One Article Review

Source: Code White
Identifier 1804112
Publication date 2020-07-14 17:17:43 (seen: 2020-07-14 16:13:13)
Title Sophos XG - A Tale of the Unfortunate Re-engineering of an N-Day and the Lucky Find of a 0-Day
Text On April 25, 2020, Sophos published knowledge base article (KBA) 135412, which warned about a pre-authenticated SQL injection (SQLi) vulnerability affecting the XG Firewall product line. According to Sophos, this issue had been actively exploited since at least April 22, 2020. Shortly after the knowledge base article, a detailed analysis of the so-called Asnarök operation was published. Whilst the KBA focused solely on the SQLi, this write-up clearly indicated that the attackers had somehow extended this initial vector to achieve remote code execution (RCE). The criticality of the vulnerability prompted us to immediately warn our clients of the issue. As usual, we provided lists of exposed and affected systems. Of course, we also started an investigation into the technical details of the vulnerability. Due to the nature of the affected devices and the prospect of RCE, this vulnerability sounded like a perfect candidate for a perimeter breach in upcoming red team assessments. However, as we will explain later, this vulnerability will most likely not be as useful for this task as we first assumed. Our analysis not only resulted in a working RCE exploit for the disclosed vulnerability (CVE-2020-12271) but also led to the discovery of another SQLi, which could have been used to gain code execution (CVE-2020-15504). The criticality of this new vulnerability is similar to that of the one used in the Asnarök campaign: it is exploitable pre-authentication via either an exposed user portal or an exposed admin portal. Sophos quickly reacted to our bug report, issued hotfixes for the supported firmware versions and released new firmware versions for v17.5 and v18.0 (see also the Sophos Community Advisory).

I am Groot

The lab environment setup will not be covered in full detail, since it is pretty straightforward to deploy a virtual XG firewall. Appropriate firmware ISOs can be obtained from the official download portal.
What is notable is that the firmware gives administrators direct root shell access via the serial interface, the TelnetConsole.jsp in the web interface or the SSH server. Thus there was no need to escape from any restricted shell or to evade other protection measures before starting the analysis:
Device Management -> Advanced Shell -> /bin/sh as root.
After getting familiar with the filesystem layout, exposed ports and running processes, we suddenly noticed a message in the XG control center informing us that a hotfix for the n-day vulnerability we were investigating had automatically been applied.
Sent Yes
Tags: Vulnerability, Guideline


The article does not appear to have been picked up again after its publication.


The article does not appear to be a reprise of an earlier one.