SecurityTracker.com

SecurityTracker Archives

Category:   Application (Generic)  >   EMC Centera Universal Access
Vendors:   EMC
EMC Centera Universal Access Input Validation Flaw in Login Module Lets Remote Users Inject SQL Commands
SecurityTracker Alert ID:  1020540
SecurityTracker URL:  http://securitytracker.com/id/1020540
CVE Reference:   CVE-2008-3370
Updated:  Aug 6 2008
Original Entry Date:  Jul 23 2008
Impact:   Disclosure of system information, Disclosure of user information, User access via network
Fix Available:  Yes  Vendor Confirmed:  Yes  Exploit Included:  Yes  
Version(s): CUA4.0_4735.p4
Description:   Lars Heidelberg and Aaron Brown of adMERITia reported a vulnerability in EMC Centera Universal Access. A remote user can inject SQL commands.

The CUA Module Login does not properly validate user-supplied input in the user name field. A remote user can supply a specially crafted parameter value to execute SQL commands on the underlying database.

A remote user can exploit this to bypass authentication.

The vendor was notified on May 20, 2008.

Impact:   A remote user can execute SQL commands on the underlying database.
Solution:   The vendor has issued a fix (CUA 4.0.1 Patch 1), available on EMC Powerlink.
Vendor URL:  www.emc.com/products/detail/software/emc-centera-universal-access.htm
Cause:   Input validation error
Underlying OS:  Linux (Any), UNIX (Any), Windows (Any)

Message History:   None.
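
The flaw class behind this alert, as an added example (not EMC's code and not part of the original report): a login routine that splices the user name into the SQL text, next to one that binds it as a parameter and checks the password outside the query. The table layout, function names and sample accounts are assumptions; CUA's real query is not shown on this page.

```python
import hashlib
import hmac
import sqlite3

SALT = b"constructed-demo-salt"  # assumption: real systems use a random salt per user

def pw_hash(password):
    """Derive a password hash with PBKDF2 (stored instead of the password)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 100_000).hex()

def make_db():
    """Build an in-memory accounts table holding constructed sample users."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE accounts (username TEXT PRIMARY KEY, pw_hash TEXT)")
    db.executemany(
        "INSERT INTO accounts VALUES (?, ?)",
        [("operator", pw_hash("op-secret")), ("admin", pw_hash("adm-secret"))],
    )
    return db

def login_concatenated(db, username, password):
    """Flawed pattern: the user name becomes part of the SQL text, so a quote
    followed by a comment marker removes the password condition."""
    sql = (
        "SELECT username FROM accounts WHERE username = '" + username
        + "' AND pw_hash = '" + pw_hash(password) + "'"
    )
    row = db.execute(sql).fetchone()
    return row[0] if row else None

def login_bound(db, username, password):
    """Hardened pattern: the user name is bound as data, and the password is
    verified in application code with a constant-time comparison."""
    row = db.execute(
        "SELECT username, pw_hash FROM accounts WHERE username = ?", (username,)
    ).fetchone()
    if row is None:
        return None
    return row[0] if hmac.compare_digest(row[1], pw_hash(password)) else None

if __name__ == "__main__":
    db = make_db()
    targeted = "admin' --"  # the targeted-account input form from the report
    print("concatenated:", login_concatenated(db, targeted, "wrong"))
    print("bound:       ", login_bound(db, targeted, "wrong"))
```

With the bound query the quote and comment marker are compared literally against stored user names, so neither input form from the report matches an account.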


 Source Message Contents

Subject:  Vulnerability Report: EMC Centera Universal Access

adMERITia Vulnerability Report
Vulnerability Information

Product: Centera Universal Access
Version: CUA4.0_4735.p4

Vulnerability Type: Software Flaw

Vulnerability: SQL Injection

Impact: Attacker can bypass the authentication method and will be logged in as an 
arbitrary user. With specific knowledge of user names it is possible for an attacker 
to choose the user he/she wishes to log in as without a password.

Description: The user name field of the CUA Module Login does not sanitize user 
input allowing for an attacker to run arbitrary SQL code. Through "--" syntax it is 
possible to comment out the password check allowing an attacker to log in with the 
first available user name in the table. After performing this several times or by 
searching through the "Accounts" tab within the CUA Module an attacker can gather a 
list of all users. With this list an attacker can select an administrator account 
and log in with this by simply entering the user name followed by "--".

How Vulnerability can be reproduced:
        For an arbitrary account enter the following in the user field: ' --
        For a targeted account enter the following in the user field: valid_user_name' --

Release Information
Model: CENTERA_GEN_4
Software Version: CUA4.0_4735.p4
Operating System: Linux i386 V. 2.6.16.21-0.15_VCUA4_0_4735

Fix: (quote from the vendor)
"The remedy for the reported problems has been released on 30 June 2008 and is 
available on EMC Powerlink as CUA 4.0.1 Patch 1, under "Support -> Software 
Download"."
Vendor URL: www.emc.com

Vendor Status:
Vendor was informed of the problem, and was very cooperative in getting a patch 
developed for the problem. However, contact was broken off by the vendor after the 
relevant patch was released. The vendor has not yet published an advisory stating 
the reason for the latest patch or the discovered vulnerability in previous 
versions. This vulnerability was brought to the attention of the vendor on May 20, 
2008 under the policy of responsible disclosure as documented at 
http://www.wiretrip.net/rfp/policy.html. After cooperating on a patch the vendor did 
not respond to requests to release a public advisory. Therefore we have taken the 
initiative to alert the public through various security publications.

Credit for this vulnerability finding should be given to:
Lars Heidelberg, adMERITia GmbH
Aaron Brown, adMERITia GmbH

Disclaimer
The information within this document may change without notice. Use of this 
information constitutes acceptance for use in an AS IS condition. There are NO 
warranties with regard to this information. In no event shall the author be liable 
for any consequences whatsoever arising out of or in connection with the use or 
spread of this information. Any use of this information lies within the user's 
responsibility.



Aaron Brown
aaron.brown@admeritia.de

adMERITia GmbH
Gladbacher Strasse 3
40764 Langenfeld
Tel: +49 (2173) 20363-0
Fax: +49 (2173) 20363-29

USt-ID-Nr.: DE255841996

Visit us on the Internet at http://www.admeritia.de.



 
 



Copyright 2019, SecurityGlobal.net LLC