Security Advisory - FlexVision Listener Vulnerability

In this post, I reproduce an advisory we published on Full Disclosure about a vulnerability in the FlexVision software.

It is worth noting that we tried to report this vulnerability to US-CERT; however, they did not accept it because FlexVision told CERT that it was a version that is no longer supported. In my view that is not true, since we have strong indications that version 1.3 is still widely used.

So does that mean that if it were a Windows 2000/XP vulnerability they would not publish it? I doubt it.

=====[ Tempest Security Intelligence - Advisory #03 / 2010 ]=============
       Information Disclosure Vulnerability in FlexVision Agent Listener
  Authors: Victor Ribeiro Hora 
           Tempest Security Intelligence - Brazil
=====[ Table of Contents ]=================================
 1. Overview
 2. Detailed description
 3. Additional context & Solutions
 4. References
 5. Thanks
=====[ Overview ]======================================
 * System affected: FlexVision Agent Listener 1.3 for Windows, Linux and Solaris
   (other versions may be vulnerable)
 * Release date: 22 October 2010
 * Impact: Successful exploitation of this vulnerability may lead to remote disclosure of sensitive information from the server.
FlexVision [1] claims to be an IT service focused on hardware and software management, offering features like capacity
planning, SLA monitoring and systems inventory. The service is used by several major companies in Brazil, including 
banking, telecom, energy, health and independent product sectors.
The vulnerability was found in the inventory agent listener or "fval". Exploitation of this weakness does not require
any authentication and may lead to remote disclosure of sensitive information from the server running the agent.
Specifically, an attacker can download non-binary files, and list running services, running processes and installed 
software. It seems there is some active filtering for known sensitive data, but other sensitive information may leak.
=====[ Detailed description ]================================
FlexVision Inventory service has several agents (servers) to collect data from different platforms and send them to 
a central console on the network. These agents are installed on the hardware to be monitored and listen for incoming
client connections.
One of the agents that was analyzed is the "FlexVision Actions Listener 1.3 for Linux", used for the inventory of 
Linux systems. This agent is executed by a Linux binary called "fval" started at boot time through an initscript in
/etc/init.d/rc.fval. Apparently the fval binary executes a chdir() to /opt/flex/plugins, then it opens a socket 
listening for connections on port 3810/TCP in daemon mode.
As soon as the TCP Three-Way Handshake is completed, the agent keeps waiting for "commands" to perform the various
inventory functions. These commands are interpreted as internal functions of the fval binary, such 
as help, version, exit or run.
Specifically, the run function expects a parameter. We noted that this parameter is a bash script file in the 
/opt/flex/plugins directory. This script is executed by the fval binary, and the output of the script is returned 
on the same TCP connection to the central console application. These commands are normally sent from a central 
console to the monitored agent.
As the connection is neither authenticated nor encrypted in any way, any computer that can reach port 3810/TCP of an
agent can send commands to be executed by that agent.
Although the agent actively filters some well-known sensitive data (such as password hashes in the "shadow" file), it
is still possible to retrieve other sensitive data that is less easy to predict. Some special characters we tested
were also filtered, such as '*', ';', '>', as well as white space, tabs and other special delimiters used by bash
and other shells.

The following is an example of the recovery of a private SSH RSA key file
that belongs to the root user on a Linux server:
[email protected]:~$ telnet 3810
Connected to
Escape character is '^]'.
FVAL>run /root/.ssh id_rsa
Just like Linux fval, on Windows it's also possible to dump any non-binary file. It's worth saying that as fval always
runs as a privileged user (Administrator/root), all the system files are accessible and most of them are readable.
Windows hosts behave similarly. As soon as the Agent is installed, it is registered as a System Service and runs at boot
time. This service runs the fval binary located at %SystemDrive%\%ProgramFiles%\Flexvision. Then, fval will run any file
in the %SystemDrive%\%ProgramFiles%\Flexvision\Plugins directory.
By default, Windows fval has several 32-bit Portable Executable (.EXE) files to provide inventory data to the central
console, but the most interesting is the hotfix.exe file, which lists all the installed HotFixes on the host:
[email protected]:~$ telnet 3810
Connected to
Escape character is '^]'.
FVAL>run hotfix.exe
Hot Fix ID.75=File 1
Service pack afetado.75=KB956801
Instalado por.75=
Hot Fix ID.76=File 1
Service pack afetado.76=KB956806
Instalado por.76=
Hot Fix ID.77=File 1
Service pack afetado.77=KB956848
Instalado por.77=

With that sort of info it would be possible to plan and execute a much more precise attack against the host.
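Because the listener accepts commands from any peer that can reach 3810/TCP, one defensive check on a monitored host is
to review its connection table for clients other than the central console. The following is an added example, not part
of the original advisory: the console address 10.0.0.5 and the `ss -tn`-style sample lines are constructed assumptions.

```python
import ipaddress

FVAL_PORT = 3810  # listener port named in the advisory
# Assumption: the only legitimate client is the central console (constructed address).
ALLOWED_CONSOLES = [ipaddress.ip_network("10.0.0.5/32")]

# Constructed sample in the column layout of `ss -tn` (State Recv-Q Send-Q Local Peer).
SAMPLE_SS_OUTPUT = """\
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
ESTAB  0      0      10.0.0.20:3810      10.0.0.5:51544
ESTAB  0      0      10.0.0.20:3810      10.0.3.77:40112
ESTAB  0      0      10.0.0.20:22        10.0.3.77:40200
ESTAB  0      0      [::ffff:10.0.0.20]:3810 [::ffff:192.0.2.9]:55001
ESTAB  0      0      10.0.0.20:45120     10.0.0.9:3810
"""


def split_endpoint(endpoint):
    """Split 'addr:port' or '[v6addr]:port' into (ip_address, port)."""
    host, _, port = endpoint.rpartition(":")
    addr = ipaddress.ip_address(host.strip("[]"))
    # Treat IPv4-mapped IPv6 peers as their IPv4 address so the allowlist applies.
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return addr, int(port)


def unexpected_fval_peers(ss_output, allowed=ALLOWED_CONSOLES, port=FVAL_PORT):
    """Return peers connected to the local fval port that are not an allowed console."""
    findings = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] == "State":
            continue
        try:
            _, local_port = split_endpoint(fields[3])
            peer, _ = split_endpoint(fields[4])
        except ValueError:
            continue  # skip lines that are not socket records
        if local_port != port:
            continue  # only inbound sessions to the listener matter
        if not any(peer in net for net in allowed):
            findings.append(str(peer))
    return findings


if __name__ == "__main__":
    for peer in unexpected_fval_peers(SAMPLE_SS_OUTPUT):
        print(f"unexpected client on {FVAL_PORT}/TCP: {peer}")
```

This only detects unexpected clients; like the source IP whitelist discussed in the next section, it does not add
authentication or encryption to the protocol.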
=====[ Other contexts & Solutions ]============================
As usual [2], we contacted the vendor. After some weeks, they released version 1.4 that uses source IP based 
access (whitelist policy) and a static key for authentication, but nothing to address the actual problem: no strong 
authentication scheme and no encrypted client-server traffic. Version 2.0 was just released; the vendor states that this
version uses encrypted client-server communication, but we were unable to test it until now. After waiting a few 
months, FlexVision did not provide us a public URL with an actual fix which addresses this problem to attach in this 

=====[ Thanks ]========================================
 - Tempest Security Intelligence [3] - Tempest MSS Team
 - Evandro Curvelo Hora 
 - Marco "Kiko" Carnut 
 - Cristiano Lincoln Mattos 
 - Aldo Albuquerque 
=====[ References ]======================================
