[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

R7-0039: Accellion File Transfer Appliance Multiple Vulnerabilities

R7-0039: Accellion File Transfer Appliance Multiple Vulnerabilities
February 7, 2011

-- Vulnerability Details:

The Accellion File Transfer Appliance, prior to version FTA_8_0_562, suffers 
from a number of security flaws that can lead to a remote root compromise. 


1. Message Routing Daemon Default Encryption Keys

The appliance ships with UDP port 8812 allowed through the firewall. The port 
correlates to an internal service that routes messages between backend 
processes. To authenticate access to this service, all messages must be 
encrypted with a secret key using the blowfish algorithm. The appliance ships 
with two default keys, neither of which is random, which results in an attacker 
being able to communicate with the internal processes of the appliance and 
perform administration tasks on the appliance itself. These two default keys 
are 123456789ABCDEF0123456789ABCDEF0 and 0123456789ABCDEF0123456789ABCDEF, 
which are expanded with MD5 to create 448-bit blowfish keys.


2. MatchRep Daemon insert_plugin_meta_info() Command Injection

One of the applications that is exposed through the port 8812 message routing 
service executes a system command without sanitizing the arguments provided by 
the requesting application. This allows arbitrary commands to be executed on 
the appliance. Combined with Issue #1, this allows remote, unauthenticated 
command execution on the appliance as the "soggycat" user, which is root 
equivalent (sudo rights). Rapid7 has developed a Metasploit module[***] to 
chain these vulnerabilities and will release this module in early March. 


3. Remote Administration TTY Check Bypass

The appliance ships with a default login of admin/accellion. To reduce the risk 
of remote attack, this account is not allowed to login over Secure Shell. The 
implementation of this security check has a flaw and 
it is still possible to configure an out-of-box Accellion appliance remotely 
through SSH, simply by executing a shell without a TTY: (ssh admin@target 'sh')


4. Static Passwords for Privileged User Accounts

The secure shell daemon is running by default and the system is configured with 
static passwords for a number of root-equivalent accounts. It is possible to 
crack these passwords and gain access to any Accellion system with the secure 
shell daemon exposed. The scope of our research did not provide time to crack 
these passwords, but it's a just a question of resource allocation. These 
accounts include "soggycat","sdadmin", and the "root" user account itself.


5. Remote Access via Stale SSH Authorized Keys

The "soggycat" user account has a static password, as mentioned previously, but 
also has two SSH keys configured for passwordless login. These keys were 
generated over eight years ago and should have been changed to reduce the risk 
of exposure. The comments of these two keys are worrying as well:

[root@fta soggycat]# grep -i comment .ssh2/*.pub
.ssh2/theone.pub:Comment: "i am going to kiiiiiiiiiiiiill you"
.ssh2/thetwo.pub:Comment: "1024-bit dsa, kelvin@xxxxxxxxxxxxxx, Mon Feb
25 2002 05:31:0


6. Weak MySQL Password for "root" Account

This issue is not exploitable by default due to firewall configuration of the 
appliance, but it points to larger problems with the design of the system. The 
root password for the MySQL server is simply "hawksql" 
and all users of the system are able to read this password within various 
configuration files. At the least, a non-root MySQL user account should be used 
to reduce the risk of attack due to SQL  Injection flaws in the rest of the 
application.


7. Internal Daemons not Bound to Loopback Interface

This issue is not exploitable by default due to firewall configuration of the 
appliance. All internal services communicate through UDP services bound to the 
0.0.0.0 address. This exposes the internal workings of the appliance to an 
attacker with network access to the system. For example, a local user account 
without administrative rights would still be able to escalate privileges by 
communicating with these internal services. 


8. Rsync Daemon Allows Access to Privileged User Home Directory

This issue is not exploitable by default due to firewall configuration of the 
appliance. The rsync daemon allows read/write access to the "soggycat" home 
directory. Since this user account is root-equivalent, any attacker than talk 
to the rsync daemon can take full control of the 
appliance.


*** Information from the Metasploit module combining issues #1 and #2, to be 
released in early March of 2011.


Description:
  This module exploits a chain of vulnerabilities in the Accellion
  File Transfer appliance. This appliance exposes a UDP service on
  port 8812 that acts as a gateway to the internal communication bus.
  This service uses Blowfish encryption for authentication, but the
  appliance ships with two easy to guess default authentication keys.
  This module abuses the known default encryption keys to inject a
  message into the communication bus. In order to execute arbitrary
  commands on the remote appliance, a message is injected into the bus
  destined for the 'matchrep' service. This service exposes a function
  named 'insert_plugin_meta_info' which is vulnerable to an input
  validation flaw in a call to system(). This provides access to the
  'soggycat' user account, which has sudo privileges to run the
  primary admin tool as root.

msf exploit(accellion_fta_mpipe2) > set RHOST 192.168.198.151
msf exploit(accellion_fta_mpipe2) > exploit

[*] Started reverse handler on 192.168.198.135:4444
[*] Command shell session 1 opened (192.168.198.135:4444 ->
192.168.198.151:42239) at 2010-11-15 23:50:35 -0600

id
uid=520(soggycat) gid=99(nobody) groups=99(nobody)



-- Vendor Response:

Accellion addressed item #3 on December 21st, 2010 with update FTA_8_0_540

Accellion addressed items #1, #2, #4, #5, #6, and #7 on January 17th, 2011 with 
update FTA_8_0_562

Item #8 is not exploitable in the default configuration and Accellion 
recommends the use of SSL VPN when configuring a trusted link between two 
appliances.

Official Changelog for FTA_8_0_562:

The update randomizes the following on the Accellion setup - Accellion remote 
management user password, the system mysql password and the keys used for 
encrypting inter-appliance communication. All internal Daemons are now bound to 
Loopback Interface. The update also removes an unused SSH key meant for remote 
troubleshooting login. These fixes are in response to a security scan done by 
Rapid7.


-- Disclosure Timeline:
2010-10-21 - Issue #3 was reported to Accellion
2010-12-06 - Issues #1, #2, #4, #5, #6, #7, #8 reported to Accellion
2010-12-20 - A reminder the Rapid7 policy was sent to Accellion
2010-12-21 - Accellion responds with a fix date of January 2011
2010-12-21 - Accellion releases FTA_8_0_540 to address #3
2011-01-17 - Accellion releases FTA_8_0_562 to address remaining items
2011-02-07 - Detailed advisory released by Rapid7


-- Credit:
This vulnerability was discovered by HD Moore


-- About Rapid7 Security
Rapid7 provides vulnerability management, compliance and penetration
testing solutions for Web application, network and database security. In
addition to developing the NeXpose Vulnerability Management system,
Rapid7 manages the Metasploit Project and is the primary sponsor of the
W3AF web assessment tool.

Our vulnerability disclosure policy is available online at:

 http://www.rapid7.com/disclosure.jsp