Advisory: Multiple WatchGuard Log and Report Manager Vulnerabilities

Sec-1 Security Advisory
Advisory Name : WatchGuard Log and Report Manager: Persistent Cross-Site-Scripting (XSS) Vulnerability
Release Date : 16/12/2011
Application : WSM 11.5.1 Log and Report Manager
Platform : Windows
Severity : HIGH. Persistent XSS
Author : Wayne Murphy
Vendor Status : Fixed in WSM 11.5.1 Update 1
Website : http://www.sec-1.com/blog
Vulnerability Summary:
Cross-site scripting vulnerabilities were discovered within the Log and Report Manager component of WatchGuard System Manager (WSM) version 11.5.1.

Version 11.5.1 introduced the new Log and Report Manager (web interface), replacing the older LogViewer, Report Manager and Reporting Windows client components. This web component introduced two types of cross-site scripting vulnerability: persistent and reflected.

With the persistent XSS vulnerability it is possible to send traffic containing malicious script through a WatchGuard XTM Firebox firewall that is sending logs to a WatchGuard LogServer. When the logs are later viewed in the new Log and Report Manager web UI, the script executes in the viewing user's browser, potentially allowing an attacker to act with that user's privileges in the application. The reflected XSS vulnerabilities allow an attacker to embed script code in maliciously formatted links; if the attacker entices the user to follow such a link, the embedded script code executes.

The following line is taken from WatchGuard's Release Notes for WSM 11.5.1 Update 1: “These vulnerabilities do not allow the attacker to gain access to your XTM appliance or change firewall rules, but could potentially allow the attacker to gain unauthorized access to your computer.”
Exploit 1: Persistent XSS : FTP Method
Script code embedded in the FTP username value is stored without sanitisation and retrieved from the database unchanged. When the FTP log is viewed in Log and Report Manager, the embedded script code executes in the user's browser.

Example:

Entering the username value: <script>alert("Username_XSS")</script>

Embeds the following escaped log entry in the WatchGuard LogServer database:

command=USER \x3cscript\x3ealert(\x22Username_XSS\x22)\x3c/script\x3e

When the malicious log entry is viewed, the embedded script code executes in the browser.

Exploit 1: Persistent XSS : SMTP Method
SMTP was also targeted during testing, since this service is more commonly encountered during real-world penetration testing. Furthermore, based on data collected from our firewall team, application-aware proxies (with logging enabled) are more likely to be deployed for SMTP traffic than for FTP.
WatchGuard's SMTP-Proxy logs every header it strips from an SMTP message. By sending script code in an invalid SMTP header, the attacker gets data stored and later retrieved by the application without sanitisation, allowing a cross-site scripting attack.
For example, submitting the following SMTP header through the WatchGuard SMTP proxy embeds JavaScript that displays an alert box when the log entry is viewed:

Bogus: \x3cscript\x3ealert(\x22XSS_Test_With_Encoding\x22)\x3c/script\x3e
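The following Python model is an added example and is not Sec-1's or WatchGuard's code. It ties the FTP and SMTP cases above together: a payload arrives in an FTP USER command or an SMTP header, the log server stores it in the \xNN-escaped form quoted in the advisory, and a log viewer decodes the escapes before display. The escaping rules (which characters are escaped), the decode step, the two rendering functions and the detection regex are assumptions made for illustration, not the product's real implementation; the sample log lines are constructed here.

```python
# Added example (not Sec-1's or WatchGuard's code). Models the stored-XSS chain
# from the FTP and SMTP sections and the fix on the rendering side.
import html
import re

# Assumption: the log server \x-escapes exactly these characters. '<', '>' and
# '"' match the stored entries quoted in the advisory ('<' -> \x3c, '>' -> \x3e,
# '"' -> \x22); the backslash is added so the escaping is reversible.
ESCAPED_CHARS = '<>"\\'


def logserver_escape(value: str) -> str:
    """Escape a logged field the way the advisory's stored entries look."""
    return ''.join('\\x%02x' % ord(c) if c in ESCAPED_CHARS else c for c in value)


def logserver_unescape(stored: str) -> str:
    """Reverse the \\xNN escaping, as a log viewer must before display."""
    return re.sub(r'\\x([0-9a-fA-F]{2})',
                  lambda m: chr(int(m.group(1), 16)), stored)


def ftp_log_entry(username: str) -> str:
    """Stored form of the FTP proxy's log line for a USER command (assumed shape)."""
    return 'command=USER ' + logserver_escape(username)


def smtp_log_entry(header_name: str, header_value: str) -> str:
    """Stored form of the SMTP proxy's log line for a stripped header (assumed shape)."""
    return header_name + ': ' + logserver_escape(header_value)


def render_vulnerable(stored: str) -> str:
    """Vulnerable pattern: decode the stored value and drop it straight into HTML."""
    return '<td>' + logserver_unescape(stored) + '</td>'


def render_fixed(stored: str) -> str:
    """Hardened pattern: HTML-encode the decoded value before it reaches the page."""
    return '<td>' + html.escape(logserver_unescape(stored), quote=True) + '</td>'


# Detection over stored log lines: decode first, because the stored text never
# contains a literal '<'. The word boundary before 'on' avoids hits such as
# 'conversion=' while still catching 'onload=' style handlers.
SCRIPT_RE = re.compile(r'<\s*script\b|javascript:|\bon\w+\s*=', re.IGNORECASE)


def find_script_injection(stored_lines):
    """Return the stored lines whose decoded text contains script markup."""
    return [line for line in stored_lines
            if SCRIPT_RE.search(logserver_unescape(line))]


# Constructed sample log: a benign FTP login, the two payloads quoted in the
# advisory, and a benign SMTP header that a naive 'on...=' check would flag.
PAYLOAD_FTP = '<script>alert("Username_XSS")</script>'
PAYLOAD_SMTP = '<script>alert("XSS_Test_With_Encoding")</script>'
SAMPLE_LOG = [
    ftp_log_entry('anonymous'),
    ftp_log_entry(PAYLOAD_FTP),
    smtp_log_entry('Bogus', PAYLOAD_SMTP),
    smtp_log_entry('X-Mailer', 'conversion=1.0'),
]

if __name__ == '__main__':
    for line in SAMPLE_LOG:
        print('stored :', line)
        print('unsafe :', render_vulnerable(line))
        print('fixed  :', render_fixed(line))
    print('flagged:', find_script_injection(SAMPLE_LOG))
```

The point worth noticing is the order of operations: the stored value looks harmless because it contains no literal angle brackets, so any filter applied to the raw database text misses the payload. Both the fix (`render_fixed`) and the detector (`find_script_injection`) operate on the decoded value, and the fix encodes for the HTML context at the moment of output rather than trying to sanitise at ingestion.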

Exploit 2: Reflected XSS
The following two parameters were found to be vulnerable to reflected XSS attacks.

https://:4130/ - URL Parameter
https://:4130/auth/login - from_page Parameter
N.B. Modern browsers did not deliver the URL Parameter payload intact, so that vector could not be exploited directly from the address bar; an intercepting proxy had to be used to exploit it successfully.
Vendor Response:
The vendor has patched these issues in WSM version 11.5.1 Update 1. A WatchGuard advisory has been released relating to these vulnerabilities:

http://watchguardsecuritycenter.com/2011/12/15/watchguard-releases-wsm-v11-5-1-update-1-xss-flaws-corrected/

Common Vulnerabilities and Exposures (CVE) Information:
The Common Vulnerabilities and Exposures (CVE) project has assigned the following names to these issues. These are candidates for inclusion in the CVE list (http://cve.mitre.org), which standardizes names for security problems.
CVE : CVE-2011-4774
Copyright 2011 Sec-1 LTD. All rights reserved.