Multiple high risk vulnerabilities in GroundWork Monitor Enterprise (part 2)

SEC Consult Vulnerability Lab Security Advisory < 20130308-1 >

=======================================================================

title: Multiple high risk vulnerabilities (part 2)

product: GroundWork Monitor Enterprise

vulnerable version: 6.7.0

fixed version: none - optional technical bulletin released

impact: High

homepage: www.gwos.com

found: 2013-02-11

by: Johannes Greil

SEC Consult Vulnerability Lab

www.sec-consult.com

=======================================================================

 

Vendor/product description:

------------------------------------------------------------------------------

"GroundWork Monitor is the leading open platform for monitoring the

availability and performance of enterprise business services, applications and

infrastructure. It can live and monitor both on premises and in the cloud. As

an open platform, it is easily integrated with common IT service management

processes and tools and is competitively and simply priced."

 

URL: www.gwos.com/features/

 

 

------------------------------------------------------------------------------

Business recommendation:

------------------------------------------------------------------------------

SEC Consult identified multiple vulnerabilities with high risk within the

components of the "GroundWork Monitor Enterprise" solution. The scope of the

test, where the vulnerabilities have been identified, was a very short

evaluation crash-test (~1 PD, part 2) which the software utterly failed. Some

components have been spot-checked, others have not been tested at all (e.g.

cloud components).

 

The recommendation of SEC Consult is to immediately switch off

existing GroundWork systems until further security measures and thorough

follow-up security tests have been implemented and performed.

 

 

------------------------------------------------------------------------------

Vulnerability overview/description:

------------------------------------------------------------------------------

The following vulnerability description has been categorized into the

components where the vulnerabilities have been identified.

 

1) NeDi component

~~~~~~~~~~~~~~~~~

In order to exploit the following vulnerabilities an attacker has to have

low privileged "user" access level rights within GroundWork. The NeDi

application itself thinks that an admin user has logged in and gives full access

rights!

 

1.1) Access to sensitive files

A low-privileged attacker is able to gain access to NeDi configuration files or

database dumps or Tomcat status context by just entering a URL.

 

 

1.2) Privilege escalation through command execution

A low privileged "user" account is able to access the "System File Overview"

feature of NeDi which allows editing of files and hence the execution of arbitrary

operating system commands.

 

Affected script:

/nedi/html/System-Files.php

 

 

1.3) Direct OS command injection

A low privileged "user" account is able to execute arbirary OS commands through

missing input validation within the "System / NeDi" menu functionality. NeDi allows

to scan internal IP addresses which can be exploited by a classic OS command

injection payload.

 

Affected script:

/nedi/html/System-NeDi.php

 

 

1.4) SQL injection & execution of arbitrary SQL statements

A low privileged "user" account can execute arbitrary SQL statements within

the current schema (nedi) of the PostgreSQL database and furthermore also exploit

SQL injection vulnerabilities.

 

Affected scripts:

/nedi/html/System-Export.php

/nedi/html/Devices-List.php

 

 

1.5) Open redirection

NeDi is affected by an open redirection vulnerability. If an authenticated victim

of the attack clicks on a special URL he will be redirected to a website controlled

by the attacker.

 

 

1.6) Multiple XSS vulnerabilities

The NeDi component suffers from multiple XSS vulnerabilities because no input

validation is being performed. An attacker is able to steal user accounts/sessions

and potentially gain higher privileges within GroundWork.

 

 

 

2) Cacti component

~~~~~~~~~~~~~~~~~~

In order to exploit the following vulnerabilities an attacker has to have

low privileged "user" access level rights within GroundWork.

2.1) Insufficient authorization

A low-privileged user is able to access and change all configuration settings

within the Cacti component including user accounts and passwords.

 

2.2) Bundled Cacti version is outdated

The Cacti version 0.8.7g that is bundled with GroundWork is already affected by

at least two known vulnerabilities (Cross-Site Request-Forgery and SQL injection).

 

 

 

3) Noma component

~~~~~~~~~~~~~~~~~

The following security flaws can only be exploited with a valid "admin" session,

but at least the cross-site request forgery flaw in combination with the

permanent XSS flaw can be exploited by outside attackers in order to gain

administrative access to GroundWork.

 

3.1) Cross-site request forgery

An attacker can use cross-site request forgery to perform arbitrary web requests

with the identity of the victim without being noticed by the victim. Although

responses to these requests are not delivered to the attacker, in many cases it

is sufficient to be able to compromise the integrity of the victim’s information

stored on the site or to perform certain, possibly compromising requests to

other sites.

 

 

3.2) Multiple reflected and permanent cross-site scripting

The Noma component suffers from multiple XSS vulnerabilities because no input

validation is being performed. An attacker is able to steal user accounts/sessions

and potentially gain higher privileges within GroundWork.

 

 

3.3) SQL injection

Due to insufficient input validation, the application allows the injection of

direct SQL commands. By exploiting the vulnerability, an attacker gains access

to all records stored in the database with the privileges of the web application

user.

 

 

 

------------------------------------------------------------------------------

Proof of concept:

------------------------------------------------------------------------------

Detailed proof of concept URLs and exploits have been removed from this

advisory as the underlying security issues will not be fixed by GroundWork and

only be addressed by authentication and authorization changes.

 

 

1) NeDi component

~~~~~~~~~~~~~~~~~

1.1) Access to sensitive files

Access config files:

[...]

