Exploit breakdown — FatPipe networks WARP/IPVPN/MPVPN 10.2.2 privilege escalation
Hello and welcome,
This one is a little different from my usual write-ups of penetration testing findings. Today I’ll be taking you through the first post of a new series, “Exploit breakdown”, in which I dissect and explain exploit proofs of concept. In this article we focus on the FatPipe remote privilege escalation vulnerability that was posted on https://packetstormsecurity.com on September 28th, 2021.
FatPipe Networks
FatPipe Networks is a group of investors and patent holders focused primarily on technology for the optimization, security, and acceleration of Wide Area Networks (WANs). Some of their products include IPVPN, MPVPN, load balancers, etc. You can find more information about the company on its website.
Vulnerability summary
A privilege escalation vulnerability in FatPipe Networks’ products (specifically WARP, IPVPN, and MPVPN version 10.2.2) was discovered by the security researcher Gjoko Krstic (a.k.a. LiquidWorm) of Zero Science Lab (@zeroscience).
For those who are not familiar: a privilege escalation vulnerability allows a regular user to gain the rights of a more privileged or administrative user. Successful exploitation leads to unauthorized access to resources that are intended only for administrators.
When the HTTP POST request to the affected URL is submitted, the application sends a JSON parameter “privilege” with the value “0”, which identifies the “USER” group. Changing that parameter to “1” gives the regular user administrative rights, which is the privilege escalation.
If you think about it, this is really an Insecure Direct Object Reference (IDOR) issue that leads to an elevation of privileges.
Note: This vulnerability was published under advisory ID ZSL-2021-5685.
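To make the root cause concrete, here is an added example (my own illustration, not FatPipe’s code) of an account-update handler written the vulnerable way, where the client-supplied “privilege” field is trusted, next to a hardened version where the server decides the caller’s group from its own session state. The endpoint, the session store, the role names, and every field other than “privilege” are assumptions made for the example.

```python
"""Server-side authorization for an account-update endpoint.

Added example, not FatPipe's code: it models the flaw the advisory describes
(a client-supplied "privilege" field deciding the account's group) beside the
fix (the server decides the group from its own session state). The session
store, role names and every field except "privilege" are assumptions.
"""
import copy
import json

USER, ADMIN = "0", "1"    # group identifiers as described in the advisory

# Constructed session store (server side): session token -> account record.
SESSIONS = {
    "tok-user":  {"username": "alice", "privilege": USER,  "permissions": ["view"]},
    "tok-admin": {"username": "root",  "privilege": ADMIN, "permissions": ["view", "edit"]},
}

# Profile fields a caller may change on its own account. Group and permissions
# are deliberately absent: they are authorization state, not profile data.
SELF_EDITABLE = {"email", "description"}
PROTECTED = {"privilege", "permissions"}


def update_account_insecure(token, body):
    """Vulnerable pattern: every field of the JSON body is copied onto the
    account, so a regular user who sends "privilege": "1" becomes an admin.
    Works on a copy of the store so repeated calls stay independent."""
    account = copy.deepcopy(SESSIONS[token])
    account.update(json.loads(body))   # mass assignment of client-controlled data
    return account


def update_account_hardened(token, body):
    """Hardened pattern: the caller's group is read from server-side session
    state, protected fields are refused unless the caller is already an admin,
    and everything else passes through an allow-list."""
    account = copy.deepcopy(SESSIONS[token])
    data = json.loads(body)
    if PROTECTED & set(data) and account["privilege"] != ADMIN:
        # Refuse loudly rather than silently dropping the field, so the attempt
        # shows up in the application log.
        raise PermissionError("403: group/permission changes require an administrator")
    for key, value in data.items():
        if key in SELF_EDITABLE:
            account[key] = value
        elif key in PROTECTED:
            # Admin path: still validate values instead of copying them blindly.
            if key == "privilege" and value not in (USER, ADMIN):
                raise ValueError("unknown privilege group")
            account[key] = value
        # Any other key (including "username") is ignored.
    return account


# Constructed request body in the shape the advisory describes.
ESCALATION_BODY = json.dumps(
    {"username": "alice", "privilege": "1", "permissions": ["view", "edit"]}
)


def compare(token, body):
    """Return (privilege after the insecure handler, outcome of the hardened one)."""
    insecure = update_account_insecure(token, body)["privilege"]
    try:
        hardened = update_account_hardened(token, body)["privilege"]
    except PermissionError as exc:
        hardened = str(exc)
    return insecure, hardened


if __name__ == "__main__":
    print(compare("tok-user", ESCALATION_BODY))
    print(compare("tok-admin", ESCALATION_BODY))
```

Running `compare("tok-user", ESCALATION_BODY)` shows the two behaviours side by side: the insecure handler returns privilege “1” for the regular user, while the hardened handler refuses the request with a 403. The important design choice is that the group is never read from the request at all for non-admin callers; an allow-list of profile fields is what keeps the fix from regressing when new fields are added later.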
Exploit PoC breakdown
The exploit was developed in Python and is publicly available on the internet; the line numbers below refer to the lines of that script.
Line 1 — sys.argv reads a command-line argument from the user, which is stored in the variable “ajpi”. This is the host name on which the affected appliance’s web application is served.
Line 3 & 4 — asks the user to enter a valid (usually compromised) regular user account with which to log in to the affected application.
Line 6 — a requests Session object is created; it is reused on line 25.
Line 7 — the HTTP POST body that will be sent to the affected URL to log in as the regular user.
Line 9 — the HTTP POST headers are set.
Line 24 — the login URL is set.
Line 25 — sends the HTTP POST body and headers to the login URL set on line 24.
Line 40 — sets the affected URL used for the privilege escalation.
Line 41 — sets a new HTTP POST body (this is where the payload is placed). As you may notice, it is similar to the first POST request, but it sets the “privilege” value to “1” (the administrator group) and adds a new “edit” permission to the account.
Line 44 — submits the new POST request to the affected URL set on line 40.
Successful exploitation results in the regular user being able not only to view but now also to edit the device configuration.
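From the defender’s side, the sequence above (a login followed by a POST whose JSON body asks for the administrator group and an “edit” right, from a session the server knows to be a regular user) is easy to flag if the application records the session’s server-side role alongside request bodies. The following added example (my own code, not FatPipe’s and not the published PoC) runs that check over a few constructed audit-log lines; the log format, the field names, and the path “/account/update” are placeholders, not the appliance’s real endpoint.

```python
"""Detecting client-supplied privilege changes in application audit logs.

Added example, not FatPipe's code or the published PoC. It assumes an
application audit log that records the authenticated session's server-side
role and the JSON body of POST requests; the log format, field names and the
path "/account/update" are constructed placeholders, not the real endpoint.
"""
import json
import re

ADMIN_GROUP = "1"   # "privilege" value the advisory describes as administrator

# Constructed log lines: a regular user logs in, then sends the escalation body;
# an admin legitimately changes another account; the user edits a profile field.
SAMPLE_LOG = """\
2021-09-28T10:15:00Z session=tok-user role=user POST /login body={"username":"alice","password":"***"}
2021-09-28T10:15:02Z session=tok-user role=user POST /account/update body={"username":"alice","privilege":"1","permissions":["view","edit"]}
2021-09-28T10:16:10Z session=tok-admin role=admin POST /account/update body={"username":"bob","privilege":"1","permissions":["view","edit"]}
2021-09-28T10:17:45Z session=tok-user role=user POST /account/update body={"username":"alice","description":"ops"}
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) session=(?P<session>\S+) role=(?P<role>\S+) "
    r"(?P<method>[A-Z]+) (?P<path>\S+) body=(?P<body>.*)$"
)


def parse_line(line):
    """Turn one audit line into a dict; the body is parsed as JSON.
    Returns None for lines that do not match the expected layout."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    try:
        rec["body"] = json.loads(rec["body"])
    except json.JSONDecodeError:
        rec["body"] = {}          # unparsable body: keep the record, flag nothing
    return rec


def requests_elevation(body):
    """True when the JSON body tries to set the admin group or an edit right."""
    if not isinstance(body, dict):
        return False
    if body.get("privilege") == ADMIN_GROUP:
        return True
    perms = body.get("permissions", [])
    return isinstance(perms, list) and "edit" in perms


def find_escalation_attempts(log_text):
    """Flag POST requests where a non-admin session asks for the admin group or
    edit permissions. A fixed server rejects these; logging them as well gives
    the SOC a signal that someone is probing the endpoint."""
    alerts = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["method"] != "POST":
            continue
        if rec["role"] != "admin" and requests_elevation(rec["body"]):
            alerts.append({
                "ts": rec["ts"],
                "session": rec["session"],
                "path": rec["path"],
                "requested_privilege": rec["body"].get("privilege"),
                "requested_permissions": rec["body"].get("permissions"),
            })
    return alerts


if __name__ == "__main__":
    for alert in find_escalation_attempts(SAMPLE_LOG):
        print(alert)
```

Only the second line is reported: the admin’s change is legitimate by role, and the user’s later profile edit touches no authorization field. The rule keys on the server-side role rather than on anything in the request, which is the same principle the fix relies on; the alert also carries the session token so the event can be tied back to the preceding login.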