MWR InfoSecurity work with the CPNI (Centre for the Protection of National Infrastructure) to publish security advisories (formerly known as UNIRAS Alerts) for vulnerabilities which we discover in the course of our work. These advisories disclose and discuss vulnerabilities in systems which are in widespread use. CPNI then liaise with the vendors to secure the application in question. The disclosure of these vulnerabilities gives CPNI the ability to provide timely information concerning potential IT security problems that could affect the Critical National Infrastructure community.
The work of CPNI is underpinned by the principle of responsible disclosure. Information is released to stakeholders at the appropriate time, with the aim of minimising any possible disruption from the threat.
Further information on the work of the CPNI can be found at www.cpni.gov.uk
Recent advisories produced by MWR InfoSecurity are listed below in date order. On this page you can also find recent presentations and White Papers from MWR InfoSecurity consultants.
May 06, 2008
White Paper: IBM Websphere MQ Security
The first in a series of white papers discussing IBM Websphere MQ security has been released by Martyn Ruks of MWR InfoSecurity.
IBM's WebSphere MQ is a widely used and respected middleware application for handling messaging within an enterprise network. Its popularity and level of adoption arise from its robustness, scalability, functionality and compatibility with a wide range of platforms and applications. Whilst the software has a large number of security features, the complexity of the environments within which it operates often results in it being poorly configured. This environmental complexity and the richness of the product's feature set can make it an attractive target to attackers. In an era when front-end web applications and back-end databases are subject to increasingly intensive security testing, the weakest link in an application can now often be found in the middleware.
Applications that are not well documented within penetration testing manuals and for which there is no well-defined testing toolkit available can often be brushed over during a penetration test. However, a skilled attacker will not concern themselves with such limitations and could exploit any vulnerabilities that are present in the system with devastating effect. This paper documents the results of research and investigation into WebSphere MQ systems and introduces a methodology for assessing the security of the software product from the perspective of a penetration tester.
It has been found that WebSphere MQ environments can be secured, but this is not a trivial process and a detailed understanding of the technology is required. The information included within this document can be used to understand the requirements placed on those people who are responsible for the security of such environments.
April 24, 2008
Advisory: National Rail Live Enquiries Departure Board Gadget Vulnerability
The National Rail Live Departure Board gadget has been identified as being vulnerable to a script injection attack that could potentially allow remote attackers to execute commands on the target system. An attacker successfully exploiting this vulnerability could execute arbitrary commands in the context of the current logged in user.
The National Rail Live Departure Board Sidebar gadget vulnerability is present because of a lack of sufficient sanitisation on arguments passed from the web server to the Sidebar gadget application.
The vendor has addressed this vulnerability and implemented a fix in version 1.1. This version has yet to be tested.
The National Rail Live Enquiries Departure Board Gadget upgrade can be found at the following location:
http://gallery.live.com/LiveItemDetail.aspx?li=aef90e44-18cf-4246-b1d9-4ab83e0e13db
April 16, 2008
White Paper: Security Implications of Windows Access Tokens
A white paper was published today by Luke Jennings of MWR InfoSecurity which discusses the security exposures that can occur due to the manner in which access tokens are implemented in the Microsoft® Windows Operating System.
A brief overview of the intended function, design and implementation of Windows access tokens is given, followed by a discussion of the relevant security consequences of their design. More specific technical details are then given on how the features of Windows access tokens can be used to perform powerful post-exploitation functions during penetration testing, along with a basic methodology for including an assessment of the vulnerabilities exposed through tokens in a standard penetration test.
Discussion is also included about why many corporate environments (assessed during penetration tests conducted by MWR InfoSecurity) have been found to not be operating in a manner which limits the risk of such issues. Finally, best practice advice is given on how to defend against these attacks.
It must be noted that the security issues discussed in this white paper do not represent a flaw in the Microsoft® Windows Operating System but are an expected consequence based on the design and implementation of Windows access tokens. The important point is that many corporate environments do not account for these issues within their security strategy and, consequently, the controls in many of these environments are not sufficient to withstand the techniques discussed here.
Additionally, it is acknowledged that the security implications of Windows access tokens have been discussed before both in general terms and to different degrees of technical detail. This document is not intended to present such discussions as being fundamentally new; instead it is intended to collate some of the existing knowledge, introduce some new findings and to demonstrate why many years after the general principles discussed were highlighted, many corporate environments are still vulnerable to these issues.
