-   Notifications  You must be signed in to change notification settings 
- Fork 14.6k
CVE-2020-7200 - HPE Systems Insight Manager 7.6.x Unauthenticated RCE via AMF Deserialization #14846
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Conversation
| Thanks for your pull request! Before this can be merged, we need the following documentation for your module: | 
| Uploading the source code for generating the  | 
19b6896 to adbb6f1   Compare      modules/exploits/windows/http/hpe_sim_76_amf_deserialization.rb  Outdated   Show resolved Hide resolved  
    modules/exploits/windows/http/hpe_sim_76_amf_deserialization.rb  Outdated   Show resolved Hide resolved  
 | Hmm, it looks like the class file and  | 
| 
 | 
…ke structure as per space-r7 's recommendations
…ince this supports Meterpreter and is generally a lot more reliable
| Fixed the loop issue with d739bf7 and also updated the module with f193caa to use the Windows Powershell target by default since that supports Meterpreter and generally has a wider range of payloads that works (for instance  | 
| return CheckCode::Safe('Failed to identify an active amfsecure endpoint on the target.') unless res&.code == 200 | ||
|  | ||
| CheckCode::Appears('Found an active amfsecure endpoint on the target!') | 
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
It seems reasonable that the server may respond with a 200 OK for any requested research which would cause this to return Appears. Is there anything in the expected response body or maybe the headers that would help narrow this down a bit more?
Also Appears may not be the best fit here since there's no version detection taking place. Detected might be a bit more appropriate especially if the vulnerability has been patched.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Hmm so this is an interesting one as the affected page doesn't give away anything such as a version number or similar that could help identify it, and the only version numbers that are revealed are for stuff like Tomcat and generic servers which are not really good matches.
That being said this server is locked to listening on port 50000 and has a login page at / which I should be able to use as a search point to say "hey if the login page at / contains these words, and the vulnerable page exists and is returning 200 OK, then its likely this target is vulnerable".
Unfortunately the login page does not have any versioning information and I am not aware of any page that reveals the version info of HPE SIM at this time.
For reference at the moment the vulnerability has not been patched. The vendor recommendation is to remove the vulnerable .war file, essentially destroying the functionality. Those who rely on this functionality will either have to remain vulnerable, or be forced to find a replacement.
Will update this check so long and also update the Appears check to instead return Detected as we can't do version detection as you pointed out.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
What if you attempted to trigger the deserialization vuln with a sort of No-op and checked the error message like you do for the actual exploit. Then you could confidently return a Vulnerable status which would be even better.
From your module metadata it looks like somethings written to disk. Does that occur during exploitation because it doesn't look like you're using the command stager which would write out to the disk. If you could trigger the deserialization enough to get an error to identify it's vulnerable without crashing the service or writing to disk I think that'd be a good solution. If it logs something incriminating, I think it's a reasonable trade off for accuracy.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Woops it appears I didn't actually answer your question cause for some reason I either didn't read the second message or GitHub didn't show it to me 😞 I don't believe anything is written to disk by this exploit, its probably an artifact left over from the original code that I based this off of back when I thought this module could handle payload droppers (spoiler alert, it really does not handle them well at all). I'll remove that so long as it doesn't make sense anymore.
As for the deserialization, yeah I can get it to trigger an error with a blank payload, which should be more than enough to indicate that the target is vulnerable using similar logic, as if that null error occurs when sending a message to the target its pretty much guaranteed to be vulnerable. I'll update the code to reflect this so that we can return more accurate results. and return vulnerable properly.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Did another update in 8479f01 to remove the extra metadata about dropping a file since that no longer applies, and to also return a Vulnerable status after trying to deserialize a payload that simply executes the command a, and then checking the results.
…rching for the presence of three strings that together should only be returned by HPE SIM web servers.
   modules/exploits/windows/http/hpe_sim_76_amf_deserialization.rb  Outdated   Show resolved Hide resolved  
 | Gah I need to update the documentation and also lint this again. Give me a second... | 
| Works great for me. Tested with both targets:  | 
| Release NotesNew module  | 
This module adds support for CVE-2020-7200, an unauthenticated RCE vulnerability within HPE Systems Insight Manger 7.6.x that results in unauthenticated RCE. The issue occurs due to two factors: the first is that an outdated version of the Apache CommonsCollections library, specifically version 3.2.2, is in use within HPE Systems Insight Manager 7.6.x, which assists with the exploitation process. The second and more important issue is that no verification takes place on any serialized AMF requests which are sent to the
/simsearch/messagebroker/amfsecurepage, which is accessible to unauthenticated users.This module should allow one to execute fairly arbitrary command line statements as the user running the HPE Systems Insight Manager server, which is normally the local administrator.
Verification
List the steps needed to make sure this thing works
msfconsoleuse exploit/windows/http/hpe_sim_76_amf_deserializationset TARGET Windows\ Powershellset PAYLOAD windows/x64/meterpreter/bind_tcpset RHOSTS *target*exploitgetsystemon a Meterpreter shell gets you system from the administrative user.set TARGET Windows\ Commandset PAYLOAD cmd/windows/adduserexploitmetasploitis created with the passwordMetasploit$1.