Security
Headlines
HeadlinesLatestCVEs

Headline

m-privacy TightGate-Pro Code Execution / Insecure Permissions

m-privacy TightGate-Pro suffers from code execution, insecure permissions, deletion mitigation, and outdated server vulnerabilities.

Packet Storm
#vulnerability#web#windows#linux#pdf#auth#ssh

SEC Consult Vulnerability Lab Security Advisory < 20231122-0 >

           title: Multiple Vulnerabilities  
         product: m-privacy TightGate-Pro  

vulnerable version: Rolling Release, servers with the following package
versions are vulnerable:
tightgatevnc < 4.1.2~1
rsbac-policy-tgpro < 2.0.159
mprivacy-tools < 2.0.406g
fixed version: Servers with the following package versions and higher:
mprivacy-tools_2.0.406g
tightgatevnc_4.1.2~1
rsbac-policy-tgpro_2.0.159
CVE number: CVE-2023-47250, CVE-2023-47251
impact: high
homepage: https://www.m-privacy.de/en/tightgate-pro-safe-surfing/
found: 2023-08-18
by: Daniel Hirschberger (Office Bochum)
Steven Kurka (Office Essen)
Marco Schillinger (Office Nürnberg)
SEC Consult Vulnerability Lab

                  An integrated part of SEC Consult, an Eviden business  
                  Europe | Asia

                  https://www.sec-consult.com

=======================================================================

Vendor description:

“TightGate-Pro is a ReCoB system. ReCoBS stands for Remote-Controlled Browser
System, literally translated 'remote-controlled web browser’. TightGate-Pro
physically separates the web browser execution environment from the workstation.
The system thus shields the internal network from the Internet and reliably
and preventively prevents attacks via the web browser. TightGate-Pro is the
strongest dedicated ReCoBS, because only physical outsourcing on a hardened
system permanently withstands attacks. Local virtualisations, sandboxing
systems or micro-virtualisations do not offer effective protection.
TightGate-Pro is used in public authorities, financial institutions, industrial
companies and critical infrastructures – in short, everywhere where “safe
surfing on the Internet” is indispensable at the workplace and internal
infrastructures must be reliably protected. TightGate-Pro is BSI-certified
according to EAL3+.”

Source: https://www.m-privacy.de/en/tightgate-pro-safe-surfing/

Business recommendation:

The vendor provides a patch which should be installed immediately.

SEC Consult highly recommends to perform a thorough security review of the product
conducted by security professionals to identify and resolve potential further
security issues.

Vulnerability overview/description:

  1. Code Execution
    Execution of single commands and scripts is possible with the privileges of
    the current user. Code execution is possible with any file type on the
    server and no specific permissions need to be set for the utilized file.

Vendor response (translated):
“It is intended behavior to execute arbitrary bash scripts. It is not possible
to execute arbitrary programs and libraries. There is no privilege escalation
possible with this vulnerability.”

We can confirm that it was not possible to escalate privileges during our test.

  1. Access to all Desktops (CVE-2023-47250)
    Multiple users are connecting to the same TightGate-Pro server, resulting in
    one instance of the X11 window system. Due to insecure permissions of the
    X11 sockets it is possible for any user to open arbitrary windows on the
    desktop of other users for phishing attacks or installing a keylogger
    directly.

Vendor response (translated):
"We acknowledge this issue as a important vulnerability. A fix with full
RSBAC-Jail-Separation and changed Linux-Filesystem permissions is currently
available in the “Prestable” packages:

  • mprivacy-tools_2.0.406g
  • tightgatevnc_4.1.2~1
  • rsbac-policy-tgpro_2.0.159
    These can be applied by the admin user “update". The updates will be provided
    automatically as Hotfix around 2023-10-24.”
  1. File Transfer by Abusing the Print function (CVE-2023-47251)
    TightGate-Pro allows printing PDF documents on the host system. Documents are
    transferred to the host, printed and deleted afterwards. An attacker is able
    to control the path of the transferred file and to prevent the automatic
    deletion of the file.

Vendor response (translated):
"This is not a severe finding but we already fixed it. The fixes are available
in the packages:

  • mprivacy-tools_2.0.406g
  • tightgatevnc_4.1.2~1

Now the .spool directly is always scanned for malicious data and the VNC- client
does not transfer files which contain path symbols (e.g. …/)."

