Trixbox CE v2.8.0.4 endpoint_devicemap.php Authenticated Remote Command Execution #13353
Thanks for your pull request! Before this can be merged, we need the following documentation for your module:
@stasinopoulos Thank you for this submission; it looks very well done and we appreciate the level of detail put into this! Only thing I will need before I can start testing this is some additional documentation details as per the bot's instructions above. Please follow the directions in those links and make sure to pay particular attention to the instructions where it asks you to describe how you set up the environment step by step (don't just say "grab version 1.1 and then run the exploit"; we need to know how you set it up step by step) and how you obtained the vulnerable version (download site, ftp site, etc). Thanks again and let me know if you have any questions and I'll be happy to assist!

@gwillcox-r7 thanks for your prompt response. Kindly confirm that the provided documentation is fine.
@stasinopoulos Please add your documentation as a separate commit to this branch rather than opening up a new branch. Commit to your local branch. So:
@gwillcox-r7 Done n' sorry for the mess :P

No problem @stasinopoulos, all part of the learning experience :)

Thanks for your pull request! Before this pull request can be merged, it must pass the checks of our automated linting tools. We use Rubocop and msftidy to ensure the quality of our code. This can be run from the root directory of Metasploit: You can automate most of these changes with the Please update your branch after these have been made, and reach out if you have any problems.
@stasinopoulos Please also run
Please incorporate @bcoles's changes and add these ones in as well.
| unless res | ||
| return CheckCode::Unknown('Connection failed') | ||
| end | ||
| unless res.body.include?(fingerprint) |
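Review bot: the `unless res.body.include?(fingerprint)` test at the end of this hunk is reached for any non-nil response, so a 401 or a redirect to the login page (which also lacks the fingerprint) is reported as if the target were not vulnerable rather than as an authentication failure. Branch on `res.code` before the fingerprint test and return `CheckCode::Unknown('Authentication failed')` for rejected credentials, so that a missing fingerprint only ever means "not Trixbox" on a page that was actually served.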
It might be a good idea to also include an authentication check, ie:
if res.code == 401
  return CheckCode::Unknown('Authentication Failed')
end
@stasinopoulos, I'm not sure if you fixed this issue, as your current code is assuming that if the target failed to respond with a 200 OK code that authentication failed. I think what @bcoles is trying to say is that usually a server returns a 401 error code or something similar if you weren't able to log in successfully. So your current check might state that authentication failed when this was not the case.
Also in future can you please wait for @bcoles or myself to mark an issue as resolved? This will prevent any confusion as to whether or not an issue is actually complete or if it needs further work.
@bcoles Can you confirm things here are as you would like to see them?
@gwillcox-r7 @bcoles are we ok for the merge of that module (btw thanks for your support)?

@stasinopoulos Okay I think it is about time we did another full review of the code and the documentation. Going to get that going so long, and hopefully pick up anything else that needs to be done. After that is done and any changes have been incorporated, should be good to test and then land if everything goes well.
Some more changes to go over, definitely looking a lot better though!
| end | ||
| version = get_target(res) | ||
| if version.nil? | ||
| return CheckCode::Safe |
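Review bot: `get_target(res)` returning nil is mapped straight to `CheckCode::Safe` with no message, but nil here can equally mean the version regex did not recognise the page layout (later comments in this thread show the version string differs between the 1.x and 2.x builds). Treating a parse failure as "patched" hides that case; consider `CheckCode::Detected` or `CheckCode::Unknown('Could not determine Trixbox version')` so the user sees why the check did not conclude, and reserve `Safe` for a version that was actually parsed and falls outside the vulnerable range.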
Every other case I see you're outputting a line before returning a CheckCode code, so can we update this line to print out a message using print_error before we execute return CheckCode::Safe?
You can also do CheckCode::Safe('This is the reason.') to automatically print the reason when running check directly.
Note that this has output limitations in the current implementation unless the AutoCheck mixin is used. A print will be universal. I hope that we can streamline this developer experience in the near future.
Updated
A lot of people don't run with datastore[VERBOSE] set to TRUE, so all of these vprint_error or commands in the format of vprint_XXXX won't ever be executed unless this is set. This is not what we want, as we want the user to always receive info about errors. Status updates, however, can be optionally displayed via vprint_status if they are of extremely low value, however, most of the time this is not the case and one should just use print_status as per normal.
Also for reference this is the code that will be run when you execute vprint_error:
def vprint_error(msg='')
print_error(msg) if datastore['VERBOSE'] || (!framework.nil? && framework.datastore['VERBOSE'])
end
Taken from lib/msf/core/module/ui/message/verbose.rb (thanks to @wvu-r7 for pointing this out to me)
@stasinopoulos Looks like your

@stasinopoulos TrixBox CE 2.0 seems to be timing out....are you sure you tested this on all systems?
And finally latest version is also not working. I can confirm I can connect to the server via the browser fine:

Weird, I wonder what was causing that, the server suddenly worked now for 2.4.2.0: Will try again with TrixBox CE 1.2.0

@stasinopoulos Tried again after rebooting but still getting this for Trixbox CE v1.2.0. Included trace for visibility into the actual HTML it is trying to parse.

And here is output for TrixBox CE 1.2.3 with tracing enabled:
I figured out why TrixBox CE 2.0 is failing. Turns out, at least on my install, this server takes several seconds to respond and is much slower than most other installs. This is causing the login request to time out so when exploiting the target, a response is never received in time. I would recommend increasing the timeout by several seconds to allow not only for the fact that this build is slower, but also to allow for the overhead that any slow connections might impose.

TrixBox v1.0: Not correctly identifying the version:
@stasinopoulos Here is an updated regex that will fix the regex you have at the moment in your code and will update the output to be better: If I run this against TrixBox CE 1.1, the output is now a lot more obvious: Targeting TrixBox 2.4.2.0, this output becomes somewhat less reliable... Looking at the code for later versions I can see that your regex would work better. What I propose is perhaps combining both together:

I am so fixing that this week.

Okay with this regex: We get some nice results at long last: Version info is now finally more accurate
Ah so found out why it wasn't detecting that version. Your last check was waaaaaaaaaaay too specific. Here is what it was before: And here is the new version: Lesson here: Don't do checks specifically on one branch's release number. There are typically multiple releases within a branch or within one major.minor release. Edit: here is the code working now with these updates:

@stasinopoulos Okay with updates this is what things look like atm: The timeout is on TrixBox CE 2.0 due to delays on the host, again just need that timeout update. Same with TrixBox CE 2.2.12.

Well I guess when the timeout doesn't happen, CE 2.2.1 is actually pretty good:

TrixBox CE 2.6.2.2 seems to work well with updates: And here is TrixBox 2.8.0.4: Looks like I might need to update the regex to catch one more potential period and number. Will attempt this tomorrow as initial attempts show that

Updated with that -more accurate- version detection.

@stasinopoulos Finally got this working, sorry for the delay. New code should be this (ignore the surrounding bits, this is more to show the update to the regex and to the version check):
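The points raised across this review thread (check the HTTP status before testing the fingerprint, match a multi-component version string instead of pinning one branch's release number, and attach a reason to every CheckCode) are pulled together below as a stand-alone Ruby model of a check() decision path. This is an added example written for this thread; it is not the module's code and not Metasploit's. It does no networking: the responses are constructed Struct values, the vulnerable range is the one quoted in the module description (1.2.0 to 2.8.0.4 inclusive), and every name in it (Response, VULN_RANGE, VERSION_RE, classify_response, SAMPLES) is an assumption of the example, as are the sample page bodies and the "3.0.0" release used to represent a fixed build.

```ruby
# Added example, not the module's or Metasploit's code: a stand-alone model
# of the check() decision logic discussed in the review. No network access;
# responses are constructed Struct values. All names here are assumed.
require 'rubygems'

# Minimal stand-in for an HTTP response object.
Response = Struct.new(:code, :body)

# Vulnerable range as stated in the module description: 1.2.0 to 2.8.0.4 inclusive.
VULN_RANGE = (Gem::Version.new('1.2.0')..Gem::Version.new('2.8.0.4'))

# Accept two to four dotted components ("1.1", "2.4.2.0", "2.8.0.4") so the
# check is not tied to one branch's exact release number.
VERSION_RE = /trixbox\s*(?:ce\s*)?(?:version\s*)?v?(\d+(?:\.\d+){1,3})/i

# Returns a Gem::Version, or nil when the body carries no recognisable version.
def extract_version(body)
  m = VERSION_RE.match(body)
  m && Gem::Version.new(m[1])
end

# Classify one response the way a check() would. Returns [code, reason], with
# code mirroring Metasploit's CheckCode names (:unknown, :safe, :detected, :appears).
def classify_response(res, fingerprint = 'trixbox')
  return [:unknown, 'Connection failed'] if res.nil?
  # Decide on the status code first: rejected credentials say nothing about
  # whether the target is vulnerable, so they must not end up as :safe.
  return [:unknown, 'Authentication failed'] if [401, 403].include?(res.code)
  return [:unknown, "Unexpected HTTP status #{res.code}"] unless res.code == 200
  return [:safe, 'Fingerprint not found'] unless res.body.downcase.include?(fingerprint)
  version = extract_version(res.body)
  # A Trixbox page whose version cannot be parsed is reported as detected,
  # not as safe: an unrecognised layout is not evidence of a patched build.
  return [:detected, 'Trixbox detected but version could not be determined'] if version.nil?
  if VULN_RANGE.cover?(version)
    [:appears, "Trixbox CE #{version} is within the vulnerable range"]
  else
    [:safe, "Trixbox CE #{version} is outside the vulnerable range"]
  end
end

# Constructed sample responses (not captured from real hosts); "3.0.0" is a
# made-up value standing in for a release above the vulnerable range.
SAMPLES = {
  timeout: nil,
  bad_creds: Response.new(401, 'Unauthorized'),
  server_error: Response.new(500, 'Internal Server Error'),
  other_app: Response.new(200, '<title>Some other PBX</title>'),
  no_version: Response.new(200, '<title>trixbox login</title>'),
  old_release: Response.new(200, '<title>Trixbox 1.1</title>'),
  mid_release: Response.new(200, '<h1>trixbox CE 2.4.2.0</h1>'),
  last_vuln: Response.new(200, 'Welcome to Trixbox CE v2.8.0.4'),
  fixed: Response.new(200, 'Trixbox CE version 3.0.0')
}.freeze

# Run every sample through the classifier; returns { name => code }.
def classify_samples
  SAMPLES.transform_values { |res| classify_response(res).first }
end

if $PROGRAM_NAME == __FILE__
  SAMPLES.each_key do |name|
    code, reason = classify_response(SAMPLES[name])
    puts format('%-13s %-9s %s', name, code, reason)
  end
end
```

Two design points carry over to a real module: the order of the guards (connection, then status code, then fingerprint, then version) means each later test only runs on a page that was actually served, and comparing with Gem::Version against a range keeps "2.4.2.0", "2.8.0.4" and a two-component "1.1" on one scale without a per-branch special case.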
This module exploits a post-authentication OS command injection vulnerability found in Trixbox CE <= v2.8.0.4 which may allow arbitrary command execution on the underlying operating system.
Release Notes
This adds in a module for CVE-2020-7351, an authenticated RCE in the

@stasinopoulos Discussed this over Slack but leaving it here for reference: we had to rebase this into one commit due to a bunch of merge conflicts when trying to squash the 60+ commits we had before down into a smaller number of commits. Although my name may appear on the commit, your name still appears when doing Congrats again on your first commit to the framework and on getting a CVE for this bug! Look forwards to seeing more contributions in the future!
This module exploits an authenticated OS command injection vulnerability found in TrixBox CE version 1.2.0 to 2.8.0.4 inclusive in the `network` POST parameter of the `/maint/modules/endpointcfg/endpoint_devicemap.php` page. Successful exploitation allows for arbitrary command execution on the underlying operating system as the `asterisk` user.
Example Usage
Once a shell has been gained as the `asterisk` user, attackers can elevate their privileges to `root` by executing the following commands: