Virtual Event: Threat Detection and Incident Response Summit - Watch Sessions
Connect with us

Hi, what are you looking for?


Application Security

Unanet Backdoor Allows Unauthenticated Access

A backdoor found in the default configuration of the Unanet web application allows an unauthenticated attacker to login and manipulate user accounts and the roles they maintain.

A backdoor found in the default configuration of the Unanet web application allows an unauthenticated attacker to login and manipulate user accounts and the roles they maintain.

Unanet provides end-to-end services automation, its web-based software enables the management of people and projects from a single database. According to the company, it offers “one look and feel, and one connected set of applications.”

The issue, Trustwave security researchers say, resides in a code branch within the Unanet product that maintains a hardcoded user, unlisted in the users table of the database. This user, they explain, was initially identified via a user enumeration vulnerability.

The user cannot login directly but, because session cookies within Unanet function in a vulnerable manner, with zero entropy and no session timeouts, anyone can bypass the need to authenticate with this user. The construction of a Unanet session cookie, the researchers explain, includes UserID, username in uppercase, roles concatenated together with ‘^’, static cookie value, and digest.

What’s more, usernames and IDs were available via a user enumeration, because iterating the ‘personkey’ value would result in each username and id echoing into an error page that an attacker could parse to determine the list of existing usernames within the system.

Because user roles are known, since they exist within the ‘Roles’ tab in the preferences section, researchers managed to identify 19 roles within the environment, although they aren’t specifically associated with each user. However, researchers say that the possible permutations of users and roles can be brought down to around 5! permutations, meaning they can be determined using brute force attacks.

At this point, with the userID, usernames, and roles already discovered, all that an attacker needs to determine a Unanet session cookie is the special cookie value, which is referred to as a nonce, which, by default, is only used once. This, however, is a set to a default, although Unanet suggests it should be changed.

Advertisement. Scroll to continue reading.

As long as the value hasn’t been changed, “the hidden cookie value can be brute forced offline, using the knowledge of all other values. This is true because the algorithm for generating the digest is known and when userID, username, roles, and digest are known it becomes a simple problem of solving for the single missing variable,” Trustwave security researchers explain.

User unanet (id 0), however, is not handled in the same way, and the researchers discovered that, if the personkey was zero, it would go to the makeadmin section, and that the method generated a new person ‘unanet’ and assigned the password ‘UNANET’ to it. Additionally, it called the ‘setUnanetAdministrator(true)’ method.

Armed with the UserID, Username, and the secret group __unanetAdministrator__, the researchers managed to generate the digest and reveal the cookie, and then to login using the user. The main issue, they say, is that anyone can use this method to access a Unanet system.

“This is not some deep, arcane issue. Anyone having access to a Unanet system is capable of generating the same conclusion via a simple code review. Additionally, even if the cookie ‘nonce’ was changed, any user of the system (or attacker who intercepts a request) is capable of brute forcing the new nonce offline. Currently any system that has not changed their cookie ‘nonce’ is vulnerable to an unauthenticated attacker being able to login with unanetAdministrator privileges,” the researchers mention.

At the moment, there are around 1600 public facing instances of Unanet that are potentially affected by this issue, Trustwave says. By exploiting the issue, an attacker could access the system and remove users, change roles, and create a new administrator. Using these privileges, the attacker can deny availability, comprise integrity, and remove confidentiality, the security researchers say.

The issue was patched in Unanet versions 10.0.51, 10.1.43, and 10.2.5.

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.


Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.


Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.

Application Security

PayPal is alerting roughly 35,000 individuals that their accounts have been targeted in a credential stuffing campaign.

Application Security

GitHub this week announced the revocation of three certificates used for the GitHub Desktop and Atom applications.

Application Security

Drupal released updates that resolve four vulnerabilities in Drupal core and three plugins.

Application Security

A CSRF vulnerability in the source control management (SCM) service Kudu could be exploited to achieve remote code execution in multiple Azure services.

Application Security

While there are many routes to application security, bundles that allow security teams to quickly and easily secure applications and affect security posture in...

Application Security

Fortinet on Monday issued an emergency patch to cover a severe vulnerability in its FortiOS SSL-VPN product, warning that hackers have already exploited the...

Application Security

Many developers and security people admit to having experienced a breach effected through compromised API credentials.