Add OpenSIS 'modname' PHP Code Execution module for CVE-2013-1349 #2783

Merged
merged 2 commits into rapid7:master from bcoles:opensis_modname_exec on Dec 20, 2013


@bcoles
Contributor
bcoles commented Dec 19, 2013

Add OpenSIS 'modname' PHP Code Execution module for CVE-2013-1349

opensis-exploit

@wchen-r7 wchen-r7 and 1 other commented on an outdated diff Dec 20, 2013
modules/exploits/unix/webapp/opensis_modname_exec.rb
+ },
+ 'Platform' => 'unix',
+ 'Arch' => ARCH_CMD,
+ 'Targets' =>
+ [
+ # Tested on OpenSIS versions 4.9 and 5.2 (Ubuntu Linux)
+ ['OpenSIS version 4.5 to 5.2', { 'auto' => true }]
+ ],
+ 'Privileged' => false,
+ 'DisclosureDate' => 'Dec 04 2012',
+ 'DefaultTarget' => 0))
+
+ register_options(
+ [
+ OptString.new('TARGETURI', [true, 'The URI for OpenSIS', '/opensis/']),
+ OptString.new('USERNAME', [true, 'The username for OpenSIS', '']),
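Review bot: the USERNAME option in the register_options block is declared required (`true`) but is given an empty-string default (`''`), so the option appears satisfied while still holding an unusable value; since the module needs real credentials, drop the default so the framework refuses to run until the operator sets one, i.e. `OptString.new('USERNAME', [true, 'The username for OpenSIS'])`. The Targets entry above it also labels the target "OpenSIS version 4.5 to 5.2" while the inline comment says only 4.9 and 5.2 were tested; the target string or a comment should say where the 4.5 lower bound comes from.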
@wchen-r7
wchen-r7 Dec 20, 2013 Contributor

So authentication is required, but it's possible to login as ""?

@bcoles
bcoles Dec 20, 2013 Contributor

User/pass is required, but there are no defaults.

@wchen-r7
wchen-r7 Dec 20, 2013 Contributor

If there's no default, I recommend doing:

OptString.new('USERNAME',  [true, 'The username for OpenSIS'])

That way the user must supply one before the module actually starts.

@wchen-r7 wchen-r7 and 1 other commented on an outdated diff Dec 20, 2013
modules/exploits/unix/webapp/opensis_modname_exec.rb
+ 'Description' => %q{
+ This module exploits a PHP code execution vulnerability in OpenSIS
+ versions 4.5 to 5.2 which allows any authenticated user to execute
+ arbitrary PHP code under the context of the web-server user.
+ The 'ajax.php' file calls 'eval()' with user controlled data from
+ the 'modname' parameter.
+ },
+ 'License' => MSF_LICENSE,
+ 'Author' =>
+ [
+ 'EgiX', # Discovery
+ 'Brendan Coles <bcoles[at]gmail.com>' # msf exploit
+ ],
+ 'References' =>
+ [
+ ['CVE', '2013-1349'],
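Review bot: the References array ends after the single CVE entry, so the OSVDB identifier and a URL to EgiX's original advisory (credited as the discoverer in the Author block above) are missing; add them so a reader can verify the "versions 4.5 to 5.2" range and the ajax.php/eval()/modname claim made in the Description against the source. The Description itself is clear; consider stating explicitly that valid credentials are required, since "any authenticated user" is the only hint that USERNAME/PASSWORD must be supplied.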
@wchen-r7
wchen-r7 Dec 20, 2013 Contributor

Could you please also add a reference for OSVDB? Thanks. It's OSVDB-100676.

@bcoles
bcoles Dec 20, 2013 Contributor

Added in commit fb6cd9c.

@wchen-r7 wchen-r7 and 1 other commented on an outdated diff Dec 20, 2013
modules/exploits/unix/webapp/opensis_modname_exec.rb
+ 'ExitFunction' => 'none'
+ },
+ 'Platform' => 'unix',
+ 'Arch' => ARCH_CMD,
+ 'Targets' =>
+ [
+ # Tested on OpenSIS versions 4.9 and 5.2 (Ubuntu Linux)
+ ['OpenSIS version 4.5 to 5.2', { 'auto' => true }]
+ ],
+ 'Privileged' => false,
+ 'DisclosureDate' => 'Dec 04 2012',
+ 'DefaultTarget' => 0))
+
+ register_options(
+ [
+ OptString.new('TARGETURI', [true, 'The URI for OpenSIS', '/opensis/']),
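Review bot: the `'Targets'` entry here still reads "OpenSIS version 4.5 to 5.2" while the comment directly above it says the module was tested on 4.9 and 5.2 only; either narrow the label to the tested versions or reference where the 4.5 lower bound was confirmed. `'Privileged' => false` is consistent with the Description's "web-server user" wording, and `'ExitFunction' => 'none'` is the expected setting for an `ARCH_CMD` payload, so no change is needed there.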
@wchen-r7
wchen-r7 Dec 20, 2013 Contributor

Hmm, there's some extra spaces here.

@bcoles
bcoles Dec 20, 2013 Contributor

Hmm you're right. Spaces are pretty, but not as pretty as code formatted to 80 columns. Fixed in commit fb6cd9c.

@wchen-r7 wchen-r7 added a commit that referenced this pull request Dec 20, 2013
@wchen-r7 wchen-r7 Land #2783 - OpenSIS 'modname' PHP Code Execution ce8b8e8
@wchen-r7 wchen-r7 merged commit fb6cd9c into rapid7:master Dec 20, 2013

1 check passed: the Travis CI build passed.
@bcoles bcoles deleted the bcoles:opensis_modname_exec branch Jan 21, 2014