tridentli / trident

Trident is a trusted and secure communication platform for enabling better communication between groups of trusted parties
https://trident.li
Apache License 2.0

[Portal: CLI] Trust Group Name Enumeration Risk #143

Open teward opened 6 years ago

teward commented 6 years ago

During a penetration test of the Trident software as part of a penetration test conducted by Black Hills Info Sec, a Trustgroup Enumeration Risk was discovered.

This requires a low-privilege user to expose the risk, and the CLI access to be enabled in the portal.

It was discovered that the portal /cli/ page, when enabled, had a command called ml which gave information about mailing lists to which the user was subscribed with input like ml list groupname. If the given group name existed, the response would give a different error than if it did not, allowing the tester to enumerate group names. Mailing list addresses seemed to be prepended with the group name, as expected by the system, but this could be used to enumerate available trust groups.

While this could potentially be used in targeted social engineering attacks, the risk of this is low.

Recommendations included providing a consistent response to requests which did not yield immediate internal information as to the status of the item requested.

Examples included below:

Command issued as a non-member of a valid group: ml list validgroup
Output: "An error occured: Not a group member."

Command issued against an invalid group: ml list invalidgroup
Output: "An error occured: sql: no rows in result set."

@bapril was notified about this issue over email shortly after the issues were discovered. It was decided that a public issue ticket for this issue should be made over the past weekend.

The Portal interface to the CLI should probably have standardized responses regardless of whether a group exists or not, if you are not a member of such group.
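As an added illustration of the oracle described in this report and the uniform-response fix it recommends, here is example Go code written for this page; it is not part of Trident's code base. The in-memory group table, the user names, the list address format and the handler names (mlListLeaky, mlListUniform, distinguishable) are constructed for the example. The leaky handler reproduces the two messages quoted above, surfacing sql.ErrNoRows from the standard library so the wording matches the reported output; the hardened handler collapses both failure paths into a single response and leaves the real cause for server-side logging.

```go
package main

import (
	"database/sql"
	"errors"
	"fmt"
)

// Constructed stand-in for the trust group table and its membership list;
// this is not Trident's schema.
var groupMembers = map[string][]string{
	"validgroup": {"alice", "bob"},
}

// lookupGroup mimics a database lookup: a missing row surfaces as
// sql.ErrNoRows, whose text is exactly what the report shows leaking.
func lookupGroup(name string) ([]string, error) {
	members, ok := groupMembers[name]
	if !ok {
		return nil, sql.ErrNoRows
	}
	return members, nil
}

func isMember(user string, members []string) bool {
	for _, m := range members {
		if m == user {
			return true
		}
	}
	return false
}

// listAddress is a hypothetical mailing list address derived from the group
// name, as the report observes Trident does.
func listAddress(group string) string {
	return fmt.Sprintf("%s@lists.example", group)
}

// mlListLeaky reproduces the reported behaviour: the "no such group" and
// "not a member" paths return different messages, so any low-privilege
// user can tell which trust group names exist.
func mlListLeaky(user, group string) (string, error) {
	members, err := lookupGroup(group)
	if err != nil {
		return "", fmt.Errorf("An error occured: %v", err)
	}
	if !isMember(user, members) {
		return "", errors.New("An error occured: Not a group member.")
	}
	return listAddress(group), nil
}

// errNotAuthorized is the single response every non-member receives.
var errNotAuthorized = errors.New("An error occured: Not a group member.")

// mlListUniform is the hardened form the report recommends: whether the
// group is missing or the caller is simply not a member, the caller sees
// the same error. The underlying cause (err) is what operators would log
// server-side; it is never returned to the caller.
func mlListUniform(user, group string) (string, error) {
	members, err := lookupGroup(group)
	if err != nil || !isMember(user, members) {
		return "", errNotAuthorized
	}
	return listAddress(group), nil
}

// distinguishable is the tester's check: as a non-member, query one group
// that exists and one that does not, and report whether the error text
// differs. True means the handler is an enumeration oracle.
func distinguishable(list func(user, group string) (string, error)) bool {
	_, errExisting := list("mallory", "validgroup")
	_, errMissing := list("mallory", "invalidgroup")
	return errExisting.Error() != errMissing.Error()
}

func main() {
	fmt.Println("leaky handler is an oracle:  ", distinguishable(mlListLeaky))
	fmt.Println("uniform handler is an oracle:", distinguishable(mlListUniform))
}
```

Matching the message text is necessary but not sufficient: the status code, response length and response time for the two failure paths should also be compared during retesting, since any of them can reopen the same oracle.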