SSD Advisory – Tripwire IP360 Local File Inclusion

Vulnerabilities Summary
The following advisory describes a Local File Inclusion (LFI) vulnerability found in Tripwire IP360 version 7.2.6. Tripwire IP360 is an enterprise-class vulnerability and risk assessment product that provides visibility into the enterprise network, including all networked devices and their associated operating systems and applications.
Credit
An independent security researcher, Mohammed Shameem, has reported this vulnerability to Beyond Security’s SecuriTeam Secure Disclosure program.
Vendor response
Tripwire has stated that version 7.2.6, which was vulnerable, has reached end of life. No other version of Tripwire is affected by this LFI vulnerability. Tripwire customers still using version 7.2.6 should upgrade to version 7.5 or newer, which is supported.

Vulnerabilities Details
Tripwire IP360 version 7.2.6 suffers from a Local File Inclusion vulnerability.
While browsing the “Help” section of the product, the following window pops up:

The highlighted section in the image is fetched with URL:

https://<ip>//index.ice?class=new_help&do=get_resource&url=ip360_administration_guide_v7_x_kwindex.htm

Parameter “url” is vulnerable to LFI.
Parameter “class” is a PHP page located at “/hive/ui/IP360/private/states”.
The vulnerable code can be found in the “url” parameter handling:

//loads in a resource as requested
function do_get_resource() {
	// 'url' comes straight from the request and is appended to the base path unchanged
	$url_param = fwRequest::get('url');
	$url = 'docs/admin/' . $url_param;
	$resource = file_get_contents($url, true);
	//image files need to have header info specifying MIME type
	if($this->ends_with($url, ".gif")) {
		header('content-type: image/gif');
		echo $resource;
	}
	else if($this->ends_with($url, ".png")) {
		header('content-type: image/png');
		echo $resource;
	}
	else if($this->ends_with($url, ".jpg")) {
		header('content-type: image/jpeg');
		echo $resource;
	}
	//don't touch the JQuery file -- causes problems if converted
	else if($this->ends_with($url, "jquery-1.4.2.min.js")) {
		print $resource;
	}
	else if($this->ends_with($url, "jquery.js")) {
		print $resource;
	}
	//slightly different logic for this file
	else if($this->ends_with($url, "nsh.js")) {
		$nsh_converted_resource = $this->convert_links_nsh($resource);
		print $nsh_converted_resource;
	}
	//convert all links
	else {
		if($url_param == 'helpman_navigation.js') {
			$helpman_navigation_resource = $this->convert_links($resource, true, false);
			$converted_resource = $this->add_helpman_nav_code($helpman_navigation_resource);

The vulnerable call is file_get_contents, which reads the entire file into a string; the result, “$resource”, is then echoed back without proper handling.
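A hardened form of the resource lookup, as an added example (not Tripwire's code and not part of the original advisory): it canonicalises the requested path with realpath() and serves it only if the result stays under the documentation root. The names HELP_ROOT and resolve_help_resource(), and the sample files, are assumptions made for illustration.

```php
<?php
// Added example: containment check for a help-resource handler.
// HELP_ROOT and resolve_help_resource() are hypothetical names.
const HELP_ROOT = __DIR__ . '/docs/admin';

/**
 * Returns the canonical path of a help resource, or null if the request
 * is malformed, does not exist, or resolves outside the root directory.
 */
function resolve_help_resource(string $urlParam, string $root = HELP_ROOT): ?string
{
    // Reject empty values, NUL bytes and absolute paths up front.
    if ($urlParam === '' || strpos($urlParam, "\0") !== false || $urlParam[0] === '/') {
        return null;
    }

    $base = realpath($root);
    // realpath() collapses "../" and follows symlinks; false means no such file.
    $path = realpath($root . DIRECTORY_SEPARATOR . $urlParam);
    if ($base === false || $path === false || !is_file($path)) {
        return null;
    }

    // The trailing separator stops "docs/admin_other" from matching "docs/admin".
    if (strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    // Callers read this absolute path directly, without include_path lookup
    // (the original passes true as the second argument of file_get_contents).
    return $path;
}

// Constructed demo: a throwaway doc root with one help page and one outside file.
$tmp = sys_get_temp_dir() . '/help_demo_' . getmypid();
mkdir($tmp . '/docs/admin', 0700, true);
file_put_contents($tmp . '/docs/admin/index.htm', '<html>help</html>');
file_put_contents($tmp . '/secret.txt', 'not a help page');

// Constructed request values: one legitimate, three that leave the root.
$requests = ['index.htm', '../../secret.txt', '../../../../../../etc/passwd', '/etc/passwd'];
foreach ($requests as $r) {
    $resolved = resolve_help_resource($r, $tmp . '/docs/admin');
    printf("%-32s => %s\n", $r, $resolved === null ? 'rejected' : 'served');
}
```

Only index.htm is served; the other three requests are rejected because they are absolute or canonicalise to a path outside the documentation root.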
Proof of Concept

  1. Set up a proxy and log in to the web interface of the Tripwire IP360 scanner
  2. Click on the Help link in the top right corner
  3. Intercept the request with the parameter given above
  4. Manipulate the “url” parameter value to “../../../../../../../../../../../etc/passwd” and observe the server response.

An attacker might carry out one or more of the following attacks:

  • Gather usernames via an “/etc/passwd” file
  • Get useful information from the log files, such as “/apache/logs/error.log” or “/apache/logs/access.log”
  • Gather database usernames and passwords
  • Look at the web source code and possibly find more vulnerabilities.