Add Total.js Directory Traversal module #11547

Merged
merged 6 commits into from Mar 12, 2019

fabiocogno commented Mar 10, 2019

This module checks and exploits a Directory Traversal vulnerability in Total.js framework < 3.2.4 (CVE-2019-8903). Here is a list of accepted extensions: flac, jpg, jpeg, png, gif, ico, js, css, txt, xml, woff, woff2, otf, ttf, eot, svg, zip, rar, pdf, docx, xlsx, doc, xls, html, htm, appcache, manifest, map, ogv, ogg, mp4, mp3, webp, webm, swf, package, json, md, m4v, jsx, heif, heic.

References:
https://cvedetails.com/cve/CVE-2019-8903/
https://cwe.mitre.org/data/definitions/22.html
https://blog.totaljs.com/blogs/news/20190213-a-critical-security-fix/
https://snyk.io/vuln/SNYK-JS-TOTALJS-173710

This module has been tested successfully on Total.js framework 3.1.0, 3.2.0 and 3.2.2.

Verification

List the steps needed to make sure this thing works

  • Start msfconsole
  • use auxiliary/scanner/http/totaljs_traversal
  • set RHOST <IP>
  • set RPORT <PORT>
  • run
  • Verify you get Total.js version if the target is vulnerable

Scenarios

msf5 > use auxiliary/scanner/http/totaljs_traversal 
msf5 auxiliary(scanner/http/totaljs_traversal) > set RHOST 192.168.2.59
RHOST => 192.168.2.59
msf5 auxiliary(scanner/http/totaljs_traversal) > set RPORT 8320
RPORT => 8320
msf5 auxiliary(scanner/http/totaljs_traversal) > run
[*] Running module against 192.168.2.59

[*] Total.js version is: ^3.2.0
[*] App name: CMS
[*] App description: A simple and powerful CMS solution written in Total.js / Node.js.
[*] App version: 12.0.0
[*] Auxiliary module execution completed
msf5 auxiliary(scanner/http/totaljs_traversal) > 

Testing

In order to set up a vulnerable site, please refer to https://fabiocogno.github.io/metasploit-modules/totaljs-directory-traversal-try-this-at-home.html
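A defender-side check for the affected range named in the description above (Total.js < 3.2.4), as an added example that is not part of this pull request or the Metasploit module: it classifies an application from the `total.js` range declared in its package.json and, when known, the version actually installed. The function names, status labels and sample inventory are assumptions constructed for illustration.

```javascript
// Added example (not from the PR). Affected range per the PR description: Total.js < 3.2.4.
const FIXED = [3, 2, 4];

// Parse "3.2.2", "v3.2.2", "^3.2.0", "~3.2.0" or ">=3.2.0" into operator + [major, minor, patch].
function parseSpec(spec) {
  const m = /^\s*(\^|~|>=)?\s*v?(\d+)\.(\d+)\.(\d+)/.exec(String(spec));
  return m ? { op: m[1] || '', v: [Number(m[2]), Number(m[3]), Number(m[4])] } : null;
}

// Numeric comparison of two [major, minor, patch] triples: -1, 0 or 1.
function cmp(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  return 0;
}

// declared: range from the app's package.json dependencies["total.js"].
// installed: "version" from node_modules/total.js/package.json, or null if unknown.
function auditTotalJs(declared, installed) {
  const inst = installed ? parseSpec(installed) : null;
  if (inst) {
    // The installed version is authoritative: a range such as ^3.2.0 matches both
    // affected (3.2.2) and fixed (3.2.4) releases.
    return cmp(inst.v, FIXED) < 0 ? 'vulnerable' : 'patched';
  }
  const dec = parseSpec(declared);
  if (!dec) return 'unknown';                      // "*", "latest", "<3.2.4", git URLs...
  if (cmp(dec.v, FIXED) >= 0) return 'patched';    // lowest allowed version is already fixed
  return dec.op === '' ? 'vulnerable' : 'check-installed'; // exact pin vs. open range
}

// Constructed inventory; the version strings are ones mentioned in this thread.
const SAMPLE = [
  { app: 'cms-a', declared: '^3.2.0', installed: '3.2.2' },
  { app: 'cms-b', declared: '^3.2.0', installed: '3.2.4' },
  { app: 'cms-c', declared: '^3.2.0', installed: null },
  { app: 'cms-d', declared: '3.1.0', installed: null },
];

function auditAll(rows) {
  return rows.map(r => ({ app: r.app, status: auditTotalJs(r.declared, r.installed) }));
}

for (const r of auditAll(SAMPLE)) console.log(`${r.app}: ${r.status}`);
```

The declared range alone (the `^3.2.0` shown in the scenario output) cannot settle exposure, which is why the installed version takes precedence whenever it is available.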

fabiocogno added some commits Mar 10, 2019

@bcoles bcoles added docs and removed needs-docs labels Mar 10, 2019

@wchen-r7 wchen-r7 self-assigned this Mar 11, 2019

wchen-r7 commented Mar 12, 2019

Hmm this is a little interesting. I tested it on total.js version 3.2.2 and the module didn't work. 3.2.0 did though.

fabiocogno commented Mar 12, 2019

> Hmm this is a little interesting. I tested it on total.js version 3.2.2 and the module didn't work. 3.2.0 did though.

This is very strange ... for convenience I am using docker to quickly have different environments so I have verified that I have not made mistakes of some kind in creating the image. I attach a screenshot of my latest test.

[Image: Screenshot from 2019-03-12 21-37-53]

Can you share your test?

wchen-r7 commented Mar 12, 2019

Yeah, even better, I think I managed to reproduce this weird state. Notice this one, I'm on 3.2.2:

[Image: totaljsvuln]

OK, and then I uninstall total.js again, and then reinstall 3.2.2... this time, the module works:

[Image: totaljsvuln2]

Pretty odd but since I can also get it to work on 3.2.2.... I guess this isn't a blocker.

wchen-r7 commented Mar 12, 2019

Code looks good to me. I'll land this. Thanks @fabiocogno and thanks @bcoles for reviewing.

@wchen-r7 wchen-r7 merged commit e906ecb into rapid7:master Mar 12, 2019

3 checks passed

Metasploit Automation - Sanity Test Execution Successfully completed all tests.
Metasploit Automation - Test Execution Successfully completed all tests.
continuous-integration/travis-ci/pr The Travis CI build passed

wchen-r7 added a commit that referenced this pull request Mar 12, 2019

wchen-r7 commented Mar 12, 2019

Release Notes

This adds a new auxiliary module that exploits a directory traversal vulnerability against Total.js.

msjenkins-r7 added a commit that referenced this pull request Mar 13, 2019
