新闻资讯
NEWS INFORMATION
Sophos XG防火墙身份验证绕过漏洞(CVE-2022-1040)利用分析

0x00 前言

CVE-2022-1040是一个Sophos XG防火墙的身份验证绕过漏洞,漏洞细节可参考《CVE-2022-1040 Sophos XG Firewall Authentication bypass》,本文仅在此文章的基础上补全文中未提到的技术细节。

0x01 简介

本文将要介绍以下内容:

本地恢复带有漏洞的调试环境

OpCode的寻找方法

WAN和VPN区域的利用思路

开启login disclaimer切断利用链

0x02 本地恢复带有漏洞的调试环境

在本地搭建漏洞环境时,如果自动更新了补丁,可通过以下方式恢复成带有漏洞的调试环境:

编辑文件/usr/share/webconsole/WEB-INF/web.xml

定位以下内容:

001.png

这里使用RequestCheckFilter用来过滤request请求中JSON参数是否包含不可见字符。

可以手动删除以上代码,恢复成带有漏洞的调试环境。

无法直接修改文件/usr/share/webconsole/WEB-INF/web.xml

在修改文件前需要重新挂载:mount -o remount,rw /

再次修改文件即可。

0x03 OpCode的寻找方法

原文中提到:CSC端大概有1200种模式在运行,其中有161种模式的响应类型为2

这里可以通过反编译EventBean.class找到如下代码:

002.png

经过分析后,响应类型对应的应该为requesttype,而不是responsetype

查询符合条件数据的完整命令:

003.png

输出内容:

              opcode                 | mode | requesttype---------------------------------------+------+------------- set_system_date                       |  271 |           2 update_l2tp_connection                |  227 |           2 update_pharming_protection            |  259 |           2 export_connection                     |  238 |           2 migrate_group_to_cyberoam             |  407 |           2 group_policy_mapping                  |  408 |           2 migrate_group_summary                 |  409 |           2 migrate_group_add                     |  410 |           2 change_gui_language                   |  127 |           2 tooltip                               |  454 |           2 wizardopmode                          |  156 |           2 wizardbridgemodezoneaction            |  157 |           2 wizardinterface                       |  158 |           2 wizardinternetaccess                  |  159 |           2 wizardnotification                    |  160 |           2 wizardtimezoneconf                    |  161 |           2 wizardfinish                          |  162 |           2 sslvpn_liveuser_logout                |  240 |           2 migrateuser_csvupload                 |  503 |           2 DownloadMyAccountQuarantineMail       |  463 |           2 download_certificate                  |  250 |           2 load_new_firmware                     |  243 |           2 cancel_firmware_upload                |  184 |           2 CUSTOMER_REGISTRATION_REQUEST         |  176 |           2 APPLIANCE_REGISTRATION_REQUEST        |  175 |           2 TRAIL_SUBSCRIPTION_REQUEST            |  177 |           2 SUBSCRIPTION_REQUEST                  |  178 |           2 RELEASEQUARANTINEMAILFROMMAIL         |  458 |           2 import_group                          |  406 |           2 download_ca_certificate               |  361 |           2 theme_apply                           |  323 |           2 login                                 |  151 |           2 myaccount_login                       |  451 |           2 Download_AV_MyACQuarantineMail        |  472 |           2 Download_AV_MyACQuarantMailOld        |  186 |           2 DownloadMyAccountQuarantMailOld       |  192 |           2 release_quarantine_my_ac              |  488 |           2 release_quarantine_my_ac_old          |  489 |           2 checkForApplianceUpgrade              |  602 |           2 Download_AV_QuarantineOldMail         |  189 |           2 download_backup                       |  466 |           2 dryrun_new_firmware                   |  183 |           2 download_ctr                          |  704 |           2 REGISTRATION_SYNC_WITH_SERVER         |  181 |           2 ccc_opcode_request                    | 1500 |           2 Download_AV_QuarantineMail            |  471 |           2 download_old_spam                     |  493 |           2 ReleaseQuarantineMail                 |  460 |           2 ccc_compress_dir                      | 1502 |           2 ccc_appliance_login                   |  603 |           2 ccc_login                             | 1503 |           2 delete_file                           | 1505 |           2 add_protocol_group                    |  961 |           2 update_protocol_group                 |  962 |           2 add_application                       |  963 |           2 update_application                    |  964 |           2 add_protocol_identifier               |  965 |           2 reset_to_default                      |  966 |           2 ccc_flush_sql_file                    | 1501 |           2 verify_manual_update_content          |  139 |           2 login_disclaimer_action               |  716 |           2 resend_crederntials                   |  952 |           2 sms_gw_test_connectivity              |  954 |           2 generate_captcha_code                 |  958 |           2 ccc_opcode_pull_request               |  605 |           2 renew_guest_user                      |  953 |           2 add_guest_user_log_msg                |  956 |           2 failed_sms_log                        |  957 |           2 add_guest_user                        |  746 |           2 sms_status_log_msg                    |  955 |           2 dns_static_entry_add                  |  142 |           2 update_cisco_ipsec_connection         |  344 |           2 dns_static_entry_update               |  143 |           2 system_backup_for_CCC                 |  604 |           2 usbmodem_setting_gui                  |  185 |           2 download_crl_certificate              |  350 |           2 web_cat_domain_import                 |  421 |           2 web_cat_keyword_import                |  422 |           2 wDNSServerConfiguration               |  522 |           2 getmodemdetail                        |  423 |           2 sslvpn_logout                         |  405 |           2 iview_login                           |  385 |           2 create_virtualhost_rules              |  767 |           2 create_user_iphone_ipsecprofile       |  345 |           2 CyberoamIPSAutoUpgrade                | 1202 |           2 checkcert_key                         | 1203 |           2 update_ipsec_connection               |  224 |           2 setAlertSettings                      | 1201 |           2 set_config_mmap                       | 1366 |           2 fwm:Set_BypassFirewall                | 1262 |           2 networkd:set_interface_speed          | 1263 |           2 set_mtu_mss                           | 1261 |           2 loginSecuritySettings                 | 1208 |           2 enable_appsignatures                  | 1368 |           2 set_config_mmapfilepath               | 1369 |           2 br_vlan_setting                       | 1264 |           2 upload_list_as                        | 1729 |           2 add_list_as                           | 1727 |           2 guestUsersPrintLog                    | 1216 |           2 API_Interface                         | 1655 |           2 CCC_OPCODE_READ_REQUEST               | 1551 |           2 ccc_xmlopstring_request               | 1504 |           2 API_INTERFACE_TAR                     | 1656 |           2 activate_ami_image                    | 1627 |           2 API_Interface_Set                     | 1659 |           2 Import_Export_Set                     | 1657 |           2 DOWNLOAD_EXPORT_FILE                  | 1658 |           2 Create_Unbounded_Lag                  | 1220 |           2 reportHtmlFile                        |  684 |           2 download_ap_firmware                  |  822 |           2 mlm_method                            | 1271 |           2 monitorObject                         | 1733 |           2 downloadserverconfig                  | 1754 |           2 removeconfigfile                      | 1747 |           2 uploadserverconfig                    | 1748 |           2 systemHostName                        | 1211 |           2 print_voucher                         | 1415 |           2 export_csv                            | 1413 |           2 download_hotspot_template             | 1420 |           2 u2d_validate                          | 1646 |           2 supportaccessglobalconfig             | 1739 |           2 sslvpn_liveuser_insert                |  501 |           2 download_cc_report                    | 1678 |           2 wizardsummaryconf                     |  520 |           2 red_provisioning_bundle               | 1330 |           2 download_spx_addons                   | 1679 |           2 hb_event_req                          | 3102 |           2 ep_status                             | 3103 |           2 apiExport                             | 1187 |           2 mta_add_list                          |  848 |           2 view_mailfromspool                    | 4010 |           2 usbmodem_status                       |  425 |           2 ReleaseQuarantineMailOld              |  191 |           2 DownloadQuarantineMail                |  461 |           2 upload_list                           |  701 |           2 add_list                              |   81 |           2 get_four_eye_auth_status              | 3104 |           2 update_web_user_notification_settings | 2811 |           2 apply_wizard_config                   | 2510 |           2 new_wizard_checkethernet              | 1241 |           2 new_wizard_get_ipaddress              | 1242 |           2 new_wizard_check_gatewayisreachable   | 1243 |           2 new_wizard_check_dnsworking           | 1244 |           2 new_wizard_get_values                 | 1245 |           2 get_iface_obj                         | 1281 |           2 wizard_get_unbounded_iface            | 1250 |           2 ipaddress_validation                  | 1283 |           2 get_wizard_fstatus                    | 2520 |           2 change_admin_password_scm             | 2530 |           2 allow_deny_unauth_traffic             | 3116 |           2 download_backup_for_SFM               |  515 |           2 send_feedback                         |  860 |           2 getuuid                               |  861 |           2 apply_NAT_wizard_config               | 3215 |           2 add_custom_ccl                        | 2814 |           2 download_mib_file                     | 3715 |           2 update_custom_ccl                     | 2815 |           2 SophosCentralUnregister               | 1324 |           2 SophosCentralRegistration             | 1323 |           2 SetCentralPromotionPopupState         | 8111 |           2(160 rows)

