
companyxyz.co.uk Penetration Test Report

March 2008

companyxyz.co.uk Penetration Test
Netdefense.co.uk, March 2008

PLEASE NOTE: COMPANYXYZ has been used to disguise the real identity of our customer. The IP addresses mentioned are random fictional IPs and not related to any of our customers.

Page 1 of 12


Table of Contents

Introduction ............................................ 3
Summary of Findings ..................................... 3
Network Assessment ...................................... 4
    Information Gathering ............................... 4
    Port Scanning ....................................... 4
    ICMP Packet Filtering ............................... 5
SSL Security Analysis ................................... 6
    HTTPS Not Enforced .................................. 6
    SSL Protocol/Cipher Suite Evaluation ................ 6
Web Application Security ................................ 9
    Content Analysis .................................... 9
    Malicious Input/SQL Injection ....................... 9
    Information Leakage ................................. 9
    Cross-Site Scripting ................................ 10
Web Server Assessment ................................... 12
    Apache Tomcat Directory Traversal ................... 12
    Apache Tomcat Directory Listing (CVE-2006-3835) ..... 12
    Apache Tomcat Buffer Overflow (CVE-2007-0774) ....... 12
    Web Server Configuration ............................ 12


Introduction
Netdefense were invited by Mr. X (ICT Manager, Company XYZ) to perform an initial evaluation of the http://www.companyxyz.co.uk/ website and associated functionality. Testing occurred between March 12th 2008 and March 16th 2008 and was performed via the Internet. Testing was primarily focussed on assessing the strength of the web server and its associated applications, covering areas such as malicious data exploits, operating system vulnerabilities, use of cryptography, and other areas critical to security. It must be stressed that during an accelerated test the emphasis is on breadth of coverage rather than depth, and time did not permit a thorough investigation of all issues encountered.

Summary of Findings
No immediate threats to the security of the systems under test were identified. However, new vulnerabilities are discovered regularly, and the current system configuration delivers a large amount of useful information to an intruder in the form of verbose error messages and the like.

Based on software version numbers, certain Tomcat components appeared to be out-of-date. However, it is possible that software has been patched without changing the version number. Care should be taken to ensure that systems are always updated with the latest versions of software to remove vulnerability to several known issues.

The Apache Tapestry framework appears to contain a subtle vulnerability which further weakens the confidentiality of the target system, again related to the use of error messages. Additionally, the framework contains a number of opportunities for cross-site scripting attacks which may be used to compromise the data of an end user.

SSL encryption is offered to users to safeguard their data, but in some circumstances the site may be accessed without encryption or using algorithms considered to be weak. SSL configuration should be reviewed with respect to policy and recommendations made later in this document.

Whilst no instances were detected during the test window, it is recommended that a thorough review of application source code is performed to ensure that the website is free from SQL injection and similar vulnerabilities which could result in system or data compromise.

It must be remembered that penetration testing is performed on a snapshot of a given system, and as an application evolves, so will the security considerations associated with it. It is suggested that security testing occur regularly based on policy and an appropriate risk assessment.


Network Assessment
This section discusses details of the target systems that are discoverable via network-based probes, and evaluates the security impact of what was found.

Information Gathering
The initial target address was http://www.companyxyz.co.uk/. This resolves to 82.195.156.191, with reverse DNS of 191.156.reserved.hosting365.ie. Registering for the site elicits an email from this IP address, but with a hostname of mail.companyxyz.co.uk, and analysis of the SMTP headers reveals an alternate alias of newfutures1.companyxyz.co.uk. It appears that the hostname is not used to differentiate between content when serving HTTP requests, i.e. virtual hosts are not present. Furthermore, the SMTP header reveals that the Sendmail application is in use (version 8.13.1), and so it is possible to deduce that a UNIX system is employed here. The web application portion of the site, wizard.companyxyz.co.uk, resolves to the same IP address. WHOIS lookups in the RIPE and NIC.UK databases reveal that the IP space is allocated to Hosting365 and that the domain is registered to Company XYZ; however, neither reveals the purpose of the site.

Port Scanning
Limited TCP and UDP port scanning was attempted as part of the test. Services found were identified using various fingerprinting techniques. The following information was gathered on available ports:

Host             Port       Description     Notes
82.195.156.191   21/TCP     (ftp)           Closed*
82.195.156.191   53/TCP     (domain)        Closed*
82.195.156.191   80/TCP     HTTP            Apache-Coyote/1.1
82.195.156.191   81/TCP     (hosts2-ns)     Closed*
82.195.156.191   82/TCP     (xfer)          Closed*
82.195.156.191   83/TCP     HTTP            Apache-Coyote/1.1
82.195.156.191   84/TCP     (ctf)           Closed*
82.195.156.191   443/TCP    (https)         Closed*
82.195.156.191   8080/TCP   (http-proxy)    Closed*

Host             Port       Description     Notes
82.195.156.203   21/TCP     (ftp)           Closed*
82.195.156.203   53/TCP     (domain)        Closed*
82.195.156.203   80/TCP     HTTP            Apache-Coyote/1.1
82.195.156.203   81/TCP     (hosts2-ns)     Closed*
82.195.156.203   82/TCP     (xfer)          Closed*
82.195.156.203   83/TCP     (mit-ml-dev)    Closed*
82.195.156.203   84/TCP     (ctf)           Closed*
82.195.156.203   443/TCP    HTTPS           Apache-Coyote/1.1
82.195.156.203   8080/TCP   (http-proxy)    Closed*

* Closed: received TCP reset/UDP port unreachable. Indicates use of TCP wrappers or similar.

ICMP Packet Filtering


It appears possible to elicit ICMP timestamp responses from the machines, whilst ICMP echo 'ping' requests are blocked. This allows an intruder to know the exact time of the remote computer, which can prove useful in cryptographic attacks, and such packets should be blocked using a firewall if possible.


SSL Security Analysis


The wizard.companyxyz.co.uk site employs SSL encryption to protect customer data and credentials from eavesdropping. This section offers an overview of details discovered and how security may be improved.

HTTPS Not Enforced


The contents of https://wizard.companyxyz.co.uk/ (port 443, SSL) are also available via HTTP on port 80 without encryption. Whilst the application link from the main site does indeed link to the SSL version, it is possible that an end user could erroneously visit the site via HTTP. Therefore access to the system could occur in clear-text and expose personal details in transit in some circumstances (e.g. upstream web proxy, users of wireless networks). Furthermore, without the use of SSL, the end user cannot be assured of the authenticity of the application and is therefore potentially vulnerable to a man-in-the-middle attack. It is recommended that access to the wizard application be restricted to SSL-based sessions only. This could effectively be performed by simply closing port 80 on the host 82.195.156.203, assuming that this HTTP server is not required for other purposes outside the scope of this test.

SSL Protocol/Cipher Suite Evaluation


The wizard application offers SSLv3 and TLSv1 encryption options. A variety of cipher suites are available for negotiation. This section of the report outlines the details of these options and discusses the security implications of each cipher suite. Cryptographic details are omitted for brevity, however where a non-recommended cipher suite is in use, care should be taken to test target browsers/operating systems for compatibility before disabling access to it.

Export Ciphers (SSLv3):

Cipher Suite               Key Exchange     Authentication   Encryption             MAC
EXP-EDH-RSA-DES-CBC-SHA    Diffie-Hellman   RSA              DES-CBC (40-bit key)   SHA1
EXP-DES-CBC-SHA            RSA              RSA              DES-CBC (40-bit key)   SHA1
EXP-RC4-MD5                RSA              RSA              RC4 (40-bit key)       MD5

Export-strength ciphers use weak encryption algorithms such as DES and RC4. Additionally, the MD5 algorithm should be considered deprecated, and so export ciphers should be completely disabled where possible.


Export Ciphers (TLSv1):


As per SSLv3 above.

Medium Strength Ciphers (SSLv3):


Cipher Suite           Key Exchange     Authentication   Encryption             MAC
EDH-RSA-DES-CBC-SHA    Diffie-Hellman   RSA              DES-CBC (56-bit key)   SHA1
DES-CBC-SHA            RSA              RSA              DES-CBC (56-bit key)   SHA1

Again, the insecure DES encryption algorithm is employed by these cipher suites, and so these medium strength ciphers should also be disabled where possible.

Medium Strength Ciphers (TLSv1):


As per SSLv3 above.

High Strength Ciphers (SSLv3):


Cipher Suite            Key Exchange     Authentication   Encryption               MAC
EDH-RSA-DES-CBC3-SHA    Diffie-Hellman   RSA              3DES-CBC (168-bit key)   SHA1
DES-CBC3-SHA            RSA              RSA              3DES-CBC (168-bit key)   SHA1
RC4-MD5                 RSA              RSA              RC4 (128-bit key)        MD5
RC4-SHA                 RSA              RSA              RC4 (128-bit key)        SHA1

Given that modern browsers and operating systems support 3DES encryption, it is recommended that both RC4-based ciphers be disabled. If this is not possible, consider disabling only RC4-MD5.


High Strength Ciphers (TLSv1):


As per SSLv3 above, plus:

Cipher Suite          Key Exchange     Authentication   Encryption          MAC
DHE-RSA-AES128-SHA    Diffie-Hellman   RSA              AES (128-bit key)   SHA1
AES128-SHA            RSA              RSA              AES (128-bit key)   SHA1

These two cipher suites use strong AES encryption and should be considered preferred algorithms.
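The recommendations across the cipher tables above, expressed as an added policy check (example code written for this report, not part of the original document or the target's configuration): it parses OpenSSL-style suite names and sorts them into disable/acceptable/preferred per the rules stated in this section.

```python
"""Classify OpenSSL-style cipher suite names against the report's policy.

Added example, not part of the original report or the target's configuration.
The suite names are the ones in the tables above; the rules are the report's:
export grade, single DES and MD5 -> disable; RC4 -> disable; 3DES -> acceptable;
AES -> preferred.
"""
import re

# Constructed from the report's SSLv3/TLSv1 tables.
REPORT_SUITES = [
    "EXP-EDH-RSA-DES-CBC-SHA", "EXP-DES-CBC-SHA", "EXP-RC4-MD5",
    "EDH-RSA-DES-CBC-SHA", "DES-CBC-SHA",
    "EDH-RSA-DES-CBC3-SHA", "DES-CBC3-SHA", "RC4-MD5", "RC4-SHA",
    "DHE-RSA-AES128-SHA", "AES128-SHA",
]

SINGLE_DES = re.compile(r"(^|-)DES-CBC(-|$)")   # matches DES-CBC, not DES-CBC3


def classify(suite):
    """Return (verdict, reason); verdict is 'disable', 'acceptable' or 'preferred'."""
    name = suite.upper()
    if name.startswith("EXP-"):
        return "disable", "export-grade 40-bit key"
    if name.endswith("-MD5"):
        return "disable", "MD5 MAC is deprecated"
    if "RC4" in name:
        return "disable", "RC4 stream cipher"
    if "DES-CBC3" in name or "3DES" in name:
        return "acceptable", "3DES-CBC (168-bit key)"
    if SINGLE_DES.search(name):
        return "disable", "single DES (56-bit key)"
    if "AES" in name:
        return "preferred", "AES"
    return "disable", "unrecognised suite: review before enabling"


def policy(suites=REPORT_SUITES):
    """Split a cipher list into (keep, disable) lists of (suite, verdict, reason).

    keep is ordered preferred (AES) first, then acceptable (3DES), so it can be
    used directly as a server-side preference order.
    """
    keep, disable = [], []
    for suite in suites:
        verdict, reason = classify(suite)
        (disable if verdict == "disable" else keep).append((suite, verdict, reason))
    keep.sort(key=lambda entry: 0 if entry[1] == "preferred" else 1)  # stable sort
    return keep, disable


if __name__ == "__main__":
    keep, disable = policy()
    print("Enable, in order:", ":".join(s for s, _, _ in keep))
    for suite, _, reason in disable:
        print(f"Disable {suite}: {reason}")
```

Run it against the suite list a server actually negotiates (e.g. from a scanner's output) rather than the constructed list to get a concrete disable list for that host.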


Web Application Security


This section details issues specific to the web applications encountered. The wizard application should be considered secure, but leaks valuable information to an intruder in its current configuration.

Content Analysis
The document tree was spidered and analysed to determine its structure, and then automated scanning was used to attempt to enumerate further directories and files based on what was seen. Neither the www nor the wizard site appeared to contain backup files or other common data typically used to aid intrusion, and the server appeared to be free of example files, samples, and the like. It is noted that the wizard's /admin directory redirects to a non-existent /Login.htm, which may indicate that outdated or obsolete code exists at this point. Time did not permit a thorough investigation.

Malicious Input/SQL Injection


The wizard application was tested for SQL injection vulnerabilities, with positive results: it appears that filtering of malicious input is in place to prevent SQL injection vulnerabilities. For example, a trivial attempt to use an apostrophe character when registering for the site returns an error message like:

Unable to update OGNL expression '<parsed OGNL expression>' of $Registration_18@1efcfad[Registration] to 'a@b: Method "setValue" failed for object uk.co.exsys.exsutils.tapestry.MemoryTapestryElement@1462a49

However, the uk.co.exsys.exsutils namespace indicates that proprietary/bespoke code is in place, and therefore a code review of this package is recommended to ascertain true vulnerability. Additionally, the main http://www.companyxyz.co.uk/ site offers a properties page which accepts various parameters from a remote client. It is possible to cause a server error through manipulation of these values, and so without access to the source code it is impossible to rule out the possibility of SQL injection or similar attacks.

Information Leakage
Due to the verbose nature of Apache Tapestry error messages, it is possible to ascertain a large amount of information about the program flow and the code involved in a given request. If at all possible, error reporting to clients should be suppressed through configuration or modification of the Tapestry software to minimise the amount of information leaked to an attacker. Furthermore, in certain circumstances, Tapestry error messages can be abused to breach the confidentiality of a target system.


Tapestry allows a remote user to enumerate files within the namespace via abuse of the asset service. Previous versions of the Tapestry framework contained a security hole which allowed an arbitrary file to be retrieved using a crafted URL:

http://host/app?service=asset&path=/org/apache/tapestry/form/form.js

To mitigate this, an MD5 digest is now used which must match the target file:

... &digest=557f2081d45a7528f898e7e384717596

However, the error message presented with a mismatched MD5 checksum differs from that given for a non-existent file, and this allows a brute-force enumeration of the namespace. For example, asking for form.js gives a message such as "The MD5 digest provided in the request does not match the actual value for classpath resource...", whereas asking for a non-existent file gives a 200 OK message.

The original Tapestry bug report at http://issues.apache.org/jira/browse/TAPESTRY-278 mentions a directory traversal issue, which is present in the target server environment, although of limited impact. An example use of this to check for files outside of the appropriate directory:

http://host/app?service=asset&path=../../index.html

The MD5 digest provided in the request does not match the actual value for classpath resource '../../index.html'

This technique can also be used to fingerprint the remote version of Tapestry by requesting known files in conjunction with a list of known MD5 hash values: an intruder may ascertain which version of Tapestry is installed based on the presence and hash match/mismatch of given files. This particular error message appears to be a design flaw in a security patch to the Tapestry source by the developers, which has also failed to address the directory traversal bug.
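Because the asset service answers 200 OK whether or not the digest matches, the enumeration described above is invisible to status-code based monitoring. The following detector, an added example that is not part of the report, runs over constructed Tomcat access-log lines and flags the two behaviours this section describes: a '..' segment in the requested asset path, and one client touching many distinct classpath resources.

```python
"""Detect Tapestry asset-service enumeration and traversal in Tomcat access logs.

Added example, not from the report. The log lines below are constructed in the
common log format written by Tomcat's AccessLogValve; the request shapes are
the ones described above (service=asset with path and digest parameters).
Because Tapestry answers 200 OK even for missing files or bad digests, the
status code is useless here; the detector keys on the requested path instead.
"""
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlparse

# Constructed sample: one ordinary asset fetch from 10.0.0.7, then 10.0.0.9
# walking the classpath with a bogus digest and trying a traversal.
SAMPLE_LOG = """\
10.0.0.7 - - [14/Mar/2008:09:01:10 +0000] "GET /app?service=asset&path=/org/apache/tapestry/form/form.js&digest=557f2081d45a7528f898e7e384717596 HTTP/1.1" 200 4120
10.0.0.9 - - [14/Mar/2008:09:02:00 +0000] "GET /app?service=asset&path=/org/apache/tapestry/form/form.js&digest=00000000000000000000000000000000 HTTP/1.1" 200 512
10.0.0.9 - - [14/Mar/2008:09:02:01 +0000] "GET /app?service=asset&path=/org/apache/tapestry/sample-a.js&digest=00000000000000000000000000000000 HTTP/1.1" 200 512
10.0.0.9 - - [14/Mar/2008:09:02:02 +0000] "GET /app?service=asset&path=/org/apache/tapestry/sample-b.js&digest=00000000000000000000000000000000 HTTP/1.1" 200 512
10.0.0.9 - - [14/Mar/2008:09:02:03 +0000] "GET /app?service=asset&path=../../index.html&digest=00000000000000000000000000000000 HTTP/1.1" 200 512
10.0.0.9 - - [14/Mar/2008:09:02:04 +0000] "GET /app?service=home HTTP/1.1" 200 2048
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)


def parse_requests(log_text):
    """Yield one dict per parseable line with ip, service and decoded asset path."""
    for line in log_text.splitlines():
        match = LINE_RE.match(line)
        if not match:
            continue
        rec = match.groupdict()
        query = parse_qs(urlparse(rec["target"]).query)  # parse_qs percent-decodes
        rec["service"] = query.get("service", [None])[0]
        rec["path"] = query.get("path", [""])[0]
        yield rec


def findings(log_text, enum_threshold=3):
    """Return (kind, ip, detail) alerts for traversal and enumeration behaviour."""
    alerts = []
    paths_by_ip = defaultdict(set)
    for rec in parse_requests(log_text):
        if rec["service"] != "asset":
            continue
        # Any '..' segment in the requested asset path is a traversal attempt.
        if ".." in rec["path"].split("/"):
            alerts.append(("traversal", rec["ip"], rec["path"]))
        paths_by_ip[rec["ip"]].add(rec["path"])
    # A client touching many distinct classpath resources is enumerating.
    for ip, paths in sorted(paths_by_ip.items()):
        if len(paths) >= enum_threshold:
            alerts.append(("enumeration", ip, f"{len(paths)} distinct asset paths"))
    return alerts


if __name__ == "__main__":
    for kind, ip, detail in findings(SAMPLE_LOG):
        print(f"{kind:12} {ip:15} {detail}")
```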

Cross-Site Scripting
Whilst dismissed by some as trivial or unimportant, cross-site scripting attacks become important when theft of credentials leads to the leakage of personal information. Cross-site scripting attacks are particularly effective against inexperienced or naïve users who may be tempted into clicking a particular URL in an email, for instance. Put simply, cross-site scripting attacks occur when malicious script is included into a web page, via crafted URL or similar. These issues may be avoided by not echoing user input in forms and similar web pages, or sanitising it before doing so to remove <script> tags and other such malicious input.


Typical uses for such vulnerabilities involve stealing users' credentials, or submitting or retrieving user data without their knowledge or consent through the scripting environment offered by most web browsers.

The first occurrence of XSS identified is that caused by simply requesting an invalid page name:

http://wizard.companyxyz.co.uk/%3Cscript%3Ewindow.alert(%22Vulnerable %22)%3C/script%3E,Wizard.sdhtml

... causing injection of malicious script into the 'page not found' message. Other Tapestry error messages are equally prone to XSS injection. For example, the service parameter name:

http://wizard.companyxyz.co.uk/app?service=%3Cscript%3Ewindow.alert(%22Vulnerable %22)%3C/script%3E

... results in an injection into the "No engine service ... was found" error message. A thorough review of the Tapestry source is required, in conjunction with application code review, to ascertain true vulnerability to similar issues and more, as many opportunities for such an attack appear to exist. Furthermore, the Apache-Coyote/1.1 web server supports the HTTP TRACE method, which can assist cross-site scripting attacks. It is recommended that this method be disabled if possible.
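The fix the section asks for is output encoding at the point where the error page echoes the request value. The example below is added here and is not code from the report or from the Tapestry project: it extracts the page name and service name from URLs reconstructed from the two quoted above, renders the error messages the way the vulnerable behaviour was observed and the way they should be rendered, and shows which one still carries executable markup.

```python
"""Escaping the request value that Tapestry echoes into its error pages.

Added example, not from the report or the Tapestry project. It models the two
injection points described above (an invalid page name and an unknown engine
service name) as a vulnerable renderer beside a hardened one.
"""
import html
from urllib.parse import parse_qs, unquote, urlparse

# Reconstructed from the report's two URLs (line-wrap artefacts removed).
PAGE_URL = ("http://wizard.companyxyz.co.uk/"
            "%3Cscript%3Ewindow.alert(%22Vulnerable%22)%3C/script%3E,Wizard.sdhtml")
SERVICE_URL = ("http://wizard.companyxyz.co.uk/app?service="
               "%3Cscript%3Ewindow.alert(%22Vulnerable%22)%3C/script%3E")


def page_name(url):
    """The page name is the decoded path component before ',Wizard.sdhtml'."""
    path = unquote(urlparse(url).path.lstrip("/"))
    return path.split(",", 1)[0]


def service_name(url):
    """The engine service name comes from the 'service' query parameter."""
    return parse_qs(urlparse(url).query).get("service", [""])[0]


def not_found_vulnerable(name):
    """Mirrors the observed behaviour: the value is echoed verbatim into HTML."""
    return f"<p>Page '{name}' not found.</p>"


def not_found_safe(name):
    """HTML-escape before echoing so the value renders as text, not markup."""
    return f"<p>Page '{html.escape(name, quote=True)}' not found.</p>"


def no_service_safe(name):
    """Same treatment for the 'No engine service ... was found' message."""
    return f"<p>No engine service '{html.escape(name, quote=True)}' was found.</p>"


def contains_script_tag(rendered):
    """True if a <script> tag survived into the output, i.e. a browser would run it."""
    return "<script" in rendered.lower()


if __name__ == "__main__":
    name = page_name(PAGE_URL)
    print("vulnerable:", not_found_vulnerable(name))
    print("hardened:  ", not_found_safe(name))
    print("hardened:  ", no_service_safe(service_name(SERVICE_URL)))
```

Escaping at render time covers these two messages; the report's wider recommendation of a source review still applies to every other place a request value reaches an error page.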


Web Server Assessment


This section gives an overview of vulnerabilities identified based on server version information and the configuration encountered. In summary, Tomcat should be patched/upgraded to the latest available version to mitigate a number of possible vulnerabilities, the most applicable of which are listed here.

Apache Tomcat Directory Traversal


Whilst the installation does not appear to be vulnerable, the system configuration may change in future. When combined with a web proxy such as the mod_proxy component of the Apache web server, a directory traversal attack is theoretically possible against the installed version of Tomcat. Details are available here: http://www.sec-consult.com/286.html.

Apache Tomcat Directory Listing (CVE-2006-3835)


Certain configurations of Tomcat allow a directory listing to be obtained through a crafted request. The installed version does not appear to be vulnerable at present. See here for details: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3835.

Apache Tomcat Buffer Overflow (CVE-2007-0774)


Similarly, based on version fingerprinting, the installation may theoretically be vulnerable to a buffer overflow vulnerability in some circumstances. However, the current configuration does not appear to permit such an exploit to succeed against the system. Again, upgrading Tomcat to the latest version will remove any possibility of this flaw being leveraged as part of an attack. Details here: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0774.

Web Server Configuration


As previously mentioned, the web server implements the TRACE method, which can be abused to facilitate cross-site scripting attacks in some cases. Additionally, the HTTP PUT method appears to be implemented, and whilst time did not permit a thorough analysis of this interface, it should be disabled or heavily restricted if possible. The Apache-Coyote/1.1 server also returns a 404 code when a given page is not found. If possible, web servers should be configured with an Error Document so that a 200 OK message is returned in the event of an invalid filename being requested. This hinders automated scanning and enumeration of the web site's contents.
