Multiple critical vulnerabilities in Vizensoft Admin Panel

SEC Consult Vulnerability Lab Security Advisory < 20141029-0 >

=======================================================================

title: Multiple critical vulnerabilities

product: Vizensoft Admin Panel

vulnerable version: 2014

fixed version: -

impact: critical

homepage: www.vizensoft.com

found: 2014-07-10

by: A. Antukh, A. Baranov

SEC Consult Vulnerability Lab

www.sec-consult.com

=======================================================================

 

Vendor & product description:

=============================

Vizensoft is a major software vendor in Korea whose products are aimed in

particular at medical organizations.

 

A list of companies and organizations which use their software is available

on the official websites:

www.vizensoft.com/portfolio/index.jsp

www.vizenmedical.com/portfolio/index.jsp

 

"Vizensoft are doing business with online marketing professional IT companies

and individuals in need of a rapidly changing competitive world to discerning

corporate customer's success by providing capabilities of a high quality

Marketing Technology"

(translated from Korean)

 

Source: vizensoft.com/about/index.jsp

 

 

Business recommendation:

========================

Attackers are able to completely compromise any web application built on

Vizensoft CMS: without prior authentication they can gain access at system and

database level and manage the website as an administrator!

 

It is highly recommended by SEC Consult not to use this software until a

thorough security review has been performed by security professionals and all

identified issues have been resolved.

 

It is assumed that further critical vulnerabilities exist.

 

 

Vulnerability overview/description:

===================================

1) Admin Backdoor Account

-------------------------

The MySQL database table "admin" contains a "vizensoft" admin user with user

id 1 with administrative access rights. This user account does NOT show up within

the "User administration" menu when logged in to the web interface with an

administrator account. Hence its password cannot be changed there.

 

 

2) Authentication Bypass

------------------------

Unauthenticated attackers are able to gain full access to the administrator panel

and thus have total control over the web application, including content change,

reading e-mails, modifying users and abusing e-mail and SMS functionality.

 

 

3) Arbitrary File Upload

------------------------

At least two vulnerable pages exist where unauthenticated attackers are able

to upload arbitrary files on the server. Furthermore, due to insufficient

validation it is possible to bypass file extension checks and execute uploaded

files which leads directly to a complete server compromise.

 

 

4) Multiple Cross Site Scripting issues

---------------------------------------

Vizensoft CMS suffers from multiple cross-site scripting vulnerabilities,

which allow an attacker to steal other users' sessions, to impersonate other

users and to gain unauthorized access to the web interface and user messages.

 

 

5) Multiple unauthenticated SQL injection issues

------------------------------------------------

The web application framework suffers from multiple SQL injection vulnerabilities

that can be exploited without prior authentication!

 

By exploiting these issues, an attacker gains access to all records

stored in the database with the privileges of the database user.

 

 

6) Source Code Disclosure

-------------------------

The default installation of Vizensoft CMS opens a large spectrum for information

gathering for the attacker. It is possible to disclose source code of the

application, configuration files and even steal passwords for direct connection

to the database.

 

 

7) Missing Password Policy

--------------------------

The CMS does not enforce any password complexity requirements, so users can

choose weak passwords and their accounts are exposed to further attacks such

as password guessing and brute-forcing.

 

 

Proof of concept:

=================

The proof of concept information has been removed from this advisory as the

vendor failed to respond within 50 work days and does not provide a fix.

 

1) Admin Backdoor Account

-------------------------

The MySQL SHA-1 password hash of the hidden admin user "vizensoft" is:

[removed]

 

The user does not show up within the admin web interface even when logged in

as an administrator. Moreover, a backdoor login page was intentionally left in

the product; through it the password can be disclosed, which makes every system

built on Vizensoft CMS vulnerable.

The backdoor page is located at the following link:

[removed]

 

Credentials for authentication are the following:

vizensoft:[removed]

 

Detailed proof of concept exploits have been removed for this vulnerability.

 

 

2) Authentication Bypass

------------------------

The login form of the Vizensoft CMS administration panel can be accessed at

the following URL:

[removed]

 

If an attacker tries to access the admin panel without valid authentication,

a confirmation window is shown that asks the user to proceed to the login form.

This confirmation window can be bypassed, after which the attacker has full

access to the admin panel.

 

Detailed proof of concept exploits have been removed for this vulnerability.

 

 

3) Arbitrary File Upload

------------------------

The following script can be accessed by an unauthenticated attacker in order

to upload arbitrary files to the [removed] directory:

[removed]

 

The underlying problem is that the filename extension checks are performed only

on the client side and not on the server, so an attacker can trivially

circumvent them and upload any file anyway.

 

Moreover, the photo uploader shipped with a default installation of Vizensoft

CMS is vulnerable as well: its checks can be bypassed to upload any file to the

server, which can later be executed to gain full access to the system.

The HTML page used to upload images is located at the following URL:

[removed]

 

Detailed proof of concept exploits have been removed for this vulnerability.
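The extension check described above can only be done safely on the server. The following Python function is an added example written for this page, not code from the Vizensoft product or from the advisory's removed proof of concept; the accepted image types, the size limit and the JSP-style bypass names it rejects are assumptions chosen to illustrate the point.

```python
"""Added example, not code from the Vizensoft product or the advisory:
server-side validation for an image upload endpoint.

A JavaScript extension check in the browser is advisory only; an attacker
posts the multipart request directly, so the server has to decide. This
version decides from (1) an allowlist on the single, final extension,
(2) rejection of names that smuggle a second extension, a null byte or a
path separator, (3) the file's magic bytes, and (4) a server-chosen random
storage name, so the client never controls the path or the extension that
the container would interpret.
"""
import os
import secrets

# Accepted extensions and the magic-byte prefixes each one must start with.
# The set itself is an assumption for this example (image uploader).
ALLOWED = {
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "gif": (b"GIF87a", b"GIF89a"),
}
MAX_BYTES = 5 * 1024 * 1024          # assumed size limit
FORBIDDEN_CHARS = "\x00;%\"'<>:"      # null byte, ';' tricks, encoded bytes, quoting


class UploadRejected(ValueError):
    """Raised for any upload the server must not store."""


def validate_upload(filename: str, content: bytes) -> str:
    """Return the canonical extension for an acceptable upload, else raise.

    Rejected bypasses of a client-only check include 'shell.jsp',
    'shell.jsp.jpg' (double extension), 'shell.jsp\\x00.jpg' (null byte),
    'shell.jsp;.jpg' and '../../shell.jpg' (traversal in the name).
    """
    if not content or len(content) > MAX_BYTES:
        raise UploadRejected("empty or oversized file")
    # Any directory component means the client is trying to pick the path.
    if os.path.basename(filename.replace("\\", "/")) != filename or filename in ("", ".", ".."):
        raise UploadRejected("path separators in filename")
    if any(ch in filename for ch in FORBIDDEN_CHARS):
        raise UploadRejected("forbidden character in filename")
    parts = filename.lower().split(".")
    if len(parts) != 2 or not parts[0]:
        raise UploadRejected("exactly one extension required")
    ext = parts[1]
    if ext not in ALLOWED:
        raise UploadRejected(f"extension '{ext}' not allowed")
    # Declared type must match the bytes; a JSP payload named photo.jpg fails here.
    if not content.startswith(ALLOWED[ext]):
        raise UploadRejected("content does not match declared type")
    return "jpg" if ext == "jpeg" else ext


def is_accepted(filename: str, content: bytes) -> bool:
    """Boolean wrapper for callers that only need an accept/reject verdict."""
    try:
        validate_upload(filename, content)
    except UploadRejected:
        return False
    return True


def store_upload(filename: str, content: bytes, upload_dir: str) -> str:
    """Validate, then write under a random server-chosen name and return its path.

    upload_dir is assumed to live outside the servlet container's web root
    (or be served with script execution disabled): even a polyglot that is a
    valid JPEG and also contains JSP code must never be interpretable.
    """
    ext = validate_upload(filename, content)
    path = os.path.join(upload_dir, f"{secrets.token_hex(16)}.{ext}")
    with open(path, "wb") as fh:
        fh.write(content)
    return path
```

The magic-byte check catches a raw script renamed to an image, but not a polyglot that is both a valid JPEG and JSP source; that is why the random storage name and a non-executable upload directory are part of the same fix rather than optional extras.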

 

 

4) Multiple Cross Site Scripting issues

---------------------------------------

The following URLs are examples for reflected XSS (list is not complete):

[removed]

 

It is assumed that further scripts are vulnerable to XSS!

Detailed proof of concept exploits have been removed for this vulnerability.

 

 

5) Multiple unauthenticated SQL injection issues

------------------------------------------------

The following sample request (no authentication needed!) returns the concatenated

string AABB in the error message, which proves that the injected SQL is evaluated

by the database.

[removed]

 

Further exploitation allows an attacker to extract usernames and password hashes

from the 'admin' table. Since all passwords are hashed with MySQL's SHA-1 function

without a salt and no password policy is enforced, the extracted hashes are easy

to brute-force with standard tools.
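To show why unsalted MySQL SHA-1 hashes combined with a missing password policy are so weak, the following Python script (an added example, not part of the advisory) reimplements MySQL's SHA1() and PASSWORD() hash formats and runs a dictionary attack over a constructed set of 'admin' rows. The usernames, passwords and wordlist are made up for the example; the real hashes from the advisory are redacted and not reproduced.

```python
"""Added example, not part of the advisory: dictionary attack against the
two unsalted SHA-1 based password hashes MySQL produces.

  SHA1(pw)      -> 40 lowercase hex characters
  PASSWORD(pw)  -> '*' + 40 uppercase hex characters of SHA1(SHA1(pw))

Without a salt, every account that chose the same password shares the same
hash, and one digest per candidate word tests every dumped row at once.
"""
import hashlib
from typing import Dict, Iterable, List, Optional


def mysql_sha1(password: str) -> str:
    """Same output as MySQL's SHA1() function on a UTF-8 string."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def mysql_password(password: str) -> str:
    """Same output as MySQL's PASSWORD() (mysql_native_password) function."""
    inner = hashlib.sha1(password.encode("utf-8")).digest()
    return "*" + hashlib.sha1(inner).hexdigest().upper()


def crack(rows: Dict[str, str], wordlist: Iterable[str]) -> Dict[str, Optional[str]]:
    """Return {username: recovered_password_or_None} for a dumped admin table.

    Targets are indexed by normalised hash, so the cost is one SHA1 and one
    double-SHA1 per wordlist entry regardless of how many accounts were
    dumped; a per-user salt is exactly what would break this sharing.
    """
    by_hash: Dict[str, List[str]] = {}
    for user, h in rows.items():
        key = h.upper() if h.startswith("*") else h.lower()
        by_hash.setdefault(key, []).append(user)

    recovered: Dict[str, Optional[str]] = {user: None for user in rows}
    for candidate in wordlist:
        candidate = candidate.rstrip("\r\n")
        for digest in (mysql_sha1(candidate), mysql_password(candidate)):
            for user in by_hash.get(digest, []):
                if recovered[user] is None:
                    recovered[user] = candidate
        if all(v is not None for v in recovered.values()):
            break
    return recovered


# Constructed stand-in for a dumped 'admin' table; the real usernames and
# hashes from the advisory are redacted and are not reproduced here.
SAMPLE_ADMIN_TABLE = {
    "webmaster": mysql_sha1("admin1234"),            # weak, SHA1() format
    "editor": mysql_password("summer2014"),          # weak, PASSWORD() format
    "auditor": mysql_sha1("Kx9#vL2!qW8$mN4z"),       # strong, should survive
}

# Constructed mini wordlist; a real attack uses a large dictionary plus rules.
SAMPLE_WORDLIST = ["123456", "password", "admin", "admin1234", "qwerty", "summer2014"]

if __name__ == "__main__":
    for user, pw in crack(SAMPLE_ADMIN_TABLE, SAMPLE_WORDLIST).items():
        print(f"{user}: {pw if pw else '<not recovered>'}")
```

The same routine works unchanged against either hash column the product might use, which is the practical reading of "MySQL SHA-1 without a salt": the format leaks which function was used, and neither one slows an offline attacker down.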

 

Further affected scripts and parameters (list not complete):

[removed]

 

It is assumed that further SQL injection vulnerabilities exist!

Detailed proof of concept exploits have been removed for this vulnerability.

 

 

6) Source code disclosure

-------------------------

The following script can be used to retrieve the content of any file in the web

root directory:

[removed]

 

For example, the following files (both configuration files and default application

scripts) can be retrieved via this script:

[removed]

 

This is extremely dangerous, since some of them contain the configuration of the

SQL server, including the connection string, username and cleartext password.

Further files with hard-coded credentials can be obtained as well; for example,

[removed] contains hard-coded passwords for external services.

 

Detailed proof of concept exploits have been removed for this vulnerability.
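A download script that maps a client-supplied name onto the web root without confinement is what enables this disclosure. The following Python code is an added example (not from the advisory or the vendor) showing the checks such a script needs; the directory layout and file names it builds are constructed assumptions standing in for a JSP web root.

```python
"""Added example, not code from the advisory or the vendor: confining a
file-download script to a public directory.

The disclosure in the CMS amounts to serving open(web_root + requested) for
any requested name. This version (1) rejects control bytes and absolute
paths, (2) canonicalises both sides with resolve() so '..' segments and
symlinks are expanded before the containment test, (3) requires the result
to stay below the public root, and (4) as defense in depth refuses
configuration and source artefacts by directory and extension even when
they sit inside the public tree.
"""
import os
import tempfile
from pathlib import Path

# Assumed denylists for a JSP container layout.
FORBIDDEN_DIRS = {"web-inf", "meta-inf"}
FORBIDDEN_SUFFIXES = {".jsp", ".jspx", ".xml", ".properties", ".class",
                      ".jar", ".inc", ".bak", ".old", ".orig"}


class AccessDenied(PermissionError):
    """Raised for anything that must not be served."""


def resolve_download(public_root: str, requested: str) -> Path:
    """Map a client-supplied name onto a regular file strictly inside public_root."""
    if not requested.strip() or "\x00" in requested:
        raise AccessDenied("bad filename")
    if os.path.isabs(requested) or requested.startswith(("/", "\\")):
        raise AccessDenied("absolute path")
    root = Path(public_root).resolve()
    target = (root / requested).resolve()
    try:
        relative = target.relative_to(root)   # raises if target escaped the root
    except ValueError:
        raise AccessDenied("path escapes public root") from None
    if any(part.lower() in FORBIDDEN_DIRS for part in relative.parts):
        raise AccessDenied("protected directory")
    if target.suffix.lower() in FORBIDDEN_SUFFIXES:
        raise AccessDenied("protected file type")
    if not target.is_file():
        raise AccessDenied("not a regular file")
    return target


def read_download(public_root: str, requested: str) -> bytes:
    """Read the file if resolve_download allows it."""
    return resolve_download(public_root, requested).read_bytes()


def is_readable(public_root: str, requested: str) -> bool:
    """Accept/deny verdict without the exception."""
    try:
        resolve_download(public_root, requested)
    except AccessDenied:
        return False
    return True


def build_demo_web_root() -> str:
    """Create a constructed JSP-style web root in a temp dir; returns its path.

    File names and contents are invented for this example; the real files the
    advisory refers to are redacted.
    """
    root = Path(tempfile.mkdtemp(prefix="cms_demo_"))
    (root / "WEB-INF").mkdir()
    (root / "download").mkdir()
    (root / "WEB-INF" / "web.xml").write_text("<web-app/>")
    (root / "db.properties").write_text("db.user=app\ndb.password=cleartext-secret\n")
    (root / "index.jsp").write_text('<% out.println("hi"); %>')
    (root / "download" / "brochure.txt").write_text("public brochure")
    (root / "download" / "leak.jsp").write_text("<% /* must not be served */ %>")
    return str(root)


if __name__ == "__main__":
    web_root = build_demo_web_root()
    public = os.path.join(web_root, "download")
    for name in ["brochure.txt", "../db.properties", "../WEB-INF/web.xml",
                 "../index.jsp", "leak.jsp", "/etc/passwd"]:
        print(f"{name!r}: {'served' if is_readable(public, name) else 'denied'}")
```

The containment test is done on the resolved path, not on the raw string, so encoded or doubled separators and symlinks are judged by where they actually land; the extension and directory denylists then stop the case where a source file was dropped into the public directory by mistake.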

 

 

7) Missing Password Policy

--------------------------

No proof of concept necessary.

 

 

Vulnerable / tested versions:

=============================

 

The vulnerabilities have been verified to exist in the latest version of

Vizensoft Admin Panel 2014. It is assumed previous releases are affected too.

 

 

Vendor contact timeline:

------------------------

2014-09-09: Contacted vendor through vizensoft@vizensoft.com, requesting encryption

keys and attaching responsible disclosure policy. No response.

2014-09-12: Contacted vendor through service@vizensoft.com, question@vizensoft.com,

info@vizensoft.com and support@vizensoft.com, requesting encryption

keys and attaching responsible disclosure policy. No response.

2014-10-20: Reminder sent to the vendor, stating 2014-10-29 as the latest possible release date.

2014-10-29: SEC Consult releases security advisory.

 

 

Solution:

---------

It is recommended to suspend use of the product until a security update has been

released and a detailed security review of the product has been performed.

 

 

Workaround:

-----------

No workaround available.

 

 

Advisory URL:

-------------

www.sec-consult.com/en/Vulnerability-Lab/Advisories.htm

 

 

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

SEC Consult Vulnerability Lab

 

SEC Consult

Vienna - Bangkok - Frankfurt/Main - Montreal - Singapore - Vilnius - Zurich

 

Headquarter:

Mooslackengasse 17, 1190 Vienna, Austria

Phone: +43 1 8903043 0

Fax: +43 1 8903043 15

 

Mail: research at sec-consult dot com

Web: www.sec-consult.com

Blog: blog.sec-consult.com

Twitter: twitter.com/sec_consult

 

EOF A. Antukh / @2014