Oana Murarasu, Security Software Engineer at Ixia
Security Software Engineer at Ixia
Blog

Ixia ATI Research Center Discovers Zero-Day SearchBlox Vulnerabilities

February 9, 2016 by Oana Murarasu

 

Ixia’s ATI Research Center recently discovered multiple authentication bypass vulnerabilities inside SearchBlox 8.3. These vulnerabilities are due to Atric Seallack of or improper validation of HTTP requests to the SearchBlox Web UI. An attacker could exploit these to add or delete business users, delete collections, delete reports, and import and export the configuration file. By importing and exporting the configuration file, the admin password could be compromised or overwritten. In some cases, overwriting the configuration file can cause the application to crash, resulting in a Denial-of-Service condition.

 

SearchBlox Overview

SearchBlox is a web-based proprietary enterprise content search engine, offering commercial search solutions that are used by over 300 customers in 30 countries. For further company and product information, visit the SearchBlox web site: http://www.searchblox.com/

 

Advisory Summary

Details

  • SearchBlox provides a search and text analytics platform that can aggregate and search unstructured data from websites, file folders, feeds, cloud storage, email archives, databases, csv, and social streams like Twitter. The data is available for search and text analysis, allowing businesses to gain insights into customers and products.
  • SearchBlox web UI can be accessed through HTTP requests over port 8080.
  • Among other things, SearchBlox offers the admin user the possibility of adding new business users, deleting existing business users, collections, and reports, and most of all, seeing or overwriting the application’s configuration file by exporting or importing it (from the web UI).
  • The authentication bypass vulnerabilities mentioned in the above section could be used by an attacker to gain a certain level of admin access.
    • An attacker exploiting these vulnerabilities could:
    • Modify/alter important data contained in collections or reports.
    • Arbitrarily delete business accounts, which would prevent valid users from accessing their accounts.
    • Add a business user and then get authenticated as the added user.
    • Retrieve the configuration file, which contains a hash of the admin’s password.
    • Overwrite the admin password or trigger a crash by overwriting the configuration file.
  • The most important of all the unauthenticated requests that an attacker could make is the one in which they get the hash over the admin password or manages to overwrite it through the configuration file.

Leverage Subscription Service to Stay Ahead of Attacks

The Ixia BreakingPoint Application and Threat Intelligence (ATI) Subscription provides bi-weekly updates of the latest application protocols and attacks for use with Ixia platforms.