Critical CSRF Bugs Found in eBox and Snare

Can lead to full system compromise

By on July 1st, 2010 09:08 GMT
eBox Technologies and the InterSect Alliance have released updates to their products, eBox Platform and Snare Agent, addressing critical cross-site request forgery (CSRF) vulnerabilities that could compromise the security of the systems.

CSRF is a type of flaw that exploits the trust systems place in already authenticated users. It is also known as session riding, because it involves an attacker tricking a logged-in user into passing malicious requests to a system on the attacker's behalf. In many cases the exploitation can be done transparently, simply by getting the victim to visit a specially crafted Web page.

Security researcher Russ McRee is credited with discovering the CSRF vulnerabilities in the eBox Platform and the Snare Agent. In a post on his blog, McRee points out that both vendors acted responsibly and provided the fixes in a timely fashion.

According to the researcher, exploiting these flaws poses a risk not only to the applications themselves, but to the entire systems they run on. "[...] It gets more sketchy when the vulnerable application gives up the keys to the castle via CSRF. I don't mean just admin rights to the app, I mean compromise leading to control of the OS or platform itself," McRee says.

The eBox Platform is an open source server solution for small and medium-sized businesses, based on the Ubuntu Linux distribution. According to the official documentation, it can act "as a Gateway, Infrastructure manager, Unified Threat Manager, Office Server, Unified Communication Server or a combination of them."

The platform can be easily managed from a Web interface, which was found to be vulnerable to one-click CSRF attacks because it failed to tokenize requests. Associating a unique string of characters, called a token, with each session and verifying that every request in that session contains it is the most common way to protect against cross-site request forgery.
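The token check described above, as an added illustration written for this article (it is not code from eBox, Snare or the researcher). It models a settings endpoint with a hypothetical SessionStore and handle_request function: the server embeds a per-session token in every form it renders, and a state-changing request is accepted only if it carries that token. The same handler run with enforcement switched off shows why a forged cross-site request, which rides on the victim's session cookie but cannot know the token, succeeds against an untokenized interface. All names, the "listen_port" setting and its values are constructed for the example.

```python
import hmac
import re
import secrets

# Request methods that must never change state and therefore need no token.
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}


class SessionStore:
    """Hypothetical server-side session store: session id -> session data."""

    def __init__(self):
        self._sessions = {}

    def create(self):
        # The session id is what the browser's cookie carries; the CSRF token
        # is a separate secret that only appears inside pages the server renders.
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {
            "csrf_token": secrets.token_urlsafe(32),
            "listen_port": 8080,  # constructed sample setting
        }
        return sid

    def get(self, sid):
        return self._sessions.get(sid)


def render_settings_form(store, sid):
    """Server renders the settings page with the session's token embedded."""
    sess = store.get(sid)
    return (
        '<form method="POST" action="/settings">'
        f'<input type="hidden" name="csrf_token" value="{sess["csrf_token"]}">'
        '<input type="text" name="listen_port">'
        "</form>"
    )


def token_from_form(html):
    """What a legitimate client does: submit the token it was served."""
    match = re.search(r'name="csrf_token" value="([^"]+)"', html)
    return match.group(1) if match else ""


def handle_request(store, sid, method, form, enforce_token=True):
    """Settings endpoint. Returns ("ok", port) or ("rejected", reason).

    enforce_token=False reproduces the untokenized behaviour the article
    describes; True is the hardened form.
    """
    sess = store.get(sid)
    if sess is None:
        return ("rejected", "no session for cookie")

    if method not in SAFE_METHODS and enforce_token:
        supplied = form.get("csrf_token", "")
        # Constant-time comparison so the check leaks nothing about the token.
        if not hmac.compare_digest(supplied, sess["csrf_token"]):
            return ("rejected", "missing or invalid CSRF token")

    if method == "POST":
        try:
            sess["listen_port"] = int(form["listen_port"])
        except (KeyError, ValueError):
            return ("rejected", "bad listen_port")
    return ("ok", sess["listen_port"])


if __name__ == "__main__":
    store = SessionStore()
    sid = store.create()  # the victim's logged-in session

    # Legitimate change: the browser submits the form the server rendered.
    token = token_from_form(render_settings_form(store, sid))
    print(handle_request(store, sid, "POST", {"listen_port": "9000", "csrf_token": token}))

    # Forged cross-site request: the cookie is sent, the token cannot be.
    forged = {"listen_port": "1"}
    print(handle_request(store, sid, "POST", forged))                      # rejected
    print(handle_request(store, sid, "POST", forged, enforce_token=False))  # accepted
```

The contrast is the whole point of the defense: the session cookie is attached automatically by the browser, so it proves nothing about where the request originated, while the token is only obtainable by reading a page served to that session, which a cross-origin attacker page cannot do.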

The Snare Agent is a program for collecting and processing text-based log files from various services and applications running on operating systems like Windows, Linux or Solaris. Specialized versions for collecting logs from AIX, Irix, Tru64 or Lotus Notes also exist.

According to a US-CERT advisory, exploiting the CSRF bug in the web interface of this client allows an attacker to change several important settings, such as the password or the listening port. McRee adds that the Windows version of the client can be exploited to dump local users, domain users and the entire registry.

For eBox the bug has been corrected in eBox 1.4.7-0ubuntu1~ppa1~hardy1, libebox 1.4.5-0ubuntu1~ppa1~hardy1 and ebox-remoteservices 1.4.7-0ubuntu1~ppa1~hardy1. eBox Technologies notes that performing a standard system upgrade should be enough.

As far as the Snare Agent is concerned, the vulnerability has been fixed in Snare for Windows 3.1.8, Snare for Windows Vista 1.1.5, Snare for AIX 1.5.1, Snare for Irix 1.4.1, Snare for Solaris 3.2.4, Epilog for Windows 1.5.4 and Epilog for UNIX 1.3.