4 min readSep 30, 2021

It’s common to see applications have additional features to connect/integrate with other components across the network, from setting up webhooks, connecting to SMTP servers, syncing LDAP, and whatnot.

Hello dear readers, SinSin is here, and this time we are going to research another application to Discover a ZeroDay in it. (Reported to vendor and got it patched)

A special program announced anyone who finds a vulnerability in their scope of IP addresses will be rewarded an enormous bounty

Expect The Unexpected: Discovering fresh ZeroDay for Bounty

Well this client had lots of software and appliances all of which were completely up to date, this got me thinking, I really wanted that quote on quote enormous bounty but it needed special care, so I've decided to find ZeroDays in this program, and here is the story

This company was using a software called Sophos FastVue, this product is new and has not been around for a lot of years, so I thought why not give it a shot and start popping some ZeroDays in it

Fastvue Reporter, makes the log data from your firewall reflect real Internet usage activity. It removes images, scripts, fonts, ads, and other background traffic so you can send meaningful Internet usage reports and alerts, to the right person.

Now FastVue has multiple Reporter products which all of them were vulnerable:

Sophos Reporter
FortiGate Reporter
Palo Alto Reporter
SonicWall Reporter
Baracuda Reporter
ContentKeeper Reporter
TMG Reporter

The Poking

Let's cut to the chase, while looking around and testing functionalities, I’ve decided to test the “Active Directory / LDAP” Integration.

whenever you create a new LDAP / Active Directory setting, something called a “Source” entity is created.

An LDAP source consists of:

LDAP Server Address
Port
SSL or Not
Username
Password

when you set this information through the dashboard, next time you visit the same menu, what you’ll see is the current setting but without the password field and the application is actually reading the LDAP information from its DB through this endpoint:

Now here is the thing, as you can see in the response, we are not able to see the stored “Password”

The Vulnerability

While looking to find a way to extract the “Password”, after a lot of testing I noticed that when we update the LDAP source settings, we can change information and we don’t need to provide the current password, then asked myself:

What happens if we change only the LDAP Server address to attacker controlled server?

To my surprise, it was possible to change only the LDAP server address

For doing this we just need the previous step “ID” Parameter and a SetLdapSource request to update the LDAP Settings and change the Server Address.

Okay, now we have changed the server address, how can I get a hold of the password?

Root Cause Analysis

There exist a function called SetLDAP which has a logical flaw leading to the information disclosure:

(1) as you can see when we are doing an update-setting for LDAP, first the ID is received from the request and then a search is done in the Database to find the corresponding LDAP source, after retrieving the object, FastVue will use all the parameters which you sent to it to update that object, but only for the Password parameter (2) it will check if the new password is not empty and it has been sent, then updates the previous password or else it will use the current value (previous password) by default, so by changing the server IP address and not sending the password field an attacker can direct the FastVue LDAP Sync action to force authenticate to a fake LDAP server and extract the secret

The Extraction

To extract the password, now we need to force the Application to do initiate LDAP Sync so the authentication process happens and the password gets extracted. to do a Force Sync, we need to request another endpoint