sysPass 1.0.9 Insecure Direct Object Reference
Posted on 09 December 2015
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Advisory ID: SYSS-2015-046
Product: sysPass
Manufacturer: http://cygnux.org/
Affected Version(s): 1.0.9 and below
Tested Version(s): 1.0.9
Vulnerability Type: Insecure Direct Object References (CWE-932)
                    Exposure of Backup File to an Unauthorized Control Sphere (CWE-530)
Risk Level: High
Solution Status: Fixed
Manufacturer Notification: 2015-06-10
Solution Date: 2015-10-26
Public Disclosure: 2015-12-07
CVE Reference: Not yet assigned
Author of Advisory: Daniele Salaris (SySS GmbH)

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Overview:

sysPass is a web-based password manager written in PHP and Ajax with a
built-in multiuser environment.

The web application is prone to a security vulnerability that allows an
unauthenticated attacker to download existing backup files containing
sensitive data.

The software manufacturer describes the web application as follows
(see [1]):

"sysPass is a web password manager written in PHP that allows the
password management in a centralized way and in a multiuser environment.
The main features are:
* HTML5 and Ajax based interface
* Password encryption with AES-256 CBC.
* Users and groups management.
* Advanced profiles management with 16 access levels.
* MySQL, OpenLDAP and Active Directory authentication.
* Activity alerts by email.
* Accounts change history.
* Accounts files management.
* Inline image preview.
* Multilanguage.
* Links to external Wiki.
* Portable backup.
* Action tracking and event log.
* One-step install process."

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Vulnerability Details:

The backup functionality of the web-based password manager sysPass creates
the following two backup files, which are stored within the application's
backup folder:

* sysPass_db.sql
* sysPass.tar.gz

The file sysPass_db.sql contains a full database dump, and the file
sysPass.tar.gz contains all contents of the sysPass web application folder.
Because the backup folder is served by the web server without any access
control, an unauthenticated attacker can download both files directly via
the following URLs:

http(s)://<HOST>/backup/sysPass_db.sql
http(s)://<HOST>/backup/sysPass.tar.gz

Thus, an external attacker without valid user credentials gains access to
the complete configuration and application data of the password manager,
including the database dump, the application code and its configuration
files. With this data, an attacker can perform further attacks in order to
recover the credentials of sysPass users or to decrypt the encrypted
password information stored in the database.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Proof of Concept (PoC):

The following URLs can be used to download existing backup files of the
password manager sysPass from an external attacker's perspective:

http(s)://<HOST>/backup/sysPass_db.sql
http(s)://<HOST>/backup/sysPass.tar.gz

For example:

http://syspass.org/demo/backup/sysPass_db.sql
http://syspass.org/demo/backup/sysPass.tar.gz

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Solution:

The reported security vulnerabilities have been fixed in a new software
release. Update to the new software version.

After updating, verify that previously generated backup files are no
longer reachable via the URLs above, and treat any backup that was
reachable before the update as potentially disclosed (the database dump
and the application folder, including its configuration, may already have
been downloaded).

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclosure Timeline:

2015-06-08: Vulnerability discovered
2015-06-10: Vulnerability reported to manufacturer
2015-10-26: Release of new software version that addresses the reported
            security issues. Discussed security fix with manufacturer.
2015-12-07: Public release of security advisory

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

References:

[1] Web site of sysPass - sysadmin password manager
    http://wiki.syspass.org/en/start
[2] SySS Security Advisory SYSS-2015-046
    https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2015-046.txt
[3] SySS Responsible Disclosure Policy
    https://www.syss.de/en/news/responsible-disclosure-policy/

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Credits:

This security vulnerability was found by Daniele Salaris of SySS GmbH.

E-Mail: disclosure (at) syss.de
Key fingerprint = E135 4E23 6091 A85C 9E14 577A 28DF B3A7 0A98 A9D4

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclaimer:

The information provided in this security advisory is provided "as is"
and without warranty of any kind. Details of this security advisory may
be updated in order to provide as accurate information as possible. The
latest version of this security advisory is available on the SySS Web
site.
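Added example, not part of the SySS advisory or of sysPass itself: a small Python checker that requests the two backup paths named above without credentials and classifies what comes back. It looks at the body as well as the status code, so that a "soft 404" (an HTML error page or login form returned with HTTP 200) is not reported as an exposed backup, and it fetches only the first few kilobytes rather than whole archives. The file names and the /backup/ path come from the advisory; the function names, the User-Agent string, the host name in the usage hint and the sample responses are assumptions made for this example. Run it only against instances you are authorized to test.

```python
"""Check whether a sysPass instance exposes its backup files to anonymous clients.

Added example; not part of the SySS advisory or of sysPass. The backup file
names and the /backup/ path are taken from the advisory; function names, the
User-Agent string and the sample responses below are assumptions.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple
from urllib.error import HTTPError, URLError
from urllib.parse import urljoin
from urllib.request import Request, urlopen

BACKUP_DIR = "backup/"
BACKUP_FILES = ("sysPass_db.sql", "sysPass.tar.gz")

# Only the first 4 KiB of a response are fetched: enough to recognise a gzip
# header or the preamble of a mysqldump output without pulling a whole backup.
PEEK = 4096
GZIP_MAGIC = b"\x1f\x8b"
SQL_DUMP_MARKERS = (b"-- MySQL dump", b"CREATE TABLE", b"INSERT INTO")


@dataclass
class ProbeResult:
    url: str
    status: Optional[int]
    verdict: str   # exposed | protected | not-found | unexpected | error
    detail: str


def backup_urls(base_url: str) -> List[str]:
    """Build the two backup URLs relative to the sysPass installation URL."""
    base = base_url if base_url.endswith("/") else base_url + "/"
    return [urljoin(base, BACKUP_DIR + name) for name in BACKUP_FILES]


def classify(name: str, status: int, body: bytes) -> Tuple[str, str]:
    """Map an HTTP status and the first bytes of the body to a verdict.

    A 200 carrying an HTML error page or login form must not count as
    exposure, so the body is checked for the expected file format instead
    of trusting the status code alone.
    """
    if status in (401, 403):
        return "protected", f"HTTP {status}"
    if status == 404:
        return "not-found", "HTTP 404"
    if status not in (200, 206):          # 206 when the server honours Range
        return "unexpected", f"HTTP {status}"
    head = body[:PEEK]
    if name.endswith(".tar.gz"):
        if head.startswith(GZIP_MAGIC):
            return "exposed", "gzip magic bytes at offset 0"
        return "unexpected", "HTTP 200 but body is not gzip data (soft 404?)"
    if name.endswith(".sql"):
        if any(marker in head for marker in SQL_DUMP_MARKERS):
            return "exposed", "mysqldump markers found in body"
        return "unexpected", "HTTP 200 but body does not look like a SQL dump"
    return "unexpected", "unknown file type"


def probe(base_url: str, timeout: float = 10.0) -> List[ProbeResult]:
    """Request each backup URL anonymously and classify the response."""
    results = []
    for url in backup_urls(base_url):
        name = url.rsplit("/", 1)[-1]
        req = Request(url, headers={
            "User-Agent": "syspass-backup-check/1.0",   # assumed identifier
            "Range": f"bytes=0-{PEEK - 1}",
        })
        try:
            with urlopen(req, timeout=timeout) as resp:
                status, body = resp.status, resp.read(PEEK)
        except HTTPError as err:              # 4xx/5xx responses land here
            status, body = err.code, b""
        except URLError as err:               # DNS/TCP/TLS failure
            results.append(ProbeResult(url, None, "error", str(err.reason)))
            continue
        verdict, detail = classify(name, status, body)
        results.append(ProbeResult(url, status, verdict, detail))
    return results


# Constructed sample responses for an offline demonstration (not captured
# from any real host).
SAMPLE_RESPONSES = {
    "sysPass_db.sql": (200, b"-- MySQL dump 10.13  Distrib 5.5.46\n"
                            b"-- Host: localhost    Database: syspass\n"
                            b"CREATE TABLE `accounts` (`account_id` int(10));\n"),
    "sysPass.tar.gz": (200, b"\x1f\x8b\x08\x00" + b"\x00" * 60),
    "soft404.sql":    (200, b"<!DOCTYPE html><html><body>Not found</body></html>"),
}

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:   # e.g. python check.py https://syspass.example/
        for r in probe(sys.argv[1]):
            print(f"{r.verdict:10} {r.url}  ({r.detail})")
    else:
        for fname, (code, data) in SAMPLE_RESPONSES.items():
            print(f"{fname:16} -> {classify(fname, code, data)}")
```

Run without arguments to see the classification of the constructed samples; pass the base URL of an installation to probe it. A "protected" or "not-found" verdict for both files is the expected state after the fix; "unexpected" means the server answered 200 with something other than a backup and is worth a manual look.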
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Copyright:

Creative Commons - Attribution (by) - Version 3.0
URL: http://creativecommons.org/licenses/by/3.0/deed.en

-----BEGIN PGP SIGNATURE-----

iQIcBAEBCgAGBQJWZTiTAAoJECjfs6cKmKnUhucP/3VqXYMAvJtSbbbHwsZyh0Td
T9LtezrGtZeZze4CAMcfJvUZO9/wiDbdDsaEAV2UXrYDvA8f9rXJleJGS0Zrggwx
ktKMN09N/GH0PohrPI4+JFFE6Eolmhlf5PkVRFU8X8Z9orqD8s8NqcHg8P4e5FJy
Dey/+SD9SlbH/ICjxlkjaGXOlCqSHT3mQqhALaKSwikUN3v/YlzVaYwGnUwsYsVt
arZTqKf6c2Sk8LAwZTWLbm6EB/FxuATObV+tblHd/KOcaDhmp0ykL8r1Mve/XQTw
NX3aH9yXoRcpHjCSFa6QK89d4dY4Pv9ejpyMATcYmbLa4hEMZ421cAkJuFobHiCg
MtlHXcVhNn7K+8ogxFk5EKyMEIRYUWqsmh6ZfW9F1qJ5jVezqjYdCmPdUeHlZ66u
Mk2ikWNu3IkSv0fQy0HVzEvzHlbgzWYvWVaLCVwwS9s4JZTDvKF9E+xAeK2iC9Ul
OOM1RgYcY57dFL7M6dY6OpMM8xapbJHtYjEC8ammfc9rhRIHQO4evBXGufs5vmc0
hWHIRLuF4rx0bja4qAbxK6l+7lWdgaPSHDOW7I2v+NUdjvPKcjndsAOB9FiK+jhI
+Q09ybOMLEzICOlo3VhRwyaEc7X+HZRdTEijU3piV6nxKyhiCI2AVuMRKjJyV3pc
tz8Q0g6YqzlFi8VnPgSV
=YMqY
-----END PGP SIGNATURE-----