Sec-1 Labs

Advisory: Multiple WatchGuard Log and Report Manager Vulnerabilities

waynem — Thu, 22 Dec 2011 12:28:49 +0000

Sec-1 Security Advisory

Advisory Name	:	WatchGuard Log and Report Manager: Persistent Cross-Site-Scripting (XSS) Vulnerability
Release Date	:	16/12/2011
Application	:	WSM 11.5.1 Log and Report Manager
Platform	:	Windows
Severity	:	HIGH. Persistent XSS
Author	:	Wayne Murphy
Vendor Status	:	Fixed in WSM 11.5.1 Update 1
Website	:	http://www.sec-1.com/blog

Vulnerability Summary:

Cross site scripting vulnerabilities were discovered within the Log and Report Manager component of WatchGuard System Manager Version 11.5.1.

Version 11.5.1 introduced the new Log and Report Manager (web interface) replacing the older LogViewer, Report Manager and Reporting Windows client components. The introduction of this web component introduced two types of cross site scripting vulnerabilities; Persistent and Reflected. With the persistent XSS vulnerability it is possible to send traffic containing malicious scripts to a WatchGuard XTM Firebox firewall that is sending logs to a WatchGuard LogServer. Upon viewing the logs within the new Log and Remote Manager Web UI, the malicious scripts then execute, potentially allowing attackers to gain elevated privileges in the users browser. The reflected XSS vulnerabilities allows an attacker to embed script code into maliciously formatted links. If the attacker enticed the user to follow the links, the embedded script code would then execute. The following line is taken from WatchGuard’s Release Notes for WSM 11.5.1 Update 1 “These vulnerabilities do not allow the attacker to gain access to your XTM appliance or change firewall rules, but could potentially allow the attacker to gain unauthorized access to your computer.”

Exploit 1: Persistent XSS : FTP Method

Script code embedded within the FTP username value is insecurely stored and retrieved from the database. Upon viewing the FTP Log within Log and Report Manager the embedded script code executes in the users browser.

Example:

Entering the username value:

Embeds the following escaped log entry within the Watchguard LogServer Database:

command=USER \x3cscript\x3ealert(\x22Username_XSS\x22)\x3c/script\\3e

When the malicious log entry is viewed the embedded script code executes within the browser.

Exploit 1: Persistent XSS : SMTP Method

SMTP was also targeted during testing since this service is more commonly encountered during real world penetration testing. Furthermore, based on data collected from our firewall team, it is considered more likely that application aware proxies (with logging enabled) will be used for SMTP traffic.

The WatchGuard’s SMTP-Proxy logs all headers that are stripped from SMTP emails. By sending script code within a invalid SMTP header, data is insecurely stored and retrieved by the application allowing for Cross-Site-Scripting attacks.

For example, submitting the following SMTP header via the WatchGuard SMTP service will embed a JavaScript designed to display an alert box:

Bogus: \x3cscript\x3ealert(\x22XSS_Test_With_Encoding\x22)\x3c/script\x3e

Exploit 2: Reflected XSS

The following two parameters were found to be be vulnerable to Reflected XSS attacks.

https://:4130/	- URL Parameter
https://:4130/auth/login	- from_page Parameter

N.B. Modern browsers were unable to exploit the URL Parameter attack vector. An intercepting proxy had to be used to exploit this successfully.

Vendor Response:

The vendor has patched these issues in WSM Version 11.5.1 Update 1. A WatchGuard advisory has been released relating to these vulnerabilities;

http://watchguardsecuritycenter.com/2011/12/15/watchguard-releases-wsm-v11-5-1-update-1-xss-flaws-corrected/

Common Vulnerabilities and Exposures (CVE) Information:

The Common Vulnerabilities and Exposures (CVE) project has assigned the following names to these issues. These are candidates for inclusion in the CVE list (http://cve.mitre.org), which standardizes names for security problems.

