While performing an internal security assessment for a client, I discovered an OS command injection vulnerability in an Infoblox NetMRI appliance. This was entirely accidental; I was just going about our regular web application testing. I stumbled across the following page and used a proxy to submit crafted values to the "Username" and "Password" fields of the application.
[Figure: Infoblox login page]
[Figure: Injecting a command to ping localhost 20 times]
[Figure: Injecting a command to ping my attack workstation]
I then started a tcpdump session to listen for pings from the target IP address. When they arrived, it proved that the command injection was genuine.
Ordinarily, I would have spent the next bit of time interrogating the target: determining which user I was running as, group membership, and so on. In this particular instance, though, I tried adding a user and setting a password. If the web server had been running as any user other than root, this would have failed.
[Figure: Injecting a "useradd" command]
[Figure: Setting a password]
My next step was adding my user to the wheel group, so I could use sudo. I simply injected a usermod command to accomplish that.
[Figure: Adding the user account to the "wheel" group]
After my user was a member of the wheel group, I used sudo to get a root shell.
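To show why the login form was exploitable and what the fix looks like, here is an added example that is not NetMRI's code: a hypothetical login handler that pastes the form fields into a shell string, a check that tokenises the result the way /bin/sh would, and the hardened form that allow-lists the username and runs the helper with no shell at all. The helper path, the field names and the ping payload are all assumptions modelled on the figures above.

```python
"""Added example, not NetMRI's code: shows why interpolating login fields into
a shell string is exploitable and how a defender fixes it."""
import re
import shlex
import subprocess

# Hypothetical helper binary the web tier calls to verify credentials.
# The path is a placeholder; the appliance's real internals are not on the page.
AUTH_HELPER = "/opt/example/check_login"

# Shell control operators. If one survives as its own token, the untrusted
# text has ended the original command and started a new one.
CONTROL_OPERATORS = {";", "|", "||", "&", "&&"}

# Allow-list for the username field: no quotes, spaces or shell metacharacters.
USERNAME_RE = re.compile(r"[A-Za-z0-9_.@-]{1,64}")


def build_command_vulnerable(username, password):
    """The flawed pattern: form fields pasted straight into one shell line."""
    return f"{AUTH_HELPER} --user '{username}' --pass '{password}'"


def commands_in(cmdline):
    """Tokenise like /bin/sh (without executing anything) and count how many
    separate commands the line contains. Anything above 1 is an injection."""
    lexer = shlex.shlex(cmdline, posix=True, punctuation_chars=True)
    lexer.whitespace_split = True
    return 1 + sum(1 for tok in lexer if tok in CONTROL_OPERATORS)


def build_argv_hardened(username):
    """The fix: validate the field, then pass it as a single argv element.
    The password is deliberately not on the command line (see run_hardened)."""
    if not USERNAME_RE.fullmatch(username):
        raise ValueError("username contains characters outside the allow-list")
    return [AUTH_HELPER, "--user", username]


def run_hardened(username, password):
    """Runs the helper with shell=False so no shell ever parses the input, and
    feeds the password on stdin so it is not visible in the process list.
    Running the web tier as an unprivileged user, not root, limits the blast
    radius if a bug like this slips through anyway."""
    result = subprocess.run(build_argv_hardened(username), input=password.encode(),
                            capture_output=True, shell=False, check=False)
    return result.returncode == 0
```

The constructed username `admin'; ping -c 20 127.0.0.1 #` closes the single quote, appends a second command and comments out the rest of the line, mirroring the "ping localhost 20 times" test in the figure above; `commands_in` reports two commands for the vulnerable string, while `build_argv_hardened` rejects the same value outright.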
Within 24 hours of getting this far, I had taken a crash course in Ruby and written a Metasploit module. The module was tested against NetMRI 126.96.36.199.
Infoblox immediately released a hotfix on 5/16/2014 to remediate this vulnerability on existing installations (v6.X-NETMRI-20710.gpg).
The flaw was corrected in the 6.8.5 release (created expressly for dealing with this issue), and that release has been put into manufacturing for new appliances.