[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [Full-disclosure] ServersCheck Monitoring Software v8.8.x - Multiple Web Vulnerabilities
- To: full-disclosure@xxxxxxxxxxxxxxxxx
- Subject: Re: [Full-disclosure] ServersCheck Monitoring Software v8.8.x - Multiple Web Vulnerabilities
- From: "research@xxxxxxxxxxxxxxxxxxxxx" <research@xxxxxxxxxxxxxxxxxxxxx>
- Date: Tue, 27 Sep 2011 11:54:35 +0200
Hello,
after a vendor notification we fixed some content inside of the advisory
because of some mistakes.
Updates:
[+] Appliance is not affected only the software
[+] The verified bug versions are now included
[+] Text update
[+] Severity
Title:
======
ServersCheck Monitoring 8.8.10 - Multiple Web Vulnerabilities
Date:
=====
2011-09-27
References:
===========
http://www.vulnerability-lab.com/get_content.php?id=93
VL-ID:
=====
93
Introduction:
=============
ServersCheck is a Belgian based and privately owned technology company founded
in 2003.
It is most known in the Network Administrator community for its software
program monitoring the availability and performance of
servers and other networked devices. Next to this it also offers environmental
sensors; providing monitoring from both the inside
and the outside.
ServersCheck Monitoring ist, ein Werkzeug zum Überwachen, Melden und Warnen der
Netzwerk- und Systemverfügbarkeit,
das auf Windowsrechnern läuft. Zusätzlich zur Überwachung von normalen
Netzwerkgeräten kann dieses Programm auch die
Umgebung der Geräte auf Temperatur, Luftfeuchtigkeit, Überschwemmung,
überwachen. ServersCheck Software läuft als
lokaler Dienst und wird über ein Browserbasierendes Interface administriert.
Zusätzliche Funktionen enthalten Warnmeldungen
und stellen Statistiken von langlaufenden Aufzeichnungen grafisch dar.
Appliance:
Die ServersCheck Monitoring Appliance ist eine komplette Browser und SMS
basierte Lösung um Serverräume zu überwachen.
Dieses kleine, leistungsfähige, kostengünstige Gerät kann bis zu 250 Einheiten
beaufsichtigen.
Es ist klein: Es paßt auf Ihre Handfläche.
(Copy of the Vendor Homepage: http://www.serverscheck.com/ &
http://www.serverscheck.de/monitoring-appliance/)
Abstract:
=========
Vulnerability-Lab Team discovered multiple Vulnerabilities on ServersCheck
Monitoring Software v8.8.10 & v8.8.6.
Report-Timeline:
================
2011-09-27: Public or Non-Public Disclosure
Status:
========
Published
Affected Products:
==================
ServersCheck Monitoring Software v8.8.10 & v8.8.6
Exploitation-Technique:
=======================
Remote
Severity:
=========
Medium(+)
Details:
========
1.1
Multiple persistent input validation vulnerabilities are detected on
application-side of Serverscheck.
The remote vulnerability allows local low privileged user accounts or remote
attackers to manipulate specific sections, areas or
content requests via Java or HTML script code injection.
Vulnerable Module(s): (Persistent)
[*] New Team / Team List
[*] New User / User List
[*] Windows Account Edits /
Windowsbenutzer Berechtigungsnachweis
[*] Rules Size Add
[*] MSN Accounts Rules & copied
Functions
[*] ServersCheck
Protokolldateibetrachter: scan.txt
[*] SNMP Trapkonfiguration
[*] Axis Camera - Add & Configuration
[*] Neue Überwachungsregel /
Observation Rules
[*] User Diagram / Add
[*] ODBC Protocol
[*] SMS TEST SCRIPT
Picture(s):
../2.png
../3.png
1.2
Multiple non-persistent input validation vulnerabilities are detected on
application-side of Serverscheck.
The vulnerability allows an attacker to hijack customer/admin sessions.
Successful exploitation requires high user inter action.
Vulnerable Module(s):
[*] Downtime
[*] Linenumber
[*] ID
[*] Checks2def (Footer/Header)
[*] Timeline
[*] Definere Einstellungen zur
Dienstanmeldung
[*] Device Graphs
[*] View Graphs
[*] Rules History
Picture(s):
../1.png
1.3
A cross site request forgery vulnerability is detected on the Dienstanmeldung
formular.
