
Tuesday, October 13, 2015

[FD] IntelliSec Advisory - Multiple Vulnerabilities in Kerio Control Firewall

IntelliSec Security Advisory
==============================================================================================

Title:            Multiple Vulnerabilities in Kerio Control (Virtual Appliance)
Vulnerabilities:  XSS, SQL Injection, Remote Code Execution through CSRF
Product:          Kerio Control
Homepage:         http://www.kerio.com
Affected Version: <= 8.6.1
Fixed Version:    8.6.2 (partially fixed)
Impact:           critical
Date:             2015-10-12
Author:           Raschin Tavakoli | IntelliSec GmbH
                  http://ift.tt/1MxQca5
                  research@intellisec.at
Links:            https://youtu.be/EzTI2WlGHb4

===============================================================================================

Vendor description:
===================

Kerio Control is a unified threat management firewall developed by Kerio Technologies. It features intrusion prevention, content filtering, activity reporting, bandwidth management, and virtual private networking. Kerio Control runs Linux, providing network perimeter defense for small to medium organizations.

Vulnerabilities
===============

1. XSS with Anti-XSS-Filter bypass (nonauth area)
2. SQL Injection (non-admin area)
3. Remote Code Execution (admin area)

By chaining these vulnerabilities together, in combination with user interaction, an attacker may gain full control over the firewall and the underlying network.

Attack Scenario
===============

The first attack could be to trick non-admin users into following a malicious link in order to trigger a CSRF exploit via the /nonauth/certificate.php script. That script may, for example, exploit the SQL Injection flaw in report.php. Once able to query the database, sensitive user data can be transmitted back to the attacker; information of interest could be, for example, the traffic usage of admin users and their top-visited webpages. In the next attack, this information may be used to embed another CSRF exploit into one of those top-visited webpages. If the attacker succeeds and the exploit is triggered by a visiting admin, arbitrary remote code execution is gained.

===============================================================================================
1. SQL Injection
===============================================================================================

Description:
============

Kerio Control suffers from an SQL Injection flaw in the report.php script. It is not necessary to use blind SQL injection, as the query output is rendered into an image file. Because the text in the image file has a fixed size, multiple UNION SELECTs can be combined to render multiple images containing the result text of the query. In order to exploit the issue, a user has to be authenticated. For non-admin users, web reports have to be enabled.

This issue is fixed in 8.6.2.

Proof of Concept:
=================

GET /report.php?id=1'+OR+'1'%3d'1'%3b+-- HTTP/1.1
Host: testbox:4081
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Firefox/31.0 Iceweasel/31.8.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: SESSION_CONTROL_WEBIFACE=c0fa6c207d812da1fce3e2ff2bc2e609948988a041f5a23adb64064a42010e6b; TOKEN_CONTROL_WEBIFACE

For example, to read out the admin's internal UUID, the following union-based SQL injection can be used:

https://testbox:4081/report.php?start=16703, 0, 0) UNION SELECT 'x', 'Admin UUID: ' || substring(cast( (select UUID from USER_LIST WHERE USERNAME='Admin') as varchar(256)) from 1 for 14), REQUESTS FROM GET_ALL_TOP_WEBS_D(16703, 1) UNION SELECT 'y', substring(cast( (select UUID from USER_LIST WHERE USERNAME='Admin') as varchar(256)) from 15 for 40), '7' FROM GET_ALL_TOP_WEBS_D(16703, 1);+--+&end=16703&id=0'+OR+USERNAME='Admin';+--+

========================
2. Cross Site Scripting
========================

Description:
============

The server parameter in the nonauth/certificate.php script suffers from a non-persistent XSS vulnerability. The payload needs to be base64 encoded and is decoded at runtime. That way it bypasses all Anti-XSS filters of modern browsers, which increases the severity of this issue significantly.

The issue has been tested with OS X Chrome Version 45.0.2454.101, OS X Safari Version 9.0 (10601.1.56.2), Linux Chromium Version 37.0.2062.120 and Linux Iceweasel 31.8.0.

This issue is fixed in 8.6.2.

===============================================================================================
3. Remote Command Execution via File Upload
===============================================================================================

Description:
============

The Kerio Control upgrade function in the admin interface suffers from an RCE vulnerability. A malicious shell script can be uploaded and executed with root privileges. This can be done by simply changing a tar file's extension to .img. If this tar file contains an upgrade.sh shell script, that script will be executed with root privileges. Kerio has not provided a fix for the upgrade functionality yet.

The Kerio admin interface by itself does not provide any functionality to execute shell commands on the underlying Linux system, nor a way to enable SSH. SSH is disabled by default and can only be enabled through the Kerio Console Application. Moreover, this issue becomes critical if it is combined with a CSRF attack.

========================================
4. Remote Command Execution through CSRF
========================================

Description:
============

If a user with an authenticated admin session can be tricked into following a specially crafted link (containing the base64-encoded payload), complete control over the firewall can be gained.

Proof of Concept:
=================

Create a Bash Script:
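Added detection example (not part of the advisory, and not the proof-of-concept script it refers to): a Python scan over web access-log lines that flags the two request shapes described in sections 1 and 2, non-integer id/start/end parameters sent to report.php and a base64-encoded server parameter sent to nonauth/certificate.php that decodes to HTML markup. The log lines, IP addresses and the base64 canary string are constructed for illustration, and the assumption that report.php's parameters are always integers is drawn from the advisory's own examples.

```python
import base64
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample access-log lines (not from the advisory or a real appliance):
# lines 1-2 mirror the request shapes the advisory describes, lines 3-4 are benign.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Oct/2015:10:01:02 +0200] "GET /report.php?id=1'+OR+'1'%3d'1'%3b+-- HTTP/1.1" 200 4120
10.0.0.7 - - [12/Oct/2015:10:02:30 +0200] "GET /nonauth/certificate.php?server=PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg== HTTP/1.1" 200 812
10.0.0.9 - - [12/Oct/2015:10:03:11 +0200] "GET /report.php?start=16703&end=16703&id=0 HTTP/1.1" 200 4120
10.0.0.9 - - [12/Oct/2015:10:04:00 +0200] "GET /nonauth/certificate.php?server=fw.example.internal HTTP/1.1" 200 812
"""

REQUEST_RE = re.compile(r'"[A-Z]+ (?P<target>\S+) HTTP/[\d.]+"')  # Common Log Format request line
NUMERIC_PARAMS = ("id", "start", "end")  # report.php ids and day numbers: expected to be integers
NUMERIC_RE = re.compile(r"^\d+$")
HTML_TAG_RE = re.compile(r"<\s*/?\s*[a-zA-Z]")  # an opening or closing HTML tag


def decode_base64_strict(value):
    """Return value decoded as base64 text, or None if it is not valid base64."""
    try:
        return base64.b64decode(value, validate=True).decode("utf-8", "replace")
    except ValueError:  # binascii.Error (bad alphabet / padding) is a ValueError
        return None


def classify_request(target):
    """Return finding strings for one request target; an empty list means clean."""
    parts = urlsplit(target)
    params = parse_qs(parts.query, keep_blank_values=True)  # also URL-decodes values
    findings = []
    if parts.path.endswith("/report.php"):
        for name in NUMERIC_PARAMS:
            for value in params.get(name, []):
                if not NUMERIC_RE.match(value):
                    findings.append(f"report.php: non-numeric {name}={value!r} (possible SQL injection)")
    if parts.path.endswith("/nonauth/certificate.php"):
        for value in params.get("server", []):
            decoded = decode_base64_strict(value)
            if decoded is not None and HTML_TAG_RE.search(decoded):
                findings.append(f"certificate.php: base64 server value decodes to markup {decoded!r} (possible XSS)")
    return findings


def scan_log(text):
    """Scan access-log text; return (line_number, finding) pairs for flagged requests."""
    results = []
    for lineno, line in enumerate(text.splitlines(), 1):
        match = REQUEST_RE.search(line)
        if match:
            results.extend((lineno, f) for f in classify_request(match.group("target")))
    return results
```

Feed the contents of a reverse-proxy or appliance access log to scan_log to get the flagged line numbers with a reason for each.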

Source: Gmail -> IFTTT -> Blogger
