[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Full-disclosure] Dell PacketTrap PSA 7.1 - Multiple Persistent Vulnerabilities

To: full-disclosure@xxxxxxxxxxxxxxxxx
Subject: [Full-disclosure] Dell PacketTrap PSA 7.1 - Multiple Persistent Vulnerabilities
From: Vulnerability Lab <research@xxxxxxxxxxxxxxxxxxxxx>
Date: Thu, 18 Jul 2013 03:56:27 +0100
Title:
======
Dell PacketTrap PSA 7.1 - Multiple Persistent Vulnerabilities


Date:
=====
2013-07-18


References:
===========
http://www.vulnerability-lab.com/get_content.php?id=790


VL-ID:
=====
790


Common Vulnerability Scoring System:
====================================
5.6


Introduction:
=============
Purpose built for IT professionals and other service businesses. Streamline the 
management of projects, clients, staff, assets, and billing. 
Software should be intuitive and easy-to-use, not complicated and confusing. 
That`s why packetTrap has created an easy to use yet powerful 
interface that even your techs enjoy using. Whether you are using spreadsheets 
and sticky notes or clunky software, companies like yours 
will surely benefit from the significant time savings and a dramatic increase 
in profitability. With packetTrap PSA, you now have an 
integrated solution that delivers an end-to-end business management solution 
with real advantages over other options. Service Request Tracking 
- Team Scheduling - Customer and Contact Management - Customer Portal - Mobile 
Friendly - QuickBooks Integration Equipment Tracking Contract 
Management - Email Dropbox - SSL Security.

(Copy of the Vendor Homepage: http://www.packettrap.com/ )


Abstract:
=========
The Vulnerability Laboratory Research Team discovered multiple persistent web 
vulnerabilities in the DELL packetTrap PSA v7.1 web application.


Report-Timeline:
================
2013-01-24:     Researcher Notification & Coordination (Ibrahim Mosaad El-Sayed)
2013-02-06:     Vendor Notification (Dell Security Team)
2013-02-08:     Vendor Response/Feedback (Dell Security Team)
2013-**-**:     Vendor Fix/Patch (Developer Team)
2013-07-18:     Public Disclosure (Vulnerability Laboratory)


Status:
========
Published


Affected Products:
==================
DELL
Product: PacketTrap PSA 7.1


Exploitation-Technique:
=======================
Remote


Severity:
=========
High


Details:
========
Multiple persistent input validation vulnerabilities are detected in the DELL 
packetTrap PSA v7.1 web application.
The bug allows remote attackers to implement/inject own malicious script code 
on the application side of the system (persistent).
Exploitation of persistent issues mostly requires a low privilege application 
user account and an user interaction click or input.

The 1st persistent web vulnerability is located in the contracts module when 
processing to request a via POST method manipulated 
txtContractName parameter. The vulnerability allows remote attackers to inject 
own malicious script code with persistent vector 
in a vulnerable value which is also in use by the contract module when 
processing to display (list) the context (output). 
The result is the persistent execution of script code in the contract overview 
listing. 

The 2nd persistent web vulnerability is located in the Equipment Item module 
when processing to request a via POST method manipulated 
lblPurchaseInfo parameter. The vulnerability allows remote attackers to inject 
own malicious script code with persistent vector 
in a vulnerable value which is also in use by the Equipment Item module when 
processing to display (list) the context (output). 
The result is the persistent execution of script code in the Equipment Item 
listing. 

The 3rd persistent web vulnerability is located in the Import Customer 
Equipment Records module when processing to request a via 
POST method manipulated gridItem parameter. The vulnerability allows remote 
attackers to inject own malicious script code with 
persistent vector in a vulnerable value which is also in use by the Import 
Customer Equipment Records module when processing to 
display (list) the context (output). The result is the persistent execution of 
script code in the Import Customer Equipment Records listing. 

