WatchGuard AP - Remote Code Execution

Similar documents
Multiple vulnerabilities in Vectra Cognito

Connect using Putty to a Linux Server

MWR InfoSecurity Advisory. 26 th April Elastic Path Administrative. Quit. Session Hijacking through Embedded XSS

CNIT 129S: Securing Web Applications. Ch 8: Attacking Access Controls

VULNERABILITY ADVISORY

Title: Multiple Remote Command Execution vulnerabilities on Avaya Intuity Audix LX (plus some client-side bugs)

Actual4Test. Actual4test - actual test exam dumps-pass for IT exams

Penetration Testing. James Walden Northern Kentucky University

Attacks Against Websites 3 The OWASP Top 10. Tom Chothia Computer Security, Lecture 14

Integration Guide. ManageEngine Network Configuration Manager

WP Voting Plugin - Ohiowebtech Video Extension - Youtube Documentation

Put something on the internet - Get hacked. Beyond Security 1

Security Research Advisory ToutVirtual VirtualIQ Pro Multiple Vulnerabilities

DreamFactory Security Guide

Building Block Installation - Admins

Advanced Penetration Testing

3. Apache Server Vulnerability Identification and Analysis

Examples of Cisco APE Scenarios

Grandstream Networks, Inc. Captive Portal Authentication via Facebook

Lab Configure Basic AP security through GUI

Attacks Against Websites. Tom Chothia Computer Security, Lecture 11

Abusing Windows Opener to Bypass CSRF Protection (Never Relay On Client Side)

Accessing the Online Application

Grandstream Networks, Inc. Captive Portal Authentication via Facebook

Ruckus Wireless Security Advisory ID FAQ

WHY CSRF WORKS. Implicit authentication by Web browsers

Volume. Enterprise Secure File Transfer (ESFT) User Guide

Executive Summary. Flex Bounty Program Overview. Bugcrowd Inc Page 2 of 7

Secure web proxy resistant to probing attacks

Hello? It s Me, Your Not So Smart Device. We Need to Talk.

This Readme describes the NetIQ Access Manager 3.1 SP5 release.

Cross-Site Request Forgery in Cisco SG220 series

Integrity attacks (from data to code): Malicious File upload, code execution, SQL Injection

Security Course. WebGoat Lab sessions

Polycom Video Border Proxy (VBP ) 7301

Application Security Introduction. Tara Gu IBM Product Security Incident Response Team

Cloud Help for Community Managers...3. Release Notes System Requirements Administering Jive for Office... 6

Application Security through a Hacker s Eyes James Walden Northern Kentucky University

Hacking Our Way to Better Security: Lessons from a Web Application Penetration Test. Tyler Rasmussen Mercer Engineer Research Center

Project 4: Penetration Test

Release note Tornaborate

RBS Axis Products Management Web Interface Multiple Vulnerabilities of 9

Scan Report Executive Summary

CyberP3i Hands-on Lab Series

MWR InfoSecurity Security Advisory. DotNetNuke Cross Site Request Forgery Vulnerability Contents

Security Research Advisory IBM WebSphere Portal Cross-Site Scripting Vulnerability

Grandstream Networks, Inc. Captive Portal Authentication via Twitter

AppSpider Enterprise. Getting Started Guide

Lecture Overview. IN5290 Ethical Hacking. Lecture 4: Web hacking 1, Client side bypass, Tampering data, Brute-forcing

SOURCEFIRE 3D SYSTEM RELEASE NOTES

MarkLogic Server. Common Criteria Evaluated Configuration Guide. MarkLogic 9 May, Copyright 2019 MarkLogic Corporation. All rights reserved.

The SSL device also supports the 64-bit Internet Explorer with new ActiveX loaders for Assessment, Abolishment, and the Access Client.

