Category:   Application (Generic)  >   A-A-S Application Access Server
Vendors:   applicationaccessserver.de
A-A-S Application Access Server CSRF Bug Lets Remote Users Execute Arbitrary Commands
SecurityTracker Alert ID:  1022204
SecurityTracker URL:  http://securitytracker.com/id/1022204
CVE Reference:   CVE-2009-1464, CVE-2009-1465, CVE-2009-1466
Date:  May 12 2009
Impact:   Disclosure of authentication information, Execution of arbitrary code via network, User access via network
Vendor Confirmed:  Yes
Exploit Included:  Yes
Version(s): 2.0.48; possibly earlier versions
Description:   Several vulnerabilities were reported in A-A-S Application Access Server. A remote user can conduct cross-site request forgery attacks to execute arbitrary commands on the target system. A remote user can use a default password to gain administrative access. A local user can obtain passwords.

The 'job' parameter of 'index.aas' does not properly validate requests [CVE-2009-1464]. A remote user can create specially crafted HTML that, when loaded by the target user, will execute arbitrary commands on the target application.

The system uses a common default password ("wildbat") for the admin account [CVE-2009-1465]. If the password is not changed, a remote user can gain administrative access to the target application.

The system stores passwords in plain text form in the 'aas.ini' file [CVE-2009-1466]. A local user can obtain the passwords.

Felipe Aragon of the Syhunt Security Research Team reported these vulnerabilities.

The original advisory is available at:

http://www.syhunt.com/advisories/?id=aas-multiple

Impact:   A remote user can cause arbitrary commands to be executed on the target application.

A remote user can gain administrative access to the target application when the admin password has not been changed from its default value.

A local user can obtain passwords.

Solution:   No solution was available at the time of this entry.

The vendor plans to issue a fix.

Vendor URL:  www.klinzmann.name/a-a-s/index.html
Cause:   Access control error, Input validation error
Underlying OS:   Windows (Any)

Message History:   None.


Source Message Contents

Date:  Mon, 11 May 2009 22:44:14 -0300
Subject:  [Full-disclosure] Syhunt: A-A-S (Application Access Server)

Hello all! This is my first post here.

Syhunt: A-A-S (Application Access Server) Multiple Security Vulnerabilities

Advisory-ID: 200905111
Discovery Date: 3.23.2009
Release Date: 5.11.2009
Affected Applications: A-A-S 2.0.48 and possibly older versions
Class: XSRF (Cross Site Request Forgery) Arbitrary Command Execution, 
Undocumented Default Password, Insecure Password Storage
Status: Vendor informed. No fix available
Vendor: Klinzmann
Vendor URL: http://www.klinzmann.name/a-a-s/index_en.html
Advisory URL: http://www.syhunt.com/advisories/?id=aas-multiple

The Common Vulnerabilities and Exposures (CVE) project has assigned the 
following CVEs to these vulnerabilities:
* CVE-2009-1464 - index.aas job parameter XSRF Arbitrary Command 
Execution Vulnerability
* CVE-2009-1465 - Default Admin Password Vulnerability
* CVE-2009-1466 - Insecure Password and Port Keyword Storage Vulnerability

----------------------------------------------------------------

Overview:
The Application Access Server is a popular freeware remote 
administration tool that allows users to start and stop applications or 
services over the Internet using a Web-based client. It also allows users to 
uninstall applications, remotely shut down and retrieve various 
information about the current system the server is running on. It claims 
to be able to "black list" aggressors and run in "Stealth mode", thus 
evading port scanners.

The A-A-S server also supports DynDNS.org, which allows aliasing the 
server IP to a static hostname.

Description:
The Application Access Server is vulnerable to extremely dangerous XSRF 
(Cross Site Request Forgery) attacks. A remote attacker can use the XSRF 
flaw to take control over the system running the A-A-S server. The issue 
is triggered when a web page containing a malicious JavaScript code is 
viewed. Such malicious code can automatically make requests to the AAS 
server on the user's behalf.

Two additional vulnerabilities affect the Application Access Server: an 
undocumented default password and insecure password storage. Technical 
details are included below.

----------------------------------------------------------------

Details:
1) index.aas job parameter XSRF (Cross Site Request Forgery)
Arbitrary Command Execution

Example 1 - Arbitrary Command Execution / File Upload
See: http://www.syhunt.com/advisories/aashack.txt

This exploit demonstration code automatically makes sequential requests 
to the AAS server on the user's behalf (if the user is logged in to the 
server), disabling undesired services, uploading and launching a file on 
the target machine. It has been successfully tested on IE 7.0 and 
Firefox 3.08. It should work on any browser that has JavaScript enabled.

Please note that the server's security features like host access list 
and port modes (Silent or Stealth) will not protect against the XSRF 
flaw if enabled.

Example 2 - Arbitrary Command Execution:
<img src="http://[AAS IP or DYNDNS HOST]:6262/index.aas?job=command&action=[command]">
This for example would launch the Calculator:
/index.aas?job=command&action=calc.exe

Example 3 - Stopping Services:
<img src="http://[AAS IP or DYNDNS HOST]:6262/index.aas?job=setservice&action=stop&select=[servicename]">
This for example would disable Automatic Updates:
/index.aas?job=setservice&action=stop&select=wuauserv

Example 4 - Killing Processes:
<img src="http://[AAS IP or DYNDNS HOST]:6262/index.aas?job=killprocess&select=[exename]">
Example:
/index.aas?job=killprocess&select=notepad.exe

Additional commands are available via the job parameter.

2) Default Admin Password Vulnerability
By default, A-A-S installs with a default admin account. The account has 
an undocumented default password of "wildbat" and all the security 
rights enabled. These default rights allow any command to be executed on 
the machine.

3) Insecure Password and Port Keyword Storage Vulnerability
A-A-S passwords and the port keyword (used to connect to the server when 
in Stealth or Silent mode) are stored as a base64 string in the 
"aas.ini" file, contained in the A-A-S install directory, with no 
encryption at all. This allows the password or port keyword to be easily 
retrieved.

----------------------------------------------------------------

Vulnerability Status:
The vendor was contacted, immediately responded and will be releasing a 
fix soon.

As a workaround to the XSRF vulnerability, the vendor recommends 
limiting the security rights in the user settings screen for each user:
- Disable the "Allow own command" option (command execution will not be 
possible after this option is disabled).
- If possible also disable the "Enable kill process", "Start/Stop 
service" and "Run application" rights.

Completely avoid navigating to other websites while logged in to the 
Application Access Server.

Never start the server using its default settings (as explained above 
machines running a default A-A-S may be easily compromised). Change the 
password of the admin account first.

----------------------------------------------------------------

Credit:
Felipe Aragon
Syhunt Security Research Team, www.syhunt.com

---

Copyright 2009 Syhunt Cyber Security Company

Disclaimer:
The information in this advisory is provided "as is" without warranty of 
any kind. Details provided are strictly for educational and defensive 
purposes.

Syhunt is not liable for any damages caused by direct or indirect use of 
the information provided by this advisory.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
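No vendor fix existed when this entry was written. The following is an added example (not the vendor's code and not part of the advisory) of the server-side guard that closes this class of CSRF bug for an index.aas-style job dispatcher: the state-changing job values named in the advisory (command, setservice, killprocess) are refused over GET, so an <img src> can no longer trigger them, and must arrive by POST with a same-site Origin/Referer and a per-session synchronizer token. The function names, the session dict and the origin http://aas.example:6262 are assumptions made for the example.

```python
import hmac
import secrets
from urllib.parse import parse_qs, urlsplit

# Job values the advisory lists as executing commands, stopping services
# and killing processes. Anything else is treated as read-only here
# (assumption for the example; the real dispatcher has more jobs).
STATE_CHANGING_JOBS = {"command", "setservice", "killprocess"}


def issue_csrf_token(session):
    """Store a fresh random token in the server-side session and return it
    so the UI can embed it in the form that submits a job."""
    token = secrets.token_urlsafe(32)
    session["csrf_token"] = token
    return token


def same_site(headers, expected_origin):
    """True only if Origin (or, failing that, Referer) names the A-A-S server.
    A request forged by an <img> on another site carries a foreign value or none."""
    origin = headers.get("Origin")
    if origin is None:
        referer = headers.get("Referer")
        if referer is None:
            return False
        parts = urlsplit(referer)
        origin = f"{parts.scheme}://{parts.netloc}"
    return origin.lower() == expected_origin.lower()


def check_job_request(method, url, headers, form, session, expected_origin):
    """Decide whether a request to index.aas may run. Returns (allowed, reason).
    `form` is the POST body as a dict; `session` is the caller's server-side session."""
    query = parse_qs(urlsplit(url).query)
    job = query.get("job", [""])[0]
    if job not in STATE_CHANGING_JOBS:
        return True, "read-only job"
    if method != "POST":
        return False, "state-changing job via GET (forgeable by <img src>)"
    if not same_site(headers, expected_origin):
        return False, "cross-site Origin/Referer"
    expected = session.get("csrf_token")
    supplied = form.get("csrf_token", "")
    if not expected or not hmac.compare_digest(expected, supplied):
        return False, "missing or wrong CSRF token"
    return True, "ok"
```

Browsers send Origin/Referer automatically, so the header check alone stops the <img> vector; the token is what stops a cross-site form POST, which the advisory's workaround (disabling rights per user) does not address.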

Copyright 2014, SecurityGlobal.net LLC