Endeca Latitude 2.2.2 – Cross-Site Request Forgery

• Exploit Database
• 13 阅读

• 作者： RedTeam Pentesting
  日期： 2014-06-27
• 类别：

  • webapps
  平台：

  • multiple
• 来源：https://www.exploit-db.com/exploits/33897/

• Advisory: Endeca Latitude Cross-Site Request Forgery
  
  RedTeam Pentesting discovered a Cross-Site Request Forgery (CSRF)
  vulnerability in Endeca Latitude. Using this vulnerability, an attacker
  might be able to change several different settings of the Endeca
  Latitude instance or disable it entirely.
  
  
  Details
  =======
  
  Product: Endeca Latitude
  Affected Versions: 2.2.2, potentially others
  Fixed Versions: N/A
  Vulnerability Type: Cross-Site Request Forgery
  Security Risk: low
  Vendor URL: N/A
  Vendor Status: decided not to fix
  Advisory URL: https://www.redteam-pentesting.de/advisories/rt-sa-2013-002
  Advisory Status: published
  CVE:CVE-2014-2399
  CVE URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2399
  
  
  Introduction
  ============
  
  Endeca Latitude is an enterprise data discovery platform for advanced,
  yet intuitive, exploration and analysis of complex and varied data.
  Information is loaded from disparate source systems and stored in a
  faceted data model that dynamically supports changing data. This
  integrated and enriched data is made available for search, discovery,
  and analysis via interactive and configurable applications.
  
  (from the vendor's homepage)
  
  
  More Details
  ============
  
  Endeca Latitude offers administrators the ability to perform different
  administrative and configuration operations by accessing URLs.
  These URLs are not secured by a randomly generated token and therefore
  are prone to Cross-Site Request Forgery attacks.
  
  For example by accessing the URL http://example.com/admin?op=exit an
  administrator can shut down the Endeca Latitude instance. Several other
  URLs exist (as documented at [1] and [2]) which can be used to trigger
  operations such as flushing cashes or changing the logging settings.
  
  
  Proof of Concept
  ================
  
  An attacker might prepare a website, which can trigger arbitrary
  functionality (see [1] and [2]) of an Endeca Latitude instance if
  someone opens the attacker's website in a browser that can reach Endeca
  Latitude.An easy way to implement this is to embed a hidden image into
  an arbitrary website which uses the corresponding URL as its source:
  
  <img src="http://example.com/admin?op=exit" style="display:hidden" />
  <img src="http://example.com/config?op=log-disable" style="display:hidden" />
  [...]
  
  
  Workaround
  ==========
  
  The vendor did not update the vulnerable software, but recommends to
  configure all installations to require mutual authentication using TLS
  certificates for both servers and clients, while discouraging users from
  installing said client certificates in browsers.
  
  
  Fix
  ===
  
  Not available. The vendor did not update the vulnerable software to
  remedy this issue.
  
  
  Security Risk
  =============
  
  The vulnerability can enable attackers to be able to interact with an
  Endeca Latitude instance in different ways. Possible attacks include the
  changing of settings as well as denying service by shutting down a
  running instance. Attackers mainly benefit from this vulnerability if
  the instance is not already available to them, but for example only to
  restricted IP addresses or after authentication. Since this makes it
  harder to identify potential target systems and the attack mainly allows
  to disturb the service until it is re-started, the risk of this
  vulnerability is considered to be low.
  
  
  Timeline
  ========
  
  2013-10-06 Vulnerability identified
  2013-10-08 Customer approved disclosure to vendor
  2013-10-15 Vendor notified
  2013-10-17 Vendor responded that investigation/fixing is in progress
  2014-02-24 Vendor responded that bug is fixed and scheduled for a future
   CPU
  2014-03-13 Vendor responded with additional information about a
   potential workaround
  2014-04-15 Vendor releases Critical Patch Update Advisory with little
   information on the proposed fix
  2014-04-16 More information requested from vendor
  2014-05-02 Vendor responds with updated information
  2014-06-25 Advisory released
  
  
  References
  ==========
  
  [1] http://docs.oracle.com/cd/E29220_01/mdex.222/admin/toc.htm#List%20of%20administrative%20operations
  [2] http://docs.oracle.com/cd/E29220_01/mdex.222/admin/toc.htm#List%20of%20supported%20logging%20variables
  
  
  RedTeam Pentesting GmbH
  =======================
  
  RedTeam Pentesting offers individual penetration tests, short pentests,
  performed by a team of specialised IT-security experts. Hereby, security
  weaknesses in company networks or products are uncovered and can be
  fixed immediately.
  
  As there are only few experts in this field, RedTeam Pentesting wants to
  share its knowledge and enhance the public knowledge with research in
  security related areas. The results are made available as public
  security advisories.
  
  More information about RedTeam Pentesting can be found at
  https://www.redteam-pentesting.de.
  
  
  -- 
  RedTeam Pentesting GmbH Tel.: +49 241 510081-0
  Dennewartstr. 25-27 Fax : +49 241 510081-99
  52068 Aachenhttps://www.redteam-pentesting.de
  Germany Registergericht: Aachen HRB 14004
  Geschäftsführer: Patrick Hof, Jens Liebchen