Date: Mon, 8 Mar 1999 10:58:17 -0500
From: Fabien Royer
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
Subject: Password and DOS Vulnerability with Testrack (bug tracking software)

TestTrack, a bug tracking software made by Seapine Software (http://www.seapine.com), has a number of security problems that allow an attacker to acquire user IDs and passwords in clear text. TestTrack also has an implementation flaw that allows anyone to peg the CPU of the machine running the TestTrack server to 100%. I notified Seapine of this issue 30 days ago but they never bothered to answer my emails.

Here follows the email that I sent to the Seapine sales rep handling my evaluation of the product:

- - - - - - - - - - - - - - - - - - - - -

Richard,

After conducting a short evaluation of TestTrack WEB, I have decided not to move forward with the purchase of the product. The main reason for my decision is the lack of robustness of the components (ttcgi.exe and TestTrackWeb.exe).

I was able to remotely break the TestTrack server and peg the CPU of the server hosting it at 100%. Here's how: using telnet, connect to port 99 of the TestTrack server, then disconnect without typing any data. As soon as you disconnect, the CPU jumps to 100%. The only way to get it back down is to kill the TestTrack server from the task manager.

I was able to reproduce the same thing with ttcgi.exe. Log in to the TestTrack server using the web interface and start working normally. While working from the WEB browser, connect to port 99 of the TestTrack server using telnet and do nothing. From the WEB browser, attempt any operation, like adding a new bug report. As soon as you add, the WEB browser sits there, because the telnet connection is blocking it. The TestTrack server is not capable of processing more than one request at a time. Now, if you stop the activity of the WEB browser, you will see in the task manager that the ttcgi.exe process is still there!
If I attempt the same operation again, a new ttcgi.exe process will be created, and so on and so on... I created 10 of them like this. Needless to say, if I decided to create a simple script creating a few thousand requests like this, I'd be able to exhaust the resources of the NT server in a few seconds and very likely crash it.

At this point, if you disconnect the telnet session, the TestTrack server jumps to 100% and remains there. All the ttcgi.exe processes on the WEB server are still there. It's only after killing the TestTrack server that they finally go away. But in some cases during my tests, I was able to cause the ttcgi.exe to be pegged at 100%. Since this process was spawned by IIS and was running as SYSTEM, I could not kill it. I could not stop IIS either, leaving me only with the option to reboot NT. I would have had the same problem if I had executed TestTrackWeb.exe under ServerAny.

Finally, under the \scripts directory, I noticed that ttcgi.exe creates a log file by default. This log file contains all the commands issued from ttcgi.exe to TestTrackWEB.exe, including clear text login information! See for yourself below. This is the same problem as the clear text user IDs and passwords in the project files.

  Command=Login&database=&uname=fabienr&pword=qwert123456&startat=Defects&submit=Login   <---- Ouch!
  command=RecordList&cookie=0022e88b&from=1&table=user
  Command=UserListAction&cookie=0022e88b&RecordsPerPage=20&SEL01=1&listaction_makecustomer.x=46&listaction_makecustomer.y=10

Because of these flaws, capable of causing a complete denial of service on the machine running your software, and a security breach because of the presence of clear text passwords, I cannot proceed any further with purchasing the product. Given the serious nature of these problems, I will post a report to NTBugTraq (http://www.ntbugtraq.com) in 30 days. This should give you more than enough time to fix these problems.

Best regards,
Fabien.
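Editor's added example, not code from the report or from Seapine. The report says a telnet client that connects to port 99 and disconnects without sending anything pegs the server at 100% CPU. One common cause of exactly that symptom is a read loop that treats a zero-length recv() (the peer has closed) as "nothing yet, try again" and never makes progress; that this is what TestTrack did is an assumption, the report does not say. The block below shows that failure mode with an iteration cap so it terminates, next to a hardened reader that treats EOF as EOF, drops a client that stays silent past an idle timeout, and refuses to buffer a request that never ends. The FakeConn class, the timeout and size constants, and the scripted client scenarios are all constructed for the example.

```python
"""Read one request line from a client socket without spinning when the
client has already gone away.  Added example, not TestTrack's code; the
cause of the original CPU spin is assumed, not taken from the report."""
import socket

IDLE_TIMEOUT = 10.0   # seconds a silent client may hold a worker (assumed value)
MAX_LINE = 4096       # bytes; cap buffering from a client that never sends "\n"


def spinning_reader(conn, max_spins=1000):
    """The failure mode, with an iteration cap so it terminates here.
    b"" from recv() adds nothing to the buffer, so the loop just spins.
    Returns (line or None, iterations used)."""
    buf = bytearray()
    for i in range(1, max_spins + 1):
        buf += conn.recv(1024)          # b"" on a closed peer: no progress
        if b"\n" in buf:
            return bytes(buf).partition(b"\n")[0].rstrip(b"\r"), i
    return None, max_spins


def read_request_line(conn, timeout=IDLE_TIMEOUT, max_line=MAX_LINE):
    """Hardened reader: returns the first line (without CR/LF) as bytes, or
    None when the peer closed, stayed silent longer than `timeout`, or sent
    more than `max_line` bytes without a newline.  The caller then closes
    the connection and moves on to the next client."""
    conn.settimeout(timeout)
    buf = bytearray()
    while True:
        try:
            chunk = conn.recv(1024)
        except socket.timeout:
            return None                 # idle client: release the worker
        if not chunk:
            return None                 # orderly close by the peer: EOF, not "retry"
        buf += chunk
        if b"\n" in buf:
            return bytes(buf).partition(b"\n")[0].rstrip(b"\r")
        if len(buf) > max_line:
            return None                 # oversized request: refuse to buffer forever


class FakeConn:
    """Scripted stand-in for a socket (constructed for this example): returns
    the given chunks in order, raises any exception placed in the list, and
    returns b"" (EOF) once the script is exhausted."""
    def __init__(self, script):
        self._script = list(script)

    def settimeout(self, seconds):
        pass

    def recv(self, bufsize):
        item = self._script.pop(0) if self._script else b""
        if isinstance(item, Exception):
            raise item
        return item


def disconnect_without_data():
    """The scenario from the report: the client closes without sending."""
    return FakeConn([])


def silent_client():
    """A client that connects and then says nothing until the timeout fires."""
    return FakeConn([socket.timeout()])


if __name__ == "__main__":
    _, spins = spinning_reader(disconnect_without_data())
    print(f"naive loop: burned {spins} iterations on a closed socket")
    print("hardened:", read_request_line(disconnect_without_data()))
    print("hardened:", read_request_line(FakeConn([b"Comm", b"and=Login\r\n"])))
```

Against a real socket the same three exits apply: a None result means "close this connection and accept the next one", which also addresses the second observation in the report, that one idle telnet session blocks every web request, since a single-threaded server at least stops waiting on the idle client after IDLE_TIMEOUT.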
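Editor's added example, not code from the report or from Seapine, for the log-file finding above. It does the two things an operator would want once a log like that is found: audit an existing log for leaked credential and session values, and redact those values before a line is written. The SAMPLE_LOG lines are constructed from the excerpt quoted in the report; the SENSITIVE_PARAMS set is an assumption (the report shows only "pword"; "cookie" is included because a logged session token is reusable for as long as the session lives).

```python
"""Scan a CGI command log for leaked credentials and redact them before
writing.  Added example, not Seapine's code: SAMPLE_LOG is constructed from
the log excerpt in the report, and SENSITIVE_PARAMS is an assumption."""
from urllib.parse import parse_qsl, urlencode

# Query-string parameters whose values must never reach a log file.  "pword"
# is the one seen in the report; the others are assumed common names.
SENSITIVE_PARAMS = {"pword", "password", "passwd", "cookie"}
REDACTED = "REDACTED"

# Constructed sample in the format of the log excerpt in the report.
SAMPLE_LOG = [
    "Command=Login&database=&uname=fabienr&pword=qwert123456&startat=Defects&submit=Login",
    "command=RecordList&cookie=0022e88b&from=1&table=user",
    "Command=UserListAction&cookie=0022e88b&RecordsPerPage=20&SEL01=1"
    "&listaction_makecustomer.x=46&listaction_makecustomer.y=10",
]


def _pairs(line):
    """Split one logged command into (name, value) pairs, keeping empty values
    so that the rewritten line has the same shape as the original."""
    return parse_qsl(line.strip(), keep_blank_values=True)


def redact_query(line):
    """Return the log line with sensitive values replaced.  Name matching is
    case-insensitive because the log mixes "Command" and "command"."""
    cleaned = [(k, REDACTED if k.lower() in SENSITIVE_PARAMS else v)
               for k, v in _pairs(line)]
    return urlencode(cleaned)


def find_leaks(lines):
    """Audit an existing log: return (line_number, parameter) for every
    non-empty sensitive value, so the file can be purged and the affected
    credentials rotated."""
    leaks = []
    for n, line in enumerate(lines, 1):
        for k, v in _pairs(line):
            if k.lower() in SENSITIVE_PARAMS and v:
                leaks.append((n, k))
    return leaks


if __name__ == "__main__":
    for n, name in find_leaks(SAMPLE_LOG):
        print(f"line {n}: leaked value of '{name}'")
    for line in SAMPLE_LOG:
        print(redact_query(line))
```

Redaction at write time is the fallback; the better fix, and the one the vendor later describes, is not to log the command stream at all. Note also that redacting the log does not undo the leak: any password or session cookie that has already been written to disk should be treated as compromised.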
-----------------------------------------------------------------------------

Date: Wed, 16 Jun 1999 11:14:06 -0400
From: Richard Clyde
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
Subject: Password and DOS Vulnerability with Testrack (bug tracking software)

NTBUGTRAQ Item #2136 reported several security issues in TestTrack Web (a bug tracking software). These security issues have all been addressed in version 1.2.0 of TestTrack Web. A free upgrade to version 1.2.0 is available via the web at www.seapine.com.

The user IDs and passwords are encrypted in the database for added security. The CGI program has been modified to block attempts to peg the CPU of the TestTrack server through the use of telnet. A log file is no longer generated by the TestTrack Web application.

Seapine Software has also taken steps to improve its customer support. The customer support group did not grow quickly enough in response to the success of the TestTrack product. Over the past five months, Seapine Software has hired additional technical support personnel and has focused on improving customer support response time.