Owning a domain using Metasploit and incognito | blog-windows


blog-windows | Owning a domain using Metasploit and incognito




Share Your Knowledge................................by comment-Regards, blog-windows blog(sms GeniusHacker on 9870807070)or http://labs.google.co.in/smschannels/channel/GeniusHacker
Investigation and Solution | Vtiger Vulnerability (Elastix) | blog-windows

Investigation and Solution | Vtiger Vulnerability (Elastix) | blog-windows


Investigation and Solution | Vtiger Vulnerability (Elastix) | blog-windows

As a part of SOC team, we observed attacker (someone) from outside tried to exploit Vtiger vulnerability by exploiting one of the vulnerability invented in mid of 2012.

Actually he is trying to access one file i.e. Amportal.conf, this file consist of all passwords information and probably be used to view most any file on the system        
Here is brief explanation:
About Vtiger:-

I. BACKGROUND

Vtiger CRM is a free, full-featured, 100% Open Source CRM software ideal
for small and medium businesses, with low-cost product support available
to production users that need reliable support.

II. DESCRIPTION
Multiple Vulnerabilities exist in Vtiger CRM software.

III. ANALYSIS
Summary:
 A) Remote Code Execution (RCE) Vulnerability
 B) Local File Inclusion (LFI) Vulnerability (pre-auth)
 C) Cross Site Scripting (XSS) Vulnerabilities (pre-auth, reflected)
 D) Cross Site Scripting (XSS) Vulnerabilities (post-auth, reflected)

 Code we observed:

https://myipadddress/vtigercrm/modules/com_vtiger_workflow/sortfieldsjson.php?module_name=../../../../../../../..//etc/amportal.conf

When user browses this URL the amportal.conf was displayed, including all passwords therein.
Obviously the sortfieldsjson.php file is being used to access amportal.conf and can probably be used to view most any file on the system        
Disclosure Date : 2012-03-21
Exploit Publish Date : 2012-03-21

Description:
Vtiger CRM contains a flaw that allows a remote attacker to traverse outside of a restricted path. The issue is due to the sortfieldsjson.php script not properly sanitizing user input, specifically directory traversal style attacks (e.g. /../) supplied via the 'module_name' parameter. This directory traversal attack would allow the attacker to read arbitrary files.

Recommendation:
Ø  Kindly check the version of Vtiger they are using and update or patch it.
Ø  I strongly recommend that if you run Elastix (which includes Vtiger even if you don’t use it) that you either -

Limit access to the web interface of your server to only specific IP addresses.
If you don’t use Vtiger then disable access to the interface by running.
Upgrading Elastix? Read this FAQ Now!!
elx.ec/upgfaq

Elastix Docs : 
elx.ec/elastixtutorials
www.elastixconnection.com

Elastix Fault Finding Guide
elx.ec/faultfind


Root Cause Analysis :
After proper investigation we observed that attacker exploited the vulnerability as shown above in Linux Platform and we are using Windows based OS  then we got confirmation that we are not using Vtiger on our environment. Also I personally did investigation of that particular server.


Share Your Knowledge................................by comment
-Regards,
blog-windows blog
(sms GeniusHacker on 9870807070)or
http://labs.google.co.in/smschannels/channel/GeniusHacker