Bxss exploitation of MeshCentral servers

[SomeGuru]

Hi community, has anyone else noticed accounts showing up as random series of numbers like 90004637 and or {script%!()aH9*} if so, when did you start seeing these accounts and what are your cross site config settings looking like? I noticed this three weeks ago now and have wondered if this is seen by others.

-SomeGuru

[silversword411]

Have you eliminated the possibility it's AV grabbing up your installer for testing in their sandboxes?

https://docs.tacticalrmm.com/faq/#help-ive-been-hacked-and-there-are-weird-agents-appearing-in-my-tactical-rmm

[SomeGuru]

100%, I opened up one of my servers to be seen by new bxss user granted and the user was fast and attempting to hit key points to see my internal machine domain systems and see what all they could access up to attempting to install malware/keylogger to the system. So I know this is a bxss exploited attack. Based on the domains emails being bxss.me for email addresses signed up through Azure AD.

Along with user names being {script:$&7bD@!24nM}. Alot were same email and only numbers like 90005826

-SomeGuru

[bbrendon]

You mean user accounts in the meshcentral GUI?

[silversword411]

@SomeGuru You mind looking me up on the Tactical RMM discord, would like to have a chat with you for more info. Thx!

[dinger1986]

can you please clarify what you mean with cross site config settings looking like? Are you running more than 1 meshcentral server? This needs more investigation and facts to see what and if there is an issue which affects a large number of users or just users specifically using meshcentral.

[Ylianst]

Hi. Looking at this discussion, there is not sufficient information to do anything. If you have an server that allows account creation and people create accounts with odd names, that is not in itself an issue. On MeshCentral.com, people create accounts with odd names or numbers all the time. As long as the account name is handled correctly throughout the MeshCentral web site, that is ok. For example if I create a abc<b>def</b> account, the bold tags should not show on the site.

Also, what is "BXSS"?? If it's "Blind XSS" - Please provide evidence.

Unless SomeGuru has actionable information, having an open server and people creating off account names is not an issue. If there is a vulnerability, please create an issue and put as much detail as possible or mail me directly if the information could lead to others using it to exploit MeshCentral servers. - Thanks.

[SomeGuru]

Ylianst,

Email will be sent, as this is a Azure SSO access on several servers. I will include the actual configuration parameters in the Config.JSON file as this has happened with move from standard SAML to AzureAD. Which has caused very interesting entries into the user access list. Users are not allowed to register through MeshCentral server page, but at AzureAD I am not sure if there is something there that my next level WAN IT team are not telling me.

-SomeGuru

[SomeGuru]

My hunch is based on the fact that these are in the users group, and also oddly enough the server doesn't delete these accounts at all... It says the proper number of accounts to delete, but then they are just left there undeleted. The 6 servers I am running are all on MongoDB backend for this.

[silversword411]

Hold on. You have SSO enabled, so you're syncing azure AD with your mesh?

Why wouldn't this be azure usernames syncing down to your mesh. Is Intel's azure getting injected IDs from somewhere else?

https://practical365.com/mercury-attack-april-2023/

That you can't delete them would make sense if the mesh SSO interface is a SSO read only sync. It wouldn't let you reach into azure and delete/modify other azure objects.

[Ylianst]

Do let you SSO administrator know right away that this is happening. When configured for SSO, MeshCentral delegated the user login trust to the SSO server. Obviously, if the SSO server is allowing bad things to happen, MeshCentral can't help much. SSO should have logs showing exactly what is going on.