The 4th part of the persistent web vulnerabilities are located in the Labor 
Rate module when processing to request via POST method 
manipulated lblItemNo, lblDescription, lblAccountName & lblNotes parameters. 
The vulnerabilities allow remote attackers to inject 
own malicious script code with persistent vector in a vulnerable value which is 
also in use by the Labor Rate module when processing to 
display (list) the context (output). The result is the persistent execution of 
script code in the Labor Rate listing. 

The 5th part of the persistent web vulnerabilities are located in the Materials 
Item module when processing to request via POST method 
manipulated lblMfrName, lblMfrItemNo, lblMfrDescription, lblAccountName & 
lblNotes parameters. The vulnerabilities allow remote attackers 
to inject own malicious script code with persistent vector in a vulnerable 
value which is also in use by the Materials Item module when 
processing to display (list) the context (output). The result is the persistent 
execution of script code in the Materials Item listing. 

The 6th part of the persistent web vulnerabilities are located in the New 
customer module when processing to request via POST method 
manipulated lblPrimaryContact & lblPrimaryLocation parameters. The 
vulnerabilities allow remote attackers to inject own malicious script code 
with persistent vector in a vulnerable value which is also in use by the New 
customer module when processing to display (list) the context (output). 
The result is the persistent execution of script code in the New customer 
listing. 

The 7th persistent web vulnerability is located in the  Report module when 
processing to request a via POST method manipulated 
lblPageTitle parameter. The vulnerability allows remote attackers to inject own 
malicious script code with persistent vector 
in a vulnerable value which is also in use by the Report module when processing 
to display (list) the context (output). 
The result is the persistent execution of script code in the  Report overview 
listing.

Exploitation of the vulnerability requires a low privilege web-application user 
account and low or medium user interaction.
Successful exploitation of the vulnerability results in session hijacking 
(manager/admin) with persistent vector, persistent phishing, 
persistent external redirects to malware, exploits or scripts and persistent 
manipulation of module context.


Vulnerable Module(s):
                                [+] Contract - PacketTrap PSA
                                [+] Equipment Item - PacketTrap PSA
                                [+] Import Customer Equipment Records - 
PacketTrap PSA
                                [+] Labor Rate - PacketTrap PSA
                                [+] Materials Item - PacketTrap PSA
                                [+] New customer - PacketTrap PSA
                                [+] Report x ApplicationName - PacketTrap PSA

Vulnerable Parameter(s):
                                [+] txtContractName
                                [+] lblPurchaseInfo
                                [+] gridItem
                                [+] lblItemNo, lblDescription, lblAccountName & 
lblNotes
                                [+] lblMfrName, lblMfrItemNo, 
lblMfrDescription, lblAccountName & lblNotes
                                [+] lblPrimaryContact & lblPrimaryLocation
                                [+] lblPageTitle

Affected Section(s):
                                [+]  Contract Overview & Edit - Listing
                                [+]  Equipment Item Overview & Edit - Listing
                                [+]  Import Customer Equipment Records Overview 
- Listing
                                [+]  Labor Rate Details - Listing
                                [+]  Materials Item Overview - Listing
                                [+]  New customer Account Details - Listing
                                [+]  Report - Listing


Proof of Concept:
=================
The persistent script code inject vulnerabilities can be exploited by low 
privileged group user accounts with low required user interaction.
For demonstration or reproduce ...


Review: Contract Overview & Edit - Listing

<div class="objectHead">
<h1>Contract: <span id="lblPageTitle">"><[PERSISTENT INJECTED SCRIPT 
CODE!]></span></h1>
<h2><a 
href="https://vl.packettrappsa.com/customers/customer.aspx?customerId=33628564";><span
 id="lblCustomerName">Sample Customer</span></a></h2>
</div>

... &

<td style="width:130px;" class="formLabel">Contract Name:</td>
<td style="width:auto;">
<span id="txtContractName">"><[PERSISTENT INJECTED SCRIPT CODE!]></span>
</td>
</tr>


Review: Equipment Item Overview & Edit - Listing

<td class="formLabel">
Purchase Info.:
</td>
<td>
<span id="lblPurchaseInfo">Purchased on Dec 11, 2012 from "><[PERSISTENT 
INJECTED SCRIPT CODE!]></span>
</td>
</tr>


