what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

perfact::mpa Insecure Direct Object Reference

perfact::mpa Insecure Direct Object Reference
Posted Mar 1, 2016
Authored by Matthias Deeg, Sven Freund | Site syss.de

The SySS GmbH found out that any logged in user is able to download valid VPN configuration files of arbitrary existing remote sessions. All an intruder needs to know is the URL with the dynamic parameter "brsessid". Due to the modification of this incremental increasing integer value, it is possible to enumerate and download a valid VPN configuration file for every existing remote session.

tags | exploit, remote, arbitrary
SHA-256 | 0395cba8a67f491b8450abca96173ea16da49abe7cd6b3f2d88cf3e02d04710c

perfact::mpa Insecure Direct Object Reference

Change Mirror Download
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Advisory ID: SYSS-2015-069
Product: perfact::mpa
Manufacturer: PerFact Innovation GmbH & Co. KG
Affected Version(s): Custom versions using PerFact DB_Utils (Toolkit) < v3.2
Tested Version(s): Custom version with PerFact DB_Utils (Toolkit) < v3.2
Vulnerability Type: Insecure Direct Object References (CWE-932)
Risk Level: High
Solution Status: Fixed
Manufacturer Notification: 2015-12-18
Solution Date: 2016-01-18
Public Disclosure: 2016-02-29
CVE Reference: Not yet assigned
Authors of Advisory: Matthias Deeg and Sven Freund (SySS GmbH)

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Overview:

The software solution perfact::mpa is a software architecture that, for
instance, is used to build web applications for the secure and reliable
remote maintenance of machines via the Internet (see [1]).

According to the manufacturer, remote control software built with
perfact::mpa impresses through the following features:

* location-independent and central monitoring,
* maintenance and error management,
* authorized remote access, and
* integrated documentation of incidents and services.

Due to improper authorization checks, any logged in user can download
valid VPN configuration files of arbitrary existing remote sessions.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Vulnerability Details:

The SySS GmbH found out that any logged in user is able to download
valid VPN configuration files of arbitrary existing remote sessions.

All an intruder needs to know is the URL with the dynamic parameter
"brsessid". Due to the modification of this incremental increasing
integer value, it is possible to enumerate and download a valid
VPN configuration file for every existing remote session.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Proof of Concept (PoC):

The following URL is an exemplary request to download a valid VPN
configuration file for the remote session identified by the ID
"brsessid":

https://<HOST>/<PATH>/MPA2/RoleSession/Link/connect?brsess_id=<BRSESSID>&brvpnnode_id=1

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Solution:

According to information by the PerFact Innovation GmbH & Co. KG, the
described security issue has been fixed in PerFact DB_Utils (toolkit)
software version 3.2.

Please contact the manufacturer for further information or support.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclosure Timeline:

2015-12-18: Vulnerability reported to manufacturer
2016-01-18: Response from manufacturer with detailed information about
the reported security vulnerability and its solution status
2016-02-05: E-mail to manufacturer according two open questions
2016-02-05: Response from manufacturer with further information
2016-02-29: Public release of security advisory

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

References:

[1] Product Web Site for perfact::mpa
http://perfact.de/mpa/index_html
[2] SySS Security Advisory SYSS-2015-069
https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2015-069.txt
[3] SySS Responsible Disclosure Policy
https://www.syss.de/en/responsible-disclosure-policy/

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Credits:

This security vulnerability was found by Matthias Deeg and Sven Freund
of the SySS GmbH.