Attackers can force a logon via cross site request forgery attack.
Vulnerable Module(s):
[*] Einstellungen zur Dienstanmeldung
1.4
Attackers can create own masks to send mass notifcations on a vendor phone
number without any restrictions by the application itself.
Vulnerable Module(s):
[*] SMS- & Pager
(http://localhost:1272/smstest.html? &2 :)
Proof of Concept:
=================
The different vulnerabilities can be exploited by local low privileged user
accounts, software users or remote attackers.
For demonstration or reproduce ...
1.1
Code Review: Input Validation Vulnerabilities (Persistent)
http://localhost:1272/userslist.html?
<table border="0" cellpadding="0" cellspacing="0" class="tabdata" width='98%'>
<tr bgcolor="#ff9900">
<td width=90%><b>Benutzername</b></td>
<td align=center><b>Zugriffsrechte</b></td>
<td align=center><b>Löschen</b></td></tr>
<tr bgcolor='#ffef95'><td style='padding-left:3px;padding-right:3px;'><a
href='/usersettingsedit.html?username=
>"<INSERT SCRIPTCODE HERE!>&'>>"<INSERT OWN PERSISTENT SCRIPTCODE
>HERE!!!></a></td>
<td align=center><a href="/usersettingsedit.html?username=>"<INSERT OWN
PERSISTENT SCRIPTCODE HERE!!!>">
<img src="/output/images/security.gif" border=0></a></td>
<td align=center><a href='' onclick="return deleteit('0');"><img
src='/output/images/delete.gif?' border=0></a></td>
</tr><tr ><td style='padding-left:3px;padding-right:3px;'><a
href='/usersettingsedit.html
?username=>"<iframe src=http://test.de>&'>>"<INSERT OWN PERSISTENT SCRIPTCODE
HERE!!!></a></td>
<td align=center><a href="/usersettingsedit.html?username=>"<INSERT OWN
PERSISTENT SCRIPTCODE HERE!!!>">
<img src="/output/images/security.gif" border=0></a></td>
<td align=center><a href='' onclick="return deleteit('1');"><img
src='/output/images/delete.gif?' border=0></a></td>
</tr></table><br><form action=usersadd.html method=post><td><input type=hidden
name=add value=yes>
<input type=submit value="NEUEN BENUTZER HINZUFüGEN" ></form>
http://localhost:1272/downtime.html
<body bgcolor="white" leftmargin=0 topmargin=0 rightmargin=0 marginwidth=0>
<div style='padding-left:5px;padding-top:5px;'><font color=black
style="font-size: 16px;"><strong>
Downtime Bericht >"<INSERT OWN PERSISTENT SCRIPTCODE HERE!!!> (1171011122)
</strong></font>
<hr align="left" width="97%" size="1" color="#ff9900" noshade
style="padding-top:0px; filter:progid:DXImageTransform.Microsoft.
