Tried, Tested and Proven

Security Advisory 06 – 004 – P-Synch permits GET or POST requests

Vulnerable System:

M-Tech P-Synch Password Management Software

Version:

6.2.8

Other versions:

Unknown

Vulnerability discovery and development:

Portcullis Security Testing Services discovered this vulnerability.

Affected Systems:

The vulnerability was found and verified against a system running on a Windows 2000 platform.

Details:

It was observed that the application will accept either GET or POST methods.

Because the application also accepts GET requests, an attacker with only a limited toolset finds it easier to tamper with the requests it processes.

By design, the tested application relays information between client and server using POST requests. To modify these communications, the Test Team relied on an HTTP proxy server running locally on their workstations. With the GET method, however, an attacker can freely modify the same requests using nothing more than a web browser.
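As an added illustration (this is not P-Synch code, which is closed source, nor code from Portcullis), the following shows the request-handling pattern the advisory describes beside a hardened form. The weak handler merges URL query parameters with the POSTed body, so the same operation can be driven from a browser address bar with GET; the hardened handler answers 405 to anything but POST and reads parameters from the body only. The form path and field names are assumptions chosen for the example.

```python
"""Added example: a method-agnostic form handler beside a POST-only one.

Neither function is P-Synch code; the path and field names are assumptions.
"""
from urllib.parse import parse_qs, urlsplit

# Constructed sample: a password-change form handler (assumed path and fields).
FORM_PATH = "/psynch/change"
REQUIRED_FIELDS = ("user", "newpass")


def _params(raw):
    """Decode application/x-www-form-urlencoded data into single values."""
    return {k: v[0] for k, v in parse_qs(raw, keep_blank_values=True).items()}


def weak_handler(method, url, body=""):
    """Method-agnostic: like PHP's $_REQUEST, query string and body are merged.

    Because the query string is honoured, a plain GET from a browser drives the
    same operation as the application's intended POST.
    """
    parts = urlsplit(url)
    if parts.path != FORM_PATH:
        return 404, "not found"
    fields = _params(parts.query)
    fields.update(_params(body))
    if all(f in fields for f in REQUIRED_FIELDS):
        return 200, f"password changed for {fields['user']}"
    return 400, "missing fields"


def hardened_handler(method, url, body=""):
    """POST only, parameters from the body only; other methods get 405."""
    parts = urlsplit(url)
    if parts.path != FORM_PATH:
        return 404, "not found"
    if method != "POST":
        return 405, "method not allowed; Allow: POST"
    fields = _params(body)  # query string deliberately ignored even on POST
    if all(f in fields for f in REQUIRED_FIELDS):
        return 200, f"password changed for {fields['user']}"
    return 400, "missing fields"


if __name__ == "__main__":
    # The same operation attempted several ways (constructed requests).
    get_url = f"{FORM_PATH}?user=alice&newpass=x"
    print(weak_handler("GET", get_url))                                  # 200: GET accepted
    print(hardened_handler("GET", get_url))                              # 405: GET refused
    print(hardened_handler("POST", get_url))                             # 400: query ignored
    print(hardened_handler("POST", FORM_PATH, "user=alice&newpass=x"))   # 200: body only
```

The second check in the hardened handler matters as much as the method test: if query-string parameters were still merged on POST, a proxy that enforces POST would not stop parameters being supplied in the URL.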

Impact:

In a restricted environment, it may not be possible for the attacker to install arbitrary tools on their workstation, so the ability to make GET requests makes the job of the attacker considerably easier.

Exploit:

None required

Vendor Status:

Notified via email 17 February 2006

Vendor Response:

M-Tech does not consider this to be a real security problem. At most, it enables would-be intruders to attack P-Synch with slightly more convenience. Attackers can reformulate HTTP POST requests just as well as they can reformulate HTTP GET requests, with nothing more than a text editor and Telnet client. Moreover, even in restricted environments, an attacker can just bring his own laptop into work, set its MAC address to match that of his normal workstation, and use whatever tools he wants to attack the network. Finally, an attacker that already controls a workstation (e.g., an “insider”) can always compromise the local administrator credentials and install a keylogger or other malware. An organization that really wants to prevent HTTP GET requests into P-Synch can do so quite easily by placing it behind a filtering reverse web proxy (e.g., Apache). This is a normal configuration for Extranet-facing deployments, for example.
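As an added example (not part of the advisory and not from M-Tech), the following complements the filtering reverse proxy the vendor describes with a detection check: it scans web-server access log lines for non-POST requests against paths that should only ever be POSTed, which is exactly the traffic such a proxy would refuse. The log lines are constructed samples in Apache common log format, and the handler path is an assumption rather than a value from the advisory.

```python
"""Added example: flag non-POST requests to POST-only paths in access logs.

Constructed sample data; the path /psynch/change is an assumption.
"""
import re
from collections import Counter

# Paths that, by the application's design, are only ever driven by POST (assumed).
POST_ONLY_PATHS = {"/psynch/change"}

# Apache common log format: host ident user [time] "METHOD target HTTP/x.y" status bytes
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/\d\.\d" (?P<status>\d{3}) \S+$'
)

# Constructed sample log: one normal page load, one normal POST, two non-POST
# requests to the form handler, and an unparseable line.
SAMPLE_LOG = """\
10.0.0.5 - - [17/Feb/2006:10:01:02 +0000] "GET /psynch/index.html HTTP/1.1" 200 1532
10.0.0.5 - - [17/Feb/2006:10:01:09 +0000] "POST /psynch/change HTTP/1.1" 200 310
10.0.0.9 - - [17/Feb/2006:10:03:41 +0000] "GET /psynch/change?user=bob&newpass=x HTTP/1.1" 200 310
10.0.0.9 - - [17/Feb/2006:10:03:55 +0000] "HEAD /psynch/change HTTP/1.1" 200 0
garbage line that does not parse
"""


def parse_line(line):
    """Parse one common-log-format line; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    # Compare on the path alone so a query string cannot evade the match.
    entry["path"] = entry["target"].split("?", 1)[0]
    return entry


def find_method_violations(log_text, post_only=POST_ONLY_PATHS):
    """Return parsed entries whose path is POST-only but whose method is not POST."""
    hits = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry and entry["path"] in post_only and entry["method"] != "POST":
            hits.append(entry)
    return hits


def summarise(hits):
    """Count violations per client host, a convenient key for alerting."""
    return Counter(h["host"] for h in hits)


if __name__ == "__main__":
    violations = find_method_violations(SAMPLE_LOG)
    for v in violations:
        print(f"{v['host']} {v['method']} {v['target']} -> {v['status']}")
    print(summarise(violations))
```

A status of 200 on a flagged line means the back end honoured the request, which is the condition this advisory reports; once a filtering proxy is in place the same lines should show 403 or 405 instead. On an Apache reverse proxy the enforcement itself is a `<LimitExcept POST>` block with `Require all denied` (Apache 2.4) scoped to the same path, leaving GET available for the pages and static files the application still needs to serve.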

Copyright:

Copyright © Portcullis Computer Security Limited 2006, All rights reserved worldwide.
Permission is hereby granted for the electronic redistribution of this information.
It is not to be edited or altered in any way without the express written consent of Portcullis Computer Security Limited.

Disclaimer:

The information herein contained may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user’s risk. In no event shall the author/distributor (Portcullis Computer Security Limited) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.