SEC Consult Vulnerability Lab Security Advisory < 20120220-1 >
=======================================================================
title: Multiple Vulnerabilities in ELBA5
product: ELBA 5
vulnerable version: ELBA 5.4.1
5.5.0 R00004 build 0778
fixed version: partially in 5.5.0 R00004 build 0778
all issues in 5.5.0 R5
impact: Medium
homepage: www.elba.at
found: 13.01.2012
by: Povilas Tumenas / SEC Consult Vulnerability Lab
=======================================================================
Vendor description:
-------------------
ELBA electronic banking is a multi-user, multi-protocol banking application.
For details, see www.elba.at.
Vulnerability overview/description:
-----------------------------------
1) The ELBA application v5.4.1 listens on a remotely reachable port that is
used for network testing purposes. It uses java serialization for its protocol
without any encryption or authentication. This can be abused to leak the
username of a currently logged on user. Disclosed usernames can be used in
further attacks on different services and/or ease bruteforcing of user
accounts.
Furthermore, if ELBA receives an invalid serialized method name an assertation
fails and a message box with an attacker controlled value is displayed and the
user is forced to shut down the application. This can be abused to disrupt the
work of a user, or as a part of a social engineering attack as it is possible
to make the message box display a message controllable by the attacker.
2) Due to insufficient input validation, the application
injection of direct SQL commands. By exploiting the vulnerability, an attacker
gains access to all records stored in the database. In this instance of SQL
injection, the vulnerability can additionally be used to get access to other
user accounts and their data.
During the creation of an account group by a non-sysadmin user the account
group name is not validated and is used in a SQL query. This allows for the
injection of arbitrary SQL code. The account group creation can be accessed
from the menu -> Master Data -> More -> Account Groups.
Proof of concept:
-----------------
1.a) Denial of Service:
A python script has been developed in order to exploit this issue. This
proof-of-concept code will not be published.
After sending the malicious payload ELBA would display a message box that
would force the user to quit the application. Please also note that the port
under which ELBA listens for serialized communication changes every time the
application starts, but it can be easily found remotely by port scanning.
1.b) Information Disclosure:
A python script has been developed in order to exploit this issue. This
proof-of-concept code will not be published.
The currently logged on username "SYSADMIN" is visible in the received data
after sending the malicious payload.
Please also note that the port under which ELBA listens for serialized
communication changes every time the application starts, but it can be easily
found remotely by port scanning.
2) Account Group Creation SQL-Injection:
To prove this issue it is sufficient to click the "New" button and enter a value
that would result in an invalid SQL query as the name of the account group.
The description field can be anything, and either one or both of the
checkboxes must be selected. If you try to create this new account group, then
the SQL server terminates and an error message is displayed, because the SQL
query with an invalid syntax was executed. If a user enters a value that
results in a valid SQL query then the account group creation is successful.
This attack does not work with the sysadmin account, because when using the
sysadmin account a prepared statement is used for account group creation.
Vulnerable / tested versions:
-----------------------------
1) Information Disclosure and DoS are only exploitable in ELBA v5.4.1
2) ELBA 5.5.0 R00004 build 0778
Vendor contact timeline:
------------------------
2012-01-20: Contacting vendor through software@racon-linz.at.
2012-01-23: Vendor responds with contact of CISO.
2012-01-23: Contacting CISO with advisory.
2012-01-26: Vendor has verified vulnerability #2 and pointed out, that only
version v5.4.1 is affected by vulnerability #1.
2012-01-26: Verification of affected version of vulnerability #1 and update of
advisory accordingly.
2012-01-27: Vulnerability #2 will be fixed with next release (version 5.5.0 R5)
on February 13th.
2012-02-13: Sending updated advisory to vendor
2012-02-20: Public release
Solution:
---------
1) The network testing functionality has been disabled or removed in
ELBA 5.5.0. Upgrade to the newest version.
2) According to the vendor, the SQL injection has been fixed in ELBA 5.5.0 R5.
Upgrade to the new release.
Workaround:
-----------
1) In order to mitigate the vulnerability, firewall rules can be set to
prevent unauthorized access to the port used for network testing.
2) Do not give a user the privilege to create account groups.
Advisory URL:
-------------
www.sec-consult.com/en/advisories.html
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
SEC Consult Unternehmensberatung GmbH
Office Vienna
Mooslackengasse 17
A-1190 Vienna
Austria
Tel.: +43 / 1 / 890 30 43 - 0
Fax.: +43 / 1 / 890 30 43 - 25
Mail: research at sec-consult dot com
EOF PTU / @2012