SEC Consult Vulnerability Lab Security Advisory < 20141029-0 >
=======================================================================
title: Multiple critical vulnerabilities
product: Vizensoft Admin Panel
vulnerable version: 2014
fixed version: -
impact: critical
homepage: www.vizensoft.com
found: 2014-07-10
by: A. Antukh, A. Baranov
SEC Consult Vulnerability Lab
=======================================================================
Vendor & product description:
=============================
Vizensoft is one of the major software vendors, especially aimed at medical
organizations in Korea.
A list of companies and organizations which are using their software, is available
on the official websites:
www.vizensoft.com/portfolio/index.jsp
www.vizenmedical.com/portfolio/index.jsp
"Vizensoft are doing business with online marketing professional IT companies
and individuals in need of a rapidly changing competitive world to discerning
corporate customer's success by providing capabilities of a high quality
Marketing Technology"
(translated from Korean)
Source: vizensoft.com/about/index.jsp
Business recommendation:
========================
Attackers are able to completely compromise the web application built upon
Vizensoft CMS as they can gain access to the system and database level and
manage the website as an admin without prior authentication!
It is highly recommended by SEC Consult not to use this software until a
thorough security review has been performed by security professionals and all
identified issues have been resolved.
It is assumed that further critical vulnerabilities exist.
Vulnerability overview/description:
===================================
1) Admin Backdoor Account
-------------------------
The MySQL database table "admin" contains a "vizensoft" admin user with user
id 1 with administrative access rights. This user account does NOT show up within
the "User administration" menu when logged in as administrator user account in
the web interface. Hence the password can't be changed there.
2) Authentication Bypass
------------------------
Unauthenticated attackers are able to gain full access to the administrator panel
and thus have total control over the web application, including content change,
reading e-mails, modifying users and abusing e-mail and SMS functionality.
3) Arbitrary File Upload
------------------------
At least two vulnerable pages exist where unauthenticated attackers are able
to upload arbitrary files on the server. Furthermore, due to insufficient
validation it is possible to bypass file extension checks and execute uploaded
files which leads directly to a complete server compromise.
4) Multiple Cross Site Scripting issues
---------------------------------------
Vizensoft CMS suffers from multiple cross-site scripting vulnerabilities,
which allow an attacker to steal other users' sessions, to impersonate other
users and to gain unauthorized access to the web interface and user messages.
5) Multiple unauthenticated SQL injection issues
------------------------------------------------
The web application framework suffers from multiple SQL injection vulnerabilities
that can be exploited without prior authentication!
By exploiting this vulnerability, an attacker gains access to all records
stored in the database with the privileges of the database user.
6) Source Code Disclosure
-------------------------
The default installation of Vizensoft CMS opens a large spectrum for information
gathering for the attacker. It is possible to disclose source code of the
application, configuration files and even steal passwords for direct connection
to the database.
7) Missing Password Policy
--------------------------
The password policy used in the CMS does not restrict the complexity of the
password in any way, which makes users of the application vulnerable to
possibly bad passwords and further attacks on their accounts such as guessing
and brute-forcing.
Proof of concept:
=================
The proof of concept information has been removed from this advisory as the
vendor failed to respond within 50 work days and does not provide a fix.
1) Admin Backdoor Account
-------------------------
The password hash MySQL-SHA1 of the hidden admin user vizensoft is:
[removed]
The user does not show up within the admin web interface even when logged in
as an administrator. Moreover, due to intentionally left backdoor login page,
it is possible to disclose the password thus making any system which is built on
Vizensoft CMS vulnerable.
Link to the backdoor page is presented below:
[removed]
Credentials for authentication are the following:
vizensoft:[removed]
Detailed proof of concept exploits have been removed for this vulnerability.
2) Authentication Bypass
------------------------
Login form for admininstation panel of the Vizensoft CMS can be accessed by
following the next URL:
[removed]
If an attacker tries to access the admin panel without valid authentication,
a confirmation window, demanding to proceed to login form, is shown. This
confirmation window can be bypassed and the attacker then gains access to the
admin panel.
Detailed proof of concept exploits have been removed for this vulnerability.
3) Arbitrary File Upload
------------------------
The following script can be accessed by an unauthenticated attacker in order
to upload arbitrary files to the [removed] directory:
[removed]
The common problem here is that the filename extension checks are only done on
client and not on the server side, which makes it extremely easy for an
attacker to circumvent it and upload a desired file anyway.
Moreover, due to vulnerable photo uploader packaged in a default installation of
Vizensoft CMS, it is possible to bypass default checks and upload any file on the
server in order to later execute it on the server and gain full access to the system.
HTML page serving to upload images is resided on the following URL:
[removed]
Detailed proof of concept exploits have been removed for this vulnerability.
4) Multiple Cross Site Scripting issues
---------------------------------------
The following URLs are examples for reflected XSS (list is not complete):
[removed]
It is assumed that further scripts are vulnerable to XSS!
Detailed proof of concept exploits have been removed for this vulnerability.
5) Multiple unauthenticated SQL injection issues
------------------------------------------------
The following sample request (no authentication needed!) will return concatenated
string AABB in the error message which proves the existence of SQL injection.
[removed]
Further exploitation allows an attacker to extract usernames and passwords from the
'admin' table. Since all password hashes are hashed using MySQL SHA-1 without a
salt and since the password policy is not strict, it's easy to brute-force extracted
passwords using standard means.
Further affected scripts and parameters (list not complete):
[removed]
It is assumed that further SQL injection vulnerabilities exist!
Detailed proof of concept exploits have been removed for this vulnerability.
6) Source code disclosure
-------------------------
The following script can be used to retrieve the content of any file in web root
directory:
[removed]
For example, the following files (both configuration and default functional) can be
retrieved via this script:
[removed]
This is extremely dangerous, since some of them contain configuration
information for sql server such as connection string, username and cleartext
password. More files with hardcoded passwords can be obtained - for example,
[removed] contains hard-coded passwords for external services.
Detailed proof of concept exploits have been removed for this vulnerability.
7) Missing Password Policy
--------------------------
No proof of concept necessary.
Vulnerable / tested versions:
=============================
The vulnerabilities have been verified to exist in the latest version of
Vizensoft Admin Panel 2014. It is assumed previous releases are affected too.
Vendor contact timeline:
------------------------
2014-09-09: Contacted vendor through vizensoft@vizensoft.com, requesting encryption
keys and attaching responsible disclosure policy. No response.
2014-09-12: Contacted vendor through service@vizensoft.com, question@vizensoft.com,
info@vizensoft.com and support@vizensoft.com, requesting encryption
keys and attaching responsible disclosure policy. No response.
2014-10-20: Latest possible release date of 29/10/2014 reminder.
2014-10-29: SEC Consult releases security advisory.
Solution:
---------
It is recommended to suspend use of the product until the security update is
released and a detailed security review of the product has been performed.
Workaround:
-----------
No workaround available.
Advisory URL:
-------------
www.sec-consult.com/en/Vulnerability-Lab/Advisories.htm
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
SEC Consult Vulnerability Lab
SEC Consult
Vienna - Bangkok - Frankfurt/Main - Montreal - Singapore - Vilnius - Zurich
Headquarter:
Mooslackengasse 17, 1190 Vienna, Austria
Phone: +43 1 8903043 0
Fax: +43 1 8903043 15
Mail: research at sec-consult dot com
Web: www.sec-consult.com
Blog: blog.sec-consult.com
Twitter: twitter.com/sec_consult
EOF A. Antukh / @2014