Gradient(startColorStr='#ffcc00', endColorStr='white', gradientType='1')">
<br><div id="overDiv" style="position:absolute; visibility:hidden;
z-index:1000;"></div>
http://localhost:1272/windowsaccountslist.html
<table border="0" cellpadding="0" cellspacing="0" class="tabdata">
<tr bgcolor="#ff9900">
<td><b>Benutzername</b></td>
<td align=center><b>Löschen</b></td>
</tr>
<tr bgcolor='#ffef95'><td style='padding-left:3px;padding-right:3px;'><a
href='/windowsaccountsedit.html?id=
1269018355&'>>"<INSERT OWN PERSISTENT SCRIPTCODE HERE!!!></a></td>
<td align=center><a href='' onclick="return deleteit('1269018355');"><img
src='/output/images/delete.gif?' border=0></a></td>
</tr></table><br>
<form action=windowsaccountsedit.html method=post><td><input type=hidden
name=add value=yes>
<input type=submit value="NEUEN BENUTZER HINZUFüGEN" ></form>
http://localhost:1272/msnsettings.html
<div id="overDiv" style="position:absolute; visibility:hidden;
z-index:1000;"></div>
<script langauge="JavaScript" src="/output/js/overlib.js?"></script>
<div style='padding-left:5px;padding-top:5px;'><font color=black
style="font-size: 16px;"><strong>
Konfiguriere MSN Warnung
</strong></font>
<hr align="left" width="97%" size="1" color="#ff9900" noshade
style="padding-top:0px; filter:progid:DXImageTransform.Microsoft.Gradient
(startColorStr='#ffcc00', endColorStr='white', gradientType='1')">
<br>Sie müssen ein MSN Konto festlegen, von dem das MSN basierten Warnungen
geschickt werden.<br>
<script language="JavaScript">
alert('Einstellungen gespeichert');
</script><div id='stylized' class='settingsform'>
<form method=post action=msnsettings.html name=msn>
<input type=hidden name=setting value='MSN'>
<label>MSN Konto Name</label><input type=text name=account size=30
value=">"<INSERT OWN PERSISTENT SCRIPTCODE HERE!!!>"><br>
<label>MSN Konto Passwort</label><input type=password name=password size=10
value=">"<INSERT OWN PERSISTENT SCRIPTCODE HERE!!!>"<br>
<br><br><input type=submit class='buttonok' value="EINSTELLUNGEN SPEICHERN"
></form></div>
<br><br></table><br><br> </td></tr></table>
http://localhost:1272/enterprisesettings2.html
<form method=post action=enterprisesettings2.html>
<input type=hidden name=setting value='SNMPTRAP'>
<input type=hidden name=stop value=''>
<label>IP, an die die Traps gesendet werden</label><input type=text
name=newsetting0 size=30 value="127.0.0.1" >
<a onmouseover="return overlib('Geben Sie eine IP Adresse oder einen
Domänennamen ein, an welche die Traps gesendet
werden', LEFT);" onmouseout="return nd();"><img src="/output/images/info.gif?"
border=0 alt='Info'></a><br>
<label>Port</label><input type=text name=newsetting1 size=30 value=">"<INSERT
OWN PERSISTENT SCRIPTCODE HERE!!!><br>
<label>Der Community String.</label><input type=text name=newsetting2 size=30
value="" ><br>
<br><br><input type=hidden value="127.0.0.1<X>>"<INSERT OWN PERSISTENT
SCRIPTCODE HERE!!!>" name=previoussetting><input type=hidden value=""
name=check><input type=submit class='buttonok' value="EINSTELLUNGEN SPEICHERN"
> <input type=button
value="SENDUNG VON SNMP TRAPS BEENDEN" class='buttonnok'
Onclick="this.form.stop.value=1; this.form.submit();"></form></div>
<br><br></table><br><br> </td></tr></table>
http://localhost:1272/settings.html?setting=LOGGING&;
<label>Datenbank Vorlagen</label><select name=odbctemplate
onchange="javascript:changetemplate();">
<option value="">Wähle eine Datenbank Vorlage</option>
<option value="Driver={Oracle ODBC
Driver};Dbq=myDBName;Uid=myUsername;Pwd=myPassword">Oracle ODBC Driver</option>
<option value="Driver={Microsoft ODBC for
Oracle};Server=OracleServer.world;Uid=myUsername;Pwd=myPassword">Microsoft
Oracle ODBC Driver</option>
