0day.today - Biggest Exploit Database in the World.
- We use one main domain: http://0day.today
- Most of the materials is completely FREE
- If you want to purchase the exploit / get V.I.P. access or pay for any other service,
you need to buy or earn
GOLD
Administration of this site uses the official contacts. Beware of impostors!
We DO NOT use Telegram or any messengers / social networks!Please, beware of scammers!
- Read the [ agreement ]
- Read the [ Submit ] rules
- Visit the [ faq ] page
- [ Register ] profile
- Get [ GOLD ]
- If you want to [ sell ]
- If you want to [ buy ]
- If you lost [ Account ]
- Any questions [ admin@0day.today ]
- Authorisation page
- Registration page
- Restore account page
- FAQ page
- Contacts page
- Publishing rules
- Agreement page
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
Contact us
You can contact us by:
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
MATESO GmbH Password Safe And Repository Enterprise 7.4.4 Build 2247 Credential Management Vulnerabi
[Product(s): Password Safe and Repository Enterprise
Manufacturer: MATESO GmbH
Affected Version(s): 7.4.4 Build 2247
Tested Version(s): 7.4.4 Build 2247
Vulnerability Type: Credentials Management (CWE-255)
Violation of Secure Design Principles (CWE-657)
Risk Level: High
Solution Status: Fixed
Manufacturer Notification: 2015-07-09
Solution Date: 2016-10-18
Public Disclosure: 2017-04-10
CVE Reference: Not yet assigned
Author of Advisory: Matthias Deeg (SySS GmbH)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Overview:
Password Safe and Repository Enterprise is a password management
software for companies with many features.
The vendor MATESO GmbH describes the product as follows (see [1]):
"Manage your passwords in the company according to your security needs!
Features such as password policies, multi-eyes principle, workflow and
task system makes management productive and safe.
The integrated rights management system with data transfer option and
automatic synchronization with Active Directory ensures that your
employees can only access data which they are entitled to."
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Vulnerability Details:
SySS GmbH found out that synchronized databases (offline databases)
created by a specific user also contain sensitive data of other users,
for example login credentials.
The password information of other users are stored as raw, unsalted MD5
hash values in the database table tdUsers (see SYSS-2015-037).
Thus, by having access to an offline database, it is possible to access
password information of other users, for example the MD5 password hash
of the built-in administrator account. This password information may be
recovered during password guessing attacks and used for accessing
foreign user data in an unauthorized way or for performing privilege
escalation attacks in the online mode.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Proof of Concept (PoC):
In the offline mode of the password management software Password Safe
and Repository, it is possible to manipulate SQL statements due to
the violation of secure design principles and SQL injection
vulnerabilities (see SYSS-2015-035).
By using the following SQL statement, user information of all users
unnecessarily stored in the database table tdUsers can be retrieved from
an offline database and extracted from memory of the password management
software, for example by using a modified client software:
SELECT * FROM tdUsers
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Solution:
The MATESO GmbH released the new software version Password Safe and
Repository Enterprise 8 that is not affected by the described security
issues.
Please contact the manufacturer for further information or support.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Disclosure Timeline:
2015-07-09: Vulnerability reported to manufacturer
2015-07-09: Manufacturer acknowledges e-mail with SySS security advisory
2015-07-30: Scheduling of the publication date in agreement with the
manufacturer
2015-10-02: Rescheduling of the publication date in agreement with the
manufacturer
2016-10-18: Manufacturer presents new software version with fixed
security issues
2017-04-10: Public release of security advisory
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
References:
[1] Product website for Password Safe and Repository Enterprise
http://www.passwordsafe.de/en/products/business/enterprise-edition.html
[2] SySS Security Advisory SYSS-2015-036
https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2015-036.txt
[3] SySS Responsible Disclosure Policy
https://www.syss.de/en/news/responsible-disclosure-policy/
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Credits:
This security vulnerability was found by Matthias Deeg of SySS GmbH.
E-Mail: matthias.deeg (at) syss.de
Public Key:
https://www.syss.de/fileadmin/dokumente/Materialien/PGPKeys/Matthias_Deeg.asc
Key fingerprint = D1F0 A035 F06C E675 CDB9 0514 D9A4 BF6A 34AD 4DAB
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Disclaimer:
The information provided in this security advisory is provided "as is"
and without warranty of any kind. Details of this security advisory may
be updated in order to provide as accurate information as possible. The
latest version of this security advisory is available on the SySS Web
site.
# 0day.today [2024-07-07] #