CVE : CVE-2011-4774

Advisory: Multiple Splunk Vulnerabilities

Gary O'leary-Steele — Thu, 15 Dec 2011 09:21:59 +0000

Sec-1 Security Advisory

Advisory Name	:	Splunk Multiple Vulnerabilities
Release Date	:	14/12/2012
Application	:	Splunk 4.2.4, 4.2.3 and 4.2.2 tested
Platform	:	Windows & Linux
Severity	:	Remote Compromise (root)
Author	:	Gary O’Leary-Steele
Vendor Status	:	Fixed in 4.2.5
Website	:	http://www.sec-1.com/blog

Vulnerability Summary:

Multiple vulnerabilities were discovered that could be exploited to gain remote code execution as the root/localsystem user. A full description of the discovered vulnerabilities can be found here: Download

Exploit:

Exploit code designed for use in penetration testing can be downloaded here: Download

Vendor Response:

The vendor has patched the issue in version 4.2.5. Sec-1 would like to thank Splunk for their prompt and professional response.

Common Vulnerabilities and Exposures (CVE) Information:

CVE : See PDF

Sec-1 Penetration Testing Workshop

Gary O'leary-Steele — Wed, 23 Nov 2011 10:22:44 +0000

Download the slides and supporting tools presented at the Sec-1 Penetration Testing Workshop:

Note: You will need to obtain the password from your account manager

Testing Workshop (Slides Only)

Slides and Tools

Advisory: WebTitan Multiple Vulnerabilities

waynem — Thu, 20 Oct 2011 15:54:28 +0000

Sec-1 Security Advisory

Advisory Name	:	WebTitan Multiple Vulnerabilities
Release Date	:	19/10/2011
Application	:	WebTitan version 3.50 (Build 183)
Platform	:	VMWare Appliance
Severity	:	SQL injection, Command injection, Dir Traversal
Author	:	Richard Conner
Vendor Status	:	Fixed in Version 3.60
Website	:	http://www.sec-1.com/blog

Product Overview:

Taken from: http://www.webtitan.com/products

WebTitan is a complete internet monitoring software (web filter) which provides organisations protection for their data from malware and other internet threats such as viruses, spyware and phishing as well as providing user policy browsing tools to ensure corporate internet policy is adhered to.

Vulnerability Summary:

A number of security issues were identified in version 3.50 (Build 183). A SQL injection attack within the authentication component can be leveraged to recover the password hashes of valid users. Once authenticated access is obtained further attacks exist. Additional SQL injection, Command Injection providing access to the FreeBSD O/S and a Directory Traversal flaw can be exploited.

Exploit 1: PRE Auth – Blind SQL Injection

The following vulnerability was identified

This vulnerable component can be accessed without Authenticating. The affected script provides a web interface to the authentication component of the application. From here it is possible to perform any administrative task includinguser administration and running diagnostics.

Vulnerable Script: /login-x.php

Vulnerable POST request:
jaction=login&language=en_US&username=admin&password=hiadmin
Vulnerable Parameter: username
Database: POSTGRES

It is possible to perform blind SQL injection within the username parameter to recover the contents of various tables from the public database, including the admin table which contains the usernames and a MD5 hash of the password for each administrative account.

Exploit 2: POST Auth – SQL Injection

Once Authenticated, either through compromising of the PRE-Auth SQL injection
flaw or through a known administrative account (default values, brute force, etc) it is possible to perform several further SQL injection attacks against the following;

Vulnerable Script: /urls-x.php

Vulnerable POST Parameters: bldomain, wldomain, temid

Exploit 3: POST Auth – Command Injection

The Traceroute or Ping functionality when issued by an authenticated user can be abused to execute an additional command by the script. Appending two ampersands && characters to the Ping or Traceroute command causes the script to execute the instruction as a second command. The returned data is displayed within the diagnostic message within the users web browser.

Example:

http://172.31.1.25/tools.php#tab0

127.0.0.1 && cat /etc/passwd

Will display the contents of the password file which lists the FreeBSD users and their privileges.

Exploit 4: POST Auth – Dir Traversal

Example:

http://[HOST_IP]//logs-x.php? jaction=view&fname=../../../../../etc/passwd

Vendor Response:

These issues were resolved in version 3.60

Common Vulnerabilities and Exposures (CVE) Information:

CVE : CVE-2011-4638 (SQL Injection Issues)
CVE : CVE-2011-4639 (POST Auth. Command Injection Issues)
CVE : CVE-2011-4640 (POST Auth. Dir Traversal)

