====================================================
Security Research Advisory

Vulnerability name: Entuity EotS CGI Information Disclosure
Advisory number: LC-2008-09
Advisory URL: http://www.ikkisoft.com
====================================================

1) Affected Software

* Entuity EotS 5.1 (EYE core version=5.1.2P39)

Note: Other versions may also be affected.

====================================================

2) Severity

Severity: Medium
Local/Remote: Remote

====================================================

3) Summary

Eye of the Storm (EYE) is a network management software suite composed of several modules and components (web-based frontend, Java Web Start standalone client, network services and others).

From the vendor's website:

"Eye of the Storm (EYE) is a network management suite that combines performance, fault and inventory management through a single user interface. EYE provides service providers, systems integrators, network specialists, planners, application owners and business managers with the information they need to manage complex and dynamic networks."

The "EotS Web Console" is prone to an information disclosure vulnerability due to an improper authorization mechanism, which permits retrieval of the complete system configuration as well as the backend credentials in plain text.

====================================================

4) Vulnerability Details

Due to a flaw in the authorization mechanism, it is possible to retrieve sensitive information using a simple HTTP request. Even though the application does not permit access to HTML pages and other resources without authentication, it is still possible to invoke and execute some CGI programs.

An unauthenticated user may directly invoke the "/EOS/cgi/printSysConfig" CGI program and obtain the complete system configuration, application configuration, paths, Java runtime options, environment variables, as well as the clear-text credentials of the MySQL backend used by the application to store all data.
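As an added example (not part of the original advisory), the following Python script shows how a defender can check Apache access logs for the exposure described above: it flags HTTP 200 responses for the CGI programs this advisory names when they come from hosts outside an allowlist of expected clients. The allowlist, the log lines and the per-path access tiers are constructed for this example; the log format is Apache "combined", and the `%u` field only carries HTTP basic-auth users, so application-level sessions are not visible there.

```python
"""Detection helper for the EotS CGI exposure described in this advisory.

Scans Apache access-log lines (combined format) for requests to the CGI
programs named in the advisory and reports those answered with HTTP 200
from hosts that are not on an allowlist of expected clients (management
workstations running the Java Web Start client, the EYE server itself).
The allowlist and the sample log lines are constructed for this example.
"""
import re
from typing import Dict, Iterable, List, Optional, Set

# CGI paths named in the advisory, mapped to the access level that was
# sufficient to reach them. "none" means reachable without authentication.
SENSITIVE_CGI: Dict[str, str] = {
    "/EOS/cgi/printSysConfig": "none",      # full config incl. MySQL credentials
    "/EOS/cgi/menuBar": "none",
    "/EOS/cgi/licenseStat": "low-privilege",
    "/EOS/cgi/nph-dev-view": "low-privilege",
    "/EOS/cgi/nph-checkeots": "low-privilege",
    "/EOS/cgi/hostFindWrap": "low-privilege",
}

# Apache "combined" LogFormat:
#   %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-agent}i"
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
    r'(?: "(?P<referer>[^"]*)" "(?P<agent>[^"]*)")?'
)


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Parse one combined-format line; return None for lines that do not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def find_exposures(lines: Iterable[str], allowed_hosts: Set[str]) -> List[Dict[str, str]]:
    """Return successful requests to sensitive CGIs from non-allowlisted hosts."""
    findings: List[Dict[str, str]] = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        path = rec["path"].split("?", 1)[0]     # ignore any query string
        tier = SENSITIVE_CGI.get(path)
        if tier is None or rec["status"] != "200":
            continue                            # not a sensitive CGI, or not served
        if rec["host"] in allowed_hosts:
            continue                            # expected client (Java client, localhost)
        findings.append({
            "host": rec["host"],
            "path": path,
            "time": rec["time"],
            "required_auth": tier,
        })
    return findings


# Constructed sample log: two hits from an unexpected host, one from the
# allowlisted Java client, one unrelated page, one denied request.
SAMPLE_LOG = [
    '10.0.0.5 - - [15/Dec/2008:10:01:12 +0100] "GET /EOS/cgi/printSysConfig HTTP/1.1" 200 4821 "-" "Mozilla/5.0"',
    '10.0.0.5 - - [15/Dec/2008:10:01:20 +0100] "GET /EOS/cgi/nph-dev-view HTTP/1.1" 200 912 "-" "Mozilla/5.0"',
    '192.168.1.20 - - [15/Dec/2008:10:02:01 +0100] "GET /EOS/cgi/printSysConfig HTTP/1.1" 200 4821 "-" "Java/1.6.0_07"',
    '10.0.0.5 - - [15/Dec/2008:10:03:45 +0100] "GET /EOS/index.html HTTP/1.1" 302 - "-" "Mozilla/5.0"',
    '10.0.0.9 - - [15/Dec/2008:10:04:00 +0100] "GET /EOS/cgi/licenseStat?x=1 HTTP/1.1" 403 - "-" "curl/7.19"',
]
ALLOWED_HOSTS = {"192.168.1.20", "127.0.0.1"}   # constructed: Java client workstation, server itself

if __name__ == "__main__":
    for f in find_exposures(SAMPLE_LOG, ALLOWED_HOSTS):
        print(f"{f['time']} {f['host']} -> {f['path']} (auth required: {f['required_auth']})")
```

Because the web server log does not show whether a request carried a valid application session, the allowlist stands in for that: any successful call to these CGIs from a host that is not a known Java Web Start client or the server itself is worth investigating, and a hit on printSysConfig in particular should be treated as a likely disclosure of the MySQL root credentials.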
This specific CGI, available in the webroot, was discovered while analyzing the connection handshake of the standalone Java client.

In order to show the range of the exposed information, we provide several examples:

[..]
dbdir=C:\\Entuity\\database\\data
activeuser=Administrator
database.eosdb=HOST=127.0.0.1;UID=root;PWD=;db=EOSdb;PORT=3306
reporting.xsltcommand=C:\\Entuity\\install\\JRE\\bin\\java -Xmx500000000 -cp C:\\Entuity\\lib\\xml\\;C:\\Entuity\\lib\\xml\\xalan\\xalan.jar; C:\\Entuity\\lib\\xml\\xalan\\xml-apis.jar; C:\\Entuity\\lib\\xml\\xalan\\xercesImpl.jar nice org.apache.xalan.xslt.Process 1 -INCREMENTAL
env.server_software=Apache/2.2.2 (Win32)
backup.bin=C:\\Entuity\\database\\bin\\
backup.export=C:\\Entuity\\database\\bin\\mysqldump -u root -h 127.0.0.1 -P 3306 -q -f -l --add-drop-table
entuity_config=C:\\Entuity\\etc\\entuity.cfg
[..]

In addition, other CGI programs are accessible as well.

As an unauthenticated user:

"/EOS/cgi/menuBar" - menu bar used by the web application itself

As a low-privilege user:

"/EOS/cgi/licenseStat" - software license status
"/EOS/cgi/nph-dev-view" - list of monitored hosts
"/EOS/cgi/nph-checkeots" - status information, versions
"/EOS/cgi/hostFindWrap" - search form for the monitored hosts database

====================================================

5) Exploit

Attackers may exploit this finding through a common browser.

====================================================

6) Fix Information

Since the "printSysConfig" CGI seems to be used by the Java Web Start application to retrieve the configuration properties, this resource cannot be removed. It is likely that a vendor fix is strictly necessary to resolve this issue.

====================================================

7) Time Table

15/12/2008 - Vendor notified.
15/12/2008 - Vendor response.
??/??/???? - Vendor patch release.
??/??/???? - Public disclosure.
====================================================

8) Credits

Discovered by Luca Carettoni - luca.carettoni[at]ikkisoft[dot]com

====================================================

9) Legal Notices

The information in the advisory is believed to be accurate at the time of publishing based on currently available information. This information is provided as-is, as a free service to the community. There are no warranties with regard to this information. The author does not accept any liability for any direct, indirect, or consequential loss or damage arising from use of, or reliance on, this information.

Permission is hereby granted for the redistribution of this alert, provided that the content is not altered in any way, except reformatting, and that due credit is given.

This vulnerability has been disclosed in accordance with the RFP Full-Disclosure Policy v2.0, available at: http://www.wiretrip.net/rfp/policy.html

====================================================