dnaLIMS DNA Sequencing – Directory Traversal / Session Hijacking / Cross-Site Scripting

• Exploit Database
• 15 阅读

• 作者： Shorebreak Security
  日期： 2017-03-10
• 类别：

  • webapps
  平台：

  • cgi
• 来源：https://www.exploit-db.com/exploits/41578/

• Title: Multiple vulnerabilities discovered in dnaLIMS DNA sequencing
  web-application
  Advisory URL: https://www.shorebreaksecurity.com/blog/product-security-advisory-psa0002-dnalims/
  Date published: Mar 08, 2017
  Vendor: dnaTools, Inc.
  CVE IDs: [2017-6526, 2017-6527, 2017-6528, 2017-6529]
  USCERT VU: 929263
  
  Vulnerability Summaries
  1) Improperly protected web shell [CVE-2017-6526]
  dnaLIMS requires authentication to view cgi-bin/dna/sysAdmin.cgi, which is
  a web shell included with the software running as the web user.However,
  sending a POST request to that page bypasses authentication checks,
  including the UID parameter within the POST request.
  
  2) Unauthenticated Directory Traversal [CVE-2017-6527]
  The viewAppletFsa.cgi seqID parameter is vulnerable to a null terminated
  directory traversal attack. This allows an unauthenticated attacker to
  retrieve files on the operating system accessible by the permissions of the
  web server. This page also does not require authentication, allowing any
  person on the Internet to exploit this vulnerability.
  
  3) Insecure Password Storage[CVE-2017-6528]
  An option, which is most likely the default, allows the password file
  (/home/dna/spool/.pfile) to store clear text passwords.When combined with
  the unauthenticated directory traversal vulnerability, it is possible to
  gain the username and password for all users of the software and gain
  complete control of the software.
  
  4) Session Hijacking [CVE-2017-6529]
  Each user of the dnaLIMS software is assigned a unique four-digit user
  identification number(UID) upon account creation.These numbers appear to
  be assigned sequentially. Multiple pages of the dnaLIMS application require
  that this UID be passed as a URL parameter in order to view the content of
  the page.
  Consider the following example:
  The URL ahttp://<SERVER NAME
  REDACTED>/cgi-bin/dna/seqreq2N.cgi?username=61685578,2410a is a valid URL
  to view the page for sequencing requests for the user with the UID of 2410. The
  username parameter of the URL is the mechanism for authentication to the
  system. The first eight-digit number of the username parameter appears to
  be a session identifier as it changes every time the user logs in from the
  password.cgi page, however this value is not checked by the seqreq2N.cgi
  page. This allows an attacker to guess the four-digit UID of valid user
  accounts that have an active session. The user with the UID of 2419
  currently has an active session, so we can simply hijack this useras
  session by requesting this page and specifying the UID 2419.
  
  5) Cross-site Scripting
  The seqID parameter of the viewAppletFsa.cgi page is vulnerable to a
  reflected cross site scripting attack via GET request as seen in the
  following URL:
  http://<SERVER NAME REDACTED>/cgi-bin/dna/viewAppletFsa.cgi?seqID=7415-7<SCRIPT
  Alert("XSS") </SCRIPT>
  
  6) Cross-site Scripting
  The navUserName parameter of the seqTable*.cgi page is vulnerable to a
  reflected cross site scripting attack via POST request as seen in the
  example below. The * reflects a short name for a client, (ie Shorebreak
  Security may be seqTableSS.cgi or seqTableshorebreak.cgi) and may not be
  vulnerable for all dnaLIMS installs.
  
  7) Improperly Protected Content
  
  Many of the pages within the admin interface are not properly protected
  from viewing by authenticated users.This can give an attacker additional
  system information about the system, or change system/software
  configuration.
  
  Software was conducted on a live production system, therefore the pages
  themselves were tested, forms within these pages were not.
  
  This is also not an exhaustive list of improperly protected pages:
  
  cgi-bin/dna/configuration.cgi
  
  cgi-bin/dna/createCoInfo.cgi
  
  cgi-bin/dna/configSystem.cgi
  
  cgi-bin/dna/combineAcctsN.cgi
  
  Disclosure Timeline
  
  Thu, Nov 10, 2016 at 4:25 PM: Reached out to vendor requesting PGP key to
  securely exchange details of vulnerabilities identified
  
  Thu, Nov 10, 2016 at 4:55 PM: Vendor requests report be physically mailed
  to PO box via Postal Service
  
  Wed, Nov 16, 2016, at 11:14 AM: Report mailed to vendor via USPS Certified
  Mail
  
  Thu, Dec 8, 2016, at 10:43 AM: Request Vendor acknowledge receipt of the
  report
  
  Thu, Dec 8, 2016, at 12:53 PM: Vendor acknowledges receiptI3/4 suggests
  placing the software behind a firewall as a solution to the vulnerabilities.
  
  Thu, Dec 8, 2016, at 1:54 PM: Reply that the offered solution mitigates
  some risk, but does not address the vulnerabilitiesI3/4 inquire if there is a
  plan to address the vulnerabilities
  
  Thu, Dec 8, 2016, at 3:13 PM: Vendor replies aa|Yes, we have a plan. Please
  gather a DNA sequence, PO Number, or Fund Number and go to your local
  grocery store and see what it will buy you.a
  
  Tue, Feb 28, 2017, at 1:15 PM: Vulnerabilities disclosed to US-CERT
  
  Tue, Mar 7, 2017, at 8:19 AM: Vulnerabilities submitted to MITRE for CVE
  assignment
  
  Wed, Mar 8, 2017, at 12:00 PM: Vulnerabilities disclosed publicly