[VulnWatch] Remote access to NeuSecure/Netcool backend database via web interface credentials leakage



-= DDSi Security Report =-
March 8th, 2006

---------------------------------------------------------------------------------------------------------

Another credentials leak was found in Netcool/NeuSecure Security
Information
Management platform which leads to remote backend database access
with administrative privileges by an unauthenticated remote user



Problems :

- Web interface Applet parameters have credentials stored in clear
which allows access to backend database.
- Version information leak.


About NeuSecure:

--------------------------------------------------------------------------------------------------------------------------

Netcool/NeuSecure is a security information management (SIM) platform
designed to improve the effectiveness, efficiency and visibility of
security operations and information risk management. The solution
centralizes and stores security data from throughout the enterprise,
automating incident recognition and response, streamlining incident
handling, enabling policy monitoring enforcement and providing
comprehensive reporting for regulatory compliance. The centralization
and automation of these functions results in reduced costs of security
and IT operations

---------------------------------------------------------------------------------------------------------------------------------


Platform : RedHat EL 3
------------------------------
JReports-NeuSecure-3.0.236-1
common-NeuSecure-3.0.236-1
cms-NeuSecure-3.0.236-1
---------------------------------------------------------------------------------------------------------------------------------








Procedure:
----------------------------------------------

Web client mozilla 1.5.0.1
Navigate to company;s Neusecure Server Website:

http://neusecuresrv.domain.com/body.phtml

View source :

<SCRIPT LANGUAGE="JAVASCRIPT">
var ap_width = '';
var ap_height = '';
var paramNameArray = ["ARCHIVE", "CODEBASE", "CODE", "EVENT_LIMIT",
"FiresScriptEvents", "MAYSCRIPT", " database.CMS_DBTYPE", "
database.CMS_DBNAME", "database.CMSM_DBNAME", "database.CMS_DBHOST", "
database.CMS_DBUSER", "database.CMS_DBPASS", "agent_count_limit", "
triton.ticket.export", "username", "sessionid", "javaplugin.jre.params", "
database.java.connectionURL"];
var paramValueArray = ["JavaClasses.jar", ".", " Triton.TritonApplet.class",
"", "true", "true", "mysql", "nsdbp", "nsdbm", "localhost", "ns", " password",
"2000", "", "", "fb9ad3ab8968e88e4a576f598b39d61e", "-Xmx512M
-Xms256M", "http://neusecure.domain.com:80/getData.php<http://neusecure.domain.com/getData.php>
"];
browser.constructApplet('TritonApplet', paramNameArray, paramValueArray,
ap_width, ap_height);
</SCRIPT>


Outcome:
-----------------------------------------

- Default settings for database user [ns] allows connection from any host.
- These credentials are used to connect to NeuSecure backend Mysql database
with the following privileges:

Alter Tables
To alter the table
Create temporary tables Databases To use
CREATE TEMPORARY TABLE
Create Databases,Tables,Indexes To create new
databases and tables
Delete Tables
To delete existing rows
Drop Databases,Tables To drop
databases and tables
File File access on server To
read and write files on the server
Grant option Databases,Tables To give to
other users those privileges you possess
Index Tables
To create or drop indexes
Insert Tables
To insert data into tables
Lock tables Databases To use
LOCK TABLES (together with SELECT privilege)
Process Server Admin To view the
plain text of currently executing queries
References Databases,Tables To have
references on tables
Reload Server Admin To
reload or refresh tables, logs and privileges
Replication client Server Admin To ask
where the slave or master servers are
Replication slave Server Admin To read
binary log events from the master
Select Tables
To retrieve rows from table
Show databases Server Admin To see all
databases with SHOW DATABASES
Shutdown Server Admin To shutdown
the server
Super Server Admin To
use KILL thread, SET GLOBAL, CHANGE MASTER, etc.
Update Tables
To update existing rows
Usage Server Admin
No privileges - allow connect only




* Also, under Mozilla client applet renders to provide a Help button
which gives out the version
of the NeuSecure product and it's service pack version.
So far IE6 does not display applet in a way to glean this information.




Workaround:
One can change access permissions for user ns in the database
to include only valid hosts to prevent direct backend logins.


Conclusion:

- Vendor needs to validate user session before accessing the applet.
- Vendor should not store credential cleartext.

---------------------------------------------------------------------------------------------

Vendor communication:

Attempt to make the vendor aware of this problem was ignored.




Thanks,

Dimitry Snezhkov.
DDSi


Relevant Pages