
List:       full-disclosure
Subject:    [Full-disclosure] Vulnerability Report: EMC Centera Universal Access
From:       Aaron Brown <Aaron.Brown () admeritia ! de>
Date:       2008-07-23 17:09:27
Message-ID: D79FDDD8143E7B4CBCDB375A698BDA07013293B8C0 () srvmail01 ! admeritia ! lan

adMERITia Vulnerability Report
Vulnerability Information

Vendor: EMC²
Product: Centera Universal Access
Version: CUA4.0_4735.p4

Vulnerability Type: Software Flaw

Vulnerability: SQL Injection

Impact: An attacker can bypass the authentication mechanism and is logged in as an arbitrary user. With knowledge of valid user names, an attacker can choose which user to log in as, without a password.

Description: The user name field of the CUA Module login does not sanitize user input, allowing an attacker to run arbitrary SQL code. Using the "--" comment syntax it is possible to comment out the password check, so that an attacker is logged in as the first available user name in the table. By repeating this several times, or by browsing the "Accounts" tab within the CUA Module, an attacker can gather a list of all users. From this list an attacker can select an administrator account and log in as that account simply by entering its user name followed by "--".

How the vulnerability can be reproduced:
        For an arbitrary account, enter the following in the user field: ' --
        For a targeted account, enter the following in the user field: valid_user_name' --
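The following is an added illustration, not code from the advisory or from the EMC product: it rebuilds the flaw described above in a throwaway SQLite database with a constructed accounts table, and assumes the login query is built by string concatenation of the user name and password. The vulnerable function shows why "valid_user_name' --" returns the account regardless of the password; the fixed function uses a parameterized query, so the same input is treated as a literal (and non-existent) user name.

```python
import sqlite3


def make_db():
    """Constructed sample database with two accounts (not real credentials)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (username TEXT, password TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO accounts VALUES (?, ?, ?)",
        [("admin", "s3cret", "administrator"), ("alice", "hunter2", "user")],
    )
    return conn


def login_vulnerable(conn, username, password):
    """Assumed shape of the flawed login: user input is concatenated into SQL.

    With username = "admin' --" the statement becomes
        ... WHERE username = 'admin' --' AND password = '<anything>'
    and the password comparison is commented out.
    """
    sql = (
        "SELECT username FROM accounts "
        f"WHERE username = '{username}' AND password = '{password}'"
    )
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_fixed(conn, username, password):
    """Hardened login: placeholders keep the input as data, never as SQL."""
    row = conn.execute(
        "SELECT username FROM accounts WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row[0] if row else None


def demo():
    """Return (vulnerable result, fixed result) for the targeted-account input."""
    conn = make_db()
    injected = "admin' --"
    return login_vulnerable(conn, injected, "wrong"), login_fixed(conn, injected, "wrong")


if __name__ == "__main__":
    print(demo())  # ('admin', None)
```

The same parameterized pattern applies to any database driver; storing password hashes rather than plaintext is a separate fix that does not by itself close the injection.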

Release Information
Model: CENTERA_GEN_4
Software Version: CUA4.0_4735.p4
Operating System: Linux i386 V. 2.6.16.21-0.15_VCUA4_0_4735

Fix: (quote from the vendor)
"The remedy for the reported problems has been released on 30 June 2008 and is available on EMC Powerlink as CUA 4.0.1 Patch 1, under "Support -> Software Download"."
Vendor URL: www.emc.com

Vendor Status:
The vendor was informed of the problem, and was very cooperative in getting a patch developed for the problem. However, contact was broken off by the vendor after the relevant patch was released. The vendor has not yet published an advisory stating the reason for the latest patch or the discovered vulnerability in previous versions. This vulnerability was brought to the attention of the vendor on May 20, 2008 under the policy of responsible disclosure as documented at http://www.wiretrip.net/rfp/policy.html. After cooperating on a patch, the vendor did not respond to requests to release a public advisory. Therefore we have taken the initiative to alert the public through various security publications.

Credit for this vulnerability finding should be given to:
Lars Heidelberg, adMERITia GmbH
Aaron Brown, adMERITia GmbH

Disclaimer
The information within this document may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties with regard to this information. In no event shall the author be liable for any consequences whatsoever arising out of or in connection with the use or spread of this information. Any use of this information lies within the user's responsibility.


Mit freundlichen Grüssen / With kind regards

Aaron Brown

**********************************************************
This e-mail and any files transmitted with it are confidential and intended solely for the use of the individual or organization to whom they are addressed. Should you not be the intended addressee of this e-mail or his or her representative, please note that publication, replication of the contents by any means or further communication of the content is not permissible. Should you have received this e-mail in error, please notify the sender.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