  1. Outdated Update Server
    Based on disclosed version numbers the update server is running outdated software
    with known vulnerabilities. The criticality of this issue depends on the
    exploitability of these issues.

Vendor response (translated):
"The old version of thttpd is already known. This is not seen as security-relevant.
The access to the updateserver requires a previous registration of a customer-
provided SSH key, which is only available to administrators on the TightGate-Pro
instance. thttpd is isolated on the updateserver and can only read files.

Even if an attacker can write malicious updatepackages, these are still secured
by a cryptographic signature and would not be installed on TightGate-Pro instances.
We will eventually replace thttpd with lighthttpd which is still supported."

Proof of concept:

  1. Code Execution
    Code execution is possible using the context menu of any file in the VNC session
    of TightGate-Pro. Selecting “Öffnen mit” (Open with) in the context menu of any
    file and selecting the “Benutzerdefinierte Befehlszeile” (custom commandline)
    section of the menu allows to provide a custom shell command to be executed:

[advisory_ce_open_with.png]
[advisory_ce_custom_command.png]

At this point there are two possible options:
In case the selected file is a bash script typing /bin/bash as custom command
will execute the script. For this PoC the following script has been used:

#!bin/bash  
echo poc >> /home/user/testuser/Desktop/test/PoC2.txt  

In case any other file is selected a complete command can be used as well.
A possible example is listed below:
/bin/bash -c "echo poc >> /home/user/testuser/Desktop/test/PoC2.txt"

According to vendor, arbitrary code execution is not possible as programs and
libraries won’t be executed.

  1. Access to all Desktops (CVE-2023-47250)
    A normal user without special permissions has read and write access to all X11
    sockets stored in the temp folder of the user TightGate-Pro, visible in the
    following screenshot:

[advisory_desktop_access_x11_perms.png]

This allows any user for example to open dialogue boxes on the desktop of the
currently connected users as shown in the following screenshots. The command
used is listed below.

/bin/bash -c 'for i in $(ls /home/tmpdir/tmp510/.X11-unix | cut -b 2-); do DISPLAY=unix:"$i".0 zenity --password --username & done;'

[advisory_desktop_access_gui_triggered.png]

As it can be seen in the following screenshot any input to the dialogue boxes
can be read by the attacker.

[advisory_desktop_access_result.png]

  1. File Transfer by Abusing the Print function (CVE-2023-47251)
    File transfers can be triggered for PDF files which are stored in the
    /home/user/.spool/<username> directory. By setting a relative path as file
    name, the file can be stored in any user directory on the host system.
    In case the file name contains Unicode characters, deletion of the file is
    not executed after transfer and closing of the print prompt. To store a file
    on the user’s desktop, the name ..\\..\\..\\..\\..\\Desktop\\Ỻeicar.pdf
    can be used. The transfer can then be triggered by sending the
    signal SIGUSR2 to the Xtightgatevnc process:
cp eicar.pdf '/home/user/.spool/<username>/..\\..\\..\\..\\..\\Desktop\\Ỻeicar.pdf'  
pkill -u $USER --signal SIGUSR2 Xtightgatevnc  

In addition, this file transfer does not check if any malicious files are
transferred to the host system. The following screenshot shows the warning of
a malware scanner after an eicar testfile was transferred. It is therefore
possible to circumvent the malware scanner of TightGate-Pro which only runs
if the intended way of transfer, namely the TightGate-Schleuse, is used.

[advisory_file_transfer_mal_file.png]

  1. Outdated Update Server
    Access to the update server is possible with the ssh key stored at
    /etc/cu/id_ed25519 and ssh port forwarding. The ssh key is customized
    for each customer. Root access is needed to retrieve the key.
    The command used for the forwarding is listed below:
ssh -N -L 8000:localhost:85 [email protected] -i id_ed25519 -v  

Afterwards access is possible at http:127.0.0.1:8000.
The server headers return the version of the webserver:
thttpd/2.25b 29dec2003

[advisory_outdated_server.png]

This version has in sum four known vulnerabilities (high and medium) listed:

  • CVE-2006-1078
  • CVE-2006-1079
  • CVE-2007-0664
  • CVE-2009-4491

Vulnerable / tested versions:

A TightGate-Pro server with the following package versions was used
for testing:

  • tightgatevnc < 4.1.2~1
  • rsbac-policy-tgpro < 2.0.159
  • mprivacy-tools < 2.0.406g

