It’s common to see applications have additional features to connect/integrate with other components across the network, from setting up webhooks, connecting to SMTP servers, syncing LDAP, and whatnot.
Hello dear readers, SinSin is here, and this time we are going to research another application to Discover a ZeroDay in it. (Reported to vendor and got it patched)
A special program announced anyone who finds a vulnerability in their scope of IP addresses will be rewarded an enormous bounty
Expect The Unexpected: Discovering fresh ZeroDay for Bounty
Well this client had lots of software and appliances all of which were completely up to date, this got me thinking, I really wanted that quote on quote enormous bounty but it needed special care, so I've decided to find ZeroDays in this program, and here is the story
This company was using a software called Sophos FastVue, this product is new and has not been around for a lot of years, so I thought why not give it a shot and start popping some ZeroDays in it
Fastvue Reporter, makes the log data from your firewall reflect real Internet usage activity. It removes images, scripts, fonts, ads, and other background traffic so you can send meaningful Internet usage reports and alerts, to the right person.
Now FastVue has multiple Reporter products which all of them were vulnerable:
- Sophos Reporter
- FortiGate Reporter
- Palo Alto Reporter
- SonicWall Reporter
- Baracuda Reporter
- ContentKeeper Reporter
- TMG Reporter
Let's cut to the chase, while looking around and testing functionalities, I’ve decided to test the “Active Directory / LDAP” Integration.
whenever you create a new LDAP / Active Directory setting, something called a “Source” entity is created.
An LDAP source consists of:
- LDAP Server Address
- SSL or Not
when you set this information through the dashboard, next time you visit the same menu, what you’ll see is the current setting but without the password field and the application is actually reading the LDAP information from its DB through this endpoint:
Now here is the thing, as you can see in the response, we are not able to see the stored “Password”
While looking to find a way to extract the “Password”, after a lot of testing I noticed that when we update the LDAP source settings, we can change information and we don’t need to provide the current password, then asked myself:
What happens if we change only the LDAP Server address to attacker controlled server?
To my surprise, it was possible to change only the LDAP server address
For doing this we just need the previous step “ID” Parameter and a SetLdapSource request to update the LDAP Settings and change the Server Address.
Okay, now we have changed the server address, how can I get a hold of the password?
Root Cause Analysis
There exist a function called SetLDAP which has a logical flaw leading to the information disclosure:
(1) as you can see when we are doing an update-setting for LDAP, first the ID is received from the request and then a search is done in the Database to find the corresponding LDAP source, after retrieving the object, FastVue will use all the parameters which you sent to it to update that object, but only for the Password parameter (2) it will check if the new password is not empty and it has been sent, then updates the previous password or else it will use the current value (previous password) by default, so by changing the server IP address and not sending the password field an attacker can direct the FastVue LDAP Sync action to force authenticate to a fake LDAP server and extract the secret
To extract the password, now we need to force the Application to do initiate LDAP Sync so the authentication process happens and the password gets extracted. to do a Force Sync, we need to request another endpoint
Listening on the other side is:
The vulnerability has been reported to the vendor, and they were so sharp and quick that they patched the vulnerability really fast
Thank you FastVue Team for being kind enough about the blog
Hope you all enjoyed this research
See you next time…
My Twitter: https://twitter.com/Sin_Khe
My Posts: https://sinsinology.medium.com/
My Linked-In: https://www.linkedin.com/in/sina-kheirkhah-879860213/
My Slides: https://www.slideshare.net/sinakheirkhah