© RANDORISEC 2017 - Version 1.0 - March 28, 2017
PENTEST REPORT
TLP:WHITE
This report is classified TLP:WHITE. TLP:WHITE is information that is for public, unrestricted dissemination, publication, web-posting or broadcast. Any member of the Information Exchange may publish the information, subject to copyright.
TheHive Pentest Report
CLASSIFICATION: PUBLIC / TLP:WHITE
1. Executive Summary
TheHive [1] is a free and open-source security incident response platform. It relies on Cortex [2] to analyze observables (IP addresses, email addresses, domain names, etc.). Both tools were designed and developed by TheHive Project [3].
A penetration test, which followed the WAHH [4] methodology, was performed by RANDORISEC to assess the security level of the platform. We tested TheHive Buckfast 0 (version 2.10.0) and Cortex version 1.0.0.

Positive Points
We were unable to access the web application anonymously. We were also unable to elevate our privileges without resorting to social engineering tricks.

Negative Points
We have identified a critical vulnerability (Stored Cross-Site Scripting) along with a few less critical ones (Reflected Cross-Site Scripting, Vertical privilege escalation, Concurrent sessions allowed, No account lockout policy, No password policy, Information leakage and Cross-Site Request Forgery).
By exploiting these vulnerabilities, an attacker could trick users into executing malicious code in their browsers and/or computers, or try to brute-force the authentication mechanism. This could lead to illegitimate access or privilege escalation. The only critical vulnerability we found does not come directly from TheHive code but from a dependency. The developers have been made aware of the vulnerabilities prior to the publication of this report, according to the responsible disclosure policy [5]. They assured RANDORISEC that most if not all vulnerabilities would be fixed in Buckfast 2 (version 2.10.2), due in April 2017.
We also found some low severity vulnerabilities. They are mainly located in the access part (session handling and authentication) and should not be very challenging to fix.

[1] https://github.com/CERT-BDF/TheHive
[2] https://github.com/CERT-BDF/Cortex
[3] https://thehive-project.org/
[4] Web Application Hacker's Handbook.
[5] https://vuls.cert.org/confluence/pages/viewpage.action?pageId=4718642
Contents
1. Executive Summary
1. Introduction
2. Vulnerabilities
3. Recommendations
4. Detailed findings
5. Appendices
1. Introduction
1.1. Test Period and Duration
The pentest was performed in 4 man-days spanning several weeks, starting from February 9, 2017 and ending on March 21, 2017.

1.2. Credits
RANDORISEC and Davy Douhine, the company's CEO, would like to thank the following professionals, listed in alphabetical order, for their help performing the pentest described in this report:
- Frédéric Cikala
- Nicolas Mattiocco
- Florent Montel
- Mohamed Mrabah
- Maximilano Soler

Important Note
RANDORISEC and the pentesting professionals that joined it for this pentest have no contract with TheHive Project and did not receive any compensation of any sort to perform this pentest. RANDORISEC and the pentesting professionals listed above performed this work on their free time as a way to contribute to the security of Free, Open Source Software projects.

1.3. Perimeter and Methodology
1.3.1. Target
TheHive and Cortex applications were installed using the public Docker versions, following the instructions provided at the following location:
https://github.com/CERT-BDF/TheHive/wiki/Docker-guide---TheHive-Cortex
We performed our tests on TheHive Buckfast 0 (version 2.10.0) and on Cortex 1.0.0.
1.3.2. Restrictions
No restrictions were made.

1.3.3. Test cases
As the mission we took upon ourselves was a pentest and not an audit, this report contains only the vulnerabilities that were found. However, all the main areas that were checked are listed in the appendices at the end of this document.

1.4. Confidentiality
This report and its appendices are classified TLP:WHITE according to Trusted Introducer's ISTLP v1.1 [6].

[6] https://www.trusted-introducer.org/ISTLPv11.pdf
2. Vulnerabilities
Severity levels result from the combination of their impact with their probability of occurrence, which is quantified according to the following scale: Low (L) - yellow / Medium (M) - orange / High (H) - red.
Note: Only proven or very plausible vulnerabilities are listed. When the tests were not able to highlight significant security holes, those will not be mentioned (unless the test was explicitly part of the request).

Ref. / Title / Target(s) / Description / Risk(s) / Severity level

AP.1  Stored XSS
      Target(s): TheHive
      Description: Malicious JavaScript code can be injected. It will then be executed in the victim's browser.
      Risk(s): User impersonation
      Severity: H

AP.2  Reflected XSS
      Target(s): TheHive, Cortex
      Description: Malicious JavaScript code can be injected. It will then be executed in the victim's browser.
      Risk(s): User impersonation
      Severity: L

AP.3  Vertical privilege escalation
      Target(s): TheHive
      Description: An authenticated simple user can have access to some admin menus.
      Risk(s): Facilitates session usurpation
      Severity: L

AP.4  Concurrent sessions allowed
      Target(s): TheHive
      Description: Concurrent sessions are allowed for a single user.
      Risk(s): Facilitates session usurpation
      Severity: L

AP.5  No account lockout policy
      Target(s): TheHive
      Description: The authentication system can be brute-forced.
      Risk(s): Facilitates user impersonation
      Severity: L

AP.6  No password policy
      Target(s): TheHive
      Description: As no password policy is enforced when using the local database for storing user credentials, users can set weak passwords (e.g. containing only one character).
      Risk(s): Facilitates user impersonation
      Severity: L
AP.7  Information leakage
      Target(s): TheHive
      Description: Information such as installed software versions (TheHive, ElasticSearch) is publicly available.
      Risk(s): Sensitive info leak
      Severity: L

AP.8  CSRF
      Target(s): TheHive
      Description: As no anti-CSRF tokens are used, TheHive is vulnerable to CSRF attacks.
      Risk(s): Illegitimate access
      Severity: L
3. Recommendations
Action / Ref. / Severity / Target(s) / Improvement suggestions / Difficulty

1  AP.1, AP.2  Severity: H  Target(s): TheHive, Cortex  Difficulty: 3
   If possible, use a white list at the application level by defining the expected characters rather than refusing the dangerous ones. If that's not a possibility, the application should filter meta-characters from user input. When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules.

2  AP.3  Severity: L  Target(s): TheHive  Difficulty: 2
   Deny access to admin pages to non-admin users.

3  AP.4  Severity: L  Target(s): TheHive  Difficulty: 2
   Only allow one session per user at any given time.

4  AP.5  Severity: L  Target(s): TheHive  Difficulty: 2
   Enforce an account lockout policy.

5  AP.6  Severity: L  Target(s): TheHive  Difficulty: 2
   Implement a password policy, or use LDAP or AD authentication and ensure your LDAP/AD enforces a password policy.
6  AP.7  Severity: L  Target(s): TheHive  Difficulty: 2
   Deny access to potentially sensitive information to anonymous, non-authenticated users.

7  AP.8  Severity: L  Target(s): TheHive  Difficulty: 2
   Implement anti-CSRF tokens.
4. Detailed findings
4.1. AP.1 - Stored XSS
TheHive is vulnerable to two HTML and JavaScript stored injections, also known as Stored Cross-Site Scripting vulnerabilities. They could be used by authenticated users to elevate their privileges, by hijacking an admin's session for example. The vulnerabilities are located in the Observables functionality and in the Observable management. The screenshots below show that the code will be executed in the victim's browser.

1. First Stored XSS: Observables
Attack scenario: An authenticated user with write access (as defined in the user management page) creates an observable on a case and puts a malicious JavaScript payload as the value of the observable:
The JavaScript payload used to test this vulnerability is: <script>alert(/XSS/)</script>
The observable item is created:
Then, if a user that can access the case launches one or many analyzers (for example by clicking on the Run all analyzers link) on this observable:
The payload will be triggered:

2. Second Stored XSS: Observables management
Attack scenario: An authenticated user with admin access (as defined in the user management page) creates a new observable data type and puts a malicious JavaScript payload as the value of the data type:
The JavaScript payload used to test this vulnerability is:
"><svg onload=confirm(/XSSagain/)>
The new observable data type is created:
If another admin user tries to delete this new data type, the payload will be triggered:
The response page shows the JavaScript payload:
Then the data type will be deleted. This particular behavior of "One-shot Stored XSS" is quite interesting, as it could be used to attack administrators without leaving evidence. However, the prerequisites to exploit it (admin access to TheHive) lower the risk of an exploitation using this particular attack vector.
The root of the vulnerability comes from the angular-ui-notification library, which seems to trust inputs as HTML: https://github.com/alexcrack/angular-ui-notification
An issue has been opened on GitHub: https://github.com/alexcrack/angular-ui-notification/issues/86
Targets: TheHive
Risk(s): User impersonation
Recommendation: If possible, use a white list at the application level by defining the expected characters rather than refusing the dangerous ones. If that's not a possibility, the application should filter meta-characters from user input. When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules.
Severity: High
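As an added illustration (this is example code, not TheHive or angular-ui-notification code), the two payloads quoted in this finding are rendered into a notification string by plain interpolation, which is what a library that trusts its input as HTML amounts to, and then again with HTML escaping applied at the point of insertion. The template, the notification wording and the function names are made up for the example. The point it makes is that, whatever input filtering is also done, the durable fix for this class of bug is contextual output encoding where untrusted data meets markup: the second payload breaks out of an attribute rather than injecting an element, and no character whitelist on the observable value catches both cases as reliably as escaping does.

```javascript
// Added example (not TheHive or angular-ui-notification code): the observable
// payloads from AP.1 rendered once without and once with HTML escaping.

// Payloads quoted in the finding.
const PAYLOAD_SCRIPT = "<script>alert(/XSS/)</script>";
const PAYLOAD_SVG = '"><svg onload=confirm(/XSSagain/)>';

// Minimal escaping for text placed into an HTML element body or into a
// double-quoted attribute value. Ampersand goes first so that the entities
// produced by the later replacements are not escaped twice.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Vulnerable rendering (hypothetical template): the observable value and the
// data type land in the markup unchanged, so "<script>" becomes a script
// element and '">' closes the data-type attribute and opens a new tag.
function renderNotificationUnsafe(dataType, value) {
  return `<div class="notification" data-type="${dataType}">` +
         `Analyzer started on ${value}</div>`;
}

// Hardened rendering: every untrusted fragment is escaped at the point it is
// inserted, for both the attribute and the element body.
function renderNotificationSafe(dataType, value) {
  return `<div class="notification" data-type="${escapeHtml(dataType)}">` +
         `Analyzer started on ${escapeHtml(value)}</div>`;
}

// Crude check used only to illustrate the difference: does the markup contain
// a tag that did not come from the template?
function containsInjectedTag(html) {
  return /<script|<svg/i.test(html);
}
```

The same escaping is what the framework's own text binding does for free; the bug appears only where a value is handed to a binding or library that deliberately treats it as HTML, so the review question for each notification is whether the message really needs markup at all.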
4.2. AP.2 - Reflected XSS
TheHive and Cortex are vulnerable to several HTML and JavaScript reflected injections, also known as Reflected Cross-Site Scripting vulnerabilities. They could be used by authenticated users to elevate their privileges by hijacking an admin's session, or by anonymous users to impersonate an authenticated user's session, for example. The vulnerabilities are located in the new analysis functionality of Cortex and in the handling of error messages at TheHive's level. However, exploitation of the latter is very unlikely, as it needs Internet Explorer 11 with compatibility mode enabled.

1. Reflected XSS in Cortex
Attack scenario: A user with access to Cortex [7] starts a new analysis and puts a malicious JavaScript payload in the Data field:

[7] Please note that Cortex does not use any kind of authentication and must not be exposed on public networks.
The JavaScript payload used to validate the vulnerability is: <script>alert(/XSS/)</script>
The following screenshot shows that the code is executed:
An excerpt of the response page showing the JavaScript payload is shown below:

2. Reflected XSS in TheHive
Attack scenario: An anonymous user sends a link containing a JavaScript payload (or a link to it) like the following:
http://1.1.1.8:8080/api/login?<script>alert("TheHive_vulnerable_to_XSS_;)")</script>
If opened, the code is executed:
However, the response page states that the content is not HTML (but "text/plain"), so exploitation using this attack vector is very unlikely, as the victim has to run an old version of Internet Explorer, or Internet Explorer 11 with compatibility mode enabled. Sending the X-Content-Type-Options: nosniff header on this response would remove even that case, since it tells Internet Explorer not to sniff a text/plain body as HTML.
The root of the vulnerability comes from the angular-ui-notification library, which seems to trust inputs as HTML: https://github.com/alexcrack/angular-ui-notification
An issue has been opened on GitHub: https://github.com/alexcrack/angular-ui-notification/issues/86

Targets: TheHive, Cortex
Risk(s): User impersonation
Recommendation: If possible, use a white list at the application level by defining the expected characters rather than refusing the dangerous ones. If that's not a possibility, the application should filter meta-characters from user input. When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules.
Severity: Low
4.3. AP.3 - Vertical privilege escalation
An authenticated user with read-only access can use admin functionality and list the users created in the database.
Here is a screenshot of a request asking to list the users, and the response:
The request used is:

    POST /api/user/_search?range=0-10 HTTP/1.1
    Host: thehive.randorisec.fr:8080
    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:51.0) Gecko/20100101 Firefox/51.0
    Accept: application/json, text/plain, */*
    Accept-Language: es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3
    Referer: http://thehive.randorisec.fr:8080/index.html
    Content-Type: application/json;charset=utf-8
    Content-Length: 22
    Cookie: PLAY_SESSION=6b5415864c48577fc69186629e5bcf1f7b40b57c-username=maxi2&expire=1489027489081
    Connection: close

    {"query":{"_any":"*"}}

A malicious user could use this to list the other users and then try to discover their passwords.

Targets: TheHive
Risk(s): Facilitates session usurpation
Recommendation: Deny access to admin pages to non-admin users.
Severity: Low
4.4. AP.4 - Concurrent sessions allowed
Concurrent sessions are allowed.
If an attacker finds a way to hijack a session, it could go unnoticed by the legitimate user.

Targets: TheHive
Risk(s): Facilitates session usurpation
Recommendation: Only allow one session per user at any given time.
Severity: Low

4.5. AP.5 - No account lockout policy
An attacker could brute-force the authentication system without being stopped or even slowed down.
Here is a screenshot showing a brute-force of 1000 requests against the login page:
With this issue an attacker could try to discover a user's password.

Targets: TheHive
Risk(s): Facilitates session usurpation
Recommendation: Enforce an account lockout policy.
Severity: Low
4.6. AP.6 - No password policy
No password policy is enforced in TheHive when using the local database for storing user credentials. Users can thus set weak passwords (e.g. containing only one character) when changing their password.
This could help an attacker find valid credentials.

Targets: TheHive
Risk(s): Facilitates session usurpation
Recommendation: Implement a password policy, or use LDAP or AD authentication and ensure your LDAP/AD enforces a password policy.
Severity: Low
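As an added illustration of the two controls recommended for AP.5 and AP.6 (example code, not TheHive's own), a small login guard that locks an account after repeated failures inside a sliding window, together with a password policy check for local-database accounts. The thresholds (5 failures, a 15-minute window and lockout, a 12-character minimum) and the function names are assumptions chosen for the example, not values the report prescribes; a real deployment would also persist the counters so that they survive a restart and apply them per source address as well as per account.

```javascript
// Added example (not TheHive code): account lockout (AP.5) and password
// policy (AP.6). All thresholds below are assumptions for the example.

const MAX_FAILURES = 5;              // failures allowed inside the window
const WINDOW_MS = 15 * 60 * 1000;    // sliding window for counting failures
const LOCKOUT_MS = 15 * 60 * 1000;   // how long an account stays locked
const MIN_PASSWORD_LENGTH = 12;

class LoginGuard {
  constructor() {
    this.failures = new Map();    // login -> failure timestamps (ms) in window
    this.lockedUntil = new Map(); // login -> timestamp (ms) until which login is refused
  }

  isLocked(login, now) {
    const until = this.lockedUntil.get(login);
    return until !== undefined && now < until;
  }

  // Record a failed attempt; lock the account once the window holds too many.
  // Returns true when this failure triggered the lockout.
  recordFailure(login, now) {
    const recent = (this.failures.get(login) || []).filter(t => now - t < WINDOW_MS);
    recent.push(now);
    this.failures.set(login, recent);
    if (recent.length >= MAX_FAILURES) {
      this.lockedUntil.set(login, now + LOCKOUT_MS);
      this.failures.delete(login);
      return true;
    }
    return false;
  }

  recordSuccess(login) {
    this.failures.delete(login);
    this.lockedUntil.delete(login);
  }

  // Wraps the credential check: a locked account is refused before the
  // password is even looked at, so guesses against it do no useful work.
  // checkCredentials(login, password) is whatever the local database does.
  attempt(login, password, checkCredentials, now) {
    if (this.isLocked(login, now)) return { ok: false, reason: "locked" };
    if (checkCredentials(login, password)) {
      this.recordSuccess(login);
      return { ok: true };
    }
    const locked = this.recordFailure(login, now);
    return { ok: false, reason: locked ? "locked" : "invalid" };
  }
}

// Password policy applied when a local-database password is set or changed.
// Returns the list of violations; an empty list means the password passes.
function checkPasswordPolicy(password, login) {
  const problems = [];
  if (password.length < MIN_PASSWORD_LENGTH) problems.push("too short");
  if (login && password.toLowerCase().includes(login.toLowerCase())) problems.push("contains login");
  if (/^(.)\1*$/.test(password)) problems.push("single repeated character");
  return problems;
}
```

The guard answers "locked" for the right password too while the lockout lasts; that is the intended trade-off (an attacker can lock a known login out on purpose), which is why the lockout is short and why the recommendation pairs it with a password policy rather than relying on either alone.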
4.7. AP.7 - Information leakage
Information such as installed software versions (TheHive, ElasticSearch) is publicly available.
Here is a screenshot showing an anonymous request and the response with the version information:
This could help an attacker in their reconnaissance phase.

Targets: TheHive
Risk(s): Facilitates session usurpation
Recommendation: Deny access to this information to anonymous, non-authenticated users.
Severity: Low
4.8. AP.8 - CSRF (Cross-Site Request Forgery)
As no anti-CSRF tokens are used, TheHive is vulnerable to CSRF attacks.
Here is a screenshot showing an authenticated request, without anti-CSRF token, sent to create a user:
By using social engineering tricks (or a stored XSS) an attacker could trick an admin into launching the following request, which will create a user and grant illegitimate access:
    <html>
    <!-- Proof of concept: a page under the attacker's control that makes the victim's
         browser send a user-creation request to TheHive with the victim's session.
         "hacker11" / "hacker4" are the test values used during the pentest. -->
    <script>
    function jsonreq() {
        var xmlhttp = new XMLHttpRequest();
        // withCredentials makes the browser attach the victim's PLAY_SESSION cookie.
        xmlhttp.withCredentials = true;
        xmlhttp.open("POST", "http://thehive.randorisec.fr:8080/api/user", true);
        xmlhttp.setRequestHeader("Content-Type", "application/json");
        xmlhttp.send('{"roles":["read","write","admin"],"login":"hacker11","name":"hacker11 hacker11","password":"hacker4"}');
    }
    jsonreq();
    </script>
    </html>
However, as written this request is blocked by modern browsers: because it carries a JSON content type, the cross-origin XMLHttpRequest is subject to the Same-origin policy (SOP) and triggers a CORS preflight, and without a CORS policy on TheHive allowing the attacker's origin the browser never sends the POST. Nonetheless, this vulnerability should be taken into consideration, as a loosely configured CORS (Cross-Origin Resource Sharing) policy could increase the probability of such an attack.
Targets: TheHive
Risk(s): Facilitates session usurpation
Recommendation: Implement anti-CSRF tokens.
Severity: Low
5. Appendices
5.1 WAHH checks
Legend: x = checked, N/A = not applicable. The finding reference follows each item where a vulnerability was found.

Recon and analysis
  x  Map visible content
  x  Discover hidden & default content
  x  Test for debug parameters
  x  Identify data entry points
  x  Identify the technologies used
  x  Map the attack surface

Test handling of access
  x  Authentication
     x  Test password quality rules  (AP.6)
     x  Test for username enumeration
     x  Test resilience to password guessing  (AP.5)
     x  Test any account recovery function
     x  Test any "remember me" function
     x  Test any impersonation function
     x  Test username uniqueness
     x  Check for unsafe distribution of credentials
     x  Test for fail-open conditions
     x  Test any multi-stage mechanisms
  x  Session handling  (AP.4)
     x  Test tokens for meaning
     x  Test tokens for predictability
     x  Check for insecure transmission of tokens
     x  Check for disclosure of tokens in logs
     x  Check mapping of tokens to sessions
     x  Check session termination
     x  Check for session fixation
     x  Check for cross-site request forgery  (AP.8)
     x  Check cookie scope
  x  Access controls  (AP.3, AP.7)
     x  Understand the access control requirements
     x  Test effectiveness of controls, using multiple accounts
     x  Test for insecure access control methods (Referer, etc.)

Test handling of input
  x  Fuzz all request parameters
  x  Test for SQL injection
  x  Identify all reflected data
  x  Test for reflected XSS  (AP.2)
  x  Test for HTTP header injection
  x  Test for arbitrary redirection
  x  Test for stored attacks  (AP.1)
  x  Test for OS command injection
  x  Test for path traversal
  x  Test for script injection
  x  Test for file inclusion
  x  Test for SMTP injection
  x  Test for native software flaws (BoF, integer bugs, format strings)
  x  Test for SOAP injection
  x  Test for LDAP injection
  x  Test for XPath injection

Test application logic
  x  Identify the logic attack surface
  x  Test transmission of data via the client
  x  Test for reliance on client-side input validation
  x  Test any thick-client components (Java, ActiveX, Flash)
  x  Test multi-stage processes for logic flaws
  x  Test handling of incomplete input
  x  Test trust boundaries
  x  Test transaction logic

Assess application hosting
  N/A  Test segregation in shared infrastructures
  N/A  Test segregation between ASP-hosted applications
  N/A  Test for web server vulnerabilities
  N/A  Default credentials
  N/A  Default content
  N/A  Dangerous HTTP methods
  N/A  Proxy functionality
  N/A  Virtual hosting mis-configuration
  N/A  Bugs in web server software

Miscellaneous tests
  x  Check for DOM-based attacks
  x  Check for frame injection
  x  Check for local privacy vulnerabilities
  x  Persistent cookies
  x  Caching
  x  Sensitive data in URL parameters
  x  Forms with autocomplete enabled
  x  Follow up any information leakage
  N/A  Check for weak SSL ciphers

N/A: Not applicable