Vendor contact timeline:

2023-10-11: Contacting vendor through [email protected] via GPG
2023-10-13: CEO of m-privacy phones us and thanks us for the advisory,
a developer will send us a written statement next week.
2023-10-16: Received a written statement of their lead developer;
the vulnerabilities #2 (Access to all Desktops) and
#3 (File Transfer by Abusing the Print function) are
confirmed and a fix is available
#1 is seen as a feature not a bug, #4 is claimed to be
prevented by hardening measures on the server, also
thttpd will be replaced by lighthttpd in the future.
2023-10-24: We ask for some clarifications regarding software
versions and advisory publication date.
2023-10-29: Vendor provides software version information and asks us
to publish the advisory after 2023-11-06.
2023-11-22: Public release of security advisory.

Solution:

Install the “Prestable” packages or wait until they are available as hotfix:

  • mprivacy-tools_2.0.406g
  • tightgatevnc_4.1.2~1
  • rsbac-policy-tgpro_2.0.159

Workaround:

None

Advisory URL:

https://sec-consult.com/vulnerability-lab/


SEC Consult Vulnerability Lab  
An integrated part of SEC Consult, an Eviden business  
Europe | Asia

About SEC Consult Vulnerability Lab  
The SEC Consult Vulnerability Lab is an integrated part of SEC Consult, an  
Eviden business. It ensures the continued knowledge gain of SEC Consult in the  
field of network and application security to stay ahead of the attacker. The  
SEC Consult Vulnerability Lab supports high-quality penetration testing and  
the evaluation of new offensive and defensive technologies for our customers.  
Hence our customers obtain the most current information about vulnerabilities  
and valid recommendation about the risk profile of new technologies.

Interested to work with the experts of SEC Consult?
Send us your application https://sec-consult.com/career/

Interested in improving your cyber security with the experts of SEC Consult?
Contact our local offices https://sec-consult.com/contact/


Mail: security-research at sec-consult dot com  
Web: https://www.sec-consult.com  
Blog: https://blog.sec-consult.com  
Twitter: https://twitter.com/sec_consult

EOF Daniel Hirschberger, Steven Kurka, Marco Schillinger / @2023

Related news

CVE-2023-47251: Vulnerability Lab

In mprivacy-tools before 2.0.406g in m-privacy TightGate-Pro Server, a Directory Traversal in the print function of the VNC service allows authenticated attackers (with access to a VNC session) to automatically transfer malicious PDF documents by moving them into the .spool directory, and then sending a signal to the VNC service, which automatically transfers them to the connected VNC client's filesystem.

CVE-2009-4492

WEBrick 1.3.1 in Ruby 1.8.6 through patchlevel 383, 1.8.7 through patchlevel 248, 1.8.8dev, 1.9.1 through patchlevel 376, and 1.9.2dev writes data to a log file without sanitizing non-printable characters, which might allow remote attackers to modify a window's title, or possibly execute arbitrary commands or overwrite files, via an HTTP request containing an escape sequence for a terminal emulator.

CVE-2007-0664: Invalid Bug ID

thttpd before 2.25b-r6 in Gentoo Linux is started from the system root directory (/) by the Gentoo baselayout 1.12.6 package, which allows remote attackers to read arbitrary files.

CVE-2006-1078

Multiple buffer overflows in htpasswd, as used in Acme thttpd 2.25b, and possibly other products such as Apache, might allow local users to gain privileges via (1) a long command line argument and (2) a long line in a file. NOTE: since htpasswd is normally installed as a non-setuid program, and the exploit is through command line options, perhaps this issue should not be included in CVE. However, if there are some typical or recommended configurations that use htpasswd with sudo privileges, or common products that access htpasswd remotely, then perhaps it should be included.

CVE-2006-1079

htpasswd, as used in Acme thttpd 2.25b and possibly other products such as Apache, might allow local users to gain privileges via shell metacharacters in a command line argument, which is used in a call to the system function. NOTE: since htpasswd is normally installed as a non-setuid program, and the exploit is through command line options, perhaps this issue should not be included in CVE. However, if there are some typical or recommended configurations that use htpasswd with sudo privileges, or common products that access htpasswd remotely, then perhaps it should be included.

Packet Storm: Latest News

Acronis Cyber Protect/Backup Remote Code Execution