
Add Xymon useradm Command Execution module #12041

Merged
merged 1 commit into from Jul 11, 2019

Conversation

@bcoles

bcoles commented Jul 2, 2019

Add Xymon useradm Command Execution exploit module.

    This module exploits a command injection vulnerability in Xymon
    versions before 4.3.25 which allows authenticated users
    to execute arbitrary operating system commands as the web
    server user.

    When adding a new user to the system via the web interface with
    `useradm.sh`, the user's username and password are passed to
    `htpasswd` in a call to `system()` without validation.
    This module has been tested successfully on Xymon version 4.3.10
    on Debian 6.
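The mechanism the PR body describes (user-controlled username and password concatenated into a `system()` call to `htpasswd`), shown as an added, constructed C illustration rather than Xymon's own source: the unsafe string-building pattern beside a hardened version that whitelists the username and runs `htpasswd` without a shell. The function names, the `htpasswd -b` invocation and the password-file path are assumptions, not code from the project or this PR.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>
#include <unistd.h>
#include <sys/wait.h>

/* Constructed illustration (not Xymon's code): the unsafe pattern builds one
 * shell command string from user-controlled fields for system(), so any shell
 * metacharacter in user or pass becomes command syntax. Nothing is run here. */
int build_unsafe_command(char *out, size_t outlen, const char *passfile,
                         const char *user, const char *pass)
{
    int n = snprintf(out, outlen, "htpasswd -b %s %s %s", passfile, user, pass);
    return (n >= 0 && (size_t)n < outlen) ? 0 : -1;
}

/* Hardened version, part 1: accept only a conservative username charset. */
int valid_username(const char *user)
{
    size_t len = strlen(user);
    if (len == 0 || len > 64)
        return 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)user[i];
        if (!isalnum(c) && c != '_' && c != '-' && c != '.')
            return 0;
    }
    return 1;
}

/* Hardened version, part 2: never go through a shell. fork/exec passes each
 * field as its own argv element, so metacharacters are data, not syntax.
 * Returns htpasswd's exit status, or -1 on validation/fork/exec failure.
 * Caveat: -b puts the password on argv, visible in the process list. */
int add_user_safe(const char *passfile, const char *user, const char *pass)
{
    if (!valid_username(user))
        return -1;
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        execlp("htpasswd", "htpasswd", "-b", passfile, user, pass, (char *)NULL);
        _exit(127); /* exec failed */
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}
```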
@bcoles bcoles added module docs labels Jul 2, 2019
@asoto-r7 asoto-r7 self-assigned this Jul 3, 2019
@asoto-r7


asoto-r7 commented Jul 3, 2019

@bcoles : I'm having trouble getting a test environment set up. I've got a local Ubuntu box where I manually installed 4.3.24 and I'm beating my head against getting the Apache config working. I'll keep digging, but right now, the provided Apache config directs me to the xymon folder without any CGI:

[image]

In the meantime, I grabbed the VM (which comes with , but I'm getting 401 Authorization failed during the check in the default config. I used htpasswd to add an admin user to the /usr/lib/xymon/server/etc/xymonpasswd file (which is linked to /etc/xymon/xymonpasswd), but the check still returns 401s, even after a reboot. I also tried stripping out the HTTP Authorization header, but still got the same result.

As a quick sanity check, I used pry to check the result, and it definitely looks like a proper 401:

msf5 exploit(unix/webapp/xymon_useradm_cmd_exec) > run

[*] Started reverse TCP handler on 192.168.199.241:4444 

From: /home/administrator/git/metasploit-framework/modules/exploits/unix/webapp/xymon_useradm_cmd_exec.rb @ line 110 Msf::Modules::Exploit__Unix__Webapp__Xymon_useradm_cmd_exec::MetasploitModule#check:

    105:     res = send_request_cgi({
    106:       'uri' => normalize_uri(target_uri.path, 'useradm.sh')
    107:       'authorization' => basic_auth(user, pass)
    108:     })
    109: 
 => 110:     require 'pry'; binding.pry
    111: 
    112:     unless res
    113:       vprint_status "#{peer} - Connection failed"
    114:       return CheckCode::Unknown
    115:     end

[1] pry(#<Msf::Modules::Exploit__Unix__Webapp__Xymon_useradm_cmd_exec::MetasploitModule>)> res
=> #<Rex::Proto::Http::Response:0x00007efc00ccdd20
 @auto_cl=true,
 @body=
  "<!DOCTYPE HTML PUBLIC \"-//IETF//DTD HTML 2.0//EN\">\n<html><head>\n<title>401 Authorization Required</title>\n</head><body>\n<h1>Authorization Required</h1>\n<p>This server could not verify that you\nare authorized to access the document\nrequested.  Either you supplied the wrong\ncredentials (e.g., bad password), or your\nbrowser doesn't understand how to supply\nthe credentials required.</p>\n<hr>\n<address>Apache/2.2.16 (Debian) Server at 192.168.220.130 Port 80</address>\n</body></html>\n",
 @body_bytes_left=0,
 @bufq="",
 @chunk_max_size=10,
 @chunk_min_size=1,
 @code=401,
 @count_100=0,
 @headers=
  {"Date"=>"Wed, 03 Jul 2019 12:30:15 GMT",
   "Server"=>"Apache/2.2.16 (Debian)",
   "WWW-Authenticate"=>"Basic realm=\"Xymon Administration\"",
   "Vary"=>"Accept-Encoding",
   "Content-Length"=>"482",
   "Content-Type"=>"text/html; charset=iso-8859-1"},
 @inside_chunk=false,
 @max_data=1048576,
 @message="Authorization Required",
 @peerinfo={"addr"=>"192.168.220.130", "port"=>80},
 @proto="1.1",
 @request=
  "GET /xymon-seccgi/useradm.sh HTTP/1.1\r\nHost: 192.168.220.130\r\nUser-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)\r\nContent-Type: application/x-www-form-urlencoded\r\n\r\n",
 @state=3,
 @transfer_chunked=false>
[2] pry(#<Msf::Modules::Exploit__Unix__Webapp__Xymon_useradm_cmd_exec::MetasploitModule>)> exit
[*] 192.168.220.130:80 - Authentication failed
[-] Exploit aborted due to failure: not-vulnerable: Target is not vulnerable
[*] Exploit completed, but no session was created.
msf5 exploit(unix/webapp/xymon_useradm_cmd_exec) > 

What am I missing here?

@bcoles


bcoles commented Jul 4, 2019

I manually installed 4.3.24 and I'm beating my head against getting the Apache config working.

Good luck with that. Unfortunately, installing isn't as simple as dumping the xymon directory in the docroot. At a guess, your CGI module or doc roots aren't configured properly. Your directory listing does not look correct. The Apache configuration should contain a docroot directive for /xymon/ to point to the CGI path.

Despite linking the installation instructions in the module documentation, I didn't use them. I used the VM for this PR, specifically so I didn't have to mess with Apache config and trying to get ~3 year old dependencies to play nice together.

I also verified the bug by reading the source and reviewing the patch diffs, to be sure that the VM was representative of reality. I also tested the module across subnets, in case there was IP whitelisting.

(For the other open Xymon module PR xymon_info, I used OS packages, as the module works against latest Xymon version. This was pleasantly painless.)

The good news, if you wish to pursue the manual installation route, is that you can probably steal some Apache config from the VM, which might save some time.

What am I missing here?

I'm not sure. There are a few things going on here.

From what I remember, the exploit worked out of the box, once a user was added with htpasswd.

First, I'd check that the changes applied with htpasswd were in fact written to the xymonpasswd file, then test authenticating with a web browser. Any HTTP request to files in the secure CGI directory (/xymon-seccgi/useradm.sh) should be sufficient.

Next, is there a reason you've removed the comma from the end of line 106? That's kind of important.

    105:     res = send_request_cgi({
    106:       'uri' => normalize_uri(target_uri.path, 'useradm.sh')
    107:       'authorization' => basic_auth(user, pass)
    108:     })
    109: 
 => 110:     require 'pry'; binding.pry
    111: 
    112:     unless res
    113:       vprint_status "#{peer} - Connection failed"
    114:       return CheckCode::Unknown
    115:     end

I'd probably need to see your console output with set HttpTrace true to offer further guidance.

If you don't have any luck, let me know and I'll rebuild the Xymon VM and document step-by-step any changes I make.

@bcoles


bcoles commented Jul 5, 2019

I tried with a clean Xymon VM from the .ova. Added user admin with htpasswd /etc/xymon/xymonpasswd admin. Made no other changes. Didn't restart service. Didn't reboot.

Auth works. Check works. Exploit works.

[image]

@asoto-r7


asoto-r7 commented Jul 11, 2019

Thanks @bcoles. Apologies for the delay, since I was out on holiday.

I borked the VM on my first try, probably poking around configs unnecessarily. It worked fine with a fresh VM, though. For anyone in the future, here are the environment setup steps. Frankly, they're dead simple and I don't know how it didn't work the first time. 🤷‍♂

  1. Download the OVA from SourceForge.
  2. Launch the VM and login to the console as root : password.
  3. Run htpasswd /etc/xymon/xymonpasswd admin.
  4. When prompted, enter a new password for the admin user. Confirm the password.
  5. Use ifconfig to find the IP address and target the VM.
@asoto-r7 asoto-r7 merged commit a0538a9 into rapid7:master Jul 11, 2019
3 checks passed
Metasploit Automation - Sanity Test Execution Successfully completed all tests.
Metasploit Automation - Test Execution Successfully completed all tests.
continuous-integration/travis-ci/pr The Travis CI build passed
asoto-r7 added a commit that referenced this pull request Jul 11, 2019
@asoto-r7


asoto-r7 commented Jul 11, 2019

Release Notes

The Xymon Useradm Command Execution module has been added to the framework. It targets an authenticated remote code execution vulnerability in the Xymon network monitoring system (CVE-2016-2056).

msjenkins-r7 added a commit that referenced this pull request Jul 11, 2019
@bcoles bcoles deleted the bcoles:xymon_useradm_cmd_exec branch Jul 12, 2019
@tdoan-r7 tdoan-r7 added the rn-modules label Jul 24, 2019