Rename, change titles/descriptions, fix minor bugs
parent
b9caf091d4
commit
6b43d94c72
|
@ -14,15 +14,16 @@ class Metasploit3 < Msf::Auxiliary
|
||||||
|
|
||||||
def initialize(info = {})
|
def initialize(info = {})
|
||||||
super(update_info(info,
|
super(update_info(info,
|
||||||
'Name' => 'Supermicro Onboard IPMI Buffer Overflow Scanner',
|
'Name' => 'Supermicro Onboard IPMI CGI Vulnerability Scanner',
|
||||||
'Description' => %q{
|
'Description' => %q{
|
||||||
This module checks a Supermicro Onboard IPMI web interface against
|
This module checks for known vulnerabilities in the CGI applications of
|
||||||
several unauthenticated buffer overflows. The vulnerabilities exist
|
Supermicro Onboard IPMI controllers. These issues currently include
|
||||||
on the login.cgi and close_window.cgi components.
|
several unauthenticated buffer overflows in the login.cgi and close_window.cgi
|
||||||
|
components.
|
||||||
},
|
},
|
||||||
'Author' =>
|
'Author' =>
|
||||||
[
|
[
|
||||||
'hdm', #Discovery and Metasploit module
|
'hdm', # Discovery and analysis
|
||||||
'juan vazquez' # Metaspliot module
|
'juan vazquez' # Metaspliot module
|
||||||
],
|
],
|
||||||
'License' => MSF_LICENSE,
|
'License' => MSF_LICENSE,
|
||||||
|
@ -118,11 +119,11 @@ class Metasploit3 < Msf::Auxiliary
|
||||||
|
|
||||||
|
|
||||||
def run_host(ip)
|
def run_host(ip)
|
||||||
vprint_status("#{peer} - Checking if it's a Supermicro web interface...")
|
vprint_status("#{peer} - Checking if it's a Supermicro IPMI web interface...")
|
||||||
if is_supermicro?
|
if is_supermicro?
|
||||||
vprint_good("#{peer} - Supermicro web interface found")
|
vprint_good("#{peer} - Supermicro IPMI web interface found")
|
||||||
else
|
else
|
||||||
vprint_error("#{peer} - Supermicro web interface not found")
|
vprint_error("#{peer} - Supermicro IPMI web interface not found")
|
||||||
return
|
return
|
||||||
end
|
end
|
||||||
|
|
||||||
|
@ -139,10 +140,10 @@ class Metasploit3 < Msf::Auxiliary
|
||||||
})
|
})
|
||||||
end
|
end
|
||||||
|
|
||||||
vprint_status("#{peer} - Checking CVE-2013-3623 (close_window.gi buffer overflow) ...")
|
vprint_status("#{peer} - Checking CVE-2013-3623 (close_window.gi Buffer Overflow) ...")
|
||||||
result = check_close_window
|
result = check_close_window
|
||||||
if result
|
if result
|
||||||
print_good("#{peer} - Vulnerable to CVE-2013-3623 (close_window.cgi buffer overflow)")
|
print_good("#{peer} - Vulnerable to CVE-2013-3623 (close_window.cgi Buffer Overflow)")
|
||||||
report_vuln({
|
report_vuln({
|
||||||
:host => rhost,
|
:host => rhost,
|
||||||
:port => rport,
|
:port => rport,
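Review bot: The status line at the top of this hunk still names the component `close_window.gi` while the print_good line three lines below says `close_window.cgi`; since the commit already rewrites this string, the typo should go with it: `vprint_status("#{peer} - Checking CVE-2013-3623 (close_window.cgi Buffer Overflow) ...")`. A similar leftover sits in the first hunk of this file, where the author comment on the new side still reads `# Metaspliot module`. The report_vuln call and the enclosing run_host method continue past the end of the hunk.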
|
|
@ -32,18 +32,17 @@ class Metasploit3 < Msf::Auxiliary
|
||||||
|
|
||||||
def initialize
|
def initialize
|
||||||
super(
|
super(
|
||||||
'Name' => 'Supermicro Onboard IPMI Static Encryption Key Scanner',
|
'Name' => 'Supermicro Onboard IPMI Static SSL Certificate Scanner',
|
||||||
'Description' => %q{
|
'Description' => %q{
|
||||||
This module checks the certificate of the specified web servers. The Supermicro Onboard
|
This module checks for a static SSL certificate shipped with Supermicro Onboard IPMI
|
||||||
IPMI firmware ships with harcoded private encryption keys for both the Lighttpd web server
|
controllers. An attacker with access to the publicly-available firmware can perform
|
||||||
SSL interface and the Dropbear SSH daemon. An attacker with access to the publicly available
|
man-in-the-middle attacks and offline decryption of communication to the controller.
|
||||||
Supermicro firmware can perform man-in-the-middle and offline decryption of communication to
|
This module has been on a Supermicro Onboard IPMI (X9SCL/X9SCM) with firmware
|
||||||
the firmware. This module has been on Supermicro Onboard IPMI (X9SCL/X9SCM) with firmware
|
version SMT_X9_214.
|
||||||
SMT_X9_214.
|
|
||||||
},
|
},
|
||||||
'Author' =>
|
'Author' =>
|
||||||
[
|
[
|
||||||
'hdm', # Discovery and Metasploit module
|
'hdm', # Discovery and analysis
|
||||||
'juan' # Metasploit module
|
'juan' # Metasploit module
|
||||||
],
|
],
|
||||||
'License' => MSF_LICENSE,
|
'License' => MSF_LICENSE,
|
||||||
|
@ -76,7 +75,7 @@ class Metasploit3 < Msf::Auxiliary
|
||||||
result = cert.verify(pkey)
|
result = cert.verify(pkey)
|
||||||
|
|
||||||
if result
|
if result
|
||||||
print_good("#{ip}:#{rport} - Found service using Supermicro IPMI static private key to encrypt communications")
|
print_good("#{ip}:#{rport} - Vulnerable to CVE-2013-3619 (Static SSL Certificate)")
|
||||||
# Report with the the SSL Private Key hash for the host
|
# Report with the the SSL Private Key hash for the host
|
||||||
digest = OpenSSL::Digest::SHA1.new(pkey.public_key.to_der).to_s.scan(/../).join(":")
|
digest = OpenSSL::Digest::SHA1.new(pkey.public_key.to_der).to_s.scan(/../).join(":")
|
||||||
report_note(
|
report_note(
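Review bot: The comment `# Report with the the SSL Private Key hash for the host` does not match the line below it, which digests `pkey.public_key.to_der`, i.e. the public half of the static key, so the stored note is a public-key fingerprint rather than a private-key hash; suggest `# Report the SHA1 fingerprint of the static key's public half for the host`. The rewritten description earlier in this file reads `This module has been on a Supermicro Onboard IPMI (X9SCL/X9SCM) with firmware`, which appears to be missing the word "tested" (the sibling module's description in this commit says "has been tested on"). The report_note call and the enclosing method continue outside the hunk.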
|
||||||
|
@ -91,7 +90,7 @@ class Metasploit3 < Msf::Auxiliary
|
||||||
:host => rhost,
|
:host => rhost,
|
||||||
:port => rport,
|
:port => rport,
|
||||||
:proto => 'tcp',
|
:proto => 'tcp',
|
||||||
:name => "Supermicro Onboard IPMI Static Encryption Keys",
|
:name => "Supermicro Onboard IPMI Static SSL Certificate",
|
||||||
:refs => self.references
|
:refs => self.references
|
||||||
})
|
})
|
||||||
end
|
end
|
|
@ -15,14 +15,15 @@ class Metasploit3 < Msf::Auxiliary
|
||||||
|
|
||||||
def initialize(info = {})
|
def initialize(info = {})
|
||||||
super(update_info(info,
|
super(update_info(info,
|
||||||
'Name' => 'Supermicro Onboard IPMI Directory Taversal',
|
'Name' => 'Supermicro Onboard IPMI url_redirect.cgi Authenticated Directory Traversal',
|
||||||
'Description' => %q{
|
'Description' => %q{
|
||||||
This module abuses a directory traversal on the web interface for Supermicro Onboard IPMI. The
|
This module abuses a directory traversal vulnerability in the url_redirect.cgi application
|
||||||
vulnerability exists in the url_redirect.cgi CGI application, due to a lack of sanitization
|
accessible through the web interface of Supermicro Onboard IPMI controllers. The vulnerability
|
||||||
of the url_name parameter. This may allow an attacker with a valid, but not necessarily
|
is present due to a lack of sanitization of the url_name parameter. This allows an attacker with
|
||||||
administrator-level account, to access the contents of any file on the system. This includes
|
a valid, but not necessarily administrator-level account, to access the contents of any file
|
||||||
the /nv/PSBlock file, which contains the cleartext credentials for all configured accounts.
|
on the system. This includes the /nv/PSBlock file, which contains the cleartext credentials for
|
||||||
This module has been tested on Supermicro Onboard IPMI (X9SCL/X9SCM) with firmware SMT_X9_214.
|
all configured accounts. This module has been tested on a Supermicro Onboard IPMI (X9SCL/X9SCM)
|
||||||
|
with firmware version SMT_X9_214.
|
||||||
},
|
},
|
||||||
'Author' =>
|
'Author' =>
|
||||||
[
|
[
|
||||||
|
@ -57,7 +58,7 @@ class Metasploit3 < Msf::Auxiliary
|
||||||
"method" => "GET"
|
"method" => "GET"
|
||||||
})
|
})
|
||||||
|
|
||||||
if res and res.code == 200 and res.body =~ /ATEN International Co Ltd\./
|
if res and res.code == 200 and res.body.to_s =~ /ATEN International Co Ltd\./
|
||||||
return true
|
return true
|
||||||
else
|
else
|
||||||
return false
|
return false
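Review bot: The new condition `if res and res.code == 200 and res.body.to_s =~ /ATEN International Co Ltd\./` uses `and` for boolean logic, which Ruby style reserves for control flow because of its very low precedence; the idiomatic form is `if res && res.code == 200 && res.body.to_s =~ /ATEN International Co Ltd\./`. The added `.to_s` is the right fix for a nil body reaching `=~`, and the `if ... return true else return false end` could simply be the condition's value, but that is a matter of taste. The enclosing method's definition starts outside the hunk.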
|