Advisory: Loglogic 5.1 Directory Traversal

Gary O'leary-Steele — Wed, 06 Jul 2011 08:44:14 +0000

Sec-1 Security Advisory

Advisory Name	:	Loglogic 5.1 Directory Traversal
Release Date	:	06/06/2011
Application	:	MX3020-PCI Edition / MX Virtual Appliance
Platform	:	Linux / Appliance
Severity	:	Remote Compromise (root)
Author	:	Gary O’Leary-Steele
Vendor Status	:	Fixed in HF-3 for version 5.1
Website	:	http://www.sec-1.com/blog

Vulnerability Summary:

A directory traversal vulnerability was identified within the Loglogic web interface. The vulnerability could be exploited by an unauthenticated attacker to gain access to any file on the local file system. For example, the attacker could extract the local /etc/shadow file and launch an offline password attack to recover the root password. Successful exploitation of this vulnerability could provide full control over the affected log management device including any stored reports and log files.

Exploit:

The following URL will download the /etc/shadow file:

https://[IP]/logapp20/downloadreportzip?file=/../../../../../../../etc/shadow

Vendor Response:

The vendor has patched the issue in HF-3 for version 5.1

Common Vulnerabilities and Exposures (CVE) Information:

CVE : CVE-2011-2781

Advisory: F5 Networks Big-IP Multiple Vulnerabilities

Gary O'leary-Steele — Mon, 04 Jul 2011 16:42:38 +0000

Sec-1 Security Advisory

Advisory Name	:	F5 Networks Big-IP Multiple Vulnerabilities
Release Date	:	04/07/2011
Application	:	F5 Networks Big-IP 10.1.0
Platform	:	Local Traffic Manager Virtual Edition (tested)
Severity	:	Privilege Escalation (to root), CSRF and XSS
Author	:	Gary O’Leary-Steele
Vendor Status	:	Patch Released
Website	:	http://www.sec-1.com/blog

Product Overview:

Taken from: http://www.f5.com/products/big-ip/

The BIG-IP product family is a system of integrated application delivery services that work together on the same best-in-class hardware. From load balancing, SSL offload, and web acceleration to application security, access control, and much more, a single BIG-IP device can do the work of a dozen single-purpose appliances.

Local Traffic Manager Virtual Edition enables you to create a mobile, scalable, and adaptable infrastructure for virtualized applications by applying the functionality of BIG-IP LTM in a virtualized environment.

Vulnerability Summary:

A number of security issues were identified within the management web interface that could be combined to gain unauthorised root access to the affected system. Identified vulnerabilities include Privilege Escalation, Cross-Site Scripting (XSS) and Cross-Site Request Forgery (CSRF/XSRF).

Vulnerability Details – Privilege Escalation:

The following vulnerable script was identified during an analysis of the local file system:

https://[TARGET_IP]/tmui/tools/dbeditor.jsp

To access this component the user must be authenticated to the web interface as any user (including guest). The affected script provides a web interface to the underlying database along with easy to use templates to change database data. From here it is possible to perform any administrative task including user administration.

From an attackers perspective this interface allows any user, including Guest, to administer any aspect of the Big-IP’s configuration.

Exploit Example 1:

The following URL, when accessed by any authenticated user will add a root equivalent the user “hacker2? with a password of “admin” to the affected Big-IP system (adds and entry to /etc/shadow):

https://[TARGET_IP]/tmui/tools/commandresults.jsp?sql=INSERT into userdb_entry value(‘hacker2′,12345,’$1$vj2xXJiEZC0aIA.IBj5rvaEfbDgr0′,’true’,”,0,0,’/home/hacker2′,’/bin/sh’,0,”,’false’,’all’)

This vulnerability could be exploited using common Cross-Site Request forgery techniques such as an embedded IMG tag.

Exploit Example 2:

The following URL will extract password hashes from the /etc/shadow file:

https://[TARGET_IP]/tmui/tools/commandresults.jsp?sql=select * from userdb_entry

Vulnerability Details – Cross Site Scripting:

Errors returned by the affected script(s) are written to the page without encoding and can therefore be exploited to perform an XSS attack. Furthermore, since the resulting error can be constructed using SQL it is possible to form a payload that will bypass local XSS filters.

