Investigation and Solution | Vtiger Vulnerability (Elastix) | blog-windows
As part of the SOC team, we observed an attacker from outside trying to exploit a Vtiger vulnerability that was disclosed in mid-2012.
Specifically, he was trying to access one file, amportal.conf. This file contains all of the Elastix password information, and the same flaw can probably be used to view almost any file on the system.
Here is brief explanation:
About Vtiger:
I. BACKGROUND
Vtiger CRM is a free, full-featured, 100% Open Source CRM software ideal for small and medium businesses, with low-cost product support available to production users that need reliable support.
II. DESCRIPTION
Multiple Vulnerabilities exist in Vtiger CRM software.
III. ANALYSIS
Summary:
A) Remote Code Execution (RCE) Vulnerability
B) Local File Inclusion (LFI) Vulnerability (pre-auth)
C) Cross Site Scripting (XSS) Vulnerabilities (pre-auth, reflected)
D) Cross Site Scripting (XSS) Vulnerabilities (post-auth, reflected)
Code we observed:
https://myipadddress/vtigercrm/modules/com_vtiger_workflow/sortfieldsjson.php?module_name=../../../../../../../..//etc/amportal.conf
When a user browses this URL, the contents of amportal.conf are displayed, including all passwords therein.
Obviously the sortfieldsjson.php file is being used to read amportal.conf, and it can probably be used to view almost any file on the system.
Disclosure Date: 2012-03-21
Exploit Publish Date: 2012-03-21
Description:
Vtiger CRM contains a flaw that allows a remote attacker to traverse outside of a restricted path. The issue is due to the sortfieldsjson.php script not properly sanitizing user input, specifically directory traversal style attacks (e.g. /../) supplied via the 'module_name' parameter. This directory traversal attack would allow the attacker to read arbitrary files.
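To spot this kind of traversal in web server logs, here is an added detection example (not part of the original post or of Vtiger/Elastix). It parses constructed Apache-style access-log lines, URL-decodes the module_name parameter sent to sortfieldsjson.php, and flags any value that resolves outside the module directory; the IP addresses, timestamps and sizes are placeholders.

```python
import re
from posixpath import normpath
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed sample access-log lines (placeholder IPs), not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [05/Nov/2012:10:12:01 +0000] "GET /vtigercrm/modules/com_vtiger_workflow/sortfieldsjson.php?module_name=../../../../../../../..//etc/amportal.conf HTTP/1.1" 200 1834
203.0.113.7 - - [05/Nov/2012:10:12:05 +0000] "GET /vtigercrm/modules/com_vtiger_workflow/sortfieldsjson.php?module_name=..%2f..%2f..%2f..%2fetc%2fpasswd HTTP/1.1" 200 912
198.51.100.4 - - [05/Nov/2012:10:13:40 +0000] "GET /vtigercrm/modules/com_vtiger_workflow/sortfieldsjson.php?module_name=Leads HTTP/1.1" 200 411
198.51.100.4 - - [05/Nov/2012:10:14:02 +0000] "GET /index.php HTTP/1.1" 200 7200
"""

# Common Log Format: client IP, timestamp, request line, status code.
REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Directory the vulnerable script lives in (assumed standard Elastix layout).
MODULE_DIR = "/vtigercrm/modules/com_vtiger_workflow"


def module_name_escapes(module_name: str) -> bool:
    """True if module_name, after decoding, resolves outside MODULE_DIR.

    Double-decoding catches both plain '../' and %2f / %252f encodings;
    normpath collapses '..' and repeated slashes so the check is on the
    real target path rather than on a fixed '../' signature.
    """
    decoded = unquote(unquote(module_name))
    resolved = normpath(MODULE_DIR + "/" + decoded)
    return not resolved.startswith(MODULE_DIR + "/")


def find_traversal_attempts(log_text: str) -> list:
    """Return (client_ip, status, decoded module_name) for each request to
    sortfieldsjson.php whose module_name leaves the module directory.
    A 200 status on such a hit means the server most likely returned the file."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m.group("target"))
        if not parts.path.endswith("/sortfieldsjson.php"):
            continue
        for value in parse_qs(parts.query, keep_blank_values=True).get("module_name", []):
            if module_name_escapes(value):
                hits.append((m.group("ip"), int(m.group("status")), unquote(unquote(value))))
    return hits
```

Feeding the real access log instead of SAMPLE_LOG gives the source addresses to block and the list of files that were actually read.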
Recommendation:
- Kindly check the version of Vtiger you are using and update or patch it.
- I strongly recommend that if you run Elastix (which includes Vtiger even if you don't use it) you either:
  - limit access to the web interface of your server to only specific IP addresses, or
  - if you don't use Vtiger, disable access to the interface by running.
Root Cause Analysis :
After proper investigation we observed that the attacker exploited the vulnerability shown above, which applies to the Linux platform. Since we are using a Windows-based OS, we confirmed that we are not running Vtiger in our environment. I also personally investigated that particular server.
-Regards,
blog-windows blog