Fast and Vulnerable A Story of Telematic Failures

Step-by-Step Guide to Ansur Executive 3.0 Installation With or without Electronic Signatures

Hackveda Training - Ethical Hacking, Networking & Security

HTTP Protocol and Server-Side Basics

CS 142 Winter Session Management. Dan Boneh

Security in a Mainframe Emulator. Chaining Security Vulnerabilities Until Disaster Strikes (twice) Author Tim Thurlings & Meiyer Goren

1. Oracle mod_plsql v in Oracle9i Application Server v1.0.2.x (Oracle9iAS v1.0.2.x)

SmartLink configuration DME Server 3.5

Brocade will no longer provide security updates as End of Life (EOL) was January 18, 2013.

Web Security. Thierry Sans

OWASP Thailand. Proxy Caches and Web Application Security. OWASP AppSec Asia October 21, Using the Recent Google Docs 0-Day as an Example

JAMES BENNETT DJANGOCON EUROPE 3RD JUNE 2015 THE NET IS DARK AND FULL OF TERRORS

Yealink Device Management Platform Quick Start Guide. Applies to version or later

8.0 Help for Community Managers Release Notes System Requirements Administering Jive for Office... 6

Building a Web-based Health Promotion Database

Yealink Device Management Platform Quick Start Guide. Applies to version or later

ISA 767, Secure Electronic Commerce Xinwen Zhang, George Mason University

Integration Guide. LoginTC

Configuring Communication Services

IRL: Live Hacking Demos!

Why bother? Causes of data breaches OWASP. Top ten attacks. Now what? Do it yourself Questions?

Scan Report Executive Summary. Part 2. Component Compliance Summary Component (IP Address, domain, etc.):

Administering Jive Mobile Apps for ios and Android

Scan Report Executive Summary

Checklist for Testing of Web Application

Computers Gone Rogue. Abusing Computer Accounts to Gain Control in an Active Directory Environment. Marina Simakov & Itai Grady

Upgrade Guide for Cisco Digital Media System Release 5.0

Logging into the Firepower System

SECURE CODING ESSENTIALS

Penetration Testing with Kali Linux

Guardium UI Login using a Smart card

MAINTENANCE HELPDESK SYSTEM USER MANUAL: CUSTOMER (STAFF) VERSION 2.0

(System) Integrity attacks System Abuse, Malicious File upload, SQL Injection

EV CHARGING: MAPPING OUT THE CYBER SECURITY THREATS AND SOLUTIONS FOR GRIDS AND CHARGING INFRASTRUCTURE

BIG-IP DataSafe Configuration. Version 13.1

Man-In-The-Browser Attacks. Daniel Tomescu

SAML-Based SSO Solution

Grandstream Networks, Inc. Captive Portal Authentication via Facebook

Ricoh Managed File Transfer (MFT) User Guide

Getting started with Raspberry Pi (and WebIoPi framework)

OWASP TOP 10. By: Ilia

A4: Insecure Direct Object References

Avoiding Web Application Flaws In Embedded Devices. Jake Edge LWN.net URL for slides:

CNIT 129S: Securing Web Applications. Ch 10: Attacking Back-End Components

Barracuda Web Application Firewall Foundation - WAF01. Lab Guide

Configuring Local Authentication and Authorization

Sophos UTM Web Application Firewall For: Microsoft Exchange Services

Advanced API Security

Transcription:

WatchGuard AP - Remote Code Execution Security Advisory Date 1/05/2018 Version: 1.0

Table of Contents 1. Document Control... 2 1.1. Document Information... 2 1.2. Revision Control... 2 2. Background... 2 2.1. Introduction... 2 2.2. Vendor notification... 2 2.3. Affected devices... 3 2.4. Disclosure Timeline... 3 3. Technical Findings... 4 3.1. Hard-coded credentials... 4 3.2. Hidden authentication method in web interface allows for authentication bypass... 4 3.3. Hidden "wgupload" functionality allows for file uploads as root and remote code execution... 4 3.4. Change password functionality incorrectly verifies old password... 5 4. Further details & Metasploit module... 5 www.zxsecurity.co.nz 1/6

