[UNIX] Ipswitch WhatsUp SQL Injection Vulnerability

From: SecuriTeam (support_at_securiteam.com)
Date: 06/23/05

  • Next message: SecuriTeam: "[EXPL] phpBB Multiple User Registeration DoS (Exploit)"
    To: list@securiteam.com
    Date: 23 Jun 2005 13:13:38 +0200
    
    

    The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
    - - promotion

    The SecuriTeam alerts list - Free, Accurate, Independent.

    Get your security news from a reliable source.
    http://www.securiteam.com/mailinglist.html

    - - - - - - - - -

      Ipswitch WhatsUp SQL Injection Vulnerability
    ------------------------------------------------------------------------

    SUMMARY

     <http://www.ipswitch.com/Products/WhatsUp/professional/index.html>
    Ipswitch's WhatsUp is "a network management solution for small and mid
    sized organizations".

    Remote exploitation of a SQL injection vulnerability in Ipswitch Inc.'s
    WhatsUp Professional allows remote attackers to gain administrative access
    to the application.

    DETAILS

    Vulnerable Systems:
     * Ipswitch WhatsUp Gold Professional version 2005 SP1

    Immune Systems:
     * Ipswitch WhatsUP Professional 2005 SP1a

    The main logon screen for the web based front end does not properly
    validate input, allowing for SQL injection attacks to occur. SQL commands
    can be submitted through the "User Name" and "Password" fields on the
    default login page.

    The web front end is not enabled by default and must be running for the
    application to be vulnerable. It can be enabled under the "Configure",
    "Program Options" menu by checking the "Enable web server on port [80]"
    checkbox.

    Exploit code for this vulnerability is unnecessary; the following SQL
    injection attacks can be executed in the "User Name" field of the
    http://[target]/NmConsole/Login.asp page:

    Reset the Admin user password with a blank password:
    - 'UPDATE WebUser SET sPassword=DEFAULT WHERE sUserName='Admin'--

    Elevate Guest user privileges to Admin privileges:
    - 'UPDATE WebUser SET nUserRightsMask=-1 WHERE sUserName='guest'--

    Successful exploitation allows unauthenticated remote attackers to gain
    administrative access to the WhatsUp Professional application. SQL
    injection attacks can be used to either elevate the privileges of the
    Guest user or to change/erase the password of the Admin user. Either
    approach will provide a remote attacker with full administrative access to
    the application. By default, the Guest user is enabled but has limited
    access to the application and the account has a blank password.

    Workaround:
    Disabling the web front end to WhatsUp Gold Professional 2005 (SP1) will
    prevent the ability to exploit this vulnerability. It can be disabled
    under the "Configure", "Program Options" menu by unchecking the "Enable
    web server on port [80]" checkbox.

    Vendor response:
    This vulnerability is addressed in WhatsUP Pro 2005 SP1a.

    A change log detailing changes in SP1a is available at:
     
    <http://www.ipswitch.com/forums/shwmessage.aspx?ForumID=20&MessageID=7699>
    http://www.ipswitch.com/forums/shwmessage.aspx?ForumID=20&MessageID=7699

    CVE Information:
     <http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1250>
    CAN-2005-1250

    Disclosure Timeline:
     * 25.04.05 - Initial vendor notification
     * 10.05.05 - Initial vendor response
     * 22.06.05 - Coordinated public disclosure

    ADDITIONAL INFORMATION

    The information has been provided by <mailto:labs@idefense.com> iDEFENSE.
    The original article can be found at:
    <http://www.idefense.com/application/poi/display?id=268&type=vulnerabilities> http://www.idefense.com/application/poi/display?id=268&type=vulnerabilities

    ========================================

    This bulletin is sent to members of the SecuriTeam mailing list.
    To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
    In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

    ====================
    ====================

    DISCLAIMER:
    The information in this bulletin is provided "AS IS" without warranty of any kind.
    In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.


  • Next message: SecuriTeam: "[EXPL] phpBB Multiple User Registeration DoS (Exploit)"