Networksecurity.fi Security Advisory (06-06-2005)


Title: Sawmill unauthorized administrative access and Cross-site Scripting vulnerabilities
Criticality: High (3/3)
Affected software: Flowerfire Sawmill 7.x (7.1.5 and prior) and 6.x
Vendor home page: http://www.sawmill.co.uk/
Author: Juha-Matti Laurio    info [at] networksecurity.fi, juha-matti.laurio [at] netti.fi
Date: 6th June, 2005
Advisory ID: N/A (#7)
Location URL: http://www.networksecurity.fi/advisories/sawmill-admin.html (HTML)
CVE reference: CAN-2005-1900, CAN-2005-1901; see
cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1900 and
cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1901


- Overview:
Several remotely and locally exploitable vulnerabilities have been identified in the Flowerfire Sawmill log analyzer. They can enable cross-site scripting attacks and cause disclosure of sensitive information.

From the vendor:
"Sawmill is a powerful, hierarchical log analysis tool that runs on every major platform. It is particularly well suited to web server logs, but can process almost any log."
It is widely used at several large IT companies, web hosting companies, banks, US universities and elsewhere. It is commonly run as a CGI program, so its administrative interface is reachable through the web server that hosts it.

Additional information from the vendor:
Version 7.1.x adds support for Windows 2003 DNS, WebWasher, Kaspersky Labs for Mail Servers, Symantec Mail Security, Windows NT Scheduler and some Cisco products, among others.
The following categories of log type are covered:
Web Servers, Syslog Servers, Proxy Servers, Mail Servers, Media Servers, FTP Servers, Internet Devices, Network Devices, Firewalls, Applications and Other Formats.
Sawmill supports about 600 log formats.

Details:
Sawmill contains several vulnerabilities of the design error and input validation error types. Both non-administrative and administrative features are affected, specifically those handling licenses, license keys and user names. A further, more common type of administrative access issue is also present in the affected versions.
Sawmill's administrative interface is accessed with a web browser.
Sawmill 7.1.5 and prior, and the 6.x versions, are affected.


- Description:

Vulnerability #1:

A remote attacker with non-administrative privileges may gain administrative access to the vulnerable log analyzer.
This is both a remotely and a locally exploitable vulnerability.
It is also an authentication bypass type issue.

Impact:
This can disclose sensitive database, system and user information that is intended for administrators only, and it can also cause data loss.
The vendor changed the program's functionality in the fixed release to prevent this issue.

A malicious user can exploit this to obtain sensitive information.


Vulnerability #2:

A remote attacker with no user privileges at all may add a license to the vulnerable system.
Like vulnerability #1, this is both a remotely and a locally exploitable vulnerability.
It is also an authentication bypass type issue.

Impact:
This can lead to unauthorized access to the system.
According to the vendor's web page, Sawmill cannot be used without a working license code, so an attacker who can install a license of their own controls whether the application runs and under which license.

A malicious user can exploit this to gain access to the system via the 'Licensing' feature in the application's 'Administrative' menu.


Vulnerability #3:

A user with administrative privileges can mount a cross-site scripting (XSS) attack by entering a specially formatted user name in the application's 'Add User' window.
No further details are currently available.

Impact:
This can cause malicious script to be executed in the browser of any user who later views the page where the stored user name is displayed.


Vulnerability #4:

A user with administrative privileges can mount a cross-site scripting (XSS) attack by entering a specially formatted license key on the application's 'Licensing' page.

Impact:
This can cause malicious script to be executed in the browser of any user who later views the page where the stored license key is displayed.
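
Vulnerabilities #3 and #4 are the same bug class: a value typed into an administrative form (a user name, a license key) is stored and later echoed into HTML without escaping. The following is an added illustration written for this advisory; it is not Sawmill's code and it does not reproduce the actual Sawmill pages. The form layout, function names and the sample inputs are hypothetical, chosen only to show why the field must be escaped (and, as defence in depth, validated) before it is rendered.

```python
"""Added illustration (not Sawmill's code): a stored value echoed into an
admin page unescaped is an XSS sink; html.escape with quote=True closes it.
Function names, the row layout and the sample inputs are hypothetical."""
import html
import re

# Constructed sample inputs: a benign name and a name carrying markup
# that closes the value="..." attribute and opens a script tag.
BENIGN_NAME = "alice"
MALICIOUS_NAME = '"><script>alert(document.cookie)</script>'


def render_user_row_vulnerable(user_name: str) -> str:
    """Echoes the stored name straight into the page: the bug class."""
    return f'<tr><td><input type="text" name="user" value="{user_name}"></td></tr>'


def render_user_row_fixed(user_name: str) -> str:
    """Escapes &, <, >, " and ' so the value can neither close the
    attribute nor start a tag. quote=True matters in attribute context."""
    safe = html.escape(user_name, quote=True)
    return f'<tr><td><input type="text" name="user" value="{safe}"></td></tr>'


_SCRIPT_TAG = re.compile(r"<\s*script\b", re.IGNORECASE)


def contains_script_tag(markup: str) -> bool:
    """Crude check used only to show the difference between the two
    renderings: a real '<script' tag, not the encoded '&lt;script'."""
    return _SCRIPT_TAG.search(markup) is not None


# Defence in depth: restrict what a user name may contain before storing it.
# The character set is an assumption for the example, not a Sawmill rule.
_NAME_OK = re.compile(r"^[A-Za-z0-9_.@-]{1,64}$")


def validate_user_name(user_name: str) -> bool:
    """True only for names made of a conservative whitelist of characters."""
    return _NAME_OK.fullmatch(user_name) is not None


if __name__ == "__main__":
    print(render_user_row_vulnerable(MALICIOUS_NAME))  # attribute is broken out of
    print(render_user_row_fixed(MALICIOUS_NAME))       # markup stays inert text
```

The same escaping applies to the license key on the 'Licensing' page: any value that reaches a page's HTML, whatever its origin, is escaped for the context it is placed in (attribute, element body or script) at the moment of output, and input validation on the way in is an additional layer, not a replacement.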


Additionally, several separate non-security issues were fixed in the release mentioned. As reported, those updates are included in version 7.1.7 as well.

The previous security vulnerability in Sawmill was handled by security companies in February 2002.

- Solution status:
Fixed (Vendor patch)

Affected product versions:
Flowerfire Sawmill 7.1.5 and prior
Flowerfire Sawmill 6.x

The vulnerabilities have been confirmed in version 7.1.5. Earlier versions may be affected as well.

NOTE: Version 7.1.7 was released just one day after version 7.1.6.
Non-affected software versions:
Sawmill 7.1.7
Sawmill 7.1.6

Examples of the affected versions:
Sawmill 7.1.5
Sawmill 7.1.4
Sawmill 7.1.3
Sawmill 7.1.2
Sawmill 7.1.1b
Sawmill 7.1.1
Sawmill 7.1
Sawmill 7.0.10
Sawmill 7.0.9
Sawmill 6.5.11
Sawmill 6.5.5
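
An added helper for checking an inventory of installations against the ranges above (any 6.x release, or any 7.x release below 7.1.6). It is not from the advisory or the vendor; the version-string parser is an assumption based only on the strings listed on this page (for example 7.0.10 and 7.1.1b), and the sample inventory is constructed.

```python
"""Added helper (not the advisory's or the vendor's code): classify Sawmill
version strings against the affected ranges given in this advisory.
Parser format and the sample inventory are assumptions for the example."""
import re

FIXED_IN = (7, 1, 6)   # first non-affected 7.x release per the advisory

# Accepts '7', '7.1', '7.0.10', '7.1.1b'; the trailing letter is optional.
_VERSION = re.compile(r"^(\d+)(?:\.(\d+))?(?:\.(\d+))?([a-z]?)$")


def parse_version(text: str) -> tuple:
    """'7.1.1b' -> (7, 1, 1, 'b'); '7.0.10' -> (7, 0, 10, '').
    Numeric fields are compared as integers, so 7.0.10 sorts above 7.0.9,
    which a plain string comparison gets wrong."""
    m = _VERSION.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, patch, suffix = m.groups()
    return (int(major), int(minor or 0), int(patch or 0), suffix)


def is_affected(text: str) -> bool:
    """True for every 6.x release and for 7.x releases before 7.1.6."""
    major, minor, patch, _suffix = parse_version(text)
    if major == 6:
        return True                                  # all 6.x listed as affected
    if major == 7:
        return (major, minor, patch) < FIXED_IN      # 7.1.5 and prior
    return False                                     # outside the advisory's ranges


def affected_hosts(inventory: dict) -> list:
    """inventory maps hostname -> reported version; returns hosts to update."""
    return sorted(host for host, ver in inventory.items() if is_affected(ver))


# Constructed sample inventory for demonstration only.
SAMPLE_INVENTORY = {
    "logs01": "7.1.5",
    "logs02": "7.1.7",
    "logs03": "6.5.11",
    "logs04": "7.0.10",
    "logs05": "7.1.6",
}

if __name__ == "__main__":
    print("hosts to update:", affected_hosts(SAMPLE_INVENTORY))
```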

The product was formerly known as Chartreuse Cartouche.

Users are urged to contact the vendor for information on obtaining an updated version (see References).

Vendor confirmed issues: Yes
Exploit included: No

Affected components: N/A
Affected component versions: N/A

OS:
Microsoft Windows (95/98/ME/NT4/2000/XP/2003)
Linux
Mac OS X
FreeBSD
OpenBSD
NetBSD
Sun Solaris
IBM AIX
HP/UX
OS/2
BeOS

Solution:
Update to version 7.1.6 or newer; contact the vendor to obtain the update.

- Workarounds:
No effective workarounds were available when this report was written.

The vulnerability information was announced by the vendor; the researcher analyzed the issues, wrote this report and added the assessment of available workarounds.
The information was provided to security companies and CERT units to help them update their product databases to cover the product versions handled in this report.

References:
secunia.com/advisories/15499/
www.securitytracker.com/alerts/2005/Jun/1014106.html
www.secwatch.org/advisories/1010772/
www.securityfocus.com/bid/13864
www.securityfocus.com/bid/13866
www.securityfocus.com/bid/13868
xforce.iss.net/xforce/xfdb/20879
xforce.iss.net/xforce/xfdb/20880
xforce.iss.net/xforce/xfdb/20881
www.osvdb.org/displayvuln.php?osvdb_id=17100
www.osvdb.org/displayvuln.php?osvdb_id=17101
www.osvdb.org/displayvuln.php?osvdb_id=17102
www.osvdb.org/displayvuln.php?osvdb_id=17103
CVE #1: CAN-2005-1900
CVE #2: CAN-2005-1901
"Sawmill version history":
www.sawmill.net/version_history7.html
"Sawmill - Non-European Contact Details / European Contact Details":
www.thesawmill.co.uk/support.html

Additional references:
Product homepage: "Sawmill: log analyzer; log file analysis; log analysis program":
www.sawmill.net/features.html

Timeline:
05-06-2005 Vulnerability researched
05-06-2005 Security companies and several CERT units contacted
06-06-2005 Advisory published
06-06-2005 Link to advisory sent to security companies and several CERT units

Revision history:
06-06-2005 1.0: Researcher's advisory published
06-06-2005 1.1: Updated advisory by adding references
07-06-2005 1.2: Updated advisory by adding references
09-06-2005 1.3: Added CVE references

Copyright © Networksecurity.fi and Juha-Matti Laurio 2005



Best regards,
Juha-Matti Laurio
IT security researcher
Finland
www.networksecurity.fi
Read more about 24 other security vulnerabilities discovered by the researcher.
