Sam Pizzey

That guy with the SQL injection company name.

ClearOS WebConfig Authentication Bypass
Jan 1, 2017
ClearOS is a Linux distribution, based on Red Hat Linux and published under the GPL at http://www.clearos.com. It is designed for use on secure gateway devices, including the commercially supported ‘ClearBox’ and comes bundled with a modular system that allows users to easily set up proxy servers, VPN, email gateways, and so on. Earlier this year I discovered a flaw in an authentication mechanism that allowed an attacker to gain root access to the gateway with no credentials.

Originally this was reported to Sentry as part of their bug bounty program, who were very helpful in getting the issue resolved including coordinating with the maintainer, assisting me with testing a fix on their end and awarding a generous bounty. They respond quickly and clearly take their program very seriously!

Description

ClearOS contains a component named ‘WebConfig’ which provides a web interface to manage the configuration and day-to-day operation of the system. WebConfig is a PHP application deployed over Apache and is enabled on a default install of ClearOS. By default, only system administrators can log in to this interface; however, there are a number of plugins which allow end-users access to it, and authentication can be set up using LDAP or other backends to manage credentials.

After a user is authenticated, WebConfig sets a cookie which holds the session data. Sessions are stored inside the cookie in their entirety; there is no server-side session storage. They are encrypted to prevent tampering and information disclosure; however, research showed that the cryptography used was too weak for this purpose.

WebConfig uses a third-party PHP library for managing these sessions, and this library depends on the ‘mcrypt’ PHP module for secure operation. In the absence of this module, it silently fell back to using a weaker XOR-based cipher. Since mcrypt was not distributed by ClearOS, this weaker cipher was in use all of the time.

In addition, the use of predictable information in the session data (the user agent of the browser that the session was generated from) introduced a known plaintext that could be used to attack this encryption. The author was able to demonstrate that, if an attacker could make one HTTP request to WebConfig with a user agent of their choice, the private key could be cracked offline very quickly. This key could then be used to forge a valid session for the ‘root’ user.
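To illustrate why predictable session content is fatal to an XOR-based cipher, and what a tamper-evident cookie looks like instead, here is an added example that is not code from this post, from ClearOS or from the session library. The repeating-key XOR below is a simplified toy, not the library's actual fallback routine, and every key, name and value in it is a constructed assumption.

```python
import hashlib
import hmac
import json
from itertools import cycle

# Constructed sample values, not taken from ClearOS or the session library.
KEY = b"k3y-demo"
USER_AGENT = b"ExampleBrowser/1.0 (constructed)"
SESSION = {"user": "alice", "user_agent": USER_AGENT.decode()}


def xor_cipher(data: bytes, key: bytes) -> bytes:
    """Toy repeating-key XOR; the same call encrypts and decrypts."""
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def keystream_from_known_plaintext(ciphertext: bytes, known: bytes, offset: int) -> bytes:
    """C xor P = K: plaintext known to the client exposes the key bytes covering it."""
    segment = ciphertext[offset:offset + len(known)]
    return bytes(c ^ p for c, p in zip(segment, known))


def seal(session: dict, mac_key: bytes) -> str:
    """Hardened form: serialise, then append an HMAC-SHA256 tag over the payload.
    This gives tamper detection only; confidentiality needs an authenticated cipher."""
    payload = json.dumps(session, sort_keys=True).encode()
    tag = hmac.new(mac_key, payload, hashlib.sha256).hexdigest()
    return payload.hex() + "." + tag


def unseal(cookie: str, mac_key: bytes):
    """Return the session dict, or None when the cookie is malformed or the tag fails."""
    try:
        payload_hex, tag = cookie.split(".")
        payload = bytes.fromhex(payload_hex)
    except ValueError:
        return None
    expected = hmac.new(mac_key, payload, hashlib.sha256).hexdigest()
    # Constant-time comparison, so the check does not leak how many characters matched.
    if not hmac.compare_digest(expected.encode(), tag.encode()):
        return None
    return json.loads(payload)
```

Because the user agent in the toy session is longer than the key, the exposed keystream covers every key byte, whereas the HMAC tag stays unforgeable no matter how much of the payload is known.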

Special thanks to Dionach for their previous work on this bug in other applications using CodeIgniter, whose POC helped me realise why my original code didn’t work correctly when I was about to harm a keyboard in frustration!

Impact

This flaw, if exploited, allows an attacker access to the administrative frontend where they can manage any configuration settings or perform any action on the server.

Solution

Upgrade your WebConfig install to at least version 5.4.16. This has been pushed to the ClearOS updates system by the maintainers for both 6.* and 7.*, so if you are using the automatic updates feature you should have the fix already. If for some reason you cannot use the update, you should ensure that the mcrypt PHP module is enabled in your WebConfig PHP install. The author recommends you instead stick to the update provided by the maintainers and not try to patch manually.

Timeline

26 Oct 2016 - Reported issue to ClearOS maintainers.

26 Oct 2016 - Response received, confirming issue.

01 Nov 2016 - Update for ClearOS 7 fully deployed.

16 Nov 2016 - Update for ClearOS 6 fully deployed.

01 Jan 2017 - Public disclosure.
