XSS & Memory Disclosure

SEC Consult Vulnerability Lab Security Advisory < 20141219-0 >

=======================================================================

title: XSS & Memory Disclosure

product: NetIQ eDirectory NDS iMonitor

vulnerable version: 8.8 SP8, 8.8 SP7

fixed version: 8.8 SP8 HF 4,

fix available for versions 8.8 SP7 (8.8.7.4 HF 4,

8.8.7.6 HF 3)

CVE number: CVE-2014-5212, CVE-2014-5213

impact: High

homepage: www.netiq.com

found: 2014-10-29

by: W. Ettlinger

SEC Consult Vulnerability Lab

www.sec-consult.com

=======================================================================

 

Vendor description:

-----------------------------

"eDirectory(TM) is a full-service, secure LDAP directory providing incredible

scalability and an agile platform to run your organization's identity

infrastructure and multi-platform network services."

 

URL: www.netiq.com/products/edirectory/

 

 

Business recommendation:

------------------------

An attacker without an account on the NetIQ eDirectory NDS iMonitor is able

to gain administrative access by luring an authenticated administrator to

visit an attacker-controlled web site. Moreover, an authenticated attacker

is able to retrieve internal data which potentially contains sensitive

data.

 

As the NetIQ eDirectory is often used to maintain a centralized user database

it is a very attractive target for an attacker. By compromising this system,

an attacker may be able to conduct further attacks on other systems.

 

SEC Consult recommends to immediately conduct a full security review of

this software, especially if used as a centralized user database.

 

 

Vulnerability overview/description:

-----------------------------------

1) Memory Disclosure (CVE-2014-5213)

Using crafted HTTP requests an administrative user can retrieve parts of the

virtual memory from the service. This potentially discloses secret data like

passwords.

 

2) Reflected Cross Site Scripting (XSS, CVE-2014-5212)

A reflected cross site scripting vulnerability was identified. An attacker

could take over the user account of a valid administrator.

 

 

Proof of concept:

-----------------

1) Memory Disclosure (CVE-2014-5213)

When accessing the following URL as an authenticated user, parts of the virtual

memory can be retrieved:

https:// <host>:8030/nds/files/opt/novell/eDirectory/lib64/ndsimon/public/images

 

2) Reflected Cross Site Scripting (XSS, CVE-2014-5212)

The following URL demonstrates a reflected XSS flaw:

https:// <host>:8030/nds/search/data scope=st&rdn=%3C/script%20%3E%3Cscript%20%3Ealert%28%22XSS%22%29%3C/script%20%3E

 

 

Vulnerable / tested versions:

-----------------------------

The vulnerabilities have been verified to exist in the NetIQ eDirectory NDS

iMonitor version 8.8 SP8, which was the most recent version at the time of

discovery.

 

 

Vendor contact timeline:

------------------------

2014-10-29: Contacting security@netiq.com, sending responsible disclosure

policy and PGP keys

2014-10-29: Vendor redirects to security@novell.com, providing PGP keys

through Novell support page

2014-10-30: Sending encrypted security advisory to Novell

2014-10-30: Novell acknowledges the receipt of the advisory

2014-11-18: Novell: the vulnerabilities have been fixed by development; the

patches will be release end of November

2014-12-08: Novell: the release has been pushed to Dec. 8th

2014-12-09: Novell: the release 8.8.8.4 should be released tomorrow;

The hotfix for 8.8.7.6 is still pending

2014-12-17: Verifying release of advisory; asking whether patches have been

released

2014-12-18: Novell: Patches have been released

2014-12-19: Coordinated release of security advisory

 

 

Solution:

---------

Update to the release 8.8.8.4 or apply fix for versions 8.8 SP 7.

 

 

Workaround:

-----------

No workaround available.

 

 

Advisory URL:

-------------

www.sec-consult.com/en/Vulnerability-Lab/Advisories.htm

 

 

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

SEC Consult Vulnerability Lab

 

SEC Consult

Vienna - Bangkok - Frankfurt/Main - Montreal - Singapore - Vilnius - Zurich

 

Headquarter:

Mooslackengasse 17, 1190 Vienna, Austria

Phone: +43 1 8903043 0

Fax: +43 1 8903043 15

 

Mail: research at sec-consult dot com

Web: www.sec-consult.com

Blog: blog.sec-consult.com

Twitter: twitter.com/sec_consult

 

Interested to work with the experts of SEC Consult?

Write to career@sec-consult.com

 

EOF W. Ettlinger / @2014