IPFire <= 2.17 Core Update 99 - Multiple vulnerabilities

ycam
Posts: 6
Joined: April 3rd, 2016, 9:45 pm

IPFire <= 2.17 Core Update 99 - Multiple vulnerabilities

Post by ycam » April 3rd, 2016, 10:16 pm

Hello IPFire team,

I'm contacting you to report several vulnerabilities that are present in the latest IPFire 2.17 i586 Core Update 99 version (and older).

IPFire (like IPCop) implements a "referer checking" mechanism in its web administration panel to prevent CSRF attacks.
But there are several inputs across pages that are not sufficiently sanitized and permit Cross-Site Scripting (XSS).
Through these XSS an attacker can bypass the CSRF protection and execute any CSRF he wants.

To illustrate these XSS (in GET or POST), you can find several screenshots here:
https://www.asafety.fr/data/20160403-IP ... XSS001.png
https://www.asafety.fr/data/20160403-IP ... XSS002.png
https://www.asafety.fr/data/20160403-IP ... XSS003.png

The GET XSS affecting the ipinfo.cgi script (IPCop had the same one several months ago, but it's fixed now) can be used to load a third-party JS script. This third-party script can perform CSRF attacks.

The proxy.cgi script has another, more critical vulnerability. We can execute commands on the IPFire server through this page.
With specially crafted POST parameters targeting the proxy.cgi page, an attacker can obtain a full reverse shell on the IPFire distro.

An attacker can chain these vulnerabilities to gain a reverse shell with just one URL sent to an IPFire admin (phishing / spear-phishing).

I've made a demonstration video (private) of these vulnerabilities. You can see it here: https://www.youtube.com/watch?v=rBd21aXU83E

I attach a full private advisory with all details of these vulns here:
https://www.asafety.fr/data/20160403_-_ ... cution.txt

I'm posting this topic here on the forum because I have never received an activation email from https://bugzilla.ipfire.org/, and you don't provide a specific mail address for security issues.
I found this Bug Bounty topic: viewtopic.php?t=15021 but no contact address. Is there an IPFire Bug Bounty?

Please feel free to contact me if you need more information,

None of these details are publicly available. The advisory, screenshots and video are shared with you here only, for security reasons.

Yann CAM - Security Consultant @ASafety and IPFire user | yann.cam@asafety.fr

MichaelTremer
Core Developer
Posts: 5799
Joined: August 11th, 2005, 9:02 am

Re: IPFire <= 2.17 Core Update 99 - Multiple vulnerabilities

Post by MichaelTremer » April 4th, 2016, 11:33 am

Hi Yann,

thank you for the report. I have moved it to a private area to investigate the issue.

It would have been nice to not disclose all information right away and to contact us on our bug tracker where you can check a "security issue" checkbox so that the issue is not public for now. This is only a support forum for user support and I was alerted by another user.

We can use this thread to talk to each other in private for now and will make this public as soon as a fix is available.

-Michael
Support the project with our Donation Challenge!

Get Commercial Support for IPFire and more from Lightning Wire Labs!


MichaelTremer
Core Developer
Posts: 5799
Joined: August 11th, 2005, 9:02 am

Re: IPFire <= 2.17 Core Update 99 - Multiple vulnerabilities

Post by MichaelTremer » April 4th, 2016, 11:38 am

ycam wrote:I'm posting this topic here on the forum because I have never received an activation email from https://bugzilla.ipfire.org/, and you don't provide a specific mail address for security issues.


[root@mail01 ~]# grep asafety /var/log/maillog
Apr  3 23:45:46 mail01 postfix/smtp[13357]: CB22AA21: to=<yXXXXm@asafety.fr>, relay=spool.mail.gandi.net[217.70.184.6]:25, delay=5.5, delays=0.92/0/2.4/2.1, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as D827517801C)
Apr  4 13:35:04 mail01 postfix/smtp[7315]: 3C70F259: to=<yXXXXm@asafety.fr>, relay=spool.mail.gandi.net[217.70.184.6]:25, delay=1.3, delays=0.17/0.02/0.8/0.28, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 698A9142217)
Your registration email seems to have been delivered to your ISP.

ycam
Posts: 6
Joined: April 3rd, 2016, 9:45 pm

Re: IPFire <= 2.17 Core Update 99 - Multiple vulnerabilities

Post by ycam » April 4th, 2016, 11:50 am

Hello,

Thanks for putting this topic in private.
I also tried to send the details to an admin through PM, but it seems to be disabled on your forum.

I just tried registering again on https://bugzilla.ipfire.org with another email address "yann.cam@gmail.com" and no mail was received... I checked the spam folder too.

Do you see event logs for this email address?

I agree, creating a BugTracker issue is better than a forum topic, but I thought that the BugTracker wasn't used anymore (HTTPS untrusted, registration email not received, etc.).

Sorry for the confusion.

Can you enable my account manually on the BugTracker if I can't receive email?

Sincerely,

MichaelTremer
Core Developer
Posts: 5799
Joined: August 11th, 2005, 9:02 am

Re: IPFire <= 2.17 Core Update 99 - Multiple vulnerabilities

Post by MichaelTremer » April 4th, 2016, 12:34 pm

ycam wrote:Do you see event logs for this email address?

I agree, creating a BugTracker issue is better than a forum topic, but I thought that the BugTracker wasn't used anymore (HTTPS untrusted, registration email not received, etc.).
This is what I get in the logs. Really interesting:


Apr 04 13:42:29 web02.ipfire.org postfix/cleanup[30488]: AEC076272A: message-id=<20160404114229.AEC076272A@web02.ipfire.org>
Apr 04 13:42:29 web02.ipfire.org postfix/qmgr[13891]: AEC076272A: from=<bugzilla@ipfire.org>, size=1816, nrcpt=1 (queue active)
Apr 04 13:42:30 web02.ipfire.org postfix/local[30490]: AEC076272A: to=<=?UTF-8?Q?yann=2Ecam=40gmail=2Ecom?=@web02.ipfire.org>, orig_to=<=?UTF-8?Q?yann=2Ecam=40gmail=2Ecom?=>, relay=local, delay=0.43, delays=0.27/0.01/0/0.15, dsn=5.1.1, status=bounced (unknown user: "=?utf-8?q?yann=2ecam=40gmail=2ecom?=")
ycam wrote:Can you enable my account manually on the BugTracker if I can't receive email?
I did so and sent you a PM.

The bugtracker is totally in use. We just don't have a publicly signed certificate on it. We use our own CA for "internal" things like this: http://certs.ipfire.org/ca.pem

MichaelTremer
Core Developer
Posts: 5799
Joined: August 11th, 2005, 9:02 am

Re: IPFire <= 2.17 Core Update 99 - Multiple vulnerabilities

Post by MichaelTremer » April 4th, 2016, 12:36 pm

To get back to topic: Do you have any hints on how we best implement a CSRF token to our web services?

This vulnerability comes with no surprise. You have seen the untidy code that we inherited from IPCop. We are actually rewriting this totally from scratch, hence I am looking for a good fix, but maybe not for the most beautiful solution. Of course we will have to patch this though.

Just wanted to check if the solution that I came up with has been implemented somewhere else before.

ycam
Posts: 6
Joined: April 3rd, 2016, 9:45 pm

Re: IPFire <= 2.17 Core Update 99 - Multiple vulnerabilities

Post by ycam » April 4th, 2016, 12:56 pm

Ok, PM received, logged in to BugZilla, and default password changed. Thank you.
I'll report this topic as a "security" ticket in BugZilla.

Concerning the CSRF point:
MichaelTremer wrote:To get back to topic: Do you have any hints on how we best implement a CSRF token to our web services?

This vulnerability comes with no surprise. You have seen the untidy code that we inherited from IPCop. We are actually rewriting this totally from scratch, hence I am looking for a good fix, but maybe not for the most beautiful solution. Of course we will have to patch this though.

Just wanted to check if the solution that I came up with has been implemented somewhere else before.
You need to know that no anti-CSRF mechanism is useful and sufficient if even one XSS (GET, stored, DOM or reflected) is present in a web application.

There are 3 main mechanisms to protect against CSRF attacks:
- Referer checking (good but insufficient if an XSS is discovered)
- CSRF token (best method, but insufficient if an XSS is discovered too)
- "document.opener" analyzer on client-side with JavaScript (undocumented method, insufficient because controls are done client-side).

It's recommended to implement at least the first two methods, on ALL pages that receive form data.

To prevent CSRF attacks you must track down and fix all XSS attack vectors on the administration web console.

A few years ago I wrote an article presenting these attacks, countermeasures and techniques (in French) here: https://www.asafety.fr/vuln-exploit-poc ... -with-xss/

An action plan could be:
- Check that all pages of the web administration verify the Referer before processing input data
- Implement in all forms an additional "input type=hidden" with a random string (token). This value has to be unique and stored in the session. When the form (client-side) is submitted, the token added as a POST param is compared to the token stored in the session. If they match, the submission isn't a CSRF attack and can be processed.
- Check all Perl function calls in all *.cgi scripts in /srv/web/ipfire/cgi-bin/ that are considered dangerous (system("") for example). Check if the vars in these function calls are properly sanitized to avoid command injection.
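One way to implement the Referer check, the session-bound hidden token and the shell-free command call from the action plan above, as an added Perl example that is not code from IPFire or from the poster; the session store, the admin host:port and the demo Referer values are assumptions:

```perl
# Added example (not IPFire's code): anti-CSRF token, Referer check and a
# shell-free command call for a Perl CGI. Assumed: a server-side session
# store ($session_token below) and the admin host:port in $OWN_HOST.
use strict;
use warnings;
use MIME::Base64 qw(encode_base64);
my $OWN_HOST = 'ipfire.localdomain:444';    # assumed admin URL host:port

# Fresh 256-bit random token: generated once per session, stored server-side,
# and emitted as <input type="hidden" name="csrf_token"> in every form.
sub new_token {
    open(my $fh, '<:raw', '/dev/urandom') or die "urandom: $!";
    read($fh, my $bytes, 32) == 32 or die "short read from urandom";
    close($fh);
    (my $tok = encode_base64($bytes, '')) =~ tr{+/=}{-_}d;    # URL/HTML-safe
    return $tok;
}

# Constant-time comparison so response timing does not leak the token.
sub tokens_equal {
    my ($x, $y) = @_;
    return 0 unless defined $x && defined $y && length($x) == length($y);
    my $diff = 0;
    $diff |= ord(substr($x, $_, 1)) ^ ord(substr($y, $_, 1)) for 0 .. length($x) - 1;
    return $diff == 0 ? 1 : 0;
}

# Referer must be present and must point at our own host.
sub referer_ok {
    my ($referer) = @_;
    return defined $referer && $referer =~ m{^https?://\Q$OWN_HOST\E(?:/|\z)}i ? 1 : 0;
}

# Gate for every state-changing request: both checks must pass.
sub request_allowed {
    my (%r) = @_;    # session_token, form_token, referer
    return referer_ok($r{referer}) && tokens_equal($r{session_token}, $r{form_token}) ? 1 : 0;
}

# Third action item: pass an argument list, never a shell string, so request data is never parsed by /bin/sh.
sub run_without_shell {
    my @argv = @_;
    return (system { $argv[0] } @argv) == 0 ? 1 : 0;
}

# Demo: same-origin submission with the right token vs. a forged cross-site POST.
my $session_token = new_token();
print request_allowed(session_token => $session_token, form_token => $session_token,
    referer => "https://$OWN_HOST/cgi-bin/proxy.cgi") ? "accepted\n" : "rejected\n";
print request_allowed(session_token => $session_token, form_token => 'guess',
    referer => 'https://other.example/') ? "accepted\n" : "rejected\n";
```

The token only helps if the admin session cannot be read cross-site, which is exactly why the XSS fixes must land together with it.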

MichaelTremer
Core Developer
Posts: 5799
Joined: August 11th, 2005, 9:02 am

Re: IPFire <= 2.17 Core Update 99 - Multiple vulnerabilities

Post by MichaelTremer » April 4th, 2016, 12:57 pm

MichaelTremer wrote:Just wanted to check if the solution that I came up with has been implemented somewhere else before.
As far as I can see, the IPCop project has not reacted to your ticket (https://sourceforge.net/p/ipcop/bugs/807/) that you created three(!) years ago and this issue is still unpatched?

ycam
Posts: 6
Joined: April 3rd, 2016, 9:45 pm

Re: IPFire <= 2.17 Core Update 99 - Multiple vulnerabilities

Post by ycam » April 4th, 2016, 1:06 pm

Indeed... They have not reacted to my ticket...

But during these 3 years I've re-tested my IPCop vulnerabilities on newer IPCop versions, and this is what I observed:

2013-03-31 : IPCop Team alerted with details, PoC and video (via Sourceforge)
2013-04-09 : Second alert sent to the team (via Sourceforge)
2013-04-25 : Third alert sent to the IPCop english support forum
2013-04-25 : PoC added in private on the sourceforge bug tracker, no response
2013-04-30 : Ticket priority changed from 5 to 8, no response.
2014-02-13 : IPCop 2.1.1 released, RXSS not fixed, RCE not fixed, no news on ticket.
2014-03-03 : IPCop 2.1.2 released, RXSS not fixed, RCE not fixed, no news on ticket.
2014-04-03 : IPCop 2.1.3 released, RXSS fixed, RCE not fixed, no news on ticket.
2014-04-08 : IPCop 2.1.4 released, RXSS fixed, RCE not fixed, no news on ticket.
2014-05-02 : IPCop 2.1.5 released, RXSS fixed, RCE fixed, no news on ticket.
2014-12-21 : Public article on ASafety and public advisory

Once IPCop fixed these similar vulnerabilities (without any response to the original ticket...), I released an advisory on packetstorm here: https://packetstormsecurity.com/files/1 ... pting.html
And an article on my blog: https://www.asafety.fr/vuln-exploit-poc ... execution/

So they are patched now, but I haven't received any feedback...

For information, once the IPCop advisory was released, these vulnerabilities were given a CVE:
https://cve.mitre.org/cgi-bin/cvename.c ... -2013-7417
https://web.nvd.nist.gov/view/vuln/deta ... -2013-7417

It's quite critical...

ycam
Posts: 6
Joined: April 3rd, 2016, 9:45 pm

Re: IPFire <= 2.17 Core Update 99 - Multiple vulnerabilities

Post by ycam » April 4th, 2016, 1:19 pm

Sorry but, on the BugZilla "New ticket creation" page, where is the "security issue" checkbox that you mentioned?
I scrolled through the whole "component" field without finding "*security*" and there is no checkbox...
Screenshot: https://www.asafety.fr/data/20160404-Bu ... IPFire.PNG
(For information, each time I tried to "attach" a picture to this answer in the topic through the phpBB attachment feature, I got an "HTTP error" message and my attachment was not attached.)

Is the "security issue" status applied when the ticket is submitted?

What "component" should I choose for this ticket? Can I create it?

MichaelTremer
Core Developer
Posts: 5799
Joined: August 11th, 2005, 9:02 am

Re: IPFire <= 2.17 Core Update 99 - Multiple vulnerabilities

Post by MichaelTremer » April 4th, 2016, 1:24 pm

Hi,

please just create the ticket (or multiple) and I will do the rest.

Uploading attachments to the bugtracker should work fine. This forum is severely broken by upstream.

ycam
Posts: 6
Joined: April 3rd, 2016, 9:45 pm

Re: IPFire <= 2.17 Core Update 99 - Multiple vulnerabilities

Post by ycam » April 4th, 2016, 1:38 pm

Done here: https://bugzilla.ipfire.org/show_bug.cgi?id=11087

Sincerely,
