From 6b43d94c727e7bfc93cb679c3a39d1381b6b525c Mon Sep 17 00:00:00 2001
From: HD Moore
Date: Wed, 6 Nov 2013 13:45:40 -0600
Subject: [PATCH] Rename, change titles/descriptions, fix minor bugs

---
 ...ro_ipmi_bof.rb => smt_ipmi_cgi_scanner.rb} | 21 ++++++++++---------
 ...ert.rb => smt_ipmi_static_cert_scanner.rb} | 19 ++++++++---------
 .../http/smt_ipmi_url_redirect_traversal.rb} | 17 ++++++++-------
 3 files changed, 29 insertions(+), 28 deletions(-)
 rename modules/auxiliary/scanner/http/{supermicro_ipmi_bof.rb => smt_ipmi_cgi_scanner.rb} (84%)
 rename modules/auxiliary/scanner/http/{supermicro_ipmi_cert.rb => smt_ipmi_static_cert_scanner.rb} (76%)
 rename modules/auxiliary/{admin/supermicro_ipmi_traversal.rb => scanner/http/smt_ipmi_url_redirect_traversal.rb} (80%)

diff --git a/modules/auxiliary/scanner/http/supermicro_ipmi_bof.rb b/modules/auxiliary/scanner/http/smt_ipmi_cgi_scanner.rb
similarity index 84%
rename from modules/auxiliary/scanner/http/supermicro_ipmi_bof.rb
rename to modules/auxiliary/scanner/http/smt_ipmi_cgi_scanner.rb
index f42d5d7102..2f1e7e8a8a 100644
--- a/modules/auxiliary/scanner/http/supermicro_ipmi_bof.rb
+++ b/modules/auxiliary/scanner/http/smt_ipmi_cgi_scanner.rb
@@ -14,15 +14,16 @@ class Metasploit3 < Msf::Auxiliary
 
 def initialize(info = {})
 super(update_info(info,
- 'Name' => 'Supermicro Onboard IPMI Buffer Overflow Scanner',
+ 'Name' => 'Supermicro Onboard IPMI CGI Vulnerability Scanner',
 'Description' => %q{
- This module checks a Supermicro Onboard IPMI web interface against
- several unauthenticated buffer overflows. The vulnerabilities exist
- on the login.cgi and close_window.cgi components.
+ This module checks for known vulnerabilities in the CGI applications of
+ Supermicro Onboard IPMI controllers. These issues currently include
+ several unauthenticated buffer overflows in the login.cgi and close_window.cgi
+ components.
 },
 'Author' =>
 [
- 'hdm', #Discovery and Metasploit module
+ 'hdm', # Discovery and analysis
 'juan vazquez' # Metaspliot module
 ],
 'License' => MSF_LICENSE,
@@ -118,11 +119,11 @@ class Metasploit3 < Msf::Auxiliary
 
 
 def run_host(ip)
- vprint_status("#{peer} - Checking if it's a Supermicro web interface...")
+ vprint_status("#{peer} - Checking if it's a Supermicro IPMI web interface...")
 if is_supermicro?
- vprint_good("#{peer} - Supermicro web interface found")
+ vprint_good("#{peer} - Supermicro IPMI web interface found")
 else
- vprint_error("#{peer} - Supermicro web interface not found")
+ vprint_error("#{peer} - Supermicro IPMI web interface not found")
 return
 end
 
@@ -139,10 +140,10 @@ class Metasploit3 < Msf::Auxiliary
 })
 end
 
- vprint_status("#{peer} - Checking CVE-2013-3623 (close_window.gi buffer overflow) ...")
+ vprint_status("#{peer} - Checking CVE-2013-3623 (close_window.gi Buffer Overflow) ...")
 result = check_close_window
 if result
- print_good("#{peer} - Vulnerable to CVE-2013-3623 (close_window.cgi buffer overflow)")
+ print_good("#{peer} - Vulnerable to CVE-2013-3623 (close_window.cgi Buffer Overflow)")
 report_vuln({
 :host => rhost,
 :port => rport,
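Review bot: The author comment on the context line directly below the reworded `'hdm'` entry still reads `# Metaspliot module`; since this hunk already rewrites the sibling comment, correcting it to `# Metasploit module` in the same pass would keep the two entries consistent. The `initialize` body continues past the end of the hunk.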
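Review bot: In the third hunk of this file the reworded vprint_status still names the component `close_window.gi`, while the print_good two lines below says `close_window.cgi`; the capitalization was changed but the dropped `c` was not. Suggest `vprint_status("#{peer} - Checking CVE-2013-3623 (close_window.cgi Buffer Overflow) ...")` so both messages refer to the same CGI. `run_host` starts before and ends after this hunk.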
diff --git a/modules/auxiliary/scanner/http/supermicro_ipmi_cert.rb b/modules/auxiliary/scanner/http/smt_ipmi_static_cert_scanner.rb
similarity index 76%
rename from modules/auxiliary/scanner/http/supermicro_ipmi_cert.rb
rename to modules/auxiliary/scanner/http/smt_ipmi_static_cert_scanner.rb
index 9f83f33b47..1b338506cb 100644
--- a/modules/auxiliary/scanner/http/supermicro_ipmi_cert.rb
+++ b/modules/auxiliary/scanner/http/smt_ipmi_static_cert_scanner.rb
@@ -32,18 +32,17 @@ class Metasploit3 < Msf::Auxiliary
 
 def initialize
 super(
- 'Name' => 'Supermicro Onboard IPMI Static Encryption Key Scanner',
+ 'Name' => 'Supermicro Onboard IPMI Static SSL Certificate Scanner',
 'Description' => %q{
- This module checks the certificate of the specified web servers. The Supermicro Onboard
- IPMI firmware ships with harcoded private encryption keys for both the Lighttpd web server
- SSL interface and the Dropbear SSH daemon. An attacker with access to the publicly available
- Supermicro firmware can perform man-in-the-middle and offline decryption of communication to
- the firmware. This module has been on Supermicro Onboard IPMI (X9SCL/X9SCM) with firmware
- SMT_X9_214.
+ This module checks for a static SSL certificate shipped with Supermicro Onboard IPMI
+ controllers. An attacker with access to the publicly-available firmware can perform
+ man-in-the-middle attacks and offline decryption of communication to the controller.
+ This module has been on a Supermicro Onboard IPMI (X9SCL/X9SCM) with firmware
+ version SMT_X9_214.
 },
 'Author' =>
 [
- 'hdm', # Discovery and Metasploit module
+ 'hdm', # Discovery and analysis
 'juan' # Metasploit module
 ],
 'License' => MSF_LICENSE,
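Review bot: The new description carries over the missing verb from the old text: `This module has been on a Supermicro Onboard IPMI (X9SCL/X9SCM) with firmware` reads as if `tested` was dropped, and the commit rewrites exactly that sentence without restoring it. Suggest `This module has been tested on a Supermicro Onboard IPMI (X9SCL/X9SCM) with firmware`, which matches the wording the url_redirect_traversal description in this same patch uses. `initialize` continues past the end of the hunk.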
@@ -76,7 +75,7 @@ class Metasploit3 < Msf::Auxiliary
 
 result = cert.verify(pkey)
 if result
- print_good("#{ip}:#{rport} - Found service using Supermicro IPMI static private key to encrypt communications")
+ print_good("#{ip}:#{rport} - Vulnerable to CVE-2013-3619 (Static SSL Certificate)")
 # Report with the the SSL Private Key hash for the host
 digest = OpenSSL::Digest::SHA1.new(pkey.public_key.to_der).to_s.scan(/../).join(":")
 report_note(
@@ -91,7 +90,7 @@ class Metasploit3 < Msf::Auxiliary
 :host => rhost,
 :port => rport,
 :proto => 'tcp',
- :name => "Supermicro Onboard IPMI Static Encryption Keys",
+ :name => "Supermicro Onboard IPMI Static SSL Certificate",
 :refs => self.references
 })
 end
diff --git a/modules/auxiliary/admin/supermicro_ipmi_traversal.rb b/modules/auxiliary/scanner/http/smt_ipmi_url_redirect_traversal.rb
similarity index 80%
rename from modules/auxiliary/admin/supermicro_ipmi_traversal.rb
rename to modules/auxiliary/scanner/http/smt_ipmi_url_redirect_traversal.rb
index 45fbab6803..12378ab526 100644
--- a/modules/auxiliary/admin/supermicro_ipmi_traversal.rb
+++ b/modules/auxiliary/scanner/http/smt_ipmi_url_redirect_traversal.rb
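Review bot: The comment on the context line immediately after the new print_good still reads `# Report with the the SSL Private Key hash for the host` (doubled `the`), and it says "Private Key hash" while the line below it hashes `pkey.public_key.to_der`. If the fingerprint of the public half is what is intended, `# Report the SHA1 fingerprint of the static key's public half for the host` would describe what the code actually computes. The enclosing method starts before and ends after this hunk.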
@@ -15,14 +15,15 @@ class Metasploit3 < Msf::Auxiliary
 
 def initialize(info = {})
 super(update_info(info,
- 'Name' => 'Supermicro Onboard IPMI Directory Taversal',
+ 'Name' => 'Supermicro Onboard IPMI url_redirect.cgi Authenticated Directory Traversal',
 'Description' => %q{
- This module abuses a directory traversal on the web interface for Supermicro Onboard IPMI. The
- vulnerability exists in the url_redirect.cgi CGI application, due to a lack of sanitization
- of the url_name parameter. This may allow an attacker with a valid, but not necessarily
- administrator-level account, to access the contents of any file on the system. This includes
- the /nv/PSBlock file, which contains the cleartext credentials for all configured accounts.
- This module has been tested on Supermicro Onboard IPMI (X9SCL/X9SCM) with firmware SMT_X9_214.
+ This module abuses a directory traversal vulnerability in the url_redirect.cgi application
+ accessible through the web interface of Supermicro Onboard IPMI controllers. The vulnerability
+ is present due to a lack of sanitization of the url_name parameter. This allows an attacker with
+ a valid, but not necessarily administrator-level account, to access the contents of any file
+ on the system. This includes the /nv/PSBlock file, which contains the cleartext credentials for
+ all configured accounts. This module has been tested on a Supermicro Onboard IPMI (X9SCL/X9SCM)
+ with firmware version SMT_X9_214.
 },
 'Author' =>
 [
@@ -57,7 +58,7 @@ class Metasploit3 < Msf::Auxiliary
 "method" => "GET"
 })
 
- if res and res.code == 200 and res.body =~ /ATEN International Co Ltd\./
+ if res and res.code == 200 and res.body.to_s =~ /ATEN International Co Ltd\./
 return true
 else
 return false
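Review bot: In the second hunk of this file the corrected condition still chains the tests with `and`, which binds lower than `=`/`!` and is a precedence trap in Ruby, and the surrounding `if`/`else` exists only to map the test onto `true`/`false`. The five lines can collapse to `!!(res && res.code == 200 && res.body.to_s =~ /ATEN International Co Ltd\./)` as the method's last expression, keeping the `.to_s` guard this commit adds and returning the same booleans. The enclosing method begins before the hunk, with the request call whose options close at the `})` on the hunk's second line.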