SecurityReason.com - Our Reason is Security


Topic :

PasswordManager Pro 6.1 Script Injection Vulnerability

SecurityAlert : 6872
CVE : CVE-2009-4387
CWE : CWE-79
SecurityRisk : Low
Remote Exploit : Yes
Local Exploit : No
Victim interaction required : Yes
Exploit Available : No
Credit : scip
Published : 25.12.2009

Affected Software :
manageengine:password_manager_pro:6.1:-:free and previous versions
manageengine:password_manager_pro:6.1:-:standard and previous versions
manageengine:password_manager_pro:6.1 and previous versions
manageengine:password_manager_pro:6.0
manageengine:password_manager_pro:5.4
manageengine:password_manager_pro:5.3
manageengine:password_manager_pro:5.2
manageengine:password_manager_pro:5.1
manageengine:password_manager_pro:5.0
manageengine:password_manager_pro:4.8
manageengine:password_manager_pro:4.7
manageengine:password_manager_pro:4.6



Advisory Content :

PasswordManager Pro 6.1 Script Injection Vulnerability
scip AG Vulnerability ID 4063 (12/15/2009) http://www.scip.ch/?vuldb.4063


I. INTRODUCTION

"Password Manager Pro is a secure vault for storing and managing shared
sensitive information such as passwords, documents and digital identities
of enterprises."

More information is available on the official product web site at the
following URL[1]:

http://www.manageengine.com/products/passwordmanagerpro/


II. DESCRIPTION

Stefan Friedli at scip AG (Switzerland) found an input validation error
within the current release, which enabled an attacker to perform various
web-based attacks.

The request handler for the search function fails to perform proper input
validation on the data submitted via HTTP GET. The parameter "searchtext"
is not validated and is therefore vulnerable to script injection. While a
basic input filtering mechanism is in place, it fails to detect more
advanced (e.g. encoded) payloads.
Other parts of the application might be affected too.

This vulnerability has been tested on version 6.1, other versions might be
affected as well.


III. EXPLOITATION

Classic script injection techniques and unexpected input data within a
browser session can be used to exploit these vulnerabilities. The target
application does check for certain patterns and prevents an attacker from
using simple exploit strings containing substrings like "script",
"javascript", "alert" or similar. However, we consider this to be an
imperfect mechanism that is unable to prevent an attack using a more
sophisticated payload. For a selection, you might want to check RSnake's
popular XSS Cheat Sheet[2], which contains several patterns not detected by
the filter in place, allowing you to execute any arbitrary, externally
hosted payload.

Exploitation can be performed using any medium that is able to issue a
GET request. Under certain circumstances, it is even possible to attack an
unauthenticated user, as the payload is kept in the user's session until
authentication data has been entered.

We exploited the vulnerability for a customer in order to prove that it is
possible to capture usernames and passwords. One of the possibilities
mentioned above is to embed a remote Flash file and grant it permission to
execute script code.
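As an added illustration (not code from the advisory or from ManageEngine), the following reconstructs the kind of case-sensitive substring blocklist described in section III and in the vendor response, beside the hardened handling a defender would use instead: decode the GET parameter once, then HTML-escape it for the context it is written into, so that no case variant or quote can form markup. The blocklist contents, the results-page fragment and the helper names are assumptions for this example.

```python
import html
from urllib.parse import unquote_plus

# Assumption: a reconstruction of the kind of case-sensitive substring blocklist the
# advisory describes for "searchtext"; this is not the product's actual code.
BLOCKED_SUBSTRINGS = ("script", "javascript", "alert")

def weak_filter(searchtext: str) -> str:
    """Reject only when a blocklisted substring appears in exactly this lower case,
    then echo the value into the page unchanged. Any other tag or case variant passes."""
    for bad in BLOCKED_SUBSTRINGS:
        if bad in searchtext:
            return ""
    return searchtext

def hardened_handler(searchtext: str) -> str:
    """Escape for the HTML context the value is written into instead of guessing
    which strings are dangerous: < > & " ' all become entities, whatever their case."""
    return html.escape(searchtext, quote=True)

def render_results(raw_query_value: str, handler) -> str:
    """Decode the GET parameter once (so the handler sees what the browser would),
    then embed it in the constructed results fragment via `handler`."""
    return '<p>Results for: <span class="q">%s</span></p>' % handler(unquote_plus(raw_query_value))

def echoed_value_is_inert(fragment: str) -> bool:
    """True if the echoed term can neither open a tag nor break out of the span."""
    open_tag = '<span class="q">'
    start = fragment.index(open_tag) + len(open_tag)
    end = fragment.rindex('</span>')      # rindex: an echoed "</span>" must not fool us
    echoed = fragment[start:end]
    return not any(ch in echoed for ch in '<>"\'')

if __name__ == "__main__":
    for handler in (weak_filter, hardened_handler):
        page = render_results("%3CScript%3E", handler)
        print(handler.__name__, "->", page, "inert:", echoed_value_is_inert(page))
```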


IV. IMPACT

Impact of the vulnerability depends on the stored data. PMP is often used
for corporate password management and contains highly sensitive
information. Therefore, a high amount of damage might be caused by
successful exploitation and follow-up attacks.


V. DETECTION

Detection of web-based attacks requires a specialized web proxy and/or
intrusion detection system. Patterns for such detection are available and
easy to implement. Usually the less-than (<) and greater-than (>) symbols
are required to form an HTML tag. In some cases single (') or double quotes
(") are required to inject the code into a given HTML statement. Some
implementations of security systems also look for well-known attack tags
like <script> and attack attributes like onMouseOver. However, these are
usually not capable of identifying highly optimized payloads.
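The patterns section V lists, applied to web server access logs as an added example (not part of the advisory): each query parameter is percent-decoded repeatedly (bounded) so that double-encoded input is inspected in decoded form, and the tag and event-handler patterns are matched case-insensitively so that mixed-case variants of the kind the vendor response describes are not missed. The log lines, the /search.do path and the request values are constructed for this example.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample access-log lines (common log format); the /search.do path and
# the request values are assumptions for this example, not taken from the advisory.
SAMPLE_LOG = """\
10.0.0.5 - - [25/Dec/2009:10:00:01 +0100] "GET /search.do?searchtext=backup+server HTTP/1.1" 200 512
10.0.0.7 - - [25/Dec/2009:10:00:02 +0100] "GET /search.do?searchtext=%3CScRiPt%3E HTTP/1.1" 200 512
10.0.0.9 - - [25/Dec/2009:10:00:03 +0100] "GET /search.do?searchtext=%22%20onMouseOver%3D%22x HTTP/1.1" 200 512
10.0.0.9 - - [25/Dec/2009:10:00:04 +0100] "GET /search.do?searchtext=%253Cb%253E HTTP/1.1" 200 512
"""

REQUEST_LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) HTTP/[\d.]+"')
# Section V: < and > form a tag; quotes break out of an attribute value.
METACHARS = re.compile(r"""[<>'"]""")
# Well-known tag / event-handler attribute patterns, matched case-insensitively
# so that mixed-case variants (the bug behind CVE-2009-4387) are not missed.
TAG_OR_HANDLER = re.compile(r"<\s*script|\bon[a-z]+\s*=", re.IGNORECASE)

def fully_decode(value: str, max_rounds: int = 3) -> str:
    """Undo nested percent-encoding (bounded) so double-encoded input is inspected decoded."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def inspect_line(line: str):
    """Return (client_ip, param, reason) for each suspicious query parameter, else []."""
    m = REQUEST_LINE.match(line)
    if not m:
        return []
    ip, target = m.group(1), m.group(2)
    findings = []
    for name, values in parse_qs(urlsplit(target).query, keep_blank_values=True).items():
        for raw in values:                       # parse_qs already decoded one layer
            value = fully_decode(raw)
            if TAG_OR_HANDLER.search(value):
                findings.append((ip, name, "tag-or-event-handler"))
            elif METACHARS.search(value):
                findings.append((ip, name, "html-metachar"))
    return findings

def scan_log(text: str):
    return [f for line in text.splitlines() for f in inspect_line(line)]

if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
```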


VI. SOLUTION

Move to version 6104 or later
http://forums.manageengine.com/#Topic/49000003740390

VII. VENDOR RESPONSE

The issue is due to the filter applying case sensitive checks to the attack
strings and the situation of such a string with different cases of
characters was not handled. (09.12.2009; ManageEngine)


VIII. SOURCES

scip AG - Security Consulting Information Process (German)
http://www.scip.ch/

scip AG Vulnerability Database (German)
http://www.scip.ch/?vuldb.4063


IX. DISCLOSURE TIMELINE

2009/09/28 Identification of the vulnerability
2009/10/-- ManageEngine supplies hotfix for affected customer
2009/12/07 scip AG starts public disclosure process by informing
ManageEngine
2009/12/07 ManageEngine acknowledges vulnerability and disclosure timeline
2009/12/09 ManageEngine announces patch within 5 days, sends official
vendor response statement
2009/12/15 ManageEngine releases official patch
2009/12/15 scip AG releases public advisory


X. CREDITS

The vulnerabilities were discovered by Stefan Friedli.

Stefan Friedli, scip AG, Zuerich, Switzerland
stfr-at-scip.ch
http://www.scip.ch/


A1. BIBLIOGRAPHY

[1] PMP Official Vendor Information, ManageEngine
http://www.manageengine.com/products/passwordmanagerpro/


A2. LEGAL NOTICES

Copyright (c) 2002-2009 scip AG, Switzerland.

Permission is granted for the re-distribution of this alert. It may not be
edited in any way without permission of scip AG.

The information in the advisory is believed to be accurate at the time of
publishing based on currently available information. There are no
warranties with regard to this information. Neither the author nor the
publisher accepts any liability for any direct, indirect or consequential
loss or damage from use of or reliance on this advisory.


References :

http://www.vupen.com/english/advisories/2009/3540
http://www.scip.ch/?vuldb.4063
http://www.manageengine.com/products/passwordmanagerpro/release-notes.html
http://www.securityfocus.com/bid/37336
http://www.scip.ch/publikationen/advisories/scip_advisory-4063_manageengine_pmp_script_injection.txt
http://secunia.com/advisories/37765



