[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Full-disclosure] Authenex A-Key/ASAS Web Management Control 3.1.0.2 (latest) - Time-based SQL Injection
- To: "full-disclosure@xxxxxxxxxxxxxxxxx" <full-disclosure@xxxxxxxxxxxxxxxxx>, "submit@xxxxxxxxxx" <submit@xxxxxxxxxx>, "bugtraq@xxxxxxxxxxxxxxxxx" <bugtraq@xxxxxxxxxxxxxxxxx>
- Subject: [Full-disclosure] Authenex A-Key/ASAS Web Management Control 3.1.0.2 (latest) - Time-based SQL Injection
- From: Jose Carlos de Arriba <jcarriba@xxxxxxxxxxxxxxxxxxxxxx>
- Date: Wed, 21 Sep 2011 12:38:13 -0500
============================================================
FOREGROUND SECURITY, SECURITY ADVISORY 2011-002
- Original release date: September 21, 2011
- Discovered by: Jose Carlos de Arriba - Senior Security Analyst at Foreground
Security
- Contact: (jcarriba (at) foregroundsecurity (dot) com, dade (at) painsec (dot)
com)
- Severity: 9.7/10 (Base CVSS Score)
============================================================
I. VULNERABILITY
-------------------------
Authenex A-Key/ASAS Web Management Control 3.1.0.2 (latest) - Time-based SQL
Injection.
II. BACKGROUND
-------------------------
Authenex provides enterprises and enterprise IT managers and staff with a wide
range of products that help keep both their networks and data secure. Authenex
solutions enable users to securely and efficiently access network assets and
personal, sensitive data anytime, anywhere. The Authenex suite of applications
can be leveraged by a variety of USB and non-USB tokens.
III. DESCRIPTION
-------------------------
The Authenex Web Management Control allows users of Authenex A-Key (OTP Tokens
for 2-factor authentication) and ASAS products to manage their OTP tokens and
change user information (credentials, activate tokens, etc).
The Authenex Strong Authentication System (ASAS®) is a network security
application that provides strong (two-factor) authentication for LAN, remote,
VPN and web access. The ASASR System helps keep your networks secure by
requiring your users to use their A-Key™ tokens to authenticate via One-Time
Password (OTP) whenever they want remote or LAN access to networks, web sites,
portals, OWA servers, etc. The ASASR System utilizes an authentication server
and database, as well as the A-Key™ token as the basis for the most secure,
easy to use, simple to administer and cost-effective two-factor authentication
solution available today.
The A-Key™ 4800 tokens are USB tokens that enable users to store data in
encrypted memory (4 or 8 gigabytes) and safely take that data wherever they go.
All data on an A-Key™ token is safe from unauthorized use and from theft. The
A-Key™ token is password-protected and all data is encrypted. Also, the token
has brute force penetration protection: if someone tries to log in to the token
and fails a predefined number of times, the token will self-erase. This feature
resides at the hardware level and cannot be altered.
IV. PROOF OF CONCEPT
-------------------------
http://authenexportal/akeyActivationLogin.do
POST DATA: rgstcode=1111111111111111&username=a'; WAITFOR DELAY '0:0:30'--
V. BUSINESS IMPACT
-------------------------
An attacker would be able access the Authenex database, dump all the OTP
tokens, users information including credentials, etc.
Also, depending upon the database configuration the attacker would be able to
access other databases or get a shell on the system.
VI. SYSTEMS AFFECTED
----------------------
Authenex Web Management Console 3.1.0.2, (latest version available according to
the vendor).
Authenex ASAS 3.1.0.2
Authenex ASAS 3.1.0.3 (latest version available).
Prior versions and other products using the Web Management Console for A-key
Tokens may be affected.
VII. SOLUTION
-------------------------
- Apply the security patches available at http://support.authenex.com/
VIII. REFERENCES
-------------------------
http://www.authenex.com/
http://www.foregroundsecurity.com/
http://www.painsec.com
Authenex customers can download the Security Bulletins and patches related to
this vulnerabilty at http://support.authenex.com/
IX. CREDITS
-------------------------
This vulnerability has been discovered by Jose Carlos de Arriba (jcarriba (at)
foregroundsecurity (dot) com, dade (at) painsec (dot) com).
X. REVISION HISTORY
-------------------------
- September 21, 2011: Initial release.
XI. DISCLOSURE TIMELINE
-------------------------
July 26, 2011: Vulnerability discovered by Jose Carlos de Arriba.
September 7, 2011: Vendor contacted by phone.
September 7, 2011: Security advisory sent to vendor providing the vulnerability
details.
September 9, 2011: Vendor contacted us to notify the availability of a patch
and to request as to check it.
September 9, 2011: Vulnerability fix checked and fixed.
September 16, 2011: Security Update released by vendor.
September 21, 2011: Security advisory released.
XII. LEGAL NOTICES
-------------------------
The information contained within this advisory is supplied "as-is" with no
warranties or guarantees of fitness of use or otherwise.
Jose Carlos de Arriba, CISSP
Senior Security Analyst
Foreground Security
www.foregroundsecurity.com
jcarriba (at) foregroundsecurity (dot.) com
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/