The paper is based upon research originally presented by the author at Defcon 15 [1] and Chaos Computer Congress (CCC) 2007 [2].
April 15, 2008
Advisory: IBM Informix Pre-Authentication Stack Overflow
An advisory has been released today by MWR InfoSecurity relating to a pre-authentication stack overflow in IBM Informix.
The IBM Informix Database service is vulnerable to a stack based buffer overflow which can be exploited remotely before the authentication has been completed.
The vulnerability would enable an attacker to execute arbitrary code on the system with the privileges of the Informix user. By default, this account is a member of the administrators group on a Microsoft Windows system.
The code responsible for parsing the parameters within the first packet of the protocol handshake does not validate the number of arguments it accepts. This results in the ability to overflow a stack buffer which in turn allows arbitrary code to be executed.
The vendor has released updates to resolve this issue; please refer to the following link.
http://www-1.ibm.com/support/search.wss?rs=0&q=IC55223&apar=only.
April 04, 2008
Advisory: Watchguard Firebox User Enumeration vulnerability
An advisory has been published today by MWR InfoSecurity relating to a user enumeration vulnerability present in Watchguard Firebox software prior to Version 10. The vendor has released a patch to address the issue which may be downloaded from https://www.watchguard.com/archive/softwarecenter.asp.
The impact of this vulnerability is that password guessing attacks can be performed much more efficiently by conducting them only against those usernames known to be valid. Additionally, these usernames may be valid on other systems and may also aid social engineering attacks.
April 03, 2008
Advisory: Interwoven WorkSite - Active X Control Remote Code Execution
Worksite is a document management and email management solution from Interwoven Inc (Interwoven). Some of the functionality of the application is made available through ActiveX controls which are distributed within the iManFile.cab file. The ActiveX controls were found to be unsafe and permit code to be executed remotely by an attacker who is able to direct a user to a website containing exploit code.
The most serious of these vulnerabilities could enable an attacker to execute arbitrary code on a user’s computer remotely. This code would be executed with the permissions of the user logged into the system. However, other vulnerabilities are present.
The vendor has addressed this vulnerability in their latest service pack (WorkSite Web 8.2 SP1 P2) available from http://worksitesupport.interwoven.com.
March 28, 2008
Advisory: IBM Websphere MQ
An advisory was published today relating to IBM Websphere MQ Security Exit Authentication Bypass vulnerability. The vendor has released a fix pack that addresses these issues.
The WebSphere MQ service can be used to transfer messages between systems and applications. It is possible to protect the channels within the Queue Manager with a security exit which requires that an authentication check be passed before a connection can be established. A method of bypassing this authentication has been discovered which would enable unauthorised access to be gained.
March 28, 2008
Advisory: IBM Websphere MQ MCAUSER
The WebSphere MQ service can be used to transfer messages between systems and applications. It is possible to lock down access to channels by setting an invalid MCAUSER. A method of bypassing this authorisation control has been discovered which would enable unauthorised access to be gained. The vendor has released a fix for this vulnerability and download details are available within the advisory.
March 07, 2008
Advisory: Elastic Path Arbitrary File Systems Access
An advisory has been released today by MWR InfoSecurity relating to Elastic Path ecommerce software versions 4.1 and 4.1.1.
Multiple input validation vulnerabilities were identified within the Elastic Path application. As a result, directory traversal was possible allowing unrestricted file system access to the remote server. The impact of the vulnerabilities could enable an attacker to upload and download files from arbitrary locations on the affected system.
The vendor has released a patch to address these vulnerabilities. To obtain the patch users must contact the vendor at support@elasticpath.com or
http://www.elasticpath.com/support/.
February 07, 2008
Advisory: ITN News Sidebar Gadget
An advisory has been released today by MWR InfoSecurity relating to the ITN News Windows Vista sidebar gadget which is vulnerable to a script injection attack that could allow remote attackers to execute commands on the target system.
The vendor has addressed this vulnerability and implemented a fix in version 1.23.
The full advisory, including a link to the upgrade, can be viewed here.
January 15, 2008
Advisory: Meridio Cross Site Scripting Vulnerability
Meridio Document and Records Management has been identified as being vulnerable to an embedded Cross Site Scripting attack that could potentially allow remote attackers to inject JavaScript into the application. This would then be executed within the context of the browser of the application user.
