Thursday 11 October 2012

TeamMentor Vulnerability Disclosures: CSRF , ClickJacking and Get Password Hash from Browser Memory

Following the Test and Hack TeamMentor server with 3.2 RC5 code and SI library post, Dinesh Shetty took the challenge and sent me 3 nice documents with a number of security issues on the 3.2 version of TeamMentor (note that we are also Creating an TeamMentor Security Bounty Program)

Here are some comments on the 3 issues, and below you can see the PDFs he submitted:

  • CSRF:
    • this was a typical example of a security control that was disabled during development which should had been re-enabled before shipping. 
    • Fixed on latest build
  • ClickJacking :
    • pretty good finding and something that we hadn't look at.  
    • Fixed on latest build
  • Get Password Hash from Browser Memory:
    • this is an interesting one, since I (as a dev) don't think that it is a mitigatable issue :)
    • basically, if the attacker controls the browser (or the computer) he will be able to capture the admin session
      • Also, there are multiple places to get current/past user credentials (SessionID,  password as it is being typed, multiple locations in memory where that value is stored).
    • there is also the issue of multiple browsers and the fact that each one will handle it differently. 
    • just for reference, at the moment the hash is already salted with the username value (we could try to make this unique per session, but that would not solve this issue)
    • I'm happy to change my mind, but at the moment I'm marking this as a not-to-be-fixed :)
My plan is to document this better in the TeamMentor docs, where I will also add more info about the TeamMentor's Security Architecture and its defences

Here are the PDFs submitted by Dinesh:

CSRF - Cross-Site Request Forgery




ClickJacking




Get Password Hash from Browser Memory