[UNIX] Ipswitch WhatsUp SQL Injection Vulnerability

From: SecuriTeam (support_at_securiteam.com)
Date: 06/23/05

  • Next message: SecuriTeam: "[EXPL] phpBB Multiple User Registeration DoS (Exploit)"
    To: list@securiteam.com
    Date: 23 Jun 2005 13:13:38 +0200
    
    

    The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
    - - promotion

    The SecuriTeam alerts list - Free, Accurate, Independent.

    Get your security news from a reliable source.
    http://www.securiteam.com/mailinglist.html

    - - - - - - - - -

      Ipswitch WhatsUp SQL Injection Vulnerability
    ------------------------------------------------------------------------

    SUMMARY

     <http://www.ipswitch.com/Products/WhatsUp/professional/index.html>
    Ipswitch's WhatsUp is "a network management solution for small and mid
    sized organizations".

    Remote exploitation of a SQL injection vulnerability in Ipswitch Inc.'s
    WhatsUp Professional allows remote attackers to gain administrative access
    to the application.

    DETAILS

    Vulnerable Systems:
     * Ipswitch WhatsUp Gold Professional version 2005 SP1

    Immune Systems:
     * Ipswitch WhatsUP Professional 2005 SP1a

    The main logon screen for the web based front end does not properly
    validate input, allowing for SQL injection attacks to occur. SQL commands
    can be submitted through the "User Name" and "Password" fields on the
    default login page.

    The web front end is not enabled by default and must be running for the
    application to be vulnerable. It can be enabled under the "Configure",
    "Program Options" menu by checking the "Enable web server on port [80]"
    checkbox.

    Exploit code for this vulnerability is unnecessary; the following SQL
    injection attacks can be executed in the "User Name" field of the
    http://[target]/NmConsole/Login.asp page:

    Reset the Admin user password with a blank password:
    - 'UPDATE WebUser SET sPassword=DEFAULT WHERE sUserName='Admin'--

    Elevate Guest user privileges to Admin privileges:
    - 'UPDATE WebUser SET nUserRightsMask=-1 WHERE sUserName='guest'--

    Successful exploitation allows unauthenticated remote attackers to gain
    administrative access to the WhatsUp Professional application. SQL
    injection attacks can be used to either elevate the privileges of the
    Guest user or to change/erase the password of the Admin user. Either
    approach will provide a remote attacker with full administrative access to
    the application. By default, the Guest user is enabled but has limited
    access to the application and the account has a blank password.

    Workaround:
    Disabling the web front end to WhatsUp Gold Professional 2005 (SP1) will
    prevent the ability to exploit this vulnerability. It can be disabled
    under the "Configure", "Program Options" menu by unchecking the "Enable
    web server on port [80]" checkbox.

    Vendor response:
    This vulnerability is addressed in WhatsUP Pro 2005 SP1a.

    A change log detailing changes in SP1a is available at:
     
    <http://www.ipswitch.com/forums/shwmessage.aspx?ForumID=20&MessageID=7699>
    http://www.ipswitch.com/forums/shwmessage.aspx?ForumID=20&MessageID=7699

    CVE Information:
     <http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1250>
    CAN-2005-1250

    Disclosure Timeline:
     * 25.04.05 - Initial vendor notification
     * 10.05.05 - Initial vendor response
     * 22.06.05 - Coordinated public disclosure

    ADDITIONAL INFORMATION

    The information has been provided by <mailto:labs@idefense.com> iDEFENSE.
    The original article can be found at:
    <http://www.idefense.com/application/poi/display?id=268&type=vulnerabilities> http://www.idefense.com/application/poi/display?id=268&type=vulnerabilities

    ========================================

    This bulletin is sent to members of the SecuriTeam mailing list.
    To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
    In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

    ====================
    ====================

    DISCLAIMER:
    The information in this bulletin is provided "AS IS" without warranty of any kind.
    In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.


  • Next message: SecuriTeam: "[EXPL] phpBB Multiple User Registeration DoS (Exploit)"

    Relevant Pages

    • [UNIX] Alstrasoft Epay Pro Directory Traversal
      ... The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com ... Epay Pro comes with a ready out of the box ... allowing remote attackers to access sensitive ... EPay's Pro vulnerability caused by an improper validation of user-supplied ...
      (Securiteam)
    • [UNIX] Trend Micro VirusWall Buffer Overflow in VSAPI Library
      ... The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com ... buffer overflow vulnerability in VSAPI library allows arbitrary code ... is called "vscan" which is set suid root by default. ... permissions and thus granted all local users the privilege to execute the ...
      (Securiteam)
    • [UNIX] SCO Multiple Local Buffer Overflow
      ... The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com ... Local exploitation of a buffer overflow vulnerability in the ppp binary, ... allows attackers to gain root privileges. ...
      (Securiteam)
    • [NT] Microsoft Word 6.0/95 Document Converter Buffer Overflow (MS04-041)
      ... The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com ... WordPad is "a word processing application that uses the MFC rich edit ... Remote exploitation of a buffer overflow vulnerability in Microsoft ... Microsoft Word format files into the Rich Text Format natively handled by ...
      (Securiteam)
    • [UNIX] Tikiwiki Command Injection and Arbitrary File Exposure Vulnerabilities
      ... The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com ... Two security vulnerabilities have been recently discovered in Tikiwiki, ... Remote exploitation of an input validation vulnerability in Tikiwiki ... allows attackers to gain access to arbitrary files on the vulnerable ...
      (Securiteam)