Ixia ATI Research Center Discovers Zero-Day SearchBlox Vulnerabilities
Ixia’s ATI Research Center recently discovered multiple authentication bypass vulnerabilities inside SearchBlox 8.3. These vulnerabilities are due to lack of or improper validation of HTTP requests to the SearchBlox Web UI. An attacker could exploit these to add or delete business users, delete collections, delete reports, and import and export the configuration file. By importing and exporting the configuration file, the admin password could be compromised or overwritten. In some cases, overwriting the configuration file can cause the application to crash, resulting in a Denial-of-Service condition.
SearchBlox is a web-based proprietary enterprise content search engine, offering commercial search solutions that are used by over 300 customers in 30 countries. For further company and product information, visit the SearchBlox web site: http://www.searchblox.com/
- Multiple authentication bypass vulnerabilities in SearchBlox 8.3
- Improper validation of HTTP requests to /searchblox/servlet/UserServlet, /searchblox/servlet/CollectionServlet, /searchblox/servlet/ReportListServlet, which permits unauthenticated access to private data
- SearchBlox has issued a patch; version 8.3.1 is available here: http://www.searchblox.com/downloads/
- Ixia BreakingPoint PoC strike released in ATI-2016-02 is available here: https://strikecenter.ixiacom.com/bps/strikepacks
- SearchBlox provides a search and text analytics platform that can aggregate and search unstructured data from websites, file folders, feeds, cloud storage, email archives, databases, csv, and social streams like Twitter. The data is available for search and text analysis, allowing businesses to gain insights into customers and products.
- SearchBlox web UI can be accessed through HTTP requests over port 8080.
- Among other things, SearchBlox offers the admin user the possibility of adding new business users, deleting existing business users, collections, and reports, and most of all, seeing or overwriting the application’s configuration file by exporting or importing it (from the web UI).
- The authentication bypass vulnerabilities mentioned in the above section could be used by an attacker to gain a certain level of admin access.
- An attacker exploiting these vulnerabilities could:
  - Modify/alter important data contained in collections or reports.
  - Arbitrarily delete business accounts, which would prevent valid users from accessing their accounts.
  - Add a business user and then get authenticated as the added user.
  - Retrieve the configuration file, which contains a hash of the admin’s password.
  - Overwrite the admin password or trigger a crash by overwriting the configuration file.
- The most important of all the unauthenticated requests that an attacker could make is the one that obtains the hash of the admin password, or that overwrites the password, through the configuration file.
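Until the 8.3.1 patch is applied, the practical defensive question is whether anyone outside the admin network has been reaching the three servlet paths named above. The script below is an added example, not Ixia's or SearchBlox's code: it parses NCSA combined-format access log lines (an assumption about how the front-end web server or Tomcat is configured to log), picks out requests to /searchblox/servlet/UserServlet, /searchblox/servlet/CollectionServlet and /searchblox/servlet/ReportListServlet, and flags those that were not rejected and came from outside an allow-list of administrator networks. The sample log lines, the 10.0.0.0/8 admin network and the function names are constructed for the illustration.

```python
"""Hunt for SearchBlox 8.3 servlet access in HTTP access logs.

Added example (not Ixia's or SearchBlox's code). Assumes NCSA combined log
format; the admin allow-list and the sample lines are constructed.
"""
import ipaddress
import re
from collections import defaultdict

# Servlet paths named in the advisory for SearchBlox 8.3.
SENSITIVE_PATHS = (
    "/searchblox/servlet/UserServlet",
    "/searchblox/servlet/CollectionServlet",
    "/searchblox/servlet/ReportListServlet",
)

# NCSA combined: host ident user [time] "METHOD path proto" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)


def parse_line(line):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["path"] = rec["path"].split("?", 1)[0]  # drop the query string before matching
    rec["status"] = int(rec["status"])
    return rec


def is_sensitive(path):
    """True if the path is one of the advisory's servlets (or a sub-path of one)."""
    return any(path == p or path.startswith(p + "/") for p in SENSITIVE_PATHS)


def in_allowed_nets(host, nets):
    """True if host is an IP inside one of the allow-listed networks."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:  # hostnames or malformed fields are treated as not allowed
        return False
    return any(ip in n for n in nets)


def find_suspicious(lines, admin_nets):
    """Return (alerts, per_host_counts).

    alerts: (host, method, path, status) for each sensitive-servlet request that was
    not rejected (status < 400) and came from outside admin_nets.
    per_host_counts: number of sensitive-servlet requests per client, any status.
    """
    nets = [ipaddress.ip_network(n) for n in admin_nets]
    alerts = []
    counts = defaultdict(int)
    for line in lines:
        rec = parse_line(line)
        if rec is None or not is_sensitive(rec["path"]):
            continue
        counts[rec["host"]] += 1
        if rec["status"] < 400 and not in_allowed_nets(rec["host"], nets):
            alerts.append((rec["host"], rec["method"], rec["path"], rec["status"]))
    return alerts, dict(counts)


# Constructed sample lines (not real traffic): one admin-network request, then a
# client on 203.0.113.7 touching all three servlets, one of which was refused.
SAMPLE_LOG = [
    '10.0.0.5 - - [10/Feb/2016:10:01:02 +0000] "POST /searchblox/servlet/UserServlet HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Feb/2016:10:02:10 +0000] "POST /searchblox/servlet/UserServlet HTTP/1.1" 200 512 "-" "curl/7.47.0"',
    '203.0.113.7 - - [10/Feb/2016:10:02:11 +0000] "GET /searchblox/servlet/CollectionServlet?action=list HTTP/1.1" 200 88 "-" "curl/7.47.0"',
    '203.0.113.7 - - [10/Feb/2016:10:02:12 +0000] "GET /searchblox/servlet/ReportListServlet HTTP/1.1" 403 0 "-" "curl/7.47.0"',
    '203.0.113.7 - - [10/Feb/2016:10:02:13 +0000] "GET /searchblox/search?q=test HTTP/1.1" 200 2048 "-" "curl/7.47.0"',
    "garbage line that does not parse",
]

if __name__ == "__main__":
    found, per_host = find_suspicious(SAMPLE_LOG, ["10.0.0.0/8"])
    for alert in found:
        print("ALERT", *alert)
    print("sensitive-servlet requests per host:", per_host)
```

On the constructed input this reports the two successful requests from 203.0.113.7 and a count of three sensitive requests for that host; the refused request still counts, because repeated probing of these servlets is itself worth a look even when the server said no. Clients on the admin network are counted but not alerted on, so the allow-list has to be tight for the output to mean anything.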
Leverage Subscription Service to Stay Ahead of Attacks
The Ixia BreakingPoint Application and Threat Intelligence (ATI) Subscription provides bi-weekly updates of the latest application protocols and attacks for use with Ixia platforms.