The following security advisory is sent to the securiteam mailing list, and can
be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion
The SecuriTeam alerts list - Free, Accurate, Independent.
Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html
- - - - - - - - -
Ipswitch WhatsUp SQL Injection Vulnerability
------------------------------------------------------------------------
SUMMARY
<http://www.ipswitch.com/Products/WhatsUp/professional/index.html>
Ipswitch's WhatsUp is "a network management solution for small and mid
sized organizations".
Remote exploitation of a SQL injection vulnerability in Ipswitch Inc.'s
WhatsUp Professional allows remote attackers to gain administrative access
to the application.
DETAILS
Vulnerable Systems:
* Ipswitch WhatsUp Gold Professional version 2005 SP1
Immune Systems:
* Ipswitch WhatsUP Professional 2005 SP1a
The main logon screen for the web based front end does not properly
validate input, allowing for SQL injection attacks to occur. SQL commands
can be submitted through the "User Name" and "Password" fields on the
default login page.
The web front end is not enabled by default and must be running for the
application to be vulnerable. It can be enabled under the "Configure",
"Program Options" menu by checking the "Enable web server on port [80]"
checkbox.
Exploit code for this vulnerability is unnecessary; the following SQL
injection attacks can be executed in the "User Name" field of the
http://[target]/NmConsole/Login.asp page:
Reset the Admin user password with a blank password:
- 'UPDATE WebUser SET sPassword=DEFAULT WHERE sUserName='Admin'--
Elevate Guest user privileges to Admin privileges:
- 'UPDATE WebUser SET nUserRightsMask=-1 WHERE sUserName='guest'--
Successful exploitation allows unauthenticated remote attackers to gain
administrative access to the WhatsUp Professional application. SQL
injection attacks can be used to either elevate the privileges of the
Guest user or to change/erase the password of the Admin user. Either
approach will provide a remote attacker with full administrative access to
the application. By default, the Guest user is enabled but has limited
access to the application and the account has a blank password.
Workaround:
Disabling the web front end to WhatsUp Gold Professional 2005 (SP1) will
prevent the ability to exploit this vulnerability. It can be disabled
under the "Configure", "Program Options" menu by unchecking the "Enable
web server on port [80]" checkbox.
Vendor response:
This vulnerability is addressed in WhatsUP Pro 2005 SP1a.
A change log detailing changes in SP1a is available at:
<http://www.ipswitch.com/forums/shwmessage.aspx?ForumID=20&MessageID=7699>
http://www.ipswitch.com/forums/shwmessage.aspx?ForumID=20&MessageID=7699
CVE Information:
<http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1250>
CAN-2005-1250
Disclosure Timeline:
* 25.04.05 - Initial vendor notification
* 10.05.05 - Initial vendor response
* 22.06.05 - Coordinated public disclosure
ADDITIONAL INFORMATION
The information has been provided by <mailto:labs@idefense.com> iDEFENSE.
The original article can be found at:
<http://www.idefense.com/application/poi/display?id=268&type=vulnerabilities>
http://www.idefense.com/application/poi/display?id=268&type=vulnerabilities
========================================
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to:
list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to:
list-subscribe@securiteam.com
====================
====================
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any
kind.
In no event shall we be liable for any damages whatsoever including direct,
indirect, incidental, consequential, loss of business profits or special
damages.
