NSA workflow application Emissary vulnerable to malicious takeover

Emissary, an open source, peer-to-peer (P2P) workflow engine developed by the US National Security Agency (NSA), contains vulnerabilities that attackers could chain to take over Emissary instances.

Users have been urged to update their systems after the discovery of five security flaws in the Java web application, which runs in a multi-tiered P2P network of computer resources.

In a blog post published on Monday (April 5), security researchers from Swiss infosec outfit SonarSource demonstrated how an attacker could mount a cross-site request forgery (CSRF) attack against a logged-in user to exploit a code injection vulnerability and achieve remote code execution (RCE).

They also combined arbitrary file disclosure and reflected cross-site scripting (XSS) flaws to read arbitrary files from the Emissary server.

Once the XSS payload is executed in the victim’s browser, the file disclosure vulnerability could be exploited to read administrator credentials and relay them to an attacker-controlled server – resulting in a “quick and easy” server compromise, which the researchers demonstrated in a video accompanying their post.

XSS and arbitrary file disclosure

The Emissary XSS flaw was found in a DocumentAction error response message generated when a requested document was not found, resulting in user input being reflected without output encoding.

An attacker could therefore craft a malicious link that, if clicked by an authenticated victim, passes a payload that executes JavaScript in the browser, explained SonarSource researcher Dennis Brinkrolf.

The file disclosure flaw was found in a feature showing configuration files. The user-controlled HTTP GET variable CONFIG_PARAM was received from the query string, and the configName variable was not sanitized and could contain any file path.

A path traversal attack that injects character sequences such as ../ would therefore enable a malicious user to read the authentication file used by Emissary’s HTTP Digest Authentication feature, which by default holds administrator credentials for only a single user.

Remote takeover

Found in a console feature used to evaluate Ruby code, the code injection bug arises from the absence of CSRF tokens.

Brinkrolf demonstrated that if the user-controlled POST parameter CONSOLE_COMMAND equals the string eval, then a second attacker-controlled POST variable, CONSOLE_COMMAND_STRING, is read and passed to the evalAndWait() function of the RubyConsole class.

The vulnerable eval() function then receives an attacker-controlled Ruby expression as its first parameter, so an attacker can execute arbitrary Ruby code through the browser of a logged-in administrator.
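To make the three weaknesses concrete from the defender's side, the following added example (not Emissary's own code; only the parameter names CONFIG_PARAM and CONSOLE_COMMAND come from the article) shows a hardened form of each pattern described above: containing the config path lookup, encoding the reflected document name, and binding the console request to a per-session CSRF token. The configuration directory, method names and token scheme are assumptions.

```java
import java.nio.charset.StandardCharsets;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.MessageDigest;

// Added example, not Emissary's code. Directory, method names and the token
// scheme are assumptions; only the parameter names come from the article.
public final class EmissaryHardening {
    // Assumed configuration directory; the real location is not given in the article.
    static final Path CONFIG_DIR = Paths.get("/opt/emissary/config").toAbsolutePath().normalize();

    // (1) File disclosure: resolving CONFIG_PARAM against the directory without a
    //     check lets "../" sequences leave it. Normalize the joined path and
    //     require the result to remain under CONFIG_DIR before opening anything.
    static Path resolveConfig(String configParam) {
        Path candidate = CONFIG_DIR.resolve(configParam).normalize();
        if (!candidate.startsWith(CONFIG_DIR)) {
            throw new IllegalArgumentException("CONFIG_PARAM escapes the config directory");
        }
        return candidate;
    }

    // (2) Reflected XSS: the not-found message echoed the requested name unencoded.
    //     Encode it for an HTML context before it reaches the response body.
    static String notFoundMessage(String docName) {
        return "<p>Document " + htmlEscape(docName) + " not found</p>";
    }

    static String htmlEscape(String s) {
        StringBuilder sb = new StringBuilder(s.length());
        for (char c : s.toCharArray()) {
            switch (c) {
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '&':  sb.append("&amp;");  break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    // (3) CSRF on the Ruby console: a cross-site form can post CONSOLE_COMMAND=eval
    //     with the victim's cookies, so every console request must also carry a
    //     per-session token the foreign page cannot read; compare in constant time.
    static boolean consoleRequestAllowed(String sessionToken, String submittedToken) {
        if (sessionToken == null || submittedToken == null) return false;
        return MessageDigest.isEqual(sessionToken.getBytes(StandardCharsets.UTF_8),
                                     submittedToken.getBytes(StandardCharsets.UTF_8));
    }
}
```

With these in place, `resolveConfig("../../etc/passwd")` throws, `notFoundMessage("<script>")` yields `&lt;script&gt;` in the body, and a forged console POST without the session token is rejected before evalAndWait() is ever reached.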

SonarSource researchers also discovered authenticated file delete and file upload vulnerabilities.

Disclosure timeline

The vulnerabilities were found in Emissary version 5.9.0.

The researchers initiated contact with Emissary’s maintainers on September 24, 2020, and sent them an advisory on October 16. Version 5.11.0, which addressed the RCE issue, was then issued on December 15.


After being notified of the remaining vulnerabilities on January 7, Emissary maintainers then released version 6.1 on March 2.

However, on March 5 SonarSource informed maintainers that the CSRF and path traversal problems remained unpatched.

The Daily Swig has asked the maintainers about a timeline for final patches – we will update this article if and when we hear back.

Source: https://portswigger.net/daily-swig/nsa-workflow-application-emissary-vulnerable-to-malicious-takeover
