42 Files
  • 29
    Mar 29th
    0 Files
  • 30
    Mar 30th
    0 Files
  • 31
    Mar 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close