<option value="Driver={INFORMIX 3.30 32
BIT};Host=hostname;Server=myserver;Service=service-name;Protocol=olsoctcp;Database=mydb;UID=username;PWD=myPwd
">Informix 3.30 ODBC Driver</option>
<option value="Driver={Pervasive ODBC Client
Interface};ServerName=srvname;dbq=">Pervasive ODBC Driver</option>
<option value="Driver={SQL Server}; Server=(local); Database=myDBName; UID=sa;
PWD=;">MS SQL ODBC Driver</option>
<option value="Driver={SQL Server Native Client 10.0}; Server=enter_IP_here;
Database=enter_db_name_here; UID=enter_account_name_here;
PWD=enter_password_here;">MS SQL 2008</option>
<option value="Driver={Microsoft Access Driver (*.mdb)}; DBQ=C:myDBName.mdb">MS
Access ODBC Driver</option>
<option value="Driver={Microsoft Excel Driver (*.xls)};DBQ=physical path to
.xls file; DriverID=278;">MS Excel ODBC Driver</option>
<option value="Driver={Microsoft Text Driver (*.txt;*.csv)};DefaultDir=physical
path to .txt file;">Text ODBC Driver</option>
<option value="DRIVER={MySQL ODBC 3.51
Driver};SERVER=;DATABASE=;USER=;Password=">mySQL ODBC 3.51</option>
</select><br><label>ODBC Verbindungsstring</label><input type=text
name=newsetting0 size=50 value=">"<INSERT SCRIPTCODE HERE!>" ><br><br>
<label>Speichere Werte in der Datenbank</label><input type=checkbox
name=newsetting1 value="true" > Ja<br><br><br>
<input type=hidden value=">"<INSERT OWN PERSISTENT SCRIPTCODE
HERE!!!><X><X><X><X>" name=previoussetting><input
type=hidden value="ODBC" name=check>
<input type=submit value="EINSTELLUNGEN SPEICHERN" class='buttonok'>
<input type=button class='buttonnok' value="DATABANKERFASSUNG BEENDEN"
Onclick="this.form.stop.value=1; this.form.submit();"></form>
</div><br><br></table><br><br> </td></tr></table>
<label>ODBC Verbindungsstring</label><input type=text name=newsetting0 size=50
value=">"<iframe src=http://vulnerability-lab.com width=600 height=600>"
><br><br><label>Speichere Werte in der Datenbank</label><input type=checkbox
>name=newsetting1 value="true" > Ja<br><br><br>
<input type=hidden value=">"<INSERT OWN PERSISTENT SCRIPTCODE
HERE!!!><X><X><X><X>" name=previoussetting><input type=hidden value="ODBC"
name=check>
<input type=submit value="EINSTELLUNGEN SPEICHERN" class='buttonok'>
<input type=button class='buttonnok' value="DATABANKERFASSUNG BEENDEN"
Onclick="this.form.stop.value=1; this.form.submit();"></form>
</div>
References:
http://localhost:1272/userslist.html?
http://localhost:1272/teamslist.html?
http://localhost:1272/windowsaccountsedit.html
http://localhost:1272/bulkedit.html?
http://localhost:1272/msnsettings.html
http://localhost:1272/enterprisesettings2.html
http://localhost:1272/settings.html?setting=LOGGING&;
1.2
Code Review: Input Validation Vulnerabilities (Non Persistent)
http://localhost:1272/checks2def.html
<form action=checks3other.html method=post name=checksdef onSubmit='return
checkrequired(this)'>
<input type=hidden name=linenumber value=">"<NON-PERSITENT SCRIPTCODE
HERE!>"><input type=hidden name=type value="">
<input type=hidden name=addcheck value=""><input type=hidden name=editsettings
value="1">
<input type=hidden name=uidrule value="1171011122">
<input type=hidden name=id value="1171011122">
<input type=hidden name=required_label value="1171011122">
<input type=hidden name=devicegraphs value=""><tr>
<td>Überwachungregel Bezeichnung</td><td><input type=text size=35
name=namevisible value="WINDOWSHEALTH" style='width:250px;'></td><td>
</td></tr><tr><td>Geräte-Name</td><td>
http://localhost:1272/check2alerts.html
<form method=post action=checks2alerts.html name=alerts target="main"><td>
<td><input type=hidden value=""
name=linenumber><input type=hidden value="" name=check> <input type=button
value='FEHLER MELDUNGEN' alt="/checks2alerts.html?
