By:
Cesar Neira
Professional services

Netwoker: One more way to own Networker

The title of this post is a reference to “So Many Ways to Own Dell EMC Networker”. During a pentest, that post was very useful to us. Thanks so much! We recommend reading it before continuing.

In our pentest exercise, we found many installations of the Networker client in the internal network. Some of these installations allowed us to execute Networker commands remotely, so we tried to exploit the command injection vulnerability in “nsrdump”, but the command was not found. Fortunately, we found the “nsr_render_log” command and were able to get the password hashes for the users, but we couldn’t crack them. Moreover, exploitation via Erlang was also not possible, because the hosts were not running that service. At this point we decided to try other Networker commands.

⦁ nsrrcopy arbitrary file upload

We started by listing the Networker commands available in a default installation. One that caught our attention was "nsrrcopy", maybe because it sounds like "Remote Copy".



The "nsrrcopy" file is actually a Bash script. Reading it, we can see that it calls another program named "uasm" and passes it some parameters controlled by us.



The uasm documentation states that its purpose is "saving" and "recovering" filesystem data. It also says that it can be used like the "tar" command.



For example, to save the file "/etc/passwd" we use the "-s" option. This creates a byte stream that is written to standard output, which we redirect to the "stream" file.



And to recover the "/etc/passwd" file we use the "-r" option. This reads the previously created byte stream from standard input and restores the files. The "-iY" parameter overwrites existing files without confirmation.



In nsrrcopy, uasm is executed in recovery mode, overwriting files without confirmation. An extra parameter, "$1", can also be passed. It is optional and must be a path; when present, it prevents uasm from writing files outside that path. Luckily for us, we control it and can pass "/" to allow writing to the whole filesystem.
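As an added example (not part of the original post, and not Dell's code or fix), this is the kind of validation a wrapper like nsrrcopy would need on that path argument before handing it to "uasm -r -iY": refuse "/", NUL bytes and any path that escapes an allow-listed base directory. The base directory "/nsr/restore" and the argument order of the built command line are assumptions.

```python
import posixpath
from typing import Optional

# Assumed allow-listed base directory for restores (constructed for this example).
ALLOWED_RESTORE_BASE = "/nsr/restore"


def normalize_restore_root(candidate: str,
                           base: str = ALLOWED_RESTORE_BASE) -> Optional[str]:
    """Return the normalised restore root if it lies inside `base`, else None.

    Mirrors the check a wrapper such as nsrrcopy should apply to its path
    argument before invoking "uasm -r -iY": the root must be absolute, free of
    NUL bytes, not "/" and unable to escape `base` through "..". The
    normalisation is lexical (posixpath.normpath), so it never touches the host
    filesystem; symlinks under `base` still need os.path.realpath on the real
    host before anything is written.
    """
    if "\0" in candidate:
        return None                       # NUL would silently truncate the argument
    if not candidate.startswith("/"):
        return None                       # relative roots depend on the cwd: refuse
    # POSIX lets normpath keep a leading "//"; fold it so the prefix test below holds.
    candidate = "/" + candidate.lstrip("/")
    root = posixpath.normpath(candidate)  # collapses ".", "..", "//" and trailing "/"
    base_norm = posixpath.normpath(base)
    if root == "/":
        return None                       # the value the post abuses to write anywhere
    if root != base_norm and not root.startswith(base_norm + "/"):
        return None                       # outside the allow-listed base
    return root


def uasm_recover_argv(candidate: str) -> list:
    """Build the uasm recover command line for a validated root.

    The flags ("-r" recover, "-iY" overwrite without confirmation) are the ones
    the post describes; the argument order is assumed for this example.
    """
    root = normalize_restore_root(candidate)
    if root is None:
        raise ValueError(f"refusing restore root {candidate!r}")
    return ["uasm", "-r", "-iY", root]


if __name__ == "__main__":
    for arg in ["/", "/nsr/restore/job1/", "/nsr/restore/../../etc", "/nsr/restore2"]:
        print(f"{arg!r:28} -> {normalize_restore_root(arg)!r}")
```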



The main objective is to execute "nsrrcopy" via "nsrexec" to upload arbitrary files to the remote host. But "nsrrcopy" (uasm) reads the byte stream with the file’s content from standard input. How can we control the standard input of the remote program? Luckily, "nsrexec" uses an environment variable, "STDIN", whose value becomes the standard input passed to the remote program.



Now the issue is that we can't put our malicious byte stream directly into the STDIN environment variable, because it contains many null bytes and would be truncated.



One way to solve this is to use "netsed" to replace the STDIN value in the network packet before it is sent to the remote host.



Another way would be to write a script that speaks the Networker protocol and sends our payload directly.

⦁ Exploitation step by step

Create your malicious script at “/usr/sbin/nsrwoot”



Give it execute permissions



Generate the byte stream with “uasm”



Encode the byte stream to pass it to “netsed”



You will get something like this:



Generate an “AAA…” pattern with the same length in bytes



Configure the port redirection with Socat



Configure the port redirection and bytes substitution with Netsed.



Set STDIN with the “AAA...” pattern



Execute “nsrrcopy” on the remote host



After the last command is executed, the “nsrwoot” script will be created on the remote host and you can execute it with “nsrexec”.



⦁ Disclosure Timeline

  • 12-JUL-2021: BASE4 Security submits the initial report
  • 13-JUL-2021: Dell confirms receipt of the report
  • 05-AUG-2021: Dell confirms the vulnerability
  • 09-SEP-2021: Dell reports that the Security Advisory will be published in mid-October
  • 05-OCT-2021: Dell reports that the Security Advisory will be published on 11-OCT-2021.
  • 11-OCT-2021: Dell reports that the publication will be delayed.
  • 12-OCT-2021: Dell publishes Security Advisory DSA-2021-193. BASE4 Security publishes this article with the details of the vulnerability.
  • EP-2021: Dell reports that the fix will be published in mid-October