Fix atutor_filemanager_traversal.rb credentials checks and clean up code #13725

Merged: 1 commit, Jun 30, 2020

Conversation

ErikWynter (Contributor)

About

This change fixes a bug in the atutor_filemanager_traversal.rb module at /modules/exploits/linux/http/ and cleans up the code. Currently, the module will not run if no credentials are provided, even though these are not required. The reason is the erroneous use of empty? in the exploit method (line 302): if (not datastore['USERNAME'].empty? and not datastore['PASSWORD'].empty?). This bug is also present in the check method (line 82), causing check to fail in the same scenario as well. This change also incorporates automatic code improvements made by running RuboCop against the module, and cleans up the exec_code method.

Scenarios

  1. Running the existing module without credentials
msf5 exploit(linux/http/atutor_filemanager_traversal) > show options

Module options (exploit/linux/http/atutor_filemanager_traversal):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   PASSWORD                    no        The password to authenticate with
   Proxies                     no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS     192.168.1.12     yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
   RPORT      80               yes       The target port (TCP)
   SSL        false            no        Negotiate SSL/TLS for outgoing connections
   TARGETURI  /ATutor/         yes       The path of Atutor
   USERNAME                    no        The username to authenticate as
   VHOST                       no        HTTP server virtual host


Payload options (php/meterpreter/reverse_tcp):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST  192.168.1.128     yes       The listen address (an interface may be specified)
   LPORT  4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Automatic


msf5 exploit(linux/http/atutor_filemanager_traversal) > run

[*] Started reverse TCP handler on 192.168.1.128:4444 
[-] 192.168.1.12:80 - Exploit failed: NoMethodError undefined method `empty?' for nil:NilClass
[*] Exploit completed, but no session was created.
msf5 exploit(linux/http/atutor_filemanager_traversal) > 
  2. Running the upgraded module without credentials
msf5 exploit(linux/http/atutor_filemanager_traversal) > run

[*] Started reverse TCP handler on 192.168.1.128:4444 
[*] 192.168.1.12:80 - Account details are not set, bypassing authentication...
[*] 192.168.1.12:80 - Triggering type juggle attack...
  3. Running check on the existing module without credentials
msf5 exploit(linux/http/atutor_filemanager_traversal) > check

[-] 192.168.1.12:80 - Exploit failed: NoMethodError undefined method `empty?' for nil:NilClass
[-] 192.168.1.12:80 - Check failed: The state could not be determined.
  4. Running check on the upgraded module without credentials
msf5 exploit(linux/http/atutor_filemanager_traversal) > check
[*] 192.168.1.12:80 - Cannot reliably check exploitability. Check requires credentials. The target may still be vulnerable. If so, it may be possible to bypass authentication.
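The failure above comes from calling `empty?` on `nil`, which is what an unset Metasploit datastore option reads as. The following is an added example, not code from the ATutor module or from this PR: it reproduces the pre-fix check next to a nil-safe one and routes to the "authenticate" or "bypass" path the run output shows. The `datastore` hashes are constructed stand-ins for the real datastore, and treating whitespace-only values as unset is an assumption of the example, not something the module specifies.

```ruby
# Added example (not the Metasploit module's own code). A plain Hash stands in
# for the Metasploit datastore; an option that was never set reads as nil,
# which is the case the PR's NoMethodError output demonstrates.

# The pre-fix check as the PR describes it: empty? is called directly on the
# option value, so an unset (nil) option raises NoMethodError.
def buggy_credentials_set?(datastore)
  !datastore['USERNAME'].empty? && !datastore['PASSWORD'].empty?
end

# Nil-safe check: to_s maps nil to "" before the emptiness test, so both
# "never set" and "set to an empty string" are treated as "no credentials".
# Stripping whitespace is an assumption of this example, not the module's rule.
def credentials_set?(datastore)
  user = datastore['USERNAME'].to_s.strip
  pass = datastore['PASSWORD'].to_s.strip
  !user.empty? && !pass.empty?
end

# Mirrors the two code paths visible in the PR output: log in when
# credentials are supplied, otherwise fall back to the authentication bypass.
def choose_path(datastore)
  credentials_set?(datastore) ? :authenticate : :bypass_auth
end

# Runs the buggy check and returns the exception class it raises, or nil
# when it completes without error.
def buggy_check_error(datastore)
  buggy_credentials_set?(datastore)
  nil
rescue NoMethodError => e
  e.class
end

# Constructed datastores covering the three interesting cases.
UNSET_CREDS = { 'USERNAME' => nil, 'PASSWORD' => nil }        # options never set
EMPTY_CREDS = { 'USERNAME' => '', 'PASSWORD' => '' }          # set to empty strings
FULL_CREDS  = { 'USERNAME' => 'teacher', 'PASSWORD' => 'pw' } # hypothetical values

if __FILE__ == $PROGRAM_NAME
  puts "buggy check on unset options raises: #{buggy_check_error(UNSET_CREDS).inspect}"
  [UNSET_CREDS, EMPTY_CREDS, FULL_CREDS].each do |ds|
    puts "#{ds.inspect} -> #{choose_path(ds)}"
  end
end
```

Note that the buggy check only blows up for `nil`; with options explicitly set to empty strings it returns `false` without error, which is why the bug is easy to miss when testing with `set USERNAME ""` rather than leaving the option untouched.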

ErikWynter (Contributor, Author)

Notes

  • The upgraded module has not been tested against ATutor 2.2.1, but only against a newer version of ATutor (2.2.4), which is not vulnerable. However, the suggested changes are just a simple bug fix and some code improvements suggested by RuboCop, so the functionality of the module should only be impacted positively.
  • RuboCop still complains about a few issues that it didn't automatically change. I have not fixed these because I am not exactly sure how they would impact functionality and don't have a vulnerable system for testing.
  • There is a ton of room left for improvement here.

space-r7 (Contributor)

Changes lgtm!

@space-r7 space-r7 merged commit e2f6330 into rapid7:master Jun 30, 2020
space-r7 commented Jun 30, 2020

Release Notes

The exploit/linux/http/atutor_filemanager_traversal exploit previously would not run if credentials were not provided even though credentials were not required. Now the exploit will run without credentials.

@tperry-r7 tperry-r7 added the rn-fix release notes fix label Jul 9, 2020
@ErikWynter ErikWynter deleted the atutor_filemanager_bug branch September 17, 2020 18:57