Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
RE: Computer Associates eTrust Security Command Center Multiple Vulnerabilities

From: Patrick Webster (patrickaushack.com)
Date: Fri Sep 22 2006 - 03:03:34 CDT

aushack.com - Vulnerability Advisory
Release Date:

 Computer Associates - eTrust Security Command Center

 "eTrust Security Command Center helps you discover and prioritize
 relevant security data to effectively manage your security risks in real
 time. By correlating security risks to assets, you can take corrective
 action and investigate security incidents through a centralized command
 and control center."

Versions affected:
 eTrust Security Command Center 1.0, r8, r8 SP1 CR1 and r8 SP1 CR2.
 eTrust Audit 1.5 and r8.

Vulnerabilities discovered:

 1) Reveal web server path.

 2) Read and delete arbitrary files from the host server under
    the service account, generally LocalSystem.

 3) The event alerting does not use authentication, and as such is
    vulnerable to external replay attacks, similar to IDS replay attacks.

Vulnerability impact:

 Medium - A malicious authenticated user may read and delete arbitrary
           files, whilst an unauthenticated attacker may use a replay
           attack to distract staff from tracking real events, and/or
           denial of service by consuming disk space with false alerts.

Vulnerability information

 The software is operated by use of a web browser. Authenticated users have
 access to the various security reports and functions, which generally do
 not verify user controlled parameters.

 1) The 'ePPIServlet' script returns a detailed path error when sent the
 quote character [ ' ] as part of the 'PIProfile' function.

 2) The 'eSMPAuditServlet' class contains a function, 'getadhochtml',
 which is used to provide reporting functionality. The component generates
 reports in a temporary file location, returns the file contents to the
 web client, then deletes it... but does not validate the path.

 3) There is an API function to create your own alerts: eTSAPISend.exe.
 The service does not use any authentication, so the attacker may script
 the binary to send thousands of false-positive alerts to the Security
 Command Center, diverting attention and resources from real threats.

 Examples (lines have been wrapped):

  1) https://escc-server.example.com:8080/etrust/servlet/ePPIServlet?

  Would return an error similar to: "Cannot read profile:
  C:\Program Files\Computer Associates\eTrust\Command Centre\servlet\.. "

  2) https://escc-server.example.com:8080/etrust/servlet/eSMPAuditServlet?

  Assuming the product was installed on the C drive, this will return the
  contents of c:\boot.ini to the client, then immediately delete it, e.g:

  [boot loader]
  [operating systems]
  multi(0)disk(0)rdisk(0)partition(1)\WINNT="Windows 2003 Server"

  3) An example Windows Logon failure event would be similar to:

  C:\> etsapisend.exe -nod $dstIP -cat "System Access" -opr Logon
  -sta F -nam NT-Security -loc \\Domain\IIS_Server -usr System -evt 70
  -src Security -nid 529 -inf "Logon Failure"

 Exploitation Requirement:

  Fortunately, the web service requires product based authentication prior
  to execution for 1 and 2. Unfortunately, the product ships with multiple
  default usernames and passwords, which although unlikely, may still be
  present. The default username:password pairs are below:


 For point 3, the $dstIP must have the Audit Router socket open (tcp/111).

 1) Fixes QO81875, QO81758, QO81862, QO81863 ...

 2) Fixes QO81851, QO81876, QO81878 can be found at:


 3) No solution - use perimeter based firewalls.

 aushack.com advisory

 Patrick Webster ( patrickaushack.com )

 Thanks to the CA Security team for their quick response.

Disclosure timeline:
 21-Jan-2006 - Vulnerabilities discovered.
 04-Aug-2006 - Sent to Computer Associates Security Advisor.
 04-Aug-2006 - Vendor response & verification.
 19-Sep-2006 - Vendor patch release.
 22-Sep-2006 - Public disclosure.