unified_remote exploit #16989
Conversation
Thanks for your pull request! Before this can be merged, we need the following documentation for your module:

@H4rk3nz0 wanted to show you https://github.com/rapid7/metasploit-framework/pull/16989/files#diff-36de1eb4db0be8601b9f08557b8add6cf522a8b14f93bf59aee7eb83ca1dc547R133 . In your original POC you had

@h00die thanks for the cool module writeup, never did get far with dissecting what everything in the hex body was doing : ) . I do recall reaching out to Unified Remote through their on-site contact at the time of testing Unified Remote (~ mid February 2021). I am having trouble finding the exact date of that correspondence as it was just a response from them stating that they don't consider it a problem, as users are able to set authentication passwords for the web console, which was disabled by default. I didn't chase for a CVE at the time. Will let you know if I can locate an exact date, but it may be lost to the digital ether.

@H4rk3nz0 interesting. I see how you can disable the web console (it's enabled by default), but not how to 'secure' it. I see you can set creds for the remote portion, but we can bypass that if the web console is enabled. Seems like things aren't adding up, but I guess we can move forward w/o a CVE. I'm adding in some checks now for the site being down, and then will push this up for review.

@H4rk3nz0 if you have time, give this module a try and let me know how it's working for you.
Thanks @h00die for this module! I just left a few minor comments for you to review when you get a chance.
@H4rk3nz0 can you please confirm there is a way to auth the web page controller? I don't see that option anywhere, just 'turn it off and on'.

Hi @h00die, I believe I misunderstood the functionality of the password feature at the time. I am unable to secure the web console outside of completely disabling it. Also, I thought this may interest you as a potential improvement to the current script that can remove the possibility of user interaction interrupting the payload process: https://pastebin.com/raw/VMeWckHA I have attached a modified script (rough and quick edit, apologies) as Unified Remote has a 'premium feature' for the mobile app that allows executing commands remotely as a 'utility function'; naturally it is not too hard to figure out what is controlling the length of the string set as the command payload. It all happens out of view of the GUI. Let me know what you think, cheers.

Quick extra note: any command output is returned in the TCP response from the Unified Remote server as a Result: if that is of interest.

Pushing back to draft while looking at the improvements.

So for a CVE, let's gather this in one place, so I can release @smcintyre-r7 and/or @mkienow-r7 to actually do the CVE assignment. Here's the CVE distillation: Title: Unified Intents AB Unified Remote Improper Authorization

Reserved CVE ID

@H4rk3nz0 was the name 'update' something you set in the script name? Seemed like it, but I forgot to test making that variable before updating the PR.

@h00die, thanks for the hard work transcribing the scripts to msf modules. Your hard work is much appreciated. With regards to 'update', I assume you're referring to within the hex and the call for the 'invisible' feature? As I understand it, the invisible command execution feature creates a batch file on Windows and a bash file on Linux hosts, which it makes calls to 'update' the content of, then executes it in a following call and returns the output. https://www.unifiedremote.com/remotes/command As I understand it, despite being a 'pro' feature, the invisible option should work by default on all Unified Remote installations. Also a quick note: I see you included the pastebin URL I shared as a reference, but please be aware that the pastebin will expire in 9 days' time from now. I didn't expect that you would include it, my apologies. If you would like to modify that and create a more permanent store, then by all means.

After testing, the word 'update' is not changeable; it's part of the protocol. @H4rk3nz0 I'll leave the ref in there for the time being in case there are any other changes during testing.
Thanks @h00die for your updates. I just left a few minor comments before it lands. I tested with all the different configurations you described in the documentation and it works great.
Should be good to go!

Thanks @h00die for updating this. Everything looks good to me now. I tested multiple scenarios against Unified Remote version 3.11.0.2483(50) on Windows 11 and verified it works as expected. I'll go ahead and land it.

Example output

Tested against Unified Remote version 3.11.0.2483(50) on Windows 11

- No authentication - visible true
- No authentication - visible false
- Group authentication - visible true
- Group authentication - visible false
- User authentication - visible true
- User authentication - visible false
- No authentication - no web server access - visible true
- User authentication - no web server access - visible true (should fail)

Release Notes

This adds an exploit module to exploit an authentication bypass to achieve remote code execution in Unified Remote on Windows. Note that the latest version (3.11.0.2483) is vulnerable, which makes it a 0-Day.

FWIW, just published this CVE. Sorry for the delay.

Not a problem, I just got the Web Triggerable RCE working. In theory any Unified Remote user that visits a web page* with the right JS could get popped.
### PATH

This ONLY applies to the pull method. Where to temporarily store the payload. Defaults to `c:\\Windows\\Temp\\`
What alternatives are there to "the pull method" ?
pull is not mentioned or documented anywhere else, with the exception of the module target which states "pull".
```ruby
'Platform' => 'win',
'Stance' => Msf::Exploit::Stance::Aggressive,
'Targets' => [
  ['pull', {}],
```
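Review bot: the only target is named 'pull' with an empty options hash, and nothing in the diff explains what 'pull' means, while the PATH option's documentation says it "ONLY applies to the pull method" as though alternatives exist. Either give the target a descriptive name that matches the PR description (the attacker host serves the payload over HTTP and the target downloads it) or add a sentence to the docs defining the method, and drop the "ONLY applies to the pull method" qualifier if there is no other method.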
?
A similar exploit to #16985
This PR adds a new module to exploit an auth bypass to RCE in 'Unified Remote'.
Leaving it draft right now, talking to @todb / @todb-r7 about a possible CVE for it. Also needs a real description and docs, but wanted to post for gathering info on the CVE stuff.
@H4rk3nz0 looks like you were the original author (and your Twitter is gone), did you ever reach out to the company to responsibly disclose? If so, can you post details so we can possibly get this CVE'd as well? It's still valid against the most recent version.
This is a neat exploit as you connect to the web server (no auth) to pull the config, then set the RDP-ish auth to be none if needed. Then connect to the service and ask it to open cmd, then type out what you want on the user's screen. It's fun to watch shellcode :). Wrote in a cmdstager method, but due to the buffering and timeouts, decided to remove it as it just wasn't a good fit at all unfortunately. Used @H4rk3nz0's original method, which uses the host to host the payload on a web server and just download it. MUCH faster and more reliable.
Verification
- msfconsole
- use exploit/windows/misc/unified_remote
- set rhost and lhost as required
- run