 

If a legitimate user dumped some database contents through standard NeDi

functionality, it will be reachable directly with "user" rights:

 

[...]

 

Tomcat Status

[...]

 

 

1.2) Privilege escalation through command execution

The following component allows editing of files of a given whitelisted array.

At least one of the whitelisted files is a PHP file which can be edited and

accessed through the webserver:

 

Step a) Access start URL

[...]

 

Step b) Go to menu "[...]":

[...]

 

Step c) Edit "[...]" and enter payload:

[...]

 

Step d) Execute arbitrary OS commands:

[...]

 

 

1.3) Direct OS command injection

Affected URL:

[...]

 

Affected parameters, at least: [...]

Payload:

[...]

 

 

1.4) SQL injection & execution of arbitrary SQL statements

Execute arbitrary SQL statements with "[...]" parameter:

[...]

 

It has not been investigated whether changes to the NeDi database will affect

or propagate to other GroundWork components!

 

Unfiltered input in at least "[...]" parameter:

[...]

 

1.5) Open redirection

[...]

 

1.6) Multiple XSS vulnerabilities

[...]

 

 

2) Cacti component

~~~~~~~~~~~~~~~~~~

2.1) Insufficient authorization

A low-privileged user is able to access/change all configuration settings, e.g.:

[...]

 

2.2) Bundled Cacti version is outdated

[...]

 

 

3) Noma component

~~~~~~~~~~~~~~~~~

3.1) Cross-site request forgery

Store permanent XSS payload via CSRF attack:

[...]

 

Delete arbitrary entries via CSRF:

[...]

 

 

3.2) Multiple reflected and permanent cross-site scripting

Permanent XSS:

[...]

 

Reflected XSS:

[...]

 

 

3.3) SQL injection

[...]

 

 

 

------------------------------------------------------------------------------

Vulnerable / tested versions:

------------------------------------------------------------------------------

The vulnerabilities have been tested in the currently latest available version

v6.7.0.

 

SEC Consult tested the pre-installed Ubuntu image 6.7.0-br287-gw157 with a

GroundWork Monitor Core test license.

 

 

SEC Consult strongly assumes that many further vulnerabilities exist and previous

GroundWork versions are affected too.

 

 

------------------------------------------------------------------------------

Vendor contact timeline:

------------------------------------------------------------------------------

2013-02-12: Contacting vendor via direct email contact (after trying to

establish contact since 14th January, see advisory part 1)

2013-02-13: Vendor, info from engineering: patch for 27th February planned;

Patch only addresses few issues (Referer checks) and not critical

vulnerabilities

SEC Consult: proper fixes needed, not a "workaround patch"

2013-02-26: Vendor: Email reply regarding conference call

2013-02-28: Conference call

2013-03-04: GroundWork provides optional technical bulletin for review

2013-03-05: SEC Consult states that the optional technical bulletin is not

enough and does not fix the underlying issues within source code

Informing US-CERT about the status and pending release

2013-03-06: Contacting local CERT teams

2013-03-06: GroundWork informs their customers

2013-03-07: Release of optional technical bulletin by GroundWork

2013-03-08: SEC Consult releases coordinated security advisory without proof

of concept

 

 

------------------------------------------------------------------------------

Solution:

------------------------------------------------------------------------------

GroundWork does not offer patches for the identified security vulnerabilities.

 

An optional technical bulletin is available by GroundWork that restricts

access to GroundWork components by adding a SSO authentication layer for the

affected components. Furthermore, configuration changes are suggested by

GroundWork that disable "user" privilege access for some applications and

require "admin" access rights in the future:

 

kb.groundworkopensource.com/display/SUPPORT/SA6.7.0-1+Some+web+components+allow+bypass+of+role+access+controls

 

 

This recommendation by GroundWork is not sufficient and therefore not

suggested by SEC Consult. In order to mitigate the risk, the vulnerabilities

have to be fixed within the source code.

 

 

In secure environments, such as operating centers where this software is

for instance used, it is highly undesirable to use insecure applications.

 

 

------------------------------------------------------------------------------

Workaround:

------------------------------------------------------------------------------

Implement the suggestions of the technical bulletin. Keep in mind that the

underlying security issues are not being addressed by the bulletin.

 

Furthermore, use additional measures to secure the application, e.g. but not

limited to strict network segmentation. Only allow administrators to access

the server. Secure all accounts with strong passwords & disable standard

accounts.

 

 

 

------------------------------------------------------------------------------

Advisory URL:

------------------------------------------------------------------------------

www.sec-consult.com/en/Vulnerability-Lab/Advisories.htm

 

 

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

SEC Consult Unternehmensberatung GmbH

 

Office Vienna

Mooslackengasse 17

A-1190 Vienna

Austria

 

Tel.: +43 / 1 / 890 30 43 - 0

Fax.: +43 / 1 / 890 30 43 - 25

Mail: research at sec-consult dot com

www.sec-consult.com

blog.sec-consult.com

 

EOF Johannes Greil / @2013