linenumber=&check=&type=down&KeepThis=true&TB_iframe=true&height=400&width=850"
title='Bearbeite Alarme für den FEHLER
– Status' class='thickbox buttonalertsdown'></td></form>
<form method=post action="" name=alerts target="main" ><td> </td><td><input
class='buttonnok' type=submit value="
REGEL LöSCHEN" onclick="return deleteit('>"<NON-PERSITENT SCRIPTCODE
HERE!','');" onmouseover="return overlib('Durch klicken auf dieses Icon können
Sie die Überwachungsregel löschen. Diese Operation kann nicht rückgängig
gemacht werden.', LEFT);" onmouseout="return nd();"></td></form>
</tr></table></div><br><br>
http://localhost:1272/viewalerts.html
<div style='padding-left:5px;padding-top:5px;'><font color=black
style="font-size: 16px;"><strong>
Regel Historie >"<NON-PERSITENT SCRIPTCODE HERE!> (<a
href="/viewfile.html?file=\checkslogs\1171011122.log">1171011122</a>)
</strong></font><hr align="left" width="97%" size="1" color="#ff9900" noshade
style="padding-top:0px; filter:
progid:DXImageTransform.Microsoft.Gradient(startColorStr='#ffcc00',
endColorStr='white', gradientType='1')">
<br>
http://localhost:1272/downtime.html
<body bgcolor="white" leftmargin=0 topmargin=0 rightmargin=0 marginwidth=0>
<div style='padding-left:5px;padding-top:5px;'><font color=black
style="font-size: 16px;"><strong>
Downtime Bericht >"<NON-PERSITENT SCRIPTCODE HERE!> (1171011122)
</strong></font>
<hr align="left" width="97%" size="1" color="#ff9900" noshade
style="padding-top:0px; filter:progid:DXImageTransform.Microsoft.
Gradient(startColorStr='#ffcc00', endColorStr='white', gradientType='1')">
<br><div id="overDiv" style="position:absolute; visibility:hidden;
z-index:1000;"></div>
Non Persistent References:
http://localhost:1272/checks2def.html?id=
http://localhost:1272/checks2def.html?id=1171011122&linenumber=6&check=
http://localhost:1272/checks2def.html?id=1171011122&linenumber=
http://localhost:1272/downtime.html?label=
http://localhost:1272/downtime.html?label=1171011122&keyz=1171011122WINDOWSHEALTH&labelvisible=
http://localhost:1272/timeline/timeline.html?xml=
http://localhost:1272/devicegraphs.html?device=
http://localhost:1272/viewgraphs.html?label=
http://localhost:1272/viewalerts.html?label=1171011122&labelvisible=
1.3
Code Review: Cross Site Request Forgery (Force|Non Persistent)
<body bgcolor="white" leftmargin=0 topmargin=0 rightmargin=0 marginwidth=0>
<div
style="padding-left:5px;padding-right:5px;padding-top:10px;padding-bottom:10px;width:90%">
<img src="/output/images/generalsettings.jpg" border="0" align="left">
<div style='padding-left:5px;padding-top:5px;'><font color=black
style="font-size: 16px;"><strong>
Definere Einstellungen zur Dienstanmeldung.
</strong></font>
<hr align="left" width="97%" size="1" color="#ff9900" noshade
style="padding-top:0px; filter:progid:DXImageTransform.Microsoft.Gradient
(startColorStr='#ffcc00', endColorStr='white', gradientType='1')"> <br>
ServersCheck läuft als ein Dienst auf diesem Computer. Standardmäßig laufen
alle Dienste von Windows unter dem lokalen Systemkonto.
Ein Dienst hat Zugang auf die Maschine, wo er gerade läuft, aber es ist ihm ein
Remotezugriff andere Computer untersagt. Für Windows
basierende Checks (Plattenspeicherplatz, Speicher, CPU...), muss der
ServersCheck Monitoring-Dienst unter einem Windows Admin-Konto laufen.<br><br>
Setze hier die Domäne oder den System-Admin Benutzernamen mit Passwort. Zum
Auslassen dieser Option bitte leer lassen.<br><br>
<form action=popup_service2.html method=post name=service setting><table
cellpadding=5><tr><td>
Administrator Benutzername</td><td align=right>
<input type=text size=20 name=user></td></tr><tr><td>
Administrator Passwort</td><td align=right>
<input type=password size=20 name=pass></td></tr></table>
<br><br><input type=submit class='buttonok' value=">> AKTUALISIERUNG" > <input
type=button class='buttonnok'
value="SKIP" Onclick="window.location='/popup1.html';">
</form></div></div><br><br>
http://localhost:1272/viewlogfile2.html?file=scan.txt&;
<body bgcolor="white" leftmargin=0 topmargin=0 rightmargin=0 marginwidth=0>
<div style='padding-left:5px;padding-top:5px;'><font color=black
style="font-size: 16px;"><strong>
ServersCheck Protokolldateibetrachter: scan.txt
</strong></font>
<hr align="left" width="97%" size="1" color="#ff9900" noshade
style="padding-top:0px;
filter:progid:DXImageTransform.Microsoft.Gradient(startColorStr='#ffcc00',
endColorStr='white', gradientType='1')"><br>
<a href="/emptyfile.html?file=logging\scan.txt&">Leere Datei</a>
<a href="/emptyfile.html?file=logging\scan.txt&delete=true&">Löschen
Protokolldatei</a>
<hr noshade width=100%><ul><font color=black>
# Fri Mar 19 17:37:52 2010 Scanning ><iframe src=http://vulnerability-lab.com
width=600 height=600>..: Ping Failed
<br></font></ul></div><br><br> </BODY></HTML>
or ...
