Added symmetricom_syncserver_rce.rb

[sdcampbell]

This change adds symmetricom_syncserver_rce.rb to modules/exploits/linux/http.

Verification

List the steps needed to make sure this thing works

• Start msfconsole
• use exploit/linux/http/symmetricom_syncserver_rce
• run 'check' to verify if system is vulnerable
• select a payload, set options, and enter exploit to get a shell.

This module exploits an unauthenticated command injection vulnerability in /controller/ping.php. The S100 through S350 (End of Life) models should be vulnerable to unauthenticated exploitation due to a session handling vulnerability. Later models require authentication which is not provided in this module because we can't test it. The command injection vulnerability is patched in the S650 v2.2 (CVE-2022-40022).

I have a packet capture and the output from HttpTrace which I will send to your email address.

[github-actions]

Thanks for your pull request! Before this can be merged, we need the following documentation for your module:

• Writing Module Documentation
• Template
• Examples

[space-r7]

Hey @sdcampbell, thank you for the module! I mostly suggested changes to metadata and some nice-to-have items, but I understand you no longer have access to a vulnerable target.

[space-r7]

Adding AutoCheck gives the user the ability to automatically run the check method when exploiting

Suggested change

	include Msf::Exploit::EXE
	include Msf::Exploit::Remote::HttpClient
	include Msf::Exploit::Remote::HttpServer::HTML
	include Msf::Exploit::EXE
	include Msf::Exploit::Remote::HttpClient
	include Msf::Exploit::Remote::HttpServer::HTML
	prepend Msf::Exploit::Remote::AutoCheck

[space-r7]

I suggest adding the TARGETURI option in case the base path to the target is different for users of the module. With this option, you can use normalize_uri() to build the request uri.

Suggested change

	register_options(
	[
	OptString.new('FILENAME', [true, 'Payload filename', 'payload.elf']),
	OptAddress.new('SRVHOST', [true, 'HTTP Server Bind Address', '127.0.1.1']),
	OptInt.new('SRVPORT', [true, 'HTTP Server Port', '4444'])
	], self.class)
	register_options(
	[
	OptString.new('FILENAME', [true, 'Payload filename', 'payload.elf']),
	OptAddress.new('SRVHOST', [true, 'HTTP Server Bind Address', '127.0.1.1']),
	OptInt.new('SRVPORT', [true, 'HTTP Server Port', '4444']),
	OptString.new('TARGETURI', [ true, 'Base path to Symmetricom SyncServer', '/' ])
	])

[space-r7]

Suggested change

	uri = '/controller/ping.php'
	uri = normalize_uri(target_uri.path, '/controller/ping.php')

[space-r7]

Suggested change

	uri = "/controller/ping.php"
	uri = normalize_uri(target_uri.path, '/controller/ping.php')

[space-r7]

This looks like a good use case for fetch payloads or a command stager, but I understand that may not be feasible since we can't test it.

[sdcampbell]

I added the module documentation and accepted some of the proposed module code changes. Other suggestions which may affect the module working were not implemented simply because I no longer have access to the vulnerable system to test.

[sdcampbell]

symmetricom_syncserver_rce.md

[space-r7]

Added two commits which add the documentation and module output. Also includes formatting changes from Rubocop and some updates to the metadata. I just have one question about the srvport line. Didn't want to change that before verifying. Thanks!

[sdcampbell]

I fixed the issue with the srvport variable not used.

[space-r7]

Thanks, verified the pcap. Will get this landed soon!

[space-r7]

Release Notes

This adds an exploit for Symmetricom SyncServer appliances (S100-S300 series) vulnerable to an unauthenticated command injection in the hostname parameter in a request to the /controller/ping.php endpoint. The command injection vulnerability is patched in the S650 v2.2. Requesting the endpoint will result in a redirect to the login page; however, the command will still be executed, resulting in RCE as the root user.