March 2008
PLEASE NOTE: COMPANYXYZ has been used to disguise the real identity of our customer. The IP addresses mentioned are random fictional IPs and not related to any of our customers.
Table of Contents

Introduction
Summary of Findings
Network Assessment
    Information Gathering
    Port Scanning
    ICMP Packet Filtering
SSL Security Analysis
    HTTPS Not Enforced
    SSL Protocol/Cipher Suite Evaluation
Web Application Security
    Content Analysis
    Malicious Input/SQL Injection
    Information Leakage
    Cross-Site Scripting
Web Server Assessment
    Apache Tomcat Directory Traversal
    Apache Tomcat Directory Listing (CVE-2006-3835)
    Apache Tomcat Buffer Overflow (CVE-2007-0774)
    Web Server Configuration
Introduction
Netdfense were invited by Mr. X (ICT Manager, Company XYZ) to perform an initial evaluation of the http://www.companyxyz.co.uk/ website and associated functionality. Testing occurred between March 12th 2008 and March 16th 2008 and was performed via the Internet. Testing was primarily focussed on assessing the strength of the web server and its associated applications, covering areas such as malicious data exploits, operating system vulnerabilities, use of cryptography, and other areas critical to security. It must be stressed that during an accelerated test the emphasis is on breadth of coverage rather than depth, and time did not permit a thorough investigation of all issues encountered.
Summary of Findings
No immediate threats to the security of the systems under test were identified. However, new vulnerabilities are discovered regularly, and the current system configuration delivers a large amount of useful information to an intruder in the form of verbose error messages and the like.

Based on software version numbers, certain Tomcat components appeared to be out-of-date. However, it is possible that software has been patched without changing the version number. Care should be taken to ensure that systems are always updated with the latest versions of software to remove vulnerability to several known issues.

The Apache Tapestry framework appears to contain a subtle vulnerability which further weakens the confidentiality of the target system, again related to the use of error messages. Additionally, the framework contains a number of opportunities for cross-site scripting attacks which may be used to compromise the data of an end user.

SSL encryption is offered to users to safeguard their data, but in some circumstances the site may be accessed without encryption or using algorithms considered to be weak. SSL configuration should be reviewed with respect to policy and recommendations made later in this document.

Whilst no instances were detected during the test window, it is recommended that a thorough review of application source code is performed to ensure that the website is free from SQL injection and similar vulnerabilities which could result in system or data compromise.

It must be remembered that penetration testing is performed on a snapshot of a given system, and as an application evolves, so will the security considerations associated with it. It is suggested that security testing occur regularly based on policy and an appropriate risk assessment.
Network Assessment
This section discusses details of the target systems that are discoverable via network-based probes, and evaluates the security impact of what was found.
Information Gathering
The initial target address was http://www.companyxyz.co.uk/. This resolves to 82.195.156.191, with reverse DNS of 191.156.reserved.hosting365.ie. Registering for the site elicits an email from this IP address, but with a hostname of mail.companyxyz.co.uk, and analysis of the SMTP headers reveals an alternate alias of newfutures1.companyxyz.co.uk. It appears that the hostname is not used to differentiate between content when serving HTTP requests, i.e. virtual hosts are not present. Furthermore, the SMTP header reveals that the Sendmail application is in use (version 8.13.1), and so it is possible to deduce that a UNIX system is employed here. The web application portion of the site, wizard.companyxyz.co.uk, resolves to the same IP address. WHOIS lookups in the RIPE and NIC.UK databases reveal that the IP space is allocated to Hosting365, and the domain is registered to Company XYZ, however neither reveal the purpose of the site.
Port Scanning
Limited TCP and UDP port scanning was attempted as part of the test. Services found were identified using various fingerprinting techniques. The following information was gathered on available ports:
Host              Port      Description     Notes
82.195.156.191    21/TCP    (ftp)           Closed*
82.195.156.191    53/TCP    (domain)        Closed*
82.195.156.191    80/TCP    HTTP
82.195.156.191    81/TCP    (hosts2-ns)
82.195.156.191    82/TCP    (xfer)
82.195.156.191    83/TCP    HTTP
82.195.156.191    84/TCP    (ctf)
82.195.156.191    443/TCP   (https)
82.195.156.191    8080/TCP  (http-proxy)

companyxyz.co.uk Penetration Test Report

Host              Port      Description     Notes
82.195.156.203    21/TCP    (ftp)           Closed*
82.195.156.203    53/TCP    (domain)        Closed*
82.195.156.203    80/TCP    HTTP
82.195.156.203    81/TCP    (hosts2-ns)
82.195.156.203    82/TCP    (xfer)
82.195.156.203    83/TCP    (mit-ml-dev)
82.195.156.203    84/TCP    (ctf)
82.195.156.203    443/TCP   HTTPS
82.195.156.203    8080/TCP  (http-proxy)

* Closed: received TCP reset/UDP port unreachable. Indicates use of TCP wrappers or similar.
Export-strength ciphers use weak encryption algorithms such as DES and RC4. Additionally, the MD5 algorithm should be considered deprecated, and so export ciphers should be completely disabled where possible.
March 2008
Again, the insecure DES encryption algorithm is employed by these cipher suites, and so these medium strength ciphers should also be disabled where possible.
Given that modern browsers and operating systems support 3DES encryption, it is recommended that both RC4-based ciphers be disabled. If this is not possible, consider disabling only RC4-MD5.
These two cipher suites use strong AES encryption and should be considered preferred algorithms.
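As an added example (not part of the original report), the following Python checker applies the cipher-suite recommendations above (export and single-DES suites off, RC4 off with RC4-MD5 first if only one can go, MD5 deprecated, 3DES tolerated, AES preferred) to a list of suites in OpenSSL naming. The list of offered suites is constructed for illustration.

```python
# Cipher-suite policy derived from the recommendations in this report.
# Suite names follow OpenSSL conventions (e.g. EXP-RC4-MD5, DES-CBC3-SHA).

def classify_suite(name):
    """Return (verdict, reason) for one OpenSSL-style cipher suite name."""
    n = name.upper()
    if n.startswith("EXP-") or "EXPORT" in n:
        return "disable", "export-strength cipher (weak DES/RC4 key length)"
    if "NULL" in n:
        return "disable", "no encryption"
    if "RC4" in n:
        mac = "MD5" if n.endswith("MD5") else "SHA"
        return "disable", f"RC4 stream cipher with {mac} MAC"
    # Check triple DES before single DES, since "DES" is a substring of both.
    if "DES-CBC3" in n or "3DES" in n:
        return "acceptable", "3DES, supported by modern browsers and operating systems"
    if "DES" in n:
        return "disable", "single DES (medium strength)"
    if "MD5" in n:
        return "disable", "MD5 MAC is deprecated"
    if "AES" in n:
        return "preferred", "AES"
    return "review", "not covered by the report's recommendations"


def audit(offered):
    """Group offered suites by verdict. Suites to disable are ordered so that
    MD5-MAC suites (RC4-MD5 in particular) come first, matching the report's
    fallback advice when only one RC4 suite can be removed."""
    groups = {"disable": [], "acceptable": [], "preferred": [], "review": []}
    for suite in offered:
        groups[classify_suite(suite)[0]].append(suite)
    groups["disable"].sort(key=lambda s: (not s.upper().endswith("MD5"), s))
    return groups


# Constructed list of suites a 2008-era JSSE endpoint might offer (not scan output).
OFFERED = ["EXP-RC4-MD5", "EXP-DES-CBC-SHA", "DES-CBC-SHA", "RC4-MD5", "RC4-SHA",
           "DES-CBC3-SHA", "AES128-SHA", "AES256-SHA"]

if __name__ == "__main__":
    for verdict, suites in audit(OFFERED).items():
        print(f"{verdict:10s} {', '.join(suites) or '-'}")
```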
Content Analysis
The document tree was spidered and analysed to determine its structure, and then automated scanning was used to attempt to enumerate further directories and files based on what was seen. Neither the www nor the wizard site appeared to contain backup files or other common data typically used to aid intrusion, and the server appeared to be free of example files, samples, and the like. It is noted that the wizard's /admin directory redirects to a non-existent /Login.htm, which may indicate that outdated or obsolete code exists at this point. Time did not permit a thorough investigation.
Information Leakage
Due to the verbose nature of Apache Tapestry error messages, it is possible to ascertain a large amount of information about the program flow and the code involved in a given request. If at all possible, error reporting to clients should be suppressed through configuration or modification of the Tapestry software to minimise the amount of information leaked to an attacker. Furthermore, in certain circumstances, Tapestry error messages can be abused to breach the confidentiality of a target system.
Tapestry allows a remote user to enumerate files within the namespace via abuse of the asset service. Previous versions of the Tapestry framework contained a security hole which allowed an arbitrary file to be retrieved using a crafted URL:

http://host/app?service=asset&path=/org/apache/tapestry/form/form.js

To mitigate this, an MD5 digest is now used which must match the target file:

...&digest=557f2081d45a7528f898e7e384717596

However, the error message presented for a mismatched MD5 checksum differs from that given for a non-existent file, and this allows brute-force enumeration of the namespace. For example, asking for form.js gives a message such as "The MD5 digest provided in the request does not match the actual value for classpath resource...", whereas asking for a non-existent file gives a 200 OK message.

The original Tapestry bug report at http://issues.apache.org/jira/browse/TAPESTRY-278 mentions a directory traversal issue, which is present in the target server environment, although of limited impact. An example use of this to check for files outside of the appropriate directory:

http://host/app?service=asset&path=../../index.html

The MD5 digest provided in the request does not match the actual value for classpath resource '../../index.html'

This technique can also be used to fingerprint the remote version of Tapestry by requesting known files in conjunction with a list of known MD5 hash values: an intruder may ascertain which version of Tapestry is installed from the presence of given files and whether their hashes match. This particular error message appears to be a design flaw in the developers' security patch to the Tapestry source, which has also failed to address the directory traversal bug.
Cross-Site Scripting
Whilst dismissed by some as trivial or unimportant, cross-site scripting attacks become important when theft of credentials leads to the leakage of personal information. Cross-site scripting attacks are particularly effective against inexperienced or naïve users who may be tempted into clicking a particular URL in an email, for instance. Put simply, cross-site scripting attacks occur when malicious script is injected into a web page, via a crafted URL or similar. These issues may be avoided by not echoing user input in forms and similar web pages, or by sanitising it before doing so to remove <script> tags and other such malicious input.
Typical uses for such vulnerabilities involve stealing users' credentials, or submitting or retrieving user data without their knowledge or consent through the scripting environment offered by most web browsers.

The first occurrence of XSS identified is that caused by simply requesting an invalid page name:

http://wizard.companyxyz.co.uk/%3Cscript%3Ewindow.alert(%22Vulnerable%22)%3C/script%3E,Wizard.sdhtml

... causing injection of malicious script into the 'page not found' message. Other Tapestry error messages are equally prone to XSS injection. For example, the service parameter name:

http://wizard.companyxyz.co.uk/app?service=%3Cscript%3Ewindow.alert(%22Vulnerable%22)%3C/script%3E

... results in an injection into the "No engine service ... was found" error message. A thorough review of the Tapestry source is required, in conjunction with application code review, to ascertain true vulnerability to similar issues and more, as many opportunities for such an attack appear to exist.

Furthermore, the Apache-Coyote/1.1 web server supports the HTTP TRACE method, which can assist cross-site scripting attacks. It is recommended that this method be disabled if possible.
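As an added example (not part of the original report), the following Python routine scans web-server access-log lines for the two Tapestry behaviours described in the Information Leakage and Cross-Site Scripting sections: asset-service requests whose path leaves the asset tree or that enumerate many distinct paths from one client, and script markup in the page name or service parameter. The log lines are constructed for illustration; the all-zero digest values are placeholders.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed access-log lines (common log format), not traffic from the test.
# All-zero digest values are placeholders.
SAMPLE_LOG = """\
10.0.0.5 - - [14/Mar/2008:10:01:02 +0000] "GET /app?service=asset&path=../../index.html&digest=00000000000000000000000000000000 HTTP/1.1" 200 512
10.0.0.5 - - [14/Mar/2008:10:01:03 +0000] "GET /app?service=asset&path=/org/apache/tapestry/form/form.js&digest=557f2081d45a7528f898e7e384717596 HTTP/1.1" 200 1024
10.0.0.5 - - [14/Mar/2008:10:01:04 +0000] "GET /app?service=asset&path=/org/apache/tapestry/form/other.js&digest=00000000000000000000000000000000 HTTP/1.1" 200 200
10.0.0.9 - - [14/Mar/2008:10:02:00 +0000] "GET /%3Cscript%3Ewindow.alert(%22Vulnerable%22)%3C/script%3E,Wizard.sdhtml HTTP/1.1" 404 300
10.0.0.9 - - [14/Mar/2008:10:02:01 +0000] "GET /app?service=%3Cscript%3Ewindow.alert(1)%3C/script%3E HTTP/1.1" 200 300
10.0.0.7 - - [14/Mar/2008:10:03:00 +0000] "GET /Home.sdhtml HTTP/1.1" 200 4096
"""

# client, ident, user, [timestamp], "METHOD target protocol"
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+)')


def analyse(log_text, enum_threshold=3):
    """Return (client, finding, detail) tuples for Tapestry-related abuse.
    enum_threshold: distinct asset paths one client may request before being
    reported as enumerating the namespace; tune it upwards for real traffic."""
    findings = []
    asset_paths = defaultdict(set)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, target = m["ip"], m["target"]
        # Decode percent-encoding so %3Cscript%3E and <script> are treated alike.
        if "<script" in unquote(target).lower():
            findings.append((ip, "xss-probe", target))
        query = parse_qs(urlsplit(target).query)
        if query.get("service") == ["asset"]:
            for path in query.get("path", []):
                # A ".." segment means the request reaches outside the asset tree.
                if ".." in path.split("/"):
                    findings.append((ip, "asset-traversal", path))
                asset_paths[ip].add(path)
    for ip, paths in asset_paths.items():
        if len(paths) >= enum_threshold:
            findings.append((ip, "asset-enumeration", f"{len(paths)} distinct asset paths"))
    return findings


if __name__ == "__main__":
    for client, kind, detail in analyse(SAMPLE_LOG):
        print(f"{client:10s} {kind:18s} {detail}")
```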