Company

Technical Security Consulting

Managing Risk

Research & Development

Forensics

Security Management

Media Centre

PCI DSS

• Home
• Overview
• R&D Services
• Technology Focus
• Messaging Systems Security
• Embedded Systems Security
• Collaborative Research Projects
• Technical Whitepapers
• Research Briefings
• Publicly Released Tools
• Vendor Alerts - 0days
• Security Advisories
• Advisories
• Advisory 028
• Advisory 027
• Advisory 026
• Advisory 025
• Advisory 024
• Advisory 023
• Advisory 022
• Advisory 021
• Advisory 020
• Advisory 019
• Advisory 018
• Advisory 017
• Advisory 016
• Advisory 015
• Advisory 014
• Advisory 013
• Advisory 012
• Advisory 011
• Advisory 010
• Advisory 009
• Advisory 008
• Advisory 007
• Advisory 006
• Advisory 005
• Advisory 004
• Advisory 003
• Advisory 002
• Advisory 001

Advisory 013

Ultraapps Issue Manager is vulnerable to Privilege Escalation

Vulnerablity Type / Importance: Privilege Escalation / High

Problem discovered: November 25th 2005
Vendor contacted: November 25th 2005
Advisory published: December 20th 2005
----------------------------------------------------------------------

Abstract:

Utraapps Issue Manager is a freely available web-based business
application for tracking issues and tasks during software development
or other projects involving teams of people. The service is vulnerable
to a privilege escalation attack that would enable a standard user to
log into the application as an administrator.

Description:

The vulnerability enables a low privileged user to modify the password
of the administrator account and therefore escalate privileges. The details
of the vulnerability are shown below:

In the test configuration there are 2 users:

admin/admin
guest/guest

Log on as a guest and visit the "My profile" link:
http://xxx.xxx.xxx.xxx/UserProfile.aspx

Intercept the request using a web proxy and change the field
'p_User_user_id' and 'User_user_id' from 2 (which is the guest id) to 1
(which is the administrator id)

Also, modify the password in the 'User_pass' field.

The user can now log into the admin account with the new password.

The vulnerability is located in the file UserProfile.cs, lines 273-275

if (p_User_user_id.Value.Length > 0) {
sWhere = sWhere + "user_id=" + CCUtility.ToSQL(p_User_user_id.Value, CCUtility.FIELD_TYPE_Number);

Tested Versions:

Ultraapps Issue Manager V2.1

Tested Operating Systems:

Microsoft Windows 2000

Vendor & Patch Information:

Contact was initially made via email on November 25th 2005. HOwever, no
response was received. A bug report was then submitted to the Ultraapps
website on December 13th 2005. On December 20th, a patch for the issue
was published on the site (http://www.ultraapps.com)

Workarounds:

IRM are not aware of any workarounds for this issue.

Credits:

Research & Advisory: R Marcos and A Davis

Disclaimer:

All information in this advisory is provided on an 'as is'
basis in the hope that it will be useful. Information Risk Management
Plc is not responsible for any risks or occurrences caused
by the application of this information.