Actively Exploited in the Wild

This vulnerability is being actively exploited in the wild.

Gladinet CentreStack and Triofox Insecure Cryptography Vulnerability Allowing Arbitrary File Inclusion

Vulnerability

A vulnerability exists in Gladinet CentreStack and Triofox versions prior to 16.12.10420.56791: the AES cryptographic implementation relies on hardcoded keys. This weakens the protection of publicly exposed endpoints that use this cryptography and can allow arbitrary local file inclusion through specially crafted requests that do not require authentication. The vulnerability can be chained with previously disclosed issues to achieve full system compromise.

Impact

Exploitation of this vulnerability could lead to unauthorized access to sensitive files such as web.config, which holds critical configuration data including the ASP.NET machine keys. With those keys, an attacker can mount a deserialization attack and execute arbitrary code on the server.

Reproduction

The vulnerability can be reproduced by sending a GET request to the 'filesvr.dn' endpoint with an encrypted 'Access Ticket' parameter. The 'Access Ticket' must be crafted with the hardcoded encryption key and initialization vector, which can be extracted from the application's memory. Once decrypted, the ticket reveals, among other information, the file path of web.config. With the machine keys obtained from web.config, an attacker can perform a ViewState deserialization attack, a well-known technique for executing arbitrary code on the server.
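For defenders, an added detection example (not code from Gladinet or from this advisory): it scans IIS W3C logs for GET requests to filesvr.dn that carry a query string and ranks the sources by volume. The advisory does not name the query parameter, so the 't' parameter in the constructed sample log is an assumption and any non-empty query string on that endpoint is flagged.

```python
"""Flag IIS W3C log rows that hit the CentreStack/Triofox 'filesvr.dn' endpoint.

Added defender-side example; not Gladinet's code. Assumptions: the access
ticket travels in the query string (parameter name unknown, so every
non-empty query on filesvr.dn is flagged), and the log uses the fields in
the constructed sample below. Legitimate downloads also use this endpoint,
so treat hits as a triage list ranked by per-source volume, not a blocklist.
"""
from urllib.parse import parse_qs

# Constructed sample IIS log (W3C extended format); not a real capture.
SAMPLE_LOG = """#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2025-12-12 21:31:00 203.0.113.7 GET /storage/filesvr.dn t=QUFBQUFB 200
2025-12-12 21:31:02 198.51.100.9 GET /portal/index.aspx - 200
2025-12-12 21:31:05 203.0.113.7 GET /storage/filesvr.dn t=QkJCQkJC 200
2025-12-12 21:32:00 192.0.2.4 POST /storage/filesvr.dn - 405
"""

def parse_w3c(text):
    """Yield one dict per data row, keyed by the names in the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        parts = line.split()
        if len(parts) == len(fields):
            yield dict(zip(fields, parts))

def flag_filesvr_requests(text):
    """Return (row, reason) for GET requests to filesvr.dn with a query string."""
    hits = []
    for row in parse_w3c(text):
        if row["cs-method"] != "GET":
            continue
        if not row["cs-uri-stem"].lower().endswith("/filesvr.dn"):
            continue
        if row["cs-uri-query"] in ("", "-"):  # IIS writes '-' for no query
            continue
        params = parse_qs(row["cs-uri-query"])
        hits.append((row, f"ticket-style query with params {sorted(params)}"))
    return hits

def sources_by_volume(hits):
    """Count flagged rows per client IP; repeated probes from one source stand out."""
    counts = {}
    for row, _ in hits:
        counts[row["c-ip"]] = counts.get(row["c-ip"], 0) + 1
    return dict(sorted(counts.items(), key=lambda kv: -kv[1]))
```

Run it over a real log export and correlate the top sources with successful (200) responses and with the absence of any prior authenticated session from the same client.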

Remediation

Users are advised to update to Gladinet CentreStack or Triofox version 16.12.10420.56791. After updating, rotate the machineKey in the application's web.config file: an attacker who has already read web.config holds the existing keys, and only rotation invalidates them.

Added: Dec 12, 2025, 9:31 PM
Updated: Dec 15, 2025, 7:05 PM

Vulnerability Rating

Custom Algorithm
spread: 0.8
impact: 7.5
exploitability: 9.8
remediation: 7.7
relevance: 1.3
threat: 9.6
urgency: 2.9
incentive: 10.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.