Review: Import Customer Equipment Records Overview - Listing

</tr><tr class="gridItem" valign="top">
<td><!--?php</td-->
</td></tr><tr class="gridItem" valign="top">
<td>phpinfo();</td> O_O
</tr><tr class="gridItem" valign="top">
<td>?></td>
</tr><tr class="gridItem" valign="top">
<td>><[PERSISTENT INJECTED SCRIPT CODE!](</td">
</tr>
</table>


Review: Labor Rate Details - Listing

<td class="formLabel">
Name/No.:</td>
<td>
<span id="lblItemNo">"><[PERSISTENT INJECTED SCRIPT CODE!]></span>
</td>
</tr>
<tr>
<td class="formLabel">Description:</td>
<td>
<span id="lblDescription">"><[PERSISTENT INJECTED SCRIPT CODE!]></span></td>
</tr>

... &

<td class="formLabel">Account Name:</td>
<td>
<span id="lblAccountName">"><[PERSISTENT INJECTED SCRIPT CODE!]></span></td>
</tr>


Review: Materials Item Overview - Listing

<span id="lblItemNo">"><[PERSISTENT INJECTED SCRIPT CODE!]">
</td>
</tr>
<tr>
<td class="formLabel">
Description:</td>
<td>
<span id="lblDescription">"><[PERSISTENT INJECTED SCRIPT CODE!]></span></td>
</tr>

... &

<table border="0" cellpadding="4" cellspacing="0" width="100%">
<tbody><tr>
<td colspan="2">
<hr></td>
</tr>
<tr>
<td style="width:130px;" class="formLabel">Manufacturer:</td>
<td style="width:auto;">
<span id="lblMfrName">"><[PERSISTENT INJECTED SCRIPT CODE!]></span></td>
</tr>
<tr><td class="formLabel">Mfr. Item No.:</td>
<td>
<span id="lblMfrItemNo">"><[PERSISTENT INJECTED SCRIPT CODE!]></span></td>
</tr>
<tr><td class="formLabel">Mfr. Item Desc.:</td>
<td>
<span id="lblMfrDescription">"><[PERSISTENT INJECTED SCRIPT CODE!]></span></td>
</tr>


... &


<tr><td class="formLabel">Account Name:</td>
<td>
<span id="lblAccountName">"><[PERSISTENT INJECTED SCRIPT CODE!]></span></td>
</tr>
<tr>
<td colspan="2">
<hr></td>
</tr>
<tr>
<td class="formLabel">Id:</td>
<td>
<span id="lblItemId">33583304</span></td>
</tr>
<tr>
<td class="formLabel">Created:</td>
<td>
<span id="lblCreated">by the storm on Dec 9, 2012 at 5:11 PM</span></td>
</tr>
<tr>
<td colspan="2">
<hr></td>
</tr>
<tr>
<td class="formLabel">Notes:</td>
<td>
<span id="lblNotes">"><[PERSISTENT INJECTED SCRIPT CODE!]></span></td>
</tr>



Review: New customer Account Details - Listing

<tbody><tr>
<td style="width: 130px;">
<strong>Primary Contact:</strong>
</td>
<td style="width: auto;">
<span id="lblPrimaryContact"><a 
href="https://vl.packettrappsa.com/customers/contact.aspx?customerId=33628565&;
contactId=33637457">"><iframe src=http://www. "><iframe src=http://www.</a>, () 
-, 
<a href="mailto:";><[PERSISTENT INJECTED SCRIPT CODE!]>">"><[PERSISTENT INJECTED 
SCRIPT CODE!]></a></span>
</td>
</tr>
<tr>
<td>
<strong>Primary Location:</strong>
</td>
<td>
<span id="lblPrimaryLocation"><a 
href="https://vl.packettrappsa.com/customers/location.aspx?customerId=33628565&;
locationID=33649992">"><[PERSISTENT INJECTED SCRIPT CODE!]</a>, "><[PERSISTENT 
INJECTED SCRIPT CODE!]> 
(<a 
href="https://vl.packettrappsa.com/tools/getMap.aspx?customerLocationId=33649992";
 class="map-link">Get Map</a>)</span>
</td>
</tr>
</tbody>