Exploit Example 3:

https://[TARGET_IP]/tmui/tools/commandresults.jsp?sql=select%20name,passwd%20from%20userdb_entry%20union%20select%20%27%3Cscript%3Ealert%281%29%3C/script%3E%27,%27b%27%20from%20userdb_entry

Vendor Response:

This issue was resolved in version 10.2.2 and within the hotfix release 10.2.1-hf1

Common Vulnerabilities and Exposures (CVE) Information:

CVE : CVE-2011-3121

Tool: Blind SQL Injection exploit tool

Gary O'leary-Steele — Thu, 27 Jan 2011 16:51:25 +0000

Sec-1 Blind Injector (sec1blindinjector.rb)

The sec1blindinjector.rb tool is designed to exploit blind SQL injection vulnerabilities in Microsoft SQL Server based applications. Whilst there are many good tools already out there such as SQLMap, this tool offers a number of unique features we have found useful during penetration testing.

Features

Search tables for columns names containing a specific key word (e.g. password)
Search all tables and databases for columns containing specific data (e.g admin)
Enumerate table and column names
Extract table data
Perform a dictionary attack against the local or accessible SQL server (SQL server 2000 only)
Execute operating system commands via cracked “sa” account

Download here: sec1blindinjector

Tool: Identify vulnerable share permissions to prevent data leakage

Gary O'leary-Steele — Tue, 25 Jan 2011 11:50:02 +0000

Windows File Sharing Vulnerabilities

Windows file sharing permissions are based on the popular Discretionary Access Control (DAC) model, this essentially means that the owner of the resource uses his or her discretion when deciding who should be permitted access. Access is granted to either an individual user or a group of users, unfortunately file shares are rarely configured with security as a top priority and the course of least resistance is often applied. Vulnerabilities commonly arise when access to a confidential resource is granted to a group containing users who should not permitted to access it, or generalised group such as “Everyone” has erroneously been included.

Download: ShareCheck

Sec-1 ShareCheck

Sec-1 ShareCheck was written during a penetration test to assess a given IP Address range for weak file share permissions. The output of the tool produces a HTML table containing:

The IP Address
Account Lockout Threshold
A list of Local Administrators
Shares which the supplied user can access
Shares which the supplied user can write to

In the course of a penetration test local administrator accounts could then be targeted in an attempt to compromise the host and network.

Usage

ShareCheck is a command line tool written in Python.

To use ShareCheck configure a user account with limited permissions, i.e. a regular user. The results of running ShareCheck will illustrate what this user can and cannot access.

Command line example:

Assess the IP range 192.168.0.1-254 using the username “Bob” and the password “datastealer” and will save the results in report.html:

sharecheck.exe 192.168.1.0/24 bob datastealer report.html

Paper: Buffer Truncation Abuse in Microsoft SQL Server Based Applications

Gary O'leary-Steele — Fri, 12 Oct 2007 17:27:16 +0000

This paper is designed to document an attack technique Sec-1 recently adopted during the course of their application assessments. The basic principal of this technique has existed for some time; however we hope this paper we will provide an insight of how a variation of the technique can be adopted to attack common forgotten password functionality within web applications.

The document is split into two sections. The first section covers the principals of the technique and the second is an attack case study against a commercial application.

Download: Buffer Truncation Abuse Paper

Advisory: Collaboration Data Objects Buffer Overflow Vulnerability

Gary O'leary-Steele — Wed, 12 Oct 2005 17:05:56 +0000

                                SEC-1 LTD.
                              www.sec-1.com

Collaboration Data Objects Buffer Overflow Vulnerability
Application: Multiple Applications that implement CDO
Platform:Windows
Severity: Critical. Remote Code Execution
Author: Gary O'leary-Steele
Vendor Status:Patch Released
CVE Candidate:CAN-2005-1987
Reference:http://www.sec-1.com
Disclosed:12/October/2005

Vulnerability Details:

Sec-1 has identified an exploitable Buffer Overflow within Collaboration Data
Objects (Cdosys.dll and Cdoex.dll). The vulnerability exists when event sinks
are used within Microsoft Exchange 2000 or Microsoft Mail services to parse
Email content. Several Content Security packages were identified to be vulnerable.
The vulnerability can be exploited by crafting an email with a large header
name such as "Content-Type:". A failiure to correctly determine
the length of the string results in a stack overflow. Sucessful exploitation
of the vulnerability could allow the attacker to gain complete control of the
vulnerable host. In somecases the vulnerability can also be used to bypass
content security mechanisms such as virus and content scanners.

http://www.microsoft.com/technet/security/bulletin/MS05-048.mspx
Exploit Download: cdo_exploit