It’s common to see applications have additional features to connect/integrate with other components across the network, from setting up webhooks, connecting to SMTP servers, syncing LDAP, and whatnot.

Hello dear readers, SinSin is here, and this time we are going to research another application to Discover a ZeroDay in it. (Reported to vendor and got it patched)

A special program announced anyone who finds a vulnerability in their scope of IP addresses will be rewarded an enormous bounty

Expect The Unexpected: Discovering fresh ZeroDay for Bounty

This company was using a software called Sophos FastVue, this product is new and has not been around for a lot of years, so I thought why not give it a shot and start popping some ZeroDays in it

Fastvue Reporter, makes the log data from your firewall reflect real Internet usage activity. It removes images, scripts, fonts, ads, and other background traffic so you can send meaningful Internet usage reports and alerts, to the right person.

Now FastVue has multiple Reporter products which all of them were vulnerable:

  • Sophos Reporter
  • FortiGate Reporter
  • Palo Alto Reporter
  • SonicWall Reporter
  • Baracuda Reporter
  • ContentKeeper Reporter
  • TMG Reporter

The Poking

FastVue Reporter, LDAP Integration

whenever you create a new LDAP / Active Directory setting, something called a “Source” entity is created.

An LDAP source consists of:

  • LDAP Server Address
  • Port
  • SSL or Not
  • Username
  • Password

when you set this information through the dashboard, next time you visit the same menu, what you’ll see is the current setting but without the password field and the application is actually reading the LDAP information from its DB through this endpoint:

Getting Current LDAP Sources

Now here is the thing, as you can see in the response, we are not able to see the stored “Password”

The Vulnerability

What happens if we change only the LDAP Server address to attacker controlled server?

To my surprise, it was possible to change only the LDAP server address

Changing the LDAP Source setting

For doing this we just need the previous step “ID” Parameter and a SetLdapSource request to update the LDAP Settings and change the Server Address.

Okay, now we have changed the server address, how can I get a hold of the password?

Root Cause Analysis

(1) as you can see when we are doing an update-setting for LDAP, first the ID is received from the request and then a search is done in the Database to find the corresponding LDAP source, after retrieving the object, FastVue will use all the parameters which you sent to it to update that object, but only for the Password parameter (2) it will check if the new password is not empty and it has been sent, then updates the previous password or else it will use the current value (previous password) by default, so by changing the server IP address and not sending the password field an attacker can direct the FastVue LDAP Sync action to force authenticate to a fake LDAP server and extract the secret

The Extraction

Force Sync Request

Listening on the other side is:

Received Credentials

The vulnerability has been reported to the vendor, and they were so sharp and quick that they patched the vulnerability really fast

Thank you FastVue Team for being kind enough about the blog

https://twitter.com/fastvue/status/1426037912735404040

Hope you all enjoyed this research

See you next time…

My Twitter: https://twitter.com/Sin_Khe

My Posts: https://sinsinology.medium.com/

My Linked-In: https://www.linkedin.com/in/sina-kheirkhah-879860213/

My Slides: https://www.slideshare.net/sinakheirkhah

i enjoy finding bugs and i feel really great when i share my Knowledge and Learn Something New, So Be It