A backdoor found in the default configuration of the Unanet web application allows an unauthenticated attacker to login and manipulate user accounts and the roles they maintain.
Unanet provides end-to-end services automation, its web-based software enables the management of people and projects from a single database. According to the company, it offers “one look and feel, and one connected set of applications.”
The issue, Trustwave security researchers say, resides in a code branch within the Unanet product that maintains a hardcoded user, unlisted in the users table of the database. This user, they explain, was initially identified via a user enumeration vulnerability.
The user cannot login directly but, because session cookies within Unanet function in a vulnerable manner, with zero entropy and no session timeouts, anyone can bypass the need to authenticate with this user. The construction of a Unanet session cookie, the researchers explain, includes UserID, username in uppercase, roles concatenated together with ‘^’, static cookie value, and digest.
What’s more, usernames and IDs were available via a user enumeration, because iterating the ‘personkey’ value would result in each username and id echoing into an error page that an attacker could parse to determine the list of existing usernames within the system.
Because user roles are known, since they exist within the ‘Roles’ tab in the preferences section, researchers managed to identify 19 roles within the environment, although they aren’t specifically associated with each user. However, researchers say that the possible permutations of users and roles can be brought down to around 5! permutations, meaning they can be determined using brute force attacks.
At this point, with the userID, usernames, and roles already discovered, all that an attacker needs to determine a Unanet session cookie is the special cookie value, which is referred to as a nonce, which, by default, is only used once. This, however, is a set to a default, although Unanet suggests it should be changed.
As long as the value hasn’t been changed, “the hidden cookie value can be brute forced offline, using the knowledge of all other values. This is true because the algorithm for generating the digest is known and when userID, username, roles, and digest are known it becomes a simple problem of solving for the single missing variable,” Trustwave security researchers explain.
User unanet (id 0), however, is not handled in the same way, and the researchers discovered that, if the personkey was zero, it would go to the makeadmin section, and that the method generated a new person ‘unanet’ and assigned the password ‘UNANET’ to it. Additionally, it called the ‘setUnanetAdministrator(true)’ method.
Armed with the UserID, Username, and the secret group __unanetAdministrator__, the researchers managed to generate the digest and reveal the cookie, and then to login using the user. The main issue, they say, is that anyone can use this method to access a Unanet system.
“This is not some deep, arcane issue. Anyone having access to a Unanet system is capable of generating the same conclusion via a simple code review. Additionally, even if the cookie ‘nonce’ was changed, any user of the system (or attacker who intercepts a request) is capable of brute forcing the new nonce offline. Currently any system that has not changed their cookie ‘nonce’ is vulnerable to an unauthenticated attacker being able to login with unanetAdministrator privileges,” the researchers mention.
At the moment, there are around 1600 public facing instances of Unanet that are potentially affected by this issue, Trustwave says. By exploiting the issue, an attacker could access the system and remove users, change roles, and create a new administrator. Using these privileges, the attacker can deny availability, comprise integrity, and remove confidentiality, the security researchers say.
The issue was patched in Unanet versions 10.0.51, 10.1.43, and 10.2.5.