Saturday, February 4, 2012

Remote Code Execution on SkyMobile VTI Server

Recently, I got access to management web console of a new to me product called SkyMobile VTI Server. The web console itself was enough to allow complete access to the system as it was running with Administrative privileges and allowed file upload. All I needed to do was upload an asp meterpreter to wwwroot and get the work done.



But I wanted to have fun. After browsing through the console for few minutes I saw the unencrypted default configuration file.





In the configuration file, I saw a parameter called "JavaCommand" which calls JRE executable.




I uploaded a meterpreter executable, changed the "JavaCommand" variable to path of the uploaded meterpreter executable and restarted the service (Yes I restarted it, I know its _really_ bad, but I just did that)


And the result was sweet !!



4 comments:

  1. Hi,

    Did you report this to Sky Technology? Also, have you identified any other issues with other components of their solution?

    ReplyDelete
    Replies
    1. I tried to reach them but could not find any security contact. I filled their contact form many times but (obviously) to no avail.

      Delete
  2. Thanks. Usually, access to the the web status page is protected through identity management and all data and configurations are encrypted. You are obviously working off a development/demo version. The normal install is intentionally open with documentation on how to "harden" security for production systems. If this is a customer system, then you should report this and direct them to the SkyMobile help. Regards Sky support.

    ReplyDelete
  3. No this was not a demo version, this was a production system with default installation.

    As clear from your comment "The normal install is intentionally open", this is a case of insecure default installation (v22.00.04) as far as I understood the application.

    ReplyDelete