首页 -> 安全研究

安全研究

安全漏洞
CA 2E Web Option 8.1.2身份验证绕过漏洞

发布日期:2014-01-10
更新日期:2014-02-14

受影响系统:
CA CA 2E Web Option 8.1.2
描述:
CVE(CAN) ID: CVE-2014-1219

CA 2E Web Option是CA 2E应用Web接口开发工具。

CA 2E Web Option (r8.1.2)生成会议令牌的方式可以预测,在实现上存在安全漏洞,这可使远程攻击者绕过身份验证机制。

<*来源:vendor
  *>

测试方法:

警 告

以下程序(方法)可能带有攻击性,仅供安全研究与教学之用。使用者风险自负!

CA 2E Web Option 8.1.2 - Authentication Bypass



EDB-ID: 31647     CVE: 2014-1219    OSVDB-ID: 103236
Author: Mike Emery    Published: 2014-02-13    Verified: Not Verified
Exploit Code:   Download    Vulnerable App:   N/A    
Rating
Overall:

Vulnerability title: Unauthenticated Privilege Escalation in CA 2E Web Option

CVE: CVE-2014-1219
Vendor: CA
Product: 2E Web Option
Affected version: 8.1.2
Fixed version: N/A
Reported by: Mike Emery

Details:

CA 2E Web Option (r8.1.2) and potentially others, is vulnerable to unauthenticated privilege escalation via a predictable session token.
The POST parameter session token W2E_SSNID appears as follows:

W2E_SSNID=3DW90NIxGoSsN1023ZYW2E735182000013CLSpKfgkCJSLKsc600061JKenjKnE
JuNX9GoVjCEbqIuKh6kFRvbzYnUxgQtONszJldyAar3LtTSwsmBLpdlPc5iDH4Zf75


However, this token is poorly validated, leading to

W2E_SSNID=3DW90NIxGoSsN1023ZYW2E735182000013

being accepted as a valid session. By incrementing and
decrementing the digits at the end of the value given above, it is
possible to control the session at the given ID. This token is sent as
part of the login page, and as such, can be manipulated by an
unauthenticated attacker, giving them access to any valid session.
Consequentially, it is possible to access the following page as such:

https://app.domain.co.uk/web2edoc/close.htm?SSNID=3DW90NIxGoSsN1023ZYW2E735182000026

Ending the session specified, which could lead to a denial of service condition.

Further details at:
http://portcullis-security.com/security-research-and-downloads/security-advisories/cve-2014-1219/


Copyright:
Copyright (c) Portcullis Computer Security Limited 2014, All rights
reserved worldwide. Permission is hereby granted for the electronic
redistribution of this information. It is not to be edited or altered in
any way without the express written consent of Portcullis Computer
Security Limited.

Disclaimer:
The information herein contained may change without notice. Use of this
information constitutes acceptance for use in an AS IS condition. There
are NO warranties, implied or otherwise, with regard to this information
or its use. Any use of this information is at the user's risk. In no
event shall the author/distributor (Portcullis Computer Security
Limited) be held liable for any damages whatsoever arising out of or in
connection with the use or spread of this information.

建议:
厂商补丁:

CA
--
目前厂商还没有提供补丁或者升级程序,我们建议使用此软件的用户随时关注厂商的主页以获取最新版本:

http://www.ca.com/us/~/media/files/productbriefs/cs3003-ca-2e-web-option.aspx

浏览次数:2243
严重程度:0(网友投票)
本安全漏洞由绿盟科技翻译整理,版权所有,未经许可,不得转载
绿盟科技给您安全的保障