1. Document Control 1.1. Document Information Title Document Filename WatchGuard AP - Remote Code Execution - Security Advisory ZX Security Advisory - Watchguard Access Points - Multiple Vulnerabilities.docx 1.2. Revision Control Version Date Released Pages Affected Author Description 1.0 01/05/2018 All Stephen Shkardoon Initial release 2. Background 2.1. Introduction ZX Security identified several major vulnerabilities within WatchGuard Access Point devices that can be chained together to gain pre-authenticated remote code execution on the devices. 2.2. Vendor notification The vendor has provided several articles regarding the identified issues: https://watchguardsupport.secure.force.com/publickb?type=kbsecurityissues&sfdcid=ka62a0 000000LIy https://www.watchguard.com/wgrd-blog/new-firmware-available-ap100ap102ap200ap300- security-vulnerability-fixes www.zxsecurity.co.nz 2/6

2.3. Affected devices All issues are present on the following devices: AP100 AP102 AP200 Additionally, all issues except for the hardcoded access credentials are present on the following additional devices: AP300 2.4. Disclosure Timeline ZX Security would like to commend the prompt response and resolution of these reported issues by the vendor. Vendor notification: April 04, 2018 Vendor response: April 06, 2018 Firmware update released to public: April 13, 2018 www.zxsecurity.co.nz 3/6

3. Technical Findings 3.1. Hard-coded credentials CVE-2018-10575 A hard-coded user exists in /etc/passwd. The vendor has requested the specific password and hash be withheld until users can apply the patch. There is no way for a user of the access point to change this password. An attacker who is aware of this password is able to access the device over SSH and pivot network requests through the device, though they may not run commands as the shell is set to /bin/false. 3.2. Hidden authentication method in web interface allows for authentication bypass CVE-2018-10576 The standard authentication method for accessing the webserver involves submitting an HTML form. This uses a username and password separate from the standard Linux based /etc/passwd authentication. An alternative authentication method was identified from reviewing the source code whereby setting the HTTP headers AUTH_USER and AUTH_PASS, credentials are instead tested against the standard Linux /etc/passwd file. This allows an attacker to use the hardcoded credentials found previously (see 1. Hardcoded credentials) to gain web access to the device. An example command that demonstrates this issue is: curl https://watchguard-ap200/cgi-bin/luci -H "AUTH_USER: admin" -H "AUTH_PASS: [REDACTED]" -k -v This session allows for complete access to the web interface as an administrator. 3.3. Hidden "wgupload" functionality allows for file uploads as root and remote code execution CVE-2018-10577 Reviewing the code reveals file upload functionality that is not shown to the user via the web interface. An attacker needs only a serial number (which is displayed to the user when they login to the device through the standard web interface and can be retrieved programmatically) and a valid session. www.zxsecurity.co.nz 4/6

An example request to demonstrate this issue is: res = send_request_cgi({ 'method' => 'POST', 'uri' => "/cgi-bin/luci/;#{stok}/wgupload", 'headers' => { 'AUTH_USER' => 'admin', 'AUTH_PASS' => '[REDACTED]', }, 'cookie' => "#{sysauth}; serial=#{serial}; filename=/www/cgi-bin/payload.luci; md5sum=fail", 'data' => "#!/usr/bin/lua os.execute('touch /code-execution'); }) An attacker can then visit the URL http://watchguard-ap200/cgi-bin/payload.luci to execute this command (or any other command). 3.4. Change password functionality incorrectly verifies old password CVE-2018-10578 The change password functionality within the web interface attempts to verify the old password before setting a new one, however, this is done through AJAX. An attacker is able to simply modify the JavaScript to avoid this check or perform the POST request manually. 4. Further details & Metasploit module ZX Security will be releasing a Metasploit module which automates exploitation of this chain of vulnerabilities. This has been delayed till 30 days after the initial patch was made available to ensure users are able to patch their devices. The module and the hardcoded password will be released on May the 14th 2018. www.zxsecurity.co.nz 5/6

ZX Security Limited Level 1, 50 Manners St Wellington, New Zealand

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback