[NT] Intellisol XPede Exposes Passwords
From: support@securiteam.com Date: 03/23/02
From: support@securiteam.com To: list@securiteam.com Date: Sat, 23 Mar 2002 17:38:01 +0100 (CET)
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
Intellisol XPede Exposes Passwords
------------------------------------------------------------------------
SUMMARY
<http://www.workforceroi.com/solutions/pa/index.shtml> Intellisol XPede
is a browser-based time and expense entry and project cost management
module designed to connect a remote workforce on a real-time basis.
Intellisol Project Accounting is designed for any professional service
organization such as consulting, software development, law, architecture,
engineering, PR/advertising and more with between 10 and 500 million
dollars in revenue and up to 500 employees, and integrates with Microsoft
Great Plains Business Solutions financial suites. Two security
vulnerabilities have been discovered in the way XPede handles users'
passwords.
DETAILS
Vulnerable systems:
XPede version 4.1
XPede version 7.x series
Vulnerability #1:
XPede's cookies store the user's password "ciphered" in a very weak manner
(a mix of shifts and permutations); recovering the clear text password
from them is trivial. This makes users remotely vulnerable to cross site
scripting based attacks and various MSIE bugs, and locally vulnerable as
well to anyone who can access the local file system (i.e. the cookie
file), for instance when a user decides to use someone else's computer or
uses a computer on which he shares Administrator rights with others.
Vulnerability #2:
Passwords are shown in clear text in the source of the "session timeout"
re-authentication popup. The offending JavaScript snippet simulates a
"remember password" option and tests whether it was checked in order to
automatically fill in the form's password field. The clear text password
appears as is in the JavaScript source code, whatever the user decided to
do with the option. A user can therefore have a false sense of safety:
leaving his host for even a few seconds without having filled in the
authentication popup exposes his password to anybody looking at the
source, and, once again, he is remotely vulnerable to the same MSIE bugs
mentioned above.
Temporary workarounds:
For vulnerability #1:
Clear all cookies via MSIE "Tools/Internet Options/General/Delete Cookies"
right after a session has ended to avoid local attacks, and patch your
browser with the latest security fixes if you have not already done so.
For vulnerability #2:
Do not leave the authentication popup exposed to onlookers (log in or quit
the application) and, again, patch your browser against remote attacks.
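The workarounds above are client-side. As an added example (not vendor code and not part of the original advisory), the following Node.js code shows a server-side design that removes both exposures: the cookie carries only a random session token, and the session-timeout popup is rendered with an empty password field. All function names, the 15-minute timeout and the /reauth path are assumptions.

```javascript
// Added example, not XPede code. Names, timeout and paths are assumptions.
const crypto = require("crypto");

const SESSION_TTL_MS = 15 * 60 * 1000; // assumed idle timeout
const users = new Map();    // userid -> { salt, hash } (no reversible password)
const sessions = new Map(); // token  -> { userid, expires }

function register(userid, password) {
  const salt = crypto.randomBytes(16);
  users.set(userid, { salt, hash: crypto.scryptSync(password, salt, 32) });
}

function verify(userid, password) {
  const u = users.get(userid);
  if (!u) return false;
  const candidate = crypto.scryptSync(password, u.salt, 32);
  return crypto.timingSafeEqual(candidate, u.hash);
}

// Login: the cookie value is random and has no relation to the password,
// so reading the cookie file or stealing it via script yields no password.
// HttpOnly additionally keeps page script from reading it.
function login(userid, password, now = Date.now()) {
  if (!verify(userid, password)) return null;
  const token = crypto.randomBytes(32).toString("hex");
  sessions.set(token, { userid, expires: now + SESSION_TTL_MS });
  return `sid=${token}; Path=/; HttpOnly; Secure; SameSite=Strict`;
}

// Resolve a token to a user; expired or unknown tokens are rejected.
function sessionUser(token, now = Date.now()) {
  const s = sessions.get(token);
  if (!s || s.expires <= now) { sessions.delete(token); return null; }
  return s.userid;
}

// Session-timeout popup: only the (escaped) userid is rendered. The
// password is never written into the page; the user must retype it.
function reauthPopup(userid) {
  const safe = String(userid).replace(/[&<>"']/g, c => `&#${c.charCodeAt(0)};`);
  return `<form method="post" action="/reauth">` +
    `<input type="hidden" name="userid" value="${safe}">` +
    `<input type="password" name="password" autocomplete="off" value="">` +
    `</form>`;
}
```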
Vendor status:
The vendor was contacted on March 13 and, as far as is known, is
currently working on a patch. In the meantime, you may want to use the
above workarounds.
Proof of concept (password recovery from cookies)
#!/usr/bin/perl
# Xdeep.pl, search for and decipher XPede passwords stored in these damn cookies
# Pr00f of concept, not to be used for illegal purposes.
#
# Author: Gregory Duchemin Aka c3rb3r // March 2002
#
# output format: each picture line is followed by the variable that fills it
format STDOUT =
+ Userid: @<<<<<<<
$userid
+ Realname: @<<<<<<<<<<<<<<<<<<<<<<<<<
$realname
+ Company: @<<<<<<<<<<<<<<<<<<<<
$company
+ Encoded password: @<<<<<<<<<<<<<<<<<<<<
$password
.