The impact of this attack is limited only by the creativity of the attacker exploiting this vulnerability. The most dangerous form of XSS involves hostile code being permanently stored within the application, so that the embedded code is executed by every user accessing the affected page; this is the case in this instance.
Meridio have addressed this vulnerability and implemented a fix in version 4.3 SR1 and higher.
December 17, 2007
Advisory: Plogger SQL Injection
An SQL injection vulnerability was identified in Plogger, a popular open source PHP photo gallery.
CPNI (The Centre for the Protection of National Infrastructure) have been informed of this vulnerability. The vendor has also been informed and has released a code fix which is available from change set 489.
The vulnerability would enable an attacker to inject arbitrary SQL statements. SQL injection inference techniques were used to develop a proof of concept exploit that could be used to access any field from the Plogger database (and potentially any field of any database accessible by the database user Plogger is configured to use).
October 15, 2007
Advisory: IBM Lotus Domino "If-Modified-Since" Stack Overflow
The IBM Lotus Domino Web Server service is vulnerable to a stack based buffer overflow which can be exploited remotely. Upon reporting this issue to IBM it was discovered that this was a known issue which had been resolved in a number of previous releases and Fix Packs. However, the previously reported issue did not correctly assess the impact of the vulnerability or provide a description that allowed the vulnerability of a given system to be accurately assessed.
September 27, 2007
White Paper: Considerations for the Secure Rollout of Sidebar Gadgets on Windows Vista
This white paper discusses the potential impact of the new Sidebar Gadgets feature of the Microsoft® Windows Vista™ Operating System. It also examines the requirements for its secure rollout and describes in detail different types of attacks and their consequences. Remedial actions and best practice recommendations are also included in this document.
September 17, 2007
Advisory: Merak Webmail XSS
The Merak Mail Server provides a web based interface called IceWarp which allows users to send and retrieve emails using a web browser. However, email content is not sufficiently sanitised, which can result in the execution of arbitrary scripts. On accessing the web interface of the application the user is assigned two session IDs. An attacker could harvest these session IDs by sending specially crafted emails to users. The session IDs would be transmitted to the attacker when the users opened the malicious emails. With this information the attacker would be able to gain access to the users' accounts.
August 13, 2007
Tools: MQ Jumping
The tools described by Martyn Ruks for MQ jumping at DefCon 15 can be downloaded from here.
August 03, 2007
Presentation: DefCon Websphere MQ
On Friday 3rd August 2007 MWR InfoSecurity presented a talk about the security of the IBM WebSphere MQ software at DefCon 15 in Las Vegas. The presentation from the WebSphere MQ talk can be downloaded using the link provided here.
April 26, 2007
Advisory: Elastic Path - Administrative Session Hijacking through Embedded XSS
Elastic Path has been identified as being vulnerable to an embedded Cross Site Scripting (XSS) attack that could potentially allow remote attackers to hijack a legitimate administrator's session cookie. An attacker could exploit this vulnerability to gain unauthorised access to the Elastic Path Commerce Manager and obtain administrative privileges.
April 04, 2007
Advisory: Cache Sample Page XSS
The sample Cache Server pages shipped with the Cache database contain a number of Cross Site Scripting (XSS) vulnerabilities. These could enable an attacker to target users of a web application deployed on the same system.
February 27, 2007
Advisory: Communigate XSS
The CommuniGate Pro application provides a web based application allowing users to retrieve emails using a web browser. However, email content is not sufficiently sanitised and can result in the execution of arbitrary scripts. On accessing the web interface of the application the user is assigned a session ID. By sending a specially crafted email, an attacker would be able to trick the user into transmitting their session ID to the attacker.
January 10, 2007
Advisory: Cisco IOS Invalid DLSw Handshake Denial of Service
Data Link Switching is primarily used for transporting SNA communications across an IP network. Support for this protocol is provided by Cisco networking devices as part of IOS although it is not enabled by default. In specific configurations an attacker could use the DLSw service to trigger a reload of the router's configuration resulting in a Denial of Service condition.
November 28, 2006
Advisory: Crystal Reports Weak Sessions
Crystal Reports makes use of a cookie value called WCSID as a session identifier. This session identifier is not sufficiently random, nor does it contain enough entropy. In addition, the session identifier is not tied to a user's IP address. This combination allows an attacker to hijack any currently authenticated user's session from any location.
August 05, 2006
Presentation: DefCon 14 IBM Networking
Presentation given by Martyn Ruks at DefCon 14 (2006) on testing IBM Network Security.