Open web analytics 1.7.3 remote code execution #17754
Conversation
Thanks for your pull request! Before this pull request can be merged, it must pass the checks of our automated linting tools. We use Rubocop and msftidy to ensure the quality of our code. This can be run from the root directory of Metasploit:
You can automate most of these changes with the
Please update your branch after these have been made, and reach out if you have any problems.
@bcoles Thanks for the quick feedback, I will look into your suggestions and will update the module accordingly.
```ruby
end

def get_cache_content(cache_raw)
  regex_cache_base64 = /\*(\w*)/
```
If the `=` are included in this string, they're not getting matched by the `\w`. You could change that so they are included, removing the need to calculate and add them yourself on L273-L274 by changing the regex to:

`/\*(\w*={0,2})/`

The `\w` should also be updated to include the additional characters that base64 can include in the encoding such as `+` and `/` depending on the character set/flavor.
Great catch! I updated the regex to your suggestion.
Thanks @bcoles and @smcintyre-r7 for the review! As this is my first try at implementing a module in Metasploit, I initially struggled a bit with some basics. However, I looked into your suggestions and updated the module accordingly. I tested and verified the module and if you have any other suggestions, let me know :)
…archLimit into module
…ening the php url
@cdelafuente-r7 I looked over your suggestions and updated the code accordingly. A few things to note:
The rest are small code changes suggested by you. Thanks again for the code review :) If there are any more suggestions, let me know.
Thanks @Pflegusch for updating this! I just left a few minor suggestions, otherwise it looks good to me.
Just one thing I wanted to point out. Since, apparently, it is not possible to restore the admin password and the configuration to their original state, I would be inclined to use a datastore option that forces the module to run in defanged mode by default. A warning message would be displayed to explain the risks and the operator would have to disable this option to execute the module. You can find an example of this here.
That said, if you think it is okay to run the exploit without warning, I'm also fine with this. It's up to you to implement this logic.
Running the exploit in a defanged mode sounds good to me, as it's probably a good idea to warn the user that running this exploit will make some irreversible changes (e.g. changing the password of a user) to the target system. I will implement that logic later on. Thanks for the idea @cdelafuente-r7!
@cdelafuente-r7 Implemented the
Thank you @Pflegusch! Everything looks good to me now. I tested using Docker and it works great. I'll go ahead and land it. Thanks again for your contribution.

Example Output
Release Notes

This adds an exploit module for CVE-2022-24637, a single/double quote confusion vulnerability in Open Web Analytics versions below 1.7.4. This leads to the disclosure of sensitive information in an automatically generated PHP cache file, which can be leveraged to gain admin privileges and remote code execution.
This adds an exploit for CVE-2022-24637 which is a Remote Code Execution vulnerability for Open Web Analytics for versions below 1.7.4. This exploit works because files generated with `'<?php` (instead of the intended `"<?php` sequence) aren't handled by the PHP interpreter.

Verification Steps

- Set `RHOST`, `RPORT`, `SSL`, `LHOST`, `Password`, `Username` and `SearchLimit`
- `check`
- `run`
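The two technical points on this page, the review comment that a `/\*(\w*)/` capture stops at the first `+`, `/` or `=` of a base64 blob, and the description above of a cache file that PHP serves verbatim because it begins with `'<?php`, as one added worked example in Ruby. This is not code from the Metasploit module or from Open Web Analytics: the cache-file layout, the serialized payload and every function and constant name here are constructed for illustration.

```ruby
# Added example, not the Metasploit module's code: extract and decode the
# base64 blob from an OWA-style cache file. Layout and payload are constructed.

# The reviewed module captured the blob with /\*(\w*)/.  \w is [A-Za-z0-9_],
# so the capture stops at the first '+', '/' or '=' and the blob is truncated.
LEGACY_CACHE_B64_RE = /\*(\w*)/

# Full standard base64 alphabet plus up to two '=' padding characters, so no
# padding has to be computed and appended afterwards.
CACHE_B64_RE = %r{\*([A-Za-z0-9+/]*={0,2})}

# Constructed PHP-serialized payload (ASCII only). The '?' and '~' bytes sit in
# the third position of their base64 triples, which yields a '/' and a '+' in
# the encoding; 52 bytes is 1 mod 3, which yields '==' padding at the end.
SAMPLE_PAYLOAD = 'a:2:{s:4:"user";s:5:"admin";s:4:"hash";s:5:"?xx~~";}'.freeze

# Constructed cache file in the shape the PR description gives: the leading
# single quote means PHP never sees an open tag, so the web server returns the
# whole file, comment body included, as plain text.
def sample_cache_file
  "'<?php\n/*#{[SAMPLE_PAYLOAD].pack('m0')}*/\n?>'"  # pack('m0') = strict base64
end

# True when the file begins with a real PHP open tag, i.e. it would be
# executed instead of served verbatim.
def executed_by_php?(cache_raw)
  cache_raw.start_with?('<?php')
end

# Capture with the legacy regex; returns the (possibly truncated) blob or nil.
def legacy_capture(cache_raw)
  m = LEGACY_CACHE_B64_RE.match(cache_raw)
  m && m[1]
end

# Capture with the corrected regex; returns the complete blob or nil.
def extract_cache_base64(cache_raw)
  m = CACHE_B64_RE.match(cache_raw)
  m && m[1]
end

# Decode the captured blob. unpack1('m0') is strict base64 decoding: it raises
# ArgumentError on bad padding or stray characters instead of returning
# garbage, so a truncated capture surfaces as nil rather than a corrupt payload.
def get_cache_content(cache_raw)
  b64 = extract_cache_base64(cache_raw)
  return nil if b64.nil? || b64.empty?
  b64.unpack1('m0')
rescue ArgumentError
  nil
end

if $PROGRAM_NAME == __FILE__
  file = sample_cache_file
  puts "served raw by PHP: #{!executed_by_php?(file)}"
  puts "legacy capture:    #{legacy_capture(file)}"
  puts "full capture:      #{extract_cache_base64(file)}"
  puts "decoded:           #{get_cache_content(file)}"
end
```

On the constructed file the legacy capture is 59 characters (it stops at the first `/`), while the corrected regex returns the full 72-character blob, padding included, which decodes back to the payload; the strict decoder is deliberate, because a silently truncated blob is exactly the failure the reviewer's `={0,2}` suggestion was meant to avoid.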
Example