<HTML>
<HEAD>
<TITLE>ServersCheck 21 Day Evaluation Edition - version 8.0.8</TITLE>
<META http-equiv=content-type content="text/html">
<LINK HREF="/output/css/serverscheck.css" rel="stylesheet" type="text/css">
<LINK HREF="/output/css/thickbox.css" rel="stylesheet" type="text/css"
media="screen" />
<script type="text/javascript" src="/output/js/jquery.js"></script>
<script type="text/javascript" src="/output/js/thickbox.js"></script>
<META HTTP-EQUIV="Pragma" CONTENT="no-cache">
</HEAD><!-- DE -->
<body bgcolor="white" leftmargin=0 topmargin=0 rightmargin=0 marginwidth=0>
<div style='padding-left:5px;padding-top:5px;'><font color=black
style="font-size: 16px;"><strong>
ServersCheck Protokolldateien</strong></font>
<hr align="left" width="97%" size="1" color="#ff9900" noshade
style="padding-top:0px; filter:progid:DXImageTransform.Microsoft.
Gradient(startColorStr='#ffcc00', endColorStr='white', gradientType='1')"><br>
Um die Protokolldatei anzusehen, klicken Sie auf den Hyperlink, um sie zu
öffnen.<br><ul>
<li><a
href="/viewlogfile2.html?file=graphs-errors.log&">graphs-errors.log</a></li>
<li><a
href="/viewlogfile2.html?file=monitoring_manager_2010-3-19.log&">monitoring_manager_2010-3-19.log</a></li>
<li><a
href="/viewlogfile2.html?file=statuschange_2010-3-19.log&">statuschange_2010-3-19.log</a></li>
<li><a href="/viewlogfile2.html?file=watcher.log&">watcher.log</a></li>
</ul></div><br><br> </BODY></HTML>
Risk:
=====
1.1 - The security risk of the persistent vulnerabilities are estimated as
medium(+).
1.2 - The security risk of the non-persistent vulnerabilities are estimated as
low(+).
1.3 - The security risk of the cross site request forgery attack is estimated
as low(+).
1.4 - The security risk of the sms misconfiguration/bug is estimated as low(+).
Credits:
========
Vulnerability Research Laboratory - Benjamin Kunz Mejri (Rem0ve)
Disclaimer:
===========
The information provided in this advisory is provided as it is without any
warranty. Vulnerability-Lab disclaims all warranties,
either expressed or implied, including the warranties of merchantability and
capability for a particular purpose. Vulnerability-
Lab or its suppliers are not liable in any case of damage, including direct,
indirect, incidental, consequential loss of business
profits or special damages, even if Vulnerability-Lab or its suppliers have
been advised of the possibility of such damages. Some
states do not allow the exclusion or limitation of liability for consequential
or incidental damages so the foregoing limitation
may not apply. Any modified copy or reproduction, including partially usages,
of this file requires authorization from Vulnerability-
Lab. Permission to electronically redistribute this alert in its unmodified
form is granted. All other rights, including the use of
other media, are reserved by Vulnerability-Lab or its suppliers.
Copyright ©
2011|Vulnerability-Lab
--
Website: www.vulnerability-lab.com ; vuln-lab.com or vuln-db.com
Contact: admin@xxxxxxxxxxxxxxxxxxxxx or support@xxxxxxxxxxxxxxxxxxxxx
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/