Multiple vulnerabilities in web2py Sample Web Application



Published: 2019-06-28
Risk High
Patch available YES
Number of vulnerabilities 3
CVE-ID CVE-2016-3953, CVE-2016-3957, CVE-2016-3954
CWE-ID CWE-798, CWE-502, CWE-200
Exploitation vector Network
Public exploit Public exploit code for vulnerability #1 is available.
Public exploit code for vulnerability #2 is available.
Public exploit code for vulnerability #3 is available.
Vulnerable software
web2py
Web applications / Other software

Vendor web2py

Security Bulletin

This security bulletin contains information about 3 vulnerabilities.

1) Hardcoded credentials

EUVDB-ID: #VU18924

Risk: High

CVSSv3.1: 8.8 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C]

CVE-ID: CVE-2016-3953

CWE-ID: CWE-798 - Use of Hard-coded Credentials

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to the presence of a hardcoded encryption key in the "session.connect" function call. A remote attacker can send a specially crafted request and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.

Mitigation

Install update from vendor's website.

Vulnerable software versions

web2py: 2.0.0 - 2.14.1

External links

http://devco.re/blog/2017/01/03/web2py-unserialize-code-execution-CVE-2016-3957/
http://github.com/web2py/web2py/blob/R-2.14.1/applications/examples/models/session.py


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.

2) Deserialization of Untrusted Data

EUVDB-ID: #VU18926

Risk: High

CVSSv3.1: 8.8 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C]

CVE-ID: CVE-2016-3957

CWE-ID: CWE-502 - Deserialization of Untrusted Data

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists because the "secure_load" function in "gluon/utils.py" uses pickle.loads to deserialize session information stored in cookies. A remote attacker with knowledge of the encryption key (see vulnerability #1) can pass specially crafted data to the application and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.
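As an added example for vulnerabilities #1 and #2 (example code, not web2py's own and not the upstream fix), the following hypothetical cookie-session codec shows the two defensive changes these findings call for: a key generated per deployment instead of hardcoded in the source, and JSON instead of pickle so that a cookie which passes verification can only yield data, never executable objects. The names generate_session_key, secure_dumps and secure_loads belong to this example only.

```python
import base64
import binascii
import hashlib
import hmac
import json
import secrets

# Hypothetical hardened replacement for a cookie-session codec (example code,
# not web2py's own). Two changes address the bulletin's findings: the key is
# generated per deployment instead of being hardcoded (CWE-798), and the
# payload is JSON instead of pickle, so even a validly signed cookie can only
# yield data, never executable objects (CWE-502).

def generate_session_key() -> bytes:
    """Per-deployment secret; store it outside the application source tree."""
    return secrets.token_bytes(32)

def secure_dumps(obj, key: bytes) -> str:
    """Serialize obj as canonical JSON and append an HMAC-SHA256 tag."""
    payload = json.dumps(obj, separators=(",", ":"), sort_keys=True).encode()
    tag = hmac.new(key, payload, hashlib.sha256).hexdigest()
    return base64.urlsafe_b64encode(payload).decode() + ":" + tag

def secure_loads(token: str, key: bytes):
    """Return the decoded object, or None if the token is malformed or its
    tag does not verify. Verification happens before any parsing and uses a
    constant-time comparison so the tag cannot be guessed byte by byte."""
    try:
        b64, tag = token.rsplit(":", 1)
        payload = base64.urlsafe_b64decode(b64.encode())
    except (ValueError, binascii.Error):
        return None
    expected = hmac.new(key, payload, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        return None
    try:
        return json.loads(payload)
    except ValueError:
        return None

if __name__ == "__main__":
    key = generate_session_key()
    cookie = secure_dumps({"user": "alice", "admin": False}, key)
    print(secure_loads(cookie, key))          # {'admin': False, 'user': 'alice'}
    # A rewritten body carrying the original tag fails verification.
    body = secure_dumps({"user": "alice", "admin": True}, key).split(":")[0]
    print(secure_loads(body + ":" + cookie.split(":")[1], key))  # None
```

With a hardcoded key, the HMAC step alone would not help: anyone who reads the source can compute valid tags, which is why the key must be per deployment and kept out of the code.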

Mitigation

Install updates from vendor's website.

Vulnerable software versions

web2py: 2.0.0 - 2.14.1

External links

http://devco.re/blog/2017/01/03/web2py-unserialize-code-execution-CVE-2016-3957/
http://github.com/web2py/web2py/blob/R-2.14.1/gluon/utils.py#L200


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.

3) Information disclosure

EUVDB-ID: #VU18927

Risk: Low

CVSSv3.1: 3 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:P/RL:O/RC:C]

CVE-ID: CVE-2016-3954

CWE-ID: CWE-200 - Information exposure

Exploit availability: No

Description

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists because the software exposes the "session_cookie_key" value when a request is made to the "examples/simple_examples/status" page. A remote authenticated attacker can gain unauthorized access to sensitive information on the system.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

web2py: 2.0.0 - 2.14.1

External links

http://devco.re/blog/2017/01/03/web2py-unserialize-code-execution-CVE-2016-3957/


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can only be exploited locally. The attacker must have authentication credentials and successfully authenticate on the system.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.