CVE-2019-16384, CVE-2019-16385: Cyblesoft Thinfinity VirtualUI – Path Traversal, HTTP Header Injection

Nettitude discovered two vulnerabilities within Cyblesoft’s Thinfinity VirtualUI web application. The findings include path traversal and HTTP header injection, which could be leveraged to execute an XSS payload.

Thinfinity VirtualUI enables Windows-based desktop applications to function as cross-browser, cross-device web applications, which can be run in a Windows environment or accessed remotely from a web browser.

Path Traversal Proof of Concept – CVE-2019-16384

The path traversal vulnerability can be leveraged to perform remote data exfiltration from the Windows host. It enables files outside of the intended web directory to be retrieved, provided their location is known and the application has sufficient permissions to read them. Consequently, this compromises the confidentiality of application data.

The following proof of concept shows how common Windows configuration files were retrieved on the test host, traversing the file directories using the ../ notation. This was captured on the Cyblesoft demo site.

Vulnerable Request Including Path Traversal Payload

Local File ‘win.ini’ Displayed within Server Response

HTTP Header Injection Proof of Concept – CVE-2019-16385

The identified HTTP header injection vulnerability enables control over the application response and can be leveraged to perform a reflected Cross-Site Scripting attack.

The vulnerable mimetype URL parameter can be injected with an arbitrary payload, which is reflected in its entirety within the Content-Type header of the server response.

Injecting URL-encoded carriage return line feed characters (%0d%0a) into that vulnerable parameter splits the response: a new line is inserted within the header section of the server response, whilst the server still returns a 200 OK status.

The ability to insert newlines and arbitrary payloads gives full control over the contents of the response and, as shown below, can be leveraged to perform reflected cross-site scripting. The inserted newlines cause the subsequent response headers to be interpreted as the response body, and it is within this new response body that the malicious JavaScript payload lands.

An example payload consisting of encoded CRLF characters, HTML, and JavaScript is injected to reflect a basic alert box within the client.
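To make the header-splitting mechanism concrete, the following added example (not code from the advisory or from Cyblesoft) builds a response from a mimetype parameter in the vulnerable way and in a hardened way, parses both as a client would, and includes a log check for encoded CR/LF in query parameters. The request path, parameter handling and web root are assumptions constructed for the demonstration.

```python
import re
from urllib.parse import parse_qs, urlsplit

# RFC 7231 media-type grammar (token/token with optional parameters). CR, LF and
# other control characters cannot match, so a value carrying them is rejected.
TOKEN = r"[!#$%&'*+.^_`|~0-9A-Za-z-]+"
MEDIA_TYPE_RE = re.compile(rf'{TOKEN}/{TOKEN}(?:\s*;\s*{TOKEN}=(?:{TOKEN}|"[^"\r\n]*"))*')


def mimetype_from_request(path_and_query: str) -> str:
    """Extract and URL-decode the mimetype parameter, as the application would."""
    return parse_qs(urlsplit(path_and_query).query).get("mimetype", [""])[0]


def build_response_unsafe(mimetype: str, body: bytes) -> bytes:
    """Vulnerable pattern: the decoded parameter is copied verbatim into a header."""
    head = f"HTTP/1.1 200 OK\r\nContent-Type: {mimetype}\r\nContent-Length: {len(body)}\r\n\r\n"
    return head.encode("latin-1") + body


def safe_mimetype(mimetype: str, default: str = "application/octet-stream") -> str:
    """Accept only a syntactically valid media type; otherwise fall back to a safe default."""
    return mimetype if MEDIA_TYPE_RE.fullmatch(mimetype) else default


def build_response_safe(mimetype: str, body: bytes) -> bytes:
    """Hardened pattern: validate before the value ever reaches a header line."""
    return build_response_unsafe(safe_mimetype(mimetype), body)


def parse_response(raw: bytes):
    """Split a raw response the way a client does: headers end at the first blank line."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    headers = dict(line.split(": ", 1) for line in lines[1:])
    return lines[0], headers, body


def crlf_in_query(path_and_query: str) -> bool:
    """Log/WAF check: does any decoded query value contain a CR or LF?"""
    qs = parse_qs(urlsplit(path_and_query).query, keep_blank_values=True)
    return any("\r" in v or "\n" in v for vals in qs.values() for v in vals)


# Constructed request in the shape the advisory describes: encoded CRLF pairs, then markup.
REQUEST = "/download?mimetype=text/plain%0d%0a%0d%0a<script>alert(1)</script>"
BODY = b"file contents"

if __name__ == "__main__":
    mt = mimetype_from_request(REQUEST)
    print("unsafe:", parse_response(build_response_unsafe(mt, BODY)))
    print("safe:  ", parse_response(build_response_safe(mt, BODY)))
```

In the unsafe case the parsed header block stops at the injected blank line, so Content-Length and the original body are pushed into a body that now begins with the script tag; the hardened version replaces the invalid value and keeps the response intact.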

Vulnerable Request Including URL Encoded CRLF Characters and XSS Payload

Server Response Showing Injected JS Payload

Versions Affected

All versions up to and including Thinfinity VirtualUI 2.5.17.2 are affected by both of the vulnerabilities disclosed.

Conclusion

These vulnerability types are common in modern web applications. The ones presented here could have a moderate impact, and it is recommended that users of the software fix the vulnerabilities by applying the available patch.

Cyblesoft were quick to respond, and regular communication with the vendor enabled a patch to be released to address both of these issues before public disclosure.

Thinfinity UI Vulnerability Disclosure Timeline

  • Date of discovery: 20 August 2019
  • Vendor informed: 22 August 2019
  • Vendor patch received: 14 October 2019
  • Patch confirmed effective: 14 October 2019
  • Vendor informed about planned disclosure: 14 October 2019
  • Public Disclosure: 4 June 2020

CVE-2018-10956: Unauthenticated Privileged Directory Traversal in IPConfigure Orchid Core VMS

Affected Software: IPConfigure Orchid Core VMS (All versions < 2.0.6, tested on Linux and Windows)

Vulnerability: Unauthenticated Privileged Directory Traversal

CVE: CVE-2018-10956

Impact: Arbitrary File Read Access

Metasploit module:

https://github.com/nettitude/metasploit-modules/blob/master/orchid_core_vms_directory_traversal.rb

Summary of Vulnerability

IPConfigure Orchid Core VMS is a Video Management System that is vulnerable to a directory traversal attack, which allows access to the underlying database, camera feeds and more. A remote, unauthenticated attacker can send crafted GET requests to the application and read arbitrary files outside of the application's web directory. The issue is further compounded because the Linux version of the Orchid Core VMS application runs in the context of a user in the “sudoers” group. As such, any file on the underlying system for which the location is known can be read.

Nettitude has performed limited testing on the Windows version of Orchid Core VMS and has been able to read files such as ‘C:/Windows/debug/NetSetup.log’ and ‘C:/WINDOWS/System32/drivers/etc/hosts’. Reading these files does not require permissions greater than those of a regular user account; however, it is possible that the Orchid Core VMS web server is running in a privileged context.

Below is an image for the login page of Orchid Core VMS.

Metasploit Module

We have created a Metasploit module for this vulnerability, which can be found here:

Vulnerability Analysis and Impact

Discovery of the vulnerability involved multiple steps, such as identifying the correct URL encoding that is accepted by the application, as well as the location of files on the underlying system, the latter of which was conducted through manual and automated fuzzing techniques.

The following images will help explain the discovery and exploitation of this vulnerability. This is the first GET request that was sent through a browser.

Request: https://ip/../../../../../../../etc/shadow

The response is interesting, as the error suggests that it may be possible to read resources on the underlying web server. In this request it appears that the dot-dot-slash (../) was removed by the application. As such, in the second request the dot-dot-slash was URL encoded and once again submitted through the browser.

Request: https://ip/%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e/etc/shadow

In this request, the URL encoding for the dot (%2e) was removed. For the third request the browser was bypassed and the same request was sent directly to the web server using curl.
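The three requests above illustrate why stripping a literal ../ from the raw path is not a traversal defence. The following added example (not the Orchid Core VMS code, nor Nettitude's module) models that weak filter beside a resolver that decodes to a fixed point, normalises, and enforces containment in the web root; the web root is an assumed value and the request paths are the advisory's with the host removed, plus a double-encoded variant.

```python
import posixpath
from urllib.parse import unquote

# Hypothetical web root used only for this demonstration.
WEB_ROOT = "/opt/orchid/www"


def weak_resolve(web_root: str, request_path: str) -> str:
    """Filter that strips literal '../' from the raw path and only then decodes.

    This mirrors what the first two requests in the advisory suggest: a plain
    '../' is removed, but '%2e%2e%2f' passes untouched and is decoded afterwards.
    """
    stripped = request_path.replace("../", "")
    decoded = unquote(stripped)
    return posixpath.normpath(posixpath.join(web_root, decoded.lstrip("/")))


def resolve_safely(web_root: str, request_path: str):
    """Decode until stable, normalise, then require the result to stay under web_root.

    Returns the absolute path to serve, or None if the request escapes the root.
    """
    decoded = request_path
    for _ in range(4):                      # bounded loop also catches %252e double encoding
        again = unquote(decoded)
        if again == decoded:
            break
        decoded = again
    if "\x00" in decoded:                    # NUL bytes truncate paths in some runtimes
        return None
    decoded = decoded.replace("\\", "/")     # treat Windows separators as separators too
    root = posixpath.normpath(web_root)
    candidate = posixpath.normpath(posixpath.join(root, decoded.lstrip("/")))
    if candidate != root and not candidate.startswith(root + "/"):
        return None
    return candidate


# Request paths from the advisory (host removed) plus a constructed double-encoded variant.
RAW = "/../../../../../../../etc/shadow"
ENCODED = "/%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e/etc/shadow"
DOUBLE = "/%252e%252e%252f%252e%252e%252f%252e%252e%252fetc/shadow"

if __name__ == "__main__":
    for p in (RAW, ENCODED, DOUBLE, "/js/app.js"):
        print(f"{p}\n  weak: {weak_resolve(WEB_ROOT, p)}\n  safe: {resolve_safely(WEB_ROOT, p)}")
```

posixpath is used deliberately so the normalisation behaves identically on Linux and Windows hosts.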

The following image demonstrates the ability to read the ‘/etc/shadow’ file on a Linux file system. This is of particular concern as it displays that the Orchid web service is running with high user privileges. With this level of access an attacker is in the position to read certain files of interest. This includes SSH private keys, VPN configuration files and all other files on the underlying system.

The following image demonstrates the ability to read the ‘C:\Windows\debug\NetSetup.log’ file on a Windows file system. This demonstrates that the vulnerability is not limited to the Linux file system and affects both Windows and Linux operating systems.

Furthermore, Nettitude was able to identify the application's structure and database location using readily available developer documentation and the online knowledge base for Orchid Core VMS (https://support.ipconfigure.com/hc/en-us/categories/200146489-Orchid-Core-VMS).

Orchid Core VMS uses a SQLite database, which is stored as a single file on modern operating systems. Nettitude was able to download this database using the previously described directory traversal vulnerability. The image below shows the users which have access to the application, along with their SHA1 password hashes and 16-byte salts. Upon successfully cracking a password hash and obtaining the cleartext password for a user account, an attacker is in a position to view live camera streams, manage user accounts and perform other application functions which are otherwise restricted to authenticated users.

Perusing the database, Nettitude also discovered valid session IDs for the web application and descriptions of the connected cameras.

Proof of Concept for Linux

curl --insecure https://IP/%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e/etc/shadow

Proof of Concept for Windows

curl http://IP:PORT/%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e/Windows/debug/NetSetup.log

Disclosure Timeline

  • 20 April 2018: Discovered directory traversal vulnerability in Orchid VMS 2.0 on Ubuntu 14.04 LTS.
  • 7 May 2018: Confirmation of vulnerability on other Linux OS and Windows OS across all Orchid VMS versions.
  • 7 May 2018: Initial write up of vulnerability.
  • 7 May 2018: Initial reach out to IPConfigure. Submitted request for contact details for an information security employee.
  • 8 May 2018: Verified that the correct contact has been reached.
  • 9 May 2018: Requested CVE reservation from Mitre.
  • 9 May 2018: Received CVE-2018-10956 from Mitre.
  • 9 May 2018: Sent PGP encrypted vulnerability write up to contact at IPConfigure.
  • 11 May 2018: Received confirmation of vulnerability from IPConfigure.
  • 11 May 2018: IPConfigure releases v2.0.6 for public download, resolving the identified vulnerability.
  • 20 June 2018: Nettitude publicly disclosed the vulnerability.