Title: Multiple vulnerabilities discovered in dnaLIMS DNA sequencing web-application
Advisory URL: https://www.shorebreaksecurity.com/blog/product-security-advisory-psa0002-dnalims/
Date published: Mar 08, 2017
Vendor: dnaTools, Inc.
CVE IDs: [2017-6526, 2017-6527, 2017-6528, 2017-6529]
USCERT VU: 929263

Vulnerability Summaries

1) Improperly protected web shell [CVE-2017-6526]

dnaLIMS requires authentication to view cgi-bin/dna/sysAdmin.cgi, which is
a web shell included with the software running as the web user. However,
sending a POST request to that page bypasses authentication checks,
including the UID parameter within the POST request.

2) Unauthenticated Directory Traversal [CVE-2017-6527]

The viewAppletFsa.cgi seqID parameter is vulnerable to a null-terminated
directory traversal attack. This allows an unauthenticated attacker to
retrieve files on the operating system accessible by the permissions of the
web server. This page also does not require authentication, allowing any
person on the Internet to exploit this vulnerability.

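As an added example (not code from the advisory or from dnaTools), the two defensive pieces a practitioner would want for this issue: an allow-list resolver for the seqID parameter that rejects NUL bytes and any path leaving the trace directory, and a check over access-log lines that flags requests carrying the traversal pattern. The base directory, the .fsa extension and the log lines are constructed assumptions.

```python
import os
import re
from urllib.parse import unquote

# Hypothetical base directory for trace files; the real dnaLIMS layout is not on the page.
BASE_DIR = "/home/dna/spool/seqdata"

# seqID values in the advisory look like "7415-7": digits and hyphens only.
SEQ_ID_RE = re.compile(r"^[0-9]+(-[0-9]+)*$")


def resolve_seq_id(seq_id: str, base_dir: str = BASE_DIR):
    """Map a seqID to a trace file path, or return None if the value is unsafe.

    Closes the CVE-2017-6527 pattern: a NUL byte that truncates the path in the
    underlying file call, and ../ sequences that escape the base directory.
    """
    decoded = unquote(seq_id)
    if "\x00" in decoded:             # NUL-byte truncation attempt
        return None
    if not SEQ_ID_RE.match(decoded):  # allow-list the expected shape, never deny-list
        return None
    candidate = os.path.normpath(os.path.join(base_dir, decoded + ".fsa"))  # .fsa assumed
    if os.path.commonpath([base_dir, candidate]) != base_dir:  # belt and braces
        return None
    return candidate


SUSPECT = re.compile(r'viewAppletFsa\.cgi\?[^ "]*seqID=([^& "]*)', re.I)


def flag_traversal_requests(log_lines):
    """Return log lines whose seqID decodes to a NUL byte or a ../ segment."""
    hits = []
    for line in log_lines:
        m = SUSPECT.search(line)
        if not m:
            continue
        value = unquote(m.group(1))
        if "\x00" in value or ".." in value.replace("\\", "/").split("/"):
            hits.append(line)
    return hits


# Constructed access-log lines (not from the advisory): one benign, one traversal-shaped.
SAMPLE_LOG = [
    '10.0.0.5 - - [08/Mar/2017:12:00:01 +0000] "GET /cgi-bin/dna/viewAppletFsa.cgi?seqID=7415-7 HTTP/1.1" 200 5120',
    '10.0.0.9 - - [08/Mar/2017:12:00:07 +0000] "GET /cgi-bin/dna/viewAppletFsa.cgi?seqID=..%2F..%2Fsomefile%00 HTTP/1.1" 200 1830',
]
```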
3) Insecure Password Storage [CVE-2017-6528]

An option, which is most likely the default, allows the password file
(/home/dna/spool/.pfile) to store clear text passwords. When combined with
the unauthenticated directory traversal vulnerability, it is possible to
gain the username and password for all users of the software and gain
complete control of the software.

4) Session Hijacking [CVE-2017-6529]

Each user of the dnaLIMS software is assigned a unique four-digit user
identification number (UID) upon account creation. These numbers appear to
be assigned sequentially. Multiple pages of the dnaLIMS application require
that this UID be passed as a URL parameter in order to view the content of
the page.

Consider the following example:

The URL "http://<SERVER NAME
REDACTED>/cgi-bin/dna/seqreq2N.cgi?username=61685578,2410" is a valid URL
to view the page for sequencing requests for the user with the UID of 2410. The
username parameter of the URL is the mechanism for authentication to the
system. The first eight-digit number of the username parameter appears to
be a session identifier, as it changes every time the user logs in from the
password.cgi page; however, this value is not checked by the seqreq2N.cgi
page. This allows an attacker to guess the four-digit UID of valid user
accounts that have an active session. The user with the UID of 2419
currently has an active session, so we can simply hijack this user's
session by requesting this page and specifying the UID 2419.

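Added example, not code from the advisory or from dnaTools: the weak UID-only check described above, beside a hardened server-side check that binds the session token to the UID it was issued for and expires it. The user table, the session timeout and the token format are assumptions.

```python
import secrets
import time
from typing import Optional

SESSION_TTL = 30 * 60  # assumed 30-minute idle timeout; the advisory gives no value
USERS = {2410: "alice", 2419: "bob"}  # constructed sequential UIDs, as in the advisory


class SessionStore:
    """Server-side session table keyed by an unguessable token (assumed design)."""

    def __init__(self, now=time.time):
        self._now = now
        self._sessions = {}  # token -> (uid, expires_at)

    def issue(self, uid: int) -> str:
        """Called once password.cgi has verified the credentials."""
        token = secrets.token_urlsafe(32)  # 256 random bits, not an 8-digit counter
        self._sessions[token] = (uid, self._now() + SESSION_TTL)
        return token

    @staticmethod
    def legacy_check(username_param: str) -> Optional[int]:
        """The weak check the advisory describes: the session part is ignored."""
        _, _, uid_part = username_param.partition(",")
        uid = int(uid_part) if uid_part.isdigit() else None
        return uid if uid in USERS else None  # any guessed live UID is accepted

    def validate(self, username_param: str) -> Optional[int]:
        """Hardened check: the token must be live and must belong to the UID."""
        token, sep, uid_part = username_param.partition(",")
        if not sep or not uid_part.isdigit():
            return None
        entry = self._sessions.get(token)
        if entry is None:
            return None  # unknown or forged token
        session_uid, expires_at = entry
        if self._now() > expires_at:
            del self._sessions[token]  # expired: drop it so it cannot be replayed
            return None
        if session_uid != int(uid_part):
            return None  # valid token, but paired with someone else's UID
        return session_uid
```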
5) Cross-site Scripting

The seqID parameter of the viewAppletFsa.cgi page is vulnerable to a
reflected cross-site scripting attack via GET request, as seen in the
following URL:

http://<SERVER NAME REDACTED>/cgi-bin/dna/viewAppletFsa.cgi?seqID=7415-7<SCRIPT
Alert("XSS") </SCRIPT>

6) Cross-site Scripting

The navUserName parameter of the seqTable*.cgi page is vulnerable to a
reflected cross-site scripting attack via POST request, as seen in the
example below. The * reflects a short name for a client (i.e. Shorebreak
Security may be seqTableSS.cgi or seqTableshorebreak.cgi) and may not be
vulnerable for all dnaLIMS installs.

7) Improperly Protected Content

Many of the pages within the admin interface are not properly protected
from viewing by authenticated users. This can give an attacker additional
information about the system, or allow them to change system/software
configuration.

Testing was conducted on a live production system; therefore the pages
themselves were tested, while forms within these pages were not.

This is also not an exhaustive list of improperly protected pages:

cgi-bin/dna/configuration.cgi
cgi-bin/dna/createCoInfo.cgi
cgi-bin/dna/configSystem.cgi
cgi-bin/dna/combineAcctsN.cgi

Disclosure Timeline

Thu, Nov 10, 2016 at 4:25 PM: Reached out to vendor requesting PGP key to
securely exchange details of vulnerabilities identified

Thu, Nov 10, 2016 at 4:55 PM: Vendor requests report be physically mailed
to PO box via Postal Service

Wed, Nov 16, 2016, at 11:14 AM: Report mailed to vendor via USPS Certified
Mail

Thu, Dec 8, 2016, at 10:43 AM: Request Vendor acknowledge receipt of the
report

Thu, Dec 8, 2016, at 12:53 PM: Vendor acknowledges receipt; suggests
placing the software behind a firewall as a solution to the vulnerabilities.

Thu, Dec 8, 2016, at 1:54 PM: Reply that the offered solution mitigates
some risk, but does not address the vulnerabilities; inquire if there is a
plan to address the vulnerabilities

Thu, Dec 8, 2016, at 3:13 PM: Vendor replies "Yes, we have a plan. Please
gather a DNA sequence, PO Number, or Fund Number and go to your local
grocery store and see what it will buy you."

Tue, Feb 28, 2017, at 1:15 PM: Vulnerabilities disclosed to US-CERT

Tue, Mar 7, 2017, at 8:19 AM: Vulnerabilities submitted to MITRE for CVE
assignment

Wed, Mar 8, 2017, at 12:00 PM: Vulnerabilities disclosed publicly