0x04 WAN和VPN区域的利用思路

参考资料:https://support.sophos.com/support/s/article/KB-000039388?language=en_US

作为额外的安全措施,从WAN和VPN区域登录Sophos XG防火墙的管理员页面添加了验证码。

原POC在测试时返回{"redirectionURL":"/webpages/login.jsp","status":-1}

分析过程可以借助日志调试信息提高效率,开启日志调试信息的方法:

执行命令:

004.png

关闭日志调试信息的方法:

再次执行csc custom debug

使用IDEA对此过程进行跟踪调试,实现验证码校验的功能位于CSRFCheckFilter.class中的doFilter()函数和validateCaptcah()函数,以及CaptchaHelper.class中的validateCaptchaChallenger()函数。

代码细节如下:

005.png

以上代码比较两部分内容是否相等:json数据中”captcha”的内容和session中”captchaChallenge”属性的内容。

json数据中”captcha”的内容可通过访问登录页面https://

session中”captchaChallenge”属性的内容需要构造有效的cookie数据包才能获得,否则返回的结果为null。构造有效的cookie数据包测试如下图:

006.png

0x05 开启login disclaimer切断利用链

当漏洞利用成功时,返回数据包的Header中会生成有效的Cookie

我在测试过程中,找到了一种简单直接的防御方法:开启login disclaimer

具体如下:

登录Web管理页面,依次选择Administartion->Admin and user settings->勾选Enable login disclaimer

开启login disclaimer后,登录时会弹出声明页面,如下图:

007.png

此时漏洞利用返回的Cookie失效。

0x06 小结

本文在技术研究的角度补全《CVE-2022-1040 Sophos XG Firewall Authentication bypass》中未提到的技术细节。