Torrid Networks was recently engaged by a company based in Gurgaon (Delhi NCR, India) to conduct a comprehensive penetration test of its content filtering infrastructure. The customer uses the Websense content filtering product to stop non-business and malicious internet traffic from being accessed at end-user workstations. The objective of the assignment was to obtain assurance on the security posture of the company's content filtering infrastructure.
Our penetration testing team requested LAN access from the customer so that the content filtering infrastructure could be checked from inside the LAN. On visiting one unauthorized website, our team could easily trace the IP address of the running Websense instance. Websense was installed on a Windows 2003 server, with SQL Server installed on the same machine to store the web access logs. During the penetration test we found a critical remote code execution vulnerability in the Windows server, which led to a server compromise and returned a Meterpreter shell. We used the latest BackTrack distribution with the Metasploit Framework to exploit the vulnerability.
After getting the Meterpreter shell, we were able to perform various tasks such as creating and deleting directories and users, taking a hash dump, etc. We created a local user with administrator privileges to obtain a Remote Desktop session, so that copying data to or from the Websense server became easy. Our penetration testing goal was to compromise the Websense content filtering system, gain access to the content filtering policies and modify them, but the server compromise did not get us into the Websense management console, since the authentication credentials for the management console were being picked up from a centralized authentication repository, i.e. Active Directory.
Logging in to the management console appeared to be a challenging task at first sight. From the RDP session we identified the installation path of Websense and also located the Websense configuration file, which gave us the URL of the management console. Our team tried brute forcing the management console, which did not work for us. The default username of the Websense administrator account is "websenseadministrator". The only option left to us was to reset the "websenseadministrator" password.
To reset the password, we needed a registered account at www.websense.com together with a valid subscription key for the product. It was easy to grab the subscription key from the Websense configuration file. However, we did not have a registered account at www.websense.com.
We did not have an email account on the same domain as our customer's, so we assumed that a new account would not be accepted by the Websense team. Even so, we proceeded with registering an account at www.websense.com using our own domain name, i.e. @torridnetworks.com, along with other legitimate information. After registration we received the email below from Websense with our login details. We logged into the Websense portal but could not generate the password reset key for the "websenseadministrator" account, since we were not yet authorized by Websense to do so.
After a few hours, to our surprise, we received a confirmation email from Websense with instructions to reset the password.
We logged into the websense.com portal with the newly created username and password to gain access to the customer's product. We could also escalate our privileges to super admin, as displayed in the image below. This was possible because we were the first user to claim the "Super Admin" role:
We followed the password reset instruction page, which required us to copy the generated key, place it in the resetPassword.txt file in the bin folder of the Websense installation, and then reset the WebSenseAdministrator password using WsPwdReset.exe.
Our penetration testing results confirmed that compromising Websense content filtering required only operating system access. Websense has established an additional security control by allowing the administrator's password to be reset from its portal, but it does not add any value. The problem lies in the Websense security process: the Websense team does not vet the created account and approves anyone who has a valid subscription key. The subscription key is not particularly private information, since during procurement of the product it travels from the OEM through the distributor and reseller to the end customer.
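As an added defensive illustration (this is not code from Torrid Networks or from Websense), the following Python detector correlates, over constructed Windows Security event lines, the host-level steps this write-up depended on: a freshly created local account joining Administrators and then logging in over RDP (as in the engagement), the reset key being written to resetPassword.txt in the Websense bin folder, and WsPwdReset.exe being executed. The install path, the 60-minute correlation window, the simplified JSON event shape and the rule names are assumptions; the event IDs are the modern Windows ones (4720, 4732, 4624, 4663, 4688), not the Windows 2003 IDs this particular server would have logged.

```python
"""Detect the host-side steps of a Websense administrator password reset.

Constructed example for defenders; not vendor code. Events are modelled as
one JSON object per line with a simplified field set. A real deployment
would read them from the Security event log or a SIEM.
"""
import json
from datetime import datetime

# Assumed install path; in practice take it from the Websense configuration.
WEBSENSE_BIN = r"C:\Program Files\Websense\bin".lower()
WINDOW_MIN = 60  # assumed window between account creation and admin membership

# Constructed sample log. Modern event IDs are used here; Windows 2003 logged
# the equivalent events under different numbers.
SAMPLE_LOG = r"""
{"ts": "2023-01-01T10:00:00", "id": 4624, "user": "svc_websense", "logon_type": 5}
{"ts": "2023-01-01T10:05:10", "id": 4720, "user": "svc_websense", "target": "pt_admin"}
{"ts": "2023-01-01T10:05:12", "id": 4732, "group": "Administrators", "member": "pt_admin"}
{"ts": "2023-01-01T10:20:30", "id": 4624, "user": "pt_admin", "logon_type": 10}
{"ts": "2023-01-01T10:40:00", "id": 4663, "user": "pt_admin", "object": "C:\\Program Files\\Websense\\bin\\resetPassword.txt", "access": "write"}
{"ts": "2023-01-01T10:41:05", "id": 4688, "user": "pt_admin", "process": "C:\\Program Files\\Websense\\bin\\WsPwdReset.exe"}
"""


def parse(log):
    """Parse JSON-per-line events, converting the timestamp to datetime."""
    events = []
    for line in log.strip().splitlines():
        line = line.strip()
        if not line:
            continue
        event = json.loads(line)
        event["ts"] = datetime.fromisoformat(event["ts"])
        events.append(event)
    return events


def _in_websense_bin(path):
    return path.lower().startswith(WEBSENSE_BIN)


def detect(events):
    """Return a list of findings; each is a dict with rule, user, ts, severity."""
    findings = []
    created = {}     # account name -> time a 4720 created it
    new_admins = set()  # accounts that became local admin shortly after creation

    for e in events:
        eid = e["id"]
        user = e.get("user", "").lower()

        if eid == 4720:  # local account created
            created[e["target"].lower()] = e["ts"]

        elif eid == 4732 and e.get("group", "").lower() == "administrators":
            member = e["member"].lower()
            t0 = created.get(member)
            if t0 is not None and (e["ts"] - t0).total_seconds() <= WINDOW_MIN * 60:
                new_admins.add(member)
                findings.append({"rule": "new_local_admin", "user": member,
                                 "ts": e["ts"], "severity": "medium"})

        elif eid == 4624 and e.get("logon_type") == 10 and user in new_admins:
            # RDP logon (type 10) by an account that was just made admin
            findings.append({"rule": "rdp_logon_by_new_admin", "user": user,
                             "ts": e["ts"], "severity": "medium"})

        elif (eid == 4663 and e.get("access") == "write"
              and _in_websense_bin(e.get("object", ""))
              and e["object"].lower().endswith("resetpassword.txt")):
            # The reset key is staged in resetPassword.txt under the bin folder
            findings.append({"rule": "reset_key_staged", "user": user,
                             "ts": e["ts"], "severity": "high"})

        elif (eid == 4688 and _in_websense_bin(e.get("process", ""))
              and e["process"].lower().endswith("wspwdreset.exe")):
            # WsPwdReset.exe run: the administrator password is being reset
            severity = "critical" if user in new_admins else "high"
            findings.append({"rule": "admin_password_reset", "user": user,
                             "ts": e["ts"], "severity": severity})

    return findings


if __name__ == "__main__":
    for f in detect(parse(SAMPLE_LOG)):
        print(f["ts"].isoformat(), f["severity"].upper(), f["rule"], f["user"])
```

Each of the last two rules is worth alerting on by itself: resetPassword.txt being written and WsPwdReset.exe starting are rare, legitimate administrative actions, so a change-ticket check against every hit is cheap. The correlation with a just-created local administrator only raises the severity; it does not gate the alert.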