Portcullis Security Advisory - 09-011

Vulnerable System: Accellion Secure File Transfer Appliance

Vulnerability Title: Multiple Vulnerabilities In The Web Application Allows Remote Compromise As A Root User.

Vulnerability Discovery And Development: Portcullis Security Testing Services.

Credit For Discovery: Tim Brown - Portcullis Computer Security Ltd.

Affected systems: All known versions of Secure File Transfer Appliance; the vulnerability discovered was for version FTA_7_0_259.

Details:

Accellion Secure File Transfer Appliance is an appliance-based solution used for receiving and delivering large files. It does this by allowing users to upload and download files via HTTPS. It is generally deployed in a DMZ to allow users access from the local network as well as the Internet. It is based on a customised Red Hat OS running a web application which provides the user and administrative interfaces.

Combining multiple vulnerabilities in the web application allows an attacker to remotely compromise the appliance as the root user:

Firstly, it is possible for an attacker to inject JavaScript into the administrative interface of the web application by making login requests with a username consisting of HTML. In testing, the string "" was sent in place of a valid username, resulting in it being injected into the audit log web page, because a failed login attempt event was generated and recorded there.

It is also possible for an attacker with administrative access to inject arbitrary commands into the administrative interface of the web application by making requests to set an SNMP community string. When a community string of "public touch /tmp/portcullis" is set, the web application executes the command "touch /tmp/portcullis" in the context of the web server user. Using command injection and the printf command, arbitrary code can be uploaded to the appliance.
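The community string handling described above, as an added example that is not the vendor's code: the concatenation pattern that lets extra words from the value reach the shell, beside a hardened form that allow-lists the value and passes it as a single argv element. The command name "snmp-setup" and the shape of the command line are assumptions, since the advisory does not give them.

```python
import re
import shlex

# Conservative allow-list for a community string: letters, digits and a few
# punctuation characters, no whitespace and no shell metacharacters. This is
# tighter than SNMP itself requires, which is the point when the value is
# going to reach a command line.
SAFE_COMMUNITY = re.compile(r"[A-Za-z0-9_.-]{1,32}")

def unsafe_shell_command(community: str) -> str:
    """Models the pattern the advisory describes: the request parameter is
    concatenated into a string that is handed to system(). The command name
    'snmp-setup' is a placeholder; the appliance's real command is not known."""
    return "snmp-setup --community " + community

def words_seen_by_shell(command: str) -> list[str]:
    """Tokenise the way a POSIX shell would, to show where the extra words
    from an injected value end up."""
    return shlex.split(command)

def validate_community(community: str) -> bool:
    """True only if the whole value matches the allow-list."""
    return SAFE_COMMUNITY.fullmatch(community) is not None

def safe_argv(community: str) -> list[str]:
    """Hardened form: reject disallowed input, then build an argv list for
    subprocess.run(argv, shell=False) so the value is always exactly one
    argument and is never re-parsed by a shell."""
    if not validate_community(community):
        raise ValueError("community string contains disallowed characters")
    return ["snmp-setup", "--community", community]

if __name__ == "__main__":
    # The string from the advisory: what the vulnerable build turned into
    # "touch /tmp/portcullis" running as the web server user.
    injected = "public touch /tmp/portcullis"
    print(words_seen_by_shell(unsafe_shell_command(injected)))
    # -> ['snmp-setup', '--community', 'public', 'touch', '/tmp/portcullis']
    print(safe_argv("public"))
    try:
        safe_argv(injected)
    except ValueError as err:
        print("rejected:", err)
```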
The PHP source for the application is obfuscated, but it is likely that this is due to the parameter containing the community string being passed unmodified to the system() function.

Finally, using sudo, the web application is able to execute the script "/usr/local/bin/admin.pl" as the root user. The purpose of this script is to allow the reconfiguration of the appliance, and to that end, the script has a number of functions. One function of the script allows the application to move a file from one arbitrary location to another. Since no validation or sanitisation of the parameters occurs, it can be used to overwrite itself. For example: "/usr/local/bin/admin.pl --file_move --source=/home/admin/evil.pl --dest=/usr/local/bin/admin.pl".

Impact:

By combining the vulnerabilities outlined above, it is possible for an attacker to permanently inject JavaScript which would be executed in the context of an administrator when they review the audit log. The injected JavaScript could manipulate the document.location object to extract the unique per-session element of the administration URL, allowing arbitrary requests to be made using the XMLHttpRequest object. With the unique per-session element of the URL, an attacker could make malicious requests to set the appliance's SNMP community string. By replacing the "/usr/local/bin/admin.pl" script, an attacker may then execute malicious code on the target system as the root user.

Exploit:

The proof of concept exploit code is available.

Vendor Status:

15/06/2009 - Vendor informed via email by Portcullis
18/08/2009 - Vendor advised the following: This bug was reported and announced back on January 12, 2009. It was fixed in patch 7_0_287 tagged on December 12, 2008 and released live to our customers on January 12, 2009 as part of patch 7_0_296.
18/08/2009 - From Portcullis's discussions with the vendor, it is believed that the previously noted patch was for the JavaScript injection and not the subsequent code injection or privilege escalation.
04/11/2009 - Publication

Copyright:

Copyright © Portcullis Computer Security Limited 2009, All rights reserved worldwide. Permission is hereby granted for the electronic redistribution of this information. It is not to be edited or altered in any way without the express written consent of Portcullis Computer Security Limited.

Disclaimer:

The information herein contained may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (Portcullis Computer Security Limited) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.