4A Security Analysis
0x00. Overview
0.1 Background
Some time ago I saw someone in the forum asking about penetration testing of 4A platforms. I have worked with several 4A and bastion host products, so here I summarize the 4A problems I ran into during those tests.
0.2 What 4A is
4A stands for Authentication, Account, Authorization and Audit; the Chinese name is the "unified security management platform solution". Identity authentication, authorization, auditing and account management (that is, non-repudiation and data integrity) are defined as the four major components of network security, which establishes the position and role of identity authentication in the network security system. (Baidu Encyclopedia)
0x01. Authentication
The following authentication methods are generally available:
Static Password
Dynamic Password token
USB token
The following problems exist:
1.1 Account enumeration
Account enumeration here means more than just learning which accounts exist and which do not.
    String mobileNumber = request.getParameter("mobile");
    if (StringUtils.isNotEmpty(mobileNumber)) {
        PrimaryAccount primaryAccount = new PrimaryAccount();
        primaryAccount.setMobile(mobileNumber);
        List<PrimaryAccount> paList = accountService.getPraccList(primaryAccount);
        if (CollectionUtils.isNotEmpty(paList)) {
            // the primary account name is resolved from the phone number alone
            username = paList.get(0).getPracctName();
        }
    }
    ......
    if (StringUtils.isBlank(errMsg)) {
        errMsg = "authentication failed";
    }
    // the resolved account name is concatenated into the message returned to the client
    String failed = "main account:" + username + " Logon 4A authentication failed, cause: " + errMsg;
    ......
As the code above shows, if you enter a mobile phone number at logon, the user name corresponding to that number is returned in the failure message when logon fails. We can then take the phone number and user name to the password retrieval page and test further.
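The failure path above reproduced in Python beside a hardened version, as an added example that is not the vendor's code. The account table and phone numbers are constructed; the hardened version returns one fixed message to the client and keeps the resolved account only in the server-side audit record.

```python
# Constructed sample data: mobile number -> primary account name (not real accounts).
ACCOUNTS = {"13800000001": "zhangsan"}


def failure_message_vulnerable(mobile: str, accounts=ACCOUNTS) -> str:
    """Mirrors the vendor logic: the account name resolved from the mobile
    number is concatenated into the message sent back to the browser."""
    username = accounts.get(mobile, "")
    return ("main account:" + username
            + " Logon 4A authentication failed, cause: authentication failed")


def failure_response_hardened(mobile: str, accounts=ACCOUNTS) -> tuple:
    """Returns (message for the client, entry for the server-side audit log).
    The client sees the same message whether or not the mobile exists; the
    resolved account name lives only in the audit entry."""
    username = accounts.get(mobile)
    client_message = "Logon failed: invalid credentials"
    audit_entry = {"mobile": mobile, "resolved_account": username,
                   "result": "auth_failed"}
    return client_message, audit_entry


def leaks_account_existence(fn, known: str, unknown: str) -> bool:
    """Review check: do a known and an unknown identifier produce
    distinguishable client responses? True means an enumeration oracle."""
    return fn(known) != fn(unknown)
```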
1.2 Lock screen bypass
One vendor's 4A platform has a lock screen function. When you click "lock screen", the 4A management interface is locked, and after re-entering the password you can enter the management platform again.
    Ext.Ajax.request({
        url : '../platform/login!lockLogin.do',
        params : { name : name, lockPwd : lockPwd },
        success : function(rsp, opt) {
            var responseArray = Ext.util.JSON.decode(rsp.responseText);
            var result = responseArray.resultStr;
            var desc = responseArray.descStr;
            // the unlock decision is taken in the browser from the server's resultStr
            if (result == true) {
                $.unblockUI();
                $("#lockPwd").val("");
                times = 0;
            } else if ......
        }
    });
As the code shows, the lock is enforced purely on the client: whenever the returned result is true the interface is unblocked, so we can use Burp to intercept and modify the response, or simply edit the JS.
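Server-side enforcement of the lock, as an added example that is not the vendor's code: the locked flag lives in the server session and every management request checks it, so a forged {"resultStr": true} in the browser changes nothing. The Session class, the PBKDF2 storage of the lock password and the 423 status are assumptions for the demo.

```python
import hashlib
import hmac
import secrets


def _hash_pw(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class Session:
    """Server-side session state (constructed for the demo; a real platform
    would look the password hash up in the account store)."""
    def __init__(self, name: str, password: str):
        self.name = name
        self.salt = secrets.token_bytes(16)
        self.pw_hash = _hash_pw(password, self.salt)
        self.locked = False
        self.failed_unlocks = 0


def lock(session: Session) -> None:
    session.locked = True


def unlock(session: Session, lock_pwd: str) -> dict:
    """The server decides; the JSON is only what the client displays."""
    ok = hmac.compare_digest(_hash_pw(lock_pwd, session.salt), session.pw_hash)
    if ok:
        session.locked = False
        session.failed_unlocks = 0
    else:
        session.failed_unlocks += 1
    return {"resultStr": ok, "descStr": "unlocked" if ok else "wrong password"}


def handle_request(session: Session, action: str) -> tuple:
    """Every management action re-checks the server-side flag, so a client
    that unblocks its own UI still gets 423 on the next request."""
    if session.locked:
        return 423, "session locked"
    return 200, action + " ok"
```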
0x02. Account
In 4A, accounts are divided into a primary account and slave accounts. A user has exactly one primary account, which uniquely identifies that user. The primary account in turn has N slave accounts, a different one for each system, so that the user can reach the systems they are allowed to access. For example
2.1 Reset user password
Http://wooyun.org/bugs/wooyun-2010-072644
In this bug, the password of another user can be reset through the change-password function. A typical account management problem.
2.2 Token
Tokens are everywhere in 4A, so if token verification is not rigorous the results can be dramatic. The following vulnerability shows what happens when the token is not properly validated.
This page is not reached by logging on through 4A; it is the website's own logon page, accessed directly.
The figure above shows that after logging on to a system through 4A, you can change the URL and the user name in the request to the administrator's when accessing the system, and the administrator's page is displayed.
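An SSO ticket that binds the primary account, the target system and the slave account with an HMAC, as an added example that is not from the post or any vendor: changing the user name or target in the request invalidates the ticket instead of being accepted. The key, ticket layout and five-minute lifetime are assumptions for the demo.

```python
import base64
import binascii
import hashlib
import hmac
import json
import time

# Constructed demo key; a deployment would use a per-installation secret.
SECRET = b"constructed-demo-key-do-not-reuse"


def issue_ticket(primary: str, system: str, slave: str, ttl: int = 300,
                 now=None, key: bytes = SECRET) -> str:
    """body.sig, where sig = HMAC-SHA256(key, body) over the canonical JSON body."""
    now = time.time() if now is None else now
    payload = {"primary": primary, "system": system, "slave": slave,
               "exp": int(now + ttl)}
    body = json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()
    sig = hmac.new(key, body, hashlib.sha256).digest()
    return (base64.urlsafe_b64encode(body).decode() + "."
            + base64.urlsafe_b64encode(sig).decode())


def verify_ticket(ticket: str, system: str, slave: str, now=None,
                  key: bytes = SECRET):
    """Returns the primary account if the ticket is intact, unexpired and was
    issued for exactly this system and slave account; otherwise None."""
    now = time.time() if now is None else now
    try:
        b64_body, b64_sig = ticket.split(".", 1)
        body = base64.urlsafe_b64decode(b64_body)
        sig = base64.urlsafe_b64decode(b64_sig)
    except (ValueError, binascii.Error):
        return None
    expected = hmac.new(key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):      # body or signature edited
        return None
    payload = json.loads(body)
    # The target is part of the signed body: a ticket for crm/crm_user01
    # cannot be replayed as crm/admin or against another system.
    if payload["exp"] < now or payload["system"] != system or payload["slave"] != slave:
        return None
    return payload["primary"]
```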
0x03. Authorization
Authorization is generally divided into:
1. User-authorized UBAC
2. user-role-based authorization RBAC
3. Resource-based authorization ABAC
The following problems exist:
3.1 Calling cmd
An important function in 4A permission allocation is resource-based authorization. For example, SecureCRT can be assigned to primary account A so that it can use SSH, and Notepad can be assigned to primary account B so that it can use Notepad. However, as we all know, cmd and other programs can be launched through the "open file" dialogs of programs such as browsers and Notepad.
For example, here the cmd window is launched directly from the assigned IE browser. What to do next is up to you.
3.2 Accessing others' resources
A "personal folder" function is generally integrated in 4A, which lets users upload files to their own folder. However, when clicking the personal folder, the user name in the request can be modified, and then other people's files can be seen.
3.3 Arbitrary file download
This is also a problem with the personal folder (or anywhere else that offers downloads): a specified file can be downloaded without restriction, which means any file can be downloaded.
    public String execute() throws FAException {
        ......
        String file = request.getParameter("file");
        String place = request.getParameter("place");
        String fileName = request.getParameter("filename");
        download(file, fileName, request, response, place);
    }

    private void download(String file, String fileName, HttpServletRequest request,
                          HttpServletResponse response, String place) throws FAException {
        ......
        // the user-supplied "file" parameter is appended to the web root with no
        // canonicalisation or traversal check
        path = (request.getSession().getServletContext().getRealPath("/") + file)
                   .replace("/", File.separator).replace("\\", File.separator);
        ......
        FileInputStream fis = new FileInputStream(path);
        ......
        response.setHeader("Content-Disposition", "attachment;filename=\"" + fileName_zh + "\"");
    }
As the code shows, the file parameter is read straight from the request and the file is served directly.
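A download resolver for the personal folder that covers both 3.2 and 3.3, as an added example that is not the vendor's code: the folder owner comes from the server-side session rather than a request parameter, and the requested name must canonicalise to a file inside that folder. The directory layout is constructed in a temp directory for the demo.

```python
import tempfile
from pathlib import Path


class DownloadError(Exception):
    pass


def resolve_download(base_dir: Path, session_user: str, requested: str) -> Path:
    """session_user is taken from the authenticated session, never from the
    request; the resolved target must stay under that user's folder."""
    if not requested or "\x00" in requested or Path(requested).is_absolute():
        raise DownloadError("bad file parameter")
    user_root = (base_dir / session_user).resolve()
    target = (user_root / requested).resolve()   # collapses ../ and symlinks
    # Compare resolved paths rather than string prefixes, so "alice2" does
    # not pass as being inside "alice".
    if target != user_root and user_root not in target.parents:
        raise DownloadError("outside personal folder")
    if not target.is_file():
        raise DownloadError("not a file")
    return target


def demo() -> dict:
    """Constructed layout: <tmp>/alice/report.txt and <tmp>/bob/secret.txt,
    with every request made by the session user 'alice'."""
    base = Path(tempfile.mkdtemp())
    (base / "alice").mkdir()
    (base / "bob").mkdir()
    (base / "alice" / "report.txt").write_text("alice's report")
    (base / "bob" / "secret.txt").write_text("bob's secret")
    results = {}
    for req in ["report.txt", "../bob/secret.txt", "/etc/passwd",
                "..\\bob\\secret.txt", "alice/../../bob/secret.txt"]:
        try:
            results[req] = resolve_download(base, "alice", req).read_text()
        except DownloadError as e:
            results[req] = "REFUSED: " + str(e)
    return results
```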
3.4 Front-end server
Some bastion hosts have front-end hosts: functions that cannot be implemented on the bastion host itself (a built-in pcAnywhere, for example, just to illustrate) are placed on a front-end host. To use pcAnywhere, you log on remotely to the front-end machine and open the pcAnywhere window there.
What is the problem? Since it is a remote logon that opens the pcAnywhere window, pressing the Windows key or Alt+Tab switches to other programs, and from there the front-end machine itself can be controlled.
The figure shows this key issue.
0x04. Audit
Audit mainly records logs of logon, access and other actions, so that non-compliant events can be found.
4.1 Forged logon IP
Web logon source IP address spoofing vulnerability in Paladi / Huawei / Jiangnan Tian'an bastion hosts
In this bug, the logon IP address is forged through X-Forwarded-For, which corrupts the logs. If the logs later need to be correlated, or non-compliance events identified from them, this has a great impact.
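Deriving the logon source address so that a client-supplied X-Forwarded-For cannot forge it, as an added example that is not from the bug report: the header is honoured only when the direct peer is one of the deployment's own reverse proxies, and the raw header is still kept in the audit record so a spoofing attempt is visible. The proxy range and addresses are constructed.

```python
import ipaddress
from typing import Optional

# Constructed: the address range of the deployment's own reverse proxies.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/8")]


def _is_trusted(addr: str) -> bool:
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in TRUSTED_PROXIES)


def logon_source_ip(remote_addr: str, xff_header: Optional[str]) -> str:
    """Walk the X-Forwarded-For chain from the right, skipping trusted proxies;
    the first untrusted hop is the client. A client that connects directly is
    recorded by its TCP peer address whatever header it sends."""
    if not _is_trusted(remote_addr) or not xff_header:
        return remote_addr
    hops = [h.strip() for h in xff_header.split(",") if h.strip()]
    for hop in reversed(hops):
        if not _is_trusted(hop):
            return hop
    return remote_addr   # every hop was a proxy: fall back to the peer


def audit_logon(user: str, remote_addr: str, xff_header: Optional[str],
                outcome: str) -> dict:
    """Record both the derived client IP and the raw header, so a header that
    disagrees with the peer address is itself an auditable event."""
    return {"user": user,
            "src_ip": logon_source_ip(remote_addr, xff_header),
            "peer": remote_addr,
            "xff_raw": xff_header or "",
            "outcome": outcome}
```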
0x05. Summary
The above only lists the problems I encountered while testing 4A and bastion host products; there are certainly many tricks I have not seen.
Writing all this up at home on New Year's Day was not easy.