Multiple Vulnerabilities in ELBA5

SEC Consult Vulnerability Lab Security Advisory < 20120220-1 >

=======================================================================

title: Multiple Vulnerabilities in ELBA5

product: ELBA 5

vulnerable version: ELBA 5.4.1

5.5.0 R00004 build 0778

fixed version: partially in 5.5.0 R00004 build 0778

all issues in 5.5.0 R5

impact: Medium

homepage: www.elba.at

found: 13.01.2012

by: Povilas Tumenas / SEC Consult Vulnerability Lab

www.sec-consult.com

=======================================================================

 

Vendor description:

-------------------

ELBA electronic banking is a multi-user, multi-protocol banking application.

For details, see www.elba.at.

 

 

Vulnerability overview/description:

-----------------------------------

1) The ELBA application v5.4.1 listens on a remotely reachable port that is

used for network testing purposes. It uses java serialization for its protocol

without any encryption or authentication. This can be abused to leak the

username of a currently logged on user. Disclosed usernames can be used in

further attacks on different services and/or ease bruteforcing of user

accounts.

Furthermore, if ELBA receives an invalid serialized method name an assertation

fails and a message box with an attacker controlled value is displayed and the

user is forced to shut down the application. This can be abused to disrupt the

work of a user, or as a part of a social engineering attack as it is possible

to make the message box display a message controllable by the attacker.

 

 

2) Due to insufficient input validation, the application

injection of direct SQL commands. By exploiting the vulnerability, an attacker

gains access to all records stored in the database. In this instance of SQL

injection, the vulnerability can additionally be used to get access to other

user accounts and their data.

During the creation of an account group by a non-sysadmin user the account

group name is not validated and is used in a SQL query. This allows for the

injection of arbitrary SQL code. The account group creation can be accessed

from the menu -> Master Data -> More -> Account Groups.

 

 

Proof of concept:

-----------------

1.a) Denial of Service:

 

A python script has been developed in order to exploit this issue. This

proof-of-concept code will not be published.

 

After sending the malicious payload ELBA would display a message box that

would force the user to quit the application. Please also note that the port

under which ELBA listens for serialized communication changes every time the

application starts, but it can be easily found remotely by port scanning.

 

 

1.b) Information Disclosure:

 

A python script has been developed in order to exploit this issue. This

proof-of-concept code will not be published.

 

The currently logged on username "SYSADMIN" is visible in the received data

after sending the malicious payload.

 

Please also note that the port under which ELBA listens for serialized

communication changes every time the application starts, but it can be easily

found remotely by port scanning.

 

 

2) Account Group Creation SQL-Injection:

To prove this issue it is sufficient to click the "New" button and enter a value

that would result in an invalid SQL query as the name of the account group.

 

The description field can be anything, and either one or both of the

checkboxes must be selected. If you try to create this new account group, then

the SQL server terminates and an error message is displayed, because the SQL

query with an invalid syntax was executed. If a user enters a value that

results in a valid SQL query then the account group creation is successful.

 

This attack does not work with the sysadmin account, because when using the

sysadmin account a prepared statement is used for account group creation.

 

 

Vulnerable / tested versions:

-----------------------------

1) Information Disclosure and DoS are only exploitable in ELBA v5.4.1

2) ELBA 5.5.0 R00004 build 0778

 

 

Vendor contact timeline:

------------------------

2012-01-20: Contacting vendor through software@racon-linz.at.

2012-01-23: Vendor responds with contact of CISO.

2012-01-23: Contacting CISO with advisory.

2012-01-26: Vendor has verified vulnerability #2 and pointed out, that only

version v5.4.1 is affected by vulnerability #1.

2012-01-26: Verification of affected version of vulnerability #1 and update of

advisory accordingly.

2012-01-27: Vulnerability #2 will be fixed with next release (version 5.5.0 R5)

on February 13th.

2012-02-13: Sending updated advisory to vendor

2012-02-20: Public release

 

 

Solution:

---------

1) The network testing functionality has been disabled or removed in

ELBA 5.5.0. Upgrade to the newest version.

 

2) According to the vendor, the SQL injection has been fixed in ELBA 5.5.0 R5.

Upgrade to the new release.

 

 

Workaround:

-----------

1) In order to mitigate the vulnerability, firewall rules can be set to

prevent unauthorized access to the port used for network testing.

 

2) Do not give a user the privilege to create account groups.

 

 

Advisory URL:

-------------

www.sec-consult.com/vulnerability-lab/

 

 

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

SEC Consult Unternehmensberatung GmbH

 

Office Vienna

Mooslackengasse 17

A-1190 Vienna

Austria

 

Tel.: +43 / 1 / 890 30 43 - 0

Fax.: +43 / 1 / 890 30 43 - 25

Mail: research at sec-consult dot com

www.sec-consult.com

 

EOF PTU / @2012