Security Advisory 09-011 – Multiple Vulnerabilities In The Accellion Secure File Transfer Web Application Allow Remote Compromise As The Root User
Accellion Secure File Transfer Appliance
Vulnerability Discovery And Development:
Portcullis Security Testing Services.
Credit for Discovery:
Tim Brown – Portcullis Computer Security Ltd.
All known versions of Secure File Transfer Appliance; the vulnerability discovered was for version FTA_7_0_259.
Accellion Secure File Transfer Appliance is an appliance-based solution used for receiving and delivering large files. It does this by allowing users to upload and download files over HTTPS. It is generally deployed in a DMZ so that it can be reached from the local network as well as from the Internet. It is based on a customised Red Hat OS running a web application that provides the user and administrative interfaces. Combining multiple vulnerabilities in the web application allows an attacker to remotely compromise the appliance as the root user:
It is also possible for an attacker with administrative access to inject arbitrary commands through the administrative interface of the web application by submitting a request that sets the SNMP community string. When a community string of “public
touch /tmp/portcullis” is set, the web application executes the command “touch /tmp/portcullis” in the context of the web server user. Using this command injection together with the printf command, arbitrary code can be uploaded to the appliance. The PHP source of the application is obfuscated, but the behaviour is most likely caused by the parameter containing the community string being passed unmodified to the system() function.
Finally, the web application is able, via sudo, to execute the script “/usr/local/bin/admin.pl” as the root user. The purpose of this script is to allow reconfiguration of the appliance, and to that end it exposes a number of functions, one of which moves a file from one arbitrary location to another. Since neither parameter is validated or sanitised, the function can be used to overwrite the script itself, for example: “/usr/local/bin/admin.pl --file_move --source=/home/admin/evil.pl --dest=/usr/local/bin/admin.pl”.
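The two weaknesses above share a root cause: untrusted parameters reach a privileged sink (system() for the community string, a root-run file move for admin.pl) without any policy check in between. The following is an added illustration of the checks a defender would expect at each sink. It is written in Python and is not the appliance's PHP or Perl code; the helper binary /usr/local/bin/set-snmp-community, the allowed move directories and the path policy are all assumptions made for the example.

```python
"""Defensive checks for the two sinks described in the advisory.

Illustrative code, not the appliance's own.  Assumptions (constructed for
this example): an SNMP config helper at /usr/local/bin/set-snmp-community
that takes the value as an argv element, and a policy that the privileged
file_move may only touch paths under a small set of allowed directories.
"""
import os
import re
import subprocess
from pathlib import Path

# Allow-list for the SNMP community string.  SNMP itself permits arbitrary
# octet strings, but an appliance has no reason to accept whitespace, quotes
# or shell metacharacters; a strict character class removes the injection
# vector entirely rather than trying to escape it.
_COMMUNITY_RE = re.compile(r"[A-Za-z0-9_.-]{1,32}")


def validate_community_string(value: str) -> bool:
    """Return True only for 1-32 characters from the allow-listed class.
    A newline, space, ';' or backtick (the advisory's vector) fails here."""
    return _COMMUNITY_RE.fullmatch(value) is not None


def build_snmp_command(value: str) -> list:
    """Build argv for the (assumed) config helper.  Using a list, not a
    string, means subprocess hands it to execve() and no shell ever parses
    the value, so even a permitted character cannot change the command."""
    if not validate_community_string(value):
        raise ValueError("rejected SNMP community string")
    return ["/usr/local/bin/set-snmp-community", "--community", value]


def apply_community_string(value: str) -> None:
    """Apply the setting; shell=False is the default and is deliberate."""
    subprocess.run(build_snmp_command(value), check=True)


# Constructed policy for the privileged file move: both endpoints must lie
# inside one of these directories.  System locations such as /usr/local/bin
# are simply never reachable, so the helper cannot be used against itself.
ALLOWED_MOVE_ROOTS = ("/home/admin/uploads", "/var/lib/fta/staging")


def _normalise(path: str) -> Path:
    """Make the path absolute and collapse '..' lexically.  A production
    helper should additionally resolve symlinks (os.path.realpath) before
    applying the policy so a link inside an allowed root cannot redirect."""
    return Path(os.path.normpath(os.path.join("/", path)))


def _is_under(path: Path, root: str) -> bool:
    try:
        path.relative_to(root)
        return True
    except ValueError:
        return False


def check_file_move(source: str, dest: str,
                    allowed_roots=ALLOWED_MOVE_ROOTS) -> bool:
    """Policy check a sudo-run helper must perform before moving anything:
    True only if both the normalised source and destination are inside an
    allowed root."""
    src, dst = _normalise(source), _normalise(dest)
    return (any(_is_under(src, r) for r in allowed_roots)
            and any(_is_under(dst, r) for r in allowed_roots))


def safe_file_move(source: str, dest: str) -> None:
    """Refuse the move unless the policy allows it; os.replace is atomic."""
    if not check_file_move(source, dest):
        raise PermissionError("file_move refused by path policy")
    os.replace(str(_normalise(source)), str(_normalise(dest)))
```

Note that the community-string check rejects rather than escapes: escaping for one shell dialect is fragile, whereas an allow-list plus an argv-style exec leaves nothing for a shell to interpret. The move policy is deliberately coarse; the point is that the set of writable destinations is fixed by the helper, not chosen by the caller.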
Proof-of-concept exploit code is available.
15/06/2009 – Vendor informed via email by Portcullis
18/08/2009 – Vendor advised the following:
This bug was reported and announced back on January 12, 2009. It was fixed in patch 7_0_287 tagged on December 12, 2008 and released live to our customers on January 12, 2009 as part of patch 7_0_296.
04/11/2009 – Publication
Copyright © Portcullis Computer Security Limited 2009, All rights reserved worldwide.
Permission is hereby granted for the electronic redistribution of this information. It is not to be edited or altered in any way without the express written consent of Portcullis Computer Security Limited.
The information herein contained may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user’s risk. In no event shall the author/distributor (Portcullis Computer Security Limited) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.