Thursday, July 2, 2015

Update on CVE-2014-9141: Thomson Reuters Fixed Assets CS <= 13.1.4

Received notification from vendor today:

"We appreciate your report and attention on the connectbgdl.exe vulnerability.  We are scheduled to address this with our next major release, 2015.1.0, scheduled for November of 2015.  This will be our first opportunity to address it since it came to our attention following our last major release of 2014.1.0 in November of 2014.  As of this point in time, we have seen no reports of this vulnerability being exploited within our customers' systems."

Apply this patch as soon as it is released. Until 2015.1.0 ships, interim steps to remediate this vulnerability should be taken.


Update on CVE-2015-2081: Multiple Vulnerabilities in Datto Siris and Alto

Interesting post on the DATTO vulnerabilities we had discovered in February (and some additional items that were not covered in our post):
http://silentbreaksecurity.com/tearing-apart-a-datto/
Our investigation turned up a vulnerable webserver as well, and as part of that we enumerated the pages and services it exposed. At the time we chose to keep these findings private with the vendor and publish only the CVE, which we did. Now that another security researcher has publicly posted some of the same findings and rooted the box, we are releasing the list below, as it is useful for remediating additional issues present on the device.
The pages and information below were available from the embedded webserver without authentication.

Potentially Dangerous Information Leakage:
/?=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000 (PHP credits page)
/?=PHPE9568F36-D428-11d2-A769-00AA001ACF42 (PHP "easter egg" logo)
/?=PHPE9568F34-D428-11d2-A769-00AA001ACF42 (PHP logo)
/?=PHPE9568F35-D428-11d2-A769-00AA001ACF42 (Zend logo)
These are the PHP easter-egg GUIDs, which the interpreter answers whenever expose_php is enabled in php.ini (the same setting that adds the X-Powered-By header). They confirm that PHP sits behind the webserver and help narrow down its version: the eggs were removed in PHP 5.5, so serving them at all bounds the version, and the logos and credits page vary by release. Setting expose_php = Off removes them.



/admin.php
/test.php
/esx.php
/home.php
/tech.php
/network.php
/report.php
/filters.php
/status.php
/ticket.php
/ajax.php
/virtualization.php
/logout.php
/agent.php
/permissions.php
/push.php 
Each of these returned a "Session Expired" message when requested without a session cookie. The request reaches application code before the authentication check, so these endpoints should be reviewed for session handling weaknesses, such as hijacking a session with a stolen cookie.
 

/includes
/scripts
/registration
Returned 403 Forbidden rather than an internal message or error, which confirms the directories exist; otherwise the same observation as above.


/lib
/log
/sc
/api
/vendor
/junk
A significant number of PHP scripts that launch nearly any function on the device, reachable without authentication. This is the most critical item to fix: these scripts can be used to establish a reverse shell or other foothold on the server, and from there to mount any number of attacks against the device and its data.


/status
Processes the request but returns a blank page.

/tmp
Temp directory; reveals sensitive information. For example, the desktop screenshot stored there gives the username, system name, OS version, internal directory structure and software information.

/cgi-bin
Returns an internal server error (500), which confirms the path is handled; useful if its structure can be determined.

/images
Useful for determining what software, and therefore what attack surface, is present. For example, the Ajax component (see /ajax.php above) is vulnerable, and this directory confirms that it is installed and available.

/index.php
/log/
/scripts/jquery.js
/scripts/jquery-ui.js
/scripts/prototype.js
/scripts/scriptaculous.js
/scripts/setup.js
/scripts/common.js
/scripts/network.js
/scripts/base64.js
/scripts/adminSettings.js
/scripts/ga_stats.js
The client-side JavaScript can be viewed and downloaded without authentication. Beyond the stock libraries (jQuery, jQuery UI, Prototype, script.aculo.us), the application's own scripts (setup.js, network.js, adminSettings.js and so on) show how the UI drives the backend, which is extremely useful for planning attacks.


/index2.php
Reveals a large amount of private information about the box; this may be by design.


/about (and its subdirectories)
A significant amount of useful information for determining installed software and versions.


/branding
Empty, but the directory listing is viewable.

/debian
Reveals internal structure, installed software and setup scripting.

/css
All of the CSS stylesheets are readable. Useful for fingerprinting the UI and for a number of attacks.
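The practical question for anyone with one of these devices is whether the paths above (and the PHP easter eggs) are still reachable without a session cookie, both before the vendor fix and to verify it afterwards. The script below is an added example written for this post, not Datto's code or the tooling behind the original findings. It requests each path with no cookies and no redirect following, then sorts the response into the categories used in the list above: a PHP logo or credits page means expose_php is on, "Session Expired" means application code ran before any authentication check, 403 means the path exists, 5xx means a handler was reached. The base URL, the constructed canned responses and the in-process fake device are assumptions so that it runs offline; point probe() at a real appliance URL to use it for real.

```python
import http.server
import threading
import urllib.error
import urllib.request

# PHP easter-egg query strings, answered when expose_php = On (PHP < 5.5).
EASTER_EGGS = [
    "/?=PHPE9568F34-D428-11d2-A769-00AA001ACF42",  # PHP logo
    "/?=PHPE9568F35-D428-11d2-A769-00AA001ACF42",  # Zend logo
    "/?=PHPE9568F36-D428-11d2-A769-00AA001ACF42",  # PHP "egg" logo
    "/?=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000",  # PHP credits page
]
# A sample of the unauthenticated pages and directories listed above; extend as needed.
PAGES = ["/admin.php", "/push.php", "/includes/", "/lib/", "/tmp/", "/cgi-bin/"]

IMAGE_MAGIC = (b"\x89PNG", b"GIF8", b"\xff\xd8\xff")  # PNG, GIF, JPEG headers


def classify(path, status, body):
    """Map one (status, body) pair onto the finding categories used in the post."""
    if status == 200:
        if path.startswith("/?=PHP") and (body.startswith(IMAGE_MAGIC) or b"PHP Credits" in body):
            return "php-easter-egg (expose_php is on)"
        if b"Session Expired" in body:
            return "app-code-runs (session check only)"
        if b"Index of" in body or b"Directory listing" in body:
            return "directory-listing"
        return "content-served"
    if status == 403:
        return "forbidden (path exists)"
    if status in (401, 302):
        return "auth-required"
    if status == 404:
        return "not-found"
    if status >= 500:
        return "server-error (handler reached)"
    return "other-%d" % status


class NoRedirect(urllib.request.HTTPRedirectHandler):
    """Surface 3xx as an HTTPError instead of silently following to a login page."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def probe(base_url, paths, timeout=5):
    """GET each path with no cookies; return {path: category}."""
    opener = urllib.request.build_opener(NoRedirect)
    results = {}
    for path in paths:
        req = urllib.request.Request(base_url + path, headers={"User-Agent": "exposure-probe"})
        try:
            with opener.open(req, timeout=timeout) as resp:
                status, body = resp.status, resp.read(4096)
        except urllib.error.HTTPError as err:
            status, body = err.code, err.read(4096)
        except urllib.error.URLError:
            results[path] = "unreachable"
            continue
        results[path] = classify(path, status, body)
    return results


# Constructed responses standing in for the appliance (hypothetical, for the offline demo).
CANNED = {
    "/?=PHPE9568F34-D428-11d2-A769-00AA001ACF42": (200, b"\x89PNG\r\n\x1a\n" + b"\x00" * 16),
    "/?=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000": (200, b"<html><title>PHP Credits</title></html>"),
    "/admin.php": (200, b"<html><body>Session Expired</body></html>"),
    "/push.php": (200, b"Session Expired"),
    "/includes/": (403, b"Forbidden"),
    "/lib/": (200, b"<html><title>Index of /lib</title></html>"),
    "/tmp/": (200, b"<html><title>Index of /tmp</title>screenshot.png</html>"),
    "/cgi-bin/": (500, b"Internal Server Error"),
}


class FakeDevice(http.server.BaseHTTPRequestHandler):
    def do_GET(self):
        status, body = CANNED.get(self.path, (404, b"Not Found"))
        self.send_response(status)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the demo output to the findings only
        pass


def start_fake_device():
    """Serve CANNED on an ephemeral localhost port; returns the base URL."""
    server = http.server.HTTPServer(("127.0.0.1", 0), FakeDevice)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return "http://127.0.0.1:%d" % server.server_port


def run_demo():
    return probe(start_fake_device(), EASTER_EGGS + PAGES)


if __name__ == "__main__":
    for path, finding in run_demo().items():
        print("%-48s %s" % (path, finding))
```

Two design points: redirects are deliberately not followed, because a device that bounces unauthenticated requests to a login page is behaving correctly and should show up as auth-required rather than as the login page's 200; and only the first 4 KB of each body is read, which is enough to spot the markers without pulling down whole directory listings or screenshots. After the vendor fix, every entry should come back as auth-required, forbidden or not-found, and the easter eggs should all be not-found.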

The vendor was made aware of these issues in February and stated they were working on remediation.