Jan 14, 2010
nGenuity Information Services – Security Advisory
Advisory ID: NGENUITY-2010-001 - Zenoss getJSONEventsInfo SQL Injection
Application: Zenoss 2.3.3
Vendor: Zenoss
Vendor website: http://www.zenoss.com
Author: Adam Baldwin (adam_baldwin@ngenuity-is.com)
BID: 37802
I. BACKGROUND
"Zenoss Core is an award-winning open source IT monitoring product that
effectively manages the configuration, health and performance of
networks, servers and applications through a single, integrated
software package." [1]
II. DETAILS
getJSONEventsInfo contains multiple SQL injection vulnerabilities due to improperly
sanitized user-provided input. The following URL parameters are injectable: severity,
state, filter, offset, and count.
Authentication as an admin or regular user is required for successful exploitation.
Depending on the type of attack, it may also be accomplished via Cross-Site Request
Forgery (CSRF).
A proof of concept request might look like this:
/zport/dmd/Events/getJSONEventsInfo?severity=1&state=1&filter=&offset=0&count=60 into outfile "/tmp/z"
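The root cause above is URL parameters pasted into SQL text. The following is an added example, not Zenoss's code: it puts a deliberately unsafe query builder next to a hardened handler that validates severity, state, offset and count as bounded integers and binds every value, including the free-text filter, as a query parameter. The status table, its rows, the parameter ranges and the function names are all constructed for this illustration.

```python
import re
import sqlite3

# Constructed stand-in for an events table (assumption: this is not Zenoss's schema).
SCHEMA = """
CREATE TABLE status (
    evid       INTEGER PRIMARY KEY,
    severity   INTEGER NOT NULL,
    eventState INTEGER NOT NULL,
    summary    TEXT    NOT NULL
);
"""

SAMPLE_ROWS = [  # constructed sample data
    (1, 5, 0, "device down"),
    (2, 3, 1, "disk 90% full"),
    (3, 1, 0, "interface flapping"),
    (4, 5, 0, "database unreachable"),
]


def open_sample_db():
    """In-memory SQLite database loaded with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO status VALUES (?, ?, ?, ?)", SAMPLE_ROWS)
    return conn


def build_query_unsafe(severity, state, filter_text, offset, count):
    """The anti-pattern: every URL parameter lands verbatim in the SQL text.

    Returned as a string (never executed here) so the effect of attacker-
    controlled input on the statement can be inspected directly.
    """
    return (
        "SELECT evid, summary FROM status "
        "WHERE severity >= %s AND eventState = %s AND summary LIKE '%%%s%%' "
        "ORDER BY evid LIMIT %s OFFSET %s" % (severity, state, filter_text, count, offset)
    )


class BadParameter(ValueError):
    """Raised for any request parameter that fails validation."""


def _int_param(name, value, lo, hi):
    # Accept only a plain decimal integer inside the range the feature needs.
    if not re.fullmatch(r"-?\d{1,9}", str(value)):
        raise BadParameter("%s must be an integer" % name)
    n = int(value)
    if not lo <= n <= hi:
        raise BadParameter("%s out of range" % name)
    return n


def query_events_safe(conn, severity, state, filter_text, offset, count):
    """Hardened handler: validate the numeric parameters, bind everything."""
    sev = _int_param("severity", severity, 0, 5)
    st = _int_param("state", state, 0, 2)
    off = _int_param("offset", offset, 0, 1_000_000)
    cnt = _int_param("count", count, 1, 1000)
    # Escape LIKE wildcards so the user's text is matched literally, then bind it.
    pattern = "%" + re.sub(r"([%_\\])", r"\\\1", str(filter_text)) + "%"
    sql = (
        "SELECT evid, summary FROM status "
        "WHERE severity >= ? AND eventState = ? AND summary LIKE ? ESCAPE '\\' "
        "ORDER BY evid LIMIT ? OFFSET ?"
    )
    return conn.execute(sql, (sev, st, pattern, cnt, off)).fetchall()


if __name__ == "__main__":
    db = open_sample_db()
    print(build_query_unsafe(1, 1, "", 0, '60 into outfile "/tmp/z"'))
    print(query_events_safe(db, 5, 0, "", 0, 60))
    try:
        query_events_safe(db, 1, 1, "", 0, '60 into outfile "/tmp/z"')
    except BadParameter as exc:
        print("rejected:", exc)
```

With the advisory's own count value, the unsafe builder emits a statement whose tail is attacker text, while the hardened handler rejects it before any SQL is built; a filter of "%" matches only summaries that literally contain a percent sign, which shows the wildcard escaping is working.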
III. REFERENCES
[1] - http://www.zenoss.com
IV. VENDOR COMMUNICATION
3.10.2009 - Vulnerability Discovery
8.21.2009 - Requested status from vendor
9.29.2009 - Vendor call (Fix pending)
Update 1.21.2010
This vulnerability was fixed prior to version 2.5.
http://dev.zenoss.org/trac/changeset/15257
Copyright (c) 2009 nGenuity Information Services, LLC
Oct 01, 2009
Today marks the kickoff of the 6th annual National Cyber Security Awareness Month promoted by the Department of Homeland Security. To help promote good security practice and awareness, nGenuity is doing free one-hour security assessments of web applications and networks. We are also available to speak on security-related topics at local events at no cost during the month of October.
For more detail, or if you want to schedule with us, please contact Adam Baldwin at 509.396.2075 or info@ngenuity-is.com

Sep 16, 2009
With the launch of social-engineering.org I thought I would publish one of the tactics I have used in the past to gain trust with employees while on social engineering engagements. I found this particular pretext makes the classic tech support attack significantly more successful, even while using a non-spoofed caller ID and a phone number from out of state.
It's commonly agreed upon that anywhere from 60-90% of communication is non-verbal. You might think that this would make a phone-based attack more difficult; I'm of the opinion that it makes it easier to abuse the imagination of the victim, as they have less input to observe.
Just like phishing uses visual clues to build trust with the victim, it is possible to do the same using voice mail. Many companies have standard messages that employees are to use for their voice mail, and simply mirroring those makes it appear as if the victim has reached another employee. Here is how the attack is outlined:
- Attacker calls to identify voice mail of victim organization.
- Attacker sets up their voice mail to mimic target organization.
- Attacker calls victim either just before or just after office hours. This is the key, as it prompts the employee to call the attacker back.
- Attacker ignores the callback and lets it go to voice mail. The victim hears the attacker's voice and the branding the attacker left for them.
- Attacker calls victim back and proceeds with the classic tech support attack.
Theoretical Script:
Attacker (voicemail): “Hi, you have reached the voice mail of John Doe with nGenuity. We are currently experiencing a company wide security incident. Please leave your name and number and I will contact you back as soon as I can.”
Victim (voicemail): “Hi, this is Joy Doe from nGenuity accounting. You can reach me at 555-1212.”
Attacker (calling victim): “Hi Joy, this is John Doe with nGenuity technical support. I’m sorry for getting back to you so late; we have had a lot of work to do to correct this mess. Your workstation is one of the last systems that I need to clean up to be done for the day. Unfortunately this threat has locked out our administrative access, so I need your username and password to take care of this.”
Now if the user doesn’t want to provide their credentials simply direct them to a website you control, branded like the company and have them install some remote access software.
The point was that voice mail can be used to improve your branding as an attacker and build credibility where there is none or very little. The victim easily forgets that they were solicited because of the number of calls. Another fun tactic to build credibility is call center background noise clips and hold music. Make it sound like you're actually at work.
Aug 17, 2009
Most businesses rely heavily on computers and networks to get work done these days. When your computer or network fails you in some way, that has a direct impact on your bottom line. In an effort to help you understand the risks associated with using these essential pieces of technology in your business, and help mitigate them, we are giving away a whole pile of consulting time in the form of free security assessments.
What do you get with the free assessment?
- 30 minutes of network and website security assessment by the nGenuity team of security ninjas.
- 30 minutes of discussion / debrief about any security issues identified.
- 20% discount on any IT and security consulting and support services through the remainder of 2009.
- No hassle or obligation to purchase anything. This is not a hard sell, this is a free service we are offering to improve awareness on network / website security.
Follow this link for more information on nGenuity’s security assessments.
I already have an “IT” person / company that handles this type of stuff for me.
Chances are your IT person or company is doing a great job supporting you, but what if that isn’t the case and you just haven’t noticed yet? What if security isn’t their thing? nGenuity already works with a few IT providers to complement the services they provide. There is nothing wrong with getting a second opinion from an expert.
Where do I sign up?
Call us at 509-396-2075 and mash the first number that you hear or email us at info@ngenuity-is.com
Look for the ad (designed by &yet) for this free assessment in the Tri-City Area Journal of Business (page 26).
Aug 14, 2009
I stumbled upon a fun little SQL injection in playfoursquare the other day. I notified them and have not heard back, but it appears it has been addressed, so here are the details.
It was possible to inject specially crafted SQL into the cookie "cookieCityID" which provides
If you set the cookie to the value below, the query will take roughly 5-7 seconds to return with this "True" condition (1=1).
(SELECT IF(1=1,BENCHMARK(1000000,SHA1(1)),0))
If you change the logic condition to 1=0 (False), the query returns immediately, demonstrating that blind SQL injection is possible.
(SELECT IF(1=0,BENCHMARK(1000000,SHA1(1)),0))
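The tell-tale signs of the probe described above are a cookie that should hold a numeric id carrying SQL text, a delay function such as BENCHMARK inside it, and a response time that swings with the injected condition. The following is an added example, not playfoursquare's code or logs: it scans constructed access-log lines that record the Cookie header and the response time, flags the two conditions, and marks slow responses. The log format, the threshold and the set of integer-valued cookies are assumptions made for this illustration.

```python
import re
from urllib.parse import unquote

# Constructed log lines (not from playfoursquare). Assumed format:
#   client [timestamp] "request" status duration_ms "Cookie header"
SAMPLE_LOG = """\
198.51.100.7 [14/Aug/2009:10:01:02 -0700] "GET /venues HTTP/1.1" 200 52 "cookieCityID=22; session=abc"
198.51.100.7 [14/Aug/2009:10:01:09 -0700] "GET /venues HTTP/1.1" 200 6431 "cookieCityID=(SELECT IF(1=1,BENCHMARK(1000000,SHA1(1)),0)); session=abc"
198.51.100.7 [14/Aug/2009:10:01:10 -0700] "GET /venues HTTP/1.1" 200 48 "cookieCityID=(SELECT IF(1=0,BENCHMARK(1000000,SHA1(1)),0)); session=abc"
203.0.113.9 [14/Aug/2009:10:02:00 -0700] "GET /venues HTTP/1.1" 200 51 "cookieCityID=7; session=xyz"
"""

LOG_RE = re.compile(
    r'^(?P<client>\S+) \[(?P<ts>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<ms>\d+) "(?P<cookie>[^"]*)"$'
)

# Cookies the application treats as numeric ids (assumption for this example).
INTEGER_COOKIES = {"cookieCityID"}

# Delay functions typical of time-based blind probes across common databases.
DELAY_RE = re.compile(r"\b(BENCHMARK|SLEEP|PG_SLEEP|WAITFOR)\b", re.IGNORECASE)

# Responses slower than this are marked; tune to the application's normal latency.
SLOW_MS = 2000


def parse_cookies(header):
    """Split a Cookie header into a name -> decoded value dict."""
    cookies = {}
    for part in header.split(";"):
        if "=" in part:
            name, _, value = part.strip().partition("=")
            cookies[name] = unquote(value)
    return cookies


def analyze_line(line):
    """Return a finding dict for a suspicious line, or None for a clean one."""
    m = LOG_RE.match(line)
    if not m:
        return None
    reasons = []
    for name, value in parse_cookies(m["cookie"]).items():
        # Rule 1: an id cookie that is not a plain integer is malformed input.
        if name in INTEGER_COOKIES and not re.fullmatch(r"\d{1,10}", value):
            reasons.append("%s is not a plain integer" % name)
        # Rule 2: any cookie carrying a database delay function.
        if DELAY_RE.search(value):
            reasons.append("%s carries a delay function" % name)
    if not reasons:
        return None
    ms = int(m["ms"])
    return {
        "client": m["client"],
        "ts": m["ts"],
        "request": m["request"],
        "ms": ms,
        "slow": ms >= SLOW_MS,   # a slow hit next to a fast one suggests a true/false probe
        "reasons": reasons,
    }


def scan_log(text):
    """Analyze every line of a log and return the list of findings."""
    return [f for f in (analyze_line(l) for l in text.splitlines()) if f]


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
```

On the constructed sample, the two BENCHMARK requests are flagged and only the 1=1 variant is marked slow, which is exactly the timing difference the post uses to confirm the injection; the plain integer cookies produce no findings.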
III. REFERENCES
[1] - http://playfoursquare.com
Copyright (c) 2009 nGenuity Information Services, LLC