FaxCore AUID Exploit

by Element.Crying  (Element.Crying@Gmail.com)

I recently was put in charge of the installation and implementation of my company's new web-based FaxCore faxing system.

Like any good IT manager, I spent the first week trying to find any bugs or exploits which might cause a halt in the company's productivity.  The system was pretty solid when it came to bugs, of which I only found a few.  I did discover a sizable security hole through which anyone with a little bit of knowledge can view any user's domain password.

I have reviewed the source code, so I know that the initial login screen for the FaxCore system is pretty solid; the exploit only works once you have logged in to the system.

When configuring our system, we chose to import all of our users using Active Directory.  You would need the login name and password of someone in the domain to get into FaxCore - or so I thought.

I read through the administration guide, which is available online, and I discovered that the default account created on a new FaxCore system is simply admin with the password of password.

The admin account is the only one referenced within the documentation; however, there are a few other system accounts visible in screenshots shown in the manual.  Knowing that a good system administrator would change the password to the admin account as soon as FaxCore was installed, I looked for other means of logging in.

So I tried one of the other accounts listed in the screenshots.

SYS-UNROUTED is a system account created for internal operations.  No surprise: it also shipped with a password of password, but because the account does not have administrator access, it was overlooked and thought of as a "non-threat."

I now was logged in to the system as SYS-UNROUTED.  This account holds all of the unsorted faxes that have been received.

This is a potential threat but not the "big fish" that I was looking for.

Once I logged in to the system, I started looking through the source code of the default page.

There was very little code to see; the page just contained an <iframe> which pointed to: menus/mainMenu/default.aspx?xAUID=2002&

The part I was interested in was the xAUID part.  I started manipulating the number in the xAUID parameter, and much to my surprise, I was accessing different system accounts.

There are seven system accounts, numbered from 2001 to 2007.  One of these is the admin account.

By simply pointing my web browser at http://faxcore.domain.local/?xAUID=2001&, I found myself logged in as the administrator of the FaxCore system.

Again, this is a pretty big security hole, but I wanted to know how much damage this system could really do; after all, it is just a faxing system.

FaxCore ships with a feature that allows the administrator to "impersonate" another user, giving access to that user's fax mailbox.  The impersonate function actually works on the same technique as the above-mentioned exploit; it opens up a new window and changes the xAUID.

From the administration page, you are able to go through the user list, impersonate each user, and view all of their faxes.

Here is where I started to do some research.

I knew that the FaxCore system used tokens to automatically fill in information on notifications and cover pages.  One of the tokens is: $$USER.PASSWORD$$

Now, as I said earlier, we used the Active Directory option to import our user list instead of using the internal FaxCore user database.  I also knew that the password token was used to email users their forgotten passwords.  I wanted to see if the FaxCore system stored the passwords of Active Directory users, so I designed a cover page within the FaxCore cover page editor with the password token on it, and then I sent a fax to myself.

When I received the fax, my password was there in plain text.  It had been stored in the FaxCore database when I logged into the system.  My goal became the ability to get the password of all the users without having to send a fax from each one of them.

I discovered, while going through the faxes I had sent, that there was a page named "Test Tokens."

Upon clicking on that link, I was greeted with a page that showed what each token would display if used.  This page also included my password - right there, in plain text.

I had found it.

All I needed was the direct link http://faxcore.domain.local/apps/messageViewer/deliveryTestTokens.aspx?xUserID= and the user list available after logging into the administrator account, and I was set.

Each user has a unique ID, and when the ID is entered at the end of the URL, the page will return all of the tokens available, including their domain login name and password.

This system has many vulnerabilities, but this was our greatest concern.  Everyone in the company, including our president, uses the FaxCore software and would have been in danger of having their information openly made available.  We have corrected the issues on our server; however, a patch has not been issued to correct these problems.  So, other FaxCore customers are wide open and still vulnerable to this exploit.

As I reviewed the FaxCore source code, the biggest problem I found is that the only verification of which user you are is upon login.

Once you're logged in, your credentials are never again checked.  This leaves the system wide open.  As this problem is paired with an impersonation function which simply uses a numbered account to give you full access, I am surprised this vulnerability isn't common knowledge yet.

So this is my contribution to the 2600 community.

Shoutout to Element!
