module
Nuuo Central Management Server Authenticated Arbitrary File Download
| Disclosed | Created |
|---|---|
| Oct 11, 2018 | Mar 19, 2019 |
Disclosed
Oct 11, 2018
Created
Mar 19, 2019
Description
The Nuuo Central Management Server allows an authenticated user to download files from the
installation folder. This functionality can be abused to obtain administrative credentials,
the SQL Server database password and arbitrary files off the system with directory traversal.
The module will attempt to download CMServer.cfg (the user configuration file with all the user
passwords including the admin one), ServerConfig.cfg (the server configuration file with the
SQL Server password) and a third file if the FILE argument is provided by the user.
The two .cfg files are zip-encrypted files, but due to limitations of the Ruby ZIP modules
included in Metasploit, these files cannot be decrypted programmatically. The user will
have to open them with zip or a similar program and provide the default password "NUCMS2007!".
This module will either use a provided session number (which can be guessed with an auxiliary
module) or attempt to login using a provided username and password - it will also try the
default credentials if nothing is provided.
All versions of CMS server up to and including 3.5 are vulnerable to this attack.
installation folder. This functionality can be abused to obtain administrative credentials,
the SQL Server database password and arbitrary files off the system with directory traversal.
The module will attempt to download CMServer.cfg (the user configuration file with all the user
passwords including the admin one), ServerConfig.cfg (the server configuration file with the
SQL Server password) and a third file if the FILE argument is provided by the user.
The two .cfg files are zip-encrypted files, but due to limitations of the Ruby ZIP modules
included in Metasploit, these files cannot be decrypted programmatically. The user will
have to open them with zip or a similar program and provide the default password "NUCMS2007!".
This module will either use a provided session number (which can be guessed with an auxiliary
module) or attempt to login using a provided username and password - it will also try the
default credentials if nothing is provided.
All versions of CMS server up to and including 3.5 are vulnerable to this attack.
Author
Pedro Ribeiro [email protected]
Platform
Windows
References
Module Options
To display the available options, load the module within the Metasploit console and run the commands 'show options' or 'show advanced':
NEW
Explore Exposure Command
Confidently identify and prioritize exposures from endpoint to cloud with full attack surface visibility and threat-aware risk context.