aushack.com - Vulnerability Advisory ----------------------------------------------- Release Date: 22-Sep-2006 Software: Computer Associates - eTrust Security Command Center http://www3.ca.com/solutions/Product.aspx?ID=4351 "eTrust Security Command Center helps you discover and prioritize relevant security data to effectively manage your security risks in real time. By correlating security risks to assets, you can take corrective action and investigate security incidents through a centralized command and control center." Versions affected: eTrust Security Command Center 1.0, r8, r8 SP1 CR1 and r8 SP1 CR2. eTrust Audit 1.5 and r8. Vulnerabilities discovered: 1) Reveal web server path. 2) Read and delete arbitrary files from the host server under the service account, generally LocalSystem. 3) The event alerting does not use authentication, and as such is vulnerable to external replay attacks, similar to IDS replay attacks. Vulnerability impact: Medium - A malicious authenticated user may read and delete arbitrary files, whilst an unauthenticated attacker may use a replay attack to distract staff from tracking real events, and/or denial of service by consuming disk space with false alerts. Vulnerability information The software is operated by use of a web browser. Authenticated users have access to the various security reports and functions, which generally do not verify user controlled parameters. 1) The 'ePPIServlet' script returns a detailed path error when sent the quote character [ ' ] as part of the 'PIProfile' function. 2) The 'eSMPAuditServlet' class contains a function, 'getadhochtml', which is used to provide reporting functionality. The component generates reports in a temporary file location, returns the file contents to the web client, then deletes it... but does not validate the path. 3) There is an API function to create your own alerts: eTSAPISend.exe. The service does not use any authentication, so the attacker may script the binary to send thousands of false-positive alerts to the Security Command Center, diverting attention and resources from real threats. Examples (lines have been wrapped): 1) https://escc-server.example.com:8080/etrust/servlet/ePPIServlet? PIProfile=eAV_Report's&PIName=Generate+Pre-7.1+Report+Data&profile= Threat+Management&node= Would return an error similar to: "Cannot read profile: C:\Program Files\Computer Associates\eTrust\Command Centre\servlet\.. " 2) https://escc-server.example.com:8080/etrust/servlet/eSMPAuditServlet? verb=getadhochtml&eSCCAdHocHtmlFile=../../../../../../../boot.ini Assuming the product was installed on the C drive, this will return the contents of c:\boot.ini to the client, then immediately delete it, e.g: [boot loader] timeout=30 default=multi(0)disk(0)rdisk(0)partition(1)\WINNT [operating systems] multi(0)disk(0)rdisk(0)partition(1)\WINNT="Windows 2003 Server" 3) An example Windows Logon failure event would be similar to: C:\> etsapisend.exe -nod $dstIP -cat "System Access" -opr Logon -sta F -nam NT-Security -loc \\Domain\IIS_Server -usr System -evt 70 -src Security -nid 529 -inf "Logon Failure" Exploitation Requirement: Fortunately, the web service requires product based authentication prior to execution for 1 and 2. Unfortunately, the product ships with multiple default usernames and passwords, which although unlikely, may still be present. The default username:password pairs are below: eadmin:eadmin iam:iam threat:threat admin:admin For point 3, the $dstIP must have the Audit Router socket open (tcp/111). Solution: 1) Fixes QO81875, QO81758, QO81862, QO81863 ... 2) Fixes QO81851, QO81876, QO81878 can be found at: http://supportconnectw.ca.com/public/eTrust/eTrust_scc/downloads/eTrustscc_updates.asp 3) No solution - use perimeter based firewalls. References: aushack.com advisory http://www.aushack.com/200608-computerassociates.txt Credit: Patrick Webster ( patrick@aushack.com ) Thanks to the CA Security team for their quick response. Disclosure timeline: 21-Jan-2006 - Vulnerabilities discovered. 04-Aug-2006 - Sent to Computer Associates Security Advisor. 04-Aug-2006 - Vendor response & verification. 19-Sep-2006 - Vendor patch release. 22-Sep-2006 - Public disclosure. EOF