Posts

SuperMicro IPMI Exploitation

Software & Hardware Versions Exploited in POC

This vulnerability is now known as CVE-2019-19642.

Hardware: Motherboard model number: X8STi-F
Software: IPMI FW Version: 2.06, BIOS Version: 02.68

Vulnerability Description
The Virtual Media feature of the web-based IPMI contains an OS command injection issue, allowing attackers to execute arbitrary commands on the victim system's firmware. Attackers exploiting this issue are able to install backdoors or pivot into a network and execute further attacks within the victim network.

This type of issue is classified as CWE-78, Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection'): https://cwe.mitre.org/data/definitions/78.html

Vulnerability Exploitation

The vulnerability exists in /rpc/setvmdrive.asp. When sending an authenticated POST request to this URL, the POST parameters ShareHost and ShareName can be injected with bash commands. To attain execution of the injected commands, "backticks" also referred to as "b…

OSSEC Privilege Escalation via Directory Traversal

Overview

OSSEC HIDS can allow an attacker to escalate privileges via the method described in this post. I recently came across this issue which could present a concern in some environments. This issue is known as CVE-2018-19666.

Access Required

There is some access required, as this is privilege escalation:

- Full access to the OSSEC server.
- Low privilege access to a system with the OSSEC HIDS agent installed.

The Vulnerability

OSSEC has a feature called ActiveResponse that allows OSSEC admins to execute scripts to respond to security incidents. The documentation says the script has to be in a specified directory; specifically, it says this:

The [response script] must be inside the /var/ossec/active-response/bin/ [on the system with ossec hids] with the execution permissions set.

This Active Response feature can run scripts remotely on the client system if the script is in the active-response/bin directory, on either Windows or Linux. When a specially crafted configuration is used, an attacker …