[NEWS] Xpede Found to Contain Multiple Vulnerabilities
From: support@securiteam.com  Date: 04/21/02
From: support@securiteam.com To: list@securiteam.com Date: Sun, 21 Apr 2002 21:23:40 +0200 (CEST)
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
Xpede Found to Contain Multiple Vulnerabilities
------------------------------------------------------------------------
SUMMARY
<http://www.workforceroi.com/solutions/pa/index.shtml> Intellisol Xpede
is a browser-based time and expense entry and project cost management
module designed to connect a remote workforce in real time.
Multiple security vulnerabilities have been found in the product. They
allow an attacker to obtain sensitive information and to take over the
administrator account; the latter in turn could lead to complete
compromise of the remote server.
DETAILS
Vulnerable systems:
Xpede version 4.1
Vulnerability #1:
Access to the /admin directory is not restricted by any ACL, so anyone
with a valid Xpede user account can issue requests to Xpede's
administration tools (located under the /admin/ directory).
/admin/adminproc.asp does not require any administrative authentication
before processing a request. A request from a regular Xpede account to
/admin/adminproc.asp without any parameters enumerates all user accounts,
showing their usernames, e-mail addresses, and full names. This gives a
potential attacker a good starting point for social engineering and
account attacks (brute force against passwords).
This is not the worst that can happen, because /admin/adminproc.asp
performs most of the administration tasks, offering the ability to
remotely change, delete, and add users (and their passwords).
While authenticated as a regular Xpede user, it is therefore possible to
issue crafted requests and take over the administrator account (or any
other account).
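The failure in #1 is a missing function-level authorization check: the endpoint verifies that a session exists but never asks what role it carries. The following is an added example, not Xpede code, modelling an adminproc.asp-style dispatcher in Python beside the same dispatcher with the check in place. The user store, the "action"/"user"/"newpw" parameter names and the session objects are constructed for illustration; the real parameter names are not documented in the advisory.

```python
"""Function-level access control for an adminproc-style dispatcher.

Added example, not Xpede code: a minimal stand-in for an endpoint like
/admin/adminproc.asp. The user store, the "action"/"user"/"newpw" parameter
names and the session objects are constructed for illustration; the real
parameter names are not documented in the advisory.
"""
from dataclasses import dataclass


@dataclass
class User:
    username: str
    email: str
    full_name: str
    password: str
    role: str = "user"          # "user" or "admin"


@dataclass
class Session:
    """Server-side session state; the role is never taken from the request."""
    username: str
    role: str


class AuthorizationError(Exception):
    pass


def sample_users():
    """Constructed accounts, not real Xpede data."""
    return {
        "admin": User("admin", "admin@example.invalid", "Site Administrator",
                      "s3cret", role="admin"),
        "jdoe": User("jdoe", "jdoe@example.invalid", "Jane Doe", "hunter2"),
    }


def _dispatch(users, params):
    """The administration actions themselves. No parameters at all means
    "list every account", as the advisory describes."""
    action = params.get("action")
    if action is None:
        return [(u.username, u.email, u.full_name) for u in users.values()]
    if action == "setpassword":
        users[params["user"]].password = params["newpw"]
        return "password changed"
    if action == "delete":
        del users[params["user"]]
        return "user deleted"
    raise ValueError(f"unknown action {action!r}")


def adminproc_vulnerable(users, session, params):
    """Any valid Xpede session is enough: the session is accepted but its
    role is never consulted, so a regular user can reset the admin password."""
    return _dispatch(users, params)


def adminproc_hardened(users, session, params):
    """The missing check: the caller's role is read from server-side session
    state and verified before any administrative action is dispatched."""
    if session.role != "admin":
        raise AuthorizationError(
            f"{session.username!r} attempted admin action {params.get('action')!r}")
    return _dispatch(users, params)


if __name__ == "__main__":
    users = sample_users()
    jane = Session("jdoe", "user")
    print(adminproc_vulnerable(users, jane, {}))          # enumerates all accounts
    adminproc_vulnerable(users, jane,
                         {"action": "setpassword", "user": "admin", "newpw": "owned"})
    print(users["admin"].password)                        # owned
    try:
        adminproc_hardened(users, jane, {})
    except AuthorizationError as e:
        print("refused:", e)
```

The check belongs in the dispatcher, ahead of every action, rather than in the individual pages: the advisory's point is that one script serves every administrative function, so a single missing gate exposes all of them. Refused attempts are raised with the caller and action named so they can be logged.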
Vulnerability #2:
An anonymous request (from a user not holding any valid Xpede account) to
/admin/datasource.asp returns an HTML form revealing the SQL account
name that Xpede uses for all its SQL queries. An attacker who knows the
account name only has to obtain the password; loss of the SQL account
password would give an intruder the opportunity to completely take over
the SQL server and probably compromise other corporate databases that use
the same SQL account.
Vulnerability #3:
The /utils/sprc.asp script, used by every user for various
timesheet-related tasks, accepts a very dangerous parameter called "Qry".
This parameter allows an attacker to send arbitrary SQL statements
(without any kind of filtering) to the SQL server, which executes them
under Xpede's SQL account.
For instance, since the passwords of all Xpede users, including the
administrator, are stored in the XPD00002 table inside the DYNAMICS
database, an intruder supplying a request such as
"SELECT * FROM DYNAMICS..XPD00002" will retrieve an exhaustive list of all
Xpede passwords, including the administrator's. This allows an attacker to
impersonate anyone inside the company.
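What makes "Qry" dangerous is that the client supplies the SQL text itself, so no amount of authentication helps: whatever the database account may do, the user may do. The following added example (not Xpede code) reproduces that pass-through pattern in Python and places it beside the usual fix: the client may only name a query from a server-side allow-list, and every user-controlled value is bound as a parameter. sqlite3 stands in for Microsoft SQL Server, so the DYNAMICS..XPD00002 cross-database name from the advisory becomes a plain XPD00002 table; its columns, the TIMESHEET table and all rows are constructed for illustration.

```python
"""A pass-through "Qry" parameter beside an allow-listed, parameterized replacement.

Added example, not Xpede code. sqlite3 stands in for Microsoft SQL Server, so
the DYNAMICS..XPD00002 cross-database name from the advisory becomes a plain
XPD00002 table; its columns, the TIMESHEET table and all rows are constructed
for illustration.
"""
import sqlite3


def build_db():
    """In-memory stand-in for the Xpede database (constructed data)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE XPD00002 (userid TEXT PRIMARY KEY, password TEXT);
        INSERT INTO XPD00002 VALUES ('admin', 's3cret'), ('jdoe', 'hunter2');
        CREATE TABLE TIMESHEET (tsn INTEGER PRIMARY KEY, userid TEXT, hours REAL);
        INSERT INTO TIMESHEET VALUES (1001, 'jdoe', 38.5), (1002, 'admin', 12.0);
    """)
    return conn


def sprc_vulnerable(conn, qry):
    """What the advisory describes: the Qry value is handed to the database
    verbatim and runs with whatever rights Xpede's SQL account holds."""
    return conn.execute(qry).fetchall()


# Hardened: the client may only name a query; the server owns the SQL text
# and every user-controlled value is bound as a parameter, never spliced in.
ALLOWED_QUERIES = {
    "my_hours": "SELECT tsn, hours FROM TIMESHEET WHERE userid = ? ORDER BY tsn",
}


def sprc_hardened(conn, query_name, current_user):
    sql = ALLOWED_QUERIES.get(query_name)
    if sql is None:
        raise PermissionError(f"query {query_name!r} is not permitted")
    return conn.execute(sql, (current_user,)).fetchall()


if __name__ == "__main__":
    conn = build_db()
    # A regular user dumps every password, the administrator's included.
    print(sprc_vulnerable(conn, "SELECT * FROM XPD00002"))
    # The same request against the hardened handler is refused outright.
    try:
        sprc_hardened(conn, "SELECT * FROM XPD00002", "jdoe")
    except PermissionError as e:
        print("refused:", e)
    # An injection attempt inside a bound parameter simply matches nothing.
    print(sprc_hardened(conn, "my_hours", "jdoe' OR '1'='1"))   # []
    print(sprc_hardened(conn, "my_hours", "jdoe"))              # [(1001, 38.5)]
```

Note that `current_user` in the hardened handler comes from the server-side session, not from the request; if the client could supply it, the allow-list would still stop arbitrary SQL but the owner check in the query would be meaningless. The allow-list also does not replace the least-privilege SQL login recommended in the workarounds below: it narrows what the application will ask for, while the login's rights bound what any remaining bug could reach.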
Vulnerability #4:
When a user submits an expense claim, Xpede saves it in a temporary
directory called /reports/temp. For obvious security reasons this
directory should not be indexable (i.e. a request for the directory root
should not return a listing of the files stored underneath it). The only
further protection is that these files are created with filenames meant
to be as random as possible. The filename structure currently used by
Xpede is the prefix "expenserpt", followed by five random characters and
the suffix ".htm". The five characters are chosen from the range [0-9A-F]
(for example: expenserpt0AF4E.htm). No authentication is required to
access these files. Anyone can anonymously download them, and can
discover which filenames exist by brute-forcing all possible names (note
that the number of combinations to be tried is only 16^5 = 1,048,576).
Vulnerability #5:
After submitting a timesheet with Xpede, a user has to sign it before
his/her project manager can approve it. At this point the user is shown a
screen displaying the details of the new timesheet to be signed, through
the ts_app.htm page (called by ts_app_process.asp). By choosing an
arbitrary TSN number (the TSN indicates the number of the timesheet
currently being processed) and accessing the following URL:
http://xpede.target.com/approval/ts_app.htm?TSN=anyTSNnumber
it is possible to view other people's timesheets. TSN numbers are
incremented every time a timesheet is created, so finding one valid number
and counting down from it reveals all previous timesheets (a timesheet
contains sensitive information such as project names, working hours, and
price tags).
Temporary workarounds:
Most of these vulnerabilities can only be fixed properly by correcting the
ASP files themselves, and the product clearly needs a fundamental change
in how it controls access to data. Nevertheless, we try below to provide
some workarounds to help mitigate the risk.
Note that vulnerabilities #1 and #3 are the two most dangerous and the
ones you may wish to address right now.
Generic workaround:
Do not run Xpede with a privileged SQL login; instead create a dedicated,
unprivileged login for the Xpede database, and make sure it has no rights
on any other database. Ensure that your Microsoft SQL Server is patched
against the "xp_formatstrings" attacks and that proper authorization
requirements are set for master..xprocedures. Protect your Microsoft SQL
Server behind a firewall and do not allow the port it is bound to to be
reached from the outside.
As always, we suggest you use NTLM-based authentication on your web site
to ensure that only NT-authenticated users reach the application, rather
than relying on Xpede's own authentication alone (which, as shown above,
is inadequate). This limits the pool of potential attackers to your own
legitimate users.
Vulnerabilities #1 and #2:
Change the permissions on the /admin directory: use NTLM authentication
and grant access to the directory only to the "Xpede admin" NT account.
Choose a hard-to-guess password for your Xpede SQL account (since
datasource.asp reveals only the account name, this limits the usefulness
of that disclosure).
Vulnerability #3:
Unknown at this time.
Vulnerability #4:
Disable directory browsing on the whole site, and especially for the
/reports/temp/ directory. If possible, block all requests directed at the
/reports/temp directory at your firewall, NIDS or web server.
Vulnerability #5:
Unknown at this time.
Vendor status:
The Intellisol/Workforceroi support team was contacted three times, on
April 4, 5 and 15, but chose not to reply.
ADDITIONAL INFORMATION
The information has been provided by <mailto:c3rb3r@sympatico.ca>
Cerberus Vulgaris.
========================================
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com
====================
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.