====================================================
Security Research Advisory

Vulnerability name: Entuity EotS Multiple Input Validation Vulnerabilities
Advisory number: LC-2008-08
Advisory URL: http://www.ikkisoft.com
====================================================

1) Affected Software

* Entuity EotS 5.1 (EYE core version=5.1.2P39)

Note: Other versions may also be affected.

====================================================

2) Severity

Severity: Medium
Local/Remote: Remote

====================================================

3) Summary

Eye of the Storm (EYE) is network management software composed of several modules and components (web-based frontend, Java Web Start standalone client, network services and others).

From the vendor's website:
"Eye of the Storm (EYE) is a network management suite that combines performance, fault and inventory management through a single user interface. EYE provides service providers, systems integrators, network specialists, planners, application owners and business managers with the information they need to manage complex and dynamic networks."

The "EotS Web Console" is prone to several input validation vulnerabilities, ranging from XSS and arbitrary URL redirection to client-side code execution.

====================================================

4) Vulnerability Details

Due to a lack of input validation in the web frontend, the "EotS Web Console" is vulnerable to multiple input validation attacks.

(a) Cross Site Scripting

Several reflected and DOM-based XSS issues are present. Please refer to http://en.wikipedia.org/wiki/Cross-site_scripting for additional references regarding this kind of vulnerability.

Example 1:
http:///webUI/wrapper.do?url=

Example 2:
POST /EOS/cgi/nph-devmod-action HTTP/1.1
{...}
SelectDeviceName=&changeField=%3Balert%28123%29%3B%2F%2F&radio1=device&Submit+to+CGI=Submit

Example 3:
http:///EOS/cgi/nph-portreport?query=ReportTitle=

(b) Arbitrary URL Redirection

http:///webUI/wrapper.do?url=

If a user is tricked into following a malicious link, an attacker may force an arbitrary URL redirection to a third-party website. This issue may be abused in order to set up phishing traps.

(c) Client Side Code Execution

The "Eye of the Storm" system provides a flexible application based on Java Web Start technology. The application enables its users to start the Entuity software directly from the Internet using a common web browser.

The "http:///EOS/cgi/EYELauncher" CGI program generates personalized JNLP files. Java Web Start uses them to invoke a standalone Java application with the proper parameters and configuration. An attacker may abuse this online CGI by generating malicious JNLP files containing arbitrary commands. Since the CGI does not apply any kind of input filtering, it is possible to pollute the content of the parameters.

These arbitrary commands are included within the JNLP file (EYELauncher.jnlp) and then passed to "com.entuity.eos.client.startup.EYELauncher.main(String args[])" by the Java Web Start framework on the client side. In particular circumstances, the application may invoke the "executeEYEClient(String, String, String, String, String)" method, which can be used to reach a vulnerable "com.entuity.util.BrowserLauncher.openURL(String)" method that executes a "Runtime.getRuntime().exec()" call.

The execution of the vulnerable method is triggered by an exception while the "com.entuity.eos.client.startup.EYELauncher.main(String args[])" method runs "com.entuity.eos.client.startup.EYEMain.main(String args[])". EYELauncher handles the exception by requesting a new JNLP file from the server through the insecure "openURL" call.

No reliable way to trigger this exception was identified, so the exploitability of this finding is likely low.

To test the vulnerability locally, the following code can be used:

<--- cut here --->
import com.entuity.eos.client.startup.EYELauncher;

public class EOTS_poc1 {
    public static void main(String[] args) {
        // Arguments as they would arrive from a polluted EYELauncher.jnlp:
        // the --httpProtocol value is what eventually reaches openURL().
        String[] arguments = {
            "--user=aaa",
            "--host=aaa",
            "--httpProtocol=file:///C:\\WINNT\\system32\\cmd.exe?"
        };
        EYELauncher.main(arguments);
    }
}
<--- cut here --->

====================================================

5) Exploit

Proof-of-concepts are provided as well:

(a) http:///webUI/wrapper.do?url=/%27;alert(123);//
(b) http:///webUI/wrapper.do?url=www.google.com
(c) http:///EOS/cgi/EYELauncher?--user=aaa;--host=aaa;--httpProtocol=file:///C:\\WINNT\\system32\\cmd.exe?

====================================================

6) Fix Information

It is likely that a vendor fix is necessary to resolve all issues.

====================================================

7) Time Table

15/12/2008 - Vendor notified.
15/12/2008 - Vendor response.
??/??/???? - Vendor patch release.
??/??/???? - Public disclosure.

====================================================

8) Credits

Discovered by Luca Carettoni - luca.carettoni[at]ikkisoft[dot]com

====================================================

9) Legal Notices

The information in the advisory is believed to be accurate at the time of publishing based on currently available information. This information is provided as-is, as a free service to the community. There are no warranties with regard to this information. The author does not accept any liability for any direct, indirect, or consequential loss or damage arising from use of, or reliance on, this information.

Permission is hereby granted for the redistribution of this alert, provided that the content is not altered in any way, except reformatting, and that due credit is given.

This vulnerability has been disclosed in accordance with the RFP Full-Disclosure Policy v2.0, available at:
http://www.wiretrip.net/rfp/policy.html
====================================================
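Server-side allow-list validation for the parameters discussed in section 4, written in Python as an added example for this advisory (it is not Entuity's code and no vendor fix is known): the wrapper.do "url" check rejects both the reflected-XSS and redirect payloads from section 5, and the EYELauncher argument check keeps non-web schemes out of the generated JNLP. It assumes that a legitimate --httpProtocol value is a bare scheme name (http or https) and that user and host are simple tokens.

```python
import re
from typing import Optional
from urllib.parse import urlsplit

# Allow-list patterns: anything outside them is rejected, never "cleaned".
_SAFE_PATH = re.compile(r"^/[A-Za-z0-9._~/%-]*(\?[A-Za-z0-9._~%&=-]*)?$")
_SAFE_TOKEN = re.compile(r"^[A-Za-z0-9._-]{1,64}$")
_ALLOWED_PROTOCOLS = {"http", "https"}  # assumed legitimate --httpProtocol values


def validate_wrapper_url(url: str) -> Optional[str]:
    """Validate the wrapper.do 'url' parameter (issues (a) and (b)).

    Only a local absolute path is accepted: no scheme, no authority part
    ("//host"), and no quote or script characters that could break out of
    the JavaScript/HTML context the value is reflected into.
    """
    parts = urlsplit(url)
    if parts.scheme or parts.netloc:  # rejects http://evil and //evil
        return None
    if not _SAFE_PATH.match(url):     # rejects ' ; < > and a missing leading /
        return None
    return url


def validate_launcher_args(query: str) -> Optional[dict]:
    """Validate EYELauncher CGI arguments (issue (c)) before a JNLP is built.

    The CGI takes ';'-separated '--name=value' tokens. Every value must match
    an allow-list and --httpProtocol may only be a web scheme, so file:// or
    any other launcher string never reaches EYELauncher.jnlp.
    """
    args = {}
    for token in filter(None, query.split(";")):
        if not token.startswith("--") or "=" not in token:
            return None
        name, value = token[2:].split("=", 1)
        args[name] = value
    if set(args) != {"user", "host", "httpProtocol"}:
        return None
    if args["httpProtocol"] not in _ALLOWED_PROTOCOLS:
        return None
    if not (_SAFE_TOKEN.match(args["user"]) and _SAFE_TOKEN.match(args["host"])):
        return None
    return args
```

Rejected input should be answered with an error rather than echoed back, since reflecting the rejected value would reintroduce issue (a).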