Add exploit for CVE-2020-11853: Micro Focus Multiple Products Authenticated Remote Code Execution #14671
Conversation
pedrib
changed the title
|
Tested on 2019.11 too, working! |
|
Thanks @pedrib for this contribution! As you mentioned, I don't think we can get a vulnerable version of the product. Would you mind sending the PCAP's to msfdev [at] metasploit [.] com? Thanks! |
|
@cdelafuente-r7 all done! |
|
@cdelafuente-r7 I tried sending it to you, but Google blocks me from sending (from my Gmail) and you from receiving (if I send over any other email address). What's the alternative? |
|
@pedrib, what errors did receive? I'm wondering if Gmail is getting stricter with attachments... If it is a content issue, maybe just compressing/encrypting would work. If it is a size issue (>25MB), would it be possible to send a Google Drive link (or any other cloud service)? |
|
@cdelafuente-r7 sent you a gdrive link with an encrypted file, let me know if you can get it. |
|
@pedrib, perfect, I got the PCAP's. Thank you! |
There was a problem hiding this comment.
Thanks @pedrib ! It looks good to me. I just left a few minor comments regarding the documentation and the two vulnerable URI's.
I also reviewed the PCAP's and, even if SSL is enabled for the first query, I verified the remote loading of Java classes over HTTP.
Co-authored-by: cdelafuente-r7 <56716719+cdelafuente-r7@users.noreply.github.com>
|
All done, thanks for reviewing! I am going to push another module soon, the next one is a local LPE for Windows. |
|
Thanks for making these changes @pedrib! Everything looks good now. I'll go ahead and land it. |
Release NotesNew module |
|
Thank you! |
agalway-r7
added
the
rn-modules
This module exploits an authenticated Java deserialization that affects a truckload of Micro Focus products:
Exploiting this vulnerability will result in remote code execution as the root user on Linux or the SYSTEM user on Windows.
Authentication is required, the module user needs to login to the application and obtain the authenticated LWSSO_COOKIE_KEY, which should be fed to the module.
Any authenticated user can exploit this vulnerability, even the lowest privileged ones.
The exploit uses a modified ysoserial c3p0 payload. The only part that is modified is that c3p0 is built using version 0.9.1.2, so that the serialVersionUid of the target is the same as the exploit. This can be achieved by patching ysoserial's pom.xml.
This module was only tested with Operations Bridge Manager 2020.05. It should work as is with earlier Operations Bridge Manager versions, but it might require small modifications (to the cookie name or vulnerable URI) for the other affected products. However it is equally likely that it works out of the box with the other products, as HPE / Micro Focus is well known for re-using (vulnerable) code.
For more information refer to the advisory link:
Verification Steps
use exploit/multi/http/microfocus_obm_auth_rceset rhost TARGET'set lhost YOUR_IPset srvhost YOUR_IPset lwsso_cookie_key AUTHENTICATED_COOKIErunAs in PR #14654, it might be hard for you to get a vulnerable version of the product. I have pcaps ready for Linux and Windows, let me know if you need them, but if you could test them and confirm my results that would be awesome.
This module has been tested on both Linux and Windows and it works perfectly.