Review: Report - Listing

<div class="ReportHeader">
<h1><span id="lblPageTitle">"><[PERSISTENT INJECTED SCRIPT CODE!]></span></h1>
</div>
    
<div class="ReportBody">
<input name="TempSortCol" id="TempSortCol" type="hidden">
<input name="TempSortOrder" id="TempSortOrder" type="hidden">

<div id="ReportParameters" class="ReportParameters2">
<div id="StandardFilters_ReportParameters">

<div class="ParameterGroupHead">
<span class="ui-corner-tr">Time Frame</span>
</div>


Risk:
=====
The security risk of the persistent input validation vulnerabilities are 
estimated as high(-).


Credits:
========
Vulnerability Laboratory [Research Team] - Ibrahim El-Sayed (the_storm) 
[ibrahim@xxxxxxxxxxxxxxxxx]
Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri 
[bkm@xxxxxxxxxxxxxxxxx]


Disclaimer:
===========
The information provided in this advisory is provided as it is without any 
warranty. Vulnerability Lab disclaims all warranties, 
either expressed or implied, including the warranties of merchantability and 
capability for a particular purpose. Vulnerability-
Lab or its suppliers are not liable in any case of damage, including direct, 
indirect, incidental, consequential loss of business 
profits or special damages, even if Vulnerability-Lab or its suppliers have 
been advised of the possibility of such damages. Some 
states do not allow the exclusion or limitation of liability for consequential 
or incidental damages so the foregoing limitation 
may not apply. We do not approve or encourage anybody to break any vendor 
licenses, policies, deface websites, hack into databases 
or trade with fraud/stolen material.

Domains:    www.vulnerability-lab.com           - www.vuln-lab.com              
               - www.evolution-sec.com
Contact:    admin@xxxxxxxxxxxxxxxxxxxxx         - 
research@xxxxxxxxxxxxxxxxxxxxx               - admin@xxxxxxxxxxxxxxxxx
Section:    www.vulnerability-lab.com/dev       - forum.vulnerability-db.com    
               - magazine.vulnerability-db.com
Social:     twitter.com/#!/vuln_lab             - facebook.com/VulnerabilityLab 
               - youtube.com/user/vulnerability0lab
Feeds:      vulnerability-lab.com/rss/rss.php   - 
vulnerability-lab.com/rss/rss_upcoming.php   - 
vulnerability-lab.com/rss/rss_news.php

Any modified copy or reproduction, including partially usages, of this file 
requires authorization from Vulnerability Laboratory. 
Permission to electronically redistribute this alert in its unmodified form is 
granted. All other rights, including the use of other 
media, are reserved by Vulnerability-Lab Research Team or its suppliers. All 
pictures, texts, advisories, source code, videos and 
other information on this website is trademark of vulnerability-lab team & the 
specific authors or managers. To record, list (feed), 
modify, use or edit our material contact (admin@xxxxxxxxxxxxxxxxxxxxx or 
research@xxxxxxxxxxxxxxxxxxxxx) to get a permission.

                                Copyright © 2013 | Vulnerability Laboratory 
[Evolution Security]



-- 
VULNERABILITY LABORATORY RESEARCH TEAM
DOMAIN: www.vulnerability-lab.com
CONTACT: research@xxxxxxxxxxxxxxxxxxxxx


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Prev by Date: [Full-disclosure] Dell PacketTrap MSP RMM 6.6.x - Multiple Persistent Web Vulnerabilities
Next by Date: [Full-disclosure] [SE-2012-01] New Reflection API affected by a known 10+ years old attack
Previous by thread: [Full-disclosure] Dell PacketTrap MSP RMM 6.6.x - Multiple Persistent Web Vulnerabilities
Next by thread: [Full-disclosure] [SE-2012-01] New Reflection API affected by a known 10+ years old attack
Index(es):
- Date
- Thread