Vulnerable Systems:
* Accellion File Transfer Appliance prior to version FTA_8_0_562
Immune Systems:
* Accellion File Transfer Appliance version FTA_8_0_562
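An added helper (not part of the original advisory) for mapping an appliance's reported version string onto the issues below, using the fix versions from the disclosure timeline: FTA_8_0_540 addressed issue #3 and FTA_8_0_562 the remaining items. The FTA_<major>_<minor>_<build> layout of the version string is an assumption drawn from the two versions quoted in the advisory.

```python
import re

# Fix versions and the issue numbers they address, taken from the advisory's
# disclosure timeline.
FIX_VERSIONS = {
    "FTA_8_0_540": {3},                     # 2010-12-21: issue #3 only
    "FTA_8_0_562": {1, 2, 4, 5, 6, 7, 8},   # 2011-01-17: remaining items
}
ALL_ISSUES = frozenset(range(1, 9))


def parse_fta_version(s):
    """Turn 'FTA_8_0_562' into (8, 0, 562) so versions compare numerically.

    The FTA_<major>_<minor>_<build> layout is an assumption based on the
    version strings quoted in the advisory.
    """
    m = re.fullmatch(r"FTA_(\d+)_(\d+)_(\d+)", s.strip())
    if m is None:
        raise ValueError(f"unrecognised FTA version string: {s!r}")
    return tuple(int(part) for part in m.groups())


def open_issues(version):
    """Return the set of advisory issue numbers still unpatched at `version`."""
    v = parse_fta_version(version)
    fixed = set()
    for fix_version, issues in FIX_VERSIONS.items():
        if v >= parse_fta_version(fix_version):
            fixed |= issues
    return set(ALL_ISSUES - fixed)


def is_vulnerable(version):
    """True if any of the eight issues is still open at `version`."""
    return bool(open_issues(version))


if __name__ == "__main__":
    for v in ("FTA_8_0_530", "FTA_8_0_540", "FTA_8_0_562"):
        print(v, sorted(open_issues(v)))
```

The table only encodes what the advisory states; a later release line would need its own entries before this check could vouch for it.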
1. Message Routing Daemon Default Encryption Keys
-------------------------------------------------
The appliance ships with UDP port 8812 allowed through the firewall. The port correlates to an internal service that routes messages between backend processes. To authenticate access to this service, all messages must be encrypted with a secret key using the blowfish algorithm. The appliance ships with two default keys, neither of which is random, which results in an attacker being able to communicate with the internal processes of the appliance and perform administration tasks on the appliance itself. These two default keys are 123456789ABCDEF0123456789ABCDEF0 and 0123456789ABCDEF0123456789ABCDEF, which are expanded with MD5 to create 448-bit blowfish keys.
2. MatchRep Daemon insert_plugin_meta_info() Command Injection
-------------------------------------------------
One of the applications that is exposed through the port 8812 message routing service executes a system command without sanitizing the arguments provided by the requesting application. This allows arbitrary commands to be executed on the appliance. Combined with Issue #1, this allows remote, unauthenticated command execution on the appliance as the "soggycat" user, which is root equivalent (sudo rights). Rapid7 has developed a Metasploit module[***] to chain these vulnerabilities and will release this module in early March.
3. Remote Administration TTY Check Bypass
-------------------------------------------------
The appliance ships with a default login of admin/accellion. To reduce the risk of remote attack, this account is not allowed to login over Secure Shell. The implementation of this security check has a flaw and it is still possible to configure an out-of-box Accellion appliance remotely through SSH, simply by executing a shell without a TTY: (ssh admin@target 'sh')
4. Static Passwords for Privileged User Accounts
-------------------------------------------------
The secure shell daemon is running by default and the system is configured with static passwords for a number of root-equivalent accounts. It is possible to crack these passwords and gain access to any Accellion system with the secure shell daemon exposed. The scope of our research did not provide time to crack these passwords, but it's just a question of resource allocation. These accounts include "soggycat", "sdadmin", and the "root" user account itself.
5. Remote Access via Stale SSH Authorized Keys
-------------------------------------------------
The "soggycat" user account has a static password, as mentioned previously, but also has two SSH keys configured for passwordless login. These keys were generated over eight years ago and should have been changed to reduce the risk of exposure. The comments of these two keys are worrying as well:
[root@fta soggycat]# grep -i comment .ssh2/*.pub
.ssh2/theone.pub:Comment: "i am going to kiiiiiiiiiiiiill you"
.ssh2/thetwo.pub:Comment: "1024-bit dsa, kelvin@admin.c1s1.net, Mon Feb 25 2002 05:31:0
6. Weak MySQL Password for "root" Account
-------------------------------------------------
This issue is not exploitable by default due to firewall configuration of the appliance, but it points to larger problems with the design of the system. The root password for the MySQL server is simply "hawksql" and all users of the system are able to read this password within various configuration files. At the least, a non-root MySQL user account should be used to reduce the risk of attack due to SQL Injection flaws in the rest of the application.
7. Internal Daemons not Bound to Loopback Interface
-------------------------------------------------
This issue is not exploitable by default due to firewall configuration of the appliance. All internal services communicate through UDP services bound to the 0.0.0.0 address. This exposes the internal workings of the appliance to an attacker with network access to the system. For example, a local user account without administrative rights would still be able to escalate privileges by communicating with these internal services.
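An added audit script (not part of the original advisory) illustrating how an administrator can confirm that internal UDP services are bound to the loopback address rather than 0.0.0.0 or ::. It parses output in `netstat -ulnp` layout; the sample output, the set of ports treated as loopback-only, and the process names are all constructed for this example and do not describe the appliance's real daemons.

```python
import ipaddress

# Constructed sample in `netstat -ulnp` layout. Ports and program names are
# placeholders for this example, not the appliance's actual services.
SAMPLE_NETSTAT = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
udp        0      0 0.0.0.0:8812            0.0.0.0:*                           101/router-daemon
udp        0      0 127.0.0.1:8815          0.0.0.0:*                           102/backend-worker
udp        0      0 :::8816                 :::*                                103/backend-worker
udp        0      0 192.0.2.10:123          0.0.0.0:*                           104/ntpd
"""

# Ports that, by the operator's policy, must only be reachable over loopback
# (an assumed policy for this example).
INTERNAL_ONLY_PORTS = {8812, 8815, 8816}


def parse_local_endpoint(field):
    """Split netstat's 'host:port' column, keeping IPv6 forms such as ':::8816' intact."""
    host, _, port = field.rpartition(":")
    return host, int(port)


def is_wildcard(host):
    """True for the unspecified address (0.0.0.0, ::) or netstat's '*' placeholder."""
    if host in ("*", ""):
        return True
    try:
        return ipaddress.ip_address(host).is_unspecified
    except ValueError:
        return False


def udp_wildcard_listeners(netstat_output, internal_only_ports=INTERNAL_ONLY_PORTS):
    """Return (port, program) pairs for internal-only UDP sockets bound to all interfaces."""
    findings = []
    for line in netstat_output.splitlines():
        cols = line.split()
        # Skip the header and anything that is not a UDP socket line.
        if len(cols) < 4 or not cols[0].startswith("udp"):
            continue
        host, port = parse_local_endpoint(cols[3])
        program = cols[-1] if len(cols) >= 5 else "?"
        if port in internal_only_ports and is_wildcard(host):
            findings.append((port, program))
    return findings


if __name__ == "__main__":
    for port, program in udp_wildcard_listeners(SAMPLE_NETSTAT):
        print(f"UDP {port} ({program}) listens on all interfaces; expected loopback only")
```

Run against real `netstat -ulnp` output, any hit is a service that relies on the host firewall alone for isolation, which is exactly the condition this issue describes.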
8. Rsync Daemon Allows Access to Privileged User Home Directory
-------------------------------------------------
This issue is not exploitable by default due to firewall configuration of the appliance. The rsync daemon allows read/write access to the "soggycat" home directory. Since this user account is root-equivalent, any attacker that can talk to the rsync daemon can take full control of the appliance.
Disclosure Timeline:
2010-10-21 - Issue #3 was reported to Accellion
2010-12-06 - Issues #1, #2, #4, #5, #6, #7, #8 reported to Accellion
2010-12-20 - A reminder of the Rapid7 disclosure policy was sent to Accellion
2010-12-21 - Accellion responds with a fix date of January 2011
2010-12-21 - Accellion releases FTA_8_0_540 to address #3
2011-01-17 - Accellion releases FTA_8_0_562 to address remaining items
2011-02-07 - Detailed advisory released