E-Mail: matthias.deeg (at) syss.de
Public Key: https://www.syss.de/fileadmin/dokumente/Materialien/PGPKeys/Matthias_Deeg.asc
Key fingerprint = D1F0 A035 F06C E675 CDB9 0514 D9A4 BF6A 34AD 4DAB

E-Mail: sven.freund (at) syss.de
Public Key: https://www.syss.de/fileadmin/dokumente/Materialien/PGPKeys/Sven_Freund.asc
Key fingerprint = DCDB 7627 C1E3 9CE8 62DF 2666 8A5F A853 415D 46DC

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclaimer:

The information provided in this security advisory is provided "as is"
and without warranty of any kind. Details of this security advisory may
be updated in order to provide as accurate information as possible. The
latest version of this security advisory is available on the SySS Web
site.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Copyright:

Creative Commons - Attribution (by) - Version 3.0
URL: http://creativecommons.org/licenses/by/3.0/deed.en

-----BEGIN PGP SIGNATURE-----

iQIcBAEBCgAGBQJW0/AFAAoJENmkv2o0rU2rQSAP/0/zhmg+uzJaPxZJ0/N4y5Jz
IwNr+Dla9lPglGtkGOogmDImR7D10csqYXD4jDCgkJN/yxYCbJYv3anKOPy87yiY
/GNk6vGuzcbGCBmq3sxxF8cuuTygEshTDeGE8lY7HArWq30Kyf9ob2CA8dMPxpA2
SDCv5Glv0I8BFkd3JHlGrs/yLZ4HVRMv1Bnwqzv8PXDWcQPpy7Lhz0z3l3w60aK8
CZCvmgX2nfX1nTgopQqiB/kYqnOK6QkAxvudepfOZqn7cXgM94vd8fnwYW1HRVgK
H8ftEa+UQa0WmvtZ4tEBvav0mGgivw5yixXbZxt0OxyMz585MVHKAu4SgxKfTjNl
z83fvGkxIpSSwjSKNEgy57gHofN9rwOUdvFj35JnUiszcGT0WA1Np3CEGny5TA+N
wj7p7MgkiYglv0DMmHkgvdiow0fgN5Gz9At2D6EINZuw9KR9SdDPmn6utIFMBVbG
mltSyBnPok5jEnPV9KfrXH5XBBsUy2MM1pQla8HYMmaicAvbbfEHy9RboVJCSVKL
pkyMQx1quUph43E0hpPGnIQO7djJJ/bT4aZtFRWTI+tqdB3Z1FvGbzzuRKZabhTh
Sgh0uP+8UecrxG9YLXBb5JK8TKpPZbPXjX1Qlte1/U07XUpcWgXGqNzhVUU7dXHD
q6KQNEPgR3SgCO1bMo+9
=x2/v
-----END PGP SIGNATURE-----
Login or Register to add favorites

File Archive:

December 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Dec 1st
    0 Files
  • 2
    Dec 2nd
    41 Files
  • 3
    Dec 3rd
    25 Files
  • 4
    Dec 4th
    0 Files
  • 5
    Dec 5th
    0 Files
  • 6
    Dec 6th
    0 Files
  • 7
    Dec 7th
    0 Files
  • 8
    Dec 8th
    0 Files
  • 9
    Dec 9th
    0 Files
  • 10
    Dec 10th
    0 Files
  • 11
    Dec 11th
    0 Files
  • 12
    Dec 12th
    0 Files
  • 13
    Dec 13th
    0 Files
  • 14
    Dec 14th
    0 Files
  • 15
    Dec 15th
    0 Files
  • 16
    Dec 16th
    0 Files
  • 17
    Dec 17th
    0 Files
  • 18
    Dec 18th
    0 Files
  • 19
    Dec 19th
    0 Files
  • 20
    Dec 20th
    0 Files
  • 21
    Dec 21st
    0 Files
  • 22
    Dec 22nd
    0 Files
  • 23
    Dec 23rd
    0 Files
  • 24
    Dec 24th
    0 Files
  • 25
    Dec 25th
    0 Files
  • 26
    Dec 26th
    0 Files
  • 27
    Dec 27th
    0 Files
  • 28
    Dec 28th
    0 Files
  • 29
    Dec 29th
    0 Files
  • 30
    Dec 30th
    0 Files
  • 31
    Dec 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close