what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

dnaLIMS Code Execution / XSS / Traversal / Session Hijacking

dnaLIMS Code Execution / XSS / Traversal / Session Hijacking
Posted Mar 10, 2017
Authored by Nicholas von Pechmann

dnaLIMS DNA sequencing application suffers from an improperly protected web shell, a directory traversal, insecure password storage, session hijacking, cross site scripting, and improperly protected content vulnerabilities.

tags | exploit, web, shell, vulnerability, xss, file inclusion
advisories | CVE-2017-6526, CVE-2017-6527, CVE-2017-6528, CVE-2017-6529
SHA-256 | 2c765d1002998d2516a62972d8bae6e5afe2348f1e7d3cf6ef351c942e91a44c

dnaLIMS Code Execution / XSS / Traversal / Session Hijacking

Change Mirror Download
Title: Multiple vulnerabilities discovered in dnaLIMS DNA sequencing
web-application
Advisory URL:
https://www.shorebreaksecurity.com/blog/product-security-advisory-psa0002-dnalims/
Date published: Mar 08, 2017
Vendor: dnaTools, Inc.
CVE IDs: [2017-6526, 2017-6527, 2017-6528, 2017-6529]
USCERT VU: 929263

Vulnerability Summaries
1) Improperly protected web shell [CVE-2017-6526]
dnaLIMS requires authentication to view cgi-bin/dna/sysAdmin.cgi, which is
a web shell included with the software running as the web user. However,
sending a POST request to that page bypasses authentication checks,
including the UID parameter within the POST request.

2) Unauthenticated Directory Traversal [CVE-2017-6527]
The viewAppletFsa.cgi seqID parameter is vulnerable to a null terminated
directory traversal attack. This allows an unauthenticated attacker to
retrieve files on the operating system accessible by the permissions of the
web server. This page also does not require authentication, allowing any
person on the Internet to exploit this vulnerability.

3) Insecure Password Storage [CVE-2017-6528]
An option, which is most likely the default, allows the password file
(/home/dna/spool/.pfile) to store clear text passwords. When combined with
the unauthenticated directory traversal vulnerability, it is possible to
gain the username and password for all users of the software and gain
complete control of the software.

4) Session Hijacking [CVE-2017-6529]
Each user of the dnaLIMS software is assigned a unique four-digit user
identification number(UID) upon account creation. These numbers appear to
be assigned sequentially. Multiple pages of the dnaLIMS application require
that this UID be passed as a URL parameter in order to view the content of
the page.
Consider the following example:
The URL ahttps://<SERVER NAME
REDACTED>/cgi-bin/dna/seqreq2N.cgi?username=61685578,2410a is a valid URL
to view the page for sequencing requests for the user with the UID of 2410. The
username parameter of the URL is the mechanism for authentication to the
system. The first eight-digit number of the username parameter appears to
be a session identifier as it changes every time the user logs in from the
password.cgi page, however this value is not checked by the seqreq2N.cgi
page. This allows an attacker to guess the four-digit UID of valid user
accounts that have an active session. The user with the UID of 2419
currently has an active session, so we can simply hijack this useras
session by requesting this page and specifying the UID 2419.

5) Cross-site Scripting
The seqID parameter of the viewAppletFsa.cgi page is vulnerable to a
reflected cross site scripting attack via GET request as seen in the
following URL:
https://<SERVER NAME REDACTED>/cgi-bin/dna/viewAppletFsa.cgi?seqID=7415-7<SCRIPT
Alert("XSS") </SCRIPT>

6) Cross-site Scripting
The navUserName parameter of the seqTable*.cgi page is vulnerable to a
reflected cross site scripting attack via POST request as seen in the
example below. The * reflects a short name for a client, (ie Shorebreak
Security may be seqTableSS.cgi or seqTableshorebreak.cgi) and may not be
vulnerable for all dnaLIMS installs.

7) Improperly Protected Content

Many of the pages within the admin interface are not properly protected
from viewing by authenticated users. This can give an attacker additional
system information about the system, or change system/software
configuration.

Software was conducted on a live production system, therefore the pages
themselves were tested, forms within these pages were not.

This is also not an exhaustive list of improperly protected pages:

cgi-bin/dna/configuration.cgi

cgi-bin/dna/createCoInfo.cgi

cgi-bin/dna/configSystem.cgi

cgi-bin/dna/combineAcctsN.cgi

Disclosure Timeline

Thu, Nov 10, 2016 at 4:25 PM: Reached out to vendor requesting PGP key to
securely exchange details of vulnerabilities identified

Thu, Nov 10, 2016 at 4:55 PM: Vendor requests report be physically mailed
to PO box via Postal Service

Wed, Nov 16, 2016, at 11:14 AM: Report mailed to vendor via USPS Certified
Mail

Thu, Dec 8, 2016, at 10:43 AM: Request Vendor acknowledge receipt of the
report

Thu, Dec 8, 2016, at 12:53 PM: Vendor acknowledges receiptI3/4 suggests
placing the software behind a firewall as a solution to the vulnerabilities.

Thu, Dec 8, 2016, at 1:54 PM: Reply that the offered solution mitigates
some risk, but does not address the vulnerabilitiesI3/4 inquire if there is a
plan to address the vulnerabilities

Thu, Dec 8, 2016, at 3:13 PM: Vendor replies aa|Yes, we have a plan. Please
gather a DNA sequence, PO Number, or Fund Number and go to your local
grocery store and see what it will buy you.a

Tue, Feb 28, 2017, at 1:15 PM: Vulnerabilities disclosed to US-CERT

Tue, Mar 7, 2017, at 8:19 AM: Vulnerabilities submitted to MITRE for CVE
assignment

Wed, Mar 8, 2017, at 12:00 PM: Vulnerabilities disclosed publicly




--
with respect,

[image: Shorebreak Security]
Nicholas von Pechmann
Principal Security Engineer
O: (888) 838-7311 ext. 444
M: (818) 292-4915


Login or Register to add favorites

File Archive:

November 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    30 Files
  • 2
    Nov 2nd
    0 Files
  • 3
    Nov 3rd
    0 Files
  • 4
    Nov 4th
    12 Files
  • 5
    Nov 5th
    44 Files
  • 6
    Nov 6th
    18 Files
  • 7
    Nov 7th
    9 Files
  • 8
    Nov 8th
    8 Files
  • 9
    Nov 9th
    3 Files
  • 10
    Nov 10th
    0 Files
  • 11
    Nov 11th
    0 Files
  • 12
    Nov 12th
    0 Files
  • 13
    Nov 13th
    0 Files
  • 14
    Nov 14th
    0 Files
  • 15
    Nov 15th
    0 Files
  • 16
    Nov 16th
    0 Files
  • 17
    Nov 17th
    0 Files
  • 18
    Nov 18th
    0 Files
  • 19
    Nov 19th
    0 Files
  • 20
    Nov 20th
    0 Files
  • 21
    Nov 21st
    0 Files
  • 22
    Nov 22nd
    0 Files
  • 23
    Nov 23rd
    0 Files
  • 24
    Nov 24th
    0 Files
  • 25
    Nov 25th
    0 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    0 Files
  • 28
    Nov 28th
    0 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close