Credit:
The information has been provided by Felipe Aragon.
The original article can be found at: http://www.syhunt.com/advisories/?id=aas-multiple
Vulnerable Systems:
 * Syhunt A-A-S version 2.0.48

1) Index.aas "job" Parameter XSRF (Cross Site Request Forgery) Arbitrary Command Execution
A forged request to index.aas carrying the "job" parameter is accepted by the server on behalf of an authenticated user. An attacker who lures a logged-in user (for example the admin) to a malicious web page can therefore cause commands to be executed on the A-A-S host with that user's rights.

2) Default Admin Password Vulnerability
By default, A-A-S installs with a default admin account. The account has an undocumented default password of "wildbat" and all security rights enabled. These default rights allow execution of arbitrary commands on the machine.

3) Insecure Password and Port Keyword Storage Vulnerability
A-A-S passwords and the port keyword (used to connect to the server when in Stealth or Silent mode) are stored as base64 strings in the "aas.ini" file in the A-A-S install directory, with no encryption at all. Base64 is a reversible encoding, not encryption, so anyone who can read the file can trivially recover the password or port keyword.
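The following is an added example, not code from the advisory or from Syhunt: it audits an aas.ini-style file for base64-obscured secrets (item 3) and flags any value that decodes to the documented default admin password "wildbat" (item 2). The section and key names in the embedded sample file are assumptions made for illustration; the real layout of aas.ini is not documented in the advisory.

```python
import base64
import configparser

# Constructed sample aas.ini. Section and key names ("server", "portkeyword",
# "users", "admin") are assumptions for this example, not the real file layout.
# The values are base64 of "wildbat" (the documented default admin password)
# and of a made-up port keyword "secretkey".
SAMPLE_INI = """\
[server]
port=80
portkeyword=c2VjcmV0a2V5

[users]
admin=d2lsZGJhdA==
"""

# Default admin password named in the advisory.
DEFAULT_ADMIN_PASSWORD = "wildbat"


def decode_b64_if_possible(value):
    """Return the decoded text if value is strict base64 of printable text, else None.

    validate=True rejects stray characters; binascii.Error (bad padding) and
    UnicodeDecodeError are both subclasses of ValueError, so one except covers both.
    Short plain words can still look like valid base64, so treat hits as leads, not proof.
    """
    try:
        raw = base64.b64decode(value, validate=True)
        text = raw.decode("utf-8")
    except ValueError:
        return None
    if not text or not text.isprintable():
        return None
    return text


def audit_ini(text):
    """Return (section, key, decoded_value, classification) for every base64-looking value."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    findings = []
    for section in cp.sections():
        for key, value in cp.items(section):
            decoded = decode_b64_if_possible(value)
            if decoded is None:
                continue
            if decoded == DEFAULT_ADMIN_PASSWORD:
                kind = "default admin password"
            else:
                kind = "base64-obscured secret"
            findings.append((section, key, decoded, kind))
    return findings


if __name__ == "__main__":
    for section, key, decoded, kind in audit_ini(SAMPLE_INI):
        print(f"[{section}] {key} -> {decoded!r} ({kind})")
```

Run against a real install by replacing SAMPLE_INI with the contents of aas.ini; a "default admin password" finding means the install still has the vendor default and should be treated as compromised until the password is changed.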
Workaround:
As a workaround for the XSRF vulnerability, the vendor recommends limiting the security rights in the user settings screen for each user:
 - Disable the "Allow own command" option (command execution is no longer possible once this option is disabled).
 - If possible, also disable the "Enable kill process", "Start/Stop service" and "Run application" rights.
Avoid navigating to other websites while logged in to the Application Access Server.
Never start the server with its default settings (as explained above, a machine running a default A-A-S install can be easily compromised). Change the password of the admin account first.
CVE Information:
CVE-2009-1464
CVE-2009-1465
CVE-2009-1466