SSD Advisory – Panopta OnSight Remote Root

SecuriTeam Secure Disclosure
SecuriTeam Secure Disclosure (SSD) provides the support you need to turn your experience uncovering security vulnerabilities into a highly paid career. SSD was designed by researchers for researchers and will give you the fast response and great support you need to make top dollar for your discoveries.
Introduction
Panopta OnSight Enterprise is a monitoring platform made up of adaptable building blocks which can be assembled for a custom fit solution. Use a mixture of deployment on-site and on our public cloud to build the most powerful managed hybrid solution available in the industry.
That combined with Panopta world class support means a fully managed monitoring experience so that you can focus on running your business. Get the ultimate combination of flexibility and control with tight integration into existing systems and other best of breed tools already in place. All without having to compromise any of your network security. Panopta OnSight Enterprise doesn’t force you to change the way you operate. It just fits like a glove.
Vulnerability Details
Panopta OnSight is a virtual appliance that exposes two primary network services, nginx and sshd. There are two undocumented user accounts on the system, and the password of one of them was recovered by examining the file system. This user is in the sudo group, so after logging in to the system an attacker can elevate privileges and execute arbitrary shell commands as root.

Analysis
When the appliance boots, it generates a random admin password (the Panopta OnSight key) for the web console, as shown below:
[Screenshot: Panopta OnSight configuration console]
By rebooting the system and entering recovery mode, we gained root access to the appliance using physical (console) access. Looking through the file system, we noticed that several sensitive files had been left on the appliance image when it shipped. Among these, the most useful proved to be the .bash_history file in the /home/panopta.admin directory:
[Screenshot: .bash_history, password censored]
As the history shows, the vendor erroneously pasted what looks like a password as a shell command, right in the middle of an attempted su session. Testing proved that this is in fact the password for the panopta.admin system account, which can log in remotely via SSH and has sudo privileges.
$ ssh panopta.admin@pan-onsight
panopta.admin@pan-onsight's password: [rX2XvXnXbXxX]
Panopta OnSight Monitoring Appliance
==================================================
Web Console: https://pan-onsight/
Agent Proxy: https://pan-onsight:8443
[…]
panopta.admin@onsight:~$ sudo bash
[sudo] password for panopta.admin:
root@onsight:~# id
uid=0(root) gid=0(root) groups=0(root)
root@onsight:~#

Suggested Fixes / Workaround
SSH access is not documented for this appliance and should either be documented or disabled. Sensitive files such as shell history should be removed from the file system before the product ships.
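A pre-ship image audit that catches the two conditions this advisory describes, leftover shell history under a home directory and an account that is a member of the sudo group, written here as an added example rather than code from SSD or the vendor. The staged root directory, the group file and the history contents it builds are constructed for the demo.

```shell
#!/bin/sh
# Pre-ship appliance image audit (added example, not Panopta's or SSD's code).
# Point it at a staged or mounted root filesystem ($1) before the image is published.

# List leftover history and credential files under the image's home directories.
# Prints one path per line, relative to the image root.
find_leftover_files() {
    root="$1"
    find "$root/home" "$root/root" -maxdepth 2 -type f \
        \( -name '.bash_history' -o -name '.zsh_history' -o -name '.sh_history' \
           -o -name '.mysql_history' -o -name '.netrc' -o -name '.pgpass' \) \
        2>/dev/null | sed "s|^$root||"
}

# Print the members of the sudo and wheel groups from the image's /etc/group.
sudo_members() {
    root="$1"
    awk -F: '$1=="sudo" || $1=="wheel" { n=split($4,m,","); for (i=1;i<=n;i++) if (m[i]!="") print m[i] }' \
        "$root/etc/group" 2>/dev/null | sort -u
}

# Cross-check: a sudo-capable account whose shell history shipped with the image
# is the highest-risk finding (the exact combination reported in the advisory).
high_risk_accounts() {
    root="$1"
    for u in $(sudo_members "$root"); do
        [ -f "$root/home/$u/.bash_history" ] && echo "$u"
    done
}

# Constructed demo image (NOT a real appliance): a staged rootfs in a temp dir.
demo_root=$(mktemp -d)
mkdir -p "$demo_root/etc" "$demo_root/home/panopta.admin" "$demo_root/home/svc" "$demo_root/root"
printf 'sudo:x:27:panopta.admin\nwheel:x:10:\nusers:x:100:svc\n' > "$demo_root/etc/group"
# A history where a secret was pasted as a command during an su attempt (placeholder value).
printf 'su -\nNOT-A-REAL-PASSWORD\nexit\n' > "$demo_root/home/panopta.admin/.bash_history"
printf 'ls\n' > "$demo_root/home/svc/.bash_history"

echo "Leftover files:";                         find_leftover_files "$demo_root"
echo "Sudo-capable accounts:";                  sudo_members "$demo_root"
echo "High-risk (sudo + leftover history):";    high_risk_accounts "$demo_root"
# Remove "$demo_root" when finished with the demo.
```

Against the constructed image the audit lists both history files but flags only panopta.admin, since svc is not in the sudo group.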
Vendor response

You can view the page referencing the security flaw using the link below. Look for the April 15th release under the Appliance section.
http://answers.panopta.com/new-features-and-improvements-2/

Updates
2015-07-26 – The vendor has requested that we censor the password shown in the advisory to prevent exploitation of (still) vulnerable servers. We have partially censored the password to prevent easy exploitation; we think, though, that completely removing it would not serve the public and would instead make it appear as if “the vulnerability does not exist”.
