BugTraq
Re: Multiple Vulnerabilities In P-Synch Password Management May 30 2003 04:03PM
Idan Shoham (idan psynch com)
In-Reply-To: <20030529052621.31678.qmail (at) www.securityfocus (dot) com [email concealed]>

The following can be taken as an official response from the vendor, M-Tech Information Technology, Inc. (http://mtechIT.com/), to this "vulnerability":

1) The actual risk of these issues to production deployments of P-Synch is nil, as users do not normally, or in our experience ever, access P-Synch by clicking a URL on a third-party web server. Cross-site scripting attacks only affect the web browser of users who click a maliciously-constructed URL to a valid application URL, and this mode of attacking user browsers is simply not relevant to a normal P-Synch deployment.

Users access P-Synch in one of several ways, none of which expose their browser to cross-site scripting attacks:

a) By typing a well known URL, such as "password" in their browser, and relying on the DNS infrastructure of their organization (e.g., password --> password.acme.com --> P-Synch server).

b) By triggering transparent password synchronization with a native password change on some system (and where no browser is involved).

c) Using an IVR system and telephone (again, no browser).

d) By clicking on a link to P-Synch on their corporate Intranet, which is highly unlikely to be compromised by a mangled URL.

2) A fix for both issues has been available to M-Tech customers for some time. Despite extremely low risk, M-Tech was already aware, in particular of the path disclosure issue, and had already resolved it.

3) Path disclosure is trivial in this case. The fact that P-Synch was installed on "C:\Program Files\P-Synch" is hardly sensitive and security through obscurity is obviously a falsehood. The P-Synch application is hardened, and knowledge on the part of an intruder that the software is installed in a given directory, on a machine that should in normal deployments have no filesystem shares or other remote access mechanisms, is meaningless.

4) The contents of the filesystem of the P-Synch server are not affected. For example, issuing a URL such as:

http://demobox/demo/psdemo/nph-psf.exe?css=c:\test.dat

will simply cause a web browser that follows this link to get an HTML page that includes the text:

<style type="text/css" media="all">
@import "c:\test.dat";
</STYLE>

The original poster never made an effort to notify M-Tech of the "discovered vulnerability," and does not have a legitimate copy of P-Synch (presumably because he refused to sign a license agreement which many customers and prospects sign daily to get a free evaluation copy of the software). As there are extremely few P-Synch deployments facing the Internet, it is very unlikely that the poster "came across" P-Synch by accident.

Customers and prospects are encouraged to contact M-Tech for more detailed information about this issue, and to download patches if they feel the vulnerability is worth addressing.

>Date: 29 May 2003 05:26:21 -0000
>Message-ID: <20030529052621.31678.qmail (at) www.securityfocus (dot) com [email concealed]>
>From: JeiAr <jeiar (at) kmfms (dot) com [email concealed]>
>To: bugtraq (at) securityfocus (dot) com [email concealed]
>Subject: Multiple Vulnerabilities In P-Synch Password Management
>

>Multiple Vulnerabilities In P-Synch Password Management
>-------------------------------------------------------
>The other night I came across a server running P-Synch.
>I had never heard of it so I was curious to poke around
>on it a bit. Within an hour I found the vulns listed below.
>I'm pretty sure there are other more serious vulns in
>P-Synch, but they are very picky about who they give their
>software to, even an evaluation version. So I was not able
>to test any further. However I encourage any admins running
>P-Synch to poke around on it, just to be on the safe side.

>

>

>

>Description
>-------------------------------------------------------
>P-Synch Total Password Management Solution
>by M-TECH
>P-Synch is a total password management solution. It is
>intended to reduce the cost of ownership of password systems,
>and simultaneously improve the security of password protected
>systems. This is done through:
>-Password Synchronization.
>-Enforcing an enterprise wide password strength policy.
>-Allowing authenticated users to reset their own forgotten
>passwords and enable their locked out accounts.
>-Streamlining help desk call resolution for password resets.
>P-Synch is available for both internal use, on the corporate
>Intranet, as well as for the Internet deployment in B2B and
>B2C applications.
>
>http://www.securityfocus.com/products/837

>

>

>

>Problems
>-------------------------------------------------------
>All of these problems are simple, self explanatory vulns
>so, I'm sure the below examples will speak for themselves.
>Once again this application was NOT thoroughly researched.
>So anyone with a copy of P-Synch might wanna explore it
>further.

>

>

>

>Path Disclosure Vulnerability
>-------------------------------------------------------
>https://path/to/psynch/nph-psa.exe?lang=
>https://path/to/psynch/nph-psf.exe?lang=

>

>

>Code Injection Vulnerability
>-------------------------------------------------------
>https://path/to/psynch/nph-psf.exe?css=">[VBScript, JScript etc]
>https://path/to/psynch/nph-psa.exe?css=">[VBScript, JScript etc]

>

>

>File Include Vulnerability
>-------------------------------------------------------
>https://path/to/psynch/nph-psf.exe?css=http://somesite/file
>https://path/to/psynch/nph-psa.exe?css=http://somesite/file

>

>

>

>Credits
>-------------------------------------------------------
>All credits go to JeiAr of GulfTech Computers and CSA
>Security Research http://www.gulftech.org
>
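Editor's added example (not code from M-Tech or from either poster): the vendor's sample output above shows the request value being reflected verbatim into an `@import "..."` rule. The Python below models that rendering, runs the three payload shapes from the advisory through it (a local path, a remote URL, a quote breakout) and a check that flags any `@import` target that is not one of the deployment's own stylesheets, then shows a hardened rendering that maps the `css` parameter onto a fixed server-side allowlist so no request-controlled string reaches the page at all. The allowlist names and `/psynch/css/...` paths are assumptions for the example, as is the exact HTML template.

```python
"""Reflected stylesheet parameter: vulnerable rendering, detection check,
and an allowlist-based fix. Example code, not the product's own."""
import re
from urllib.parse import parse_qs, urlsplit

# Shape of the output shown on the page: the parameter lands inside @import.
STYLE_TEMPLATE = '<style type="text/css" media="all">\n@import "{css}";\n</style>\n'

# Assumed allowlist: the stylesheet names this deployment actually ships.
ALLOWED_STYLESHEETS = {
    "default": "/psynch/css/default.css",
    "highcontrast": "/psynch/css/hc.css",
}
DEFAULT_STYLESHEET = "default"

# Only targets of this shape are legitimate for the hardened renderer.
EXPECTED_TARGET = re.compile(r"/psynch/css/[A-Za-z0-9_-]+\.css")


def css_param_from_url(url: str) -> str:
    """Pull the `css` query parameter out of a request URL ('' if absent)."""
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return query.get("css", [""])[0]


def render_css_vulnerable(css: str) -> str:
    """The behaviour the advisory exercises: no validation, no escaping.
    Whatever the client sent becomes the @import target."""
    return STYLE_TEMPLATE.format(css=css)


def render_css_hardened(css: str) -> str:
    """Treat the parameter as a lookup key, never as output. Unknown keys
    fall back to the default sheet, so a remote URL, a local path or a
    quote breakout can only ever select the default stylesheet."""
    key = css if css in ALLOWED_STYLESHEETS else DEFAULT_STYLESHEET
    return STYLE_TEMPLATE.format(css=ALLOWED_STYLESHEETS[key])


def import_target(rendered: str) -> str:
    """Extract the @import target from rendered HTML (greedy, so a quote
    breakout that injects a second `";` still surfaces in the result)."""
    match = re.search(r'@import "(.*)";', rendered, re.S)
    return match.group(1) if match else ""


def is_injected(rendered: str) -> bool:
    """True when the @import target is anything other than one of our own
    stylesheet paths: remote URLs, drive-letter paths and quote breakouts
    all fail the shape check."""
    return EXPECTED_TARGET.fullmatch(import_target(rendered)) is None


# Constructed payloads, following the three shapes in the advisory.
SAMPLE_PAYLOADS = {
    "local_path": "c:\\test.dat",
    "remote_include": "http://somesite/file",
    "quote_breakout": '">[VBScript, JScript etc]',
}


def compare_renderers() -> dict:
    """For each payload, report whether the vulnerable and the hardened
    renderer let attacker-controlled content into the @import rule."""
    return {
        name: {
            "vulnerable": is_injected(render_css_vulnerable(payload)),
            "hardened": is_injected(render_css_hardened(payload)),
        }
        for name, payload in SAMPLE_PAYLOADS.items()
    }


if __name__ == "__main__":
    url = "http://demobox/demo/psdemo/nph-psf.exe?css=c:\\test.dat"
    print(render_css_vulnerable(css_param_from_url(url)))
    for name, verdict in compare_renderers().items():
        print(f"{name:16s} vulnerable={verdict['vulnerable']} hardened={verdict['hardened']}")
```

The design point is that validation by pattern (rejecting quotes, `http://`, drive letters) is the weaker fix: it has to anticipate every breakout the browser might honour. Mapping the parameter to a server-side key removes the reflection entirely, which is why `is_injected` never fires on the hardened output regardless of the payload.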
